Package: nftables
Version: 0.8-1
Severity: normal

Dear Maintainer,

* What led up to the situation?

Upgrading the kernel to 4.13 and nftables to version 0.8 caused this issue to occur. In previous releases the configuration below worked flawlessly. The configuration below causes no error messages and, when issuing nft -nna list ruleset, all rules are shown. The real issue is that the sets which have more than 2 elements in the input chain never match a packet. For example, on the line "add rule ip filter INPUT iif $lan-if tcp dport {22.445,3000,19999,64738} counter accept": this never matches a packet. When issuing a trace, the packet goes straight to the last rule, which just drops the packet.

* What exactly did you do (or not do) that was effective (or ineffective)?

When using a named set instead of anonymous sets, there is no issue. This works every time I reload the configuration file. Sets with 2 or fewer elements seem to work just fine, or at least match some of the elements.

* What outcome did you expect instead?

I expected this configuration to work with the newer kernel and nftables.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg          1.18.24
ii  libc6         2.24-17
ii  libgmp10      2:6.1.2+dfsg-1.1
ii  libmnl0       1.0.4-2
ii  libnftnl7     1.0.8-1
ii  libreadline7  7.0-3
ii  libxtables12  1.6.1-2+b1

nftables recommends no packages.
nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset

define lan-if = {enp6s0f1, enp7s0f0}
define wan-if = enp6s0f0
define drop-wan-tcp = {0,25,135-139,179,445,593,1433-1434,7547}
define drop-wan-udp = {25,135-139,161,445,593,1433-1434,1900}
define drop-wan-dst-ip = {10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4}

add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }

add map filter ct_map { type ct_state : verdict; }
add element filter ct_map { established : accept }
add element filter ct_map { related : accept }
add element filter ct_map { invalid : drop }

add rule ip filter INPUT iif lo counter accept
add rule ip filter INPUT ct state vmap @ct_map
add rule ip filter INPUT icmp type {1,6,8,11-14} counter accept
add rule ip filter INPUT iif $lan-if udp dport {53,67,1200,64738} accept
add rule ip filter INPUT iif $lan-if tcp dport {22.445,3000,19999,64738} accept
add rule ip filter INPUT iif $wan-if udp dport {1200,1201} accept
add rule ip filter INPUT iif $wan-if tcp dport {22,64738} accept
add rule ip filter INPUT iifname {rex0,mei0} tcp dport {22,80,445,3000,19999} accept
add rule ip filter INPUT counter drop

add rule ip filter FORWARD ct state vmap @ct_map
add rule ip filter FORWARD oif $wan-if tcp dport $drop-wan-tcp log prefix "FORWARD TCP1 : " counter drop
add rule ip filter FORWARD oif $wan-if udp dport $drop-wan-udp log prefix "FORWARD UDP1: " counter drop
add rule ip filter FORWARD oif $wan-if ip daddr $drop-wan-dst-ip log prefix "FORWARD WAN SRC1: " counter drop
add rule ip filter FORWARD oif $wan-if icmp type != {0,1,6,8,11-14} counter drop
add rule ip filter FORWARD iif $lan-if oif $wan-if counter accept
add rule ip filter FORWARD counter drop

add rule ip filter OUTPUT oif $wan-if tcp dport $drop-wan-tcp log prefix "OUTPUT TCP1: " counter drop
add rule ip filter OUTPUT oif $wan-if udp dport $drop-wan-udp log prefix "OUTPUT UDP1: " counter drop
add rule ip filter OUTPUT oif $wan-if ip daddr $drop-wan-dst-ip log prefix "OUTPUT SRC1: " counter drop

add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority 0; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 0; }
add rule ip nat POSTROUTING oif $wan-if counter masquerade
add rule ip nat PREROUTING tcp dport 6060 counter dnat 192.168.23.1:22

add table ip mangle
add chain ip mangle POSTROUTING { type filter hook output priority 0; }
add rule ip mangle POSTROUTING oif $lan-if ip saddr {192.168.23.0/24, 10.8.0.0/24} counter meta priority set 1:3

-- no debconf information
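As an added example (not part of the bug report or the nftables project), the following self-contained ruleset isolates the comparison the reporter describes: the same LAN port list once as an anonymous set and once as a named set, in that order, each with its own counter, plus an nftrace rule so that nft monitor trace shows which rule a new connection reaches. The interface names come from the report and are assumed to exist on the test host (iif needs to resolve them when the file is loaded); the chain layout, counters and trace rule are the added part. The elements are written as 22 and 445, the way the report's rex0/mei0 rule lists them, whereas the report's LAN rule spells them 22.445.

```nft
#!/usr/sbin/nft -f
# Added reproduction ruleset; assumes enp6s0f1 and enp7s0f0 exist.
flush ruleset

define lan-if = { enp6s0f1, enp7s0f0 }

table ip filter {
    # Named set: the variant the reporter says matches after every reload.
    set lan_tcp_ports {
        type inet_service
        elements = { 22, 445, 3000, 19999, 64738 }
    }

    chain INPUT {
        type filter hook input priority 0;

        iif lo accept
        ct state { established, related } accept
        ct state invalid drop

        # Mark the first packet of each new LAN connection for tracing so
        # "nft monitor trace" prints the rule it ends up hitting.
        iif $lan-if ct state new meta nftrace set 1

        # Rule A: anonymous set, the form the report says never matches.
        iif $lan-if tcp dport { 22, 445, 3000, 19999, 64738 } counter accept

        # Rule B: named set, the reporter's workaround. Only reached when
        # rule A did not match, so a non-zero counter here means A failed.
        iif $lan-if tcp dport @lan_tcp_ports counter accept

        # Final catch-all, as in the report.
        counter drop
    }
}
```

Load it with nft -f, run nft monitor trace in a second terminal, then open a TCP connection to one of the listed ports from the LAN side and compare the two counters in nft list ruleset: on a working build only rule A's counter moves; if rule B's counter (or the final drop counter) moves instead, the anonymous-set lookup did not match and the trace output shows exactly which rule the packet reached.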