bugzilla-daemon at netfilter.org
2020-Sep-09 16:33 UTC
[Bug 1463] New: nft --json table list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463

            Bug ID: 1463
           Summary: nft --json table list ruleset crashes
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: Debian GNU/Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: abrian at netapp.com

# nft --json list ruleset
warning: stmt ops xt have no json callback
nft: json.c:169: stmt_print_json: Assertion `__out' failed.
Aborted (core dumped)

# nft --version
nftables v0.9.0 (Fearless Fosdick)

# uname -a
Linux host-deb10-build 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2 (2019-08-28) x86_64 GNU/Linux

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2020-Sep-09 18:12 UTC
[Bug 1463] nft --json table list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
It looks like you have loaded a ruleset via iptables-nft, then list it via nft -j list ruleset.

There is just a stub for the xtables extension at this moment.

Is this something you have a use case for?
bugzilla-daemon at netfilter.org
2020-Sep-09 18:57 UTC
[Bug 1463] nft --json list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463

abrian at netapp.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|nft --json table list       |nft --json list ruleset
                   |ruleset crashes             |crashes

--- Comment #2 from abrian at netapp.com ---
We have some legacy code that sets up some rules using iptables that would not be trivial to change to use nft.
bugzilla-daemon at netfilter.org
2020-Sep-09 18:59 UTC
[Bug 1463] nft --json list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463

--- Comment #3 from abrian at netapp.com ---
Here is the resulting ip filter table that crashes:

# nft list table ip filter
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
		meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn tcp dport { 8082,8083,8084,8085} # #conn src/0 > 20000 counter packets 0 bytes 0 reject with tcp reset
		meta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn tcp dport { 18082,18083,18084,18085} # #conn src/0 > 10000 counter packets 0 bytes 0 reject with tcp reset
	}

	chain FORWARD {
		type filter hook forward priority 0; policy accept;
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}
}

# nft --json list table ip filter
warning: stmt ops xt have no json callback
nft: json.c:169: stmt_print_json: Assertion `__out' failed.
Aborted (core dumped)
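Added example, not part of the bug report or of nftables. The listing in comment #3 shows what the crash hinges on: iptables-nft translated `--syn` and `-m multiport` into native nft expressions, but the connlimit match survived only as an xtables-compat stub that nft 0.9.0 prints as a `# ...` comment inside the rule line (`# #conn src/0 > 20000`), and `nft -j` aborts on exactly that statement. A tool that manages such hosts can scan the text listing first and fall back to the iptables-save front end for any table that carries a stub instead of crashing on the JSON path. The helper below does that scan; `find_xt_stubs`, `json_safe` and `XtStub` are names chosen here, the sample ruleset is constructed from comment #3 with two extra rules added to exercise the `# handle N` annotation of `nft -a` and a quoted rule `comment`, and treating any unquoted ` # ` inside a chain rule as a stub marker is this helper's own assumption rather than a documented nft contract.

```python
"""Scan `nft list ruleset` text for xtables-compat stubs before asking for JSON.

Constructed helper, not part of nftables or of the bug report. nft 0.9.0
renders an xtables expression it cannot translate as a '# ...' comment
embedded in the rule line (comment #3 shows '# #conn src/0 > 20000' for
connlimit), and `nft -j` aborts on the same rule. Run this over the text
listing first and fall back to iptables-save for any table it flags.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the two connlimit rules from comment #3, plus two rules
# that must NOT be flagged: a '# handle N' annotation (nft -a) and a quoted
# rule comment containing ' # '.
SAMPLE_RULESET = """\
table ip filter {
\tchain INPUT {
\t\ttype filter hook input priority 0; policy accept;
\t\tmeta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn tcp dport { 8082,8083,8084,8085} # #conn src/0 > 20000 counter packets 0 bytes 0 reject with tcp reset
\t\tmeta l4proto tcp tcp flags & (fin|syn|rst|ack) == syn tcp dport { 18082,18083,18084,18085} # #conn src/0 > 10000 counter packets 0 bytes 0 reject with tcp reset
\t\ttcp dport 22 ct state new counter packets 0 bytes 0 accept # handle 7
\t\ttcp dport 80 counter packets 0 bytes 0 accept comment "web # not a stub"
\t}
\tchain FORWARD {
\t\ttype filter hook forward priority 0; policy accept;
\t}
}
"""


@dataclass
class XtStub:
    table: str   # "<family> <name>", e.g. "ip filter"
    chain: str
    rule: str    # the rule line exactly as nft printed it
    tail: str    # text from the stub marker to end of line; nft prints the xt
                 # stub in the middle of the rule, so native statements follow


_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')          # comment "..." strings
_HANDLE = re.compile(r"\s#\s+handle\s+\d+\s*$")      # trailing annotation from nft -a
_TABLE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
_CHAIN = re.compile(r"^chain\s+(\S+)\s*\{")
_MARKER = re.compile(r"\s#\s(.*)$")                  # first ' # ' left after the above


def find_xt_stubs(listing: str) -> list[XtStub]:
    """Return every chain rule in `listing` that carries an xtables-compat stub."""
    stubs: list[XtStub] = []
    depth = 0                      # number of currently open '{' blocks
    table = chain = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or a full-line comment such as nft's "managed by" warning
        probe = _QUOTED.sub('""', line)   # a '#' inside comment "..." is not a stub
        probe = _HANDLE.sub("", probe)    # neither is '# handle N'
        net = probe.count("{") - probe.count("}")
        if net > 0:                       # a table, chain, set or element block opens
            if depth == 0 and (m := _TABLE.match(probe)):
                table = f"{m.group(1)} {m.group(2)}"
            elif depth == 1 and (m := _CHAIN.match(probe)):
                chain = m.group(1)
            depth += net
            continue
        if net < 0:                       # a block closes
            depth += net
            if depth < 2:
                chain = None
            if depth < 1:
                table = None
            continue
        if depth == 2 and chain is not None:   # a rule (or chain header) inside a chain
            m = _MARKER.search(probe)
            if m:
                stubs.append(XtStub(table, chain, line, m.group(1)))
    return stubs


def json_safe(listing: str) -> bool:
    """True when no rule in `listing` would trip the missing xt JSON callback."""
    return not find_xt_stubs(listing)


if __name__ == "__main__":
    for s in find_xt_stubs(SAMPLE_RULESET):
        print(f"{s.table} / {s.chain}: xt stub -> {s.tail}")
    print("json safe:", json_safe(SAMPLE_RULESET))
```

Inline sets such as `tcp dport { 8082,8083,8084,8085}` are brace-balanced on one line, so only lines that open or close a block move the depth counter; table-level objects (sets, maps, multi-line `elements = {`) are skipped because no chain is open at that depth. Check the exit status of `nft -j` regardless: this scan is a pre-flight for the crash described here, not a substitute for error handling.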
bugzilla-daemon at netfilter.org
2020-Sep-09 19:02 UTC
[Bug 1463] nft --json list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Could you post your iptables-nft input file?
bugzilla-daemon at netfilter.org
2020-Sep-09 19:18 UTC
[Bug 1463] nft --json list ruleset crashes
https://bugzilla.netfilter.org/show_bug.cgi?id=1463

--- Comment #5 from abrian at netapp.com ---
We do the configuration programmatically, some based on user provided configuration. Here are the commands that set up the rules in the example I provided above:

iptables -A INPUT -p tcp --syn -m multiport --dports 8082,8083,8084,8085 -m connlimit --connlimit-above 20000 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --syn -m multiport --dports 18082,18083,18084,18085 -m connlimit --connlimit-above 10000 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp --syn -m multiport --dports 8082,8083,8084,8085 -m connlimit --connlimit-above 20000 --connlimit-mask 0 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp --syn -m multiport --dports 18082,18083,18084,18085 -m connlimit --connlimit-above 10000 --connlimit-mask 0 -j REJECT --reject-with tcp-reset

Here are examples of the type of commands we use based on the user's configuration:

iptables -t nat -A OUTPUT -o $IFACE -p $PROTO --dport $D_PORT -j DNAT --to-destination :$S_PORT
iptables -t nat -A PREROUTING -i $IFACE -p $PROTO --dport $S_PORT -j REDIRECT --to-port $D_PORT