Joe Williams

Results 24 comments of Joe Williams

I am having the same problem on Ubuntu 21.04 and GPaste 3.42.6.

Another +1 for this, we are running into this quite a bit since we don't run the latest.

Synproxy/syncookie support in nftables exists but is no longer needed due to lockless listener changes for TCP https://lwn.net/Articles/659199/

I think I may have found the problem with this. Attempting to do the equivalent with raw [netlink](https://github.com/mdlayher/netlink) messages I was able to reproduce the same invalid argument error. It...

@stapelberg, unless I am mistaken, adding a match expression rule is broken due to the above `NLA_F_NESTED` vs `NFTA_MATCH_NAME` problem in this library itself.

Thanks @turekt, it's very nice of you to work up an example! Unfortunately I need to specifically use match rules for my use case.

I have also tried a UDP based match and get the same `invalid argument` error.

```
&expr.Match{
	Name: "udp",
	Rev:  0,
	Info: &xt.Udp{
		DstPorts: [2]uint16{uint16(50), uint16(60)},
	},
},
&expr.Verdict{ Kind:...
```

Trying this from a different angle, I used `iptables-nft` to create a conntrack match which is applied as a `match` in nftables.

```
sudo iptables-nft -A INPUT -m conntrack --ctstate...
```

I am not sure what's up with the UDP match support but it seems like my original problem was using `Rev:1` and `xt.AddrType` rather than `xt.AddrType1`.