search for: vtolkm

...linux-gnueabihf Product: nftables Version: unspecified Hardware: arm OS: Debian GNU/Linux Status: NEW Severity: blocker Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com Created attachment 613 --> https://bugzilla.netfilter.org/attachment.cgi?id=613&action=edit build log build node: * x86_64-pc-linux-gnu with kernel 5.9.7 * gcc 10.2.0 (Debian 10.2.0-16) * bison (GNU Bison) 3.7.3 * Python 3.8.6 Enclosed the build log. Tried a few times with...

...type 134 Product: nftables Version: unspecified Hardware: other OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com kernel 5.9.0-rc6 armv7l | nft 0.9.6 ___ table netdev filter { set et { typeof ether type flags constant counter elements = { vlan } } chain input { type filter hook ingress device...

...e a/o rate limit Product: nftables Version: unspecified Hardware: arm OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com kernel 5.9.0-rc6 armv7l | nft 0.9.6 ____ works (as in printing log): ct state != { 2,4 } log flags all prefix "foo DROP: " drop; not printing log: ct state != { 2,4 } update @foo { ip6 saddr limit rate over 500/second burst 25 packets } log flags all prefix "foo DR...

...ive (escalating) rule(s) Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com once bug #1466 is sorted consider support for adaptive (escalating) rule(s) based on element counters, e.g. * if { saddr counter N } then { set element timeout } multiply by or add timeout factor (N1) * if { saddr counter N *|+ N1 } then lookup saddr's cidr in geoip db and update...

...families Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com kernel 5.9.0-rc6 armv7l | nft 0.9.6 Currently named sets can be utilised in rules only within the family a set is defined. However, there are use cases where the same sets are applicable for different families, and thus it would be handy if there were a sort of (global) sets that co...

...ation not working Product: nftables Version: unspecified Hardware: All OS: Debian GNU/Linux Status: NEW Severity: minor Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com kernel 5.9.0-rc6 armv7l | nft 0.9.6 works: ct state vmap { 1: drop, 2: accept, 4: accept } not working: ct state vmap { 1: drop, 2 . 4: accept } Error: Can't parse symbolic invalid expressions and neither: ct state vmap { 1: drop, 2 and 4: accept } ct state vmap { 1: drop...

...etect python3 Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com build node: * x86_64-pc-linux-gnu with kernel 5.9.7 * gcc 10.2.0 (Debian 10.2.0-16) * bison (GNU Bison) 3.7.3 * Python 3.8.6 the script (sh configure) fails to detect the installation of python3 and prints instead: checking for python... no checking for python2... no checking for py...

...limit Product: nftables Version: unspecified Hardware: All OS: Debian GNU/Linux Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com kernel 5.9.0-rc6 armv7l | nft 0.9.6 as discoursed on the user mailing list combination of counter and limit currently does not work and throws error Error: Could not process rule: Not supported -- You are receiving this mail because: You are watching all bug changes. -------------...

...mprove flags combination Product: nftables Version: unspecified Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com kernel 5.9.0-rc6 armv7l | nft 0.9.6 ----- in set this this works: flags dynamic, timeout does not work: flags dynamic, timeout, interval producing: Error: Could not process rule: Not supported ---- having looked up wiki & man there is no mentioning that flags are mutually...

...sets) Product: nftables Version: unspecified Hardware: arm OS: Debian GNU/Linux Status: NEW Severity: normal Priority: P5 Component: nft Assignee: pablo at netfilter.org Reporter: vtolkm at gmail.com kernel 5.9.0-rc6 armv7l | nft 0.9.6 _____ With two config files, one being the main config and another one to be loaded on a certain node condition after the main config being already in play. Both however with rules that refer to the same named set that is being loaded initially wit...