[pkg-netfilter-team] Bug#1001360: Bug#1001360: nftables: nft returns "BUG: unsupported familynft: evaluate.c:2766..."
Jeremy Sowden
jeremy at azazel.net
Thu Dec 9 09:13:56 GMT 2021
On 2021-12-08, at 21:01:48 -0600, Bruce Link wrote:
> Package: nftables
> Version: 1.0.1-1
> Severity: normal
> Tags: upstream
>
> Dear Maintainer,
>
> * What led up to the situation?
> Running nft -f with the following configuration appears to trigger the bug. I've removed what I think are the non-relevant parts.
>
> table inet filter {
>     set netflix-ips {
>         type ipv4_addr;
>         flags interval;
>         elements = {
>             52.0.131.132,
>             23.221.228.214,
>             8.207.84.236,
>             54.204.25.0-54.204.25.16,
>             3.23.189.144-3.23.189.160,
>             34.195.253.0-34.195.253.128,
>         }
>     }
>
>     chain kill-kids-netflix {
>         ether saddr ba:db:ee:ff:5e:39 ip daddr @netflix-ips reject;
>     }
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
> Not applicable.
>
> * What was the outcome of this action?
> nft returns the following:
>
> ~$ sudo nft -f /etc/nftables.conf
> BUG: unsupported familynft: evaluate.c:2766: stmt_evaluate_reject_inet_family: Assertion `0' failed.
> Aborted
>
> * What outcome did you expect instead?
> nft to load the rules properly or complain about my often poor syntax.
The error reporting is unhelpful. :)
nft will only infer how to do the reject for the `ip` and `ip6`
families, but you are using the `inet` one. If you look for "REJECT
STATEMENT" in the nft man-page you will see it talks about using
'icmpx' codes for the 'inet' family. Change it to:
ether saddr ba:db:ee:ff:5e:39 ip daddr @netflix-ips reject with icmpx port-unreachable;
and it will work correctly.
nft could be a bit cleverer (or at least more informative) about this,
so I will speak to the Netfilter development team.
J.
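The distinction Jeremy draws (nft only infers the reject type for the `ip` and `ip6` families, while `inet` needs an explicit `with icmpx ...` or `with tcp reset`) is easy to lint for before a ruleset reaches `nft -f`. The script below is an added example, not code from the bug report, from Jeremy's reply, or from the nftables project: it scans a ruleset file with awk and flags any `reject` statement inside a `table inet` block that has no `with` clause, so a bare `reject;` in an `inet` table is caught before it trips the assertion. It assumes the file is laid out the way `nft list ruleset` prints it (one `table FAMILY NAME {` per line, braces balanced per block) and is a text heuristic rather than a parse of nft's grammar; the two sample rulesets it writes are constructed for the demo, one reproducing the reported form and one carrying the corrected rule plus an `ip`-family table whose bare `reject` is legitimately left alone.

```shell
#!/bin/sh
# lint_inet_reject FILE
# Prints "FILE:LINE: <statement>" for every reject in an inet table that
# lacks an explicit "with ..." clause. Exit status 0 if nothing was flagged,
# 1 otherwise. (Added example; heuristic text scan, not an nft parser.)
lint_inet_reject() {
    awk -v file="$1" '
        {
            # Entering a top-level table: remember its address family.
            if (depth == 0 && $1 == "table" && NF >= 2) family = $2
            # Inside an inet table, "reject" followed directly by ";" or
            # end of line has no "with" clause; "reject with icmpx ..." and
            # "reject with tcp reset" do not match this pattern.
            if (family == "inet" && depth > 0 &&
                $0 ~ /(^|[ \t])reject[ \t]*(;|$)/) {
                printf "%s:%d: %s\n", file, NR, $0
                hits++
            }
            # Track brace depth so we know when the current table ends.
            tmp = $0
            depth += gsub(/[{]/, "{", tmp)
            depth -= gsub(/[}]/, "}", tmp)
            if (depth <= 0) { depth = 0; family = "" }
        }
        END { exit hits > 0 ? 1 : 0 }
    ' "$1"
}

# make_sample_rulesets DIR
# Writes two constructed rulesets: broken.nft mirrors the reported form,
# fixed.nft carries the corrected rule and an ip-family table whose bare
# reject is fine (nft infers icmp there, so the lint must not flag it).
make_sample_rulesets() {
    cat > "$1/broken.nft" <<'EOF'
table inet filter {
    set netflix-ips {
        type ipv4_addr;
        flags interval;
        elements = { 52.0.131.132, 54.204.25.0-54.204.25.16 }
    }
    chain kill-kids-netflix {
        type filter hook forward priority 0; policy accept;
        ether saddr ba:db:ee:ff:5e:39 ip daddr @netflix-ips reject;
    }
}
EOF
    cat > "$1/fixed.nft" <<'EOF'
table inet filter {
    set netflix-ips {
        type ipv4_addr;
        flags interval;
        elements = { 52.0.131.132, 54.204.25.0-54.204.25.16 }
    }
    chain kill-kids-netflix {
        type filter hook forward priority 0; policy accept;
        ether saddr ba:db:ee:ff:5e:39 ip daddr @netflix-ips reject with icmpx port-unreachable;
    }
}
table ip legacy {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 23 reject;
    }
}
EOF
}

# Stand-alone demo: lint both constructed files and report the result.
demo() {
    dir=$(mktemp -d)
    make_sample_rulesets "$dir"
    for f in "$dir/broken.nft" "$dir/fixed.nft"; do
        if lint_inet_reject "$f"; then
            echo "$f: no bare inet reject found"
        fi
    done
    rm -rf "$dir"
}
demo
```

Run it on a real file with `lint_inet_reject /etc/nftables.conf` before `nft -f`; a non-zero exit means at least one `inet` reject still needs its `with icmpx port-unreachable` (or `with tcp reset`) spelled out.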