bugzilla-daemon at netfilter.org
2020-Sep-23  09:46 UTC
[Bug 1465] New: [vmap] ct state concatenation not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1465
            Bug ID: 1465
           Summary: [vmap] ct state concatenation not working
           Product: nftables
           Version: unspecified
          Hardware: All
                OS: Debian GNU/Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: nft
          Assignee: pablo at netfilter.org
          Reporter: vtolkm at gmail.com
kernel 5.9.0-rc6 armv7l | nft 0.9.6 
works:
ct state vmap { 1: drop, 2: accept, 4: accept }
not working:
ct state vmap { 1: drop, 2 . 4: accept }
Error: Can't parse symbolic invalid expressions
and neither:
ct state vmap { 1: drop, 2 and 4: accept }
ct state vmap { 1: drop, 2 & 4: accept }
where nft list ruleset then prints:
ct state vmap { 0x0 : accept, invalid : drop }
-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2020-Sep-23  10:25 UTC
[Bug 1465] [vmap] ct state concatenation not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1465
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to vtolkm from comment #0)
> kernel 5.9.0-rc6 armv7l | nft 0.9.6 
> 
> works:
> 
> ct state vmap { 1: drop, 2: accept, 4: accept }
hm. this is hard to read, why not simply use the existing flag definitions?
ct state vmap { invalid: drop, established: accept, related: accept }
> not working:
> 
> ct state vmap { 1: drop, 2 . 4: accept }
hm, this syntax is not correct. Why are you using a concatenation here?
Instead, you can combine flags via:
ct state vmap { invalid: drop, established,related: accept, related: accept }
bugzilla-daemon at netfilter.org
2020-Sep-23  10:26 UTC
[Bug 1465] [vmap] ct state concatenation not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1465
Pablo Neira Ayuso <pablo at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |---
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
hm, not enough coffee here, reopening :-)
bugzilla-daemon at netfilter.org
2020-Sep-23  10:30 UTC
[Bug 1465] [vmap] ct state concatenation not working
https://bugzilla.netfilter.org/show_bug.cgi?id=1465
--- Comment #3 from vtolkm at gmail.com ---
Probably should have mentioned initially that I also tried:
ct state vmap { 1: drop, 2,4: accept };
for better reading:
ct state vmap { invalid: drop, established,related: accept }
producing:
Error: syntax error, unexpected comma, expecting colon
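Why the `&` attempts in comment #0 list as `0x0`, shown as an added example that is not part of the original thread or of nftables: a simplified Python model that assumes a verdict map is an exact-match lookup and that each packet carries exactly one ct state bit. The `new` (8) and `untracked` (64) values, the OR-ed key and all function names are assumptions not taken from the thread.

```python
# Simplified model (assumption): a verdict map is an exact-match lookup on the
# value of `ct state`, and each packet carries exactly one state bit.
# 1, 2 and 4 are the values used in the thread; 8 and 64 are added here.
CT_STATE = {"invalid": 1, "established": 2, "related": 4, "new": 8, "untracked": 64}


def build_vmap(entries):
    """Build a key -> verdict table from (key_value, verdict) pairs.

    A repeated key keeps its first verdict (a choice made for this model)."""
    vmap = {}
    for key, verdict in entries:
        vmap.setdefault(key, verdict)
    return vmap


def verdicts(vmap):
    """Verdict per conntrack state. None means no element matched, so
    evaluation would continue with the next rule or the chain policy."""
    return {name: vmap.get(bit) for name, bit in CT_STATE.items()}


# The form reported as working: one element per state.
separate = build_vmap([(1, "drop"), (2, "accept"), (4, "accept")])

# `2 & 4` is a bitwise AND of two disjoint bits, i.e. the constant 0,
# which is consistent with the `0x0 : accept` element in the listing.
anded = build_vmap([(1, "drop"), (2 & 4, "accept")])

# A single OR-ed key (2 | 4 = 6), constructed for comparison only.
ored = build_vmap([(1, "drop"), (2 | 4, "accept")])

if __name__ == "__main__":
    for label, vmap in (("separate", separate), ("anded", anded), ("ored", ored)):
        print(label, {hex(k): v for k, v in vmap.items()}, verdicts(vmap))
```

Under this model only the one-element-per-state map gives established and related traffic a verdict; with the `0x0` key those packets match nothing and are left to later rules or the chain policy.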