[pkg-netfilter-team] Bug#1012025: nftables.conf: trying to import nftables.conf and get unexpected meta or ip6 when trying to start

tmcconnell168 at gmail.com
Sun May 29 18:43:27 BST 2022


Hi Arturo, 
I changed that to inet and I had to change the line for my IPv6 to look
like this: 
		# ICMPv6 packets which must not be dropped, see
		# https://tools.ietf.org/html/rfc4890#section-4.4.1
		meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		#ipv6 saddr fe80::/10
		icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept

I'm not sure why I needed to comment out the local loopback in IPv6 but
it works now. I'll find out if the neighbor discovery packet quit
getting rejected now. 
Thanks for the help, 
Tim 

On Sun, 2022-05-29 at 09:30 +0200, Arturo Borrero Gonzalez wrote:
> 
> 
> On Sun, May 29, 2022, 01:03 Tim McConnell <tmcconnell168 at gmail.com>
> wrote:
> > Package: nftables
> > Version: 1.0.2-1
> > Severity: important
> > File: nftables.conf
> > Tags: ipv6
> > X-Debbugs-Cc: tmcconnell168 at gmail.com
> > 
> > Dear Maintainer,
> > 
> > What led up to the situation?
> > Trying to configure and enable nftables to stop ip6 neighbor
> > discovery packets
> > from being rejected by VPN
> > 
> > What exactly did you do (or not do) that was effective (or
> >      ineffective)? Attempted to use workstation.nft in the examples
> > folder and looked for documentation on the web. I couldn't find
> > anything newer than 2014 and asked on Debian Forums and
> > Linuxquestions.org
> > 
> > What was the outcome of this action?
> > Attempt to run 'sudo systemctl start nftables.service' and receive
> > this error:
> > Job for nftables.service failed because the control process exited
> > with error
> > code.
> > See "systemctl status nftables.service" and "journalctl -xeu
> > nftables.service"
> > for details.
> > tmick at DebianTim:~/recap$ sudo systemctl status nftables.service
> > × nftables.service - nftables
> >      Loaded: loaded (/lib/systemd/system/nftables.service; enabled;
> > vendor
> > preset: enabled)
> >      Active: failed (Result: exit-code) since Sat 2022-05-28
> > 16:39:05 CDT; 7s
> > ago
> >        Docs: man:nft(8)
> >              http://wiki.nftables.org
> >     Process: 1704177 ExecStart=/usr/sbin/nft -f /etc/nftables.conf
> > (code=exited, status=1/FAILURE)
> >    Main PID: 1704177 (code=exited, status=1/FAILURE)
> >         CPU: 24ms
> > 
> > May 28 16:39:05 DebianTim nft[1704177]:
> > ^^^^^^
> > May 28 16:39:05 DebianTim nft[1704177]: /etc/nftables.conf:18:3-6:
> > Error:
> > syntax error, unexpected meta
> > May 28 16:39:05 DebianTim nft[1704177]:                 meta
> > nexthdr ipv6
> > icmpv6 type { destination-unreachable, packet-too>
> > May 28 16:39:05 DebianTim nft[1704177]:                 ^^^^
> > May 28 16:39:05 DebianTim nft[1704177]: /etc/nftables.conf:19:8-12:
> > Error:
> > syntax error, unexpected saddr, expecting string
> > May 28 16:39:05 DebianTim nft[1704177]:                 ipv6 saddr
> > fe80::/10
> > icmpv6 type { 130, 131, 132, 134, 143, 151, 15>
> > May 28 16:39:05 DebianTim nft[1704177]:                      ^^^^^
> > May 28 16:39:05 DebianTim systemd[1]: nftables.service: Main
> > process exited,
> > code=exited, status=1/FAILURE
> > May 28 16:39:05 DebianTim systemd[1]: nftables.service: Failed with
> > result
> > 'exit-code'.
> > May 28 16:39:05 DebianTim systemd[1]: Failed to start nftables.
> > I've tried other methods such as inet, etc., and still get this type
> > of error.
> > 
> > What outcome did you expect instead? For documentation to be clear
> > enough for
> > this not to be a problem and the nftables to be able to add this
> > filter.
> > 
> > 
> > -- System Information:
> > Debian Release: bookworm/sid
> >   APT prefers testing
> >   APT policy: (500, 'testing')
> > Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> > 
> > Kernel: Linux 5.17.0-1-rt-amd64 (SMP w/2 CPU threads; PREEMPT)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> > LANGUAGE not set
> > Shell: /bin/sh linked to /usr/bin/dash
> > Init: systemd (via /run/systemd/system)
> > LSM: AppArmor: enabled
> > 
> > Versions of packages nftables depends on:
> > ii  libc6         2.33-7
> > ii  libedit2      3.1-20210910-1
> > ii  libnftables1  1.0.2-1
> > 
> > Versions of packages nftables recommends:
> > ii  netbase  6.3
> > 
> > Versions of packages nftables suggests:
> > pn  firewalld  <none>
> > 
> > -- Configuration Files:
> > /etc/nftables.conf changed:
> > flush ruleset
> > table enp1s0 filter {
> 
> This table declaration is missing the family specification, which
> defaults to IPv4. I think you cannot use IPv6 stuff in v4 tables.
> 
> I think you may want to use a table in the 'inet' family, which is
> dual-stack, and should accept both IPv4 and IPv6 stuff.
> 
> 
> 
> 
> > chain base_checks {
> >         # Drop invalid connections and allow established/related
> > connections
> >                 ct state invalid drop
> >                 ct state {established, related} accept
> >     }
> > 
> >         chain input {
> >                 type filter hook input priority 0; policy drop;
> >                 meta nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
> >                 ipv6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
> >         jump base_checks
> >         # Allow from loopback
> >                 iifname lo accept
> >         iifname != lo ip daddr 127.0.0.0/32 drop
> >         # New UDP traffic will jump to the UDP chain
> >                 ip protocol udp ct state new jump UDP
> >         # New TCP traffic will jump to the TCP chain
> >                 tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
> >         # Everything else
> >                 ip protocol udp reject
> >                 ip protocol tcp reject with tcp reset
> >         reject with icmpx type port-unreachable
> >         }
> >         chain forward {
> >                 type filter hook forward priority 0; policy drop;
> >         } 
> >         chain output {
> >                 type filter hook output priority 0; policy accept;
> >         }
> > 
> >                 # count and drop any other traffic
> >                 counter enp1s0{}
> >                 ##CHAIN RULES
> >     # TCP chain
> >     set TCP_accepted {
> >         type inet_service; flags interval; 
> >         elements = {1714-1764}
> >     }
> >         chain TCP {
> >         tcp dport @TCP_accepted accept
> >         } 
> >     # UDP chain
> >     set UDP_accepted {
> >         type inet_service; flags interval;
> >          elements = {1714-1764}
> >     }
> >         chain UDP {
> >         udp dport @UDP_accepted accept
> >         }
> > }
> > 
> > 
> > -- no debconf information