# nftables rules syntax error

## josephg

Trying to migrate from iptables to nftables, I followed the Gentoo nftables wiki re kernel config.

```
$ lsmod | grep ^nf
nft_limit              12288  0
nft_counter            12288  0
nft_log                12288  0
nf_tables              61440  3 nft_limit,nft_counter,nft_log
nfnetlink              12288  1 nf_tables
nf_log_ipv4            12288  3
nf_log_common          12288  1 nf_log_ipv4
nf_reject_ipv4         12288  1 ipt_REJECT
nf_conntrack_ipv4      12288  8
nf_defrag_ipv4         12288  1 nf_conntrack_ipv4
nf_conntrack           45056  2 nf_conntrack_ipv4,xt_conntrack
```

I copied rules from Gentoo wiki examples.

```
$ cat /etc/conf.d/nftables.rules
#!/sbin/nft -f
flush ruleset
# filter, inet
table inet filter {
        chain output {
                type filter hook output priority 0; policy accept;
                counter comment "count accepted packets"
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "drop invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                iifname lo accept comment "accept loopback"
                iifname != lo ipv4 daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                iifname != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all icmp types"
                ip6 nexthdr icmpv6 counter accept comment "accept all icmp types"
                tcp dport 22 counter accept comment "accept ssh"
                counter comment "count dropped packets"
        }
}
```

I get a syntax error :Sad:

```
$ sudo nft -f /etc/conf.d/nftables.rules
/etc/conf.d/nftables.rules:22:36-40: Error: syntax error, unexpected daddr
                iifname != lo ipv4 daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                                   ^^^^^
```

----------

## guitou

Hello, got absolutely no knowledge of the subject, but after a quick glance at some docs, I think your mistake is at "ipv4" (should be simply "ip" instead, no?)

++

Gi)

----------

## josephg

 *guitou wrote:*   

> Hello, got absolutely no knowledge of the subject, but after a quick glance at some docs, I think your mistake is at "ipv4" (should be simply "ip" instead, no?)

 

Hello, thank you for the initiative :Smile: Yes, I think you're right. I looked at the nftables wiki and changed "ipv4" to "ip". That error has gone away. Perhaps the Gentoo wiki needs to be corrected?

----------

## josephg

Now that error is gone, but I have a whole raft of new errors:

```
$ sudo nft -f /etc/conf.d/nftables.rules
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Address family not supported by protocol
table inet filter {
^^
/etc/conf.d/nftables.rules:7:15-20: Error: Could not process rule: Address family not supported by protocol
        chain output {
              ^^^^^^
/etc/conf.d/nftables.rules:12:15-21: Error: Could not process rule: Address family not supported by protocol
        chain forward {
              ^^^^^^^
/etc/conf.d/nftables.rules:17:15-19: Error: Could not process rule: Address family not supported by protocol
        chain input {
              ^^^^^
/etc/conf.d/nftables.rules:20:26-47: Error: Could not process rule: Address family not supported by protocol
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                         ^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:20:26-47: Error: Could not process rule: Address family not supported by protocol
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                         ^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:9:17-23: Error: Could not process rule: Address family not supported by protocol
                counter comment "count accepted packets"
                ^^^^^^^
/etc/conf.d/nftables.rules:14:17-23: Error: Could not process rule: Address family not supported by protocol
                counter comment "count dropped packets"
                ^^^^^^^
/etc/conf.d/nftables.rules:19:17-45: Error: Could not process rule: Address family not supported by protocol
                ct state invalid counter drop comment "drop invalid packets"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:20:17-62: Error: Could not process rule: Address family not supported by protocol
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:21:17-33: Error: Could not process rule: Address family not supported by protocol
                iifname lo accept comment "accept loopback"
                ^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:23:17-63: Error: Could not process rule: Address family not supported by protocol
                iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:24:17-60: Error: Could not process rule: Address family not supported by protocol
                iifname != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:25:17-47: Error: Could not process rule: Address family not supported by protocol
                ip protocol icmp counter accept comment "accept all icmp types"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:26:17-49: Error: Could not process rule: Address family not supported by protocol
                ip6 nexthdr icmpv6 counter accept comment "accept all icmp types"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:27:17-43: Error: Could not process rule: Address family not supported by protocol
                tcp dport 22 counter accept comment "accept ssh"
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:28:17-23: Error: Could not process rule: Address family not supported by protocol
                counter comment "count dropped packets"
```

I manually added the table/chains before trying again, but I get the same errors as above.

