Gentoo Forums
nftables starting trouble [abandoned]
josephg
PostPosted: Thu Jun 15, 2017 4:54 pm    Post subject: nftables starting trouble [abandoned]

I'm having some starting trouble migrating from iptables to nftables following the wiki.

these rules are from http://wiki.gentoo.org/wiki/nftables/Examples#Typical_workstation_.28separate_IPv4_and_IPv6.29
Code:
$ cat /etc/conf.d/nftables.rules
#!/sbin/nft -f

flush ruleset

# filter
table ip filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "drop invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                iifname lo accept comment "accept loopback"
                iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all icmp types"
                tcp dport 22 counter accept comment "accept ssh"
                counter comment "count dropped packets"
        }

        chain output {
                type filter hook output priority 0; policy accept;
                counter comment "count accepted packets"
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
}


Code:
# nft list tables
# nft -f /etc/conf.d/nftables.rules
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Operation not supported
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Protocol wrong type for socket
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Protocol wrong type for socket
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
# nft list tables
#


Last edited by josephg on Sat Jun 17, 2017 8:53 pm; edited 5 times in total
josephg
PostPosted: Thu Jun 15, 2017 4:55 pm

** deleted **

Last edited by josephg on Sat Jun 17, 2017 9:26 pm; edited 4 times in total
Ant P.
PostPosted: Fri Jun 16, 2017 2:57 am

/var/lib/nftables/rules-save is the correct location if using OpenRC.
josephg
PostPosted: Fri Jun 16, 2017 7:29 am

Ant P. wrote:
/var/lib/nftables/rules-save is the correct location if using OpenRC.

Code:
# cat /var/lib/nftables/rules-save
#

Nothing there, presumably because I cannot configure nft as in my first post. I get errors trying the rules from the Gentoo wiki sample config. What am I missing?


Last edited by josephg on Fri Jun 16, 2017 11:27 pm; edited 2 times in total
Ant P.
PostPosted: Fri Jun 16, 2017 4:37 pm

Are you expecting something to load "/etc/conf.d/nftables.rules" automatically? Have you pointed the init script at that file or manually saved after running it? There are no references to that path in the init script, the corresponding conf.d file or the libexec script it calls.
josephg
PostPosted: Fri Jun 16, 2017 4:58 pm

Ant P. wrote:
Are you expecting something to load "/etc/conf.d/nftables.rules" automatically? Have you pointed the init script at that file or manually saved after running it? There's no references to that path in the init script, the corresponding conf.d file or the libexec script it calls.

I'm loading the rules manually, but they don't load because of errors. See my first post.


Last edited by josephg on Sat Jun 17, 2017 8:59 pm; edited 3 times in total
Ant P.
PostPosted: Fri Jun 16, 2017 5:30 pm

What does the initscript output when you run the save command?
josephg
PostPosted: Fri Jun 16, 2017 5:45 pm

Ant P. wrote:
What does the initscript output when you run the save command?

Code:
$ sudo service nftables save
 * Saving nftables state ...

The ruleset is empty. There is nothing to save, as my rules seem to have errors and aren't loaded. See the OP.


Last edited by josephg on Sat Jun 17, 2017 9:02 pm; edited 3 times in total
josephg
PostPosted: Fri Jun 16, 2017 5:49 pm

What am I supposed to do with this file?
Code:
$ cat /etc/conf.d/nftables.rules
#!/sbin/nft -f

flush ruleset

# filter
table ip filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "drop invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                iifname lo accept comment "accept loopback"
                iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all icmp types"
                tcp dport 22 counter accept comment "accept ssh"
                counter comment "count dropped packets"
        }

        chain output {
                type filter hook output priority 0; policy accept;
                counter comment "count accepted packets"
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
}
Ant P.
PostPosted: Fri Jun 16, 2017 5:57 pm

Put it in /var/lib/nftables/rules-save, or fix /etc/conf.d/nftables.
josephg
PostPosted: Fri Jun 16, 2017 6:17 pm

Ant P. wrote:
Put it in /var/lib/nftables/rules-save, or fix /etc/conf.d/nftables.

I copied /etc/conf.d/nftables.rules to /var/lib/nftables/rules-save, and got errors when I restart the nftables service. Same errors as when I run nft -f /etc/conf.d/nftables.rules, as in my first post above. I must be missing something critical.

What can I fix in this file?
Code:
$ cat /etc/conf.d/nftables
# /etc/conf.d/nftables

# Location in which nftables initscript will save set rules on
# service shutdown
NFTABLES_SAVE="/var/lib/nftables/rules-save"

# Options to pass to nft on save
SAVE_OPTIONS="-n"

# Save state on stopping nftables
SAVE_ON_STOP="yes"

# If you need to log nftables messages as soon as nftables starts,
# AND your logger does NOT depend on the network, then you may wish
# to uncomment the next line.
# If your logger depends on the network, and you uncomment this line
# you will create an unresolvable circular dependency during startup.
# After commenting or uncommenting this line, you must run 'rc-update -u'.
#rc_use="logger"
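The two fixes Ant P. suggests (put the file at /var/lib/nftables/rules-save, or change NFTABLES_SAVE in /etc/conf.d/nftables) both end with the OpenRC service restoring whatever sits at that path at boot, so a file that nft cannot load leaves the box with no ruleset. The script below is an added example, not the thread's or Gentoo's own code: it reads NFTABLES_SAVE from the conf.d file shown above, runs the candidate through nft's -c (check) mode, and only then installs it atomically with root-only permissions. The function names, the NFT override variable and the fallback default path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or the Gentoo init script.
# Validate a candidate nft ruleset before it becomes the file the OpenRC
# service restores from (NFTABLES_SAVE in /etc/conf.d/nftables), so a file
# that fails to parse, or needs kernel support you do not have, is never
# installed as the boot-time ruleset. NFT can be overridden (NFT=true) to
# exercise the install logic on a machine without nft.

: "${NFT:=nft}"

# Read NFTABLES_SAVE from an OpenRC conf.d file without sourcing it (the file
# is shell, but executing root-owned config just to read one value is not
# something to do casually). Falls back to the Gentoo default when absent.
nftables_save_path() {
    path=$(sed -n 's/^NFTABLES_SAVE="\([^"]*\)"/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${path:-/var/lib/nftables/rules-save}"
}

# Usage: install_ruleset <candidate rules file> <conf.d file>
# Returns 0 and installs the file on success; returns 1 and leaves the
# existing saved ruleset untouched when the check fails.
install_ruleset() {
    candidate=$1
    target=$(nftables_save_path "$2")
    # nft -c parses and evaluates the file without committing anything.
    if ! "$NFT" -c -f "$candidate"; then
        printf 'refusing to install %s: nft check failed\n' "$candidate" >&2
        return 1
    fi
    # Write to a temp file in the same directory and rename, so a crash or a
    # concurrent read never sees a half-written ruleset. Mode 0600: only root
    # should be able to read or change what the firewall loads at boot.
    dir=$(dirname "$target")
    mkdir -p "$dir"
    tmp=$(mktemp "$dir/.rules-save.XXXXXX")
    cp "$candidate" "$tmp"
    chmod 0600 "$tmp"
    mv -f "$tmp" "$target"
}

# Stand-alone usage: sh nft-install.sh /etc/conf.d/nftables.rules /etc/conf.d/nftables
if [ "$#" -eq 2 ]; then
    install_ruleset "$1" "$2"
fi
```

After a successful install, `rc-service nftables start` (or `restart`) loads the file the same way boot will, which is the real test; a ruleset that passes `nft -c` on one kernel can still fail on another that lacks the expressions it uses.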
josephg
PostPosted: Fri Jun 16, 2017 11:34 pm

Code:
$ sudo cat /etc/conf.d/nftables.rules
#!/sbin/nft -f

flush ruleset

## filter
table ip filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "drop invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                iifname lo accept comment "accept loopback"
                iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all icmp types"
                tcp dport 22 counter accept comment "accept ssh"
                counter comment "count dropped packets"
        }

        chain output {
                type filter hook output priority 0; policy accept;
                counter comment "count accepted packets"
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
}

Code:
$ sudo nft -f /etc/conf.d/nftables.rules
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Operation not supported
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^

Why am I getting these errors, and how do I fix them?
josephg
PostPosted: Sat Jun 17, 2017 7:56 pm

I seem to be getting closer. Is there nobody here who understands nftables?

Code:
# nft -f /etc/conf.d/nftables.rules
#

It works without errors if I comment out some of the lines. But now I seem to have no network :(
Code:
#!/sbin/nft -f

flush ruleset

## filter
table ip filter {
   chain input {
      type filter hook input priority 0; policy drop;
      ct state invalid counter drop comment "drop invalid packets"
#      ct state {established, related} counter accept comment "accept all connections related to connections made by us"
#      iifname lo accept comment "accept loopback"
#      iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
#      ip protocol icmp counter accept comment "accept all icmp types"
#      tcp dport 22 counter accept comment "accept ssh"
      counter comment "count dropped packets"
   }

   chain output {
      type filter hook output priority 0; policy accept;
      counter comment "count accepted packets"
   }

   chain forward {
      type filter hook forward priority 0; policy drop;
      counter comment "count dropped packets"
   }
}
josephg
PostPosted: Sat Jun 17, 2017 8:51 pm

I'm going back to iptables. Had enough of nftables :( I think there's something not quite right in gentoo-sources or my .config.
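The pattern in the thread is the one the last post guesses at: the table parses, the cut-down file with only `ct state invalid counter drop` and a bare `counter` loads, and every rule that uses `iifname`, a `{ ... }` set or a payload match is rejected with "Operation not supported" or "No such file or directory". Those strings are errno values the kernel returns when nft asks it to instantiate an expression it was not built with, so the kernel config is the place to look before touching the rules. The script below is an added example, not code from the thread or the Gentoo wiki: it maps the expressions in a ruleset to the Kconfig symbols that implement them and reports which ones a given config leaves unset. The expression-to-symbol table is an assumption for a 4.x kernel of 2017 vintage (later kernels folded NFT_META and NFT_SET_HASH into NF_TABLES), so verify the names against net/netfilter/Kconfig in your sources; the function names are this example's own. It also counts live accept rules, which is what the "no network" ruleset above has zero of.

```shell
#!/bin/sh
# Added example, not code from the thread or the Gentoo wiki.
# Map the expressions an nft ruleset uses to the kernel Kconfig symbols that
# implement them and report the symbols a given kernel config leaves unset.
# The table below is an assumption for a 2017-era 4.x kernel; later kernels
# folded NFT_META and NFT_SET_HASH into NF_TABLES. Check net/netfilter/Kconfig.

# Rows: <ERE matched against live rule lines>;<Kconfig symbol>;<what it provides>
nft_requirements() {
    cat <<'EOF'
^[[:space:]]*table ;NF_TABLES;nf_tables core
^[[:space:]]*table ip ;NF_TABLES_IPV4;ip-family tables
ct state;NFT_CT;ct expression (conntrack state matching)
counter;NFT_COUNTER;counter expression
iifname|oifname|meta ;NFT_META;meta expressions (iifname, oifname, ...)
[{][^}]*[}];NFT_SET_HASH;anonymous sets such as { established, related }
EOF
}

# Rule lines with comment lines (and the #!/sbin/nft shebang) stripped.
active_rules() {
    grep -v -E '^[[:space:]]*#' "$1"
}

# Plain-text view of a kernel config: /proc/config.gz (needs IKCONFIG_PROC),
# a saved .config, or a gzipped copy of one.
read_kconfig() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Usage: missing_kernel_options <kernel config> <nft ruleset file>
# Prints "<symbol><tab><description>" for every expression the ruleset uses
# whose symbol is neither =y nor =m in the config. No output means the
# config covers everything the ruleset needs.
missing_kernel_options() {
    cfg=$1
    rules=$2
    nft_requirements | while IFS=';' read -r pat sym desc; do
        # Skip symbols for expressions this ruleset does not use at all.
        active_rules "$rules" | grep -q -E -- "$pat" || continue
        # "# CONFIG_X is not set" and a missing line both mean unsupported.
        if ! read_kconfig "$cfg" | grep -q -E "^CONFIG_${sym}=[ym]\$"; then
            printf '%s\t%s\n' "$sym" "$desc"
        fi
    done
}

# Number of live rules carrying an accept verdict (comment strings are
# stripped first so "accept" inside a comment does not count). An input
# chain with "policy drop" and zero of these drops every inbound packet.
active_accept_rules() {
    active_rules "$1" | sed 's/comment "[^"]*"//' \
        | grep -c -E '(^|[[:space:]])accept([[:space:]]|$)' || true
}

# Stand-alone usage: sh nft-kconfig-check.sh /proc/config.gz /etc/conf.d/nftables.rules
if [ "$#" -eq 2 ]; then
    missing_kernel_options "$1" "$2"
    printf 'live accept rules: %s\n' "$(active_accept_rules "$2")"
fi
```

Anything the script lists has to be enabled (as y or m) and the kernel rebuilt, or, if built as a module, loadable: `nft -f` relies on module autoload, so an unloadable module produces the same "No such file or directory" as a missing one. Once the options are in place, re-run `nft -f` on the unmodified wiki file; commenting out the accept rules to make it load only produces a drop-everything firewall.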