* "nft --check" not warning about missing statement in rule
@ 2022-05-16 7:50 Alexander Helmer
2022-05-16 13:31 ` Florian Westphal
From: Alexander Helmer @ 2022-05-16 7:50 UTC (permalink / raw)
To: 'netfilter@vger.kernel.org'
Hi everyone!
I got my first nftables-based firewall in production after many years with iptables. I opted to use a nft-script to manage the ruleset.
A small bash wrapper does some checks first and then loads the new ruleset.
One of those checks is a syntax-check with:
"nft -c -f #path-to-ruleset-file#"
For better readability I used newlines in some rules. Unfortunately at two places in the 2k lines script I failed to put a '\' at the end of a line which caused nftables to create two separate rules instead of one.
I do not understand how nftables interpreted the rules and why nft -c did not throw an error.
Both rules looked something like this (forward chain, drop policy):
ip saddr { xxxxx } \
ip daddr { yyyyy } < missing \ here
ct state new accept;
Nftables created the rules like this:
1. ip saddr { xxxxx } ip daddr { yyyyy }
2. ct state new accept
I guess I do not have to tell you why this was catastrophic.
I do not understand why the first rule is a valid rule since it does not contain a statement.
"nft -c" usually found other issues in the script and even in other included script-files (although the line numbers were never correct) so I assume it can check nft-scripts.
Is my understanding of the syntax wrong? Does a nftables rule not need a statement? If so, is no statement equal to the statement "continue"?
Or is nft -c not checking this case?
kind regards
Alexander
* Re: "nft --check" not warning about missing statement in rule
From: Florian Westphal @ 2022-05-16 13:31 UTC (permalink / raw)
To: Alexander Helmer; +Cc: 'netfilter@vger.kernel.org'
Alexander Helmer <a.helmer@internett.de> wrote:
> Hi everyone!
>
> I got my first nftables-based firewall in production after many years with iptables. I opted to use a nft-script to manage the ruleset.
> A small bash wrapper does some checks first and then loads the new ruleset.
>
> One of those checks is a syntax-check with:
> "nft -c -f #path-to-ruleset-file#"
>
> For better readability I used newlines in some rules. Unfortunately at two places in the 2k lines script I failed to put a '\' at the end of a line which caused nftables to create two separate rules instead of one.
> I do not understand how nftables interpreted the rules and why nft -c did not throw an error.
>
> Both rules looked something like this (forward chain, drop policy):
>
> ip saddr { xxxxx } \
> ip daddr { yyyyy } < missing \ here
> ct state new accept;
>
>
> Nftables created the rules like this:
>
> 1. ip saddr { xxxxx } ip daddr { yyyyy }
Implicit continue, just as you guessed already.
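The failure in this thread, as an added example that is neither the poster's wrapper script nor part of nft: a hypothetical lint that joins backslash-continued lines the way the nft parser does and flags any rule that carries no verdict or statement, so a missing '\' shows up as a finding instead of an implicit continue. The keyword lists and the sample ruleset are assumptions constructed for the example.

```python
import re
# Verdicts and common statements; a rule with none of them only matches and
# falls through (implicit continue). Assumption: conservative list, extend it.
STATEMENT_WORDS = {"accept", "drop", "reject", "jump", "goto", "return",
                   "continue", "log", "counter", "queue", "notrack", "snat",
                   "dnat", "masquerade", "redirect", "set", "update"}
# Lines starting with one of these are rules; table/chain scaffolding is skipped.
MATCH_WORDS = {"ip", "ip6", "tcp", "udp", "icmp", "icmpv6", "meta", "ct",
               "iif", "oif", "iifname", "oifname", "ether", "sctp", "arp"}

def logical_lines(text):
    """Yield (first_line_no, text) with trailing-backslash lines joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop '#' comments
        start = no if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(buf)

def lint(text):
    """Return [(line_no, rule)] for every rule that has no statement word."""
    findings = []
    for no, logical in logical_lines(text):
        for rule in logical.split(";"):
            # blank out set literals and quoted strings before looking at words
            words = re.sub(r"\{[^}]*\}|\"[^\"]*\"", " ", rule).split()
            if words and words[0] in MATCH_WORDS and not STATEMENT_WORDS & set(words):
                findings.append((no, " ".join(rule.split())))
    return findings

# Constructed sample: rule 2 lost its trailing '\', so its last line became its own rule.
SAMPLE = """\
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ip saddr { 10.0.0.0/8 } \\
        ip daddr { 192.0.2.0/24 } \\
        ct state new accept
        ip saddr { 10.0.0.0/8 } \\
        ip daddr { 198.51.100.0/24 }
        ct state new accept
    }
}
"""
```

Run `lint(open(path).read())` from the wrapper before `nft -c -f`; the reported line number is that of the rule's first line in the file.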