netfilter buglog - Mar 2020 - [Bug 1414] New: Using ip6 daddr in nat input chain is rejected with an incorrect error

https://bugzilla.netfilter.org/show_bug.cgi?id=1414

            Bug ID: 1414
           Summary: Using ip6 daddr in nat input chain is rejected with an
                    incorrect error
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Ubuntu
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: avamander at gmail.com

nft version: nftables v0.9.2 (Scram)

Example config:
```
table ip nat {
        chain input {
                type nat hook input priority 0;
                ip6 daddr ::1/128 accept;
        }
}
```

Error:
```
/etc/nftables.conf:186:3-11: Error: conflicting protocols specified: ip vs. ip6
                ip6 daddr ::1/128 accept;
                ^^^^^^^^^
```

It should output a reasonable error.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200326/23a77668/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1414

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Avamander from comment #0)
> nft version: nftables v0.9.2 (Scram)
> 
> Example config:
> ```
> table ip nat {
Table is 'ip', use 'ip6' instead (or 'inet' if you want
a dual ip/ip6 table)
>         chain input {
>                 type nat hook input priority 0;
>                 ip6 daddr ::1/128 accept;
>         }
> }
> ```
> 
> Error:
> ```
> /etc/nftables.conf:186:3-11: Error: conflicting protocols specified: ip vs.
> ip6
>                 ip6 daddr ::1/128 accept;
>                 ^^^^^^^^^
This example uses 'ip6', hence the error.
> ```
> 
> It should output a reasonable error.
-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200326/b6342ba0/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=1414

--- Comment #2 from Avamander <avamander at gmail.com> ---
Exactly, the error is misleading, it should highlight that the conflict is
between the table and ip6 not between ip6 and daddr.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200326/5356bd2c/attachment.html>