Comments (4)
sudo nft add chain ip filter forward '{' type filter hook forward priority 0 ; '}'
[]byte("\x02\x00\x00\x00\x0b\x00\x01\x00\x66\x69\x6c\x74\x65\x72\x00\x00\x0c\x00\x03\x00\x66\x6f\x72\x77\x61\x72\x64\x00\x14\x00\x04\x80\x08\x00\x01\x00\x00\x00\x00\x02\x08\x00\x02\x00\x00\x00\x00\x00\x0b\x00\x07\x00\x66\x69\x6c\x74\x65\x72\x00\x00"), // leading \x02 <----- the only difference in ipv4 case
sudo nft --debug all add chain ip6 filter forward '{' type filter hook forward priority 0 ; '}'
[]byte("\x0a\x00\x00\x00\x0b\x00\x01\x00\x66\x69\x6c\x74\x65\x72\x00\x00\x0c\x00\x03\x00\x66\x6f\x72\x77\x61\x72\x64\x00\x14\x00\x04\x80\x08\x00\x01\x00\x00\x00\x00\x02\x08\x00\x02\x00\x00\x00\x00\x00\x0b\x00\x07\x00\x66\x69\x6c\x74\x65\x72\x00\x00"), // leading \x0a <----- the only difference in ipv6 case
The problem is, if ip6 is not specified, the following add of ipv6 rule fails.
from nftables.
It seems it is part of extra header, any ideas how to handle this extra header?
---------------- ------------------ ---------------- ------------------
| 0000000076 | | message length | | 0000000076 | | message length |
| 02563 | R--- | | type | flags | | 02563 | R--- | | type | flags |
| 0000000001 | | sequence number| | 0000000001 | | sequence number|
| 0000000000 | | port ID | | 0000000000 | | port ID |
---------------- ------------------ ---------------- ------------------
| 02 00 00 00 | | extra header | | 0a 00 00 00 | | extra header |
|00011|--|00001| |len |flags| type| |00011|--|00001| |len |flags| type|
| 66 69 6c 74 | | data | f i l t | 66 69 6c 74 | | data | f i l t
| 65 72 00 00 | | data | e r | 65 72 00 00 | | data | e r
|00012|--|00003| |len |flags| type| |00012|--|00003| |len |flags| type|
| 66 6f 72 77 | | data | f o r w | 66 6f 72 77 | | data | f o r w
| 61 72 64 00 | | data | a r d | 61 72 64 00 | | data | a r d
|00020|N-|00004| |len |flags| type| |00020|N-|00004| |len |flags| type|
|00008|--|00001| |len |flags| type| |00008|--|00001| |len |flags| type|
| 00 00 00 02 | | data | | 00 00 00 02 | | data |
|00008|--|00002| |len |flags| type| |00008|--|00002| |len |flags| type|
| 00 00 00 00 | | data | | 00 00 00 00 | | data |
|00011|--|00007| |len |flags| type| |00011|--|00007| |len |flags| type|
| 66 69 6c 74 | | data | f i l t | 66 69 6c 74 | | data | f i l t
| 65 72 00 00 | | data | e r | 65 72 00 00 | | data | e r
---------------- ------------------ ---------------- ------------------
from nftables.
Chain has a link to table, but I do not see table's address family used when a chain's attributes are getting prepared for passing down to the netlink library.
That’s happening here:
Line 104 in 8cccfee
We don’t have any explicit tests exercising this, but on my router I do have IPv6 chains:
table ip6 filter {
	counter fwded {
		packets 1 bytes 122
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
		counter name "fwded"
		oifname "uplink0" tcp flags syn tcp option maxseg size set rt mtu
	}
}
Given the above, can you ask a more specific question please?
from nftables.
It makes sense, so it is the nft command that needs the address family specified explicitly; in the nftables API, when a chain is created it automatically inherits the address family from the table.
Thanks a lot for clarification, closing it.
from nftables.
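Decoding the two payloads posted above, as an added example that is not part of the thread or of the nftables project's code: it reads the nfgenmsg family byte (the "extra header" in the debug dump) and the chain attributes, showing that both messages describe the same `forward` chain on the forward hook and differ only in address family. The names `attrs` and `ParseChain` are hypothetical, and a little-endian host is assumed, as in the posted dump.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// Payloads copied from the issue: nfgenmsg plus attributes, without the 16-byte nlmsghdr.
var chainIP4 = []byte("\x02\x00\x00\x00\x0b\x00\x01\x00\x66\x69\x6c\x74\x65\x72\x00\x00\x0c\x00\x03\x00\x66\x6f\x72\x77\x61\x72\x64\x00\x14\x00\x04\x80\x08\x00\x01\x00\x00\x00\x00\x02\x08\x00\x02\x00\x00\x00\x00\x00\x0b\x00\x07\x00\x66\x69\x6c\x74\x65\x72\x00\x00")
var chainIP6 = []byte("\x0a\x00\x00\x00\x0b\x00\x01\x00\x66\x69\x6c\x74\x65\x72\x00\x00\x0c\x00\x03\x00\x66\x6f\x72\x77\x61\x72\x64\x00\x14\x00\x04\x80\x08\x00\x01\x00\x00\x00\x00\x02\x08\x00\x02\x00\x00\x00\x00\x00\x0b\x00\x07\x00\x66\x69\x6c\x74\x65\x72\x00\x00")

// attrs indexes netlink attributes by type. Length and type are host-endian
// (little-endian assumed); parsing stops when fewer than 4 bytes remain.
func attrs(b []byte) (map[uint16][]byte, error) {
	out := map[uint16][]byte{}
	for len(b) >= 4 {
		l := int(binary.LittleEndian.Uint16(b))
		if l < 4 || l > len(b) {
			return nil, fmt.Errorf("bad attribute length %d", l)
		}
		out[binary.LittleEndian.Uint16(b[2:])&0x3fff] = b[4:l] // mask off NLA_F_NESTED / NLA_F_NET_BYTEORDER
		if l = (l + 3) &^ 3; l > len(b) {                       // attributes are padded to 4 bytes
			l = len(b)
		}
		b = b[l:]
	}
	return out, nil
}

// ParseChain returns nfgen_family (2 = NFPROTO_IPV4, 10 = NFPROTO_IPV6), the chain name and the hook number.
func ParseChain(p []byte) (family uint8, name string, hook uint32, err error) {
	if len(p) < 4 {
		return 0, "", 0, fmt.Errorf("short nfgenmsg")
	}
	top, err := attrs(p[4:])  // skip nfgenmsg: family, version, res_id
	hk, herr := attrs(top[4]) // NFTA_CHAIN_HOOK is nested; a nil map lookup is safe if the first call failed
	if err != nil || herr != nil {
		return 0, "", 0, fmt.Errorf("attributes: %v, hook: %v", err, herr)
	}
	if v := hk[1]; len(v) == 4 { // NFTA_HOOK_HOOKNUM, big-endian; 2 = NF_INET_FORWARD
		hook = binary.BigEndian.Uint32(v)
	}
	return p[0], strings.TrimRight(string(top[3]), "\x00"), hook, nil // top[3] is NFTA_CHAIN_NAME
}

func main() {
	fmt.Println(ParseChain(chainIP4))
	fmt.Println(ParseChain(chainIP6))
}
```

A ruleset audit can apply the same decoding to confirm that an `ip6` chain exists wherever IPv6 forwarding is expected to be filtered, since a chain created under family 2 never sees IPv6 packets.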