path: root/iptables/nft.c
* xtables-compat-restore: flush table and its content with no -n
  Pablo Neira Ayuso, 2018-05-08 (1 file changed, -56/+66)

  With no -n, semantics for *filter are to delete filter table and all its
  content. This restores the similar behaviour introduced in ca165845f7ec
  ("xtables-compat-restore: flush rules and delete user-defined chains").

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat: fix bogus error with -X and no user-defined chains
  Pablo Neira Ayuso, 2018-05-07 (1 file changed, -1/+1)

      # iptables-compat -X
      iptables: No chain/target/match by that name.

  While it should display no error message at all.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat-restore: flush user-defined chains with -n
  Pablo Neira Ayuso, 2018-05-07 (1 file changed, -0/+55)

  -n still flushes user-defined chains and their content; the following
  snippet:

      iptables-compat -N FOO
      iptables-compat -I INPUT
      iptables-compat -I FOO
      iptables-compat -I FOO
      iptables-compat-save > A
      iptables-compat-restore < A
      iptables-compat -N BAR
      iptables-compat -A BAR
      iptables-compat-restore -n < A

  results in:

      iptables-compat-save
      # Generated by xtables-save v1.6.2 on Mon May 7 17:18:44 2018
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      :BAR - [0:0]
      :FOO - [0:0]
      -A INPUT
      -A INPUT
      -A BAR
      -A FOO
      -A FOO
      COMMIT
      # Completed on Mon May 7 17:18:44 2018

  Still, user-defined chains that are not re-defined, such as BAR, are left
  in place.

  Reported-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat-restore: flush rules and delete user-defined chains
  Pablo Neira Ayuso, 2018-05-07 (1 file changed, -27/+56)

  Instead of deleting the table and base chains.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat: pass larger socket buffer
  Florian Westphal, 2018-05-07 (1 file changed, -6/+6)

  Needed to display rules that exceed 4k (MNL buffer size). This can happen
  with many matches in a rule or when using -m cgroup (4k per match).

  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: xtables-save: don't return 1
  Florian Westphal, 2018-05-07 (1 file changed, -10/+4)

  Noticed that iptables-compat-save exits with 1 on success, whereas
  iptables-compat-save -t filter returns 0 (as expected).

  Caused by double-invert of return value, so get rid of those.

  do_output now returns a value suitable to pass to exit() or return from
  main.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-compat: chains are purged out already from table flush
  Pablo Neira Ayuso, 2018-05-05 (1 file changed, -45/+0)

  Remove dead code that uses the ancient non-batch netlink API. Chains are
  already purged out from table flush.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: do not fail on restore if user chain exists
  Pablo Neira Ayuso, 2018-05-05 (1 file changed, -0/+27)

  The following snippet fails if user chain FOO exists, but it should not
  fail:

      iptables-compat -F
      iptables-compat -N FOO
      iptables-compat-save > foo
      iptables-compat-restore < foo

  Reported-by: Florian Westphal <fw@strlen.de>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: remove non-batching routines
  Pablo Neira Ayuso, 2018-05-05 (1 file changed, -150/+7)

  This is only needed by 3.16, which was released 8 months after nftables
  was merged upstream. That kernel version supports a reduced featureset.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat: fall back to comment match in case name is too long
  Florian Westphal, 2018-05-04 (1 file changed, -3/+9)

  ... or when using multiple --comment lines.

  This is more of a 'cosmetic' fix to handle the test suite case.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: truncate comments to 254 bytes
  Florian Westphal, 2018-04-29 (1 file changed, -1/+3)

  Kernel clamps udata size at 256 bytes, udata size however also includes
  internal bookkeeping which brings us over this limit.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: only fetch revisions for ip/ip6
  Florian Westphal, 2018-04-28 (1 file changed, -6/+19)

  Only ip and ip6tables have revision retrieval support; pretend ebtables
  and arptables are always ok.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* nft: arptables: remove obsolete forward hook definition
  Florian Westphal, 2018-04-27 (1 file changed, -6/+0)

  It's not supported anymore as of 4.13, and it did not work before this
  either (arp packets cannot be routed).

  This unbreaks arptables-compat -- without this fix the kernel rejects the
  incoming ruleset skeleton.

