| Summary: | net-firewall/nftables-0.4: init script ipv6 address substitution on saving corrupts saved ipv6 addresses | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Vladimir Datsevich <bgo> |
| Component: | [OLD] Core system | Assignee: | Gentoo's Team for Core System packages <base-system> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | mrueg, nvinson234 |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
net-filter/nftables-0.5: the init scripts hasn't changed. I've added an updated ebuild and new init scripts to bug 560920. I think they will solve this problem as well. Should be fixed in >=0.5-r1 |
Having a nftables ruleset like the one following, results in corrupted or changed ipv6 addresses (not all) when they are being saved by the nftables init script. table inet filter { set test_ipv6 { type ipv6_addr elements = { 2aff:2010::6787:f534, 2aff:2010::bc54:d10e, 2aff:2010::fe6b:dffc} } ... } results in (/var/lib/nftables/rules-save): table inet filter { set test_ipv6 { type ipv6_addr elements = { 2aff:2010::6787/128:f534, 2aff:2010::bc54/128:d10e, 2aff:2010::fe6b/128:dffc} } ... } Which itself gives an error when nftables starts up: * Loading nftables state and starting firewall ... /var/lib/nftables/rules-save:51:28-53: Error: mapping outside of map context elements = { 2aff:2010::6787/128:f534, 2aff:2010::bc54/128:d10e, 2aff:2010::fe6b/128:dffc} ^^^^^^^^^^^^^^^^^^^^^^^^^^ [ !! ] When saving the nftables ruleset by hand via nft list ruleset f.e. and then load it again (after a nft flush ruleset) with nft -f everything is working fine. The nftables init script performs a substitution in /etc/init.d/nftables in lines 130-144 which seems to be the problem: nft list tables ${l3f} | while read line; do line=$(echo ${line} | sed "s/table/table ${l3f}/") # The below substitution fixes an issue where nft -n output may not # always be parsable by nft -f. For example, nft -n might print # # ip6 saddr ::1 ip6 daddr ::1 counter packets 0 bytes 0 accept # # but nft -f refuses to parse that string with error: # # In file included from internal:0:0-0: # /var/lib/nftables/rules-save:1:1-2: Error: Could not process rule: # Invalid argument # table ip6 filter { # ^^ echo "$(nft ${SAVE_OPTIONS} list ${line} |\ sed 's/\(::[0-9a-fA-F]\+\)\([^/]\)/\1\/128\2/g')" >> "${tmp_save}" Reproducible: Always Steps to Reproduce: 1. load the described rule 2. run rc-service nftables save 3. restart nftables Actual Results: nftables fails to load the ruleset, all tables are blank Expected Results: nftables should load the rules, the firewall should work as expected