Displaying 9 results from an estimated 9 matches for "nftrace".

2023 Apr 14
5
[Bug 1673] New: bug egress hook virtio interface with VLAN
...c Yak) dhcpcd 9.4.1 isc-dhclient-4.4.3-P1 virtio interface : enp6s19 E1000 interface : enp6s20 I made tests with this ruleset : table netdev filter { chain egress { type filter hook egress device "enp6s19.100" priority filter; policy accept; meta nftrace set 1 log group 30 udp sport 68 udp dport 67 counter packets 0 bytes 0 } chain egress2 { type filter hook egress device "enp6s20.100" priority filter; policy accept; meta nftrace set 1 log gro...
2023 Apr 14
3
[Bug 1672] New: bug egress hook virtio interface with VLAN
...c Yak) dhcpcd 9.4.1 isc-dhclient-4.4.3-P1 virtio interface : enp6s19 E1000 interface : enp6s20 I made tests with this ruleset : table netdev filter { chain egress { type filter hook egress device "enp6s19.100" priority filter; policy accept; meta nftrace set 1 log group 30 udp sport 68 udp dport 67 counter packets 0 bytes 0 } chain egress2 { type filter hook egress device "enp6s20.100" priority filter; policy accept; meta nftrace set 1 log gro...
2016 Jun 02
0
[ANNOUNCE] nftables 0.6 release
...to parse this output yet. Commands to empty flow tables and remove specific entries are still missing. Moreover, flow tables require a Linux kernel >= 4.3. * New tracing infrastructure: Useful for ruleset debugging, you have to enable tracing via: # nft filter input tcp dport 10000 nftrace set 1 # nft filter input icmp type echo-request nftrace set 1 Then, you can monitor traces through: # nft -nn monitor trace That generates the following outputs: trace id e1f5055f ip filter input packet: iif eth0 ether saddr 63:f6:4b:00:54:52 ether daddr c9:4b:a9:00:54:52 ip sad...
2018 Jun 12
1
[Bug 1261] New: nft trace crash with msg "BUG: invalid verdict value 2"
...t; ether saddr 78:54:00:29:bb:aa ether daddr 52:54:00:01:53:9f ip saddr 85.14.236.41 ip daddr 17.25.63.98 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 49036 ip length 84 icmp type echo-reply icmp code 0 icmp id 16947 icmp sequence 4 trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 nftrace set 1 (verdict continue) trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 ether saddr set aa:bb:00:18:cc:dd ether daddr set 00:00:5e:00:00:11 fwd to "enp1s0"BUG: invalid verdict value 2 nft: datatype.c:282: verdict_type_print: Assertion `0' failed. fish: “nft monito...
2020 Jan 19
1
[Bug 1399] New: tables/chains priority doesn't work
...rg running latest Debian 10 in VPS/KVM - nftables v0.9.2 (Scram) nftables are initialized by scripts. I have following tables/chains table ip nat { set bad_ip { type ipv4_addr } chain prerouting { type nat hook prerouting priority dstnat; policy accept; meta nftrace set 1 ip saddr @bad_ip tcp dport { 80, 443 } redirect to :8080 } } table filter { chain prerouting {type filter hook prerouting priority -150;} chain input {type filter hook input priority 0; policy drop;} chain output {type filter hook output priority 0; policy drop;}...
2017 Aug 16
3
[Bug 1169] New: Bug in altering IP TTL field of a packet?
...Assignee: pablo at netfilter.org Reporter: berend at kubusje.nl When I try to set the IP TTL field to a certain number with a rule it doesn't change the TTL field but it changes the PROTO field. This is the rule: oifname eno2 ip daddr 136.144.X.X ip ttl 1-63 ip ttl set 64 nftrace set 1 log prefix "TTLTEST " This is in the log file: Aug 16 15:08:58 name kernel: TTLTEST IN= OUT=eno2 SRC=217.100.X.X DST=136.144.X.X LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=32700 DF PROTO=64 So this seems like a bug to me. Altering other IP/TCP fields like dport or sport as documented o...
2014 Apr 14
0
[ANNOUNCE]: Release of nftables 0.2
...network interface related type iface_*. The arphrd type has been renamed to iface_type. * Unqualified meta expressions A number of keys of the meta expressions can be used without the meta keyword for simplicity. These are mark, iif, iifname, iiftype, oif, oifname, oiftype, skuid, skgid, nftrace and rtclassid. The meta keyword may still be used if desired. - nft filter output meta skuid root accept becomes - nft filter output skuid root accept New features ============ The more prominent new features include: * Support for hybrid IPv4/IPv6 tables nftables now supports the...
2024 Apr 03
9
[Bug 1742] New: using nfqueue breaks SCTP connection (tracking)
...t; ether saddr 02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr 10.244.1.47 ip daddr 10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 63 ip id 0 ip length 68 sctp sport 47261 sctp dport 8080 sctp vtag 0 @th,96,64 0x10000240486b6e3 trace id 0329b184 ip filter trace_chain rule ip protocol sctp meta nftrace set 1 (verdict continue) trace id 0329b184 ip filter trace_chain verdict continue trace id 0329b184 ip filter trace_chain policy accept trace id 0329b184 inet kube-netpol forward packet: iif "eth0" oif "vetha2b65671" ether saddr 02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip...
2016 Oct 20
2
[Bug 1092] New: nft v0.6 segfault in must_print_eq_op at expression.c:520 during 'nft monitor trace' in netdev filter
...Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: sverd.johnsen+nf at gmail.com table netdev filter { chain foobar { type filter hook ingress device eth0 priority 0; udp sport 53 meta nftrace set 1 } } Reading symbols from /usr/bin/nft...done. [New LWP 11571] Core was generated by `nft monitor trace'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00000047a69fce5a in must_print_eq_op (expr=0x47a8a13610, expr=0x47a8a13610) at expression.c:520 520 expression....