search for: nfproto

...s not work: table inet filter { chain input { icmp type echo-request limit rate 10/second accept icmpv6 type echo-request limit rate 10/second accept } } gives a "Error: conflicting protocols specified: inet-service vs. icmp" fix: table inet filter { chain input { meta nfproto ipv4 icmp type echo-request limit rate 10/second accept meta nfproto ipv6 icmpv6 type echo-request limit rate 10/second accept } } Is this behavior intentional? Related conversations: http://www.spinics.net/lists/netfilter/msg55433.html http://comments.gmane.org/gmane.comp.security.firewall...

...s: fix up meta l4proto change for ip6 family src: ip: switch implicit dependencies to meta l4proto too tests: fix up meta l4proto change for ip family Merge branch 'meta_l4_dependency' ct: fix inet/bridge/netdev family handling for saddr/daddr meta: permit meta nfproto ip in ip family parser: allow ct eventmask set new,related netlink_delinearize: prefer ct event set foo,bar over 'set foo|bar' src: rename ct eventmask to event tests: restrict ct saddr test to inet family tests: remove two non-sensical rules tests: restr...

https://bugzilla.netfilter.org/show_bug.cgi?id=1338 Bug ID: 1338 Summary: Can't add IPv6 concatenation rule Product: netfilter/iptables Version: unspecified Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: nfnetlink_queue Assignee: netfilter-buglog

...ardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: kfm at plushkava.net Consider the following ruleset: table inet t { chain c { meta nfproto ipv6 tcp dport 80 dnat to :9030 } } Here, this produces "Error: Could not process rule: Address family not supported by protocol". The manual states the following: > When used in the inet family (available with kernel 5.2), the dnat and snat statements require the use of the ip a...

...nary expression with the appropiate operation payload: generate dependency in the appropriate byteorder src: Enhance payload_gen_dependency() datatype: Enhance symbolic_constant_parse() nft: complete reject support evaluate: fix a crash if we specify ether type or meta nfproto in reject delinearize: list the icmpx reason with the string associated evaluate: reject: fix crash if we specify ether type or meta nfproto evaluate: reject: fix crash if we have transport protocol conflict from inet test: update and add the reject tests for ip, ip6, bridge...

...ablo at netfilter.org Reporter: slyfox at inbox.ru # This report is a valid nft file. # $ uname -r # 4.14.0-rc5-00009-g3728e6a255b5 # run as: 'nft -f nft.bug' # This will output: # table inet filter { # chain local-input { # iifname "lo" meta nfproto ipv4 payload @nh,96,64 0x7f0000017f000001 [invalid type] ip protocol udp counter packets 0 bytes 0 accept # } # } # While when we run 'list ruleset' right afterwards decoding is fine: # table inet filter { # chain local-input { # iifname "lo" ip s...

...failure involving linux/netlink.h build: resolve compile error involving XT_EXTENSION_MAXNAMELEN Kristian Evensen (2): meta: Let user specify any combination of sreg/dreg expr: ct: Add support for setting the mark Pablo Neira Ayuso (17): src: fix compilation due to missing NFPROTO_INET definition build: fix final report after configuration include: add cached copy of linux/kernel.h Merge branch 'master' into next-3.14 chain: print usage counter for base chain via default output as well src: compile queue expression support src: ear...

...ura Garcia Liebana (5): expr: add hash expression expr: add number generation expression expr: numgen: Rename until attribute by modulus expr: hash: Add offset to hash value expr: numgen: add number generation offset Liping Zhang (7): trace: use get_u32 to parse NFPROTO and POLICY attribute expr: queue: remove redundant NFTNL_EXPR_QUEUE_NUM set in json parse tests: queue: add missing NFTNL_EXPR_QUEUE_FLAGS compare test expr: queue: add NFTA_QUEUE_SREG_QNUM attr support expr: log: fix typo in nftnl_expr_log_export expr: log: do not pri...

...0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0, offset = 0}, {location = {indesc = 0x0, {{token_offset = 0, line_offset = 0, first_line = 0, last_line = 0, first_column = 0, last_column = 0}, {nle = 0x0}}}, desc = 0x0, offset = 0}}} dev_type = <optimized out> nfproto = <optimized out> stmt = 0x47a8a0cc90 next = 0x47a8a13c40 #3 0x00000047a6a07b66 in netlink_events_trace_cb (monh=0x3cc19177bd0, type=17, nlh=0x3cc19166b30) at netlink.c:2405 nlt = 0x47a8a22050 #4 netlink_events_cb (nlh=nlh at entry=0x3cc19166b30, data=data at entry=0...

...context updates ct expr: protocol context updates and dynamic typing include: resync nftables.h with kernel nftables: add support for the "inet" family netlink_delinearize: remove implied meta expressions proto: add support for meta templates meta: add nfproto support meta: add l4proto support Merge remote-tracking branch 'origin/master' into next-3.14 netlink_delinearize: fix compiler warning Merge remote-tracking branch 'origin/master' into next-3.14 Merge remote-tracking branch 'origin/master' into...

...tests/py: Unmask negative set lookup rule: Introduce helper function cache_flush evaluate: Update cache on flush ruleset Anders K. Pedersen (4): rt: introduce routing expression Replace tests/files/expr-rt with Python based tests, and replace ether type with meta nfproto, which generates a bit fewer instructions. evaluate: Allow concatenation of rt nexthop etc. doc: fix synopsis for ct expression Arturo Borrero (3): tests: shell: delete unused variable in run-tests.sh tests: shell: cleanup tempfile handling in testcases/sets/cache_handling_...

https://bugzilla.netfilter.org/show_bug.cgi?id=1777 Bug ID: 1777 Summary: Error: COMMAND_FAILED: 'python-nftables' failed Product: nftables Version: 1.0.x Hardware: arm OS: Debian GNU/Linux Status: NEW Severity: blocker Priority: P5 Component: kernel Assignee: pablo at