[nftables] table netdev, chain ingress, too much interfaces?

[nftables] table netdev, chain ingress, too much interfaces?

[Mathias Dufresne]

Hi,

Still playing around auto-generated firewalls rules, I have one
firewall with two interfaces accepting a chain while the other
firewall which has 13 interfaces refuses the very same chain in the
very same table.

Once this table is removed the whole configuration is working.

The full table is:
table netdev filter_4_all {
  chain LOG_INGRESS_TCP {
    counter packets 0 bytes 0 log prefix "DROP_INGRESS_TCP: " group 1
    counter packets 0 bytes 0 drop
  }
  chain ingress {
    type filter hook ingress priority -499 ;
    # ip fragments
    ip frag-off & 0x1fff != 0 counter drop
    # tcp XMAS
    tcp flags & (fin|psh|urg) == fin|psh|urg counter jump LOG_INGRESS_TCP
    # tcp NULL
    tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter jump LOG_INGRESS_TCP
    # tcp MSS
    tcp flags syn tcp option maxseg size 1-535 counter jump LOG_INGRESS_TCP
  }
}

and the error is:
nftables.conf:7:5-42: Error: Missing `device' in this chain definition
    type filter hook ingress priority -499 ;
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I also tried to "define" a variable using:
define all_interfaces = { eth_name01, eth_name02, ... }

using it with:
type filter hook ingress device $all_interfaces priority -499 ;

which results with:
Segmentation fault

And using a "set" declared into the table::
  set all_IFs {
    type ifname
    elements = {
       eth_name01,
       eth_name02,
       ...
       eth_name13
    }
  }

But using:
type filter hook ingress device @all_IFs priority -499 ;

results with:
nftables.conf:28:37-37: Error: syntax error, unexpected @, expecting
string or quoted string or string with a trailing asterisk or '$'
    type filter hook ingress device @all_IFs priority -499 ;
                                    ^
The "^" is pointing to the "@"...

I suppose the error is somewhere between my chair and my keyboard but
still, I can't find a workaround... Any help would be greatly
appreciated ; )

Best regards,
mathias

Re: [nftables] table netdev, chain ingress, too much interfaces?

[Pablo Neira Ayuso]

On Fri, Mar 13, 2026 at 11:51:25AM +0100, Mathias Dufresne wrote:
[...]
> and the error is:
> nftables.conf:7:5-42: Error: Missing `device' in this chain definition
>     type filter hook ingress priority -499 ;
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It sounds like you are using old userspace version.

Re: [nftables] table netdev, chain ingress, too much interfaces?

[Mathias Dufresne]

Hello Pablo,

A great thanks to you, my mistake was the major version of the systems
I used. One was Debian 13 and the one behaving strangely was still a
Debian 12.

Once the older one was rebuilt using latest major version, the issue
disappeared.

Cheers,

Mathias

Le dim. 15 mars 2026 à 19:03, Pablo Neira Ayuso <pablo@netfilter.org> a écrit :
>
> On Fri, Mar 13, 2026 at 11:51:25AM +0100, Mathias Dufresne wrote:
> [...]
> > and the error is:
> > nftables.conf:7:5-42: Error: Missing `device' in this chain definition
> >     type filter hook ingress priority -499 ;
> >     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> It sounds like you are using old userspace version.