Package: nftables
Version: 0.8-1
Severity: important

Dear Maintainer,

I use a script to set the rules with nft. It worked well before today's update. I don't know what was updated. My (executable) script is

-------------------
#!/usr/sbin/nft -f

flush ruleset
#include "nftables.conf"
# define inner_net = {10.0.0.0/8,10.14.129.0/24,10.110.64.0/24}

# ipp:631, mldonkey:4000, mldonkey_http:4080, rpc:111, ftp:21, ssh:22
define tcp_port = {111,22}
# 1701:l2tpd, dns:53, ipp:631, mdns:5353
define udp_port = {53,631,5353}
# 21688 for mldonkey (TCP) 21688+4 for mldonkey (UDP)
define ml_tcp_port= {21688, 51413}
define ml_udp_port= {21692, 51413}

add table vnat
add table myfilter
add chain myfilter tcp_chain
add chain myfilter udp_chain
add chain myfilter myinput {
	type filter hook input priority 0; policy drop;
	ct state established,related accept;
	#ip protocol icmp counter accept ;
	ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
	ct state new tcp flags syn tcp dport $tcp_port jump tcp_chain;
	ct state new udp dport $udp_port jump udp_chain;
	ct state new tcp flags syn tcp dport $ml_tcp_port accept;
	ct state new udp dport $ml_udp_port accept;
	ip protocol icmp ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
}

#add rule myfilter tcp_chain ip saddr $inner_net accept;
add rule myfilter tcp_chain ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
add rule myfilter tcp_chain limit rate 5/hour counter;

#add rule myfilter udp_chain ip saddr $inner_net accept;
add rule myfilter udp_chain ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
add rule myfilter udp_chain limit rate 5/hour counter;
----------------------------

After setting the ruleset with the script, I check the ruleset with

    nft list ruleset

The output is

table ip vnat {
}
table ip myfilter {
	chain tcp_chain {
		ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
		limit rate 5/hour counter packets 0 bytes 0
	}

	chain udp_chain {
		ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
		limit rate 5/hour counter packets 0 bytes 0
	}

	chain myinput {
		type filter hook input priority 0; policy drop;
	}
}

This shows most of the rules in the script are not read. Because my policy is 'drop', the net disconnects. I have to set the policy to 'accept'. I think this may be a bug.

Best regards,
Lu Wang

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg          1.18.24
ii  libc6         2.24-17
ii  libgmp10      2:6.1.2+dfsg-1.1
ii  libmnl0       1.0.4-2
ii  libnftnl7     1.0.8-1
ii  libreadline7  7.0-3
ii  libxtables12  1.6.1-2+b1

nftables recommends no packages.

nftables suggests no packages.

-- no debconf information
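A post-load check for the failure described in the report, added here as an example and not part of the bug report or of the nftables project: it parses the nft list ruleset output quoted above (only the myfilter table is embedded), lists the rules the script intended for chain myinput that did not load, and flags a hook chain that ended up with policy drop and no rules, which is the lockout the reporter hit. The expected rule strings assume nft prints the $tcp_port style sets as anonymous sets such as { 111, 22 }; the indentation of the embedded output is constructed.

```python
import re
# "nft list ruleset" output reconstructed from the bug report, embedded so the check runs offline.
LOADED = """\
table ip myfilter {
    chain tcp_chain {
        ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
        limit rate 5/hour counter packets 0 bytes 0
    }
    chain myinput {
        type filter hook input priority 0; policy drop;
    }
}
"""
# Rules the script meant for myinput; the port sets are written the way nft prints
# anonymous sets (an assumption: adjust the strings to your nft version's output).
EXPECTED_MYINPUT = [
    "ct state established,related accept",
    "ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept",
    "ct state new tcp flags syn tcp dport { 111, 22 } jump tcp_chain",
    "ct state new udp dport { 53, 631, 5353 } jump udp_chain",
    "ct state new tcp flags syn tcp dport { 21688, 51413 } accept",
    "ct state new udp dport { 21692, 51413 } accept",
    "ip protocol icmp ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept",
]
COUNTER_STATS = re.compile(r"counter packets \d+ bytes \d+")  # live stats, not rule text

def parse_ruleset(text):  # -> {(table, chain): {"policy": str or None, "rules": [str]}}
    chains, table, chain = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"table \S+ (\S+) \{", line):
            table = m.group(1)
        elif m := re.match(r"chain (\S+) \{", line):
            chain = (table, m.group(1))
            chains[chain] = {"policy": None, "rules": []}
        elif line == "}":  # closes the open chain if any, otherwise the table
            table, chain = (table, None) if chain else (None, None)
        elif chain and line.startswith("type "):  # base-chain header carries the policy
            m = re.search(r"policy (\w+)", line)
            chains[chain]["policy"] = m.group(1) if m else None
        elif chain and line:
            chains[chain]["rules"].append(COUNTER_STATS.sub("counter", line))
    return chains

def missing_rules(chains, table, chain, expected):  # intended rules nft did not load
    loaded = chains.get((table, chain), {"rules": []})["rules"]
    return [r for r in expected if r not in loaded]

def lockout_risk(chains, table, chain):  # hook chain with policy drop and no rules at all
    entry = chains.get((table, chain))
    return bool(entry) and entry["policy"] == "drop" and not entry["rules"]
```

Run against the live output right after loading the script (for example by piping nft list ruleset into parse_ruleset), and treat a non-empty missing_rules result or a lockout_risk of True as a failed deployment rather than switching the policy to accept.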