[pkg-netfilter-team] Bug#879684: nftables: cannot set rules with a script
Lu Wang
wanglustar at hotmail.com
Tue Oct 24 12:50:55 UTC 2017
Package: nftables
Version: 0.8-1
Severity: important
Dear Maintainer,
I use a script to set the rules with nft. It worked well before today's
update. I don't know what was updated. My (executable) script is
-------------------
#!/usr/sbin/nft -f
flush ruleset
#include "nftables.conf"
# define inner_net = {10.0.0.0/8,10.14.129.0/24,10.110.64.0/24}
# ipp:631, mldonkey:4000, mldonkey_http:4080, rpc:111, ftp:21, ssh:22
define tcp_port = {111,22}
# 1701:l2tpd, dns:53, ipp:631, mdns:5353
define udp_port = {53,631,5353}
# 21688 for mldonkey (TCP) 21688+4 for mldonkey (UDP)
define ml_tcp_port= {21688, 51413}
define ml_udp_port= {21692, 51413}
add table vnat
add table myfilter
add chain myfilter tcp_chain
add chain myfilter udp_chain
add chain myfilter myinput {
    type filter hook input priority 0; policy drop;
    ct state established,related accept;
    #ip protocol icmp counter accept ;
    ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
    ct state new tcp flags syn tcp dport $tcp_port jump tcp_chain;
    ct state new udp dport $udp_port jump udp_chain;
    ct state new tcp flags syn tcp dport $ml_tcp_port accept;
    ct state new udp dport $ml_udp_port accept;
    ip protocol icmp ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
}
#add rule myfilter tcp_chain ip saddr $inner_net accept;
add rule myfilter tcp_chain ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
add rule myfilter tcp_chain limit rate 5/hour counter;
#add rule myfilter udp_chain ip saddr $inner_net accept;
add rule myfilter udp_chain ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
add rule myfilter udp_chain limit rate 5/hour counter;
----------------------------
after setting the ruleset with the script, I check the ruleset with
nft list ruleset
the output is
table ip vnat {
}
table ip myfilter {
    chain tcp_chain {
        ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
        limit rate 5/hour counter packets 0 bytes 0
    }
    chain udp_chain {
        ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
        limit rate 5/hour counter packets 0 bytes 0
    }
    chain myinput {
        type filter hook input priority 0; policy drop;
    }
}
This shows that most of the rules in the script are not read. Because my policy is 'drop', the net disconnects. I have to set
the policy to 'accept'.
I think this may be a bug.
Best regards
Lu Wang
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages nftables depends on:
ii dpkg 1.18.24
ii libc6 2.24-17
ii libgmp10 2:6.1.2+dfsg-1.1
ii libmnl0 1.0.4-2
ii libnftnl7 1.0.8-1
ii libreadline7 7.0-3
ii libxtables12 1.6.1-2+b1
nftables recommends no packages.
nftables suggests no packages.
-- no debconf information
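A post-load sanity check that a practitioner can wrap around a script like the one in this report, added here as an example and not part of the bug report or the nftables project: it parses the text printed by `nft list ruleset` and counts the rules inside one chain, so a loader can detect that a `policy drop` base chain came up empty (the state shown above for `myinput`) and revert before the host cuts itself off. The chain names and the sample listing are taken from the report; the function names and the loader snippet in the comment are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report: sanity-check a loaded
# nftables ruleset before trusting a base chain that uses "policy drop".
#
# The report's listing shows chain "myinput" holding only its hook spec
# and policy, i.e. zero rules, which is exactly the state that blocks all
# input. These helpers read the text `nft list ruleset` prints and count
# the rules in one chain so a loader script can refuse to stay there.

# count_chain_rules CHAIN   (listing on stdin) -> prints the rule count.
# Chain properties ("type ... hook ...", "policy ...", "flags ...") are
# not rules and are skipped; every other line between the braces counts.
count_chain_rules() {
    awk -v want="$1" '
        $1 == "chain"        { inchain = ($2 == want); next }
        inchain && $1 == "}" { inchain = 0; next }
        inchain {
            if (NF == 0) next
            if ($1 == "type" || $1 == "policy" || $1 == "flags") next
            n++
        }
        END { print n + 0 }
    '
}

# chain_has_at_least CHAIN MIN   (listing on stdin) -> exit status 0 if
# CHAIN holds at least MIN rules, 1 otherwise.
chain_has_at_least() {
    n=$(count_chain_rules "$1")
    [ "$n" -ge "$2" ]
}

# Live use (needs root and nft; not executed here). Hypothetical loader:
#   nft -f /etc/nftables.conf
#   if ! nft list ruleset | chain_has_at_least myinput 5; then
#       echo "myinput came up with too few rules, flushing" >&2
#       nft flush ruleset     # back to an empty (accept-everything) state
#   fi

# Constructed sample input: the listing from the report, with the empty
# base chain. Indentation is irrelevant to the parser.
SAMPLE_LISTING=$(cat <<'EOF'
table ip vnat {
}
table ip myfilter {
    chain tcp_chain {
        ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
        limit rate 5/hour counter packets 0 bytes 0
    }
    chain udp_chain {
        ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
        limit rate 5/hour counter packets 0 bytes 0
    }
    chain myinput {
        type filter hook input priority 0; policy drop;
    }
}
EOF
)

# Report the rule count per chain; myinput comes out at 0 here.
for c in tcp_chain udp_chain myinput; do
    printf '%s: %s rule(s)\n' "$c" \
        "$(printf '%s\n' "$SAMPLE_LISTING" | count_chain_rules "$c")"
done
```

The threshold passed to `chain_has_at_least` should be the number of rules the script is expected to install in that chain, so that a partially loaded ruleset is caught as well as an empty one.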