Maybe I'm doing this without understanding any of it, simply blind-copying from the Gentoo wiki and hoping the wiki is telling me right.

----------

## spidark

 *josephg wrote:*   

> Maybe I'm doing it without understanding all of this and simply blind copying from Gentoo Wiki and hoping the wiki is telling me right.

 

Don't know if you already solved your issue.

I have no idea (yet) what I'm doing.

But this works (crippled, I think, but it works).

Can't remember where I got it from :Sad: Sorry, original author, and thanks.

However, it does time out my eix-sync, and dhclient complains about ipv6 not permitted because of the drop state (working on that).

Maybe you can figure it out.

```
#==== TO LIST sudo nft list ruleset
#==== TO DISCRIBE PORTS do sudo nft describe tcp dport
flush ruleset
table inet filter {
    set tcp_accepted {
        type inet_service; flags interval;
        elements = {
            http, https, rsync,
        }
    }
    set udp_accepted {
        type inet_service; flags interval;
        elements = {
            domain,
        }
    }
    chain base_checks {
        # allow established/related connections
        ct state {established, related} accept
        # early drop of invalid connections
        ct state invalid log prefix "Invalid Input Connection: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        jump base_checks
        # allow from loopback
        iifname lo accept
        # allow icmp
        ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept
        # allow ports
        #tcp dport @tcp_accepted accept
        #udp dport @udp_accepted accept
        # everything else
        reject with icmpx type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        log prefix "Dropped Forward Connection: "
    }
    chain output {
        type filter hook output priority 0; policy drop;
        jump base_checks
        # allow ports
        tcp dport @tcp_accepted accept
        udp dport @udp_accepted accept
        #log prefix "Invalid Output Connection: " Warning : This floods logs
    }
}
```

----------

## josephg

 *spidark wrote:*   

>  *josephg wrote:*   Maybe I'm doing this without understanding any of it, simply blind-copying from the Gentoo wiki and hoping the wiki is telling me right.
> 
> Don't know if you already solved your issue.
> 
> I have no idea (yet) what I'm doing.

 

Thank you spidark. I've abandoned nftables and removed those modules from the kernel, as I was getting weird issues that seem to have since disappeared, which might be completely unrelated. I felt like I was groping too much in the dark, and the nftables error messages felt too cryptic for me.

----------

## spidark

 *josephg wrote:*   

> 
> 
> Thank you spidark. I've abandoned nftables and removed those modules from the kernel, as I was getting weird issues that seem to have since disappeared, which might be completely unrelated. I felt like I was groping too much in the dark, and the nftables error messages felt too cryptic for me.

 

No problem Josephg,

I read your kernel paging issue post. I do not have that issue, and I'm running the same kernel, 4.14.65-gentoo.

Maybe not related, but just in case. :Wink:

```
CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=m
CONFIG_NF_TABLES_NETDEV=m
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_ARP is not set
CONFIG_NF_TABLES_IPV6=m
[I] net-firewall/nftables
     Available versions:  0.8-r3 ~0.8.5 ~0.9.0 {debug doc +gmp json +readline KERNEL="linux"}
     Installed versions:  0.8-r3(09:57:13 AM 09/12/2018)(gmp readline -debug -doc KERNEL="linux")
```

----------

## josephg

Thank you spidark :Smile: you whet my appetite again.

So now I have

```
CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set
CONFIG_KALLSYMS_BASE_RELATIVE=y
```

CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y depends on KALLSYMS=y, which is not set. I see you have it on.

```
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_NETDEV is not set
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_ARP is not set
```

I don't need the netdev table yet, nor ip6.

