Displaying 9 results from an estimated 9 matches for "nftrace".
2023 Apr 14
5
[Bug 1673] New: bug egress hook virtio interface with VLAN
...c Yak)
dhcpcd 9.4.1
isc-dhclient-4.4.3-P1
virtio interface : enp6s19
E1000 interface : enp6s20
I made tests with this ruleset :
table netdev filter {
    chain egress {
        type filter hook egress device "enp6s19.100" priority filter;
        policy accept;
        meta nftrace set 1
        log group 30
        udp sport 68 udp dport 67 counter packets 0 bytes 0
    }
    chain egress2 {
        type filter hook egress device "enp6s20.100" priority filter;
        policy accept;
        meta nftrace set 1
        log gro...
2023 Apr 14
3
[Bug 1672] New: bug egress hook virtio interface with VLAN
...c Yak)
dhcpcd 9.4.1
isc-dhclient-4.4.3-P1
virtio interface : enp6s19
E1000 interface : enp6s20
I made tests with this ruleset :
table netdev filter {
    chain egress {
        type filter hook egress device "enp6s19.100" priority filter;
        policy accept;
        meta nftrace set 1
        log group 30
        udp sport 68 udp dport 67 counter packets 0 bytes 0
    }
    chain egress2 {
        type filter hook egress device "enp6s20.100" priority filter;
        policy accept;
        meta nftrace set 1
        log gro...
2016 Jun 02
0
[ANNOUNCE] nftables 0.6 release
...to parse this output yet. Commands to empty flow tables and remove
specific entries are still missing.
Moreover, flow tables require a Linux kernel >= 4.3.
* New tracing infrastructure: Useful for ruleset debugging, you have
to enable tracing via:
# nft filter input tcp dport 10000 nftrace set 1
# nft filter input icmp type echo-request nftrace set 1
Then, you can monitor traces through:
# nft -nn monitor trace
That generates the following outputs:
trace id e1f5055f ip filter input packet: iif eth0 ether saddr
63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 ip sad...
2018 Jun 12
1
[Bug 1261] New: nft trace crash with msg "BUG: invalid verdict value 2"
...t; ether saddr
78:54:00:29:bb:aa ether daddr 52:54:00:01:53:9f ip saddr 85.14.236.41 ip daddr
17.25.63.98 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 49036 ip length 84 icmp
type echo-reply icmp code 0 icmp id 16947 icmp sequence 4
trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 nftrace set
1 (verdict continue)
trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 ether saddr
set aa:bb:00:18:cc:dd ether daddr set 00:00:5e:00:00:11 fwd to "enp1s0"BUG:
invalid verdict value 2
nft: datatype.c:282: verdict_type_print: Assertion `0' failed.
fish: “nft monito...
2020 Jan 19
1
[Bug 1399] New: tables/chains priority doesn't work
...rg
running latest Debian 10 in VPS/KVM - nftables v0.9.2 (Scram)
nftables are initialized by scripts. I have following tables/chains
table ip nat {
    set bad_ip {
        type ipv4_addr
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        meta nftrace set 1 ip saddr @bad_ip tcp dport { 80, 443 } redirect to :8080
    }
}
table filter {
    chain prerouting {type filter hook prerouting priority -150;}
    chain input {type filter hook input priority 0; policy drop;}
    chain output {type filter hook output priority 0; policy drop;}...
2017 Aug 16
3
[Bug 1169] New: Bug in altering IP TTL field of a packet?
...Assignee: pablo at netfilter.org
Reporter: berend at kubusje.nl
When I try to set the IP TTL field to a certain number with a rule it doesn't
change the TTL field but it changes the PROTO field.
This is the rule:
oifname eno2 ip daddr 136.144.X.X ip ttl 1-63 ip ttl set 64 nftrace set 1 log prefix "TTLTEST "
This is in the log file:
Aug 16 15:08:58 name kernel: TTLTEST IN= OUT=eno2 SRC=217.100.X.X
DST=136.144.X.X LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=32700 DF PROTO=64
So this seems like a bug to me.
Altering other IP/TCP fields like dport or sport as documented o...
2014 Apr 14
0
[ANNOUNCE]: Release of nftables 0.2
...network interface related type iface_*. The arphrd type has been
renamed to iface_type.
* Unqualified meta expressions
A number of keys of the meta expressions can be used without the meta
keyword for simplicity. These are mark, iif, iifname, iiftype, oif,
oifname, oiftype, skuid, skgid, nftrace and rtclassid. The meta keyword
may still be used if desired.
- nft filter output meta skuid root accept
becomes
- nft filter output skuid root accept
New features
============
The more prominent new features include:
* Support for hybrid IPv4/IPv6 tables
nftables now supports the...
2024 Apr 03
9
[Bug 1742] New: using nfqueue breaks SCTP connection (tracking)
...t; ether saddr
02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr 10.244.1.47 ip daddr
10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 63 ip id 0 ip length 68 sctp sport
47261 sctp dport 8080 sctp vtag 0 @th,96,64 0x10000240486b6e3
trace id 0329b184 ip filter trace_chain rule ip protocol sctp meta nftrace set
1 (verdict continue)
trace id 0329b184 ip filter trace_chain verdict continue
trace id 0329b184 ip filter trace_chain policy accept
trace id 0329b184 inet kube-netpol forward packet: iif "eth0" oif
"vetha2b65671" ether saddr 02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip...
2016 Oct 20
2
[Bug 1092] New: nft v0.6 segfault in must_print_eq_op at expression.c:520 during 'nft monitor trace' in netdev filter
...Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: sverd.johnsen+nf at gmail.com
table netdev filter {
    chain foobar {
        type filter hook ingress device eth0 priority 0;
        udp sport 53 meta nftrace set 1
    }
}
Reading symbols from /usr/bin/nft...done.
[New LWP 11571]
Core was generated by `nft monitor trace'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00000047a69fce5a in must_print_eq_op (expr=0x47a8a13610,
expr=0x47a8a13610) at expression.c:520
520 expression....