bugzilla-daemon at netfilter.org
2017-Apr-01 17:59 UTC
[Bug 1140] New: nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140
Bug ID: 1140
Summary: nft dump invalid (flow table)
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: netfilter at d9c.eu
Hi,
test.nft:
#!/usr/bin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
ip protocol icmp flow table i4 { icmp type counter } accept
ip6 nexthdr icmpv6 flow table i6 { icmpv6 type counter } accept
}
}
eof
nft -f test.nft
nft list ruleset > test1.nft
nft flush ruleset
nft -f test1.nft
test1.nft:4:33-41: Error: conflicting protocols specified: inet-service vs. icmp
flow table i4 { icmp type counter packets 0 bytes 0} accept
^^^^^^^^^
test1.nft:
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
flow table i4 { icmp type counter packets 0 bytes 0} accept
flow table i6 { icmpv6 type counter packets 0 bytes 0} accept
}
}
I am using nftables v0.7 on ArchLinux x64
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20170401/757e1d31/attachment.html>
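The dump in the report fails to reload because nft v0.7 dropped the layer-4 match (ip protocol icmp / ip6 nexthdr icmpv6) in front of the flow-table rule, so inside an inet table the icmp type key becomes ambiguous. The following is an added workaround, not code from the bug report or from the nftables project: it re-inserts that match into a dumped ruleset before feeding it back to nft -f. It assumes the dump keeps the one-rule-per-line layout shown above; restore_l4_dependency is a hypothetical helper name.

```python
import re

# Constructed input: the nft v0.7 `nft list ruleset` dump from the bug report,
# which `nft -f` rejects with "conflicting protocols specified: inet-service vs. icmp".
DUMP_V07 = """\
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
flow table i4 { icmp type counter packets 0 bytes 0} accept
flow table i6 { icmpv6 type counter packets 0 bytes 0} accept
}
}
"""

# Layer-4 match the original rule carried and the dump dropped, keyed by the
# protocol header the flow-table key refers to.
L4_DEPENDENCY = {
    "icmp": "ip protocol icmp",
    "icmpv6": "ip6 nexthdr icmpv6",
}

# A flow table (old syntax) or meter (current syntax) keyed on an ICMP field.
FLOW_KEY = re.compile(r"\b(flow table|meter)\s+\S+.*?\{\s*(icmp|icmpv6)\s+type\b")
# Any layer-4 match already present before the flow keyword satisfies nft.
HAS_L4_MATCH = re.compile(r"\b(ip protocol|ip6 nexthdr|meta l4proto)\s+\S+")
TABLE_HDR = re.compile(r"^\s*table\s+(\S+)\s+\S+\s*\{")


def restore_l4_dependency(dump: str) -> str:
    """Re-insert the layer-4 protocol match before flow-table/meter rules whose
    key is an ICMP field. Only inet tables are touched: in an ip or ip6 table
    the key is unambiguous. Lines that already carry a match are left alone."""
    out = []
    family = None
    for line in dump.splitlines():
        hdr = TABLE_HDR.match(line)
        if hdr:
            family = hdr.group(1)  # remember which family the rules belong to
        m = FLOW_KEY.search(line)
        if family == "inet" and m and not HAS_L4_MATCH.search(line[: m.start()]):
            dep = L4_DEPENDENCY[m.group(2)]
            stripped = line.lstrip()
            indent = line[: len(line) - len(stripped)]
            line = f"{indent}{dep} {stripped}"
        out.append(line)
    return "\n".join(out) + "\n"
```

Running the result through nft -f on a v0.7 host gives back the rules as originally written; on current nft the round-trip already works (see the last comment), so the function is a no-op there.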
bugzilla-daemon at netfilter.org
2017-May-31 16:59 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140
--- Comment #1 from Andreas Fischer <netfilter at d9c.eu> ---
(In reply to Andreas Fischer from comment #0)
> Hi,
>
> test.nft:
> #!/usr/bin/nft -f
> flush ruleset
>
> table inet filter {
> chain input {
> type filter hook input priority 0;
> ip protocol icmp flow table i4 { icmp type counter } accept
> }
> }
> eof
>
After updating from kernel 4.10 to 4.11, this ruleset is now completely broken:
/etc/nftables.nft:2:1-2: Error: Could not process rule: Operation not supported
table inet filter {
^^
Should I open another bug for this?
bugzilla-daemon at netfilter.org
2017-Jul-30 18:59 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140
--- Comment #2 from Andreas Fischer <netfilter at d9c.eu> ---
> Error: syntax error, unexpected '}'
> ip protocol icmp flow table ee { icmp type } accept
> ^
Apparently nftables expects an actual type, while this would be exactly the value I would like to have in the flow table.
Did I make a stupid mistake? Is this already fixed? Should I close?
bugzilla-daemon at netfilter.org
2017-Oct-07 14:27 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140
Harsha Sharma <harshasharmaiitr at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |harshasharmaiitr at gmail.com
--- Comment #3 from Harsha Sharma <harshasharmaiitr at gmail.com> ---
(In reply to Andreas Fischer from comment #2)
> > Error: syntax error, unexpected '}'
> > ip protocol icmp flow table ee { icmp type } accept
> > ^
>
> Apparently nftables expects an actual type, while this would be exactly the
> value I would like to have in the flow table.
>
> Did I make a stupid mistake? Is this already fixed? Should I close?
This seems to work just fine. For the above error, if you are using zsh, then
try the above commands with bash.
bugzilla-daemon at netfilter.org
2017-Oct-11 13:26 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140
--- Comment #4 from Andreas Fischer <netfilter at d9c.eu> ---
Since I am running an nft script with "nft -f /etc/nftables.nft", the current shell should not matter at all. Anyway, I have tried with bash and the error remains.
Maybe nft 0.8 will solve the problem once it hits the Arch repos.
bugzilla-daemon at netfilter.org
2017-Oct-17 09:54 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140
Karel Rericha <karel at unitednetworks.cz> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |karel at unitednetworks.cz
--- Comment #5 from Karel Rericha <karel at unitednetworks.cz> ---
Hi Andreas,
I would suggest using stateful objects for now, which work (v0.8, kernel 4.13.7):
nft add counter x c-echo-reply
nft add rule x y ip protocol icmp counter name icmp type map { echo-reply: "c-echo-reply" }
Of course, add counters for other types of ICMP messages as needed.
Karel
bugzilla-daemon at netfilter.org
2020-Jul-31 18:41 UTC
[Bug 1140] nft dump invalid (flow table)
https://bugzilla.netfilter.org/show_bug.cgi?id=1140
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Flow table syntax is deprecated these days, see:
https://wiki.nftables.org/wiki-nftables/index.php/Meters
This still works for backward compatibility though, even if it's not the
preferred way to instantiate these dynamic sets.
A quick test says this is working:
# cat /tmp/x.nft
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
ip protocol icmp flow table i4 { icmp type counter } accept
ip6 nexthdr icmpv6 flow table i6 { icmpv6 type counter } accept
}
}
# nft -f /tmp/x.nft
# nft list ruleset > /tmp/y.nft
# nft flush ruleset
# nft -f /tmp/y.nft
# nft list ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
ip protocol icmp meter i4 size 65535 { icmp type counter } accept
ip6 nexthdr ipv6-icmp meter i6 size 65535 { icmpv6 type counter } accept
}
}
Closing this old bug.