search for: unitednetworks

...igh limit 65535 Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz Created attachment 574 --> https://bugzilla.netfilter.org/attachment.cgi?id=574&action=edit example of nftables.py leaking memory System: Gentoo 5.3.10 x86_64 nft up to date from GIT as of 12.11.2019 Overwiew: nft commands which change ruleset leak memory when running through nfta...

...fter first read Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz Created attachment 577 --> https://bugzilla.netfilter.org/attachment.cgi?id=577&action=edit example of nftables.py not reading updated counter state System: Gentoo 5.4.1 x86_64 nft up to date from GIT as of 4.12.2019 CPython 3.6.9 Overview: nft commands which read named counters a...

...5 works fine Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: critical Priority: P5 Component: kernel Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz Created attachment 588 --> https://bugzilla.netfilter.org/attachment.cgi?id=588&action=edit example of adjacent ranges causing error After upgrading kernel from 5.5 to 5.6.2 our ruleset which includes mapping packet sizes to counters fails to load. Problem is in adjacent ranges: This...

...rwarded packets Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz We have several routers with Gentoo x86-64 kernels 4.9.9 or 4.10.1 with about 150 nftables rules (nftables used are commit da3f503, date 2017-1-03). Hardware used are Xeons or i7-7700K with 10Gbe Intel or Solarflare NICs. There are few sets, maps and flows. Any nft command, be it listing sets,...

...ets and maps Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz Now when we have stateful objects, one can use map to emulate counting of hits in set elements, but counters have to be created first. It would be nice to have "counter" flag for sets and maps with similar function as counters in rules, just to count packets and bytes hitting element...

...command bug Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: major Priority: P5 Component: kernel Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz Created attachment 482 --> https://bugzilla.netfilter.org/attachment.cgi?id=482&action=edit Proof of bug script System: Gentoo AMD64, kernel 4.8.1 nft, libmnl, libnftnl compiled from git (as of 13.10.2016) When adding IPv4 addresses one by one to set { type ipv4_addr; flags interval;...

...val raise SIGSEGV Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz latest nft, libnftnl, libmnl (v0.8, v1.0.8, v1.0.4 + 2 more commits) kernel 4.13.7 x86-64 commands: nft add map x testmap { type inet_service: counter\; flags interval\;} nft add counter x testcounter nft add element x testmap { 0-100 : "testcounter" } Neoprávněný přístup do paměti...

...lag interval Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz If consequent elements are added to set with flag interval in one command, they get concatenated. But when they are added with separate commands, they don't. This is inconsistent behaviour and needs to be fixed. Listing of such sets and keeping them in consistence with external data is prob...

https://bugzilla.netfilter.org/show_bug.cgi?id=1180 Bug ID: 1180 Summary: Can't create a set with both timeout and interval flags at the same time Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: enhancement Priority: P5

...ic sets with Product: nftables Version: unspecified Hardware: x86_64 OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz Few years ago I have proposed hit counters to set items: https://bugzilla.netfilter.org/show_bug.cgi?id=1185 Now when we have dynamic sets that replaced meters, and lookups are already allowed for these sets, maybe it is a time to add "hit" counters in set items, which will increase...

https://bugzilla.netfilter.org/show_bug.cgi?id=1140 Bug ID: 1140 Summary: nft dump invalid (flow table) Product: nftables Version: unspecified Hardware: x86_64 OS: other Status: NEW Severity: major Priority: P5 Component: nft Assignee: pablo at netfilter.org

...in meters Product: nftables Version: unspecified Hardware: x86_64 OS: Gentoo Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: karel at unitednetworks.cz It looks like nft doesnt allow counter after limit inside of meter. counter after limit: -------------------- localhost ~ # nft add rule filter INPUT icmp type echo-request meter icmp-spammer { ip saddr limit rate over 10/second burst 30 packets counter} counter drop Error: syntax error, unex...