* nftables, after adding a rule without any action, nft doesn't return correctly
@ 2014-07-16 15:37 Ryo Fujita
  2014-07-16 16:07 ` Pablo Neira Ayuso
  2014-07-16 23:52 ` Alex van den Bogaerdt
  0 siblings, 2 replies; 7+ messages in thread
From: Ryo Fujita @ 2014-07-16 15:37 UTC (permalink / raw)
  To: netfilter

Hi,

I’m still a newbie to nftables and couldn’t distinguish right behavior from a bug.

I found a weird behavior of the nft command.

# nft -f /etc/nftables/inet-filter
# nft add rule inet filter input log drop
# nft add rule inet filter input ip saddr 192.168.1.21 // without any action like ‘drop’, ‘accept’, ‘log’ and so on
# nft list chain inet filter input
table inet filter {
	chain input {
		 type filter hook input priority 0;
		 log drop
^C << - - - - - - - break

I have 2 questions.

1. Adding a rule without any action didn’t result in any error. Was it correct behavior?

2. After adding a rule, nft didn’t return; I needed to break with ^C. Was it a bug?

My environment was as follows.
nftables-0.100-3.20140704git.fc21.x86_64
libnftnl-1.0.2-1.fc21.x86_64
kernel-3.15.4-200.fc20.x86_64

Best Rio.


* Re: nftables, after adding a rule without any action, nft doesn't return correctly
  2014-07-16 15:37 nftables, after adding a rule without any action, nft doesn't return correctly Ryo Fujita
@ 2014-07-16 16:07 ` Pablo Neira Ayuso
  2014-07-16 23:13   ` Ryo Fujita
  2014-07-16 23:52 ` Alex van den Bogaerdt
  1 sibling, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2014-07-16 16:07 UTC (permalink / raw)
  To: Ryo Fujita; +Cc: netfilter

On Thu, Jul 17, 2014 at 12:37:43AM +0900, Ryo Fujita wrote:
> Hi,
> 
> I’m still a newbie to nftables and couldn’t distinguish right behavior from a bug.
> 
> I found a weird behavior of the nft command.
> 
> # nft -f /etc/nftables/inet-filter
> # nft add rule inet filter input log drop
> # nft add rule inet filter input ip saddr 192.168.1.21 // without any action like ‘drop’, ‘accept’, ‘log’ and so on
> # nft list chain inet filter input
> table inet filter {
> 	chain input {
> 		 type filter hook input priority 0;
> 		 log drop
> ^C << - - - - - - - break
> 
> I have 2 questions.
> 
> 1. Adding a rule without any action didn’t result in any error. Was it correct behavior?

You can add rules without any action.

> 2. After adding a rule, nft didn’t return; I needed to break with ^C. Was it a bug?

Try -n to disable name resolution:

# nft -n list table inet filter

> My environment was as follows.
> nftables-0.100-3.20140704git.fc21.x86_64

Please use the latest when testing.

http://www.netfilter.org/projects/nftables/downloads.html

Thanks.

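As an added example (not code from this thread or from the nftables project), the following Python script audits saved `nft list` output for rules that carry no verdict, which is the case Pablo confirms is allowed above. Such a rule matches packets but never accepts or drops them, so a rule that was meant to block a host (like the `ip saddr 192.168.1.21` line in the original report) becomes a silent policy gap; a `counter`-only rule is reported separately since that is often intentional. The `load_ruleset` helper runs `nft -n list ruleset`, `-n` being the flag suggested above so that nft prints addresses numerically instead of stalling on reverse DNS lookups, with a timeout as a second guard. The `SAMPLE_RULESET` text is constructed for this example, and the `nft` invocation is only attempted when the script is run as a program.

```python
import re
import subprocess
from dataclasses import dataclass

# Verdict statements: the only things that decide a packet's fate in a chain.
VERDICTS = {"accept", "drop", "reject", "return", "continue", "jump", "goto", "queue"}
# Statements with a side effect but no verdict; the packet keeps traversing the chain.
SIDE_EFFECTS = {"counter", "log", "nflog", "limit", "quota", "notrack"}

# Constructed sample of `nft list ruleset` output, modelled on the thread above.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        log drop
        ip saddr 192.168.1.21
        ip saddr 10.0.0.0/8 counter
        tcp dport 22 accept
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "lan0" oifname "wan0" counter accept
    }
}
"""


@dataclass
class Finding:
    table: str
    chain: str
    rule: str
    kind: str  # "no-op" (matches, does nothing) or "side-effect-only" (counter/log/...)


def audit_ruleset(text: str) -> list[Finding]:
    """Walk nft's text output and report every rule that has no verdict."""
    findings: list[Finding] = []
    table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            # A closing brace ends the innermost open block.
            if chain is not None:
                chain = None
            else:
                table = None
            continue
        m = re.match(r"^table\s+(\S+)\s+(\S+)\s*\{$", line)
        if m:
            table = f"{m.group(1)} {m.group(2)}"
            continue
        m = re.match(r"^chain\s+(\S+)\s*\{$", line)
        if m:
            chain = m.group(1)
            continue
        if chain is None:
            continue  # table-level objects (sets, maps) are not rules
        if line.startswith(("type ", "policy ")):
            continue  # chain header line, not a rule
        tokens = set(line.split())
        if tokens & VERDICTS:
            continue  # this rule decides the packet's fate
        kind = "side-effect-only" if tokens & SIDE_EFFECTS else "no-op"
        findings.append(Finding(table, chain, line, kind))
    return findings


def load_ruleset(timeout_s: float = 5.0) -> str:
    """Fetch the live ruleset. -n makes nft print numeric addresses instead of
    doing a reverse DNS lookup per address (the stall seen in the thread); the
    timeout is a second guard so an audit never blocks on a slow resolver."""
    result = subprocess.run(
        ["nft", "-n", "list", "ruleset"],
        capture_output=True, text=True, timeout=timeout_s, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    try:
        ruleset = load_ruleset()
    except (OSError, subprocess.SubprocessError):
        ruleset = SAMPLE_RULESET  # no usable nft here: audit the constructed sample
    for f in audit_ruleset(ruleset):
        print(f"[{f.kind}] {f.table} / {f.chain}: {f.rule}")
```

On the constructed sample this reports `ip saddr 192.168.1.21` as a no-op and `ip saddr 10.0.0.0/8 counter` as side-effect-only; the `log drop` rule and the `accept` rules pass. Note that the numeric-by-default behaviour has since changed in nft: newer releases print numeric addresses unless reverse lookups are explicitly requested with `-N`/`--reversedns`, so an audit script should pin whichever flag its target version honours rather than rely on the default.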

* Re: nftables, after adding a rule without any action, nft doesn't return correctly
  2014-07-16 16:07 ` Pablo Neira Ayuso
@ 2014-07-16 23:13   ` Ryo Fujita
  2014-07-17 14:14     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 7+ messages in thread
From: Ryo Fujita @ 2014-07-16 23:13 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

Hi Pablo-san and all,

Thank you so much!
You made it clear to me.

> You can add rules without any action.

I understand it’s the spec, not a bug.

> Try -n to disable name resolution:
> 
> # nft -n list table inet filter


Yes, I checked that reverse lookup fails, as you pointed out.

>> My environment was as followings.
>> nftables-0.100-3.20140704git.fc21.x86_64
> 
> Please, use latest when testing.
> 
> http://www.netfilter.org/projects/nftables/downloads.html


The reason why I’m using the slightly old version is to write a magazine article introducing nftables. It’s easy for readers to install the version I checked, with an RPM or an archive like 'nftables-0.3’.
Anyway, I’ll test the latest before sending a report to this ML.

Best Rio.


########################################################################
Ryo Fujita <rfujita@redhat.com>
Supervisor, Solution Architects, RHCE
Red Hat K.K.
TEL +81-3-5798-8500 FAX +81-3-5798-8599
Ebisu Neonato 8F, 4-1-18 Ebisu, Shibuya-ku, Tokyo Japan 1500013

Red Hat K.K.
Global Services Division, Platform Solutions Department
Manager, Solution Architects
Ryo Fujita
〒150-0013
Ebisu Neonato 8F, 4-1-18 Ebisu, Shibuya-ku, Tokyo
Tel 03-5798-8500
http://www.jp.redhat.com/

Please consider the environment before printing this e-mail.
########################################################################



* Re: nftables, after adding a rule without any action, nft doesn't return correctly
  2014-07-16 15:37 nftables, after adding a rule without any action, nft doesn't return correctly Ryo Fujita
  2014-07-16 16:07 ` Pablo Neira Ayuso
@ 2014-07-16 23:52 ` Alex van den Bogaerdt
  2014-07-17  5:22   ` Alex van den Bogaerdt
  1 sibling, 1 reply; 7+ messages in thread
From: Alex van den Bogaerdt @ 2014-07-16 23:52 UTC (permalink / raw)
  To: netfilter

> Hi,
>
> I’m still a newbie to nftables and couldn’t distinguish right behavior
> from a bug.
>
> I found a weird behavior of the nft command.
>
> # nft -f /etc/nftables/inet-filter
> # nft add rule inet filter input log drop
> # nft add rule inet filter input ip saddr 192.168.1.21 // without any
> action like ‘drop’, ‘accept’, ‘log’ and so on
> # nft list chain inet filter input
> table inet filter {
> 	chain input {
> 		 type filter hook input priority 0;
> 		 log drop
> ^C << - - - - - - - break

Forgive me my ignorance if any, but isn't nft waiting for "}}" or similar?




* Re: nftables, after adding a rule without any action, nft doesn't return correctly
  2014-07-16 23:52 ` Alex van den Bogaerdt
@ 2014-07-17  5:22   ` Alex van den Bogaerdt
  0 siblings, 0 replies; 7+ messages in thread
From: Alex van den Bogaerdt @ 2014-07-17  5:22 UTC (permalink / raw)
  To: netfilter

never mind

> Forgive me my ignorance




* Re: nftables, after adding a rule without any action, nft doesn't return correctly
  2014-07-16 23:13   ` Ryo Fujita
@ 2014-07-17 14:14     ` Pablo Neira Ayuso
  2014-07-18  0:49       ` Ryo Fujita
  0 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2014-07-17 14:14 UTC (permalink / raw)
  To: Ryo Fujita; +Cc: netfilter

On Thu, Jul 17, 2014 at 08:13:12AM +0900, Ryo Fujita wrote:
> Hi Pablo-san and all,
> 
> Thank you so much!
> You made it clear to me.
> 
> > You can add rules without any action.
> 
> I understand it’s the spec, not a bug.
> 
> > Try -n to disable name resolution:
> > 
> > # nft -n list table inet filter
> 
> 
> Yes, I checked that reverse lookup fails, as you pointed out.
> 
> >> My environment was as follows.
> >> nftables-0.100-3.20140704git.fc21.x86_64
> > 
> > Please, use latest when testing.
> > 
> > http://www.netfilter.org/projects/nftables/downloads.html
> 
> 
> The reason why I’m using the slightly old version is to write a
> magazine article introducing nftables. It’s easy for readers to
> install the version I checked, with an RPM or an archive like
> 'nftables-0.3’.  Anyway, I’ll test the latest before sending a
> report to this ML.

Not a good idea to stick to old versions. We're still changing syntax
in some aspects and resolving bugs at this stage. The user document
aims to be in sync with latest. You should recommend people to stick
to latest until 1.0 comes out.


* Re: nftables, after adding a rule without any action, nft doesn't return correctly
  2014-07-17 14:14     ` Pablo Neira Ayuso
@ 2014-07-18  0:49       ` Ryo Fujita
  0 siblings, 0 replies; 7+ messages in thread
From: Ryo Fujita @ 2014-07-18  0:49 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter

Hi,

> Not a good idea to stick to old versions. We're still changing syntax
> in some aspects and resolving bugs at this stage. The user document
> aims to be in sync with latest. You should recommend people to stick
> to latest until 1.0 comes out.

Yes, I know.
Actually, I wrote an article based on Fedora rawhide, which chases the nftables git tree a few days behind. Considering the development pace of nftables, it doesn’t matter for readers to use Fedora rawhide. Of course, I’m checking the latest tree in order to advise my readers to recognize the possibility of syntax changes and so on.

Anyway, thank you for your kind advice!

Best Rio.




