bugzilla-daemon at netfilter.org
2016-Aug-22 07:30 UTC
[Bug 1083] New: Cannot parse negative priorities from command line
https://bugzilla.netfilter.org/show_bug.cgi?id=1083
Bug ID: 1083
Summary: Cannot parse negative priorities from command line
Product: nftables
Version: unspecified
Hardware: x86_64
OS: RedHat Linux
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: georg at fleig.xyz
Adding a chain with a negative priority using the command line is not possible.
E.g. the IPv4 nat example provided by this software:
nft add chain nat prerouting { type nat hook prerouting priority -150\; }
Returns:
nft: invalid option -- '1'
However, when this is stored in a file and loaded using nft -f <file> it works
without problems. So negative priorities seem to work but cannot be configured
directly on the command line.
--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2017-Feb-10 17:56 UTC
[Bug 1083] Cannot parse negative priorities from command line
https://bugzilla.netfilter.org/show_bug.cgi?id=1083
Phil Sutter <phil at nwl.cc> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |phil at nwl.cc
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
This happens due to how nft parses commandline options:
- First, getopt_long() is called (in main.c).
- Then, lex/yacc parses whatever remains.
The leading dash of the negative priority value is picked up by getopt, which
obviously rejects it. I think this neither can nor should be "solved".
Instead, here are two ways how to achieve what you want to do:
1) quote the whole part in curly braces (I usually do that to avoid the shell
picking up the braces by accident):
nft add chain nat prerouting '{ type nat hook prerouting priority -150; }'
2) Use '--' parameter to tell getopt it shall not parse beyond that:
nft -- add chain nat prerouting { type nat hook prerouting priority -150\; }
Since I don't think any workaround in nft is feasible (and good ways to work
around this issue exist), I'm closing this ticket. If you still think this is
an absolute must-have for you, please feel free to reopen.
Cheers, Phil
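
The option-scanning step described in comment #1, as an added example that is not part of the original thread and not nft's own code. The reduced option table, the function name scan_options and the argv arrays are assumptions constructed for illustration; the arrays mirror what the shell passes for the failing command and for the two workarounds.

```c
/* Added example: getopt_long() sees "-150;" before any grammar parser does. */
#include <getopt.h>
#include <stdio.h>

#define ARGC(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Reduced option table, assumed for illustration (not copied from nft's main.c). */
static const struct option longopts[] = {
    { "help", no_argument, NULL, 'h' },
    { "file", required_argument, NULL, 'f' },
    { NULL, 0, NULL, 0 }
};

/* Returns the first option character getopt rejects, or 0 if the scan is clean.
 * On a clean scan, *rest is the index of the first word left for the parser. */
static int scan_options(int argc, char **argv, int *rest)
{
    int c;

    opterr = 0;   /* suppress getopt's own message; the caller reports */
    optind = 0;   /* glibc/musl: fully reset scanner state between calls */
    while ((c = getopt_long(argc, argv, "hf:", longopts, NULL)) != -1) {
        if (c == '?')
            return optopt;   /* e.g. '1' from the word "-150;" */
    }
    *rest = optind;
    return 0;
}

/* Constructed argv arrays: what the shell hands over for each command form. */
static char *unquoted[] = { "nft", "add", "chain", "nat", "prerouting", "{", "type",
    "nat", "hook", "prerouting", "priority", "-150;", "}" };
static char *quoted[] = { "nft", "add", "chain", "nat", "prerouting",
    "{ type nat hook prerouting priority -150; }" };
static char *dashdash[] = { "nft", "--", "add", "chain", "nat", "prerouting", "{",
    "type", "nat", "hook", "prerouting", "priority", "-150;", "}" };

int main(void)
{
    int rest = 0, bad;

    bad = scan_options(ARGC(unquoted), unquoted, &rest);
    printf("unquoted: invalid option -- '%c'\n", bad);
    bad = scan_options(ARGC(quoted), quoted, &rest);
    printf("quoted:   rejected=%d, parser starts at \"%s\"\n", bad, quoted[rest]);
    bad = scan_options(ARGC(dashdash), dashdash, &rest);
    printf("with --:  rejected=%d, parser starts at \"%s\"\n", bad, dashdash[rest]);
    return 0;
}
```

In the quoted form the whole chain definition is one word that begins with "{", so getopt never treats the embedded "-150" as an option cluster.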