bugzilla-daemon at netfilter.org
2016-May-31 21:18 UTC
[Bug 1071] New: nftables: set does not work within inet table with option flags interval
https://bugzilla.netfilter.org/show_bug.cgi?id=1071
Bug ID: 1071
Summary: nftables: set does not work within inet table with option flags interval
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: jason.lee.campbell at gmail.com
I'm using nftables to combine my IPv4 and IPv6 into one ruleset, so using a single inet table. This allows for single-line edits, such as when I want to enable ssh in, instead of editing two separate entries. I imagine separating the rules would work, but that defeats the purpose of allowing only a single-line edit.

I'm to the point that I want to import my text file of blocked IP subnets, so I tried using a set within an inet table. To allow subnets, the option flags interval appears to be required. However, when I check the rules (nft -n -f firewall.rules) with flags interval, I receive "Operation not permitted". Without the flags interval option, the rule check works, but then I am unable to add subnets to the set.

I have run strace on the rule check, and here's the difference I have found. The last line given in each example differs: where the rule check works it is 127.0.0.1, and where it does not work it is ::ffff:127.0.0.1.

I am using the following versions, compiled today (5/31):
libnftnl-1.0.6-x86_64-1
nftables-e049f92bb7b98dfa218eda2b9b6f14506238abf2-x86_64-1
Without flags interval:

socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET6, sin6_port=htons(22), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(45890), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(5, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) 0
connect(5, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(38754), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0

With flags interval:

socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP) = 5
connect(5, {sa_family=AF_INET6, sin6_port=htons(22), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(53024), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
connect(5, {sa_family=AF_UNSPEC, sa_data="\0\0\0\0\0\0\0\0\0\0\0\0\0\0"}, 16) 0
connect(5, {sa_family=AF_INET, sin_port=htons(22), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
getsockname(5, {sa_family=AF_INET6, sin6_port=htons(38635), inet_pton(AF_INET6, "::ffff:127.0.0.1", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, [28]) = 0
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20160531/130e674d/attachment.html>
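The configuration the report describes, written out as an added example (it is not from the bug report or from the nftables project): a single inet table holding one IPv4 and one IPv6 named set, both declared with flags interval so that prefixes can be set elements, referenced by one input chain. The table and set names, the documentation-range prefixes and the ssh rule are placeholders.

```nft
# Added example ruleset (not from the bug report). Check it without
# loading it with: nft -c -f firewall.rules  (the reporter used -n -f).
table inet filter {
    # "flags interval" lets elements be prefixes (subnets), not just
    # single addresses; this is the option the report says fails.
    set blocked4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24 }   # placeholder subnets
    }
    set blocked6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }                   # placeholder subnet
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # One table, so the block lists and the ssh rule are each edited
        # in one place for both families.
        ip saddr @blocked4 drop
        ip6 saddr @blocked6 drop
        tcp dport 22 accept
    }
}
```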
bugzilla-daemon at netfilter.org
2016-May-31 21:59 UTC
[Bug 1071] nftables: set does not work within inet table with option flags interval
https://bugzilla.netfilter.org/show_bug.cgi?id=1071
--- Comment #1 from JLC <jason.lee.campbell at gmail.com> ---
Sorry, the pasted strace results do not differ. I was comparing the wrong lines. Starting at that point, they differ.
bugzilla-daemon at netfilter.org
2016-Jun-06 11:50 UTC
[Bug 1071] nftables: set does not work within inet table with option flags interval
https://bugzilla.netfilter.org/show_bug.cgi?id=1071
Pablo Neira Ayuso <pablo at netfilter.org> changed:

What       | Removed | Added
-----------|---------|----------
Status     | NEW     | RESOLVED
Resolution | ---     | DUPLICATE
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Please, give a try to 4.7-rc1 and nft 0.6.
We have resolved issues with prefixes and named sets in these two releases.
Will be passing Linux kernel patches for -stable branches so this propagates
backward.
Thanks.
*** This bug has been marked as a duplicate of bug 1009 ***