Hi Sven,

Thanks for submitting this bug report. When I reconfigured my firewall today, I ran into issues and your bug report actually helped me to pinpoint the issue to this specific firewall rule. :)
(Note: I don't use package 'arno-iptables-firewall', but I do apply the same rule '-A INPUT -f -j DROP' in my manual configuration.)

I tried to investigate what is going on and I actually noticed something strange.
Note the output of iptables-translate:

    iptables-translate -A INPUT -f -j DROP
    nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 counter drop

However, if I execute this command:

    iptables -A INPUT -f -j DROP

The following is added (output of 'nft list table filter'):

    table ip filter {
        chain INPUT {
            ...
            ip frag-off & 65311 != 0 counter packets 0 bytes 0 drop
        }
        ...
    }

Note: 65311 (dec) = 0xff1f and not 0x1ffff. Could it be that the byte order for the mask is somehow swapped?

Cheers,

Timo
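As an added illustration (not part of Timo's message or of either project's code), the script below confirms that 65311 (0xff1f) is 0x1fff with its two bytes exchanged, and shows which packets a rule of the form 'ip frag-off & mask != 0' would match with the intended mask versus the swapped one, on the assumption that the mask is applied to the host-order fragment field exactly as displayed. The sample packets are constructed; the field layout (DF, MF, 13-bit offset) follows RFC 791.

```python
import struct

# IPv4 fragment field (RFC 791), host byte order:
# bit 15 reserved, bit 14 DF, bit 13 MF, bits 0-12 fragment offset (8-byte units).
DF = 0x4000
MF = 0x2000
OFFSET_MASK = 0x1fff    # what 'iptables -f' and iptables-translate intend
SWAPPED_MASK = 0xff1f   # 65311, what 'nft list table filter' displayed

def byte_swapped(value16: int) -> int:
    """Return a 16-bit value with its two bytes exchanged (host <-> network order)."""
    return struct.unpack("<H", struct.pack(">H", value16))[0]

def rule_matches(frag_off: int, mask: int) -> bool:
    """Emulate 'ip frag-off & mask != 0' on a host-order fragment field."""
    return (frag_off & mask) != 0

# Constructed sample packets: (description, host-order fragment field).
SAMPLE_PACKETS = [
    ("unfragmented, no flags", 0x0000),
    ("unfragmented, DF set", DF),
    ("first fragment (MF, offset 0)", MF),
    ("middle fragment (MF, offset 32)", MF | 32),
    ("last fragment (offset 32)", 32),
    ("last fragment (offset 185)", 185),
]

def compare_masks(packets=SAMPLE_PACKETS):
    """Rows of (description, matches with intended mask, matches with swapped mask)."""
    return [(desc, rule_matches(f, OFFSET_MASK), rule_matches(f, SWAPPED_MASK))
            for desc, f in packets]

def disagreements(packets=SAMPLE_PACKETS):
    """Packets the two masks classify differently, e.g. DF-only packets wrongly dropped."""
    return [desc for desc, intended, swapped in compare_masks(packets) if intended != swapped]

if __name__ == "__main__":
    print(f"0x{OFFSET_MASK:04x} byte-swapped is 0x{byte_swapped(OFFSET_MASK):04x} "
          f"= {byte_swapped(OFFSET_MASK)}")
    for desc, intended, swapped in compare_masks():
        print(f"{desc:32} intended={intended!s:5} swapped={swapped!s:5}")
```

If the mask really were applied as shown, ordinary unfragmented packets with DF set would match and be dropped while some genuine later fragments would pass, which is a quick way to check the hypothesis against live traffic counters.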
