search for: inet_service

Displaying 20 results from an estimated 29 matches for "inet_service".

2017 Aug 22
2
[Bug 1174] New: 'define' functionality not sufficient for maintaining sets and the like
...he elements declaration, but important: * To clearly indicate that the intended initial condition is empty * For automated script-generation tools which would otherwise need to test for and branch if there were no elements Typical context: table ip global { set forwarded_ports { type inet_service elements = { 80, 443 } } set some_ports_set { type inet_service elements = { $some_ports } } set no_forwarded_ports { type inet_service # elements = { } # fails } } ...
2017 Sep 22
13
[Bug 1185] New: counter flag proposal for sets and maps
https://bugzilla.netfilter.org/show_bug.cgi?id=1185 Bug ID: 1185 Summary: counter flag proposal for sets and maps Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org
2017 Mar 20
1
[Bug 1134] New: snat and dnat should accept mapping concatenated values for address and port
...sion: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: rwhite at pobox.com If the result value of a map is ipv[46]_addr . inet_service then a dnat or snat directive should understand that these are the address and port values for statement. so... table example { dnat_info { type inet_service : ipv4_addr . inet_service elements = { 80 : 192.168.13.5 . 8080 } } chain foo { dnat tcp port @dnat_info...
2018 Oct 16
7
[Bug 1282] New: SIGSEGV on loading tables
...el response The following configuration crashes nftables. I run "nft -e -f main.conf" and nft crashes, apparently on response from kernel (strace attached). When I run without -e option it just silently fails. #!/usr/sbin/nft -f add table inet main add set inet main tcp_public { type inet_service; } add set inet main udp_public { type inet_service; } add set inet main udp_trusted { type inet_service; } add set inet main tcp_trusted { type inet_service; } add set inet main blacklist { type ipv4_addr; flags interval; } add set inet main ossec4 { type ipv4_addr; } add set inet main osse...
2020 Jan 07
4
[Bug 1396] New: When rule with 3 concat elements are added, nft list shows only 2
...OS: All Status: NEW Severity: critical Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: sbezverk at cisco.com table ip ipv4table { map cluster-ip-services-set { type inet_proto . ipv4_addr . inet_service : verdict } chain k8s-nat-mark-masq { ip protocol . ip daddr vmap @cluster-ip-services-set } chain k8s-nat-do-mark-masq { meta mark set 0x00004000 return } } the command to add rule to k8s-nat-mark-masq chain is: sudo nft add rule ipv4table k8s-nat-mark-masq...
2018 Apr 29
2
[Bug 1252] New: comment doesn't work with ranges in sets
...5 Component: nft Assignee: pablo at netfilter.org Reporter: sub at ryper.org When creating a set and including a range of ports in it, the comment function seems to disappear from the "nft list ruleset -nn" output. Example configuration: set test { type inet_service flags interval elements = { 1111 comment "test1", 2222-3333 comment "test2", 4444 comment "test3", 5555-6666 comment "test4" } } And here is the output from "nft list ruleset -nn" set test...
2020 Apr 28
2
[Bug 1425] New: th not accepted in snat with multiple ip protocols
...everity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: fasnacht at protonmail.ch Hello, For tracking, here's a bug I'm experiencing, with the following, in an inet table: map nat-int-ext-port-v4 { type ipv4_addr . inet_service . inet_proto : inet_service } [...] ip protocol {udp, tcp} snat ip to $host_ipv4_address : ip saddr . th sport . ip protocol map @nat-int-ext-port-v4 I get: Error: transport protocol mapping is only valid after transport protocol match It works fine with restricting ip protocol to one single...
2020 Sep 04
3
[Bug 1462] New: `nft -j list set` does not show counters
...rmal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: dev at doubly.so I have a set with counters. I can see their values in a rather unreadable format: # nft list set inet dev ports_udp table inet dev { set ports_udp { type inet_service size 65536 flags dynamic,timeout timeout 30d elements = { 53 expires 29d23h58m25s672ms counter packets 35 bytes 2515, 389 expires 29d23h59m15s144ms counter packets 1 bytes 80, 515 expires 29d23h56m14s136ms counter packets 1 bytes 57, 1194 expires 29d23h58m18s460ms co...
2018 Jun 27
3
[Bug 1265] New: Creating named sets concatenating ifname and anything else does not work
...riority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: niconorsk at gmail.com Testing with the 0.9.0 release which added the ability to create named sets with type ifname Get the following error: > nft create set inet filter keepalived_ranges4 { type inet_service . ifname \; } > Error: Empty string is not allowed > create set inet filter keepalived_ranges4 { type inet_service . ifname ; } Getting this working would be a great help towards having a replacement for the net,iface ipset type ...
