bugzilla-daemon at netfilter.org
2017-Nov-13 19:05 UTC
[Bug 1202] New: Cannot match on both dport and sport in one nftables rule
https://bugzilla.netfilter.org/show_bug.cgi?id=1202

Bug ID: 1202
Summary: Cannot match on both dport and sport in one nftables rule
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: jac_linux at yahoo.com

In nftables v0.5 I could have the following rule to match on EITHER sport or dport in the same rule:

    tcp sport ssh tcp dport ssh counter accept

In nftables v0.7 this no longer works. I can add the rule, but it won't match a packet. If the packet has dport = ssh, it won't match, unless I create a SEPARATE rule with just dport:

    tcp dport ssh counter accept
    tcp sport ssh counter accept

Is this a bug (I didn't see anything regarding this in the v0.8 bug list) or are dport/sport in the same rule no longer allowed?

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2020-Jan-28 23:54 UTC
[Bug 1202] Cannot match on both dport and sport in one nftables rule
https://bugzilla.netfilter.org/show_bug.cgi?id=1202

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kfm at plushkava.net

--- Comment #1 from kfm at plushkava.net ---
(In reply to jac from comment #0)
> In nftables v0.5 I could have the following rule to match on EITHER sport or
> dport in the same rule:
> tcp sport ssh tcp dport ssh counter accept
>
> In nftables v0.7 this no longer works.

As with iptables, logical disjunctions are not supported. That rule should never have worked for the stated purpose. While "or" can be used in rules, it works as a bitwise operator, not a logical operator. So, this is really a feature request.

Perhaps it would be nice for maps to support a metacharacter that matches anything. For example, imagine being able to write:

    tcp sport . tcp dport vmap { ssh . * : accept, * . ssh : accept }

Whether that is technically feasible to implement, I do not know.
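As an added illustration of the conjunction semantics described in comment #1 (this is not code from the thread or from the nftables project), the following Python model replays the reporter's rules over constructed packets: a counter on the combined rule only advances when both ports are 22, while the two-rule version accepts either direction. The `ssh` to port 22 mapping and the sample packets are assumptions.

```python
# Added simulation of the semantics described in the thread: every match
# expression in one nftables rule is ANDed, so "tcp sport ssh tcp dport ssh"
# fires only when BOTH ports are 22. Constructed model, not nft's own parser.
from dataclasses import dataclass

SERVICES = {"ssh": 22}  # service names resolve to ports, as in nft

@dataclass
class Packet:
    proto: str
    sport: int
    dport: int

def parse_rule(text):
    """Parse the minimal syntax used in the thread into
    ([(field, value), ...], verdict); ALL pairs must hold."""
    tokens = text.split()
    matches, i = [], 0
    while i < len(tokens) - 1:
        if tokens[i] == "tcp" and tokens[i + 1] in ("sport", "dport"):
            port = SERVICES.get(tokens[i + 2]) or int(tokens[i + 2])
            matches += [("proto", "tcp"), (tokens[i + 1], port)]
            i += 3
        elif tokens[i] == "counter":  # statement, no effect on matching
            i += 1
        else:
            raise ValueError(f"unsupported token {tokens[i]!r}")
    return matches, tokens[-1]

def evaluate(rule_texts, packets, policy="drop"):
    """Walk packets through a chain: first matching rule's verdict wins.
    Returns per-packet verdicts and a per-rule packet counter."""
    rules = [parse_rule(t) for t in rule_texts]
    counters = [0] * len(rules)
    verdicts = []
    for pkt in packets:
        verdict = policy
        for n, (matches, rule_verdict) in enumerate(rules):
            if all(getattr(pkt, f) == v for f, v in matches):
                counters[n] += 1
                verdict = rule_verdict
                break
        verdicts.append(verdict)
    return verdicts, counters

# Constructed traffic: client->ssh, ssh->client, ssh<->ssh, unrelated.
SAMPLE = [Packet("tcp", 40000, 22), Packet("tcp", 22, 40000),
          Packet("tcp", 22, 22), Packet("tcp", 40000, 443)]
COMBINED = ["tcp sport ssh tcp dport ssh counter accept"]  # the reported rule
SEPARATE = ["tcp dport ssh counter accept", "tcp sport ssh counter accept"]
```

Running `evaluate(COMBINED, SAMPLE)` drops the first two packets and leaves the combined rule's counter at 1, which is exactly the behaviour the reporter observed.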
bugzilla-daemon at netfilter.org
2020-Dec-01 19:38 UTC
[Bug 1202] Cannot match on both dport and sport in one nftables rule
https://bugzilla.netfilter.org/show_bug.cgi?id=1202

kfm at plushkava.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement