search for: ipv4_addr

https://bugzilla.netfilter.org/show_bug.cgi?id=1352 Bug ID: 1352 Summary: After adding map type ipv4_addr : counter it behaves as a set Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo...

https://bugzilla.netfilter.org/show_bug.cgi?id=994 Bug ID: 994 Summary: Named sets with type "ipv4_addr" do not allow adding CIDR elements Product: nftables Version: unspecified Hardware: x86_64 OS: other Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pa...

https://bugzilla.netfilter.org/show_bug.cgi?id=1185 Bug ID: 1185 Summary: counter flag proposal for sets and maps Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org

https://bugzilla.netfilter.org/show_bug.cgi?id=1307 Bug ID: 1307 Summary: Implement interface for 'ipv4_addr' in arptables Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: kva...

...ent: nft Assignee: pablo at netfilter.org Reporter: apex at xepa.nl Hi there, I would like to report a bug with the nft ecosystem pertaining to the auto-merge setting during the export / import in the JSON format for a set. Example: # nft 'add set inet filter myset { type ipv4_addr; flags interval; auto-merge }' # nft 'list set inet filter myset' table inet filter { set myset { type ipv4_addr flags interval auto-merge } } # nft --json 'list set inet filter myset' | jq '.nftables[1]' { "set": { "f...

...cement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: james at nurealm.net Arch Linux nftables 1:0.9.0-1 On the wiki: https://wiki.nftables.org/wiki-nftables/index.php/Sets the example is shown: % nft add set filter blackhole { type ipv4_addr\;} where man 8 nft shows: add set [family] table set { type type ; ... } the "family" is shown as optional. "family" no longer appears to be optional. Is this intentional? Or a bug? $ sudo nft list tables table inet filter table ip nat table ip private $ sudo nft add set...

...nft version: 0.9.0 kernel version: 4.18 Not sure if already fixed. If so, please add link to concrete commit. root at xmachine1:/home/user/testcase# nft add element filter S1 { 10.6.0.0/28 } root at xmachine1:/home/user/testcase# nft list set filter S1 table ip filter { set S1 { type ipv4_addr flags interval elements = { 10.5.0.20/31, 10.6.0.0/28 } } } root at xmachine1:/home/user/testcase# nft delete element filter S1 { 10.5.0.20/31 } root at xmachine1:/home/user/testcase# nft list set filter S1 table ip filter { set S1 { type ipv4_addr flags inte...

...4 OS: Ubuntu Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: elise.lennion at gmail.com Here an example of this bug. $ sudo nft add table x $ sudo nft add set x s {type ipv4_addr\; size 2\;} $ sudo nft add element x s {1.1.1.1} $ sudo nft add element x s {1.1.1.2} $ sudo nft flush set x s $ sudo nft add element x s {1.1.1.1} <cmdline>:1:1-26: Error: Could not process rule: Too many open files in system add element x s {1.1.1.1} ^^^^^^^^^^^^^^^^^^^^^^^^^^ The last co...

...Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: flnf at prout.be root at ns:~# nft add set inet filter spamhaus_DROP { type ipv4_addr \; flags interval \; size 65535 \;} root at ns:~# nft delete set inet filter spamhaus_DROP root at ns:~# nft add set inet filter spamhaus_DROP { type ipv4_addr \; flags interval, timeout \; size 65535 \;} <cmdline>:1:1-93: Error: Could not process rule: Operation not supported add set inet f...

...nt the session affinity function for my load balancer. The map is defined with the dynamic and timeout flag. I plan to add source address of new client retrieved from the packet path to a map with the `update @` action like below add table ip loadbalancer add map ip loadbalancer epToChain { type ipv4_addr : verdict ; flags dynamic,timeout ; timeout 4m ;} add chain ip loadbalancer service-ABC add rule ip loadbalancer service-ABC ip saddr vmap @epToChain add chain ip loadbalancer endpoint-1 add rule ip loadbalancer endpoint-1 update @epToChain { ip saddr : goto endpoint-1 } add chain ip loadbalancer...

...t;") self.reset_screen_colors() return @@ -566,9 +569,9 @@ class NodeConfigScreen(): if not interface == "lo": if has_ip_address(interface) or get_ipv6_address(interface): ipv4_address = get_ip_address(interface) - if get_ipv6_address(interface): - ipv6_address = get_ipv6_address(interface) - else: + try: + ipv6_addr...

