bugzilla-daemon at netfilter.org
2014-May-28 18:13 UTC
[Bug 946] New: Cannot invert a protocol: ip protocol != tcp
https://bugzilla.netfilter.org/show_bug.cgi?id=946
Summary: Cannot invert a protocol: ip protocol != tcp
Product: nftables
Version: unspecified
Platform: x86_64
OS/Version: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
AssignedTo: pablo at netfilter.org
ReportedBy: anarey at gmail.com
Estimated Hours: 0.0
There is a problem when we invert a protocol:
* We add the following rule, and It does not show any error.
$ sudo nft add rule ip test input ip protocol != icmp
* We list the table test, and It shows this problem:
$ sudo nft -nn list table ip test
nft: src/payload.c:76: payload_expr_pctx_update: Assertion `expr->op ==
OP_EQ'
failed.
Also, we can reproduce it in the following cases:
- ah with nexthdr:
* We add the following rule, and It does not show any error.
$ sudo nft add rule ip test input ah nexthdr != esp
* We list the table test, It shows the following problem:
$ sudo nft -nn list table ip test
nft: src/payload.c:76: payload_expr_pctx_update: Assertion `expr->op ==
OP_EQ'
failed.
- comp nexthdr != esp
sudo nft add rule ip test input comp nexthdr != esp
sudo nft list table ip test
nft: src/payload.c:76: payload_expr_pctx_update: Assertion `expr->op ==
OP_EQ'
failed.
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2014-Jun-05 15:08 UTC
[Bug 946] Cannot invert a protocol: ip protocol != tcp
https://bugzilla.netfilter.org/show_bug.cgi?id=946
Alvaro <alvaroneay at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |alvaroneay at gmail.com
Resolution| |FIXED
--- Comment #1 from Alvaro <alvaroneay at gmail.com> 2014-06-05 17:08:16
CEST ---
This bug has been fixed with the patch:
https://git.netfilter.org/nftables/commit/?id=0c512cf7f26363713b8c76a6a826e2401e21907f
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
Reasonably Related Threads
- [Bug 924] New: Range: It is not possible invert a range of ip address
- [Bug 927] New: tos: symbolic names are not supported
- [Bug 993] New: nft produces incorrect output when a reject rule is added using nft -f
- [Bug 932] New: TOS: An Invert mask in TOS
- [Bug 934] New: frag: Invert a range in frag