  Filtering forwarded arp packets on a bridge can be done either via
  'netdev' or 'bridge' families.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-compat: statify nft_restart()
  Pablo Neira Ayuso, 2018-04-24 (1 file changed, -1/+1)

  This function is only used from iptables/nft.c.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: handle netlink dump EINTR errors
  Pablo Neira Ayuso, 2018-04-24 (1 file changed, -2/+40)

  Release existing list and restart in case that netlink dump hits EINTR.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: make nft_init self-contained
  Florian Westphal, 2018-04-13 (1 file changed, -1/+3)

  nft_init() should rollback all changes it made during init when something
  goes wrong, callers should NOT call nft_fini() on error.

  Note that this change is irrelevant at the moment, all users call exit()
  on failure.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: only validate the xtables builtin tables
  Florian Westphal, 2018-04-09 (1 file changed, -2/+9)

  This allows xtables-compat to list all builtin tables unless one contains
  nft specific expressions.

  Tables that do not exist in xtables world are not printed anymore (but a
  small hint is shown that such non-printable table(s) exist).

  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: skip unsupported tables
  Florian Westphal, 2018-04-09 (1 file changed, -41/+4)

  Instead of not listing anything at all if an unknown table name exists,
  just skip them.

  Output a small comment that the listing doesn't include the (unrecognized,
  nft-created) tables.

  Next patch will restrict 'is this table printable in xtables syntax' check
  to the "builtin" tables.

  Signed-off-by: Florian Westphal <fw@strlen.de>
* xtables-compat: also validate priorities and hook points match expected values
  Florian Westphal, 2018-04-09 (1 file changed, -13/+22)

  Signed-off-by: Florian Westphal <fw@strlen.de>
* iptables-compat: do not allow to delete populated user-defined chains
  Pablo Neira Ayuso, 2017-10-11 (1 file changed, -2/+8)

  If a user chain contains rules, flush needs to happen first to retain
  iptables semantics. Use NLM_F_NONREC to request non-recursive chain
  deletion.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat-restore: fix several memory leaks
  Pablo M. Bermudo Garay, 2017-08-14 (1 file changed, -3/+7)

  The following memory leaks are detected by valgrind when
  ip[6]tables-compat-restore is executed:

      valgrind --leak-check=full iptables-compat-restore test-ruleset

  An additional leak occurs if a rule-set already exists.

  Fix these memory leaks.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat: add rule cache
  Pablo M. Bermudo Garay, 2016-08-30 (1 file changed, -12/+24)

  This patch adds a cache of rules within the nft handle. This feature is
  useful since the whole ruleset was brought from the kernel for every chain
  during listing operations. In addition, with the new checks of ruleset
  compatibility, the rule list is loaded one more time.

  Now all the operations causing changes in the ruleset must invalidate the
  cache; a function called flush_rule_cache has been introduced for this
  purpose.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat: check if nft ruleset is compatible
  Pablo M. Bermudo Garay, 2016-08-26 (1 file changed, -0/+194)

  This patch adds a verification of the compatibility between the nft
  ruleset and iptables. Nft tables, chains and rules are checked to be
  compatible with iptables. If something is not compatible, the execution
  stops and an error message is displayed to the user.

  This checking is triggered by xtables-compat -L and xtables-compat-save
  commands.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat: remove useless functions
  Pablo M. Bermudo Garay, 2016-08-22 (1 file changed, -24/+14)

  The static function nft_rule_list_get was exposed outside nft.c through
  the nft_rule_list_create function, but this was never used out there.
  A similar situation occurs with nftnl_rule_list_free and
  nft_rule_list_destroy.

  This patch removes nft_rule_list_create and nft_rule_list_destroy for the
  sake of simplicity.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* xtables-compat: fix comments listing
  Pablo M. Bermudo Garay, 2016-08-09 (1 file changed, -0/+32)

  ip[6]tables-compat -L was not printing the comments since commit
  d64ef34a9961 ("iptables-compat: use nft built-in comments support").

  This patch solves the issue.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: use nft built-in comments support
  Pablo M. Bermudo Garay, 2016-06-22 (1 file changed, -0/+26)

  After this patch, iptables-compat uses nft built-in comments support
  instead of comment match.

