On 2021-12-08, at 21:01:48 -0600, Bruce Link wrote:
> Package: nftables
> Version: 1.0.1-1
> Severity: normal
> Tags: upstream
>
> Dear Maintainer,
>
> * What led up to the situation?
> Running nft -f with the following configuration appears to trigger the bug.
> I've removed what I think are the non-relevant parts.
>
> table inet filter {
>     set netflix-ips {
>         type ipv4_addr;
>         flags interval;
>         elements = {
>             52.0.131.132,
>             23.221.228.214,
>             8.207.84.236,
>             54.204.25.0-54.204.25.16,
>             3.23.189.144-3.23.189.160,
>             34.195.253.0-34.195.253.128,
>         }
>     }
>
>     chain kill-kids-netflix {
>         ether saddr ba:db:ee:ff:5e:39 ip daddr @netflix-ips reject;
>     }
> }
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
> Not applicable.
>
> * What was the outcome of this action?
> nft returns the following:
>
> ~$ sudo nft -f /etc/nftables.conf
> BUG: unsupported familynft: evaluate.c:2766:
> stmt_evaluate_reject_inet_family: Assertion `0' failed.
> Aborted
>
> * What outcome did you expect instead?
> nft to load the rules properly or complain about my often poor syntax.
The error reporting is unhelpful. :)

nft will only infer how to do the reject for the `ip` and `ip6` families, but you are using the `inet` one. If you look for "REJECT STATEMENT" in the nft man-page you will see it talks about using 'icmpx' codes for the 'inet' family. Change it to:

    ether saddr ba:db:ee:ff:5e:39 ip daddr @netflix-ips reject with icmpx port-unreachable;

and it will work correctly.

nft could be a bit cleverer (or at least more informative) about this, so I will speak to the Netfilter development team.

J.
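As an added example (not part of this thread and not nftables project code), the following Python script is a pre-load check that scans a ruleset for bare `reject` statements inside `table inet` blocks and prints the `reject with icmpx port-unreachable` form the reply recommends. The sample ruleset is constructed to mirror the report; the rule it encodes (flag a bare `reject` only when the enclosing table family is `inet`) is taken from the reply above and is an assumption about what is worth flagging, not something nft itself diagnoses.

```python
import re

# Constructed sample ruleset in the shape of the bug report (assumed; not the reporter's full file).
# The first table is the problematic one; the second shows that a bare reject in an
# `ip` family table is not flagged, since nft infers the reject type there.
SAMPLE_RULESET = """\
table inet filter {
    set netflix-ips {
        type ipv4_addr;
        flags interval;
        elements = { 52.0.131.132, 54.204.25.0-54.204.25.16 }
    }

    chain kill-kids-netflix {
        ether saddr ba:db:ee:ff:5e:39 ip daddr @netflix-ips reject;
    }
}

table ip filter4 {
    chain input {
        tcp dport 23 reject;
    }
}
"""

# `table <family> <name> {` at the top level of the file.
TABLE_RE = re.compile(r'^\s*table\s+(\w+)\s+(\S+)\s*\{')
# A reject keyword with no `with ...` clause before the end of the statement/line.
BARE_REJECT_RE = re.compile(r'\breject\s*(;|$)')


def find_bare_inet_rejects(text):
    """Return (line_number, statement) pairs for bare rejects inside inet tables.

    Line-based: tracks brace depth to know which table a statement belongs to,
    and ignores anything after a '#' comment marker.
    """
    findings = []
    family = None   # family of the table we are currently inside, if any
    depth = 0       # current brace nesting depth
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.split('#', 1)[0]
        m = TABLE_RE.match(stripped)
        if m and depth == 0:
            family = m.group(1)
        if family == 'inet' and BARE_REJECT_RE.search(stripped):
            findings.append((lineno, stripped.strip()))
        depth += stripped.count('{') - stripped.count('}')
        if depth == 0:
            family = None   # left the table block
    return findings


def suggest_fix(statement):
    """Rewrite a bare `reject;` into the explicit inet form from the reply."""
    return re.sub(r'\breject\s*;', 'reject with icmpx port-unreachable;', statement)


def check_ruleset(text):
    """Return human-readable warnings, one per finding (empty list means clean)."""
    return [
        f"line {lineno}: bare reject in inet table; use: {suggest_fix(stmt)}"
        for lineno, stmt in find_bare_inet_rejects(text)
    ]


if __name__ == "__main__":
    # Run against the constructed sample; point it at /etc/nftables.conf instead
    # by reading that file into `text`.
    for warning in check_ruleset(SAMPLE_RULESET):
        print(warning)
```

The check is deliberately simple: it assumes one statement per line and no nested table definitions, which is how `nft list ruleset` and hand-written configs are normally laid out. Run it before `nft -f` so that a bare reject in an `inet` table is reported with a line number rather than surfacing as the assertion in the report.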