Re: [ANNOUNCE] nftables 1.0.0 release

On 19/08/21 11:06 pm, Pablo Neira Ayuso wrote:
* Allow to combine jhash, symhash and numgen expressions with the
   queue statement, to fan out packets to userspace queues via
   nfnetlink_queue.

   ... queue to symhash mod 65536
   ... queue flags bypass to numgen inc mod 65536
   ... queue to jhash oif . meta mark mod 32

   You can also combine it with maps, to select the userspace queue
   based on any other singleton key or concatenations:

   ... queue flags bypass to oifname map { "eth0" : 0, "ppp0" : 2, "eth1" : 2 }

I upgraded from nftables 0.9.9 to 1.0.0 (Arch Linux).

Earlier I had this statement which used to work in nftables 0.9.9:

define ips_queue = 0
add rule ip foo snortips queue num $ips_queue bypass

And it gave an error in nftables 1.0.0:

Aug 20 05:51:00 amish nft[3540]: /etc/nftables4.conf:19:49-54: Error: syntax error, unexpected bypass, expecting -
Aug 20 05:51:00 amish nft[3540]: add rule ip foo snortips queue num $ips_queue bypass

So I changed the rule to:
define ips_queue = 0
add rule ip foo snortips queue flags bypass num $ips_queue

But it still gave me an error:

Aug 20 05:54:51 amish nft[3649]: /etc/nftables4.conf:19:61-61: Error: syntax error, unexpected newline, expecting -
Aug 20 05:54:51 amish nft[3649]: add rule ip foo snortips queue flags bypass num $ips_queue


Then I replaced $ips_queue directly with 0 (zero), and it worked.

add rule ip foo snortips queue flags bypass num 0

So why isn't nftables allowing a defined variable?

It used to work till nft 0.9.9

Regards,

Amish



