search for: anarey

https://bugzilla.netfilter.org/show_bug.cgi?id=985 Bug ID: 985 Summary: iptables-save cannot display devgroup rule the right way? Product: iptables Version: 1.4.x Hardware: x86_64 OS: other Status: NEW Severity: enhancement Priority: P5 Component: iptables

...and comparat Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 There is a problem with ranges and comparisons. Here some examples of this bug. With ttl: $ sudo nft add rule ip test input ip ttl 13-15 counter drop BUG: invalid byte order conversion 0 => 2 nft: src/evaluate.c:153: byteorder_conversion_op: Assertion `0&...

...9;t work Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: enhancement Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 * We add the following rule, and It doesn't show any error. $ sudo nft add rule ip6 test6 input icmpv6 id 2 * Then, We list the table, and It list the following message: $ sudo nft list table ip6 test6 table ip6 test6 { chain input { payl...

...y error. Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: enhancement Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey.spam at gmail.com Estimated Hours: 0.0 You can add a non-name set with 250 elements. All is ok $ sudo nft add table ip test-1 $ sudo sudo nft add chain ip test-1 input250 { type filter hook input priority 0 \; } $ sudo nft add rule ip test-1 input250 ip saddr { 127.2.2.201, 127.2.2.200, 1...

...of set. Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: enhancement Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey.spam at gmail.com Estimated Hours: 0.0 You can add a set with a long name (16 or more characters) but "nft" remanes it to another name with 15 characters without showing a error message. thenameofthissetistoolong (25 characters) => thenameofthisse (15 characters)(It is not OK) th...

...pv4 and ipv6) Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The following command-line parameter of "ah" iptables-extensions is not supported in nft yet: FIXED: reserver (--ahres in iptables) The last commit in Pablo git tree of kernel is "40e6442 netfilter: x_tables: allow to use cgroup match for LOC...

...supported Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The following command-line parameters of DNAT and SNAT iptables-extensions (in ipv4 and ipv6) are not supported in nft yet: --random --persistent The last commit in Pablo git tree of kernel is "40e6442 netfilter: x_tables: allow to use cgroup match for...

...supported Product: nftables Version: unspecified Platform: x86_64 OS/Version: All Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The following command-line parameters of log, ulog and nflog of iptables-extensions are not supported in nft yet: --log-level level --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid --log-macdecode --nflog-threshold size --nflog-range size --u...

...ot suppported Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The following command-line parameter in multiport of iptables-extensions is not supported in nft yet: --ports (iptables iprange) The last commit in Pablo git tree of kernel is "40e6442 netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks...

...of ip address Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 BUG: Is not possible invert a range of ip address. Here an example of this bug. $ sudo nft add rule ip test input ip daddr != 192.168.1.2-192.168.1.55 BUG: invalid data expression type range nft: src/netlink.c:300: netlink_gen_data: Assertion `0' failed....

...not supported Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The following icmp v4 types are not supported in nft (but these is suppported in iptables) Valid ICMP Types in iptables => Valid ICMP Type in nftables. any echo-reply (pong) => echo-reply in nft destination-unreachable => destinatio...

...not supported Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The following symbol in TOS of iptables-extensions are not supported in nft: [!] --tos symbol Accepted symbolic names for value are: (0x10) 16 Minimize-Delay (0x08) 8 Maximize-Throughput (0x04) 4 Maximize-Reliability...

...not supported Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The following command-line parameters in ECN iptables-extensions are not supported in nft yet: --ecn-tcp-ece --ecn-ip-ect The last commit in Pablo git tree of kernel is "40e6442 netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks"...

...ot supported. Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The following command-line parameter in SCTP iptables-extensions is not supported in nft yet: --chunk-types The last commit in Pablo git tree of kernel is "40e6442 netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks" The last comm...

...not supported Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The following command-line parameters in DCCP iptables-extensions is not supported in nft yet: --dccp-types --dccp-option The last commit in Pablo git tree of kernel is "40e6442 netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks"...

...d in nft Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: enhancement Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The following command-line parameters in limit iptables-extensions are not supported in nft yet: --limit-burst number number to match in a burst, default 5 The last commit in Pablo git tree of kernel is "40e6442 netfilter: x_tables: allow to use cgro...

...t mask in TOS Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 Without show some error message, you can add a rule using invert option with flags, but after, you can not show the table. Here some examples of this bug. $ sudo nft add rule ip test3 input ip tos and 0x04 == 0x02 counter accept $ sudo nft list table test3...

...on with queue Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 The correct use of option in queue is "[..] queue [..] options fanout, bypass [...] But, you can add the following rule in a table without It shows some error messages: $ sudo nft add rule ip test input queue num 2 total 3 options fanout options bypass...

...range in frag Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 Here a example of this bug: $ sudo nft add rule ip test input frag id != 22-26 ? BUG: invalid data expression type range nft: src/netlink.c:300: netlink_gen_data: Assertion `0' failed. The last commit in Pablo git tree of kernel is "40e6442 netfilt...

...with frag-off Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey at gmail.com Estimated Hours: 0.0 Without show some error message, you can add a rule using frag-off option with flag. After, when you show the table, it shows the followin error: $ sudo nft add rule ip test input frag frag-off 33 $ sudo nft list table ip test table ip test { chain inpu...