From: "Álvaro Neira Ayuso" <alvaroneay@gmail.com>
To: pistenflitzer@alpenjodel.de
Cc: netfilter user mailinglist <netfilter@vger.kernel.org>
Subject: Re: Aw: Re: Problems to get started with nftables
Date: Wed, 18 Jun 2014 13:10:41 +0200 [thread overview]
Message-ID: <53A173B1.3030308@gmail.com> (raw)
In-Reply-To: <trinity-3a9fb6b3-7e0d-45aa-b7a5-6be4a31a2a5d-1402931994020@3capp-gmx-bs50>
Dear Michael,
On 16/06/14 17:19, pistenflitzer@alpenjodel.de wrote:
> Dear Álvaro,
>
> thank you for your detailed answers. Some questions still remain, unfortunately.
>
>>> icmp type { echo-request } limit rate 5/second counter accept
>> ^^^^^^^^^^^^^^^^
>> It's a single element, you don't need to use a set. You can use the rule
>
> I just added the braces to be consistent throughout the ruleset.
Ok, if you want to do that, but the kernel creates a set with only one
element (in your case). It's overkill.
>
>>> What I observe when I load these rules is that the accept in the log1 line is
>>> not enough to accept the packets. They are ultimately dropped in the log3
>>> rule. How do I get the packets through both rule chains?
>>
>> Because you have a table inet and a table ip6. The table ip6 filter
>> sees the ip6 traffic and the table inet filter sees the ip4 and ip6
>> traffic. You have defined the priority of the first chain at 0 so
>> nftables checks the rules there and after nftables checks the rules
>> inside of the filter chain in inet.
>>
>> I suggest you use one single filter table like inet.
>
> What would the rule look like? I tried to just copy it to the inet section,
> but I get "Error: conflicting protocols specified: inet-service vs. icmpv6".
>
> I created the separate ip and ip6 tables only for icmp and icmpv6, because I
> couldn't get past this issue:
> $ nft add rule inet filter input icmp type { echo-request } limit rate 5/second counter accept
> <cmdline>:1:28-36: Error: conflicting protocols specified: inet-service vs. icmp
> $ sudo nft add rule inet filter input icmpv6 type { echo-request } limit rate 5/second counter accept
> <cmdline>:1:28-38: Error: conflicting protocols specified: inet-service vs. icmpv6
> $ nft add rule ip6 filter input icmpv6 type { echo-request } limit rate 5/second counter accept
> <works>
You have found a bug. A temporary solution is to use the rules adding meta
nfproto, for example:
nft add rule inet filter input meta nfproto ipv4 \
icmp type echo-request counter accept
nft add rule inet filter input meta nfproto ipv6 \
icmpv6 type echo-request counter accept
I'm working on a fix for that.
>
>>> # udp sport bootps dport bootpc accept
>>
>> The rule is like that:
>>
>> nft add rule filter input udp sport bootps udp dport bootpc accept
>
> OK, I overlooked the second udp. Now, it works fine.
>
>>> And finally: Is there a way to match the destination mac address of an
>>> incoming packet?
>>
>> You must add a rule with ether like this:
>>
>> nft add rule filter input ether daddr 20:16:d8:a2:59:33 counter
>
> In what section would that go? When I just execute the command, I get:
> "<cmdline>:1:1-59: Error: Could not process rule: No such file or directory
> add rule filter input ether daddr 20:16:d8:a2:59:33 counter"
If you follow this trace:
nft add table filter
nft add chain filter input { type filter hook input priority 0 \; }
nft add rule filter input ether daddr 20:16:d8:a2:59:33 counter
it works for me. Try it and tell me if you have any problem. Maybe you
forgot to add the table or the chain?
Regards
Álvaro
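The consolidated single-table ruleset the thread asks for, as an added example that is not part of Álvaro's reply or the nftables project: one inet table carrying the meta nfproto workaround for ICMP, the two-keyword udp rule and the ether daddr match, written as an nft -f file and parse-checked before it is loaded. The drop policy, the lo/ct rules and the log prefix are my assumptions for a usable host; the -c check flag is that of current nft, not necessarily the 2014 release.

```shell
#!/bin/sh
# Added example: one inet table instead of separate ip/ip6/inet tables.
RULESET_FILE="${RULESET_FILE:-/tmp/filter-inet.nft}"

write_ruleset() {
    cat > "$1" <<'EOF'
table inet filter {
    chain input {
        # policy and the lo/ct rules are assumptions, not from the thread
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # one inet table sees both families; meta nfproto fixes the family
        # first, so icmp/icmpv6 no longer conflict with inet-service
        meta nfproto ipv4 icmp type echo-request limit rate 5/second counter accept
        meta nfproto ipv6 icmpv6 type echo-request limit rate 5/second counter accept
        # both udp keywords are required: sport and dport are separate matches
        udp sport bootps udp dport bootpc accept
        # link-layer match sits in the same chain; it only counts and falls through
        ether daddr 20:16:d8:a2:59:33 counter
        counter log prefix "inet-filter drop: " drop
    }
}
EOF
}

# Parse-check the file without applying it (needs nft and CAP_NET_ADMIN).
check_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        echo "nft not available or not root; skipping check of $1" >&2
    fi
}

# Load atomically: the whole file is applied or nothing is (needs root).
load_ruleset() {
    nft -f "$1"
}

write_ruleset "$RULESET_FILE"
check_ruleset "$RULESET_FILE"
```

Applying the file a second time appends duplicate rules to the existing table, so delete the table first or prepend a flush of that table to the file.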