[pkg-netfilter-team] Bug#880145: nftables: When more than 2-3 elements are in an anonymous set the rule does not match to any of them

Mark Nipper nipsy at bitgnome.net
Mon Oct 30 17:42:07 UTC 2017


Package: nftables
Version: 0.8-1
Followup-For: Bug #880145

	I experienced a variation of the reported issue.  Previously,
this rule was working as intended:
---
tcp dport { http, https } accept

After the upgrade to the newer kernel and nftables versions, I was able
to connect over 443 still, but 80 was now blocking traffic (last rule
being "counter log reject").

	Changing to this resolves the issue for now:
---
tcp dport http accept
tcp dport https accept

I'm guessing there might be some slight variation in behavior based on
the initial bug report of more than two elements in an anonymous set
versus having exactly two.

	Either way, things broke, which is always an unwelcome change.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (650, 'testing'), (600, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg          1.18.24
ii  libc6         2.24-17
ii  libgmp10      2:6.1.2+dfsg-1.1
ii  libmnl0       1.0.4-2
ii  libnftnl7     1.0.8-1
ii  libreadline7  7.0-3
ii  libxtables12  1.6.1-2+b1

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed [not included]

-- no debconf information
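The workaround described above (splitting an anonymous set into one rule per element) applied mechanically to a ruleset file, as an added example that is not part of this bug report or of the nftables project; the `expand_anon_sets` function name and the sample rule lines are constructed for illustration, and the function only handles one `{ ... }` set per line as in the report:

```shell
#!/bin/sh
# expand_anon_sets: read nft rule lines on stdin and rewrite any line that
# contains an anonymous set "{ a, b, c }" into one rule per element, so that
# "tcp dport { http, https } accept" becomes two rules. Lines without a set
# pass through unchanged. Constructed workaround helper, not nft's own tooling.
expand_anon_sets() {
    awk '
    /\{[^}]*\}/ {
        pre  = substr($0, 1, index($0, "{") - 1)          # text before "{"
        rest = substr($0, index($0, "{") + 1)
        body = substr(rest, 1, index(rest, "}") - 1)      # elements inside
        post = substr(rest, index(rest, "}") + 1)         # text after "}"
        n = split(body, elems, ",")
        for (i = 1; i <= n; i++) {
            e = elems[i]
            gsub(/^[ \t]+|[ \t]+$/, "", e)                # trim each element
            if (e != "")
                printf "%s%s%s\n", pre, e, post
        }
        next
    }
    { print }
    '
}

# Sample rules (constructed), mirroring the report: an anonymous-set rule
# followed by the final "counter log reject" rule.
sample_rules() {
    printf 'tcp dport { http, https } accept\ncounter log reject\n'
}

# Usage: sample_rules | expand_anon_sets
```

Compare `nft list ruleset` counters before and after loading the expanded form to confirm that the previously rejected service (port 80 in the report) is now matched by its own rule.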