[pkg-netfilter-team] Bug#913088: iptables: nftables layer breaks rule parameter -f , --fragment
Timo van Roermund
timo at van-roermund.nl
Sun Nov 11 16:44:28 GMT 2018
Hi Sven,
Thanks for submitting this bug report. When I reconfigured my firewall
today, I ran into issues and your bug report actually helped me to
pinpoint the issue to this specific firewall rule. :)
(Note: I don't use package 'arno-iptables-firewall', but I do apply the
same rule '-A INPUT -f -j DROP' in my manual configuration.)
I tried to investigate what is going on and I actually noticed something
strange.
Note the output of iptables-translate:

  iptables-translate -A INPUT -f -j DROP
  nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 counter drop
However, if I execute this command:

  iptables -A INPUT -f -j DROP

The following is added (output of 'nft list table filter'):

  table ip filter {
      chain INPUT {
          ...
          ip frag-off & 65311 != 0 counter packets 0 bytes 0 drop
      }
      ...
  }
Note: 65311 (dec) = 0xff1f and not 0x1fff. Could it be that the byte
order for the mask is somehow swapped?
Cheers,
Timo
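As an added illustration (not part of Timo's message, and not iptables or nftables code), the following Python shows what the suspected byte swap of the 16-bit fragment-offset mask looks like, and how the wrong mask changes the outcome of an 'ip frag-off & mask != 0' match on a constructed IPv4 header. The header builder and the match function are simplified stand-ins for illustration; the packet bytes are constructed, not captured.

```python
import struct

# Low 13 bits of the IPv4 flags/fragment-offset field: the fragment offset.
# This is the mask iptables-translate emits for '-f' (0x1fff).
FRAG_OFF_MASK = 0x1FFF


def mask_after_roundtrip(mask: int, swap_bytes: bool) -> int:
    """Store a 16-bit mask in network byte order and read it back.

    With swap_bytes=False the value is read back correctly (big-endian).
    With swap_bytes=True the two bytes are read in the wrong order, which is
    the behaviour suspected in the bug report (0x1fff becomes 0xff1f = 65311).
    """
    wire = struct.pack("!H", mask)
    return struct.unpack("<H" if swap_bytes else "!H", wire)[0]


def build_ipv4_header(flags: int, frag_off: int) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample, no real traffic).

    flags: 3-bit flags field (bit 0 = MF, bit 1 = DF); frag_off: 13-bit offset.
    Addresses are from the documentation range 192.0.2.0/24; checksum is left 0.
    """
    ver_ihl, tos, total_len, ident = 0x45, 0, 20, 0x1234
    flags_frag = ((flags & 0x7) << 13) | (frag_off & FRAG_OFF_MASK)
    ttl, proto, checksum = 64, 17, 0
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                       flags_frag, ttl, proto, checksum, src, dst)


def frag_match(header: bytes, mask: int = FRAG_OFF_MASK) -> bool:
    """Simplified equivalent of 'ip frag-off & mask != 0' (assumption: a
    stand-in for the real match, not nftables code).

    The field is read in network order; with the correct mask the match is
    true only for second and later fragments, which is what '-f' means.
    """
    flags_frag = struct.unpack_from("!H", header, 6)[0]
    return (flags_frag & mask) != 0


if __name__ == "__main__":
    print(hex(mask_after_roundtrip(FRAG_OFF_MASK, swap_bytes=False)))  # 0x1fff
    print(mask_after_roundtrip(FRAG_OFF_MASK, swap_bytes=True))        # 65311
    first_frag = build_ipv4_header(flags=0b001, frag_off=0)   # MF set, offset 0
    later_frag = build_ipv4_header(flags=0b000, frag_off=32)  # offset 32
    print(frag_match(first_frag), frag_match(later_frag))            # False True
    print(frag_match(first_frag, 0xFF1F), frag_match(later_frag, 0xFF1F))  # True False
```

With the correct mask the first fragment (offset 0, MF set) is not matched and the later fragment is. With the swapped mask 0xff1f the bits 0x00e0 of the offset are cleared and bit 0x2000 (MF) is kept, so the rule matches the first fragment and misses a later fragment at offset 32, which is the opposite of what '-A INPUT -f -j DROP' is meant to do.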