Package: nftables
Version: 0.8-1
Severity: normal

Dear Maintainer,

* What led up to the situation?
Upgrading the kernel to 4.13 and nftables to version 0.8 caused this
issue to occur. In previous releases the configuration below worked
flawlessly.

The configuration below causes no error messages, and when issuing
nft -nna list ruleset, all rules are shown. The real issue is that the
sets which have more than 2 elements in the input chain never match a
packet. For example, on the line "add rule ip filter INPUT iif $lan-if
tcp dport {22.445,3000,19999,64738} counter accept". This never matches
a packet. When issuing a trace, the packet goes straight to the last
rule, which just drops the packet.

* What exactly did you do (or not do) that was effective (or ineffective)?
When using named sets instead of anonymous sets, there is no issue. This
works every time I reload the configuration file. Sets with 2 or fewer
elements seem to work just fine, or at least match some of the elements.


* What outcome did you expect instead?
I expected this configuration to work with the newer kernel and nftables.



-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg          1.18.24
ii  libc6         2.24-17
ii  libgmp10      2:6.1.2+dfsg-1.1
ii  libmnl0       1.0.4-2
ii  libnftnl7     1.0.8-1
ii  libreadline7  7.0-3
ii  libxtables12  1.6.1-2+b1

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset
define lan-if = {enp6s0f1, enp7s0f0}
define wan-if = enp6s0f0
define drop-wan-tcp = {0,25,135-139,179,445,593,1433-1434,7547}
define drop-wan-udp = {25,135-139,161,445,593,1433-1434,1900}
define drop-wan-dst-ip = {10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4}
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }
add map filter ct_map { type ct_state : verdict; }
add element filter ct_map { established : accept }
add element filter ct_map { related : accept }
add element filter ct_map { invalid : drop }
add rule ip filter INPUT iif lo counter accept
add rule ip filter INPUT ct state vmap @ct_map
add rule ip filter INPUT icmp type {1,6,8,11-14} counter accept
add rule ip filter INPUT iif $lan-if udp dport {53,67,1200,64738} accept
add rule ip filter INPUT iif $lan-if tcp dport {22.445,3000,19999,64738} accept
add rule ip filter INPUT iif $wan-if udp dport {1200,1201} accept
add rule ip filter INPUT iif $wan-if tcp dport {22,64738} accept
add rule ip filter INPUT iifname {rex0,mei0} tcp dport {22,80,445,3000,19999} accept
add rule ip filter INPUT counter drop
add rule ip filter FORWARD ct state vmap @ct_map
add rule ip filter FORWARD oif $wan-if tcp dport $drop-wan-tcp log prefix "FORWARD TCP1 : " counter drop
add rule ip filter FORWARD oif $wan-if udp dport $drop-wan-udp log prefix "FORWARD UDP1: " counter drop
add rule ip filter FORWARD oif $wan-if ip daddr $drop-wan-dst-ip log prefix "FORWARD WAN SRC1: " counter drop
add rule ip filter FORWARD oif $wan-if icmp type != {0,1,6,8,11-14} counter drop
add rule ip filter FORWARD iif $lan-if oif $wan-if counter accept
add rule ip filter FORWARD counter drop
add rule ip filter OUTPUT oif $wan-if tcp dport $drop-wan-tcp log prefix "OUTPUT TCP1: " counter drop
add rule ip filter OUTPUT oif $wan-if udp dport $drop-wan-udp log prefix "OUTPUT UDP1: " counter drop
add rule ip filter OUTPUT oif $wan-if ip daddr $drop-wan-dst-ip log prefix "OUTPUT SRC1: " counter drop
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority 0; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 0; }
add rule ip nat POSTROUTING oif $wan-if counter masquerade
add rule ip nat PREROUTING tcp dport 6060 counter dnat 192.168.23.1:22
add table ip mangle
add chain ip mangle POSTROUTING { type filter hook output priority 0; }
add rule ip mangle POSTROUTING oif $lan-if ip saddr {192.168.23.0/24, 
10.8.0.0/24} counter meta priority set 1:3 


-- no debconf information

The INPUT chain from the report rewritten with named sets, the workaround the reporter says keeps matching after the upgrade. This is an added example, not part of the bug report; interface names are the reporter's, "22.445" is assumed to mean ports 22 and 445 (as in the iifname rule), and set and chain names are chosen here.

```nft
# Added example: named sets instead of anonymous {...} literals on INPUT.
# Assumes nft syntax as used in the reporter's /etc/nftables.conf.
flush ruleset
define lan-if = {enp6s0f1, enp7s0f0}
define wan-if = enp6s0f0
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }

# ct_state verdict map, unchanged from the report
add map ip filter ct_map { type ct_state : verdict; }
add element ip filter ct_map { established : accept }
add element ip filter ct_map { related : accept }
add element ip filter ct_map { invalid : drop }

# One named set per anonymous set; a set holding ranges (11-14)
# needs "flags interval" or the range element is rejected.
add set ip filter icmp_ok { type icmp_type; flags interval; }
add element ip filter icmp_ok { 1, 6, 8, 11-14 }
add set ip filter lan_udp { type inet_service; }
add element ip filter lan_udp { 53, 67, 1200, 64738 }
add set ip filter lan_tcp { type inet_service; }
add element ip filter lan_tcp { 22, 445, 3000, 19999, 64738 }   # 22.445 read as 22,445 (assumption)
add set ip filter wan_udp { type inet_service; }
add element ip filter wan_udp { 1200, 1201 }
add set ip filter wan_tcp { type inet_service; }
add element ip filter wan_tcp { 22, 64738 }

# Every accept rule carries a counter so a match is visible in the listing
add rule ip filter INPUT iif lo counter accept
add rule ip filter INPUT ct state vmap @ct_map
add rule ip filter INPUT icmp type @icmp_ok counter accept
add rule ip filter INPUT iif $lan-if udp dport @lan_udp counter accept
add rule ip filter INPUT iif $lan-if tcp dport @lan_tcp counter accept
add rule ip filter INPUT iif $wan-if udp dport @wan_udp counter accept
add rule ip filter INPUT iif $wan-if tcp dport @wan_tcp counter accept
add rule ip filter INPUT counter drop
```

After loading, `nft -nna list ruleset` (the listing the reporter used) shows the per-rule counters, so a rule whose set never matches stays at 0 packets while the final drop rule's counter climbs.
