Displaying 20 results from an estimated 143 matches for "daddr".
2020 Mar 26
2
[Bug 1414] New: Using ip6 daddr in nat input chain is rejected with an incorrect error
https://bugzilla.netfilter.org/show_bug.cgi?id=1414
Bug ID: 1414
Summary: Using ip6 daddr in nat input chain is rejected with an
incorrect error
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
A...
2020 Jan 15
4
[Bug 1397] New: What am I doing wrong!?
...om
code snippet
table inet nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
fib saddr . iif oif 0 counter drop
fib saddr . iif oif "lo" counter accept
fib saddr . iif oif "$inet_if" counter accept
fib daddr . iif type { local, broadcast, multicast } counter accept
ip daddr 10.0.0.11 tcp dport 80 dnat to 8080
ip daddr 10.0.0.11 udp dport 80 dnat to 8080
ip daddr 10.0.0.11 tcp dport 80 redirect to 8080
ip daddr 10.0.0.11 udp dport 80 redirect to 8080
ip6 d...
2020 Feb 27
9
[Bug 1410] New: STATELESS, rules with notrack into a map
...Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: e.lohmann at mdex.de
I would like to put rules like this into a map. But there is no command (set)
to use the map in raw, like we do it in STATEFUL with dnat / snat.
nft add rule raw PREROUTING ip daddr *publicIP* counter notrack ip daddr set
*privateIP*
nft add rule raw PREROUTING ip saddr *privateIP* counter notrack ip saddr set
*publicIP*
I do this in STATEFUL with:
dnat to ip daddr map @pubip_pre
snat to ip saddr map @pubip_post
Open for any discussion and questions, thanks in advance, ei...
2018 Dec 19
5
[Bug 1310] New: syntax issue with tproxy
...Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: arturo at debian.org
Not sure if really a syntax issue or a documentation issue.
Original Debian bug: https://bugs.debian.org/916863
>>
>> # nft add rule inet filter divert 'ip6 daddr ::/0 meta l4proto tcp tproxy to :2000 meta mark set 1 accept'
>> Error: syntax error, unexpected to
>> add rule inet filter divert ip6 daddr ::/0 meta l4proto tcp tproxy to :2000 meta mark set 1 accept
>> ^^
&g...
2019 Dec 04
2
[Bug 1385] New: Incorrectly evaluated expression with negated ip saddr and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385
Bug ID: 1385
Summary: Incorrectly evaluated expression with negated ip saddr
and negated ip daddr
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: spam.fa.ku...
2024 Apr 03
9
[Bug 1742] New: using nfqueue breaks SCTP connection (tracking)
...I've added a trace (by the way kudos for the tracing functionality is really a
great improvement) and I can see how the packet is dropped in a rule that drops
connections with invalid state
trace id 0329b184 ip filter trace_chain packet: iif "eth0" ether saddr
02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr 10.244.1.47 ip daddr
10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 63 ip id 0 ip length 68 sctp sport
47261 sctp dport 8080 sctp vtag 0 @th,96,64 0x10000240486b6e3
trace id 0329b184 ip filter trace_chain rule ip protocol sctp meta nftrace set
1 (verdict continue)
trace id 03...
2024 Feb 22
4
[Bug 1737] New: meta hour error with different time-zones
...ifferent time zone (for example
Australia/Sydney), rules are written correctly, but they do not match as
expected.
### Config and date
For example:
table ip vyos_filter {
chain VYOS_OUTPUT_filter {
type filter hook output priority filter; policy accept;
ip daddr 1.1.1.1 meta hour >= "03:01" meta hour < "08:00"
counter packets 1 bytes 84 accept comment "ipv4-OUT-filter-10"
ip daddr 8.8.8.8 meta hour >= "03:01" meta hour < "14:00"
counter packets 0 bytes 0 accept comment "ipv4...
2020 Jan 07
4
[Bug 1396] New: When rule with 3 concat elements are added, nft list shows only 2
...iority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: sbezverk at cisco.com
table ip ipv4table {
map cluster-ip-services-set {
type inet_proto . ipv4_addr . inet_service : verdict
}
chain k8s-nat-mark-masq {
ip protocol . ip daddr vmap @cluster-ip-services-set
}
chain k8s-nat-do-mark-masq {
meta mark set 0x00004000 return
}
}
the command to add rule to k8s-nat-mark-masq chain is:
sudo nft add rule ipv4table k8s-nat-mark-masq ip protocol . ip daddr . th dport
vmap @cluster-ip-services-set
It does not f...
2008 Sep 12
4
Custom build kernel patch fails big time.
..._entry *dst, *dst_prev;
struct rtable *rt0 = (struct rtable*)(*dst_p);
struct rtable *rt = rt0;
- u32 remote = fl->fl4_dst;
- u32 local = fl->fl4_src;
struct flowi fl_tunnel = {
.nl_u = {
.ip4_u = {
- .saddr = local,
- .daddr = remote,
+ .saddr = fl->fl4_dst,
+ .daddr = fl->fl4_src,
.tos = fl->fl4_tos
}
}
};
+ union {
+ struct in6_addr *in6;
+ struct in_addr *in;
+ } remote, local;
+ unsigned short outer_family = 0,...
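Review bot: in the fl_tunnel initializer the added lines set .saddr from fl->fl4_dst and .daddr from fl->fl4_src, which is the reverse of the removed lines (local was fl->fl4_src and fed .saddr, remote was fl->fl4_dst and fed .daddr). If reversing source and destination for the tunnel lookup is intended, say so in a comment next to the initializer; otherwise keep `.saddr = fl->fl4_src` and `.daddr = fl->fl4_dst`. The new remote/local union also reuses the names of the removed u32 variables with a different type, so any later use of them in this function needs checking.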
2018 Jan 10
5
[Bug 1213] New: Nft stateless NAT (NOTRACK)
...I'd like to use stateless NAT (1:1) instead of iptables.
nft add table NAT
nft add chain NAT prerouting {type nat hook prerouting priority - 300 \; }
nft add chain NAT postrouting {type nat hook postrouting priority - 300 \; }
nft add rule NAT prerouting counter
nft add rule NAT prerouting ip daddr 192.168.204.60 notrack counter
nft add rule NAT prerouting counter
The counter value of prerouting is zero.
table ip NAT{
chain prerouting {
counter packets 0 bytes 0
ip daddr 192.168.204.60 notrack counter packets 0 bytes 0
counter packets 0 bytes 0
}
Tha...
2016 Mar 08
4
[Bug 1057] New: Allow for multiple protocols to be specified in a rule
...oth UDP as well as TCP, I have to specify two rules
each time I want to allow DNS traffic. This looks something like this:
oif eth0 udp dport domain accept
oif eth0 tcp dport domain accept
In an example found online [1] someone showed the following example:
{udp, tcp} sport domain ip daddr 127.0.0.1 accept
Apparently this was never tested. At least it doesn't work for me. For the
example above it would look something like this:
oif eth0 {udp, tcp} dport domain accept
This would make rulesets easier to read, which is why I want to suggest this as
future enhancement.
[1]: h...
2017 Aug 24
5
[Bug 1179] New: vmap and sets cause "BUG: invalid range expression type set"
..._pre_nat {
# Configured here for possibility that the external interface
# is on a blackhole net (for testing)
# Reexamine after testing completed
ip saddr vmap { $if_external_net_ipv4 : continue,
@blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_src }
ip daddr vmap { $if_external_addrs_ipv4 : continue,
@blackhole_ipv4 : jump log_drop_ext_pre_pre_nat_dst }
return
}
}
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <...
2018 Sep 25
2
bpf compilation using clang
...addr) + 1),
load_byte(skb, nhoff +
offsetof(struct iphdr, saddr) + 2),
load_byte(skb, nhoff +
offsetof(struct iphdr, saddr) + 3)),
.dst_addr = IPv4(load_byte(skb, nhoff +
offsetof(struct iphdr, daddr)),
load_byte(skb, nhoff +
offsetof(struct iphdr, daddr) + 1),
load_byte(skb, nhoff +
offsetof(struct iphdr, daddr) + 2),
load_byte(skb, nhoff +
offsetof(struct iphdr, daddr) +...
2019 Jul 30
0
[PATCH 05/13] mm: remove the unused vma argument to hmm_range_dma_unmap
...mm/hmm.c | 2 --
2 files changed, 3 deletions(-)
diff --git a/include/linux/hmm.h b/include/linux/hmm.h
index 82265118d94a..59be0aa2476d 100644
--- a/include/linux/hmm.h
+++ b/include/linux/hmm.h
@@ -422,7 +422,6 @@ long hmm_range_dma_map(struct hmm_range *range,
dma_addr_t *daddrs,
unsigned int flags);
long hmm_range_dma_unmap(struct hmm_range *range,
- struct vm_area_struct *vma,
struct device *device,
dma_addr_t *daddrs,
bool dirty);
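Review bot: the hmm_range_dma_unmap() prototype in include/linux/hmm.h drops its vma parameter, yet the diffstat lists only hmm.h and mm/hmm.c, so no caller is converted by this patch. The commit message should state that the function has no in-tree callers, or the callers should be updated in the same patch, because any remaining caller that still passes a vma will stop compiling.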
diff --git a/mm/hmm.c b/mm/hmm.c
index d66fa29b42e0..3a3852660757 100644
--- a/mm/hmm.c
+++ b/mm/hmm.c
@@ -1121...
2017 Jan 13
1
[Bug 1112] New: xtables-compat-multi fails to parse comments
...' is part of the match rule, the jump verdict is appended
to the ending quote.
For example:
# iptables-translate -A INPUT -p tcp -m tcp --sport http -s 192.168.0.0/16 -d
192.168.0.0/16 -j LONGNACCEPT -m comment --comment "foobar"
nft add rule ip filter INPUT ip saddr 192.168.0.0/16 ip daddr 192.168.0.0/16
tcp sport 80 counter comment \"foobar\"jump LONGNACCEPT
Note that even without comment with double-quotes (i.e. --comment "foobar"), it
will add quotes:
# iptables-translate -A FORWARD -p tcp -m tcp --sport http -s 192.168.0.0/16 -d
192.168.0.0/16 -j DROP -m com...
2020 Jun 06
0
[ANNOUNCE] nftables 0.9.5 release
...set y {
typeof ip saddr
counter
elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
}
chain z {
type filter hook output priority filter; policy accept;
ip daddr @y
}
}
The counter statement in the set `y' definition turns on counters.
* Support for restoring set element counters via nft -f.
# cat ruleset.nft
table ip x {
set y {
typeof ip saddr
counter
elements = { 192.168.1...
2016 Feb 28
9
[Bug 1051] New: nftables DNAT not working
...add rule inet filter forward counter
# nft add chain inet filter output { type filter hook output priority 0 \;
policy accept\; }
# nft add rule inet filter output counter
# nft add table nat
# nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
# nft add rule nat prerouting ip daddr 1.2.3.4 tcp dport 80 counter dnat
1.2.3.4:8080
# nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
But the traffic doesn't redirect to 8080 (there is 0 bytes/packets)
# nft list table nat -a -nn
table ip nat {
chain prerouting {
type nat hook pre...
2020 Apr 10
15
[Bug 1422] New: iptables-nft fails to check / delete rules in raw table
https://bugzilla.netfilter.org/show_bug.cgi?id=1422
Bug ID: 1422
Summary: iptables-nft fails to check / delete rules in raw
table
Product: iptables
Version: 1.6.x
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: iptables
2024 Jan 23
1
[PATCH][next] drm/nouveau/fifo/gk104: remove redundant variable ret
On Tue, Jan 23, 2024 at 12:04:23AM +0100, Danilo Krummrich wrote:
> On 1/16/24 13:31, Dan Carpenter wrote:
> > On Tue, Jan 16, 2024 at 11:16:09AM +0000, Colin Ian King wrote:
> > > The variable ret is being assigned a value but it isn't being
> > > read afterwards. The assignment is redundant and so ret can be
> > > removed.
> > >
> > >
2019 Oct 10
13
[Bug 1371] New: Concatenations Literal sets
...OS: other
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: tad1073 at gmail.com
inet.nft:97:44-51: Error: syntax error, unexpected protocol
iif $int_if0 ip6 saddr . ip6 daddr . ip6 protocol { $g6dns . $myip_v6 .
tcp, $g6dns . $myip_v6 . udp } jump global_dns_in
^^^^^^^^