netfilter buglog - Aug 2020 - [Bug 1455] New: Queue verdict cannot be used in vmap

https://bugzilla.netfilter.org/show_bug.cgi?id=1455

            Bug ID: 1455
           Summary: Queue verdict cannot be used in vmap
           Product: nftables
           Version: unspecified
          Hardware: arm
                OS: Ubuntu
            Status: NEW
          Severity: normal
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: phillc at gmail.com

I'm not sure if this is a bug, not implemented, or as designed.

I am trying to use a vmap to direct traffic to NFQueue when specific criteria
are matched.

The map has been defined and a rule using it:

table ip filter {

  map AppControl_TCP {
      type ipv4_addr . ipv4_addr . inet_service : verdict
  }

  chain Forward {
      type filter hook forward priority filter; policy drop;
      ip saddr . ip daddr . tcp dport vmap @AppControl_TCP
  }
...
}

But I cannot assign the verdict "queue num 3" to the map. The
following error
is returned when importing the ruleset with nft -f.

"
nft-map-appcontrol-tcp.conf:2:66-70: Error: syntax error, unexpected queue
add element ip filter AppControl_TCP {10.1.1.1 . 10.1.1.100 . 502 : queue num
3}                                                              ^^^^^
"

I have worked around this for now by using 'goto AppControl' as the vmap
verdict and then adding "queue num 3" as the only rule in the chain
'AppControl'. It would be great if the queue verdict would work in the
vmap
though.

Thanks

--------------------------------------------
OS: Ubuntu 20.04
Kernel: Ubuntu 5.4.0-1015.15-raspi 5.4.44
nftables/focal,now 0.9.3-2 arm64

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200827/0998b99f/attachment.html>