FS#43306 - [nftables] inet family not allowed for tables (default configuration failing)

Attached to Project: Arch Linux
Opened by Ma Jiehong (jiehong) - Friday, 02 January 2015, 16:31 GMT
Last edited by Sébastien Luttringer (seblu) - Monday, 05 January 2015, 23:21 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture x86_64
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
When installing nftables, the default configuration (/etc/nftables.conf) creates a new table called "filter" for the inet family (IPv4 and IPv6), but loading it fails.

Additional info:
* package version: 1:0.4-1
* default config file: /etc/nftables.conf.

First, let's see that the default configuration fails:
Steps to reproduce:
1. Install nftables and libnftnl;
2. Run nft on the default configuration: `nft -f /etc/nftables.conf`;

Here is the output:
/home/jiehong/firewall.rules:2:1-2: Error: Could not process rule: Invalid argument
table inet firewall {
^^

This does not happen with a table of another family.

On the other hand, it seems that creating a table on the fly with the nft tool works, but does nothing when given a specific family.

Steps to reproduce a working example:
1. run `nft add table dummy`;
2. check that the table has been created by running `nft list tables`.

Now, if you try to create an inet, or even an ip6 table:
1. run `nft add table inet dummy2`;
2. check that the table hasn't been created with `nft list tables`.

Priority is very high, because the default configuration crashes.


Closed by Sébastien Luttringer (seblu)
Monday, 05 January 2015, 23:21 GMT
Reason for closing: Fixed
Additional comments about closing: nftables-1:0.4-2
Comment by Christian Hesse (eworm) - Friday, 02 January 2015, 19:03 GMT
This is an API issue with linux < 3.18.x. I suppose you are running linux 3.17.6 from [core]?

You could update to linux from [testing].

Any chance to see linux 3.18.1 in [core] soon?
Comment by Christian Hesse (eworm) - Friday, 02 January 2015, 19:06 GMT
Ah, just for the record: nft fails to set default icmp type and code for reject. You can replace

reject

with something like

reject with icmp type port-unreachable

for linux 3.17.x.
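The workaround in the comment above (spell out the ICMP type instead of relying on the kernel to fill in a default) is easy to apply by hand once, but a small check is handy when the same ruleset is deployed to hosts running different kernels. The script below is an added example, not code from the bug report or from the nftables package: it parses a `uname -r` style release string, decides whether the kernel is older than 3.18, lists the lines of a ruleset that contain a bare `reject`, and rewrites them to the explicit form suggested in the comment. The sample ruleset embedded in it is constructed for the example and is not the actual /etc/nftables.conf shipped by the package; the 3.18 threshold is taken from the comment above.

```python
import platform
import re

# Kernel version from which a bare "reject" loads without an explicit
# ICMP type/code (per the comment above: linux >= 3.18).
REJECT_DEFAULT_KERNEL = (3, 18)

# Explicit form suggested in the comment above for kernels < 3.18.
EXPLICIT_REJECT = "reject with icmp type port-unreachable"

# Constructed sample ruleset in the style of a minimal inet filter table.
# This is NOT the /etc/nftables.conf shipped by the package.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0;
        ct state established,related accept
        iif lo accept
        reject
    }
    chain forward {
        type filter hook forward priority 0;
        reject with icmp type host-unreachable
    }
}
"""

# A statement line consisting only of "reject" (plus surrounding blanks).
# Only spaces/tabs are allowed so the pattern never swallows newlines.
BARE_REJECT = re.compile(r"^([ \t]*)reject[ \t]*$", re.MULTILINE)


def parse_kernel_version(release: str) -> tuple:
    """Turn a `uname -r` string such as '3.17.6-1-ARCH' into (3, 17, 6)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def needs_explicit_reject(release: str) -> bool:
    """True when the kernel is older than 3.18, i.e. a bare `reject` will fail to load."""
    return parse_kernel_version(release)[:2] < REJECT_DEFAULT_KERNEL


def find_bare_rejects(ruleset: str) -> list:
    """Return the 1-based line numbers of statements that are a bare `reject`."""
    return [i for i, line in enumerate(ruleset.splitlines(), 1)
            if BARE_REJECT.match(line)]


def rewrite_bare_rejects(ruleset: str, explicit: str = EXPLICIT_REJECT) -> str:
    """Replace every bare `reject` with the explicit form, keeping indentation."""
    return BARE_REJECT.sub(lambda m: m.group(1) + explicit, ruleset)


if __name__ == "__main__":
    release = platform.release()
    print(f"running kernel: {release}")
    lines = find_bare_rejects(SAMPLE_RULESET)
    if needs_explicit_reject(release) and lines:
        print(f"bare 'reject' on line(s) {lines}; rewriting for a pre-3.18 kernel:")
        print(rewrite_bare_rejects(SAMPLE_RULESET))
    else:
        print("no rewrite needed")
```

Run it on a host and it reports whether the sample ruleset would need the rewrite for that kernel; to check a real file, read it into a string and pass it to `find_bare_rejects` and `rewrite_bare_rejects` instead of `SAMPLE_RULESET`. The rewrite only touches lines that consist of the single word `reject`, so statements that already carry an explicit type are left alone.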
Comment by Ma Jiehong (jiehong) - Friday, 02 January 2015, 19:37 GMT
Indeed, I do run linux 3.17.6.

Thank you for the note.
Comment by Sébastien Luttringer (seblu) - Monday, 05 January 2015, 23:20 GMT
"nft list tables" means "nft list tables ip". When you create an inet table, you have to use "nft list tables inet" to list them.

I switched to the syntax suggested by Christian, that works for both <3.18 and 3.18.
