search for: daddr

Displaying 20 results from an estimated 143 matches for "daddr".

2020 Mar 26
2
[Bug 1414] New: Using ip6 daddr in nat input chain is rejected with an incorrect error
https://bugzilla.netfilter.org/show_bug.cgi?id=1414 Bug ID: 1414 Summary: Using ip6 daddr in nat input chain is rejected with an incorrect error Product: nftables Version: unspecified Hardware: x86_64 OS: Ubuntu Status: NEW Severity: normal Priority: P5 Component: nft A...
2020 Jan 15
4
[Bug 1397] New: What am I doing wrong!?
...om code snippet table inet nat { chain prerouting { type nat hook prerouting priority dstnat; policy accept; fib saddr . iif oif 0 counter drop fib saddr . iif oif "lo" counter accept fib saddr . iif oif "$inet_if" counter accept fib daddr . iif type { local, broadcast, multicast } counter accept ip daddr 10.0.0.11 tcp dport 80 dnat to 8080 ip daddr 10.0.0.11 udp dport 80 dnat to 8080 ip daddr 10.0.0.11 tcp dport 80 redirect to 8080 ip daddr 10.0.0.11 udp dport 80 redirect to 8080 ip6 d...
2020 Feb 27
9
[Bug 1410] New: STATELESS, rules with notrack into a map
...Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: e.lohmann at mdex.de I would like to put rules like this into a map. But there is no command (set) to use the map in raw, like we do it in STATEFULL with dnat / snat. nft add rule raw PREROUTING ip daddr *publicIP* counter notrack ip daddr set *privateIP* nft add rule raw PREROUTING ip saddr *privateIP* counter notrack ip saddr set *publicIP* I do this in STATEFULL with: dnat to ip daddr map @pubip_pre snat to ip saddr map @pubip_post Open for any discussion and questions, thanks in forward, ei...
2018 Dec 19
5
[Bug 1310] New: syntax issue with tproxy
...Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: arturo at debian.org Not sure if really a syntax issue or a documentation issue. Original Debian bug: https://bugs.debian.org/916863 >> >> # nft add rule inet filter divert 'ip6 daddr ::/0 meta l4proto tcp tproxy to :2000 meta mark set 1 accept' >> Error: syntax error, unexpected to >> add rule inet filter divert ip6 daddr ::/0 meta l4proto tcp tproxy to :2000 meta mark set 1 accept >> ^^ >...
2019 Dec 04
2
[Bug 1385] New: Incorrectly evaluated expression with negated ip saddr and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385 Bug ID: 1385 Summary: Incorrectly evaluated expression with negated ip saddr and negated ip daddr Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: kernel Assignee: pablo at netfilter.org Reporter: spam.fa.ku...
2024 Apr 03
9
[Bug 1742] New: using nfqueue breaks SCTP connection (tracking)
...I've added a trace (by the way kudos for the tracing functionality is really a great improvement) and I can see how the packet is dropped in a rule that drops connections with invalid state trace id 0329b184 ip filter trace_chain packet: iif "eth0" ether saddr 02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr 10.244.1.47 ip daddr 10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 63 ip id 0 ip length 68 sctp sport 47261 sctp dport 8080 sctp vtag 0 @th,96,64 0x10000240486b6e3 trace id 0329b184 ip filter trace_chain rule ip protocol sctp meta nftrace set 1 (verdict continue) trace id 03...
2024 Feb 22
4
[Bug 1737] New: meta hour error with different time-zones
...ifferent time zone (for example Australia/Sydney), rules are written correctly, but they do not match as expected. ### Config and date For example: table ip vyos_filter { chain VYOS_OUTPUT_filter { type filter hook output priority filter; policy accept; ip daddr 1.1.1.1 meta hour >= "03:01" meta hour < "08:00" counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10" ip daddr 8.8.8.8 meta hour >= "03:01" meta hour < "14:00" counter packets 0 bytes 0 accept comment "ipv4...
2020 Jan 07
4
[Bug 1396] New: When rule with 3 concat elements are added, nft list shows only 2
...iority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: sbezverk at cisco.com table ip ipv4table { map cluster-ip-services-set { type inet_proto . ipv4_addr . inet_service : verdict } chain k8s-nat-mark-masq { ip protocol . ip daddr vmap @cluster-ip-services-set } chain k8s-nat-do-mark-masq { meta mark set 0x00004000 return } } the command to add rule to k8s-nat-mark-masq chain is: sudo nft add rule ipv4table k8s-nat-mark-masq ip protocol . ip daddr . th dport vmap @cluster-ip-services-set It does not f...
2008 Sep 12
4
Custom build kernel patch fails big time.
..._entry *dst, *dst_prev; struct rtable *rt0 = (struct rtable*)(*dst_p); struct rtable *rt = rt0; - u32 remote = fl->fl4_dst; - u32 local = fl->fl4_src; struct flowi fl_tunnel = { .nl_u = { .ip4_u = { - .saddr = local, - .daddr = remote, + .saddr = fl->fl4_dst, + .daddr = fl->fl4_src, .tos = fl->fl4_tos } } }; + union { + struct in6_addr *in6; + struct in_addr *in; + } remote, local; + unsigned short outer_family = 0,...
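Review bot: in the fl_tunnel initializer, the added lines reverse the address assignment relative to the code they replace. The removed lines set .saddr = local and .daddr = remote, where local was fl->fl4_src and remote was fl->fl4_dst; the new lines set .saddr = fl->fl4_dst and .daddr = fl->fl4_src, so the tunnel flow's source and destination are swapped. If the swap is not intended, the initializer should read .saddr = fl->fl4_src, .daddr = fl->fl4_dst; if it is intended, it needs a comment saying why. The new union also reuses the names remote and local with pointer types, which makes the change harder to follow against the removed u32 variables.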
2018 Jan 10
5
[Bug 1213] New: Nft stateless NAT (NOTRACK)
...I'd like to use stateless NAT (1:1)instead of iptables. nft add table NAT nft add chain NAT prerouting {type nat hook prerouting priority - 300 \; } nft add chain NAT postrouting {type nat hook postrouting priority - 300 \; } nft add rule NAT prerouting counter nft add rule NAT prerouting ip daddr 192.168.204.60 notrack counter nft add rule NAT prerouting counter The counter value of prerouting is zero. table ip NAT{ chain prerouting { counter packets 0 bytes 0 ip daddr 192.168.204.60 notrack counter packets 0 bytes 0 counter packets 0 bytes 0 } Tha...
2016 Mar 08
4
[Bug 1057] New: Allow for multiple protocols to be specified in a rule
...oth UDP as well as TCP, I have to specify two rules each time I want to allow DNS traffic. This looks something like this: oif eth0 udp dport domain accept oif eth0 tcp dport domain accept In an example found online [1] someone showed the following example: {udp, tcp} sport domain ip daddr 127.0.0.1 accept Apparently this was never tested. At least it doesn't work for me. For the example above it would look something like this: oif eth0 {udp, tcp} dport domain accept This would make rulesets easier to read, which is why I want to suggest this as future enhancement. [1]: h...
2017 Aug 24
5
[Bug 1179] New: vmap and sets cause "BUG: invalid range expression type set"
..._pre_nat { # Configured here for possiblity that the external interface # is on a blackhole net (for testing) # Reexamine after testing completed ip saddr vmap { $if_external_net_ipv4 : continue, @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_src } ip daddr vmap { $if_external_addrs_ipv4 : continue, @blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_dst } return } } ...
2018 Sep 25
2
bpf compilation using clang
...addr) + 1), load_byte(skb, nhoff + offsetof(struct iphdr, saddr) + 2), load_byte(skb, nhoff + offsetof(struct iphdr, saddr) + 3)), .dst_addr = IPv4(load_byte(skb, nhoff + offsetof(struct iphdr, daddr)), load_byte(skb, nhoff + offsetof(struct iphdr, daddr) + 1), load_byte(skb, nhoff + offsetof(struct iphdr, daddr) + 2), load_byte(skb, nhoff + offsetof(struct iphdr, daddr) +...
2019 Jul 30
0
[PATCH 05/13] mm: remove the unused vma argument to hmm_range_dma_unmap
...mm/hmm.c | 2 -- 2 files changed, 3 deletions(-) diff --git a/include/linux/hmm.h b/include/linux/hmm.h index 82265118d94a..59be0aa2476d 100644 --- a/include/linux/hmm.h +++ b/include/linux/hmm.h @@ -422,7 +422,6 @@ long hmm_range_dma_map(struct hmm_range *range, dma_addr_t *daddrs, unsigned int flags); long hmm_range_dma_unmap(struct hmm_range *range, - struct vm_area_struct *vma, struct device *device, dma_addr_t *daddrs, bool dirty); diff --git a/mm/hmm.c b/mm/hmm.c index d66fa29b42e0..3a3852660757 100644 --- a/mm/hmm.c +++ b/mm/hmm.c @@ -1121...
2017 Jan 13
1
[Bug 1112] New: xtables-compat-multi fails to parse comments
...' is part of the match rule, the jump verdict is appended to the ending quote. For example: # iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar" nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16 tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT Note that even without comment with double-quotes (i.e. --comment "foobar"), it will add quotes: # iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d 192.168.0.0/16 -j DROP -m com...
2020 Jun 06
0
[ANNOUNCE] nftables 0.9.5 release
...set y { typeof ip saddr counter elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 } } chain z { type filter hook output priority filter; policy accept; ip daddr @y } } The counter statement in the set `y' definition turns on counters. * Support for restoring set element counters via nft -f. # cat ruleset.nft table ip x { set y { typeof ip saddr counter elements = { 192.168.1...
2016 Feb 28
9
[Bug 1051] New: nftables DNAT not working
...add rule inet filter forward counter # nft add chain inet filter output { type filter hook output priority 0 \; policy accept\; } # nft add rule inet filter output counter # nft add table nat # nft add chain nat prerouting { type nat hook prerouting priority 0 \; } # nft add rule nat prerouting ip daddr 1.2.3.4 tcp dport 80 counter dnat 1.2.3.4:8080 # nft add chain nat postrouting { type nat hook postrouting priority 0 \; } But the traffic doesn't redirect to 8080 (there is 0 bytes/packets) # nft list table nat -a -nn table ip nat { chain prerouting { type nat hook pre...
2020 Apr 10
15
[Bug 1422] New: iptables-nft fails to check / delete rules in raw table
https://bugzilla.netfilter.org/show_bug.cgi?id=1422 Bug ID: 1422 Summary: iptables-nft fails to check / delete rules in raw table Product: iptables Version: 1.6.x Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: major Priority: P5 Component: iptables
2024 Jan 23
1
[PATCH][next] drm/nouveau/fifo/gk104: remove redundant variable ret
On Tue, Jan 23, 2024 at 12:04:23AM +0100, Danilo Krummrich wrote: > On 1/16/24 13:31, Dan Carpenter wrote: > > On Tue, Jan 16, 2024 at 11:16:09AM +0000, Colin Ian King wrote: > > > The variable ret is being assigned a value but it isn't being > > > read afterwards. The assignment is redundant and so ret can be > > > removed. > > > > > >
2019 Oct 10
13
[Bug 1371] New: Concatenations Literal sets
...OS: other Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: tad1073 at gmail.com inet.nft:97:44-51: Error: syntax error, unexpected protocol iif $int_if0 ip6 saddr . ip6 daddr . ip6 protocol { $g6dns . $myip_v6 . tcp, $g6dns . $myip_v6 . udp } jump global_dns_in ^^^^^^^^ ...