I see your ruleset has "ct state", "log", "nexthdr", "reject", etc. I think you need additional kernel module(s) for those to work. Do you not have them in your running kernel?

----------

## Anon-E-moose

Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables?

----------

## spidark

 *josephg wrote:*   

> Thank you spidark, you whet my appetite again.
> 
> I see your ruleset has "ct state", "log", "nexthdr", "reject", etc. I think you need additional kernel module(s) for those to work. Do you not have them in your running kernel?

 

Hi Josephg,

OK, let's compare .config and see what you do or don't have.

```
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=m
CONFIG_NF_TABLES_NETDEV=m
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_ARP is not set
CONFIG_NF_TABLES_IPV6=m
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_ADVANCED is not set
# Core Netfilter Configuration
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_LOG=y
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_NAT=m
# CONFIG_NETFILTER_XT_TARGET_NETMAP is not set
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
# CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
# IP: Netfilter Configuration
# IPv6: Netfilter Configuration
# iptables trigger is under Netfilter config (LED target)
CONFIG_NF_DEFRAG_IPV6=y
CONFIG_NF_CONNTRACK_IPV6=y
# CONFIG_NF_SOCKET_IPV6 is not set
CONFIG_NF_TABLES_IPV6=m
# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set
CONFIG_NFT_REJECT_IPV6=m
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=y
CONFIG_NF_LOG_IPV6=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
# CONFIG_NF_SOCKET_IPV4 is not set
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NFT_CHAIN_ROUTE_IPV4 is not set
CONFIG_NFT_REJECT_IPV4=m
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
# CONFIG_NF_DUP_IPV4 is not set
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_NAT_IPV4=m
# CONFIG_NFT_CHAIN_NAT_IPV4 is not set
CONFIG_NF_NAT_MASQUERADE_IPV4=m
# CONFIG_NFT_MASQ_IPV4 is not set
# CONFIG_NFT_REDIR_IPV4 is not set
```

You should look up the difference between ip and inet.

inet is stacked ipv4 combined with ipv6.

ip separates ipv4 from ipv6.

But it's documented on Gentoo.

And always flush your ruleset, or weird stuff will happen.

This was a test rule that also worked.

Change the inet to ip, and enjoy the errors. :Laughing:

Funny thing about the code below: it's inet, but I can still use ip6 to block all ipv6 traffic.

I still have to look into that.

```
flush ruleset
table inet filter {
   chain input {
      type filter hook input priority 0; policy accept;
      ct state established,related accept
      ct state invalid counter packets 0 bytes 0 drop comment "drop invalid packets"
      ct state != related drop
      iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
      iif "lo" accept
      ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } drop
      ip protocol icmp icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } drop
      ip protocol igmp drop
      counter packets 0 bytes 0 drop
   }
   chain output {
      type filter hook output priority 0; policy drop;
      ct state related accept
      oif "lo" accept
      oif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
      tcp dport smtp accept
      tcp dport domain accept
      tcp dport http accept
      tcp dport https accept
      udp dport domain accept
      tcp dport rsync accept
      tcp dport git accept
      tcp dport 9050 accept
      counter packets 0 bytes 0 drop comment "count accepted packets"
   }
   chain forward {
      type filter hook forward priority 0; policy drop;
      counter packets 0 bytes 0 comment "count dropped packets"
   }
}
table ip6 filter6 {
   chain input {
      type filter hook input priority 0; policy drop;
      counter packets 0 bytes 0 comment "count dropped packets"
   }
   chain output {
      type filter hook output priority 0; policy drop;
      counter packets 0 bytes 0 comment "count dropped packets"
   }
   chain forward {
      type filter hook forward priority 0; policy drop;
      counter packets 0 bytes 0 comment "count dropped packets"
   }
}
```

Let me know if it worked.

----------

## spidark

 *Anon-E-moose wrote:*   

> Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables?

