From: leroy christophe <christophe.leroy@c-s.fr>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: Re: issue with nftable - goto : Operation not supported
Date: Thu, 27 Nov 2014 13:31:52 +0100
Message-ID: <547719B8.6040302@c-s.fr>
In-Reply-To: <20141126181312.GA25447@salvia>
On 26/11/2014 19:13, Pablo Neira Ayuso wrote:
>> How can it interpret the below output which seems buggy ?
>>
>> root@vgoip:~# nft list table filter
>> table ip filter {
>> chain input {
>> type filter hook input priority 0;
>> oifname "lo" accept
>> ip protocol icmp accept
>> ct state 8 unknown unknown 0x16 [invalid type] accept
>> ct state { 4, 2} accept
>> reject with icmp type 10
>> }
> What is the original ruleset you loaded? This should not happen. Any
> relevant information regarding your testbed?
Ruleset is:
nft add table ip filter
nft add chain ip filter input { type filter hook input priority 0 \; }
nft add rule filter input meta oifname lo accept
nft add rule filter input ip protocol icmp accept
nft add rule filter input ct state new tcp dport 22 accept
nft add rule filter input ct state {established, related} accept
nft add rule filter input reject with icmp type host-prohibited
Target is a powerpc
All building is done on an x86 PC, using home-built cross-compile GNU
tools (binutils, gcc, glibc, ....)
I just ran 'nft' with gdb, and I have seen something wrong with byte
ordering.
It looks like in symbolic_constant_print(), mpz_export_data() returns a
strange val.
First time we get there, we get 0x800000000
Next time, we get 0x400000000
Last time, we get 0x200000000
While we expect 8(new), 4(related), 2(established)
Any idea on how I can fix that?
Kernel 3.17.4
nftables-20141121
gmp-4.3.2
libmnl-1.0.3
libnfnetlink-1.0.1
libnftnl-20141121
libnetfilter_conntrack-1.0.4
Christophe
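Added example, not part of the original message and not nftables code: one way values such as 0x800000000 can arise is when a 4-byte value is exported into the start of an 8-byte integer, which reads back correctly on little-endian x86 but lands 32 bits too high on big-endian powerpc. That cause is an assumption the message does not confirm, and the helper names below are hypothetical; the byte order is simulated so the code behaves the same on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Store the low `len` bytes of v at buf, in the byte order of the simulated host. */
static void store(uint8_t *buf, uint64_t v, size_t len, int big_endian)
{
    for (size_t i = 0; i < len; i++) {
        size_t shift = big_endian ? 8 * (len - 1 - i) : 8 * i;
        buf[i] = (uint8_t)(v >> shift);
    }
}

/* Load an 8-byte slot the way a host of that byte order reads a uint64_t. */
static uint64_t load64(const uint8_t *buf, int big_endian)
{
    uint64_t v = 0;
    for (size_t i = 0; i < 8; i++)
        v |= (uint64_t)buf[i] << (big_endian ? 8 * (7 - i) : 8 * i);
    return v;
}

/* Assumed pattern: len bytes written at the START of a zeroed 8-byte integer. */
uint64_t narrow_into_wide(uint64_t v, size_t len, int big_endian)
{
    uint8_t slot[8] = {0};
    store(slot, v, len, big_endian);
    return load64(slot, big_endian);
}

/* Portable variant: export at the full width of the destination integer. */
uint64_t full_width(uint64_t v, int big_endian)
{
    uint8_t slot[8] = {0};
    store(slot, v, sizeof(slot), big_endian);
    return load64(slot, big_endian);
}

int main(void)
{
    const uint64_t states[] = { 8, 4, 2 }; /* values quoted in the message */
    for (size_t i = 0; i < 3; i++)
        printf("%llu: LE=0x%llx BE=0x%llx BE full width=0x%llx\n",
               (unsigned long long)states[i],
               (unsigned long long)narrow_into_wide(states[i], 4, 0),
               (unsigned long long)narrow_into_wide(states[i], 4, 1),
               (unsigned long long)full_width(states[i], 1));
    return 0;
}
```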