[pkg-netfilter-team] Bug#1012025: nftables: type 134 is still being rejected

Tim McConnell tmcconnell168 at gmail.com
Tue May 31 20:27:56 BST 2022


Package: nftables
Version: 1.0.2-1
Followup-For: Bug #1012025
X-Debbugs-Cc: tmcconnell168 at gmail.com

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation? corrected .conf file as suggested
   * What exactly did you do (or not do) that was effective (or
     ineffective)? type 134 is still being rejected
   * What was the outcome of this action? still rejecting ICMP type 134
   * What outcome did you expect instead? not to get these messages:
May 31 12:02:07 DebianTim kernel: [95243.373348] FW6 REJECT (input): IN=enp1s0
OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd
SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8
DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255
FLOWLBL=87 PROTO=ICMPv6 TYPE=134 CODE=0

*** End of the template - remove these template lines ***


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-rt-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  libc6         2.33-7
ii  libedit2      3.1-20210910-1
ii  libnftables1  1.0.2-1

Versions of packages nftables recommends:
ii  netbase  6.3

Versions of packages nftables suggests:
pn  firewalld  <none>

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
table inet filter {
    chain base_checks {
        # Drop invalid connections and allow established/related connections
        ct state invalid drop
        ct state {established, related} accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
        icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
        jump base_checks
        # Allow from loopback
        iifname lo accept
        iifname != lo ip daddr 127.0.0.0/8 drop
        # New UDP traffic will jump to the UDP chain
        ip protocol udp ct state new jump UDP
        # New TCP traffic will jump to the TCP chain
        tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
        # Everything else
        ip protocol udp reject
        ip protocol tcp reject with tcp reset
        reject with icmpx type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    # count and drop any other traffic
    counter enp1s0{}
    ##CHAIN RULES
    # TCP chain
    set TCP_accepted {
        type inet_service; flags interval;
        elements = {1714-1764}
    }
    chain TCP {
        tcp dport @TCP_accepted accept
    }
    # UDP chain
    set UDP_accepted {
        type inet_service; flags interval;
        elements = {1714-1764}
    }
    chain UDP {
        udp dport @UDP_accepted accept
    }
}


-- no debconf information
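A small triage helper, added here as an example and not part of the bug report: it parses the kernel log line quoted above and checks the logged ICMPv6 type against the two icmpv6 accept rules in the posted ruleset, mapping the nftables type keywords to their numbers. For this line both accept rules cover type 134, and the ruleset as posted contains no log rule that would emit the "FW6 REJECT (input)" prefix, so the next step when triaging is to confirm with `nft list ruleset` which rule actually produced the message.

```python
import re

# nftables ICMPv6 type keywords used in the posted ruleset -> type numbers
ICMPV6_TYPE_NAMES = {
    "destination-unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
    "nd-router-solicit": 133, "nd-router-advert": 134,
    "nd-neighbor-solicit": 135, "nd-neighbor-advert": 136,
}
# The two icmpv6 accept rules, copied from the reporter's /etc/nftables.conf
RULES = [
    "meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, "
    "time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, "
    "nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept",
    "icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept",
]
# The kernel log line from the report, re-joined onto one line
LOG_LINE = ("FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd "
            "SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 "
            "DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 "
            "FLOWLBL=87 PROTO=ICMPv6 TYPE=134 CODE=0")


def accepted_icmpv6_types(rule):
    """Set of ICMPv6 type numbers matched by an 'icmpv6 type { ... } accept' rule."""
    m = re.search(r"icmpv6 type \{([^}]*)\}\s+accept", rule)
    if not m:
        return set()
    types = set()
    for item in m.group(1).split(","):
        item = item.strip()
        types.add(int(item) if item.isdigit() else ICMPV6_TYPE_NAMES[item])
    return types


def parse_nf_log(line):
    """Split a netfilter log line into its prefix and a dict of KEY=VALUE fields."""
    prefix, _, rest = line.partition(": ")
    fields = dict(re.findall(r"(\w+)=(\S*)", rest))
    # MAC= carries dst MAC (6 bytes) + src MAC (6) + ethertype (2); 86dd means IPv6
    mac = fields.get("MAC", "").split(":")
    fields["ETHERTYPE"] = "".join(mac[12:14]) if len(mac) == 14 else ""
    return prefix, fields


def rules_matching(line, rules=RULES):
    """Indices of the accept rules whose type set covers the logged ICMPv6 type."""
    _, fields = parse_nf_log(line)
    if fields.get("PROTO") != "ICMPv6":
        return []
    logged_type = int(fields["TYPE"])
    return [i for i, r in enumerate(rules) if logged_type in accepted_icmpv6_types(r)]
```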