  This change simplifies the treatment of comments in nft after loading a
  rule set through iptables-compat-restore.

  Signed-off-by: Pablo M. Bermudo Garay <pablombg@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: use new symbols in libnftnl
  Pablo Neira Ayuso, 2015-09-16 (1 file changed, -406/+406)

  Adapt this code to use the new symbols in libnftnl. This patch contains
  quite some renaming to reserve the nft_ prefix for our high level library.

  Explicitly request libnftnl 1.0.5 at configure stage.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: Increase rule number only for the selected table and chain
  Thomas Woerner, 2015-07-23 (1 file changed, -7/+7)

  This patch fixes the rule number handling in nft_rule_find and
  __nft_rule_list. The rule number is only valid in the selected table and
  chain and therefore may not be increased for other tables or chains.

  Signed-off-by: Thomas Woerner <twoerner@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: Allow to insert into rule_count+1 position
  Thomas Woerner, 2015-07-23 (1 file changed, -0/+11)

  iptables allows to insert a rule into the next non-existing rule number,
  but iptables-compat does not allow to do this.

  Signed-off-by: Thomas Woerner <twoerner@redhat.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ebtables-compat: fix print_header
  Giuseppe Longo, 2014-11-24 (1 file changed, -0/+3)

  This prints the header like ebtables.

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: bootstrap ebtables-compat
  Pablo Neira Ayuso, 2014-11-24 (1 file changed, -1/+52)

  This patch bootstraps ebtables-compat, the ebtables compatibility software
  upon nf_tables.

  [ Original patches:

    http://patchwork.ozlabs.org/patch/395544/
    http://patchwork.ozlabs.org/patch/395545/
    http://patchwork.ozlabs.org/patch/395546/

    I have also forward port them on top of the current git HEAD, otherwise
    compilation breaks. This bootstrap is experimental, this still needs
    more work. --Pablo ]

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft-compat: create a separated object update type to rename chains
  Arturo Borrero, 2014-11-24 (1 file changed, -1/+11)

  This patch adds an explicit object update type to rename chains, so we
  avoid calling the nf_tables API with NLM_F_EXCL.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: kill add_*() invflags parameter
  Arturo Borrero, 2014-11-12 (1 file changed, -0/+8)

  Let's kill the invflags parameter and use directly NFT_CMP_[N]EQ. The
  caller must calculate which kind of cmp operation it requires.

  BTW, this patch solves absence of inversion in some arptables-compat
  builtin matches. Thus, translating arptables inv flags is no longer
  needed.

  Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: homogenize error messages with 'R' option
  Ana Rey, 2014-11-09 (1 file changed, -1/+1)

  There is a difference between error messages in iptables and
  iptables-compat:

      # iptables -R INPUT 23 -s 192.168.2.140 -j ACCEPT
      iptables: Index of replacement too big.

      # iptables-compat -R INPUT 23 -s 192.168.2.140 -j ACCEPT
      iptables: No chain/target/match by that name.

  Now, iptables-compat shows the same error message as iptables in this
  case.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: homogenize error messages
  Ana Rey, 2014-10-30 (1 file changed, -0/+4)

  There are some differences between error messages in iptables and
  iptables-compat:

      # iptables -C INPUT -s 192.168.2.102 -j ACCEPT
      iptables: Bad rule (does a matching rule exist in that chain?).

      # iptables-compat -C INPUT -s 192.168.2.102 -j ACCEPT
      iptables: No chain/target/match by that name.

      # iptables -N new_chain
      # iptables -N new_chain
      iptables: Chain already exists.

      # iptables-compat -N new_chain
      # iptables-compat -N new_chain
      iptables: File exists.

  Now, iptables-compat shows the same error messages as iptables in those
  cases.

  Signed-off-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: fix empty chains after first invocation of iptables-compat -L
  Pablo Neira Ayuso, 2014-10-24 (1 file changed, -1/+7)

      # iptables-compat -L
      # iptables-compat -L
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination

      Chain FORWARD (policy ACCEPT)
      target     prot opt source               destination

      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination

  Note that the second (and follow up) invocations after the first one
  display the chains.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: assume chain policy NF_ACCEPT when creating built-in chains
  Pablo Neira Ayuso, 2014-10-24 (1 file changed, -22/+13)

  Newly created (emulated) xt built-in chains have to use NF_ACCEPT.

