Displaying 13 results from an estimated 13 matches for "oifnam".
2019 Aug 27
3
[Bug 1360] New: BUG: invalid expression type concat on invalid input "iifname . oifname p . q"
https://bugzilla.netfilter.org/show_bug.cgi?id=1360
Bug ID: 1360
Summary: BUG: invalid expression type concat on invalid input "iifname . oifname p . q"
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter:...
2018 Nov 24
5
[Bug 1303] New: nft improperly merges intervals
...Hardware: x86_64
OS: All
Status: NEW
Severity: critical
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: trever at middleearth.sapphiresunday.org
Please consider the following rules:
oifname "ppp0" ip saddr { 10.0.0.0/23, 10.1.1.0/24 } counter packets 76 bytes 4704 masquerade
oifname "ppp0" ip saddr 10.1.1.0/25 counter packets 0 bytes 0 masquerade
oifname "ppp0" ip saddr 10.0.1.0/24 counter packets 0 bytes 0 masquerade
oifname "...
2018 Nov 06
1
[Bug 1290] New: iptables: nftables layer breaks ipsec/policy keyword
...some cases your firewall useless.
For ex:
# iptables -F
# iptables -A OUTPUT -m policy --dir out --pol ipsec --strict --mode tunnel -o eth0 -j ACCEPT
# echo $?
0
# nft list ruleset
<cut>
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
        oifname "eth0" counter packets 90 bytes 26085 accept
    }
}
As you can see, the inserted rule allows everything, while the expected
behavior would be 'only if going through an IPsec tunnel'.
Even worse: inserting the rule did not fail.
Until the 'ipsec' (or 'secpath...
2018 Jun 21
6
[Bug 1263] New: Device or resource busy on nat loading.
...o load the following table
on any vanilla kernel > 4.15.18:
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wlp3s0" masquerade
        oifname "tun0" masquerade
    }
}
kernel config looks like:
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK...
2017 Feb 03
4
[Bug 1117] New: Table ipv4-nat prerouting dnat doesn't accept dest IP:PORT
...do some nftables stuff...
------------------
cat nftables.aaaa
#!/usr/bin/nft -f
flush ruleset
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -150; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority -150; policy accept;
        oifname "pub-aaaa" masquerade
    }
}
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy...
2024 Oct 29
21
[Bug 1777] New: Error: COMMAND_FAILED: 'python-nftables' failed
...N_internal"}}]}}},
{"insert": {"rule": {"family": "inet", "table": "firewalld", "chain":
"nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key":
"oifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target":
"nat_POST_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table":
"firewalld", "chain": &...
2016 Dec 24
6
[Bug 1105] New: masquerade fully broken when no prerouting chain is created
...e source IP of the host but the answers are not forwarded back.
Creating an empty prerouting chain with its hook solved the issue.
My NAT rules are:
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 0;
        oifname eth0 masquerade
    }
}
Kernel: 4.8.13-1-ARCH
Version: nftables 1:0.6-3
Distribution: ArchLinux
2024 Jul 20
2
[Bug 1762] New: coredump in --optimize
...10.1"
table nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $wan tcp dport 10000 dnat to $server:10000;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $vpn masquerade
        oifname $wan masquerade
    }
}
checks ok, no error
nft -c -f tmp.nft
(empty)
but optimize fails
nft: optimize.c:486: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed.
2018 Oct 24
1
[Bug 1284] New: nft doesn't accept interface names starting with a number
...es
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: ville.skytta at iki.fi
...at least in iifname, oifname. Not a problem otherwise for the system to have
interface names starting with a number that I can see. For example:
# ip link show dev 5af3c3f0
14: 5af3c3f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc [...]
# nft add rule inet filter forward iifname 5af3c3f0 jump meh
Error: syntax er...
2017 Aug 16
3
[Bug 1169] New: Bug in altering IP TTL field of a packet?
...: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: berend at kubusje.nl
When I try to set the IP TTL field to a certain number with a rule it doesn't
change the TTL field but it changes the PROTO field.
This is the rule:
oifname eno2 ip daddr 136.144.X.X ip ttl 1-63 ip ttl set 64 nftrace set 1 log prefix "TTLTEST "
This is in the log file:
Aug 16 15:08:58 name kernel: TTLTEST IN= OUT=eno2 SRC=217.100.X.X DST=136.144.X.X LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=32700 DF PROTO=64
So this seems like a bug to me.
Alt...
2018 Nov 14
3
[Bug 1295] New: Access decision from previous priority
...ous (my-forward) chain. All other packets may
then be processed by the docker chains. Something like:
chain my-forward {
    type filter hook forward priority -1; policy drop;
    # The web server lives in a docker container.
    iifname "eth0" oifname "docker0" tcp dport { 80, 443 } accept
}
chain DOCKER-USER {
    # In case the previous decision was drop, then drop it here too.
    meta previous-decision drop drop
    # All other packets are processed by the docker chain(s)....
2019 Jul 02
5
[Bug 1347] New: ebtables-nft: regression in -o option
https://bugzilla.netfilter.org/show_bug.cgi?id=1347
Bug ID: 1347
Summary: ebtables-nft: regression in -o option
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: iptables over nftable
Assignee:
2014 Apr 14
0
[ANNOUNCE]: Release of nftables 0.2
...related types *_proto
and the network interface related type iface_*. The arphrd type has been
renamed to iface_type.
* Unqualified meta expressions
A number of keys of the meta expressions can be used without the meta
keyword for simplicity. These are mark, iif, iifname, iiftype, oif,
oifname, oiftype, skuid, skgid, nftrace and rtclassid. The meta keyword
may still be used if desired.
- nft filter output meta skuid root accept
becomes
- nft filter output skuid root accept
New features
============
The more prominent new features include:
* Support for hybrid IPv4/IPv6 ta...