Re: nftables rules not matching after upgrading from 0.7 to 0.8

On tor, 2017-10-26 at 01:44 +0200, Pablo Neira Ayuso wrote:
> On Thu, Oct 26, 2017 at 12:45:36AM +0200, Florian Westphal wrote:
> > Anders K. Pedersen | Cohaesio <akp@xxxxxxxxxxxx> wrote:
> > > On ons, 2017-10-25 at 20:20 +0200, Anders K. Pedersen | Cohaesio
> > > wrote:
> > > > On ons, 2017-10-25 at 19:57 +0200, Florian Westphal wrote:
> > > > > Anders K. Pedersen | Cohaesio <akp@xxxxxxxxxxxx> wrote:
> 
> [...]
> > > If I use 0.8 to dump the rule set that was loaded with 0.7, I get
> > > the
> > > correct rule set except for a difference with regards to sets and
> > > maps
> > > that use interfaces like:
> > > 
> > > --- nft-0.7-0.8 rule set loaded with 0.7 and dumped with 0.8
> > > +++ nft-0.8     same rule set loaded and dumped with 0.8
> > > @@ -9,12 +9,12 @@
> > >         chain prerouting {
> > >                 type filter hook prerouting priority -100; policy
> > > accept;
> > >                 iif "lo" accept
> > > -               ct mark set iif map { 33554432 : 0x00000001,
> > > 67108864 : 0x00000002 }
> > > +               ct mark set iif map { "eth0" : 0x00000001, "eth2"
> > > : 0x00000002 }
> > >                 iif "eth1" jump prerouting_internal
> > > -               iif { 33554432, 67108864 } ip saddr { 0.0.0.0/8,
> > > 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
> > > 224.0.0.0-255.255.255.255 } counter packets 6 bytes 705 drop
> > > +               iif { "eth0", "eth2" } ip saddr { 0.0.0.0/8,
> > > 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
> > > 224.0.0.0-255.255.255.255 } counter packets 0 bytes 0 drop
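Review bot: the numeric keys 33554432 and 67108864 in the `-` lines are 0x02000000 and 0x04000000, i.e. the small values 2 and 4 with their bytes reversed, so this hunk looks like interface-index set keys stored in the wrong byte order rather than different interfaces being matched; comparing the indexes shown by `ip link` for eth0 and eth2 against 2 and 4 would confirm that reading. The counter difference (packets 6 vs packets 0) is expected because the `+` side is a freshly loaded rule set, so it is not evidence about matching either way.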
> > 
> > I will look at this too.
> 
> This difference in the way things are dumped is related to this:
> 
> commit b9b6092304aef17fea704c25b3d9d7dcdb3995a5
> Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> Date:   Fri Feb 24 20:47:49 2017 +0100
> 
>     evaluate: store byteorder for set keys
> 
> To my understanding, byteorder was not OK in 0.7.
> 
> Are these maps not matching anymore or is just the dump that is
> different?

The maps are matching and set the intended marks, so it's just the
dump that is weird, when the rule set has been loaded with 0.7 and is
dumped with 0.8.

-- 
Regards,
Anders
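As an added example (not from this thread or from the nftables project): a small check that scans an nft dump for numeric `iif` set or map keys that only look like interface indexes once their bytes are reversed, which is the symptom visible in the diff above. The sample dump is constructed from the lines quoted in the thread, and the `max_ifindex` threshold and the heuristic itself are assumptions.

```python
import re
import struct

# Constructed sample: the 0.7-loaded / 0.8-dumped chain from the thread,
# with the address sets shortened.
SAMPLE_DUMP = """\
chain prerouting {
        type filter hook prerouting priority -100; policy accept;
        iif "lo" accept
        ct mark set iif map { 33554432 : 0x00000001, 67108864 : 0x00000002 }
        iif "eth1" jump prerouting_internal
        iif { 33554432, 67108864 } ip saddr { 10.0.0.0/8 } counter drop
        iif { "eth0", "eth2" } ip saddr { 10.0.0.0/8 } counter drop
}
"""

# Matches "iif { ... }" and "iif map { ... }" and captures the element list.
IIF_SET = re.compile(r'\biif\s+(?:map\s+)?\{([^}]*)\}')


def swapped_ifindex(value):
    """Reinterpret a 32-bit set key with its byte order reversed."""
    return struct.unpack('<I', struct.pack('>I', value))[0]


def suspicious_iif_keys(dump, max_ifindex=1024):
    """Return (line_no, key, swapped) for numeric iif keys that are only a
    plausible interface index after a byte swap (assumed heuristic)."""
    findings = []
    for lineno, line in enumerate(dump.splitlines(), 1):
        m = IIF_SET.search(line)
        if not m:
            continue
        for elem in m.group(1).split(','):
            key = elem.split(':')[0].strip()   # drop the map value, if any
            if not key.isdigit():
                continue                       # quoted names like "eth0" are fine
            n = int(key)
            s = swapped_ifindex(n)
            if n > max_ifindex and 0 < s <= max_ifindex:
                findings.append((lineno, n, s))
    return findings


if __name__ == '__main__':
    for lineno, n, s in suspicious_iif_keys(SAMPLE_DUMP):
        print(f'line {lineno}: key {n} is ifindex {s} with bytes reversed')
```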
