From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Sixene <notsixene@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Optimize fails on a large ruleset
Date: Sat, 18 Nov 2023 19:35:05 +0100
Message-ID: <ZVkD2Yu9oKoyilC0@calendula>
In-Reply-To: <CABGCCVeMFcQvetiSLUhjOudvz3mLeo7quPLtHDkVQQobLHwfAA@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 462 bytes --]

On Fri, Nov 17, 2023 at 05:42:59PM +0100, Sixene wrote:
> Hi,
> After checking via dnf, it seems I'm running the latest version already.
> After some investigation I found out I had a lot of duplicate entries,
> after fixing this, I now get the error "Segmentation fault (core
> dumped)" with the same command.

No crash with nftables 1.0.9. What nftables version are you using?

I am attaching the output with your ruleset, running:

nft -c -o -f notsixene.nft

[-- Attachment #2: output.txt --]
[-- Type: text/plain, Size: 3365 bytes --]

Merging:
notsixene.nft:4:9-60:         ip saddr 1.12.32.0/23 counter packets 0 bytes 0 drop
notsixene.nft:5:9-59:         ip saddr 1.14.0.0/15 counter packets 0 bytes 0 drop
notsixene.nft:6:9-60:         ip saddr 1.44.96.0/24 counter packets 0 bytes 0 drop
notsixene.nft:7:9-60:         ip saddr 1.116.0.0/15 counter packets 0 bytes 0 drop
notsixene.nft:8:9-61:         ip saddr 1.178.32.0/19 counter packets 0 bytes 0 drop
notsixene.nft:9:9-60:         ip saddr 1.247.4.0/24 counter packets 0 bytes 0 drop
notsixene.nft:10:9-61:         ip saddr 1.255.30.0/24 counter packets 0 bytes 0 drop
into:
	ip saddr { 1.12.32.0/23, 1.14.0.0/15, 1.44.96.0/24, 1.116.0.0/15, 1.178.32.0/19, 1.247.4.0/24, 1.255.30.0/24 } counter drop
Merging:
notsixene.nft:172:9-57:         tcp dport 9090 ct state { new, untracked } accept
notsixene.nft:173:9-55:         tcp dport 80 ct state { new, untracked } accept
notsixene.nft:174:9-58:         tcp dport 25565 ct state { new, untracked } accept
notsixene.nft:175:9-58:         tcp dport 25566 ct state { new, untracked } accept
into:
	tcp dport . ct state { 9090 . new, 9090 . untracked, 80 . new, 80 . untracked, 25565 . new, 25565 . untracked, 25566 . new, 25566 . untracked } accept
Merging:
notsixene.nft:176:9-58:         udp dport 25565 ct state { new, untracked } accept
notsixene.nft:177:9-58:         udp dport 25566 ct state { new, untracked } accept
into:
	ct state . udp dport { new . 25565, untracked . 25565, new . 25566, untracked . 25566 } accept
Merging:
notsixene.nft:178:9-58:         tcp dport 27015 ct state { new, untracked } accept
notsixene.nft:179:9-56:         tcp dport 443 ct state { new, untracked } accept
notsixene.nft:180:9-57:         tcp dport 8092 ct state { new, untracked } accept
notsixene.nft:181:9-57:         tcp dport 8093 ct state { new, untracked } accept
into:
	tcp dport . ct state { 27015 . new, 27015 . untracked, 443 . new, 443 . untracked, 8092 . new, 8092 . untracked, 8093 . new, 8093 . untracked } accept
Merging:
notsixene.nft:182:9-57:         udp dport 8092 ct state { new, untracked } accept
notsixene.nft:183:9-57:         udp dport 8093 ct state { new, untracked } accept
into:
	ct state . udp dport { new . 8092, untracked . 8092, new . 8093, untracked . 8093 } accept
Merging:
notsixene.nft:184:9-57:         tcp dport 8080 ct state { new, untracked } accept
notsixene.nft:185:9-57:         tcp dport 8181 ct state { new, untracked } accept
notsixene.nft:186:9-57:         tcp dport 4430 ct state { new, untracked } accept
notsixene.nft:187:9-58:         tcp dport 34523 ct state { new, untracked } accept
notsixene.nft:188:9-57:         tcp dport 8000 ct state { new, untracked } accept
notsixene.nft:189:9-57:         tcp dport 8010 ct state { new, untracked } accept
into:
	tcp dport . ct state { 8080 . new, 8080 . untracked, 8181 . new, 8181 . untracked, 4430 . new, 4430 . untracked, 34523 . new, 34523 . untracked, 8000 . new, 8000 . untracked, 8010 . new, 8010 . untracked } accept
Merging:
notsixene.nft:314:9-45:         icmpv6 type nd-neighbor-advert accept
notsixene.nft:315:9-46:         icmpv6 type nd-neighbor-solicit accept
notsixene.nft:316:9-43:         icmpv6 type nd-router-advert accept
notsixene.nft:317:9-38:         icmpv6 type nd-redirect accept
into:
	icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert, nd-redirect } accept
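
An added example, not part of the original message or of nftables: a short Python parser for the `Merging:` / `into:` blocks in the attached output. It lists the source line numbers of each proposed merge, checks that the merged set holds as many elements as the source rules imply, and flags merges whose source rules each carried their own `counter`. The function names are hypothetical, and the element count assumes at most one `{ ... }` set per rule, as in the output above.

```python
import re

# Excerpt of the output.txt attachment above, shortened to two merge groups.
SAMPLE = """\
Merging:
notsixene.nft:4:9-60:         ip saddr 1.12.32.0/23 counter packets 0 bytes 0 drop
notsixene.nft:5:9-59:         ip saddr 1.14.0.0/15 counter packets 0 bytes 0 drop
into:
\tip saddr { 1.12.32.0/23, 1.14.0.0/15 } counter drop
Merging:
notsixene.nft:176:9-58:         udp dport 25565 ct state { new, untracked } accept
notsixene.nft:177:9-58:         udp dport 25566 ct state { new, untracked } accept
into:
\tct state . udp dport { new . 25565, untracked . 25565, new . 25566, untracked . 25566 } accept
"""
# "<file>:<line>:<column range>: <rule text>", as printed for each source rule.
LOC = re.compile(r"^[^:\s]+:(?P<line>\d+):\d+-\d+:\s+(?P<rule>.*)$")

def parse_merges(text):
    """Split optimizer output into [{'sources': [(line, rule)], 'merged': str}]."""
    merges, state = [], None
    for line in text.splitlines():
        if line.strip() == "Merging:":
            merges.append({"sources": [], "merged": None})
            state = "src"
        elif line.strip() == "into:" and merges:
            state = "dst"
        elif state == "src" and (m := LOC.match(line)):
            merges[-1]["sources"].append((int(m["line"]), m["rule"]))
        elif state == "dst" and line.strip():
            merges[-1]["merged"] = line.strip()
            state = None  # the merged rule is a single line
    return merges

def set_size(rule):
    """Elements in the first { ... } of a rule; 1 if it has no set, 0 if the rule is missing."""
    m = re.search(r"\{([^}]*)\}", rule or "")
    return len([e for e in m.group(1).split(",") if e.strip()]) if m else int(bool(rule))

def audit(merge):
    """Compare element counts and flag per-rule counters folded into one rule."""
    rules = [rule for _, rule in merge["sources"]]
    return {"lines": [n for n, _ in merge["sources"]],
            "expected": sum(set_size(r) for r in rules),
            "merged": set_size(merge["merged"]),
            "counters_folded": sum("counter" in r.split() for r in rules) > 1}

if __name__ == "__main__":
    print(*map(audit, parse_merges(SAMPLE)), sep="\n")
```

A merge reported with `counters_folded` set means the per-prefix hit counts of the original rules are replaced by one counter on the merged rule, which matters if those counts feed monitoring.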
