From: leroy christophe <christophe.leroy@c-s.fr>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter@vger.kernel.org
Subject: Re: issue with nftable - goto : Operation not supported
Date: Wed, 26 Nov 2014 18:15:38 +0100 [thread overview]
Message-ID: <54760ABA.4040900@c-s.fr> (raw)
In-Reply-To: <20141126130042.GA1533@salvia>
Le 26/11/2014 14:00, Pablo Neira Ayuso a écrit :
> On Tue, Nov 25, 2014 at 06:29:53PM +0100, leroy christophe wrote:
>> Using nft, i'm trying to jump to another table from the end of a
>> table and I get the following error.
>>
>> root@localhost:~# nft add rule filter input goto accs
>> <cmdline>:1:1-31: Error: Could not process rule: Operation not supported
>> add rule filter input goto accs
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>> What could be the reason ?
>>
>> I'm using
>> * nftables-20141121
>> * gmp-4.3.2
>> * libmnl-1.0.3
>> * libnfnetlink-1.0.1
>> * libnftnl-20141121
>> * libnetfilter_conntrack-1.0.4
> Kernel version?
3.17.4
>
> Could you run this command with strace:
>
> strace nft add rule ...
See the strace output at the end of this message.
>
> Could you post the relevant part of your ruleset (table and chain
> configuration)?
root@vgoip:~# nft list table filter
table ip filter {
chain forward {
type filter hook forward priority 0;
drop
}
}
root@vgoip:~# ./mynft.sh start
+ echo Starting NFTABLES test ...
Starting NFTABLES test ...
+ Start
+ nft add chain ip filter rej { type filter hook input priority 20 ; }
+ nft add rule filter rej ip saddr 192.168.2.0/24 reject with icmp type host-prohibited
+ nft add rule filter rej drop
+ nft add chain ip filter test { type filter hook input priority 10 ; }
+ nft add rule filter test meta oifname lo accept
+ nft add rule filter test icmp type echo-request ip saddr 192.168.2.1 accept
+ nft add rule filter test icmp type {echo-request,timestamp-request} goto rej
<cmdline>:1:1-72: Error: Could not process rule: Operation not supported
add rule filter test icmp type {echo-request,timestamp-request} goto rej
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ nft add rule filter test ct state {established, related} accept
+ nft add rule filter test ct state new tcp dport 22 ip saddr 192.168.2.1 accept
+ nft add rule filter test goto rej
<cmdline>:1:1-29: Error: Could not process rule: Operation not supported
add rule filter test goto rej
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+ return 0
+ Result=0
+ echo Done
Done
+ exit 0
root@vgoip:~# nft list table filter
table ip filter {
chain forward {
type filter hook forward priority 0;
drop
}
chain rej {
type filter hook input priority 20;
ip saddr 192.168.2.0/24 reject with icmp type 10
drop
}
chain test {
type filter hook input priority 10;
oifname "lo" accept
unknown unknown 0x8 [invalid type] ip saddr
192.168.2.1 accept
ct state { 4, 2} accept
ct state 8 unknown unknown 0x16 [invalid type] ip
saddr 192.168.2.1 accept
}
}
root@vgoip:~# strace -f nft add rule filter test goto rej
execve("/usr/sbin/nft", ["nft", "add", "rule", "filter", "test", "goto",
"rej"], [/* 10 vars */]) = 0
brk(0) = 0x10069000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
directory)
open("/usr/lib/tls/ppc823/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT
(No such file or directory)
stat64("/usr/lib/tls/ppc823", 0x7fecc6b8) = -1 ENOENT (No such file or
directory)
open("/usr/lib/tls/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No
such file or directory)
stat64("/usr/lib/tls", 0x7fecc6b8) = -1 ENOENT (No such file or
directory)
open("/usr/lib/ppc823/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No
such file or directory)
stat64("/usr/lib/ppc823", 0x7fecc6b8) = -1 ENOENT (No such file or
directory)
open("/usr/lib/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such
file or directory)
stat64("/usr/lib", {st_mode=S_IFDIR|0755, st_size=912, ...}) = 0
open("/lib/tls/ppc823/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No
such file or directory)
stat64("/lib/tls/ppc823", 0x7fecc6b8) = -1 ENOENT (No such file or
directory)
open("/lib/tls/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such
file or directory)
stat64("/lib/tls", 0x7fecc6b8) = -1 ENOENT (No such file or
directory)
open("/lib/ppc823/libmnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such
file or directory)
stat64("/lib/ppc823", 0x7fecc6b8) = -1 ENOENT (No such file or
directory)
open("/lib/libmnl.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\0\23\264\0\0\0004"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=18666, ...}) = 0
mmap(0xffdc000, 78792, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0xffdc000
mprotect(0xffe0000, 61440, PROT_NONE) = 0
mmap(0xffef000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0xffef000
close(3) = 0
open("/usr/lib/libnftnl.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such
file or directory)
open("/lib/libnftnl.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\0V\350\0\0\0004"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=130461, ...}) = 0
