bugzilla-daemon at netfilter.org
2019-May-20 18:25 UTC
[Bug 1338] New: Can't add IPv6 concatenation rule
https://bugzilla.netfilter.org/show_bug.cgi?id=1338
Bug ID: 1338
Summary: Can't add IPv6 concatenation rule
Product: netfilter/iptables
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P5
Component: nfnetlink_queue
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: abrian at netapp.com
Attempting to add an ip6 address in a concatenation fails:
nft add rule inet filter input ip6 saddr . udp dport fd20:332:332:0:250:56ff:fe87:f635 . 1662 counter accept
<cmdline>:1:1-112: Error: Could not process rule: Value too large for defined data type
add rule inet filter input ip6 saddr . udp dport fd20:332:332:0:250:56ff:fe87:f635 . 1662 counter accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If I replace ip6 with ip and use an IPv4 address, it works. If I remove the
concatenation and just add an ip6 saddr rule, it works.
I'm using Debian 9 (stretch):
ii libnfnetlink0:amd64 1.0.1-3 amd64 Netfilter netlink library
Linux node2 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2+ntap11 (2019-05-01) x86_64 GNU/Linux
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2019-May-20 18:28 UTC
[Bug 1338] Can't add IPv6 concatenation rule
https://bugzilla.netfilter.org/show_bug.cgi?id=1338
--- Comment #1 from abrian at netapp.com ---
Adding debug=netlink output:
nft add rule inet filter input ip6 saddr . udp dport [fd20:332:332:0:250:56ff:fe87:f635] . 1662 counter accept --debug=netlink
inet filter input
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 1b @ network header + 6 => reg 1 ]
  [ cmp eq reg 1 0x00000011 ]
  [ payload load 16b @ network header + 8 => reg 1 ]
  [ payload load 2b @ transport header + 2 => reg 2 ]
  [ cmp eq reg 1 0x320320fd 0x00003203 0xff565002 0x35f687fe 0x00007e06 ]
  [ counter pkts 0 bytes 0 ]
  [ immediate reg 0 accept ]
<cmdline>:1:1-114: Error: Could not process rule: Value too large for defined data type
add rule inet filter input ip6 saddr . udp dport [fd20:332:332:0:250:56ff:fe87:f635] . 1662 counter accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
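For reading the debug output in Comment #1: the five words on the cmp line can be decoded back into the address and port from the rule. This is an added example, not part of the original report or of nftables; the function names are hypothetical, and it assumes the words are printed in the byte order of the reporter's little-endian x86_64 host.

```python
import ipaddress
import re
import struct

# Line copied from the --debug=netlink output in Comment #1.
CMP_LINE = "[ cmp eq reg 1 0x320320fd 0x00003203 0xff565002 0x35f687fe 0x00007e06 ]"


def cmp_words_to_bytes(line, byteorder="little"):
    """Return the raw bytes compared by a 'cmp eq reg N 0x... ...' line.

    Assumption: each 0x token is a 32-bit word shown in the byte order of
    the host that ran nft (little-endian on the reporter's x86_64).
    """
    m = re.search(r"cmp\s+\w+\s+reg\s+\d+((?:\s+0x[0-9a-fA-F]{8})+)", line)
    if not m:
        raise ValueError("not a cmp expression with immediate data")
    fmt = "<I" if byteorder == "little" else ">I"
    return b"".join(struct.pack(fmt, int(w, 16)) for w in m.group(1).split())


def decode_ip6_port_concat(line):
    """Split the compared data into (IPv6 address, port, total length).

    Each concatenated field is padded to a 4-byte boundary, so the 16-byte
    address is followed by the 2-byte port and 2 bytes of zero padding.
    """
    data = cmp_words_to_bytes(line)
    if len(data) != 20:
        raise ValueError(f"expected 20 bytes for ip6 saddr . dport, got {len(data)}")
    addr = ipaddress.IPv6Address(data[:16])
    (port,) = struct.unpack("!H", data[16:18])  # port is in network byte order
    if data[18:] != b"\x00\x00":
        raise ValueError("non-zero padding after port")
    return addr, port, len(data)


if __name__ == "__main__":
    addr, port, length = decode_ip6_port_concat(CMP_LINE)
    print(f"{addr} . {port}  ({length} bytes in the cmp on reg 1)")
```

The decoded values match the rule's fd20:332:332:0:250:56ff:fe87:f635 and 1662, and show that the single cmp covers 20 bytes starting at reg 1.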