...OS: Debian GNU/Linux Status: NEW Severity: minor Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: jimmyz.z at gmail.com # nft list ruleset table ip potato { set potato { type ipv4_addr flags interval elements = { 0.0.0.0-255.255.255.255 } } } # cat b.nft flush set ip potato potato; add element ip potato potato { 10.0.0.0/8 } # nft -f b.nft b.nft:3:9-18: Error: interval overlaps with an existing one 10.0.0.0/8...

...Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: email at cs-ware.de I've the following (for this bug report reduced) ruleset in nftables: table inet filter { set blocklistssh4 { type ipv4_addr } chain blocklistssh { } } Now, issuing "add rule inet filter blocklistssh ip saddr & 255.0.0.0 @blocklistssh4 drop" causes "nft -f file" to segfault. Issuing this statement in "nft -i" reveals the following message and terminates: BUG: in...

...t;") self.reset_screen_colors() return @@ -566,9 +569,9 @@ class NodeConfigScreen(): if not interface == "lo": if has_ip_address(interface) or get_ipv6_address(interface): ipv4_address = get_ip_address(interface) - if get_ipv6_address(interface): - ipv6_address = get_ipv6_address(interface) - else: + try: + ipv6_addr...

...ruleset`: "free(): double free detected in tcache 2" 2. Output is composed of duplicate (or even trippled) dumps of the same tables/rules Test files to reproduce ----------------------- R1.tf ``` #!/usr/sbin/nft -f flush ruleset table inet filter { set DROP-NETS-V4 { type ipv4_addr flags interval elements = { 1.2.3.0/27 } } chain predefrag { type filter hook prerouting priority -450; policy accept; ip frag-off & 49151 != 0 counter packets 0 bytes 0 drop ip6 nexthdr ipv6-frag counter packets 0 bytes 0 drop } chain I...

...ng that sets will properly scale to this level, it is possible to use individual tests for each of the outcomes. Using the vmap is a preferred option, especially if one can define a "default" match option. To Replicate: ============= table inet global { set blackhole_ipv4 { type ipv4_addr flags interval elements = { 0.0.0.0/8, # "default" 10.0.0.0/8, # RFC 1918 100.64.0.0/10, # bogon-bn-agg.txt 2017-08-17 127.0.0.0/8, # loopback 169.254.0.0/16, # Self-configured DHCP 172.16.0.0/12,...

...be fixed? If not, would it be possible to request a "set delete" feature to be able to remove elements from a set? (current workaround is to set timeout 1s, but this is not perfect) ------------------------------------------- #Config file: table inet filter { set test { type ipv4_addr timeout 10m } chain input { type filter hook input priority 0; policy accept; tcp dport 1111 set add ip saddr @test tcp dport 2222 set update ip saddr timeout 0s @test tcp dport 3333 set update ip saddr timeout 40s @test } ... other chains ......

...are: All OS: All Status: NEW Severity: critical Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: sbezverk at cisco.com table ip ipv4table { map cluster-ip-services-set { type inet_proto . ipv4_addr . inet_service : verdict } chain k8s-nat-mark-masq { ip protocol . ip daddr vmap @cluster-ip-services-set } chain k8s-nat-do-mark-masq { meta mark set 0x00004000 return } } the command to add rule to k8s-nat-mark-masq chain is: sudo nft add rule ipv4table k8...

...netlink_log support (available since 3.17). * Automatic selection of the optimal set implementation (available since 3.16). You can tell the kernel to optimize your set representation base according to the space-time tradeoff, eg. optimize memory: # nft add set filter set1 { type ipv4_addr ; policy memory ; } Or optimize performance: # nft add set filter set1 { type ipv4_addr ; policy performance ; } You can also use this in maps: # nft add map filter map1 { type ipv4_addr : verdict ; policy performace ; } And indicate the expected size to assist the set se...

...rs, so you can see how many times given item was added/updated. But when you add this item manually and not from packet path, this counter is missing: ********************** # setup dynamic set nft add table t nft add chain t c { type filter hook input priority 0\; } nft add set t dynset { type ipv4_addr\; flags dynamic\; } nft add rule t c add @dynset { ip saddr counter } # ping 8.8.8.8 ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=6.05 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=5.05 ms ^C # list dynamic set, see "add" co...