Gentoo Forums
nftables rules syntax error
Forum: Networking & Security
josephg (l33t)
Joined: 10 Jan 2016
Posts: 778
Location: usually offline

PostPosted: Mon Sep 17, 2018 8:09 am    Post subject: nftables rules syntax error

Trying to migrate from iptables to nftables, I followed the Gentoo nftables wiki re kernel config.
Code:
$ lsmod | grep ^nf
nft_limit              12288  0
nft_counter            12288  0
nft_log                12288  0
nf_tables              61440  3 nft_limit,nft_counter,nft_log
nfnetlink              12288  1 nf_tables
nf_log_ipv4            12288  3
nf_log_common          12288  1 nf_log_ipv4
nf_reject_ipv4         12288  1 ipt_REJECT
nf_conntrack_ipv4      12288  8
nf_defrag_ipv4         12288  1 nf_conntrack_ipv4
nf_conntrack           45056  2 nf_conntrack_ipv4,xt_conntrack


I copied rules from Gentoo wiki examples.
Code:
$ cat /etc/conf.d/nftables.rules
#!/sbin/nft -f

flush ruleset

# filter, inet
table inet filter {
        chain output {
                type filter hook output priority 0; policy accept;
                counter comment "count accepted packets"
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }

        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "drop invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                iifname lo accept comment "accept loopback"
                iifname != lo ipv4 daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                iifname != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all icmp types"
                ip6 nexthdr icmpv6 counter accept comment "accept all icmp types"
                tcp dport 22 counter accept comment "accept ssh"
                counter comment "count dropped packets"
        }
}


I get a syntax error :(
Code:
$ sudo nft -f /etc/conf.d/nftables.rules
/etc/conf.d/nftables.rules:22:36-40: Error: syntax error, unexpected daddr
                iifname != lo ipv4 daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                                   ^^^^^

_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey


guitou (Guru)
Joined: 02 Oct 2003
Posts: 370
Location: France

PostPosted: Mon Sep 17, 2018 11:20 am

Hello, I have absolutely no knowledge of the subject, but after a quick glance at some docs, I think your mistake is at "ipv4" (should be simply "ip" instead, no?)

++
Gi)
josephg

PostPosted: Wed Sep 19, 2018 10:44 am

guitou wrote:
Hello, I have absolutely no knowledge of the subject, but after a quick glance at some docs, I think your mistake is at "ipv4" (should be simply "ip" instead, no?)

Hello, thank you for the initiative :) Yes, I think you're right. I looked at the nftables wiki and changed "ipv4" to "ip". That error has gone away. Perhaps the Gentoo wiki needs to be corrected?
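The keyword fix above, carried through the whole ruleset from the first post, as an added example (my script, not the Gentoo wiki's text or josephg's file). The payload keywords nft accepts are `ip` and `ip6`, so both loopback rules change, the loopback prefix is written as the network `127.0.0.0/8`, and interface names are quoted. The script writes that ruleset to a file, runs a plain-text pre-check for the `ipv4`/`ipv6` mistake, and, when nft is installed, validates the file with `nft -c -f` (nftables' check-only mode) before anything is loaded. That matters with a ruleset that starts with `flush ruleset` and has `policy drop` on input: you want to know the file is good before it replaces the firewall you are connected through. The path `/etc/conf.d/nftables.rules` is the one from the thread and is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or the Gentoo wiki.
# Writes the corrected ruleset, lints it for the "ipv4"/"ipv6" mistake,
# and (when nft is installed) validates it with nft -c before any load.

RULES=${RULES:-/etc/conf.d/nftables.rules}   # path used in the thread (assumption)

# Corrected ruleset: "ipv4 daddr" -> "ip daddr", loopback prefix written as
# its network address, interface names quoted.
write_ruleset() {
cat > "$1" <<'EOF'
#!/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "drop invalid packets"
        ct state { established, related } counter accept comment "accept replies to our own connections"
        iifname "lo" accept comment "accept loopback"
        iifname != "lo" ip daddr 127.0.0.0/8 counter drop comment "loopback destination not arriving on lo"
        iifname != "lo" ip6 daddr ::1 counter drop comment "loopback destination not arriving on lo"
        ip protocol icmp counter accept comment "accept all icmp types"
        ip6 nexthdr icmpv6 counter accept comment "accept all icmpv6 types"
        tcp dport 22 counter accept comment "accept ssh"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}
EOF
}

# Text-only pre-check: in payload position nft accepts "ip" and "ip6", never
# "ipv4"/"ipv6". Prints the offending lines; returns 1 if any are found.
lint_family_keywords() {
    ! grep -nE '(^|[[:space:]])ipv[46][[:space:]]+(saddr|daddr|protocol|nexthdr)' "$1"
}

# Validate without committing: nft -c parses the file and checks it against
# the running kernel (needs root and the nf_tables modules) but changes nothing.
check_ruleset() {
    lint_family_keywords "$1" || return 1
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    fi
}

# Usage: write the ruleset, check it, then load it only if the check passed:
#   write_ruleset "$RULES" && check_ruleset "$RULES" && nft -f "$RULES"
```

The text lint is deliberately narrow: it only catches the one keyword family the thread is about. The real validation is `nft -c -f`, which exercises the same parser and kernel checks as a load, so run it as root on the target box, not just on a build host.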
josephg

PostPosted: Wed Sep 19, 2018 10:50 am

Now that error is gone, but I have a whole raft of new errors
Code:
$ sudo nft -f /etc/conf.d/nftables.rules
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Address family not supported by protocol
table inet filter {
^^
/etc/conf.d/nftables.rules:7:15-20: Error: Could not process rule: Address family not supported by protocol
        chain output {
              ^^^^^^
/etc/conf.d/nftables.rules:12:15-21: Error: Could not process rule: Address family not supported by protocol
        chain forward {
              ^^^^^^^
/etc/conf.d/nftables.rules:17:15-19: Error: Could not process rule: Address family not supported by protocol
        chain input {
              ^^^^^
/etc/conf.d/nftables.rules:20:26-47: Error: Could not process rule: Address family not supported by protocol
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                         ^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:20:26-47: Error: Could not process rule: Address family not supported by protocol
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                         ^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:9:17-23: Error: Could not process rule: Address family not supported by protocol
                counter comment "count accepted packets"
                ^^^^^^^
/etc/conf.d/nftables.rules:14:17-23: Error: Could not process rule: Address family not supported by protocol
                counter comment "count dropped packets"
                ^^^^^^^
/etc/conf.d/nftables.rules:19:17-45: Error: Could not process rule: Address family not supported by protocol
                ct state invalid counter drop comment "drop invalid packets"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:20:17-62: Error: Could not process rule: Address family not supported by protocol
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:21:17-33: Error: Could not process rule: Address family not supported by protocol
                iifname lo accept comment "accept loopback"
                ^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:23:17-63: Error: Could not process rule: Address family not supported by protocol
                iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:24:17-60: Error: Could not process rule: Address family not supported by protocol
                iifname != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:25:17-47: Error: Could not process rule: Address family not supported by protocol
                ip protocol icmp counter accept comment "accept all icmp types"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:26:17-49: Error: Could not process rule: Address family not supported by protocol
                ip6 nexthdr icmpv6 counter accept comment "accept all icmp types"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:27:17-43: Error: Could not process rule: Address family not supported by protocol
                tcp dport 22 counter accept comment "accept ssh"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:28:17-23: Error: Could not process rule: Address family not supported by protocol
                counter comment "count dropped packets"


I manually added the table/chains before trying again, but same errors again as above.

Maybe I'm doing it without understanding all of this and simply blind copying from Gentoo Wiki and hoping the wiki is telling me right.
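`Address family not supported by protocol` is errno EAFNOSUPPORT, which nf_tables returns when the kernel has no handler registered for the table's address family. The file declares `table inet filter`, and the lsmod output in the first post shows neither `nf_tables_inet` nor `nf_tables_ipv4`; the kernel options josephg lists further down have only `CONFIG_NF_TABLES_IPV4=m`, while spidark's working config has `CONFIG_NF_TABLES_INET=m`. The file is committed as one batch, so every chain and rule in it reports the same error rather than just the table line. Below is an added helper of mine (not from the thread) that maps what a ruleset uses to the kernel options it needs and prints the ones a given .config lacks. The option names are those of the 4.14 kernels in the thread; from 4.17 on the family handlers are part of nf_tables itself and these become boolean options, so treat the mapping as a starting point. The sample ruleset and .config inside are constructed from the posts; on a live system you would feed it `zcat /proc/config.gz` or `/usr/src/linux/.config`.

```shell
#!/bin/sh
# Added example, not from the thread: map the nft expressions a ruleset uses to
# the kernel options that must be =y or =m for it to load, and report which a
# .config lacks. Option names follow the 4.14 kernels used in the thread.

# Prints one CONFIG_ name per line for everything found in ruleset file $1.
needed_options() {
    f=$1
    echo CONFIG_NF_TABLES
    # address family of each table: inet / ip / ip6
    grep -qE '^[[:space:]]*table[[:space:]]+inet[[:space:]]' "$f" && echo CONFIG_NF_TABLES_INET
    grep -qE '^[[:space:]]*table[[:space:]]+ip[[:space:]]'   "$f" && echo CONFIG_NF_TABLES_IPV4
    grep -qE '^[[:space:]]*table[[:space:]]+ip6[[:space:]]'  "$f" && echo CONFIG_NF_TABLES_IPV6
    # expressions -> nft_* modules
    grep -qE '(^|[[:space:]])ct[[:space:]]'          "$f" && { echo CONFIG_NF_CONNTRACK; echo CONFIG_NFT_CT; }
    grep -qE '(^|[[:space:]])counter([[:space:]]|$)' "$f" && echo CONFIG_NFT_COUNTER
    grep -qE '(^|[[:space:]])log([[:space:]]|$)'     "$f" && echo CONFIG_NFT_LOG
    grep -qE '(^|[[:space:]])reject([[:space:]]|$)'  "$f" && echo CONFIG_NFT_REJECT
    grep -qE '(^|[[:space:]])limit[[:space:]]+rate'  "$f" && echo CONFIG_NFT_LIMIT
    grep -qE '(^|[[:space:]])(iif|oif|iifname|oifname|meta)[[:space:]]' "$f" && echo CONFIG_NFT_META
    return 0
}

# Prints the needed options that are neither =y nor =m in .config file $2.
missing_options() {
    needed_options "$1" | sort -u | while read -r opt; do
        grep -qE "^${opt}=[ym]$" "$2" || echo "$opt"
    done
}

# Constructed sample: the inet ruleset from the first post, reduced to the
# expressions that matter here, and the options josephg later lists
# (CONFIG_NF_TABLES_IPV4 only, no CONFIG_NF_TABLES_INET).
sample_ruleset() {
cat > "$1" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop
        iifname "lo" accept
        tcp dport 22 counter accept
    }
}
EOF
}

sample_config() {
cat > "$1" <<'EOF'
CONFIG_NF_CONNTRACK=m
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_INET is not set
CONFIG_NF_TABLES_IPV4=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
EOF
}

# Usage on a live box:
#   zcat /proc/config.gz > /tmp/config && missing_options /etc/conf.d/nftables.rules /tmp/config
```

With the constructed inputs the only line printed is `CONFIG_NF_TABLES_INET`, which is exactly the family the failing file declares. A module that is built but not loaded is not the problem here: nft asks the kernel to autoload the family module, so `=m` is enough as long as it was built.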
spidark (Tux's lil' helper)
Joined: 01 Sep 2011
Posts: 140

PostPosted: Fri Sep 21, 2018 7:25 pm

josephg wrote:
Maybe I'm doing it without understanding all of this and simply blind copying from Gentoo Wiki and hoping the wiki is telling me right.

Don't know if you already solved your issue.
I have no idea (yet) what I'm doing.
But this works (crippled, I think, but it works).
Can't remember where I got it from :( (Sorry, original author, and thanks.)
However, it does time out my eix-sync, and dhclient complains about ipv6 not permitted because of the drop state (working on that).
Maybe you can figure it out.

Code:
#==== TO LIST: sudo nft list ruleset
#==== TO DESCRIBE PORTS: sudo nft describe tcp dport

flush ruleset

table inet filter {
    set tcp_accepted {
        type inet_service; flags interval;
        elements = { http, https, rsync }
    }
    set udp_accepted {
        type inet_service; flags interval;
        elements = { domain }
    }

    chain base_checks {
        # allow established/related connections
        ct state {established, related} accept

        # early drop of invalid connections
        ct state invalid log prefix "Invalid Input Connection: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;

        jump base_checks

        # allow from loopback
        iifname lo accept

        # allow icmp
        ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept

        # allow ports
        #tcp dport @tcp_accepted accept
        #udp dport @udp_accepted accept

        # everything else
        reject with icmpx type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        log prefix "Dropped Forward Connection: "
    }

    chain output {
        type filter hook output priority 0; policy drop;
        jump base_checks
        # allow ports
        tcp dport @tcp_accepted accept
        udp dport @udp_accepted accept
        #log prefix "Invalid Output Connection: " Warning : This floods logs
    }
}


_________________
Laptop HP Pavilion G6 2310-SD Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz
josephg

PostPosted: Wed Sep 26, 2018 10:16 am

spidark wrote:
josephg wrote:
Maybe I'm doing it without understanding all of this and simply blind copying from Gentoo Wiki and hoping the wiki is telling me right.

Don't know if you already solved your issue.
I have no idea (yet) what I'm doing.

Thank you spidark. I've abandoned nftables and removed those modules from the kernel, as I was getting weird issues that seem to have since disappeared, which might be completely unrelated. I felt like I was groping too much in the dark, and the nftables error messages felt too cryptic for me.
spidark

PostPosted: Wed Sep 26, 2018 8:56 pm

josephg wrote:

Thank you spidark. I've abandoned nftables and removed those modules from the kernel, as I was getting weird issues that seem to have since disappeared, which might be completely unrelated. I felt like I was groping too much in the dark, and the nftables error messages felt too cryptic for me.

No problem josephg,
I read your kernel paging issue post. I do not have that issue, and I'm running the same kernel, 4.14.65-gentoo.
Maybe not related, but just in case. :wink:
Code:

CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y
CONFIG_KALLSYMS_BASE_RELATIVE=y

CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=m
CONFIG_NF_TABLES_NETDEV=m
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_ARP is not set
CONFIG_NF_TABLES_IPV6=m

[I] net-firewall/nftables
     Available versions:  0.8-r3 ~0.8.5 ~0.9.0 {debug doc +gmp json +readline KERNEL="linux"}
     Installed versions:  0.8-r3(09:57:13 AM 09/12/2018)(gmp readline -debug -doc KERNEL="linux")


josephg

PostPosted: Thu Sep 27, 2018 1:30 pm

Thank you spidark :) You whetted my appetite again.

So now I have
Code:
CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set
CONFIG_KALLSYMS_BASE_RELATIVE=y

CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y depends on KALLSYMS=y, which is not set. I see you have it on.

Code:
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_NETDEV is not set
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_ARP is not set

I don't need the netdev table yet, nor ip6.

I see your ruleset has "ct state", "log", "nexthdr", "reject", etc. I think you need additional kernel module(s) for those to work. Do you not have them in your running kernel?
Anon-E-moose (Advocate)
Joined: 23 May 2008
Posts: 3490
Location: Dallas area

PostPosted: Thu Sep 27, 2018 2:52 pm

Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables?
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
spidark

PostPosted: Thu Sep 27, 2018 3:45 pm

josephg wrote:
Thank you spidark :) You whetted my appetite again.
I see your ruleset has "ct state", "log", "nexthdr", "reject", etc. I think you need additional kernel module(s) for those to work. Do you not have them in your running kernel?

Hi josephg,
OK, let's compare .config and see what you do or don't have.

Code:
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=m
CONFIG_NF_TABLES_NETDEV=m
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_ARP is not set
CONFIG_NF_TABLES_IPV6=m

CONFIG_NETFILTER=y
# CONFIG_NETFILTER_ADVANCED is not set
# Core Netfilter Configuration
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_LOG=y
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_NAT=m
# CONFIG_NETFILTER_XT_TARGET_NETMAP is not set
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
# CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
# IP: Netfilter Configuration
# IPv6: Netfilter Configuration
# iptables trigger is under Netfilter config (LED target)

CONFIG_NF_DEFRAG_IPV6=y
CONFIG_NF_CONNTRACK_IPV6=y
# CONFIG_NF_SOCKET_IPV6 is not set
CONFIG_NF_TABLES_IPV6=m
# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set
CONFIG_NFT_REJECT_IPV6=m
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=y
CONFIG_NF_LOG_IPV6=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=y


CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
# CONFIG_NF_SOCKET_IPV4 is not set
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NFT_CHAIN_ROUTE_IPV4 is not set
CONFIG_NFT_REJECT_IPV4=m
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
# CONFIG_NF_DUP_IPV4 is not set
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_NAT_IPV4=m
# CONFIG_NFT_CHAIN_NAT_IPV4 is not set
CONFIG_NF_NAT_MASQUERADE_IPV4=m
# CONFIG_NFT_MASQ_IPV4 is not set
# CONFIG_NFT_REDIR_IPV4 is not set


You should look up the difference between ip and inet.
inet is stacked: ipv4 combined with ipv6.
ip separates ipv4 from ipv6.
But it's documented on Gentoo.
And always flush your ruleset, or weird stuff will happen.
This was a test rule that also worked.
Change the inet to ip, and enjoy the errors. :lol:
Funny thing about the code below: it's inet, but I can still use ip6 to block all ipv6 traffic.
I still have to look into that.
Code:
flush ruleset
table inet filter {
   chain input {
      type filter hook input priority 0; policy accept;
      ct state established,related accept
      ct state invalid counter packets 0 bytes 0 drop comment "drop invalid packets"
      ct state != related drop
      iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
      iif "lo" accept
      ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } drop
      ip protocol icmp icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } drop
      ip protocol igmp drop
      counter packets 0 bytes 0 drop
   }

   chain output {
      type filter hook output priority 0; policy drop;
      ct state related accept
      oif "lo" accept
      oif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
      tcp dport smtp accept
      tcp dport domain accept
      tcp dport http accept
      tcp dport https accept
      udp dport domain accept
      tcp dport rsync accept
      tcp dport git accept
      tcp dport 9050 accept
      counter packets 0 bytes 0 drop comment "count accepted packets"
   }

   chain forward {
      type filter hook forward priority 0; policy drop;
      counter packets 0 bytes 0 comment "count dropped packets"
   }
}
table ip6 filter6 {
   chain input {
      type filter hook input priority 0; policy drop;
      counter packets 0 bytes 0 comment "count dropped packets"
   }

   chain output {
      type filter hook output priority 0; policy drop;
      counter packets 0 bytes 0 comment "count dropped packets"
   }

   chain forward {
      type filter hook forward priority 0; policy drop;
      counter packets 0 bytes 0 comment "count dropped packets"
   }
}


Let me know if it worked.
spidark

PostPosted: Thu Sep 27, 2018 3:57 pm

Anon-E-moose wrote:
Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables?

Seriously Anon-E-moose, this tool exists? 8O
I'm guessing by enabling the nftables USE flag on the iptables package?
Anon-E-moose

PostPosted: Thu Sep 27, 2018 4:02 pm

spidark wrote:
Anon-E-moose wrote:
Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables?

Seriously Anon-E-moose, this tool exists? 8O
I'm guessing by enabling the nftables USE flag on the iptables package?


Yep, I ran across it when researching using nftables. It does it line by line, but still, it's a start.
And yes, it gets created with the nftables USE flag when emerging iptables.

You give it the old line, it gives you the nftables equivalent.

Edit to add: for example, from my iptables file
Code:
iptables-translate -A INPUT -i eth0 -p tcp -s 0/0 --dport 25 -m limit --limit 2/minute -j LOG --log-prefix="IPTABLES:mail "

output:
Code:
nft add rule ip filter INPUT iifname eth0 tcp dport 25 limit rate 2/minute burst 5 packets counter log prefix \"IPTABLES:mail \"
josephg

PostPosted: Thu Sep 27, 2018 5:11 pm

A.N..D... voila, I get it again
Code:
BUG: unable to handle kernel paging request at 0002ffa8
IP: __radix_tree_lookup+0x11/0xe0
*pdpt = 00000000206fc001 *pde = 0000000000000000
Oops: 0000 [#1] SMP
Modules linked in: nft_meta nft_log nft_counter nft_ct nf_tables_ipv4 nf_tables nfnetlink ctr ccm af_packet nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 xt_pkttype xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_multiport xt_conntrack nf_conntrack iptable_filter ip_tables x_tables zram zsmalloc ext4 crc16 mbcache jbd2 arc4 ath9k ath9k_common bfq ath9k_hw mac80211 coretemp i915 ath cfg80211 i2c_algo_bit hwmon snd_hda_codec_realtek snd_hda_codec_generic input_leds rfkill drm_kms_helper cfbfillrect psmouse snd_hda_intel atkbd snd_hda_codec sr_mod ehci_pci evdev syscopyarea cfbimgblt sysfillrect sdhci_pci libps2 lpc_ich snd_hwdep ehci_hcd sdhci mmc_core cdrom snd_hda_core mfd_core sysimgblt fb_sys_fops cfbcopyarea i2c_i801 led_class snd_pcm pcspkr fan thermal button usbcore drm
 battery snd_timer intel_agp video intel_gtt pcc_cpufreq rtc_cmos backlight acpi_cpufreq agpgart ac i8042 serio snd soundcore usb_common
CPU: 0 PID: 18186 Comm: DOM Worker Tainted: G     U          4.14.65-gentoo-jgv #23
Hardware name: TOSHIBA Satellite Pro A300/Portable PC, BIOS 2.20 12/07/2009
task: f141b000 task.stack: e0192000
EIP: __radix_tree_lookup+0x11/0xe0
EFLAGS: 00210286 CPU: 0
EAX: 0002ffa4 EBX: a11df000 ECX: 00000000 EDX: 01ffffff
ESI: 01ffffff EDI: 00000000 EBP: 0002ffa0 ESP: e0193de4
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
CR0: 80050033 CR2: 0002ffa8 CR3: 24be3860 CR4: 000006f0
Call Trace:
 ? radix_tree_lookup_slot+0xb/0x20
 ? find_get_entry+0x19/0xe0
 ? pagecache_get_page+0x1c/0x210
 ? lookup_swap_cache+0x30/0xf0
 ? swap_readahead_detect+0x60/0x2a0
 ? do_swap_page+0xbb/0x790
 ? mem_cgroup_commit_charge+0x62/0x3e0
 ? reuse_swap_page+0x2f/0x150
 ? page_add_new_anon_rmap+0x5d/0xa0
 ? handle_mm_fault+0x669/0xf00
 ? __do_page_fault+0x19b/0x400
 ? vmalloc_sync_all+0x10/0x10
 ? common_exception+0x52/0x5a
Code: d5 8b 74 24 14 8b 5c 24 18 85 d2 0f 84 0b ff ff ff e9 f5 fe ff ff 8d 74 26 00 55 57 56 53 83 ec 08 89 04 24 89 4c 24 04 8b 04 24 <8b> 70 04 89 f0 83 e0 03 83 f8 01 0f 85 a6 00 00 00 89 f0 83 e0
EIP: __radix_tree_lookup+0x11/0xe0 SS:ESP: 0068:e0193de4
CR2: 000000000002ffa8
---[ end trace 54e0e562fff73ff2 ]---

josephg

PostPosted: Thu Sep 27, 2018 5:17 pm

Anon-E-moose wrote:
Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables?

I couldn't get nftables to work, that's why. I didn't understand nftables, and those cryptic error messages don't help, which is probably another reason. I assumed I could start with something dependable, and hence picked from the Gentoo wiki.

Now that I understand nftables a bit better, I can say that I got lost following the Gentoo wiki. I'll start building my ruleset once I have nftables working.
josephg

PostPosted: Thu Sep 27, 2018 5:31 pm

To get the iptables-translate tool in Gentoo
Code:
# USE="nftables" emerge net-firewall/iptables


I found iptables-translate to be very useful, and it is very easy to use, but not always very accurate. Don't blind copy; try to understand what it's doing, and use the output as hints or tips to write your ruleset.

You can translate iptables rules line by line, or your entire ruleset in one go.
Ref: http://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
spidark

PostPosted: Thu Sep 27, 2018 6:42 pm

josephg wrote:
A.N..D... voila, I get it again

Faulty mem, hardware maybe :?
spidark

PostPosted: Thu Sep 27, 2018 6:46 pm

Anon-E-moose wrote:

Yep, I ran across it when researching using nftables. It does it line by line, but still, it's a start.
And yes, it gets created with the nftables USE flag when emerging iptables.

You give it the old line, it gives you the nftables equivalent.

Edit to add: for example, from my iptables file

iptables-translate -A INPUT -i eth0 -p tcp -s 0/0 --dport 25 -m limit --limit 2/minute -j LOG --log-prefix="IPTABLES:mail "
output:
nft add rule ip filter INPUT iifname eth0 tcp dport 25 limit rate 2/minute burst 5 packets counter log prefix \"IPTABLES:mail \"

Nice tip, thanks Anon-E-moose

josephg wrote:

I found iptables-translate to be very useful,

Yes it is :lol:
josephg

PostPosted: Thu Sep 27, 2018 6:47 pm

Maybe :( But why only when I'm playing with nftables modules? Never had it before. Could it be having both iptables and nftables?
Anon-E-moose

PostPosted: Thu Sep 27, 2018 7:07 pm

What kernel version are you using?
josephg

PostPosted: Thu Sep 27, 2018 8:04 pm

Anon-E-moose wrote:
What kernel version are you using?

sys-kernel/gentoo-sources:4.14.65 x86
Anon-E-moose

PostPosted: Thu Sep 27, 2018 8:06 pm

You might try a newer kernel and see if the problem persists (using basically the same .config)

as far as it being because of both iptables and nftables, I wouldn't think so, unless you're mixing the two together at the same time.
josephg

PostPosted: Thu Sep 27, 2018 10:33 pm

Anon-E-moose wrote:
You might try a newer kernel and see if the problem persists (using basically the same .config)

I'm a bit reluctant to upgrade kernels as I use btrfs.

I had been blindly enabling whatever modules the Gentoo wiki told me, and then, when something failed, enabling more modules without understanding whether they were needed or not. I seem to have a better understanding now, and seem to have got on top of it, cutting and pruning down to only the modules wanted by my ruleset
Code:
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=m
CONFIG_NF_TABLES=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_TABLES_IPV4=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m

Code:
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_IPV4=m

So far I haven't got any further oops.. fingers crossed.

Anon-E-moose wrote:
as far as it being because of both iptables and nftables, I wouldn't think so, unless you're mixing the two together at the same time.

I did mix the two together at times, and wondered if that perhaps contributed to my issues.
nftables wiki wrote:
Beware of using both the nft and the legacy tools at the same time. That means using both x_tables and nf_tables kernel subsystems at the same time, and could lead to unexpected results.

Apparently you can run both together. The result is an AND of both their rulesets.
http://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F

But that is not my intention. I like how nftables is so much cleaner than iptables.
spidark

PostPosted: Sun Sep 30, 2018 3:00 pm

josephg wrote:
So far I haven't got any further oops.. fingers crossed.

Glad you got things working :)
josephg

PostPosted: Sun Sep 30, 2018 11:03 pm

Could that be because I haven't nftables yet perhaps? I noticed that those modules are not loaded till I run the nftables command. I can start testing nftables again in a few days when I'll have more time.
spidark

PostPosted: Mon Oct 01, 2018 1:00 pm

josephg wrote:
Could that be because I haven't nftables yet perhaps? I noticed that those modules are not loaded till I run the nftables command. I can start testing nftables again in a few days when I'll have more time.

I'm not sure.

Maybe not relevant, but I do not have iptables installed, I don't use NetworkManager, and I have iproute2 installed with the -iptables USE flag.
All the [0] modules get loaded when I run nftables.
Code:

# lsmod

Module                  Size  Used by
nf_log_ipv6            16384  0
nf_log_ipv4            16384  0
nf_log_common          16384  2 nf_log_ipv4,nf_log_ipv6
nft_reject_inet        16384  0
nft_reject             16384  1 nft_reject_inet
nft_meta               16384  0
nft_log                16384  0
nft_ct                 16384  0
nft_set_bitmap         16384  0
nft_set_hash           20480  0
nft_set_rbtree         16384  0
nf_tables_inet         16384  0
nf_tables_ipv6         16384  1 nf_tables_inet
nf_tables_ipv4         16384  1 nf_tables_inet

Page 1 of 2