search for: plushkava

...populating a set Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: kfm at plushkava.net Created attachment 580 --> https://bugzilla.netfilter.org/attachment.cgi?id=580&action=edit bash script that reproduces the issue filed Recently, I was assisting somebody in the course of adjusting some scripts that generate an ipset consisting of IPv6 bogons, so as to use native nft...

...in Linux 5.0 Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: normal Priority: P5 Component: kernel Assignee: pablo at netfilter.org Reporter: kfm at plushkava.net After upgrading one of my machines from 4.19.26 to 5.0, I encountered a crash during the boot process. This occurs at a point where nft(8) is invoked with the -c option, so as to test the validity of the previously saved ruleset. I was able to reduce the entire ruleset to just one rule, with t...

https://bugzilla.netfilter.org/show_bug.cgi?id=1434 Bug ID: 1434 Summary: Usability improvements, enabling creation of complex firewalls Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft

https://bugzilla.netfilter.org/show_bug.cgi?id=1438 Bug ID: 1438 Summary: nft generates wrong intervals for sets with auto-merge Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo

https://bugzilla.netfilter.org/show_bug.cgi?id=1330 Bug ID: 1330 Summary: Parse error for importing set with netmask Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org

...on device" Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: kfm at plushkava.net This bug is somewhat related to bug 1392. As explained there, I was unable to atomically re-populate a set by issuing a "flush set" command followed by an "add element" command within the same command stream. Eventually this was resolved by upgrading to nftables commit 40ef...

...Product: nftables Version: unspecified Hardware: x86_64 OS: other Status: NEW Severity: normal Priority: P5 Component: iptables over nftable Assignee: pablo at netfilter.org Reporter: kfm at plushkava.net Created attachment 581 --> https://bugzilla.netfilter.org/attachment.cgi?id=581&action=edit iptables-nft-trace.txt.xz As per the summary. The steps to reproduce here are to initialize a ruleset: printf '%s\n' '*filter' :{INPUT,FORWARD,OUTPUT}' ACCEPT [0:0]'...

https://bugzilla.netfilter.org/show_bug.cgi?id=1380 Bug ID: 1380 Summary: please enable adding networks to named set Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org

...yphenated ranges Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: kfm at plushkava.net Sometimes, the list set command expresses intervals as ranges rather than in CIDR notation. I do not understand what the criteria is for doing so, exactly. When it happens, the attached timeout values are not reported. Here are some demonstrations, which were carried out with nftables (commit...

...sets, maps and meters Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: kfm at plushkava.net Depends on: 1312, 1330, 1392, 1438, 1444, 1449, 1451, 1454 This is intended as a meta-bug, so as to make it easier to track the bugs that affect the behaviour of sets, maps and meters - something that is otherwise becoming increasingly difficult. To do so, I am adding some relevant bug...

https://bugzilla.netfilter.org/show_bug.cgi?id=1197 Bug ID: 1197 Summary: 255.255.255.255 is transformed into 255.255.255.255-255.255.255.255 Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft

https://bugzilla.netfilter.org/show_bug.cgi?id=1180 Bug ID: 1180 Summary: Can't create a set with both timeout and interval flags at the same time Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: enhancement Priority: P5

...segfault Product: nftables Version: 1.0.x Hardware: x86_64 OS: All Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: kfm at plushkava.net Here, the input contains an invalid datatype; it should be "ifname" instead. However, rather than identify the error in syntax, nft incurs a segmentation fault. # nft -V | head -n1 nftables v1.0.9 (Old Doc Yak #3) # nft 'table inet t { set s { type iface; elements = { "enp...

https://bugzilla.netfilter.org/show_bug.cgi?id=922 Summary: iprange: --ports is not suppported Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo: pablo at netfilter.org ReportedBy: anarey

https://bugzilla.netfilter.org/show_bug.cgi?id=942 Summary: ct: timeout, ctevents, expevents and zone is not supported in nft Product: nftables Version: unspecified Platform: x86_64 OS/Version: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft AssignedTo:

...son has no effect Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: kfm at plushkava.net Given a loaded ruleset that contains at least one populated set, the following bash program demonstrates that --terse has no effect when combined with the --json option. for opts in -s -t '-s -t'; do printf 'opts = %s: ' "$opts" if cmp -s <(nft -j list rul...

https://bugzilla.netfilter.org/show_bug.cgi?id=1202 Bug ID: 1202 Summary: Cannot match on both dport and sport in one nftables rule Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft

https://bugzilla.netfilter.org/show_bug.cgi?id=1462 Bug ID: 1462 Summary: `nft -j list set` does not show counters Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org

https://bugzilla.netfilter.org/show_bug.cgi?id=1319 Bug ID: 1319 Summary: Exporting a map with many elements to JSON will fail Product: nftables Version: unspecified Hardware: x86_64 OS: RedHat Linux Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at

https://bugzilla.netfilter.org/show_bug.cgi?id=1326 Bug ID: 1326 Summary: `nft list' is very slow when output contains meters that has lots of elements Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5