On 2022-08-25, at 23:14:12 -0500, Ross Johnson wrote:
> Package: nftables
> Version: 0.9.8-3.1
> Severity: normal
> X-Debbugs-Cc: r...@homemail.org
> 
> Dear Maintainer,
> 
> As shown below, I created a file call "junk" that makes a few simple nftables 
> chains.
> When I list the chains, nftables shows what looks like a negative number in 
> the last one.
> I would expect it to show the canonical form of ff00::/8 as given in the 
> previous line.
> This simple example is extracted from a complex script to show the problem 
> concisely.
> 
> root@biden:/srv/nftables# cat junk
> #!/usr/sbin/nft -f
> 
> flush ruleset
> table ip6 whatever {
>   chain junk {
>     ip6 saddr ff00::/8 drop
>     ip6 saddr fe80::/10 drop
>     ip6 saddr { ff00::/8, fe80::/10 } drop
>   }
> }
> root@biden:/srv/nftables# /sbin/nft -f junk
> root@biden:/srv/nftables# /sbin/nft list ruleset
> table ip6 whatever {
>       chain junk {
>               ip6 saddr ff00::/8 drop
>               ip6 saddr fe80::/10 drop
>               ip6 saddr { fe80::/10, 
> ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop
>       }
> }
> root@biden:/srv/nftables# 

I've sent a patch upstream to fix this, but one thing to point out is
that what we see here is not a garbled address with a negative number
embedded in it, but a range (ff00:: to ffff:ffff:...:ffff).  It's more
obvious (to me at least) with an IPv4 prefix.

  ip saddr { 10.0.0.0/8, 192.0.0.0/2 } drop

becomes:

  ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255 } drop

J.
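To make the equivalence concrete, here is a small Python helper (added for this page; it is not part of the bug report, nor of nftables itself, and relies only on the standard-library `ipaddress` module) that rewrites the range spelling back into prefix notation. It shows why `ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` is exactly `ff00::/8` and `192.0.0.0-255.255.255.255` is exactly `192.0.0.0/2`: in both cases the upper bound is simply the last address of the prefix, which happens to be the end of the address space. It also handles the general case of a range that is not a single prefix by splitting it into the minimal list of CIDR blocks, and leaves such ranges untouched in the ruleset text. The sample ruleset is constructed from the report plus one deliberately unaligned range.

```python
"""Canonicalize nftables set elements that were printed as address ranges.

nft prints a prefix whose last address is the end of the address space
(ff00::/8, 192.0.0.0/2, ...) as an explicit "first-last" range.  Both
spellings denote the same set of addresses.  This added helper turns such
a range back into prefix notation when it is exactly one CIDR block and
otherwise lists the prefixes it covers.
"""
import ipaddress
import re

# Constructed sample input: the `nft list ruleset` output from the report,
# plus an IPv4 set containing one range that is not prefix-aligned.
SAMPLE_RULESET = """\
table ip6 whatever {
    chain junk {
        ip6 saddr ff00::/8 drop
        ip6 saddr fe80::/10 drop
        ip6 saddr { fe80::/10, ff00::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff } drop
    }
}
table ip filter {
    chain junk {
        ip saddr { 10.0.0.0/8, 192.0.0.0-255.255.255.255, 10.0.0.1-10.0.0.3 } drop
    }
}
"""


def prefix_last_address(prefix: str) -> str:
    """Last address covered by a CIDR prefix (the upper bound nft printed)."""
    return str(ipaddress.ip_network(prefix, strict=False).broadcast_address)


def range_to_prefixes(first: str, last: str):
    """Minimal list of CIDR networks covering first..last (inclusive).

    Raises ValueError for malformed addresses, mixed families or a
    reversed range, so callers can skip tokens that are not addresses.
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"bad range {first}-{last}")
    return list(ipaddress.summarize_address_range(lo, hi))


def canonical_element(elem: str) -> str:
    """Rewrite one set element; a range that is one prefix becomes CIDR."""
    elem = elem.strip()
    if "-" not in elem:
        return str(ipaddress.ip_network(elem, strict=False))
    first, last = elem.split("-", 1)
    nets = range_to_prefixes(first, last)
    return str(nets[0]) if len(nets) == 1 else elem


# A "first-last" token: hex digits, dots and colons on both sides, not glued
# to a longer identifier.  Anything the address parser rejects is left alone.
_RANGE = re.compile(r"(?<![\w:.])([0-9a-fA-F:.]+)-([0-9a-fA-F:.]+)(?![\w:.])")


def canonicalize_ruleset(text: str) -> str:
    """Replace single-prefix ranges in nft output with prefix notation."""
    def fix(m: re.Match) -> str:
        try:
            nets = range_to_prefixes(m.group(1), m.group(2))
        except ValueError:
            return m.group(0)  # not an address range (e.g. a hyphenated name)
        return str(nets[0]) if len(nets) == 1 else m.group(0)

    return _RANGE.sub(fix, text)


if __name__ == "__main__":
    print(canonicalize_ruleset(SAMPLE_RULESET))
```

Running the script prints the sample ruleset with `ff00::/8` and `192.0.0.0/2` restored, while `10.0.0.1-10.0.0.3` stays a range because it is two prefixes (`10.0.0.1/32` and `10.0.0.2/31`), not one.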
