bugzilla-daemon at netfilter.org
2018-Mar-31 00:18 UTC
[Bug 1238] New: meta limits protocols when it shouldn't
https://bugzilla.netfilter.org/show_bug.cgi?id=1238 Bug ID: 1238 Summary: meta limits protocols when it shouldn't Product: nftables Version: unspecified Hardware: x86_64 OS: Fedora Status: NEW Severity: minor Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: ian.kumlien at gmail.com Reading about the raw payload, which has the examples: inet filter input meta l4proto {tcp, udp} @th,16,16 { dns, http } and input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4 @nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept Makes you think that something like: meta l4proto udp @th,64,4 0x0 @th,16,16 set 5301 accept should work for detecting a dns query It's a variant of: -p udp -m udp --dport 53 -m u32 --u32 0x0>>0x16&0x3c at 0x8&0xf8=0x0 -j REDIRECT --to-ports 5301 Which I agree is a very, very special example but i DIDN'T expect this: /etc/rc.nft:52:34-41: Error: conflicting protocols specified: udp vs. unknown meta l4proto udp @th,64,4 0x0 accept ^^^^^^^^ This aspect of nft is not really well documented you could say but... -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180331/b82c5f9f/attachment.html>
bugzilla-daemon at netfilter.org
2018-Apr-03 10:29 UTC
[Bug 1238] meta limits protocols when it shouldn't
https://bugzilla.netfilter.org/show_bug.cgi?id=1238 Florian Westphal <fw at strlen.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |fw at strlen.de Resolution|--- |WORKSFORME Status|NEW |RESOLVED --- Comment #1 from Florian Westphal <fw at strlen.de> --- This should work, starting with nft 0.8.3. -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180403/b4343852/attachment.html>
bugzilla-daemon at netfilter.org
2018-Apr-03 11:48 UTC
[Bug 1238] meta limits protocols when it shouldn't
https://bugzilla.netfilter.org/show_bug.cgi?id=1238 --- Comment #2 from Ian Kumlien <ian.kumlien at gmail.com> --- Ok, so fedora 27 is at nftables 0.7 - will see what i can do to update it -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180403/f8105cbd/attachment.html>
Maybe Matching Threads
- [Bug 1368] New: The "meta's"
- [Bug 96802] New: Upgrading mesa from 11.0.6 -> 11.2.2 causes graphics deadlock
- [Bug 1145] New: nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
- [PATCH] Icecast2 - chroot, setuid/gid...
- [Bug 1763] New: Segfault when resetting rules with meta l4proto { tcp, udp }