Displaying 20 results from an estimated 78 matches for "ipv4_addr".
2019 Jul 11
2
[Bug 1352] New: After adding map type ipv4_addr : counter it behaves as a set
https://bugzilla.netfilter.org/show_bug.cgi?id=1352
Bug ID: 1352
Summary: After adding map type ipv4_addr : counter it behaves
as a set
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo...
2015 Jan 08
1
[Bug 994] New: Named sets with type "ipv4_addr" do not allow adding CIDR elements
https://bugzilla.netfilter.org/show_bug.cgi?id=994
Bug ID: 994
Summary: Named sets with type "ipv4_addr" do not allow adding
CIDR elements
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pa...
2017 Sep 22
13
[Bug 1185] New: counter flag proposal for sets and maps
https://bugzilla.netfilter.org/show_bug.cgi?id=1185
Bug ID: 1185
Summary: counter flag proposal for sets and maps
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
2018 Dec 03
2
[Bug 1307] New: Implement interface for 'ipv4_addr' in arptables
https://bugzilla.netfilter.org/show_bug.cgi?id=1307
Bug ID: 1307
Summary: Implement interface for 'ipv4_addr' in arptables
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: kva...
2024 Jan 29
2
[Bug 1734] New: nft set with auto-merge json import/export
...ent: nft
Assignee: pablo at netfilter.org
Reporter: apex at xepa.nl
Hi there,
I would like to report a bug with the nft ecosystem pertaining to the
auto-merge setting during the export / import in the JSON format for a set.
Example:
# nft 'add set inet filter myset { type ipv4_addr; flags interval; auto-merge }'
# nft 'list set inet filter myset'
table inet filter {
set myset {
type ipv4_addr
flags interval
auto-merge
}
}
# nft --json 'list set inet filter myset' | jq '.nftables[1]'
{
"set": {
"f...
2018 Nov 16
9
[Bug 1299] New: add set - syntax has changed - update documentation
...cement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: james at nurealm.net
Arch Linux
nftables 1:0.9.0-1
On the wiki:
https://wiki.nftables.org/wiki-nftables/index.php/Sets
the example is shown:
% nft add set filter blackhole { type ipv4_addr\;}
where man 8 nft shows:
add set [family] table set { type type ; ... }
the "family" is shown as optional.
"family" no longer appears to be optional. Is this intentional? Or a bug?
$ sudo nft list tables
table inet filter
table ip nat
table ip private
$ sudo nft add set...
2018 Nov 28
3
[Bug 1304] New: issue with interval sets
...nft version: 0.9.0
kernel version: 4.18
Not sure if already fixed. If so, please add link to concrete commit.
root@xmachine1:/home/user/testcase# nft add element filter S1 { 10.6.0.0/28 }
root@xmachine1:/home/user/testcase# nft list set filter S1
table ip filter {
set S1 {
type ipv4_addr
flags interval
elements = { 10.5.0.20/31, 10.6.0.0/28 }
}
}
root@xmachine1:/home/user/testcase# nft delete element filter S1 { 10.5.0.20/31 }
root@xmachine1:/home/user/testcase# nft list set filter S1
table ip filter {
set S1 {
type ipv4_addr
flags inte...
2017 Jan 19
5
[Bug 1114] New: set: Can't add elements after flushing a full set with size description
...4
OS: Ubuntu
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: elise.lennion at gmail.com
Here is an example of this bug.
$ sudo nft add table x
$ sudo nft add set x s {type ipv4_addr\; size 2\;}
$ sudo nft add element x s {1.1.1.1}
$ sudo nft add element x s {1.1.1.2}
$ sudo nft flush set x s
$ sudo nft add element x s {1.1.1.1}
<cmdline>:1:1-26: Error: Could not process rule: Too many open files in system
add element x s {1.1.1.1}
^^^^^^^^^^^^^^^^^^^^^^^^^^
The last co...
2017 Aug 26
5
[Bug 1180] New: Can't create a set with both timeout and interval flags at the same time
...Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: flnf at prout.be
root@ns:~# nft add set inet filter spamhaus_DROP { type ipv4_addr \; flags interval \; size 65535 \;}
root@ns:~# nft delete set inet filter spamhaus_DROP
root@ns:~# nft add set inet filter spamhaus_DROP { type ipv4_addr \; flags interval, timeout \; size 65535 \;}
<cmdline>:1:1-93: Error: Could not process rule: Operation not supported
add set inet f...
2024 Feb 13
16
[Bug 1736] New: nftables - dynamic update for verdict map from the packet path
...nt
the session affinity function for my load balancer.
The map is defined with the dynamic and timeout flags. I plan to add the source
address of a new client retrieved from the packet path to a map with the
`update @` action, like below:
add table ip loadbalancer
add map ip loadbalancer epToChain { type ipv4_addr : verdict ; flags dynamic,timeout ; timeout 4m ;}
add chain ip loadbalancer service-ABC
add rule ip loadbalancer service-ABC ip saddr vmap @epToChain
add chain ip loadbalancer endpoint-1
add rule ip loadbalancer endpoint-1 update @epToChain { ip saddr : goto endpoint-1 }
add chain ip loadbalancer...
2011 Aug 03
0
[PATCH] display ipv6 address in networking details page, also fix ipv6 netmask configurations.
...t;")
self.reset_screen_colors()
return
@@ -566,9 +569,9 @@ class NodeConfigScreen():
if not interface == "lo":
if has_ip_address(interface) or get_ipv6_address(interface):
ipv4_address = get_ip_address(interface)
- if get_ipv6_address(interface):
- ipv6_address = get_ipv6_address(interface)
- else:
+ try:
+ ipv6_addr...
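Review bot: On the new `try:` line, only the assignment is guarded, while the unchanged condition two lines above it, `if has_ip_address(interface) or get_ipv6_address(interface):`, still calls get_ipv6_address(interface) unguarded. If that helper can raise for an interface without an IPv6 address, the exception surfaces at the condition and the try block is never reached. Either have the helper return a false value instead of raising, or do the lookup once inside a single guarded call and reuse its result in both places.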
2020 May 27
17
[Bug 1431] New: flush set doesn't work as expected in script
...OS: Debian GNU/Linux
Status: NEW
Severity: minor
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: jimmyz.z at gmail.com
# nft list ruleset
table ip potato {
set potato {
type ipv4_addr
flags interval
elements = { 0.0.0.0-255.255.255.255 }
}
}
# cat b.nft
flush set ip potato potato;
add element ip potato potato {
10.0.0.0/8
}
# nft -f b.nft
b.nft:3:9-18: Error: interval overlaps with an existing one
10.0.0.0/8...
2019 Mar 24
3
[Bug 1327] New: Cannot use named set for matching IPv4 networks
...Severity: major
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: email at cs-ware.de
I've the following (for this bug report reduced) ruleset in nftables:
table inet filter {
set blocklistssh4 {
type ipv4_addr
}
chain blocklistssh {
}
}
Now, issuing "add rule inet filter blocklistssh ip saddr & 255.0.0.0
@blocklistssh4 drop" causes "nft -f file" to segfault. Issuing this statement
in "nft -i" reveals the following message and terminates:
BUG: in...
2011 Aug 03
1
[PATCH] display ipv6 address in networking details page, also fix ipv6 netmask configurations
...t;")
self.reset_screen_colors()
return
@@ -566,9 +569,9 @@ class NodeConfigScreen():
if not interface == "lo":
if has_ip_address(interface) or get_ipv6_address(interface):
ipv4_address = get_ip_address(interface)
- if get_ipv6_address(interface):
- ipv6_address = get_ipv6_address(interface)
- else:
+ try:
+ ipv6_addr...
2020 Jan 30
2
[Bug 1402] New: Race errors with nft
...ruleset`: "free(): double free
detected in tcache 2"
2. Output is composed of duplicate (or even tripled) dumps of the same
tables/rules
Test files to reproduce
-----------------------
R1.tf
```
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
set DROP-NETS-V4 {
type ipv4_addr
flags interval
elements = { 1.2.3.0/27 }
}
chain predefrag {
type filter hook prerouting priority -450; policy accept;
ip frag-off & 49151 != 0 counter packets 0 bytes 0 drop
ip6 nexthdr ipv6-frag counter packets 0 bytes 0 drop
}
chain I...
2017 Aug 24
5
[Bug 1179] New: vmap and sets cause "BUG: invalid range expression type set"
...ng that sets will properly scale to this level, it is possible to use
individual tests for each of the outcomes. Using the vmap is a preferred
option, especially if one can define a "default" match option.
To Replicate:
=============
table inet global {
set blackhole_ipv4 {
type ipv4_addr
flags interval
elements = {
0.0.0.0/8, # "default"
10.0.0.0/8, # RFC 1918
100.64.0.0/10, # bogon-bn-agg.txt 2017-08-17
127.0.0.0/8, # loopback
169.254.0.0/16, # Self-configured DHCP
172.16.0.0/12,...
2018 Apr 27
5
[Bug 1249] New: set update with timeout 0s removes timeout
...be fixed? If not, would it be possible to
request a "set delete" feature to be able to remove elements from a set?
(current workaround is to set timeout 1s, but this is not perfect)
-------------------------------------------
#Config file:
table inet filter {
set test {
type ipv4_addr
timeout 10m
}
chain input {
type filter hook input priority 0; policy accept;
tcp dport 1111 set add ip saddr @test
tcp dport 2222 set update ip saddr timeout 0s @test
tcp dport 3333 set update ip saddr timeout 40s @test
}
... other chains ......
2020 Jan 07
4
[Bug 1396] New: When rule with 3 concat elements are added, nft list shows only 2
...are: All
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: sbezverk at cisco.com
table ip ipv4table {
map cluster-ip-services-set {
type inet_proto . ipv4_addr . inet_service : verdict
}
chain k8s-nat-mark-masq {
ip protocol . ip daddr vmap @cluster-ip-services-set
}
chain k8s-nat-do-mark-masq {
meta mark set 0x00004000 return
}
}
the command to add rule to k8s-nat-mark-masq chain is:
sudo nft add rule ipv4table k8...
2014 Dec 16
0
[ANNOUNCE] nftables 0.4 release
...netlink_log
support (available since 3.17).
* Automatic selection of the optimal set implementation (available
since 3.16).
You can tell the kernel to optimize your set representation
according to the space-time tradeoff, e.g. optimize memory:
# nft add set filter set1 { type ipv4_addr ; policy memory ; }
Or optimize performance:
# nft add set filter set1 { type ipv4_addr ; policy performance ; }
You can also use this in maps:
# nft add map filter map1 { type ipv4_addr : verdict ; policy performance ; }
And indicate the expected size to assist the set se...
2020 Feb 28
3
[Bug 1411] New: add elements with counter to dynamic sets with
...rs, so you can see how
many times given item was added/updated. But when you add this item manually
and not from packet path, this counter is missing:
**********************
# setup dynamic set
nft add table t
nft add chain t c { type filter hook input priority 0\; }
nft add set t dynset { type ipv4_addr\; flags dynamic\; }
nft add rule t c add @dynset { ip saddr counter }
# ping 8.8.8.8
ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=50 time=6.05 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=50 time=5.05 ms
^C
# list dynamic set, see "add" co...