mmap(0xffa1000, 174260, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0xffa1000
mprotect(0xffbb000, 61440, PROT_NONE) = 0
mmap(0xffca000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19000) = 0xffca000
close(3) = 0
open("/usr/lib/libgmp.so.3", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such
file or directory)
open("/lib/libgmp.so.3", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\0s\300\0\0\0004"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=368473, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0x77ced000
mmap(0xff2b000, 414688, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0xff2b000
mprotect(0xff80000, 61440, PROT_NONE) = 0
mmap(0xff8f000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x54000) = 0xff8f000
mmap(0xff90000, 992, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xff90000
close(3) = 0
open("/usr/lib/libncurses.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No
such file or directory)
open("/lib/libncurses.so.5", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\0\301d\0\0\0004"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=284121, ...}) = 0
mmap(0xfecc000, 322280, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0xfecc000
mprotect(0xff05000, 65536, PROT_NONE) = 0
mmap(0xff15000, 20480, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x39000) = 0xff15000
mmap(0xff1a000, 2792, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xff1a000
close(3) = 0
open("/usr/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file
or directory)
open("/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3,
"\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\24\0\0\0\1\0\2\16t\0\0\0004"...,
512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1746172, ...}) = 0
mmap(0xfd36000, 1596552, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0xfd36000
mprotect(0xfea4000, 65536, PROT_NONE) = 0
mmap(0xfeb4000, 24576, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16e000) = 0xfeb4000
mmap(0xfeba000, 7304, PROT_READ|PROT_WRITE|PROT_EXEC,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xfeba000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0x77cec000
mprotect(0xfeb4000, 8192, PROT_READ) = 0
mprotect(0x77cee000, 4096, PROT_READ) = 0
brk(0) = 0x10069000
brk(0x1008a000) = 0x1008a000
socket(PF_NETLINK, SOCK_RAW, 12) = 3
fcntl64(3, F_SETFL, O_RDONLY|O_NONBLOCK) = 0
open("/etc/xtables/connlabel.conf", O_RDONLY) = -1 ENOENT (No such file
or directory)
open("/etc/iproute2/group", O_RDONLY) = -1 ENOENT (No such file or
directory)
open("/etc/iproute2/rt_realms", O_RDONLY) = -1 ENOENT (No such file or
directory)
open("/etc/iproute2/rt_marks", O_RDONLY) = -1 ENOENT (No such file or
directory)
sendto(3,
"\0\0\0\24\0\20\0\1\0\0\0\0\0\0\0\0\2\0\0\n\0\0\0\24\n\t\0\5\0\0\0\1"..., 60,
0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 60
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"\0\0\0(\0\2\0\0\0\0\0\1\0\0\1\327\377\377\377\352\0\0\0\24\n\t\0\5\0\0\0\1"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 40
sendto(3, "\0\0\0\24\n\20\0\1\0\0\0\3\0\0\0\0\0\0\0\0", 20, 0,
{sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"\0\0\0(\0\2\0\0\0\0\0\3\0\0\1\327\377\377\377\352\0\0\0\24\n\20\0\1\0\0\0\3"...,
69631}], msg_controllen=0, msg_flags=0}, 0) = 40
mmap(NULL, 204800, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x77c8d000
setsockopt(3, SOL_SOCKET, 0x20 /* SO_??? */, [131072], 4) = 0
sendmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"\0\0\0\24\0\20\0\1\0\0\0\3\0\0\0\0\0\0\0\n\0\0\0h\n\6\16\1\0\0\0\4"...,
144}], msg_controllen=0, msg_flags=0}, 0) = 144
select(4, [3], NULL, NULL, {0, 0}) = 1 (in [3], left {0, 0})
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000},
msg_iov(1)=[{"\0\0\0|\0\2\0\0\0\0\0\4\0\0\1\327\377\377\377\241\0\0\0h\n\6\16\1\0\0\0\4"...,
4096}], msg_controllen=0, msg_flags=0}, 0) = 124
select(4, [3], NULL, NULL, {0, 0}) = 0 (Timeout)
munmap(0x77c8d000, 204800) = 0
fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(204, 46), ...}) = 0
ioctl(1, TCGETS, {B115200 opost isig icanon echo ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
= 0x77ceb000
write(1, "<cmdline>:1:1-29: Error: Could n"..., 73<cmdline>:1:1-29:
Error: Could not process rule: Operation not supported
) = 73
write(1, "add rule filter test goto rej\n", 30add rule filter test goto rej
) = 30
write(1, "^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n", 30^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
) = 30
close(3) = 0
exit_group(1) = ?
+++ exited with 1 +++
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-25 17:29 issue with nftable - goto : Operation not supported leroy christophe
2014-11-26 13:00 ` Pablo Neira Ayuso
2014-11-26 17:15 ` leroy christophe [this message]
2014-11-26 17:47 ` Pablo Neira Ayuso
2014-11-26 18:00 ` leroy christophe
2014-11-26 18:13 ` Pablo Neira Ayuso
2014-11-26 21:45 ` stoffl4ever
2014-11-27 10:25 ` Arturo Borrero Gonzalez
2014-11-27 12:31 ` leroy christophe