Comments (8)
Next step: compare the output of nft(8) with the nftables package and see where they differ.
from nftables.
@stapelberg I did that, and the set and its elements passed to the kernel look identical. The difficulty is that nft sends almost everything in one chunk, but nftables sends the info in different messages with clear flags etc. I will try to strip down the program I run to test it, so it looks as close as possible to nft.
Here is a small program I use for testing: with 4 elements it fails, but if you reduce it to 2 elements, it programs the set fine.

```go
package main
import (
	"fmt"
	"math/rand"
	"os"

	"github.com/google/nftables"
	"github.com/google/nftables/binaryutil"
	"github.com/google/nftables/expr"
	"golang.org/x/sys/unix"
)

func main() {
	fmt.Printf("Testing raw rule for port set\n")
	c := nftables.Conn{}
	t := &nftables.Table{
		Name:   "ipv4table",
		Family: nftables.TableFamilyIPv4,
	}
	ch := &nftables.Chain{
		Name:     "ipv4chain-2",
		Table:    t,
		Type:     nftables.ChainTypeNAT,
		Priority: nftables.ChainPriorityNATDest,
		Hooknum:  nftables.ChainHookPrerouting,
	}
	// Named, constant set keyed by inet_service (a 16-bit port).
	set := nftables.Set{
		Anonymous: false,
		Constant:  true,
		Name:      "test-set",
		ID:        uint32(rand.Intn(0xffff)),
		Table:     t,
		KeyType:   nftables.TypeInetService,
	}
	c.AddTable(t)
	c.AddChain(ch)
	// First flush: create the table and chain before anything references them.
	if err := c.Flush(); err != nil {
		fmt.Printf("failed to program with error: %+v\n", err)
		os.Exit(1)
	}
	// Rule: meta l4proto == tcp, load the destination port, look it up in the set.
	re := []expr.Any{}
	re = append(re, &expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1})
	re = append(re, &expr.Cmp{
		Op:       expr.CmpOpEq,
		Register: 1,
		Data:     []byte{unix.IPPROTO_TCP},
	})
	re = append(re, &expr.Payload{
		DestRegister: 1,
		Base:         expr.PayloadBaseTransportHeader,
		Offset:       2, // offset of the destination port in the transport header
		Len:          2, // 2 bytes for port
	})
	re = append(re, &expr.Lookup{
		SourceRegister: 1,
		Invert:         false,
		SetID:          set.ID,
		SetName:        set.Name,
	})
	// With these 4 elements the flush fails; with 2 elements the set is programmed fine.
	ports := []uint16{12000, 12001, 12002, 12003}
	setElements := make([]nftables.SetElement, len(ports))
	for i := 0; i < len(ports); i++ {
		setElements[i].Key = binaryutil.BigEndian.PutUint16(ports[i]) // network byte order
	}
	if err := c.AddSet(&set, setElements); err != nil {
		fmt.Printf("failed to add set with error: %+v\n", err)
		os.Exit(1)
	}
	c.AddRule(&nftables.Rule{
		Table: t,
		Chain: ch,
		Exprs: re,
	})
	// Second flush: the set, its elements and the rule go out in one batch.
	if err := c.Flush(); err != nil {
		fmt.Printf("failed to program with error: %+v\n", err)
		os.Exit(1)
	}
}
```
Ok, I found a discrepancy; it looks like nftables truncates the message, please see below:
The reference to __set%d is missing, with pretty much the rest of the expressions.
Output taken from debug
All the rest is missing.
Very puzzled :(. It appears the difference between the working and non-working cases, in terms of the messages sent to netlink here https://github.com/google/nftables/blob/master/conn.go#L51, is valid. The difference is in the length of the set's elements and the 2 additional ports.
diff -y named-not-working.log named-working.log
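The elements list that the dumps above pick apart can be decoded with nothing but the netlink attribute rules, which is a quick way to spot an outer length that no longer matches its payload. This is an added example, not code from the thread or from the google/nftables project; the sample bytes are constructed for ports 12000 and 12001 in the layout the dumps show, and the attribute numbers NFTA_SET_ELEM_LIST_ELEMENTS=3, NFTA_LIST_ELEM=1, NFTA_SET_ELEM_KEY=1 and NFTA_DATA_VALUE=1 are assumed from the kernel's nf_tables.h.

```go
package main
import (
	"encoding/binary"
	"fmt"
)

type attr struct {
	Type   uint16
	Data   []byte
	Nested []attr // decoded children when the NLA_F_NESTED bit (0x8000) is set
}
// parseAttrs decodes netlink TLVs (u16 length incl. header, u16 type, payload, pad to 4); an overlong length is an error, never skipped.
func parseAttrs(b []byte) (out []attr, err error) {
	for len(b) >= 4 {
		l, t := int(binary.LittleEndian.Uint16(b)), binary.LittleEndian.Uint16(b[2:])
		if l < 4 || l > len(b) {
			return nil, fmt.Errorf("attr type %#x claims %d bytes, only %d present", t, l, len(b))
		}
		a := attr{Type: t &^ 0x8000, Data: b[4:l]}
		if t&0x8000 != 0 {
			if a.Nested, err = parseAttrs(a.Data); err != nil {
				return nil, err
			}
		}
		out = append(out, a)
		if l = (l + 3) &^ 3; l > len(b) {
			l = len(b) // the last attribute may be unpadded
		}
		b = b[l:]
	}
	return out, nil
}
// setElemPorts walks NFTA_SET_ELEM_LIST_ELEMENTS{NFTA_LIST_ELEM{NFTA_SET_ELEM_KEY{NFTA_DATA_VALUE}}} as sent for an inet_service set.
func setElemPorts(b []byte) (ports []uint16, err error) {
	top, err := parseAttrs(b)
	if err != nil || len(top) != 1 || top[0].Type != 3 {
		return nil, fmt.Errorf("bad NFTA_SET_ELEM_LIST_ELEMENTS: %v", err)
	}
	for _, e := range top[0].Nested {
		if len(e.Nested) != 1 || len(e.Nested[0].Nested) != 1 || len(e.Nested[0].Nested[0].Data) != 2 {
			return nil, fmt.Errorf("malformed NFTA_LIST_ELEM")
		}
		ports = append(ports, binary.BigEndian.Uint16(e.Nested[0].Nested[0].Data)) // network byte order
	}
	return ports, nil
}
// twoPortElems is a constructed sample: the elements list for ports 12000 and 12001.
var twoPortElems = []byte("\x24\x00\x03\x80" +
	"\x10\x00\x01\x80\x0c\x00\x01\x80\x06\x00\x01\x00\x2e\xe0\x00\x00" +
	"\x10\x00\x01\x80\x0c\x00\x01\x80\x06\x00\x01\x00\x2e\xe1\x00\x00")
```

Changing the leading length byte from 0x24 to 0x44, the four-element length over a two-element payload, makes parseAttrs reject the buffer instead of reading past it.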
@stapelberg do you have any other suggestions? I am at a dead end...
I'm looking into it now.
This should work now. I added a test for it (which is an easy way to find mismatches, by the way).