[pkg-netfilter-team] Bug#1018156: nftables: list ruleset shows negative ipv6 address
Jeremy Sowden
jeremy at azazel.net
Sun Sep 18 20:49:25 BST 2022
On 2022-08-25, at 23:14:12 -0500, Ross Johnson wrote:
> Package: nftables
> Version: 0.9.8-3.1
> Severity: normal
> X-Debbugs-Cc: ross at homemail.org
>
> Dear Maintainer,
>
> As shown below, I created a file called "junk" that makes a few simple nftables chains.
> When I list the chains, nftables shows what looks like a negative number in the last one.
> I would expect it to show the canonical form of ff00::/8 as given in the previous line.
> This simple example is extracted from a complex script to show the problem concisely.
>
> root at biden:/srv/nftables# cat junk
> #!/usr/sbin/nft -f
>
> flush ruleset
> table ip6 whatever {
> chain junk {
> ip6 saddr ff00::/8 drop
> ip6 saddr fe80::/10 drop
> ip6 saddr { ff00::/8, fe80::/10 } drop
> }
> }
> root at biden:/srv/nftables# /sbin/nft -f junk
> root at biden:/srv/nftables# /sbin/nft list ruleset
> table ip6 whatever {
> chain junk {
> ip6 saddr ff00::/8 drop
> ip6 saddr fe80::/10 drop
> ip6 saddr { fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop
> }
> }
> root at biden:/srv/nftables#
I've sent a patch upstream to fix this, but one thing to point out is
that what we see here is not a garbled address with a negative number
embedded in it, but a range (ff00:: to ffff:ffff:...:ffff). It's more
obvious (to me at least) with an IPv4 prefix.
ip saddr { 10.0.0.0/8, 192.0.0.0/2 } drop
becomes:
ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255 } drop
J.
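The following is an added example for this thread, not code from the bug report, from Debian's nftables package, or from the upstream patch. It shows what Jeremy describes: the element nft printed is a range whose upper bound is the all-ones address, and such a range is the same address set as the prefix the user wrote. The helpers (`prefix_to_range`, `range_to_prefixes`, `ends_at_max`, `canonicalise_set`) are my own names; nothing here calls nft. Anyone diffing or auditing a listed ruleset against the file it was loaded from will want the last function, which rewrites a set element back to the canonical `prefix/len` form so that the two representations compare equal.

```python
"""Added example (not from the bug report or the upstream fix).

Why `ff00::/8` can be listed as `ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`:
the prefix's last address is the all-ones address of the family, and the
listing printed the element as an inclusive first-last range instead of
as a prefix.  The two spellings denote exactly the same set of addresses.
"""
import ipaddress


def prefix_to_range(prefix: str) -> str:
    """Render a CIDR prefix as the inclusive first-last range nft printed."""
    net = ipaddress.ip_network(prefix, strict=True)
    return f"{net.network_address}-{net.broadcast_address}"


def range_to_prefixes(first: str, last: str) -> list[str]:
    """Collapse an inclusive address range into the minimal list of prefixes.

    When the result is a single prefix, that prefix is the canonical form the
    listing should have shown (e.g. ff00::-ffff:...:ffff -> ['ff00::/8']).
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def ends_at_max(prefix: str) -> bool:
    """True when the prefix's last address is the all-ones address.

    This is the case for every prefix whose fixed bits are all ones
    (ff00::/8, 192.0.0.0/2, 255.0.0.0/8 ...), which is exactly the situation
    in which the reported range-style output appears.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    return int(net.broadcast_address) == (1 << net.max_prefixlen) - 1


def canonicalise_set(text: str) -> str:
    """Rewrite an nft set literal like '{ a, b-c }' with prefixes in CIDR form.

    Range elements that collapse to one prefix are replaced by that prefix;
    anything else is left exactly as written.
    """
    body = text.strip().strip("{}").strip()
    out = []
    for elem in (e.strip() for e in body.split(",") if e.strip()):
        if "-" in elem:
            first, last = elem.split("-", 1)
            prefixes = range_to_prefixes(first.strip(), last.strip())
            out.append(prefixes[0] if len(prefixes) == 1 else elem)
        else:
            out.append(elem)
    return "{ " + ", ".join(out) + " }"


if __name__ == "__main__":
    # Constructed inputs: the element from the bug report and Jeremy's IPv4 case.
    listed = "{ fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff }"
    print(prefix_to_range("192.0.0.0/2"))   # 192.0.0.0-255.255.255.255
    print(range_to_prefixes("ff00::", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"))
    print(ends_at_max("ff00::/8"), ends_at_max("fe80::/10"))
    print(canonicalise_set(listed))         # { fe80::/10, ff00::/8 }
```

`range_to_prefixes` relies on `ipaddress.summarize_address_range`, so it also handles ranges that do not align to a single prefix; in that case `canonicalise_set` keeps the range as written rather than expanding it into several elements, which keeps the output a faithful rewrite of what nft listed.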