Anything changed in rules for nft?
I have my own set of nft rules for a special purpose. This set has worked perfectly since 2021. However, today I am using the newest Tumbleweed and I get error messages when starting this set with nft.

The set is:

add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add chain ip filter reject_func
add rule ip filter INPUT iifname "lo" counter accept
add rule ip filter INPUT ct state established counter accept
add rule ip filter INPUT ip protocol icmp ct state related counter accept
add rule ip filter INPUT udp dport 5353 pkttype multicast counter accept
add rule ip filter OUTPUT oifname "lo" counter accept
add rule ip filter reject_func ip protocol tcp counter reject with tcp reset
add rule ip filter reject_func ip protocol udp counter reject
add rule ip filter reject_func counter reject with icmp type prot-unreachable

The error message is:

/etc/network/ruleset-init.nft:8:26-33: Error: Could not process rule: No such file or directory
add rule ip filter INPUT ct state established counter accept
                         ^^^^^^^^
/etc/network/ruleset-init.nft:9:43-50: Error: Could not process rule: No such file or directory
add rule ip filter INPUT ip protocol icmp ct state related counter accept
                                          ^^^^^^^^

Are there any changes in the syntax of nft rules?

--
fr.gr.

member openSUSE

Freek de Kruijf
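Both errors underline columns 26-33 of line 8 and 43-50 of line 9, which in this ruleset is the `ct state` expression, so the "No such file or directory" (ENOENT) comes from the kernel refusing the conntrack expression rather than from a missing file. The script below is an added example, not part of the thread: it maps nft's FILE:LINE:COL1-COL2 locations back to the underlined token using a constructed copy of the ruleset above (the temporary path and the leading comment line, which stands in for whatever first line the poster's file has, are assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): resolve an nft "FILE:LINE:COL1-COL2"
# error location back to the token it underlines, using only the ruleset
# file and the error text. nft itself is not needed, so this runs anywhere.
set -eu

# Constructed copy of the poster's ruleset. The errors cite lines 8 and 9, so
# the real file has one extra leading line; a comment stands in for it here.
RULESET="${TMPDIR:-/tmp}/ruleset-init.$$.nft"   # constructed path
trap 'rm -f "$RULESET"' EXIT
cat > "$RULESET" <<'EOF'
# placeholder for the first line of the original file (assumed)
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add chain ip filter reject_func
add rule ip filter INPUT iifname "lo" counter accept
add rule ip filter INPUT ct state established counter accept
add rule ip filter INPUT ip protocol icmp ct state related counter accept
add rule ip filter INPUT udp dport 5353 pkttype multicast counter accept
add rule ip filter OUTPUT oifname "lo" counter accept
add rule ip filter reject_func ip protocol tcp counter reject with tcp reset
add rule ip filter reject_func ip protocol udp counter reject
add rule ip filter reject_func counter reject with icmp type prot-unreachable
EOF

# The two error lines exactly as nft printed them in the thread.
ERR1='/etc/network/ruleset-init.nft:8:26-33: Error: Could not process rule: No such file or directory'
ERR2='/etc/network/ruleset-init.nft:9:43-50: Error: Could not process rule: No such file or directory'

# nft_error_token RULESET ERRORLINE -> prints the token nft underlined.
nft_error_token() {
    loc=${2%%: Error:*}               # "/etc/network/ruleset-init.nft:8:26-33"
    cols=${loc##*:}                   # "26-33"
    line=${loc%:*}; line=${line##*:}  # "8"
    sed -n "${line}p" "$1" | cut -c"$cols"
}

# Show which expression each error blames. ENOENT from the kernel on a ct
# expression usually means nft_ct / nf_conntrack could not be loaded, not
# that a file on disk is missing.
for err in "$ERR1" "$ERR2"; do
    printf '%s -> "%s"\n' "${err%%: Error:*}" "$(nft_error_token "$RULESET" "$err")"
done
```

On the affected system the next check would be whether the kernel can load its conntrack support at all (for example `modprobe -n -v nft_ct`), which fits the poster's later conclusion that the installation image was bad.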
On 04.04.2024 19:13, Freek de Kruijf wrote:
> I have my own set of nft rules for a special purpose. This set has worked perfectly since 2021. However, today I am using the newest Tumbleweed and I get error messages when starting this set with nft.
>
> The set is:
>
> add table ip filter
> add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
> add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
> add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
> add chain ip filter reject_func
> add rule ip filter INPUT iifname "lo" counter accept
> add rule ip filter INPUT ct state established counter accept
> add rule ip filter INPUT ip protocol icmp ct state related counter accept
> add rule ip filter INPUT udp dport 5353 pkttype multicast counter accept
> add rule ip filter OUTPUT oifname "lo" counter accept
> add rule ip filter reject_func ip protocol tcp counter reject with tcp reset
> add rule ip filter reject_func ip protocol udp counter reject
> add rule ip filter reject_func counter reject with icmp type prot-unreachable
>
> The error message is:
>
> /etc/network/ruleset-init.nft:8:26-33: Error: Could not process rule: No such file or directory
> add rule ip filter INPUT ct state established counter accept
>                          ^^^^^^^^
> /etc/network/ruleset-init.nft:9:43-50: Error: Could not process rule: No such file or directory
> add rule ip filter INPUT ip protocol icmp ct state related counter accept
>                                           ^^^^^^^^
>
> Are there any changes in the syntax of nft rules?

I tried your script on the just updated Tumbleweed and got no errors.
On Thursday 4 April 2024 20:17:20 CEST, Andrei Borzenkov wrote:
> On 04.04.2024 19:13, Freek de Kruijf wrote:
>> I have my own set of nft rules for a special purpose. This set has worked perfectly since 2021. However, today I am using the newest Tumbleweed and I get error messages when starting this set with nft.
>>
>> The set is:
>>
>> add table ip filter
>> add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
>> add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
>> add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
>> add chain ip filter reject_func
>> add rule ip filter INPUT iifname "lo" counter accept
>> add rule ip filter INPUT ct state established counter accept
>> add rule ip filter INPUT ip protocol icmp ct state related counter accept
>> add rule ip filter INPUT udp dport 5353 pkttype multicast counter accept
>> add rule ip filter OUTPUT oifname "lo" counter accept
>> add rule ip filter reject_func ip protocol tcp counter reject with tcp reset
>> add rule ip filter reject_func ip protocol udp counter reject
>> add rule ip filter reject_func counter reject with icmp type prot-unreachable
>>
>> The error message is:
>>
>> /etc/network/ruleset-init.nft:8:26-33: Error: Could not process rule: No such file or directory
>> add rule ip filter INPUT ct state established counter accept
>>                          ^^^^^^^^
>> /etc/network/ruleset-init.nft:9:43-50: Error: Could not process rule: No such file or directory
>> add rule ip filter INPUT ip protocol icmp ct state related counter accept
>>                                           ^^^^^^^^
>>
>> Are there any changes in the syntax of nft rules?
>
> I tried your script on the just updated Tumbleweed and got no errors.

Apparently something is wrong with the Tumbleweed image for the Raspberry Pi 4 I used to generate the system, although the checksum was OK.

--
fr.gr.

member openSUSE

Freek de Kruijf