netfilter buglog - Feb 2014 - [Bug 895] New: Add a 'ipv6_address' set into a ipv4 table and vice versa

https://bugzilla.netfilter.org/show_bug.cgi?id=895

           Summary: Add a 'ipv6_address' set into a ipv4 table and vice
                    versa
           Product: nftables
           Version: unspecified
          Platform: x86_64
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
        AssignedTo: pablo at netfilter.org
        ReportedBy: anarey.spam at gmail.com
   Estimated Hours: 0.0


You can add a 'ipv6_address' set into a ipv4 table and a
'ipv4_address' set
into a ipv6 table.

# With a ipv6-set
 $ sudo nft list table ip t-ip
table ip t-ip {
    set t-ipv4-set {
        type ipv4_address
    }

    chain c-filter {
         type filter hook input priority 0;
    }
}
 $ sudo nft add set ip t-ip t-ipv6-set { type ipv6_address\;}
 $ sudo nft -nna list table ip t-ip
table ip t-ip {
    set t-ipv4-set {
        type ipv4_address
    }

    set t-ipv6-set {
        type ipv6_address
    }

    chain c-filter {
         type filter hook input priority 0;
    }
}

# With a ipv6-set
 $ sudo nft add table ip6 t-ipv6
 $ sudo nft add chain ip6 t-ipv6 c-filter { type filter hook input priority 0
\; }
 $ sudo nft add set ip6 t-ipv6 ipv6-set2 { type ipv6_address\;}
 $ sudo nft add set ip6 t-ipv6 ipv4-set2 { type ipv4_address\;}
 $ sudo nft list table ip6 t-ipv6
table ip6 t-ipv6 {
    set ipv6-set2 {
        type ipv6_address
    }

    set ipv4-set2 {
        type ipv4_address
    }

    chain c-filter {
         type filter hook input priority 0;
    }
}

I can always reproduce this bug.

The last commit in libmnl repo is "090a842 examples: use
mnl_socket_setsockopt"
The last commit in libnftnl repo is "076fd1e include: add cached copy of
linux/kernel.h"
The last commit in nftables repo is "11ba325 bump release number to
0.100"

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.

https://bugzilla.netfilter.org/show_bug.cgi?id=895

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at nwl.cc

--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
I don't see why this should be a problem. I guess it might even be useful to
filter tunnelled traffic, matching IPv6 addresses encapsulated in IPv4 packets.

Ana: Could you please elaborate why this is a bug rather than a feature?

Thanks, Phil

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170213/2baf831b/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=895

--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
I agree we can close this bug.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170213/fac4d236/attachment.html>

https://bugzilla.netfilter.org/show_bug.cgi?id=895

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170214/71abab5e/attachment-0001.html>