[pkg-netfilter-team] Bug#1012025: nftables: type 134 is still being rejected
Tim McConnell
tmcconnell168 at gmail.com
Tue May 31 20:27:56 BST 2022
Package: nftables
Version: 1.0.2-1
Followup-For: Bug #1012025
X-Debbugs-Cc: tmcconnell168 at gmail.com
Dear Maintainer,
*** Reporter, please consider answering these questions, where appropriate ***
* What led up to the situation? corrected .conf file as suggested
* What exactly did you do (or not do) that was effective (or
ineffective)? type 134 is still being rejected
* What was the outcome of this action? still rejecting ICMP type 134
* What outcome did you expect instead? not to get these messages:
May 31 12:02:07 DebianTim kernel: [95243.373348] FW6 REJECT (input): IN=enp1s0
OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd
SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255
FLOWLBL=87 PROTO=ICMPv6 TYPE=134 CODE=0
*** End of the template - remove these template lines ***
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.17.0-1-rt-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages nftables depends on:
ii libc6 2.33-7
ii libedit2 3.1-20210910-1
ii libnftables1 1.0.2-1
Versions of packages nftables recommends:
ii netbase 6.3
Versions of packages nftables suggests:
pn firewalld <none>
-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
table inet filter {
    chain base_checks {
        # Drop invalid connections and allow established/related connections
        ct state invalid drop
        ct state {established, related} accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
        icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
        jump base_checks
        # Allow from loopback
        iifname lo accept
        iifname != lo ip daddr 127.0.0.0/8 drop
        # New UDP traffic will jump to the UDP chain
        ip protocol udp ct state new jump UDP
        # New TCP traffic will jump to the TCP chain
        tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
        # Everything else
        ip protocol udp reject
        ip protocol tcp reject with tcp reset
        reject with icmpx type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    # count and drop any other traffic
    counter enp1s0{}
    ##CHAIN RULES
    # TCP chain
    set TCP_accepted {
        type inet_service; flags interval;
        elements = {1714-1764}
    }
    chain TCP {
        tcp dport @TCP_accepted accept
    }
    # UDP chain
    set UDP_accepted {
        type inet_service; flags interval;
        elements = {1714-1764}
    }
    chain UDP {
        udp dport @UDP_accepted accept
    }
}
-- no debconf information
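An added check, not part of the bug report and not code from the nftables project: the script below parses a kernel netfilter log line of the kind quoted above into its KEY=VALUE fields, parses the `icmpv6 type { ... } accept` rules from the posted configuration into numeric type sets, and reports whether the logged ICMPv6 type falls inside them. The function names, the re-joined one-line copy of the quoted message and the small name-to-number table (transcribed from the nftables symbolic names used in the rule, with RFC 4443/4861 values) are all this example's own. Running it on the report's data shows that type 134 (nd-router-advert) is listed in both accept rules, while the posted /etc/nftables.conf contains no `log` statement at all, so the "FW6 REJECT" message must be produced by a rule that is not in the file shown; comparing against `nft list ruleset`, which prints the ruleset actually loaded in the kernel, is the next thing to check.

```python
import re

# nftables symbolic ICMPv6 type names that appear in the posted rule, with the
# numeric values from RFC 4443 (1-4, 128-129) and RFC 4861 (133-136).
# Numeric entries in a set are passed through unchanged.
ICMPV6_TYPE_NAMES = {
    "destination-unreachable": 1,
    "packet-too-big": 2,
    "time-exceeded": 3,
    "parameter-problem": 4,
    "echo-request": 128,
    "echo-reply": 129,
    "nd-router-solicit": 133,
    "nd-router-advert": 134,
    "nd-neighbor-solicit": 135,
    "nd-neighbor-advert": 136,
}
ICMPV6_TYPE_NUMBERS = {v: k for k, v in ICMPV6_TYPE_NAMES.items()}

KV_RE = re.compile(r"(\w+)=(\S*)")
# Log prefix sits between the kernel timestamp and the first IN= field.
PREFIX_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(.*?)\s*IN=")


def parse_nflog(line):
    """Parse one kernel netfilter log line into a dict of its fields.

    The log prefix is returned under 'prefix'. Empty values such as OUT=
    are kept as empty strings so a caller can tell 'absent' from 'empty'.
    """
    m = PREFIX_RE.search(line)
    prefix = m.group(1) if m else ""
    start = line.find("IN=")
    fields = dict(KV_RE.findall(line[start:])) if start >= 0 else {}
    fields["prefix"] = prefix
    return fields


def accepted_icmpv6_types(rule):
    """Return the numeric ICMPv6 types accepted by one nftables rule of the
    form 'icmpv6 type { a, b, 134 } accept' (leading matches such as
    'meta nfproto ipv6' are tolerated). An unknown symbolic name raises
    ValueError so that a typo in a rule is noticed rather than ignored."""
    m = re.search(r"icmpv6\s+type\s*\{([^}]*)\}\s*accept", rule)
    if not m:
        return set()
    types = set()
    for tok in m.group(1).split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok.isdigit():
            types.add(int(tok))
        elif tok in ICMPV6_TYPE_NAMES:
            types.add(ICMPV6_TYPE_NAMES[tok])
        else:
            raise ValueError(f"unknown ICMPv6 type name in rule: {tok!r}")
    return types


def check_logged_packet(line, rules):
    """For an ICMPv6 log line return (type_number, type_name, accepted),
    where accepted is True when any of the given rules accepts that type.
    Lines that are not ICMPv6 return None."""
    f = parse_nflog(line)
    if f.get("PROTO") != "ICMPv6" or "TYPE" not in f:
        return None
    t = int(f["TYPE"])
    accepted = any(t in accepted_icmpv6_types(r) for r in rules)
    return t, ICMPV6_TYPE_NUMBERS.get(t, "unknown"), accepted


# Constructed input: the report's kernel message re-joined onto one line, and
# the two icmpv6 accept rules copied from the posted /etc/nftables.conf.
REPORT_LINE = (
    "May 31 12:02:07 DebianTim kernel: [95243.373348] FW6 REJECT (input): "
    "IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd "
    "SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 "
    "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 "
    "FLOWLBL=87 PROTO=ICMPv6 TYPE=134 CODE=0"
)
REPORT_RULES = [
    "meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, "
    "time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, "
    "nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept",
    "icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept",
]

if __name__ == "__main__":
    fields = parse_nflog(REPORT_LINE)
    print("log prefix:", fields["prefix"], "| PROTO:", fields["PROTO"], "| TYPE:", fields["TYPE"])
    print("type, name, accepted by posted rules:", check_logged_packet(REPORT_LINE, REPORT_RULES))
```

Feeding the script a whole journal extract instead of the single quoted line (one call to check_logged_packet per line) turns it into a quick audit of which logged ICMPv6 types the written configuration claims to accept, which is the comparison that isolates a mismatch between the file on disk and the rules that are really in effect.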