* Issue with latest nftables
@ 2013-06-28 20:08 Eric Leblond
2013-06-29 9:45 ` Pablo Neira Ayuso
0 siblings, 1 reply; 4+ messages in thread
From: Eric Leblond @ 2013-06-28 20:08 UTC (permalink / raw)
To: netfilter-devel; +Cc: Pablo Neira Ayuso
Hi,
I've found an issue when using the libnftables based nft.
If you use nft-add-rule from libnftables examples and you try to list
the rules afterward with nft, there is a problem with the added rules
which are not displayed correctly.
Here is the output of "nft list table filter -n -a --debug=all":
family=ip table=filter chain=output handle=9 flags=0 match name=iprange rev=1 payload dreg=1 base=1 offset=9 len=1 target name=LOG rev=0
table filter {
chain input {
hook NF_INET_LOCAL_IN 0;
}
chain forward {
hook NF_INET_FORWARD 0;
}
chain output {
hook NF_INET_LOCAL_OUT 0;
ip daddr 1.2.3.4 drop # handle 4
ip daddr 1.2.3.5 drop # handle 5
ip daddr 1.2.3.6 drop # handle 6
# handle 9
}
}
netlink: Error: unknown expression type 'match'
name=iprange rev=1
netlink: Error: unknown expression type 'target'
name=LOG rev=0
Should this problem be trivial for someone, I let him do the job. If
not, I will start to work on it.
BR,
--
Eric Leblond <eric@regit.org>
Blog: https://home.regit.org/
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Issue with latest nftables
2013-06-28 20:08 Issue with latest nftables Eric Leblond
@ 2013-06-29 9:45 ` Pablo Neira Ayuso
2013-07-01 6:56 ` Tomasz Bursztyka
0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-29 9:45 UTC (permalink / raw)
To: Eric Leblond; +Cc: netfilter-devel
On Fri, Jun 28, 2013 at 10:08:40PM +0200, Eric Leblond wrote:
> Hi,
>
> I've found an issue when using the libnftables based nft.
>
> If you use nft-add-rule from libnftables examples and you try to list
> the rules afterward with nft, there is a problem with the added rules
> which are not displayed correctly.
>
> Here is the output of "nft list table filter -n -a --debug=all":
>
> family=ip table=filter chain=output handle=9 flags=0 match name=iprange rev=1 payload dreg=1 base=1 offset=9 len=1 target name=LOG rev=0
> table filter {
> chain input {
> hook NF_INET_LOCAL_IN 0;
> }
>
> chain forward {
> hook NF_INET_FORWARD 0;
> }
>
> chain output {
> hook NF_INET_LOCAL_OUT 0;
> ip daddr 1.2.3.4 drop # handle 4
> ip daddr 1.2.3.5 drop # handle 5
> ip daddr 1.2.3.6 drop # handle 6
> # handle 9
> }
> }
> netlink: Error: unknown expression type 'match'
> name=iprange rev=1
>
>
> netlink: Error: unknown expression type 'target'
> name=LOG rev=0
>
> Should this problem be trivial for someone, I let him do the job. If
> not, I will start to work on it.
We don't have support for compat from nft yet. That should be
relatively easy to fix.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Issue with latest nftables
2013-06-29 9:45 ` Pablo Neira Ayuso
@ 2013-07-01 6:56 ` Tomasz Bursztyka
2013-07-01 8:22 ` Eric Leblond
0 siblings, 1 reply; 4+ messages in thread
From: Tomasz Bursztyka @ 2013-07-01 6:56 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Eric Leblond, netfilter-devel
Hi Pablo,
>> netlink: Error: unknown expression type 'match'
>> name=iprange rev=1
>>
>>
>> netlink: Error: unknown expression type 'target'
>> name=LOG rev=0
>>
>> Should this problem be trivial for someone, I let him do the job. If
>> not, I will start to work on it.
> We don't have support for compat from nft yet. That should be
> relatively easy to fix.
>
Do we want to support those totally, or just when listing the rules? I
would rather do the later one, nft is not meant to maintain
iptables-nftables rules.
Where were could only handle then the expression itselsf and the name of
the match/target, but nothing more. (No blob parsing etc...)
Tomasz
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Issue with latest nftables
2013-07-01 6:56 ` Tomasz Bursztyka
@ 2013-07-01 8:22 ` Eric Leblond
0 siblings, 0 replies; 4+ messages in thread
From: Eric Leblond @ 2013-07-01 8:22 UTC (permalink / raw)
To: Tomasz Bursztyka; +Cc: Pablo Neira Ayuso, netfilter-devel
[-- Attachment #1: Type: text/plain, Size: 974 bytes --]
Hi,
Le lundi 01 juillet 2013 à 09:56 +0300, Tomasz Bursztyka a écrit :
> Hi Pablo,
> >> netlink: Error: unknown expression type 'match'
> >> name=iprange rev=1
> >>
> >>
> >> netlink: Error: unknown expression type 'target'
> >> name=LOG rev=0
> >>
> >> Should this problem be trivial for someone, I let him do the job. If
> >> not, I will start to work on it.
> > We don't have support for compat from nft yet. That should be
> > relatively easy to fix.
> >
>
> Do we want to support those totally, or just when listing the rules? I
> would rather do the later one, nft is not meant to maintain
> iptables-nftables rules.
> Where were could only handle then the expression itselsf and the name of
> the match/target, but nothing more. (No blob parsing etc...)
IMHO, the minimum task here is to have examples in libnftables that are
compatible with nft and don't use compat layer. Adding compat layer to
nft is another story.
BR
--
Eric
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 190 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-07-01 8:22 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-06-28 20:08 Issue with latest nftables Eric Leblond
2013-06-29 9:45 ` Pablo Neira Ayuso
2013-07-01 6:56 ` Tomasz Bursztyka
2013-07-01 8:22 ` Eric Leblond
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.