[pkg-netfilter-team] Bug#1012025: nftables.conf: trying to import nftables.conf and get unexpected meta or ip6 when trying to start

Tim McConnell tmcconnell168 at gmail.com
Sun May 29 00:00:52 BST 2022


Package: nftables
Version: 1.0.2-1
Severity: important
File: nftables.conf
Tags: ipv6
X-Debbugs-Cc: tmcconnell168 at gmail.com

Dear Maintainer,

What led up to the situation?
Trying to configure and enable nftables to stop ip6 neighbor discovery packets
from being rejected by VPN

What exactly did you do (or not do) that was effective (or ineffective)?
Attempted to use workstation.nft in the examples folder and looked for documentation on the web. I couldn't find anything newer than 2014, and asked on Debian Forums and Linuxquestions.org.

What was the outcome of this action?
Attempted to run 'sudo systemctl start nftables.service' and received this error:
Job for nftables.service failed because the control process exited with error code.
See "systemctl status nftables.service" and "journalctl -xeu nftables.service" for details.
tmick at DebianTim:~/recap$ sudo systemctl status nftables.service
× nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2022-05-28 16:39:05 CDT; 7s ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 1704177 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
   Main PID: 1704177 (code=exited, status=1/FAILURE)
        CPU: 24ms

May 28 16:39:05 DebianTim nft[1704177]:
^^^^^^
May 28 16:39:05 DebianTim nft[1704177]: /etc/nftables.conf:18:3-6: Error: syntax error, unexpected meta
May 28 16:39:05 DebianTim nft[1704177]:                 meta nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too>
May 28 16:39:05 DebianTim nft[1704177]:                 ^^^^
May 28 16:39:05 DebianTim nft[1704177]: /etc/nftables.conf:19:8-12: Error: syntax error, unexpected saddr, expecting string
May 28 16:39:05 DebianTim nft[1704177]:                 ipv6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 15>
May 28 16:39:05 DebianTim nft[1704177]:                      ^^^^^
May 28 16:39:05 DebianTim systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
May 28 16:39:05 DebianTim systemd[1]: nftables.service: Failed with result 'exit-code'.
May 28 16:39:05 DebianTim systemd[1]: Failed to start nftables.
I've tried other methods, such as inet etc., and still get this type of error.

What outcome did you expect instead?
For the documentation to be clear enough for this not to be a problem, and for nftables to be able to add this filter.


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-rt-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  libc6         2.33-7
ii  libedit2      3.1-20210910-1
ii  libnftables1  1.0.2-1

Versions of packages nftables recommends:
ii  netbase  6.3

Versions of packages nftables suggests:
pn  firewalld  <none>

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
table enp1s0 filter {
chain base_checks {
        # Drop invalid connections and allow established/related connections
                ct state invalid drop
                ct state {established, related} accept
    }
    
        chain input {
                type filter hook input priority 0; policy drop;
		meta nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		ipv6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
        jump base_checks
        # Allow from loopback
                iifname lo accept
        iifname != lo ip daddr 127.0.0.0/32 drop
        # New UDP traffic will jump to the UDP chain
                ip protocol udp ct state new jump UDP
        # New TCP traffic will jump to the TCP chain
                tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
        # Everything else
                ip protocol udp reject
                ip protocol tcp reject with tcp reset
        reject with icmpx type port-unreachable
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
        } 
        chain output {
                type filter hook output priority 0; policy accept;
        }
		
		# count and drop any other traffic
		counter enp1s0{}
		##CHAIN RULES
    # TCP chain
    set TCP_accepted {
        type inet_service; flags interval; 
        elements = {1714-1764}
    }
        chain TCP {
        tcp dport @TCP_accepted accept
        } 
    # UDP chain
    set UDP_accepted {
        type inet_service; flags interval;
         elements = {1714-1764}
    }
        chain UDP {
        udp dport @UDP_accepted accept
        }
}


-- no debconf information

