From: "etkaar" <lists.netfilter.org@prvy.eu>
To: netfilter@vger.kernel.org
Subject: nftables >= 0.9.8: atomic update (nft -f ...) of a set not possible any more
Date: Tue, 04 Jan 2022 17:31:13 +0100 [thread overview]
Message-ID: <5tg3b13w5.PCaY2G@prvy.eu> (raw)
Dear colleagues,
given is following perfectly working ruleset (nft list ruleset), which drops almost all of the IPv4 traffic, but grants access to port 22 (SSH) for two IPv4 addresses provided by the set named 'whitelist_ipv4_tcp':
+++
table inet filter {
set whitelist_ipv4_tcp {
type inet_service . ipv4_addr
flags interval
elements = { 22 . 111.222.333.444,
22 . 555.666.777.888 }
}
set whitelist_ipv4_udp {
type inet_service . ipv4_addr
flags interval
}
set blacklist_ipv4 {
type ipv4_addr
flags interval
}
chain default_input {
type filter hook input priority filter + 1; policy drop;
ip saddr @blacklist_ipv4 drop
ct state established,related accept
ct state invalid drop
iifname "lo" accept
ip protocol icmp icmp type { echo-reply, destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
meta nfproto ipv4 tcp dport . ip saddr @whitelist_ipv4_tcp accept
meta nfproto ipv4 udp dport . ip saddr @whitelist_ipv4_udp accept
}
chain default_forward {
type filter hook forward priority filter; policy drop;
}
chain default_output {
type filter hook output priority filter; policy accept;
oifname "lo" accept
}
}
+++
Now comes the strange thing: In case the ruleset is atomically updated using following file (nft -f ...) the output of 'nft list ruleset' does not change at all (which is expected!), but now the IPv4 addresses do not any more have access:
+++
#!/usr/sbin/nft -f
flush set inet filter whitelist_ipv4_tcp
flush set inet filter whitelist_ipv4_udp
table inet filter {
set whitelist_ipv4_tcp {
type inet_service . ipv4_addr; flags interval;
elements = {
22 . 111.222.333.444/32,
22 . 555.666.777.888/32,
}
}
set whitelist_ipv4_udp {
type inet_service . ipv4_addr; flags interval;
}
}
+++
I have double-checked that in the logs:
+++
nft dropped: [...] SRC=111.222.333.444 DST=194.48.XXX.XX [...] DPT=22 [...]
+++
This problem is not present in Debian 10 (Buster) which uses nftables 0.9.0. But it is present in Debian 11 (Bullseye) which uses nftables 0.9.8. Because I even got a segmentation fault here I cannot reproduce yet, I tried it with nftables 1.0.1 - but still no success.
I don't understand how the 'nft list ruleset' output can be identical after using 'nft -f ...'. In any case, the IPv4 addresses are part of the whitelist set and are unexpectedly blocked.
Kind Regards,
etkaar
next reply other threads:[~2022-01-04 16:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-04 16:31 etkaar [this message]
2022-01-04 19:57 ` nftables >= 0.9.8: atomic update (nft -f ...) of a set not possible any more Florian Westphal
2022-01-04 23:22 ` Stefano Brivio
-- strict thread matches above, loose matches on Subject: below --
2022-01-07 14:54 etkaar
2022-04-22 12:08 etkaar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5tg3b13w5.PCaY2G@prvy.eu \
--to=lists.netfilter.org@prvy.eu \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.