bugzilla-daemon at netfilter.org
2020-Sep-09 16:33 UTC
[Bug 1463] New: nft --json table list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463
Bug ID: 1463
Summary: nft --json table list ruleset crashes
Product: nftables
Version: unspecified
Hardware: All
OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: abrian at netapp.com
# nft --json list ruleset
warning: stmt ops xt have no json callback
nft: json.c:169: stmt_print_json: Assertion `__out' failed.
Aborted (core dumped)
# nft --version
nftables v0.9.0 (Fearless Fosdick)
# uname -a
Linux host-deb10-build 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2 (2019-08-28) x86_64 GNU/Linux
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20200909/2241a899/attachment.html>
bugzilla-daemon at netfilter.org
2020-Sep-09 18:12 UTC
[Bug 1463] nft --json table list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
It looks like you have loaded a ruleset via iptables-nft, then list it via nft -j list ruleset. There is just a stub for the xtables extension at this moment. Is this something you have a use case for?
bugzilla-daemon at netfilter.org
2020-Sep-09 18:57 UTC
[Bug 1463] nft --json list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463
abrian at netapp.com changed:
What    |Removed                               |Added
----------------------------------------------------------------------------
Summary |nft --json table list ruleset crashes |nft --json list ruleset crashes
--- Comment #2 from abrian at netapp.com ---
We have some legacy code that sets up some rules using iptables that would not
be trivial to change to use nft.
bugzilla-daemon at netfilter.org
2020-Sep-09 18:59 UTC
[Bug 1463] nft --json list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463
--- Comment #3 from abrian at netapp.com ---
Here is the resulting ip filter table that crashes:
# nft list table ip filter
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
        meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn tcp dport { 8082,8083,8084,8085} # #conn src/0 > 20000 counter packets 0 bytes 0 reject with tcp reset
        meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn tcp dport { 18082,18083,18084,18085} # #conn src/0 > 10000 counter packets 0 bytes 0 reject with tcp reset
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
# nft --json list table ip filter
warning: stmt ops xt have no json callback
nft: json.c:169: stmt_print_json: Assertion `__out' failed.
Aborted (core dumped)
bugzilla-daemon at netfilter.org
2020-Sep-09 19:02 UTC
[Bug 1463] nft --json list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Could you post your iptables-nft input file?
bugzilla-daemon at netfilter.org
2020-Sep-09 19:18 UTC
[Bug 1463] nft --json list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463
--- Comment #5 from abrian at netapp.com ---
We do the configuration programmatically, some based on user-provided configuration. Here are the commands that set up the rules in the example I provided above:
iptables -A INPUT -p tcp --syn -m multiport --dports 8082,8083,8084,8085 -m connlimit --connlimit-above 20000 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --syn -m multiport --dports 18082,18083,18084,18085 -m connlimit --connlimit-above 10000 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp --syn -m multiport --dports 8082,8083,8084,8085 -m connlimit --connlimit-above 20000 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp --syn -m multiport --dports 18082,18083,18084,18085 -m connlimit --connlimit-above 10000 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
Here are examples of the type of commands we use based on the user's configuration:
iptables -t nat -A OUTPUT -o $IFACE -p $PROTO --dport $D_PORT -j DNAT --to-destination :$S_PORT
iptables -t nat -A PREROUTING -i $IFACE -p $PROTO --dport $S_PORT -j REDIRECT --to-port $D_PORT
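The thread shows the failure mode for anyone whose audit or monitoring tooling consumes `nft --json list ruleset` on a host where iptables-nft is still in use: the connlimit match has no native nft translation, so nft 0.9.0 prints it as an xt stub (the `# #conn src/0 > 20000` fragment above), and the JSON printer has no callback for that statement and aborts. The following POSIX shell helper is an added example, not code from the bug report or from the nftables project. It scans the plain-text listing for such stubs and only asks for JSON when none are present. The sample dump is constructed from the table posted in Comment #3, the function names are made up for this example, and the `xt match "..."` / `xt target "..."` spelling is an assumption about how newer nft releases print the same stub, not something this thread shows.

```shell
#!/bin/sh
# Added example: guard JSON ruleset listing against xtables-compat stubs
# (the crash in bug 1463). Not part of the bug report or of nftables.

# Constructed sample in the nft 0.9.0 text format shown in this thread.
# The first rule carries an xt stub for the connlimit match ("# #conn ...");
# the second is a native rule with an "# handle N" suffix as printed by
# `nft -a`, which must not be mistaken for a stub.
SAMPLE_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
        meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn tcp dport { 8082,8083,8084,8085} # #conn src/0 > 20000 counter packets 0 bytes 0 reject with tcp reset
        tcp dport 22 counter accept comment "native rule" # handle 7
    }
}'

# Read a text ruleset on stdin and print the rules that carry an xt stub.
# Handle suffixes are stripped first. The 'xt match "..."' / 'xt target "..."'
# alternative is an assumption about later nft releases.
xt_compat_rules() {
    sed -E 's/ # handle [0-9]+$//' \
        | grep -E ' # |(^|[[:space:]])xt (match|target) "'
}

# Count such rules on stdin; 0 means the ruleset is safe to list as JSON.
xt_compat_rule_count() {
    xt_compat_rules | wc -l | tr -d '[:space:]'
}

# Wrapper for tooling: fall back to the text listing instead of letting
# `nft --json list ruleset` abort. Returns 2 (and prints the text dump)
# when xt stubs are present, 1 if nft itself fails, 0 with JSON otherwise.
list_ruleset_json_if_safe() {
    text=$(nft list ruleset) || return 1
    if printf '%s\n' "$text" | xt_compat_rules >/dev/null; then
        echo "xtables-compat rules present; not using --json (bug 1463)" >&2
        printf '%s\n' "$text"
        return 2
    fi
    nft --json list ruleset
}

# Stand-alone demo on the constructed sample: prints the connlimit rule only.
printf '%s\n' "$SAMPLE_RULESET" | xt_compat_rules
```

On a live host, call `list_ruleset_json_if_safe` in place of `nft --json list ruleset`; the non-zero return tells the caller whether it received JSON or the text fallback. The detection is a heuristic on nft's text output, so re-check it against the output format of the nft version actually deployed.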