  Remove extra unused chain parameter and rename nft_chain_builtin_init to
  nft_xt_builtin_init too.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: statify unused built-in table/chain functions
  Pablo Neira Ayuso, 2014-10-24 (1 file changed, -8/+8)

  The functions that allow you to create built-in tables and chains are
  required out of the scope of nft.c.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: fix chain policy reset with iptables -L -n
  Pablo Neira Ayuso, 2014-10-24 (1 file changed, -3/+11)

  Initialize built-in tables/chains if they don't exist, otherwise simply
  skip. This avoids the chain policy reset to NF_ACCEPT when you call
  iptables -L -n.

  Reported-by: Ana Rey <anarey@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  Tested-by: Ana Rey <anarey@gmail.com>
* arptables-compat: get output in sync with arptables -L -n --line-numbers
  Pablo Neira Ayuso, 2014-10-09 (1 file changed, -46/+2)

      # arptables-compat -L -n --line-numbers
      Chain INPUT (policy ACCEPT)
      num target prot opt source destination  <-- This header is not shown by arptables.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: nft: fix error reporting
  Pablo Neira Ayuso, 2014-10-09 (1 file changed, -16/+6)

  This fixes

      # iptables-compat -X test4345
      iptables: No chain/target/match by that name.

      # iptables-compat -N test4345
      # iptables-compat -N test4345
      iptables: File exists.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: nft: fix user chain addition, deletion and rename
  Pablo Neira Ayuso, 2014-10-09 (1 file changed, -27/+60)

  Add the glue code to use the chain batching for user chain commands.

  Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: get rid of error reporting via perror
  Pablo Neira Ayuso, 2014-09-30 (1 file changed, -58/+22)

  The compat layer should report problems in the iptables way instead.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: fix use after free in the batch send path
  Pablo Neira Ayuso, 2014-09-30 (1 file changed, -8/+19)

  Release the batch pages once they have been sent via sendmsg().

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables-compat: nft: use nft_batch_begin and nft_batch_end from libnftnl
  Pablo Neira Ayuso, 2014-09-30 (1 file changed, -21/+5)

  Use the existing functions in libnftnl to begin and end a batch.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: save: fix the printing of the counters
  Giuseppe Longo, 2014-06-11 (1 file changed, -4/+7)

  This patch prints the counters of a rule before the details, like
  iptables-save syntax.

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: add tables and chains to the batch
  Pablo Neira Ayuso, 2014-06-10 (1 file changed, -121/+246)

  Since kernel changes:

    55dd6f9 ("netfilter: nf_tables: use new transaction infrastructure to handle table").
    91c7b38 ("netfilter: nf_tables: use new transaction infrastructure to handle chain").

  it is possible to put tables and chains in the same batch (which was
  already including rules).

  This patch probes the kernel to check if the new transaction is
  available, otherwise it falls back to the previous non-transactional
  approach to handle these two objects.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: remove unused code
  Pablo Neira Ayuso, 2014-06-10 (1 file changed, -52/+4)

  Remove code to set table in dormant state, this is not required from the
  iptables over nft compatibility layer.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: nft: generalize batch infrastructure
  Pablo Neira Ayuso, 2014-06-09 (1 file changed, -41/+41)

  Prepare inclusion of tables and chain objects in the batch.

  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nft: replace nft_rule_attr_get_u8
  Giuseppe Longo, 2014-03-24 (1 file changed, -1/+1)

  Since the family declaration has been modified in libnftnl, from commit
  3cd9cd06625f8181c713489cec2c1ce6722a7e16 the assertion is failed for
  {ip,ip6,arp}tables-compat when printing rules.

      iptables-compat -L
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination
      libnftnl: attribute 0 assertion failed in rule.c:273

      ip6tables-compat -L
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination
      libnftnl: attribute 0 assertion failed in rule.c:273

      arptables-compat -L
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination
      libnftnl: attribute 0 assertion failed in rule.c:273

  Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
  Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>