On Sun, May 29, 2022, 01:03 Tim McConnell <tmcconnell...@gmail.com> wrote:
> Package: nftables
> Version: 1.0.2-1
> Severity: important
> File: nftables.conf
> Tags: ipv6
> X-Debbugs-Cc: tmcconnell...@gmail.com
>
> Dear Maintainer,
>
> What led up to the situation?
> Trying to configure and enable nftables to stop ip6 neighbor discovery packets
> from being rejected by VPN
>
> What exactly did you do (or not do) that was effective (or ineffective)?
> Attempted to use workstation.nft in examples folder and looked for
> documentation on the web. I couldn't find anything newer than 2014 and asked
> on Debian Forums and Linuxquestions.org
>
> What was the outcome of this action?
> Attempt to run 'sudo systemctl start nftables.service' and receive this error:
> Job for nftables.service failed because the control process exited with error code.
> See "systemctl status nftables.service" and "journalctl -xeu nftables.service" for details.
> tmick@DebianTim:~/recap$ sudo systemctl status nftables.service
> × nftables.service - nftables
>      Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
>      Active: failed (Result: exit-code) since Sat 2022-05-28 16:39:05 CDT; 7s ago
>        Docs: man:nft(8)
>              http://wiki.nftables.org
>     Process: 1704177 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
>    Main PID: 1704177 (code=exited, status=1/FAILURE)
>         CPU: 24ms
>
> May 28 16:39:05 DebianTim nft[1704177]: ^^^^^^
> May 28 16:39:05 DebianTim nft[1704177]: /etc/nftables.conf:18:3-6: Error: syntax error, unexpected meta
> May 28 16:39:05 DebianTim nft[1704177]:   meta nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too>
> May 28 16:39:05 DebianTim nft[1704177]:   ^^^^
> May 28 16:39:05 DebianTim nft[1704177]: /etc/nftables.conf:19:8-12: Error: syntax error, unexpected saddr, expecting string
> May 28 16:39:05 DebianTim nft[1704177]:   ipv6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 15>
> May 28 16:39:05 DebianTim nft[1704177]:   ^^^^^
> May 28 16:39:05 DebianTim systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
> May 28 16:39:05 DebianTim systemd[1]: nftables.service: Failed with result 'exit-code'.
> May 28 16:39:05 DebianTim systemd[1]: Failed to start nftables.
> I've tried other methods such as inet etc. and still get this type of error.
>
> What outcome did you expect instead?
> For documentation to be clear enough for this not to be a problem and the
> nftables to be able to add this filter.
>
>
> -- System Information:
> Debian Release: bookworm/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.17.0-1-rt-amd64 (SMP w/2 CPU threads; PREEMPT)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages nftables depends on:
> ii  libc6         2.33-7
> ii  libedit2      3.1-20210910-1
> ii  libnftables1  1.0.2-1
>
> Versions of packages nftables recommends:
> ii  netbase  6.3
>
> Versions of packages nftables suggests:
> pn  firewalld  <none>
>
> -- Configuration Files:
> /etc/nftables.conf changed:
> flush ruleset
> table enp1s0 filter {

This table declaration is missing family specification, which defaults to IPv4. I think you cannot use IPv6 stuff in v4 tables. I think you may want to use a table in the 'inet' family, which is dual-stack, and should accept both IPv4 and IPv6 stuff.

>     chain base_checks {
>         # Drop invalid connections and allow established/related connections
>         ct state invalid drop
>         ct state {established, related} accept
>     }
>
>     chain input {
>         type filter hook input priority 0; policy drop;
>         meta nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
>         ipv6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
>         jump base_checks
>         # Allow from loopback
>         iifname lo accept
>         iifname != lo ip daddr 127.0.0.0/32 drop
>         # New UDP traffic will jump to the UDP chain
>         ip protocol udp ct state new jump UDP
>         # New TCP traffic will jump to the TCP chain
>         tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
>         # Everything else
>         ip protocol udp reject
>         ip protocol tcp reject with tcp reset
>         reject with icmpx type port-unreachable
>     }
>     chain forward {
>         type filter hook forward priority 0; policy drop;
>     }
>     chain output {
>         type filter hook output priority 0; policy accept;
>     }
>
>     # count and drop any other traffic
>     counter enp1s0{}
>     ##CHAIN RULES
>     # TCP chain
>     set TCP_accepted {
>         type inet_service; flags interval;
>         elements = {1714-1764}
>     }
>     chain TCP {
>         tcp dport @TCP_accepted accept
>     }
>     # UDP chain
>     set UDP_accepted {
>         type inet_service; flags interval;
>         elements = {1714-1764}
>     }
>     chain UDP {
>         udp dport @UDP_accepted accept
>     }
> }
>
>
> -- no debconf information