bugzilla-daemon at netfilter.org
2018-Mar-31 00:18 UTC
[Bug 1238] New: meta limits protocols when it shouldn't
https://bugzilla.netfilter.org/show_bug.cgi?id=1238
Bug ID: 1238
Summary: meta limits protocols when it shouldn't
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Fedora
Status: NEW
Severity: minor
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: ian.kumlien at gmail.com
Reading about the raw payload, which has the examples:
inet filter input meta l4proto {tcp, udp} @th,16,16 { dns, http }
and
input meta iifname enp2s0 arp ptype 0x0800 arp htype 1 arp hlen 6 arp plen 4
@nh,192,32 0xc0a88f10 @nh,144,48 set 0x112233445566 accept
Makes you think that something like:
meta l4proto udp @th,64,4 0x0 @th,16,16 set 5301 accept
should work for detecting a dns query
It's a variant of:
-p udp -m udp --dport 53 -m u32 --u32 0x0>>0x16&0x3c at
0x8&0xf8=0x0 -j REDIRECT
--to-ports 5301
Which I agree is a very, very special example but i DIDN'T expect this:
/etc/rc.nft:52:34-41: Error: conflicting protocols specified: udp vs. unknown
meta l4proto udp @th,64,4 0x0 accept
^^^^^^^^
This aspect of nft is not really well documented you could say but...
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180331/b82c5f9f/attachment.html>
bugzilla-daemon at netfilter.org
2018-Apr-03 10:29 UTC
[Bug 1238] meta limits protocols when it shouldn't
https://bugzilla.netfilter.org/show_bug.cgi?id=1238
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fw at strlen.de
Resolution|--- |WORKSFORME
Status|NEW |RESOLVED
--- Comment #1 from Florian Westphal <fw at strlen.de> ---
This should work, starting with nft 0.8.3.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180403/b4343852/attachment.html>
bugzilla-daemon at netfilter.org
2018-Apr-03 11:48 UTC
[Bug 1238] meta limits protocols when it shouldn't
https://bugzilla.netfilter.org/show_bug.cgi?id=1238 --- Comment #2 from Ian Kumlien <ian.kumlien at gmail.com> --- Ok, so fedora 27 is at nftables 0.7 - will see what i can do to update it -- You are receiving this mail because: You are watching all bug changes. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180403/f8105cbd/attachment.html>
Possibly Parallel Threads
- [Bug 1368] New: The "meta's"
- [Bug 96802] New: Upgrading mesa from 11.0.6 -> 11.2.2 causes graphics deadlock
- [Bug 1145] New: nft 0.7: expression.c:966: range_expr_value_low: Assertion '0' failed.
- [PATCH] Icecast2 - chroot, setuid/gid...
- Attempting to use tproxy on Centos 8 fails with 'No such file or directory'