search for: saddr

Displaying 20 results from an estimated 183 matches for "saddr".

2020 Feb 27
9
[Bug 1410] New: STATELESS, rules with notrack into a map
...Reporter: e.lohmann at mdex.de I would like to put rules like this into a map. But there is no command (set) to use the map in raw, like we do it in STATEFUL with dnat / snat. nft add rule raw PREROUTING ip daddr *publicIP* counter notrack ip daddr set *privateIP* nft add rule raw PREROUTING ip saddr *privateIP* counter notrack ip saddr set *publicIP* I do this in STATEFUL with: dnat to ip daddr map @pubip_pre snat to ip saddr map @pubip_post Open for any discussion and questions, thanks in forward, eike.
2020 Sep 23
2
[Bug 1467] New: [sets] support adaptive (escalating) rule(s)
...Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com once bug #1466 is sorted consider support for adaptive (escalating) rule(s) based on element counters, e.g. * if { saddr counter N } then { set element timeout } multiply by or add timeout factor (N1) * if { saddr counter N *|+ N1 } then lookup saddr's cidr in geoip db and update saddr to cidr range * if { saddr cidr range counter N } then lookup saddr cidr range in geoip db and update saddr to ASN * if { saddr...
2019 Dec 04
2
[Bug 1385] New: Incorrectly evaluated expression with negated ip saddr and negated ip daddr
https://bugzilla.netfilter.org/show_bug.cgi?id=1385 Bug ID: 1385 Summary: Incorrectly evaluated expression with negated ip saddr and negated ip daddr Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: kernel Assignee: pablo at net...
2018 Jan 30
5
[Bug 1220] New: Reverse path filtering using "fib" needs better documentation
...ignee: pablo at netfilter.org Reporter: f30 at f30.me Reverse path filtering means dropping a packet if connections to its source IP wouldn't use the same interface the packet arrived on. The nftables wiki states [1] that this can be implemented like: nft add rule x prerouting fib saddr . iif oif eq 0 drop Slides by Florian Westphal [2] suggest to use: nft add rule ... fib saddr . oif oif = 0 drop But this fails with "Invalid argument" even when replacing "=" by "==" or "eq". `fib saddr . iif oif eq 0` achieves the desired goal (except...
2023 Jun 02
6
[Bug 1687] New: Define set of set with in ipset list:sets
...pablo at netfilter.org Reporter: willyam.android at gmail.com Is there a plan to implement a list of sets? An example of use would be the use of GeoIP lists where I have several lists (one per country) and use multiple lists in the definition of the source IP in the rule, example: ip6 saddr { @FR, @MC, @CH } drop
2002 Jun 24
0
Rsync 2.5.5: FreeBSD mknod can't create FIFO's
...51:17 2002 +++ work.patch/rsync-2.5.5/syscall.c Mon Jun 24 14:46:19 2002 @@ -67,6 +67,35 @@ { if (dry_run) return 0; CHECK_RO + +#if HAVE_MKFIFO + if (S_ISFIFO(mode)) { + return mkfifo(pathname, mode); + } +#endif + +#if HAVE_SYS_UN_H + if (S_ISSOCK(mode)) { + int sock; + struct sockaddr_un saddr; + int len = strlen(pathname) + 1; /* include null */ + + saddr.sun_family = AF_UNIX; + strncpy(saddr.sun_path, pathname, sizeof(saddr.sun_path)); + saddr.sun_len = len > sizeof(saddr.sun_path) ? sizeof(saddr.sun_path) : len; + + if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) { + re...
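Review bot: in the S_ISSOCK branch, strncpy(saddr.sun_path, pathname, sizeof(saddr.sun_path)) leaves sun_path without a terminating NUL whenever pathname is as long as or longer than the buffer, and the sun_len clamp on the next line then carries on with a silently truncated path instead of failing. Reject over-long names before the copy, for example by returning -1 with errno = ENAMETOOLONG when strlen(pathname) + 1 > sizeof(saddr.sun_path), and drop the clamp. Note also that len is an int compared against a size_t from sizeof; declaring it size_t avoids the signed/unsigned comparison.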
2024 Feb 13
16
[Bug 1736] New: nftables - dynamic update for verdict map from the packet path
...of new client retrieved from the packet path to a map with the `update @` action like below add table ip loadbalancer add map ip loadbalancer epToChain { type ipv4_addr : verdict ; flags dynamic,timeout ; timeout 4m ;} add chain ip loadbalancer service-ABC add rule ip loadbalancer service-ABC ip saddr vmap @epToChain add chain ip loadbalancer endpoint-1 add rule ip loadbalancer endpoint-1 update @epToChain { ip saddr : goto endpoint-1 } add chain ip loadbalancer endpoint-2 add rule ip loadbalancer endpoint-2 update @epToChain { ip saddr : goto endpoint-2 } But I got the error below with nft 1...
2003 Oct 27
0
rsyncing fifos and sockets on FreeBSD
...sync/syscall.c,v retrieving revision 1.27 diff -r1.27 syscall.c 70a71,98 > > #if HAVE_MKFIFO > if (S_ISFIFO(mode)) > return mkfifo(pathname, mode); > #endif > #if (HAVE_SYS_UN_H && HAVE_SYS_SOCKET_H) > if (S_ISSOCK(mode)) { > int sock; > struct sockaddr_un saddr; > > if (strlen(pathname) + 1 > sizeof(saddr.sun_path)) { > errno = ENAMETOOLONG; return -1; > } > > saddr.sun_family = AF_UNIX; > strncpy(saddr.sun_path, pathname, sizeof(saddr.sun_path)); > > if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1) { >...
2008 Sep 12
4
Custom build kernel patch fails big time.
...-53,17 +55,20 @@ struct dst_entry *dst, *dst_prev; struct rtable *rt0 = (struct rtable*)(*dst_p); struct rtable *rt = rt0; - u32 remote = fl->fl4_dst; - u32 local = fl->fl4_src; struct flowi fl_tunnel = { .nl_u = { .ip4_u = { - .saddr = local, - .daddr = remote, + .saddr = fl->fl4_dst, + .daddr = fl->fl4_src, .tos = fl->fl4_tos } } }; + union { + struct in6_addr *in6; + struct in_addr *in; + } remote, local; +...
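Review bot: in the fl_tunnel initializer, .saddr is now taken from fl->fl4_dst and .daddr from fl->fl4_src, which is the reverse of the removed lines (local was fl->fl4_src and fed .saddr; remote was fl->fl4_dst and fed .daddr). If the swap is not intended, keep .saddr = fl->fl4_src and .daddr = fl->fl4_dst; if it is intended, it needs a comment saying why the tunnel flow is built with source and destination exchanged. The added union also reuses the names remote and local with pointer members in place of the removed u32 values, so every later use of those names in this function has to be checked against the new type.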
2024 Apr 03
10
[Bug 1742] New: using nfqueue breaks SCTP connection (tracking)
...s makes the connection work. I've added a trace (by the way kudos for the tracing functionality is really a great improvement) and I can see how the packet is dropped in a rule that drops connections with invalid state trace id 0329b184 ip filter trace_chain packet: iif "eth0" ether saddr 02:42:c0:a8:08:02 ether daddr 02:42:c0:a8:08:03 ip saddr 10.244.1.47 ip daddr 10.244.2.47 ip dscp cs0 ip ecn ect0 ip ttl 63 ip id 0 ip length 68 sctp sport 47261 sctp dport 8080 sctp vtag 0 @th,96,64 0x10000240486b6e3 trace id 0329b184 ip filter trace_chain rule ip protocol sctp meta nftrace set 1...
2018 Apr 27
5
[Bug 1249] New: set update with timeout 0s removes timeout
...s to set timeout 1s, but this is not perfect) ------------------------------------------- #Config file: table inet filter { set test { type ipv4_addr timeout 10m } chain input { type filter hook input priority 0; policy accept; tcp dport 1111 set add ip saddr @test tcp dport 2222 set update ip saddr timeout 0s @test tcp dport 3333 set update ip saddr timeout 40s @test } ... other chains ... } ------------------------------------------- ------------------------------------------- # nft list ruleset -nn table inet filter { set...
2018 Oct 16
7
[Bug 1282] New: SIGSEGV on loading tables
...rusted4 { 159.69.156.79 } add element inet main trusted4 { 98.143.148.171 } add element inet main trusted4 { 159.69.33.57 } add element inet main trusted4 { 159.69.146.174 } chain inet main input { type filter hook input priority 50; policy drop iifname lo accept ip6 saddr @ossec6 ct state new counter log prefix "OSSEC6 " drop ip saddr @ossec4 ct state new counter log prefix "OSSEC4 " drop ip saddr @blacklist tcp dport ssh ct state new counter log prefix "BLACKLIST " drop tcp dport @tcp_public ct state new counter accept...
2017 Apr 02
6
[Bug 1142] New: invalid binop operation 6nft
...ilter at d9c.eu Consider the following table: table inet filter { set allowable { type ipv6_addr flags timeout } chain input { type filter hook input priority 0; policy accept; tcp dport telnet set update ip6 saddr & ffff:ffff:ffff:ffff:: timeout 2m @allowable } } # nft "add rule inet filter input ip6 saddr & ffff:ffff:ffff:ffff:: @allowable counter" BUG: invalid binop operation 6nft: evaluate.c:1418: binop_transfer: Assertion `0' failed. # nft add element inet filter allowable...
2018 Jul 02
3
[Bug 1267] New: unable to use limit with counter in meters
...nent: nft Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz It looks like nft doesn't allow counter after limit inside of meter. counter after limit: -------------------- localhost ~ # nft add rule filter INPUT icmp type echo-request meter icmp-spammer { ip saddr limit rate over 10/second burst 30 packets counter} counter drop Error: syntax error, unexpected counter, expecting '}' add rule filter INPUT icmp type echo-request meter icmp-spammer { ip saddr limit rate over 10/second burst 30 packets counter} counter drop counter before limit (just fo...
2018 Nov 24
5
[Bug 1303] New: nft improperly merges intervals
...OS: All Status: NEW Severity: critical Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: trever at middleearth.sapphiresunday.org Please consider the following rules: oifname "ppp0" ip saddr { 10.0.0.0/23, 10.1.1.0/24 } counter packets 76 bytes 4704 masquerade oifname "ppp0" ip saddr 10.1.1.0/25 counter packets 0 bytes 0 masquerade oifname "ppp0" ip saddr 10.0.1.0/24 counter packets 0 bytes 0 masquerade oifname "ppp0" ip saddr 10.0....
2018 Jan 30
7
[Bug 1221] New: "fib" produces strange results with an IPv6 default route
...OS: Debian GNU/Linux Status: NEW Severity: major Priority: P5 Component: kernel Assignee: pablo at netfilter.org Reporter: f30 at f30.me I am trying to implement reverse path filtering using "fib" rules like `fib saddr . iif oif 0 drop`. I don't understand why exactly (see #1220), but this generally works for IPv4 and IPv6 without a default route. However, "fib" starts to behave strangely with a v6 default route. Assume a host with two interfaces, enp0s5 and enp0s6, and the following IP addresses:...
2018 Jun 12
1
[Bug 1261] New: nft trace crash with msg "BUG: invalid verdict value 2"
...Component: nft Assignee: pablo at netfilter.org Reporter: jddupas at xooloo.com Trying to trace messages that are forwarded using the 'fwd' verdict action results in the following crash: trace id ddbbaae2 netdev vpn ingress_out packet: iif "enp2s0" ether saddr 78:54:00:29:bb:aa ether daddr 52:54:00:01:53:9f ip saddr 85.14.236.41 ip daddr 17.25.63.98 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 49036 ip length 84 icmp type echo-reply icmp code 0 icmp id 16947 icmp sequence 4 trace id ddbbaae2 netdev vpn ingress_out rule ip saddr 85.14.236.41 nftrace set 1...
2019 May 20
1
[Bug 1338] New: Can't add IPv6 concatenation rule
...Status: NEW Severity: major Priority: P5 Component: nfnetlink_queue Assignee: netfilter-buglog at lists.netfilter.org Reporter: abrian at netapp.com Attempting to add an ip6 address in a concatenation fails: nft add rule inet filter input ip6 saddr . udp dport fd20:332:332:0:250:56ff:fe87:f635 . 1662 counter accept <cmdline>:1:1-112: Error: Could not process rule: Value too large for defined data type add rule inet filter input ip6 saddr . udp dport fd20:332:332:0:250:56ff:fe87:f635 . 1662 counter accept ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^...
2006 Mar 21
9
IE flakiness?
I set up a simple BlindUp and BlindDown div that works seamlessly in Firefox but doesn't work as smoothly in IE. When blinding down, the whole div flashes and then Blinds down. The same thing when blinding up. Is this something that is fixable?
2024 Aug 14
2
[Bug 1764] New: mapping IPv4 interval to IPv4 interval works for anonymous maps, but not for named maps
...8b03 nothing to commit, working tree clean nft --version nftables v1.1.0 (Commodore Bullmoose) ******************************** Anonymous map example: ******************************** nft add table t nft add chain t c { type nat hook postrouting priority srcnat\; } nft add rule t c snat ip to ip saddr map { 192.0.2.0/24 : 198.51.100.0/24 } persistent nft list ruleset table ip t { chain c { type nat hook postrouting priority srcnat; policy accept; snat ip to ip saddr map { 192.0.2.0/24 : 198.51.100.0/24 } persistent } } *****************************...