2017 Aug 23
3
[Bug 1175] New: Document limitations on identifier names
https://bugzilla.netfilter.org/show_bug.cgi?id=1175 Bug ID: 1175 Summary: Document limitations on identifier names Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org
2014 Feb 05
3
[Bug 896] New: You can not add the follow kinds of sets: mark, integer, string, lladdr
...AssignedTo: pablo at netfilter.org ReportedBy: anarey.spam at gmail.com Estimated Hours: 0.0 It's impossible to add these specific kinds of sets: mark, integer, string, lladdr. You can only add ipv4_address, ipv6_address (bug https://bugzilla.netfilter.org/show_bug.cgi?id=895) and inet_service sets. (tests) $ sudo nft add set ip t-ip2 set-mark { type mark\;} <cmdline>:1:34-37: Error: syntax error, unexpected mark, expecting string add set ip t-ip2 set-mark { type mark;} ^^^^ (tests) $ sudo nft add set ip t-ip2 set-integer { type integer\;} <cm...
2020 Apr 01
0
[ANNOUNCE] nftables 0.9.4 release
...sents: nftables 0.9.4 This release contains fixes and new features available up to the Linux kernel 5.6 release. * Support for ranges in concatenations (requires Linux kernel >= 5.6), e.g. table ip foo { set whitelist { type ipv4_addr . ipv4_addr . inet_service flags interval elements = { 192.168.10.35-192.168.10.40 . 192.68.11.123-192.168.11.125 . 80 } } chain bar { type filter hook prerouting priority filter; policy drop; ip saddr . ip daddr . tcp dport @w...
2017 Aug 23
7
[Bug 1176] New: Invalid identifiers produce unhelpful error messages
https://bugzilla.netfilter.org/show_bug.cgi?id=1176 Bug ID: 1176 Summary: Invalid identifiers produce unhelpful error messages Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: critical Priority: P5 Component: nft Assignee: pablo at
2020 Jan 06
9
[Bug 1395] New: Add element fails with Error: Could not process rule: Invalid argument
...Severity: critical Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: sbezverk at cisco.com Here is defined vmap: table ip ipv4table { map no-endpoints-services { type inet_proto . ipv4_addr . inet_service : verdict } When I try to add an element to the vmap I get an error: ``` sudo nft --debug all add element ipv4table no-endpoints-services { tcp . 192.168.80.104 . 8989 : goto do_reject } Error: Could not process rule: Invalid argument add element ipv4table no-endpoints-serv...
2020 Jun 18
10
[Bug 1434] New: Usability improvements, enabling creation of complex firewalls
https://bugzilla.netfilter.org/show_bug.cgi?id=1434 Bug ID: 1434 Summary: Usability improvements, enabling creation of complex firewalls Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft
2017 Mar 17
0
[Bug 1132] New: Maps and Dictionaries need catch-all ('default:' 'else') case for when no entry matches.
...hen no entry matches. This doesn't really make sense for plain sets where membership is what's being tested, but for the branch-like implicit in mapping it's 'very hard' to create some kinds of 'else' branch. So like... table ip example { map server { type inet_service : ipv4_addr flags interval, default default = 172.18.0.2 elements = { 9994 : 172.18.0.5} } } Default is, obviously, just the result data type with none of the key parts, so it's not really part of the elements = {} part. using elements = { default: 17.18.0.2 } is...
2017 Mar 23
0
[Bug 1137] New: Element "flow tables" should not be syntactically unique...
...nd "list flow table tablename flowname" are so similar in function but have a different word count and are not orthogonal to add and delete and clear etc. So if they were just like sets this would be so much less confusing. table ip example { gauge dhcp_throttle { type ipv4_addr . inet_service flags whatever, whateverelse } On 03/22/17 16:25, Pablo Neira Ayuso wrote: > This would provide a way to restore flow table between reboots, so we > could even pre-populate them with elements. chain dhcp_traffic { gauge { ip saddr limit over 200/day } drop gauge @dhcp_thrott...
2017 Nov 06
2
[Bug 1200] New: anonymous sets containing port numbers
...ilter.org Reporter: bugzilla at hard-wired.net nftables 0.8 will fail. 0.7 was working. An nft rule containing an anonymous set with port numbers will just be ignored : this will fail : tcp dport { ftp, ssh, smtp, domain, http } accept This will work : set output_tcp_sports { type inet_service elements = { ssh, smtp, domain, http } } tcp dport @output_tcp_dports accept ...
2020 Aug 27
0
[Bug 1455] New: Queue verdict cannot be used in vmap
...at gmail.com I'm not sure if this is a bug, not implemented, or as designed. I am trying to use a vmap to direct traffic to NFQueue when specific criteria are matched. The map has been defined and a rule using it: table ip filter { map AppControl_TCP { type ipv4_addr . ipv4_addr . inet_service : verdict } chain Forward { type filter hook forward priority filter; policy drop; ip saddr . ip daddr . tcp dport vmap @AppControl_TCP } ... } But I cannot assign the verdict "queue num 3" to the map. The following error is returned when importing the ruleset with nft...
2016 Dec 20
0
[ANNOUNCE] nftables 0.7 release
...usage as several users requested on the mailing list. * Allow to use variable reference for set element definitions, eg. # cat ruleset.nft define s-ext-2-int = { 10.10.10.10 . 25, 10.10.10.10 . 143 } table inet forward { set s-ext-2-int { type ipv4_addr . inet_service elements = $s-ext-2-int } } # nft -f ruleset.nft Useful to improve ruleset maintainability, as you can split out variable and set definitions from the filtering policy itself. * Allow to use variable definitions from element commands, eg. define whitel...