From: Daniel <tech@tootai.net>
To: netfilter@vger.kernel.org
Subject: nftables 0.9.8 - unknown rule handle
Date: Tue, 6 Jun 2023 12:30:36 +0200
Message-ID: <06d3308e-1fc8-95d6-692e-5794fc83f564@tootai.net>
Hi,
I face the above failure on mark rules. Ex:
    chain TRACE_IN { # handle 6
        type filter hook prerouting priority -500; policy accept;
        iif "wig0" ip6 daddr fd99:a:b:98:10::ff1 meta nftrace set 1 # handle 7
    }
    chain TRACE_OUT { # handle 8
        type route hook output priority -500; policy accept;
        oif "lan" ip6 saddr fd99:a:b:98:10::ff1 meta nftrace set 1 # handle 9
    }
nft monitor shows
    trace id b606126c ip6 mangle TRACE_IN unknown rule handle 7 (verdict continue)
    trace id b606126c ip6 mangle TRACE_IN verdict continue
    trace id b606126c ip6 mangle TRACE_IN policy accept
    trace id a7b94fc8 ip6 mangle TRACE_OUT packet: oif "lan" ip6 saddr fd99:a:b:98:10::ff1 ip6 daddr 2001:db8:c:b::1 ip6 dscp cs0 ip6 ecn not-ect ip6 hoplimit 64 ip6 flowlabel 283281 ip6 length 40 tcp sport 5555 tcp dport 34618 tcp flags == 0x12 tcp window 65320
    trace id a7b94fc8 ip6 mangle TRACE_OUT unknown rule handle 9 (verdict continue)
    trace id a7b94fc8 ip6 mangle TRACE_OUT verdict continue
    trace id a7b94fc8 ip6 mangle TRACE_OUT policy accept
I have this behavior also on all mark rules, ex:
    chain output { # handle 2
        type route hook output priority mangle; policy accept;
        oif "lan" ip6 saddr fd99:a:b:98:10::ff1 meta mark set 0x00000100 ct mark set meta mark accept # handle 11
        oif "lan" meta mark set 0x00000000 ct mark set meta mark # handle 13
    }
    trace id a7b94fc8 ip6 mangle output unknown rule handle 11 (verdict accept)
    chain postrouting { # handle 5
        type filter hook postrouting priority mangle; policy accept;
        meta mark 0x00000100 accept # handle 12
    }
    trace id a7b94fc8 ip6 mangle postrouting unknown rule handle 12 (verdict accept)
and so on.
What's going on here?
--
Daniel
--
Daniel Huhardeaux
+33.368460088@tootai.net sip:820@sip.tootai.net
+41.445532125@swiss-itech.ch tootaiNET