[pkg-netfilter-team] Bug#916863: Bug#916863: [nftables] tproxy action not parsed correctly

Michał Mirosław mirq-deboogs at rere.qmqm.pl
Wed Dec 19 17:16:16 GMT 2018 

On Wed, Dec 19, 2018 at 06:05:10PM +0100, Arturo Borrero Gonzalez wrote:
> On 12/19/18 5:57 PM, Michał Mirosław wrote:
> > Package: nftables
> > Version: 0.9.0-2
> > Severity: normal
> > 
> > --- Please enter the report below this line. ---
> > 
> > # nft add rule inet filter divert 'ip6 daddr ::/0 meta l4proto tcp tproxy to :2000 meta mark set 1 accept'
> > Error: syntax error, unexpected to
> > add rule inet filter divert ip6 daddr ::/0 meta l4proto tcp tproxy to :2000 meta mark set 1 accept
> >                                                                    ^^
> > 
> > RedHats have the same problem: https://bugzilla.redhat.com/show_bug.cgi?id=1651813
> This may be a bug in the documentation.
> 
> Try something like:
> 
>  * tproxy ip to 192.0.2.1
>  * tproxy ip6 to [2001:db8::1]:50080

It clearly does not like 'to' or destination socket address.

# nft add rule inet filter divert 'ip6 daddr ::/0 meta l4proto tcp tproxy :2000 meta mark set 1 accept'
Error: syntax error, unexpected colon
add rule inet filter divert ip6 daddr ::/0 meta l4proto tcp tproxy :2000 meta mark set 1 accept
                                                                   ^

# nft add rule inet filter divert 'ip6 daddr ::/0 meta l4proto tcp tproxy to 2000 meta mark set 1 accept'
Error: syntax error, unexpected to
add rule inet filter divert ip6 daddr ::/0 meta l4proto tcp tproxy to 2000 meta mark set 1 accept
                                                                   ^^

# nft add rule inet filter divert 'ip6 daddr ::/0 meta l4proto tcp tproxy ip6 to :2000 meta mark set 1 accept'
Error: syntax error, unexpected to, expecting end of file or newline or semicolon
add rule inet filter divert ip6 daddr ::/0 meta l4proto tcp tproxy ip6 to :2000 meta mark set 1 accept
                                                                       ^^

# nft add rule inet filter divert 'ip6 daddr ::/0 meta l4proto tcp tproxy ip6 :2000 meta mark set 1 accept'
Error: syntax error, unexpected colon, expecting end of file or newline or semicolon
add rule inet filter divert ip6 daddr ::/0 meta l4proto tcp tproxy ip6 :2000 meta mark set 1 accept
                                                                       ^

More information about the pkg-netfilter-team mailing list