bugzilla-daemon at netfilter.org
2018-Jun-18 11:11 UTC
[Bug 1262] New: nft insert rule ignores space in prefix value
https://bugzilla.netfilter.org/show_bug.cgi?id=1262

            Bug ID: 1262
           Summary: nft insert rule ignores space in prefix value
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Gentoo
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: ikonta at yandex.ru

My kernel is:

    Linux tux 4.9.95-gentoo #2 SMP Fri May 25 11:35:57 MSK 2018 x86_64 AMD Athlon(tm) II X2 250 Processor AuthenticAMD GNU/Linux

I use standard log target to monitor dropped packages.

When I add/modify ruleset creating table, i.e.:

    tux ~ # /sbin/nft delete table filter
    tux ~ # /sbin/nft -f fw.me

fw.me file has the following contents:

    table ip filter {
        chain input {
            type filter hook input priority 0;

            # accept traffic originated from us
            ct state established,related accept

            # accept any localhost traffic
            iif lo accept

            # log and drop any other traffic
            log prefix "nftables " drop
        }
    }

everything is as expected, I see the following strings in dmesg:

    dmesg: [15648.869932] nftables IN=lan0 OUT= MAC=…

But when I refresh ruleset without recreation filter table, with the following script:

    #!/bin/sh
    #
    /sbin/nft flush table filter
    #
    /sbin/nft insert rule filter input log prefix "nftables " drop
    # other filtering rules

I see space in log prefix value is ignored. dmesg shows the following strings:

    dmesg: [15783.270898] nftablesIN=lan0 OUT= MAC=…

P.S. Utility version:

    # equery b /sbin/nft
     * Searching for /sbin/nft ...
    net-firewall/nftables-0.8-r3 (/sbin/nft)
bugzilla-daemon at netfilter.org
2020-Jul-22 16:04 UTC
[Bug 1262] nft insert rule ignores space in prefix value
https://bugzilla.netfilter.org/show_bug.cgi?id=1262

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to ikonta from comment #0)
> #!/bin/sh
> #
> /sbin/nft flush table filter
> #
> /sbin/nft insert rule filter input log prefix "nftables " drop

From the shell, you have to escape the quotes, ie.

    /sbin/nft insert rule filter input log prefix \"nftables \" drop

Anyway: I recommend you use nft -f for this purpose instead of using a shell script since this is breaking atomicity, eg.

    #!/usr/sbin/nft
    flush table filter
    insert rule filter input log prefix "nftables " drop
    -EOF-
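Added example, not part of the original thread: a shell sketch of why the trailing space disappears. nft joins its command-line arguments with single spaces and parses the result as one string, so what matters is whether the double quotes survive /bin/sh. The helper names (nft_cmdline, unquoted, escaped, ruleset_file) are hypothetical, and nft itself is not invoked.

```shell
#!/bin/sh
# Added example. nft_cmdline is a hypothetical helper: it models how nft
# joins its command-line arguments with single spaces into one string
# before parsing, so we can see the text the nft parser receives.
nft_cmdline() {
    out=$1
    shift
    for arg in "$@"; do
        out="$out $arg"
    done
    printf '%s\n' "$out"
}

# Form from the report: /bin/sh removes the double quotes, so the parser
# sees a bare word and the trailing space is only token whitespace.
unquoted() {
    nft_cmdline insert rule filter input log prefix "nftables " drop
}

# Form from the reply: backslash-escaped quotes survive the shell, so the
# parser sees a quoted string that still contains the trailing space.
escaped() {
    nft_cmdline insert rule filter input log prefix \"nftables \" drop
}

# Ruleset file contents for `nft -f`: no shell parsing is involved, and
# flush plus insert are applied as one transaction.
ruleset_file() {
    cat <<'EOF'
flush table filter
insert rule filter input log prefix "nftables " drop
EOF
}

printf 'unquoted: %s\n' "$(unquoted)"
printf 'escaped:  %s\n' "$(escaped)"
printf 'ruleset file for nft -f:\n'
ruleset_file
```

After changing a rule this way, `nft list ruleset` shows the prefix as stored, which confirms whether the space was kept before relying on log matching.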