 

Seriously Anon-E-moose, this tool exists :Shocked:

I'm guessing by enabling the nftables USE flag on the iptables package?

----------

## Anon-E-moose

 *spidark wrote:*   

>  *Anon-E-moose wrote:*   Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables?
> 
> Seriously Anon-E-moose, this tool exists
> 
> I'm guessing by enabling the nftables USE flag on the iptables package?

 

Yep, I ran across it when researching using nftables. It does it line by line, but still, it's a start.

And yes, it gets created with the nftables USE flag when emerging iptables.

You give it the old line, it gives you the nftables equivalent.

Edit to add: for example, from my iptables file:

```
iptables-translate -A INPUT -i eth0 -p tcp -s 0/0 --dport 25 -m limit --limit 2/minute -j LOG --log-prefix="IPTABLES:mail "
```

output:

```
nft add rule ip filter INPUT iifname eth0 tcp dport 25 limit rate 2/minute burst 5 packets counter log prefix \"IPTABLES:mail \"
```

----------

## josephg

A.N..D... voila, I get it again:

```
BUG: unable to handle kernel paging request at 0002ffa8
IP: __radix_tree_lookup+0x11/0xe0
*pdpt = 00000000206fc001 *pde = 0000000000000000 
Oops: 0000 [#1] SMP
Modules linked in: nft_meta nft_log nft_counter nft_ct nf_tables_ipv4 nf_tables nfnetlink ctr ccm af_packet nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 xt_pkttype xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_multiport xt_conntrack nf_conntrack iptable_filter ip_tables x_tables zram zsmalloc ext4 crc16 mbcache jbd2 arc4 ath9k ath9k_common bfq ath9k_hw mac80211 coretemp i915 ath cfg80211 i2c_algo_bit hwmon snd_hda_codec_realtek snd_hda_codec_generic input_leds rfkill drm_kms_helper cfbfillrect psmouse snd_hda_intel atkbd snd_hda_codec sr_mod ehci_pci evdev syscopyarea cfbimgblt sysfillrect sdhci_pci libps2 lpc_ich snd_hwdep ehci_hcd sdhci mmc_core cdrom snd_hda_core mfd_core sysimgblt fb_sys_fops cfbcopyarea i2c_i801 led_class snd_pcm pcspkr fan thermal button usbcore drm
 battery snd_timer intel_agp video intel_gtt pcc_cpufreq rtc_cmos backlight acpi_cpufreq agpgart ac i8042 serio snd soundcore usb_common
CPU: 0 PID: 18186 Comm: DOM Worker Tainted: G     U          4.14.65-gentoo-jgv #23
Hardware name: TOSHIBA Satellite Pro A300/Portable PC, BIOS 2.20 12/07/2009
task: f141b000 task.stack: e0192000
EIP: __radix_tree_lookup+0x11/0xe0
EFLAGS: 00210286 CPU: 0
EAX: 0002ffa4 EBX: a11df000 ECX: 00000000 EDX: 01ffffff
ESI: 01ffffff EDI: 00000000 EBP: 0002ffa0 ESP: e0193de4
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
CR0: 80050033 CR2: 0002ffa8 CR3: 24be3860 CR4: 000006f0
Call Trace:
 ? radix_tree_lookup_slot+0xb/0x20
 ? find_get_entry+0x19/0xe0
 ? pagecache_get_page+0x1c/0x210
 ? lookup_swap_cache+0x30/0xf0
 ? swap_readahead_detect+0x60/0x2a0
 ? do_swap_page+0xbb/0x790
 ? mem_cgroup_commit_charge+0x62/0x3e0
 ? reuse_swap_page+0x2f/0x150
 ? page_add_new_anon_rmap+0x5d/0xa0
 ? handle_mm_fault+0x669/0xf00
 ? __do_page_fault+0x19b/0x400
 ? vmalloc_sync_all+0x10/0x10
 ? common_exception+0x52/0x5a
Code: d5 8b 74 24 14 8b 5c 24 18 85 d2 0f 84 0b ff ff ff e9 f5 fe ff ff 8d 74 26 00 55 57 56 53 83 ec 08 89 04 24 89 4c 24 04 8b 04 24 <8b> 70 04 89 f0 83 e0 03 83 f8 01 0f 85 a6 00 00 00 89 f0 83 e0
EIP: __radix_tree_lookup+0x11/0xe0 SS:ESP: 0068:e0193de4
CR2: 000000000002ffa8
---[ end trace 54e0e562fff73ff2 ]---
```

----------

## josephg

 *Anon-E-moose wrote:*   

> Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables?

