Discussion:
nftables, after adding a rule without any action, nft doesn't return correctly
Ryo Fujita
2014-07-16 15:37:43 UTC
Hi,

I'm still a newbie to nftables and couldn't distinguish right behavior from a bug.

I found a weird behavior of nft command.

# nft -f /etc/nftables/inet-filter
# nft add rule inet filter input log drop
# nft add rule inet filter input ip saddr 192.168.1.21   // without any action like 'drop', 'accept', 'log' and so on
# nft list chain inet filter input
table inet filter {
        chain input {
                 type filter hook input priority 0;
                 log drop
^C << - - - - - - - break

I have 2 questions.

1. Adding a rule without any action didn't result in any error. Was it correct behavior?

2. After adding a rule, nft didn't return; I needed to break with ^C. Was it a bug?

My environment was as follows.
nftables-0.100-3.20140704git.fc21.x86_64
libnftnl-1.0.2-1.fc21.x86_64
kernel-3.15.4-200.fc20.x86_64

Best, Rio.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso
2014-07-16 16:07:16 UTC
Hi,

I'm still a newbie to nftables and couldn't distinguish right behavior from a bug.

I found a weird behavior of nft command.

# nft -f /etc/nftables/inet-filter
# nft add rule inet filter input log drop
# nft add rule inet filter input ip saddr 192.168.1.21   // without any action like 'drop', 'accept', 'log' and so on
# nft list chain inet filter input
table inet filter {
        chain input {
                 type filter hook input priority 0;
                 log drop
^C << - - - - - - - break

I have 2 questions.

1. Adding a rule without any action didn't result in any error. Was it correct behavior?

You can add rules without any action.
2. After adding a rule, nft didn't return; I needed to break with ^C. Was it a bug?

Try -n to disable name resolution:

# nft -n list table inet filter
My environment was as follows.
nftables-0.100-3.20140704git.fc21.x86_64
Please, use latest when testing.

http://www.netfilter.org/projects/nftables/downloads.html

Thanks.
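An added example, not code from the thread or from the nftables project: a ruleset in nft -f syntax that puts the match-only rule from the question beside the same match given a counter and an explicit verdict, so the difference shows up in the listing rather than silently. The "flush ruleset" line and the "policy accept;" clause are assumptions about a current nft release, not the 0.100 build discussed above.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumes a current nft;
# "flush ruleset" and "policy" are newer than the 0.100 build in the thread.
flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;

		# Match-only rule, as in the question: nft accepts it without
		# error, but it carries no verdict, so every packet simply falls
		# through to the next rule. It changes nothing.
		ip saddr 192.168.1.21

		# Same match with a counter and an explicit verdict; the counter
		# makes the rule's effect visible in "nft list" output.
		ip saddr 192.168.1.21 counter drop

		# Catch-all from the question: log, then drop everything else.
		log drop
	}
}
```

Load it with nft -f and list it with nft -n list table inet filter. As Pablo notes, -n skips the reverse DNS lookups that made the listing hang on the questioner's host; that matters equally for scripts and monitoring that parse the listing, since without -n a ruleset containing addresses whose reverse DNS is slow or unreachable can block the caller.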
Ryo Fujita
2014-07-16 23:13:12 UTC
Hi Pablo-san and all,

Thank you so much!
You made it clear.
Post by Pablo Neira Ayuso
You can add rules without any action.
I understand it's the spec, not a bug.
Post by Pablo Neira Ayuso

# nft -n list table inet filter
Yes, I checked that reverse lookup fails as you pointed out.
Post by Pablo Neira Ayuso
Post by Ryo Fujita
My environment was as follows.
nftables-0.100-3.20140704git.fc21.x86_64

Please, use latest when testing.

http://www.netfilter.org/projects/nftables/downloads.html
The reason why I'm using the slightly old version is to write a magazine article introducing nftables. It's easy for readers to install the version I checked with an RPM or an archive like 'nftables-0.3'.
Anyway, I'll test the latest before sending a report to this ML.

Best Rio.

########################################################################
Ryo Fujita <***@redhat.com>
Supervisor, Solution Architects, RHCE
Red Hat K.K.
TEL +81-3-5798-8500 FAX +81-3-5798-8599
Ebisu Neonato 8F, 4-1-18 Ebisu, Shibuya-ku, Tokyo Japan 1500013

Red Hat K.K.
Global Services Division, Platform Solutions Department
Manager, Solution Architects
Ryo Fujita
150-0013
Ebisu Neonato 8F, 4-1-18 Ebisu, Shibuya-ku, Tokyo
Tel 03-5798-8500
http://www.jp.redhat.com/

Please consider the environment before printing this e-mail.
########################################################################

Pablo Neira Ayuso
2014-07-17 14:14:28 UTC
Post by Ryo Fujita
Hi Pablo-san and all,

Thank you so much!
You made it clear.

Post by Pablo Neira Ayuso
You can add rules without any action.

I understand it's the spec, not a bug.

Post by Pablo Neira Ayuso
# nft -n list table inet filter

Yes, I checked that reverse lookup fails as you pointed out.

Post by Pablo Neira Ayuso
Post by Ryo Fujita
My environment was as follows.
nftables-0.100-3.20140704git.fc21.x86_64

Please, use latest when testing.

http://www.netfilter.org/projects/nftables/downloads.html

The reason why I'm using the slightly old version is to write a magazine article introducing nftables. It's easy for readers to install the version I checked with an RPM or an archive like 'nftables-0.3'. Anyway, I'll test the latest before sending a report to this ML.
Not a good idea to stick to old versions. We're still changing syntax
in some aspects and resolving bugs at this stage. The user document
aims to be in sync with latest. You should recommend people to stick
to latest until 1.0 comes out.
Ryo Fujita
2014-07-18 00:49:31 UTC
Hi,
Post by Pablo Neira Ayuso
Not a good idea to stick to old versions. We're still changing syntax
in some aspects and resolving bugs at this stage. The user document
aims to be in sync with latest. You should recommend people to stick
to latest until 1.0 comes out.
Yes, I know.
Actually I wrote an article based on Fedora rawhide, and it's chasing the nftables git tree several days behind. Considering the development pace of nftables, it doesn't matter for readers to use Fedora rawhide. Of course, I'm checking the latest tree in order to advise my readers to recognize the possibility of changing syntax and so on.

Anyway, thank you for the kind advice!

Best Rio.

Alex van den Bogaerdt
2014-07-16 23:52:26 UTC
Hi,
I'm still a newbie to nftables and couldn't distinguish right behavior from a bug.
I found a weird behavior of nft command.
# nft -f /etc/nftables/inet-filter
# nft add rule inet filter input log drop
# nft add rule inet filter input ip saddr 192.168.1.21   // without any action like 'drop', 'accept', 'log' and so on
# nft list chain inet filter input
table inet filter {
        chain input {
                 type filter hook input priority 0;
                 log drop
^C << - - - - - - - break
Forgive me my ignorance if any, but isn't nft waiting for "}}" or similar?


Alex van den Bogaerdt
2014-07-17 05:22:36 UTC
never mind
Forgive me my ignorance