search for: oifname

Displaying 13 results from an estimated 13 matches for "oifname".

2019 Aug 27
3
[Bug 1360] New: BUG: invalid expression type concat on invalid input "iifname . oifname p . q"
https://bugzilla.netfilter.org/show_bug.cgi?id=1360 Bug ID: 1360 Summary: BUG: invalid expression type concat on invalid input "iifname . oifname p . q" Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: a...
2018 Nov 24
5
[Bug 1303] New: nft improperly merges intervals
...Hardware: x86_64 OS: All Status: NEW Severity: critical Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: trever at middleearth.sapphiresunday.org Please consider the following rules: oifname "ppp0" ip saddr { 10.0.0.0/23, 10.1.1.0/24 } counter packets 76 bytes 4704 masquerade oifname "ppp0" ip saddr 10.1.1.0/25 counter packets 0 bytes 0 masquerade oifname "ppp0" ip saddr 10.0.1.0/24 counter packets 0 bytes 0 masquerade oifname "...
2018 Nov 06
1
[Bug 1290] New: ptables: nftables layer breaks ipsec/policy keyword
...some cases your firewall useless. For ex: # iptables -F # iptables -A OUTPUT -m policy --dir out --pol ipsec --strict --mode tunnel -o eth0 -j ACCEPT # echo $? 0 # nft list ruleset <cut> chain OUTPUT { type filter hook output priority 0; policy accept; oifname "eth0" counter packets 90 bytes 26085 accept } } As you can see, the inserted rule allows everything, while the expected behavior would be 'only if going through an IPsec tunnel'. Even worse: inserting the rule did not fail. Until the 'ipsec' (or 'secpath...
2018 Jun 21
6
[Bug 1263] New: Device or resource busy on nat loading.
...o load the following table on any vanilla kernel > 4.15.18: table ip nat { chain prerouting { type nat hook prerouting priority 0; policy accept; } chain postrouting { type nat hook postrouting priority 100; policy accept; oifname "wlp3s0" masquerade oifname "tun0" masquerade } } kernel config looks like: # # Core Netfilter Configuration # CONFIG_NETFILTER_INGRESS=y CONFIG_NETFILTER_NETLINK=m CONFIG_NETFILTER_FAMILY_BRIDGE=y CONFIG_NETFILTER_FAMILY_ARP=y CONFIG_NETFILTER_NETLINK_...
2017 Feb 03
4
[Bug 1117] New: Table ipv4-nat prerouting dnat doesn't accept dest IP:PORT
...do some nftables stuff... ------------------ cat nftables.aaaa #!/usr/bin/nft -f flush ruleset table ip nat { chain prerouting { type nat hook prerouting priority -150; policy accept; } chain postrouting { type nat hook postrouting priority -150; policy accept; oifname "pub-aaaa" masquerade } } table inet filter { chain input { type filter hook input priority 0; policy accept; } chain forward { type filter hook forward priority 0; policy accept; } chain output { type filter hook output priority 0; policy a...
2024 Oct 29
21
[Bug 1777] New: Error: COMMAND_FAILED: 'python-nftables' failed
...N_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "nat_POST_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "...
2016 Dec 24
6
[Bug 1105] New: masquerade fully broken when no prerouting chain is created
...e source IP of the host but the answers are not forwarded back. Creating an empty prerouting chain with its hook solved the issue. My NAT rules are: table ip nat { chain prerouting { type nat hook prerouting priority 0; } chain postrouting { type nat hook postrouting priority 0; oifname eth0 masquerade } } Kernel: 4.8.13-1-ARCH Version: nftables 1:0.6-3 Distribution: ArchLinux ...
2024 Jul 20
2
[Bug 1762] New: coredump in --optimize
...10.1" table nat { chain prerouting { type nat hook prerouting priority -100; policy accept; iifname $wan tcp dport 10000 dnat to $server:10000; } chain postrouting { type nat hook postrouting priority 100; policy accept; oifname $vpn masquerade oifname $wan masquerade } } checks ok, no error nft -c -f tmp.nft (empty) but optimize fails nft: optimize.c:486: rule_build_stmt_matrix_stmts: Assertion `k >= 0' failed. ...
2018 Oct 24
1
[Bug 1284] New: nft doesn't accept interface names starting with a number
...es Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: ville.skytta at iki.fi ...at least in iifname, oifname. Not a problem otherwise for the system to have interface names starting with a number that I can see. For example: # ip link show dev 5af3c3f0 14: 5af3c3f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc [...] # nft add rule inet filter forward iifname 5af3c3f0 jump meh Error: syntax err...
2017 Aug 16
3
[Bug 1169] New: Bug in altering IP TTL field of a packet?
...: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: berend at kubusje.nl When I try to set the IP TTL field to a certain number with a rule it doesn't change the TTL field but it changes the PROTO field. This is the rule: oifname eno2 ip daddr 136.144.X.X ip ttl 1-63 ip ttl set 64 nftrace set 1 log prefix "TTLTEST " This is in the log file: Aug 16 15:08:58 name kernel: TTLTEST IN= OUT=eno2 SRC=217.100.X.X DST=136.144.X.X LEN=64 TOS=0x10 PREC=0x00 TTL=63 ID=32700 DF PROTO=64 So this seems like a bug to me. Alte...
2018 Nov 14
3
[Bug 1295] New: Access decision from previous priority
...ous (my-forward) chain. All other packets may then be processed by the docker chains. Something like: chain my-forward { type filter hook forward priority -1; policy drop; # The web server lives in a docker container. iifname "eth0" oifname "docker0" tcp dport { 80, 443 } accept } chain DOCKER-USER { # In case the previous decision was drop, then drop it here too. meta previous-decision drop drop # All other packets are processed by the docker chain(s)....
2019 Jul 02
5
[Bug 1347] New: ebtables-nft: regression in -o option
https://bugzilla.netfilter.org/show_bug.cgi?id=1347 Bug ID: 1347 Summary: ebtables-nft: regression in -o option Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: iptables over nftable Assignee:
2014 Apr 14
0
[ANNOUNCE]: Release of nftables 0.2
...related types *_proto and the network interface related type iface_*. The arphrd type has been renamed to iface_type. * Unqualified meta expressions A number of keys of the meta expressions can be used without the meta keyword for simplicity. These are mark, iif, iifname, iiftype, oif, oifname, oiftype, skuid, skgid, nftrace and rtclassid. The meta keyword may still be used if desired. - nft filter output meta skuid root accept becomes - nft filter output skuid root accept New features ============ The more prominent new features include: * Support for hybrid IPv4/IPv6 tab...