bugzilla-daemon at netfilter.org
2020-Dec-28 18:55 UTC
[Bug 1489] New: "map" doesn't work as expected
https://bugzilla.netfilter.org/show_bug.cgi?id=1489
Bug ID: 1489
Summary: "map" doesn't work as expected
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: bugz at dragon-home.dyndns-mail.com
add table ip mangle
add chain ip mangle manout { type route hook output priority mangle; }
add rule ip mangle manout ct direction reply mark set ct original daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }

nft list ruleset
nft: netlink_delinearize.c:125: netlink_parse_concat_expr: Assertion `consumed > 0' failed.
Aborted

But

add rule ip mangle manout icmp type 8 mark set ip saddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }

works fine.

Debian10
linux-image-5.9.0-0.bpo.2-amd64 (5.9.6-1~bpo10+1)
nftables v0.9.6 (0.9.6-1~bpo10+1 amd64)
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20201228/21bbdc68/attachment.html>
bugzilla-daemon at netfilter.org
2021-Jan-15 17:26 UTC
[Bug 1489] "map" doesn't work as expected
https://bugzilla.netfilter.org/show_bug.cgi?id=1489
Pablo Neira Ayuso <pablo at netfilter.org> changed:
What    | Removed | Added
--------+---------+---------
Status  | NEW     | ASSIGNED
--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Please try with:

add table ip mangle
add chain ip mangle manout { type route hook output priority mangle; }
add rule ip mangle manout ct direction reply mark set ct original ip daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }

note the:

ct original ip daddr

instead of

ct original daddr

I agree that this needs a fix, i.e. a proper error report to the user instead of this crash.

Thanks.
bugzilla-daemon at netfilter.org
2021-Jan-15 17:46 UTC
[Bug 1489] "map" doesn't work as expected
https://bugzilla.netfilter.org/show_bug.cgi?id=1489
--- Comment #2 from Pablo Neira Ayuso <pablo at netfilter.org> ---
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20210115174520.28504-1-pablo at netfilter.org/
bugzilla-daemon at netfilter.org
2021-Jan-15 22:17 UTC
[Bug 1489] "map" doesn't work as expected
https://bugzilla.netfilter.org/show_bug.cgi?id=1489
--- Comment #3 from Alexander.S <bugz at dragon-home.dyndns-mail.com> ---
Thank you!

But one more thing.
Currently, instead of:

add rule ip mangle manout ct direction reply mark set ct original _ip_ daddr map { $ext1_ip : 0x11, $ext2_ip : 0x12 }

I use:

add rule ip mangle manout ct direction reply ct original daddr $ext1_ip mark set 0x11
add rule ip mangle manout ct direction reply ct original daddr $ext2_ip mark set 0x12

and it works without "ip".

In "https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Ct" examples are also without "ip".
bugzilla-daemon at netfilter.org
2021-Jan-15 22:27 UTC
[Bug 1489] "map" doesn't work as expected
https://bugzilla.netfilter.org/show_bug.cgi?id=1489
--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Alexander.S from comment #3)
> Thank you!
>
> But one more thing.
> Currently, instead of:
>
> add rule ip mangle manout ct direction reply mark set ct original _ip_ daddr
> map { $ext1_ip : 0x11, $ext2_ip : 0x12 }
>
> I use:
>
> add rule ip mangle manout ct direction reply ct original daddr $ext1_ip mark
> set 0x11
> add rule ip mangle manout ct direction reply ct original daddr $ext2_ip mark
> set 0x12
>
> and it works without "ip".

Yes, it's the legacy syntax which cannot be used with set/map/concatenation.
It only works in simple rules like the one above, but for more complex
operations, nft needs the "ip" prefix.

> In
> "https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-
> nftables_in_10_minutes#Ct" examples are also without "ip".

Thanks for spotting this, I have just updated the wiki.
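As an added example (not code from this thread or from the nftables project), a small Python lint for rule files that flags the legacy `ct <direction> <saddr|daddr>` form only where comment #4 says it breaks, inside a map, set or concatenation, and proposes the family-qualified rewrite from comment #1. The sample rules use constructed documentation addresses instead of the reporter's variables, and the context detection is a regex heuristic, not nft's real parser.

```python
import re
from typing import List, Optional

# Constructed sample rules (placeholders, not the thread's exact text): the form
# that crashed nft 0.9.6 in this report, the corrected form from comment #1,
# the plain match from comment #3 that the legacy syntax still accepts, and a
# concatenation against a named set, which needs the family keyword likewise.
RULES = [
    "add rule ip mangle manout ct direction reply mark set ct original daddr map { 192.0.2.1 : 0x11, 192.0.2.2 : 0x12 }",
    "add rule ip mangle manout ct direction reply mark set ct original ip daddr map { 192.0.2.1 : 0x11, 192.0.2.2 : 0x12 }",
    "add rule ip mangle manout ct direction reply ct original daddr 192.0.2.1 mark set 0x11",
    "add rule ip6 filter input ct original saddr . ct original proto-dst @allowed accept",
]

# Legacy form: ct <direction> <saddr|daddr> with no ip/ip6 keyword in between.
LEGACY_CT = re.compile(r"\bct\s+(original|reply)\s+(saddr|daddr)\b")
# Heuristic (an assumption of this lint) for the contexts comment #4 names:
# map/vmap, an anonymous set or map literal, a named set reference, or the
# concatenation operator.
COMPLEX_CTX = re.compile(r"\bv?map\b|\{|(?<!\S)@\w+|\s\.\s")


def legacy_ct_in_complex_rule(rule: str) -> List[str]:
    """Legacy ct address expressions in a rule that also uses a map, set or
    concatenation; an empty list means the rule is fine as written."""
    if not COMPLEX_CTX.search(rule):
        return []
    return [m.group(0) for m in LEGACY_CT.finditer(rule)]


def rule_family(rule: str) -> Optional[str]:
    """Address family of an 'add rule <family> <table> <chain> ...' line."""
    tokens = rule.split()
    return tokens[2] if tokens[:2] == ["add", "rule"] and len(tokens) > 2 else None


def rewrite_with_family(rule: str) -> Optional[str]:
    """Insert the explicit family keyword. Unambiguous only for ip and ip6
    tables; for inet and other families a human has to choose, so return None."""
    family = rule_family(rule)
    if family not in ("ip", "ip6"):
        return None
    return LEGACY_CT.sub(lambda m: f"ct {m.group(1)} {family} {m.group(2)}", rule)


if __name__ == "__main__":
    for rule in RULES:
        for hit in legacy_ct_in_complex_rule(rule):
            print(f"legacy '{hit}' inside a map/set/concatenation rule")
            print(f"  suggested: {rewrite_with_family(rule)}")
```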