[pkg-netfilter-team] Bug#1012025: nftables.conf: trying to import nftables.conf and get unexpected meta or ip6 when trying to start
Arturo Borrero Gonzalez
arturo at debian.org
Sun May 29 08:30:15 BST 2022
On Sun, May 29, 2022, 01:03 Tim McConnell <tmcconnell168 at gmail.com> wrote:
> Package: nftables
> Version: 1.0.2-1
> Severity: important
> File: nftables.conf
> Tags: ipv6
> X-Debbugs-Cc: tmcconnell168 at gmail.com
>
> Dear Maintainer,
>
> What led up to the situation?
> Trying to configure and enable nftables to stop ip6 neighbor discovery
> packets
> from being rejected by VPN
>
> What exactly did you do (or not do) that was effective (or
> ineffective)? Attempted to use workstation.nft in examples folder and
> looked for documentation on the web. I couldn't find anything newer than
> 2014
> and asked on Debian Forums and Linuxquestions.org
>
> What was the outcome of this action?
> Attempt to run 'sudo systemctl start nftables.service' and receive this
> error:
> Job for nftables.service failed because the control process exited with
> error
> code.
> See "systemctl status nftables.service" and "journalctl -xeu
> nftables.service"
> for details.
> tmick at DebianTim:~/recap$ sudo systemctl status nftables.service
> × nftables.service - nftables
> Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor
> preset: enabled)
> Active: failed (Result: exit-code) since Sat 2022-05-28 16:39:05 CDT;
> 7s
> ago
> Docs: man:nft(8)
> http://wiki.nftables.org
> Process: 1704177 ExecStart=/usr/sbin/nft -f /etc/nftables.conf
> (code=exited, status=1/FAILURE)
> Main PID: 1704177 (code=exited, status=1/FAILURE)
> CPU: 24ms
>
> May 28 16:39:05 DebianTim nft[1704177]:
> ^^^^^^
> May 28 16:39:05 DebianTim nft[1704177]: /etc/nftables.conf:18:3-6: Error:
> syntax error, unexpected meta
> May 28 16:39:05 DebianTim nft[1704177]: meta nexthdr ipv6
> icmpv6 type { destination-unreachable, packet-too>
> May 28 16:39:05 DebianTim nft[1704177]: ^^^^
> May 28 16:39:05 DebianTim nft[1704177]: /etc/nftables.conf:19:8-12: Error:
> syntax error, unexpected saddr, expecting string
> May 28 16:39:05 DebianTim nft[1704177]: ipv6 saddr
> fe80::/10
> icmpv6 type { 130, 131, 132, 134, 143, 151, 15>
> May 28 16:39:05 DebianTim nft[1704177]: ^^^^^
> May 28 16:39:05 DebianTim systemd[1]: nftables.service: Main process
> exited,
> code=exited, status=1/FAILURE
> May 28 16:39:05 DebianTim systemd[1]: nftables.service: Failed with result
> 'exit-code'.
> May 28 16:39:05 DebianTim systemd[1]: Failed to start nftables.
> I've tried other methods as inet etc and still get this type of error.
>
> What outcome did you expect instead? For documentation to be clear enough
> for
> this not to be a problem and the nftables to be able to add this filter.
>
>
> -- System Information:
> Debian Release: bookworm/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.17.0-1-rt-amd64 (SMP w/2 CPU threads; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE
> not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages nftables depends on:
> ii libc6 2.33-7
> ii libedit2 3.1-20210910-1
> ii libnftables1 1.0.2-1
>
> Versions of packages nftables recommends:
> ii netbase 6.3
>
> Versions of packages nftables suggests:
> pn firewalld <none>
>
> -- Configuration Files:
> /etc/nftables.conf changed:
> flush ruleset
> table enp1s0 filter {
>
This table declaration is missing family specification, which defaults to
IPv4. I think you cannot use IPv6 stuff in v4 tables.
I think you may want to use a table in the 'inet' family, which is
dual-stack, and should accept both IPv4 and IPv6 stuff.
> chain base_checks {
> # Drop invalid connections and allow established/related
> connections
> ct state invalid drop
> ct state {established, related} accept
> }
>
> chain input {
> type filter hook input priority 0; policy drop;
> meta nexthdr ipv6 icmpv6 type { destination-unreachable,
> packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request,
> nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
> nd-neighbor-advert, 148, 149 } accept
> ipv6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134,
> 143, 151, 152, 153 } accept
> jump base_checks
> # Allow from loopback
> iifname lo accept
> iifname != lo ip daddr 127.0.0.0/32 drop
> # New UDP traffic will jump to the UDP chain
> ip protocol udp ct state new jump UDP
> # New TCP traffic will jump to the TCP chain
> tcp flags & (fin | syn | rst | ack) == syn ct state new
> jump TCP
> # Everything else
> ip protocol udp reject
> ip protocol tcp reject with tcp reset
> reject with icmpx type port-unreachable
> }
> chain forward {
> type filter hook forward priority 0; policy drop;
> }
> chain output {
> type filter hook output priority 0; policy accept;
> }
>
> # count and drop any other traffic
> counter enp1s0{}
> ##CHAIN RULES
> # TCP chain
> set TCP_accepted {
> type inet_service; flags interval;
> elements = {1714-1764}
> }
> chain TCP {
> tcp dport @TCP_accepted accept
> }
> # UDP chain
> set UDP_accepted {
> type inet_service; flags interval;
> elements = {1714-1764}
> }
> chain UDP {
> udp dport @UDP_accepted accept
> }
> }
>
>
> -- no debconf information
>