On 2021-12-09 03:13, Jeremy Sowden wrote:
On 2021-12-08, at 21:01:48 -0600, Bruce Link wrote:
> Package: nftables
> Version: 1.0.1-1
> Severity: normal
> Tags: upstream
>
> Dear Maintainer,
>
> * What led up to the situation?
>
> Running nft -f with the following configuration appears to trigger the
> bug. I've removed what I think are the non-relevant parts.
>
>     table inet filter {
>         set netflix-ips {
>             type ipv4_addr;
>             flags interval;
>             elements = { 52.0.131.132, 23.221.228.214, 8.207.84.236,
>                          54.204.25.0-54.204.25.16, 3.23.189.144-3.23.189.160,
>                          34.195.253.0-34.195.253.128, }
>         }
>         chain kill-kids-netflix {
>             ether saddr ba:db:ee:ff:5e:39 ip daddr @netflix-ips reject;
>         }
>     }
>
> * What exactly did you do (or not do) that was effective (or ineffective)?
>
> Not applicable.
>
> * What was the outcome of this action?
>
> nft returns the following:
>
>     ~$ sudo nft -f /etc/nftables.conf
>     BUG: unsupported family
>     nft: evaluate.c:2766: stmt_evaluate_reject_inet_family: Assertion `0' failed.
>     Aborted
>
> * What outcome did you expect instead?
>
> nft to load the rules properly or complain about my often poor syntax.

The error reporting is unhelpful. :)

nft will only infer how to do the reject for the `ip` and `ip6` families, but you are using the `inet` one. If you look for "REJECT STATEMENT" in the nft man-page you will see it talks about using 'icmpx' codes for the 'inet' family. Change it to:

    ether saddr ba:db:ee:ff:5e:39 ip daddr @netflix-ips reject with icmpx port-unreachable;

and it will work correctly.

nft could be a bit cleverer (or at least more informative) about this, so I will speak to the Netfilter development team.

J.
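The mistake Jeremy describes is easy to make and the assertion failure gives no hint of where it came from. The following is an added example, not code from the thread or from the nftables project: a small Python pre-check that scans an nftables config before it is loaded, flags any plain `reject` statement inside an `inet` table, and proposes the family-independent `reject with icmpx port-unreachable` form. The sample configuration embedded below is constructed for the demonstration (it reuses the reporter's rule shape with documentation addresses); the parsing is a simple brace-depth scan, which is an assumption about the config layout rather than a full nft grammar.

```python
import re

# Constructed sample config: one inet table with the reporter's bare `reject`
# and one correctly written rule, plus an ip-family table where a bare
# `reject` is fine because nft can infer the ICMP type from the family.
SAMPLE_CONFIG = """\
table inet filter {
    chain kill-kids-netflix {
        ether saddr ba:db:ee:ff:5e:39 ip daddr @netflix-ips reject;
        ip daddr 192.0.2.1 reject with icmpx port-unreachable;
    }
}
table ip filter4 {
    chain out {
        ip daddr 192.0.2.2 reject;
    }
}
"""

# `table <family> <name> {` at the top level of the file.
TABLE_RE = re.compile(r'^\s*table\s+(\w+)\s+(\S+)\s*\{')
# A `reject` keyword (not part of a longer identifier such as a set name)
# that is NOT followed by a `with ...` clause.
BARE_REJECT_RE = re.compile(r'(?<![\w@.-])reject(?![\w.-])(?!\s+with\b)')

ICMPX_FIX = 'reject with icmpx port-unreachable'


def find_bare_inet_rejects(config):
    """Return (line_no, stripped_line) for each bare `reject` inside an inet table.

    Tracks brace depth so a table's family applies only to the lines it encloses.
    Comments (after '#') are ignored.
    """
    findings = []
    family = None
    depth = 0
    for line_no, line in enumerate(config.splitlines(), 1):
        code = line.split('#', 1)[0]
        match = TABLE_RE.match(code)
        if match and depth == 0:
            family = match.group(1)
        if family == 'inet' and BARE_REJECT_RE.search(code):
            findings.append((line_no, code.strip()))
        depth += code.count('{') - code.count('}')
        if depth == 0:
            family = None
    return findings


def suggest_fix(rule_line):
    """Rewrite a bare `reject` into the inet-safe icmpx form."""
    return BARE_REJECT_RE.sub(ICMPX_FIX, rule_line)


def check_config(config):
    """Return a list of human-readable warnings, one per offending rule."""
    return [
        f'line {line_no}: plain `reject` in an inet table will not load; '
        f'use: {suggest_fix(rule)}'
        for line_no, rule in find_bare_inet_rejects(config)
    ]


if __name__ == '__main__':
    for warning in check_config(SAMPLE_CONFIG):
        print(warning)
```

Running the script prints one warning for line 3 of the sample and none for the `ip`-family table, which is the distinction Jeremy draws: only the `inet` family needs the explicit `icmpx` code. Wiring `check_config` into whatever deploys `/etc/nftables.conf` turns the opaque assertion into an actionable message before `nft -f` runs.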
Jeremy,

Thank you for the clarification. I hope my feedback provides some value.

Bruce

