tmick
05-23-2022 07:26 PM
nftables errors stating unexpected ip6?
So I'm getting errors about an unexpected ip6 in nftables when I run:
Code:
sudo nft -f /etc/nftables.conf
/etc/nftables.conf:41:3-5: Error: syntax error, unexpected ip6
ip6 nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
^^^
/etc/nftables.conf:42:3-5: Error: syntax error, unexpected ip6
ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept
^^^
/etc/nftables.conf:45:11-14: Error: syntax error, unexpected drop, expecting string
counter drop
^^^^
If I run:
Code:
sudo nft --check --file /etc/nftables.conf
/etc/nftables.conf:41:3-5: Error: syntax error, unexpected ip6
ip6 nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
^^^
/etc/nftables.conf:42:3-5: Error: syntax error, unexpected ip6
ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept
^^^
/etc/nftables.conf:45:11-14: Error: syntax error, unexpected drop, expecting string
counter drop
^^^^
Debian ships example files, and I also tried to use
Quote:
meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept
and it doesn't like that either; I get errors about an unexpected meta.
My nftables.conf looks like this:
Code:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain base_checks {
        # Drop invalid connections and allow established/related connections
        ct state invalid drop
        ct state {established, related} accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        jump base_checks
        # Allow from loopback
        iifname lo accept
        iifname != lo ip daddr 127.0.0.1/8 drop
        # New UDP traffic will jump to the UDP chain
        ip protocol udp ct state new jump UDP
        # New TCP traffic will jump to the TCP chain
        tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
        # Everything else
        ip protocol udp reject
        ip protocol tcp reject with tcp reset
        reject with icmpx type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    # ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
    ip6 nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
    ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept
    # count and drop any other traffic
    counter drop
    # ---------------------------------------------------------------------------------
    ##CHAIN RULES
    # TCP chain
    set TCP_accepted {
        type inet_service; flags interval;
        elements = {1714-1764}
    }
    chain TCP {
        tcp dport @TCP_accepted accept
    }
    # UDP chain
    set UDP_accepted {
        type inet_service; flags interval;
        elements = {1714-1764}
    }
    chain UDP {
        udp dport @UDP_accepted accept
    }
}
I'd love to know what I did wrong here, help is appreciated.
I also want enp1s0 (usually called eth0) and tun0 (my VPN) to be able to trust each other, but I can't find anything on the syntax for that. Any ideas?
I'm trying to get rid of these messages in my logs:
Code:
May 23 16:02:04 DebianTim kernel: [89979.947803] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=356592 PROTO=ICMPv6 TYPE=134 CODE=0