Hi Elrik,
Thanks for reporting your issue to Ubuntu, and apologies for the delayed
response. Can you say explicitly what behavior you're expecting to have
work that does not? I.E. are ssh connections to the host unsuccessful or
are other outbound operations failing?
Some useful diagnostics to see what's happening would be to install the
conntrack package and then run:
$ sudo conntrack -L -o id,extended
to see what connections it's tracking. Additionally, it would probably
be useful to add a log rule at the end of the input chain to see what's
failing; something like:
log prefix "[nftables] input denied: " flags all counter drop
and then looking at dmesg output, journalctl output, or
/var/log/kern.log can tell you what is getting blocked.
It should be noted that Ubuntu 20.04 uses systemd-resolved as its DNS
resolver and depending on whether you've adjusted your DNS settings,
with the nftables configuration above, likely the problem you're seeing
is that connections to the resolver listening on the loopback interface
(ip addr 127.0.0.53) are being blocked; in my testing, this showed up
looking like:
[nftables] input denied: IN=lo OUT=
MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:
00 SRC=127.0.0.1 DST=127.0.0.53 LEN=86 TOS=0x00 PREC=0x00 TTL=64 ID=11108 DF
PROTO=UDP SPT=45001 DPT=53 LEN=66
Given that, adding a rule like:
udp dport 53 ip saddr 127.0.0.1 accept
on the input chain caused outbound initiated network traffic to work.
Is this what you were seeing or is there some other behavior you were
expecting that did not work?
Thanks.
** Changed in: nftables (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1888076
Title:
nftables can't be statefull
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nftables/+bug/1888076/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