 

I couldn't get nftables to work.. that's why. I didn't understand nftables, and those cryptic error messages don't help.. is probably another reason. I assumed I could start with something dependable, and hence picked from the Gentoo wiki.

Now that I understand nftables a bit better, I can say that I got lost following the Gentoo wiki. I'll start building my ruleset once I have nftables working.

----------

## josephg

To get the iptables-translate tool in Gentoo:

```
# USE="nftables" emerge net-firewall/iptables
```

I found iptables-translate to be very useful, and it is very easy to use, but not always very accurate. Don't blind-copy, but try to understand what it's doing, and use the output as hints or tips to write your ruleset.

You can translate iptables rules line by line, or your entire ruleset in one go.

Ref: http://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

----------

## spidark

 *josephg wrote:*   

> A.N..D... voila, I get it again:
> 
> 

 

Faulty mem, hardware maybe :Confused:

----------

## spidark

 *Anon-E-moose wrote:*   

> 
> 
> Yep, I ran across it when researching using nftables. It does it line by line, but still, it's a start.
> 
> And yes, it gets created with the nftables USE flag when emerging iptables.
> ...

 

Nice tip, thanks Anon-E-moose.

 *josephg wrote:*   

> 
> 
> I found iptables-translate to be very useful,

 

Yes it is  :Laughing: 

----------

## josephg

Maybe :Sad: but why only when I'm playing with nftables modules? Never had it before.. could it be having both iptables and nftables?

----------

## Anon-E-moose

What kernel version are you using?

----------

## josephg

 *Anon-E-moose wrote:*   

> What kernel version are you using?

 

sys-kernel/gentoo-sources:4.14.65 x86

----------

## Anon-E-moose

You might try a newer kernel and see if the problem persists (using basically the same .config).

As far as it being because of both iptables and nftables, I wouldn't think so, unless you're mixing the two together at the same time.

----------

## josephg

 *Anon-E-moose wrote:*   

> You might try a newer kernel and see if the problem persists (using basically the same .config).

 

I'm a bit reluctant to upgrade kernels as I use btrfs.

I had been blindly enabling whatever modules the Gentoo wiki told me, and then when something failed, enabling more modules without understanding whether they were needed or not. I seem to have a better understanding now, and seem to have got on top of it.. cutting and pruning down to only the modules wanted by my ruleset:

```
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=m
CONFIG_NF_TABLES=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_TABLES_IPV4=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
```

```
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_IPV4=m
```

So far I haven't got any further oops.. fingers crossed.

 *Anon-E-moose wrote:*   

> As far as it being because of both iptables and nftables, I wouldn't think so, unless you're mixing the two together at the same time.

 

I did mix the two together at times, and wondered if that perhaps contributed to my issues.

 *nftables wiki wrote:*   

> Beware of using both the nft and the legacy tools at the same time. That means using both x_tables and nf_tables kernel subsystems at the same time, and could lead to unexpected results.

 

Apparently you can run both together. The result is an AND of both their rulesets.

http://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F

But that is not my intention. I like how nftables is so much cleaner than iptables.

----------

## spidark

 *josephg wrote:*   

> So far I haven't got any further oops.. fingers crossed.

 

Glad you got things working  :Smile: 

----------

## josephg

Could that be because I haven't run nftables yet, perhaps? I noticed that those modules are not loaded till I run the nftables command. I can start testing nftables again in a few days when I'll have more time.

----------

## spidark

 *josephg wrote:*   

> Could that be because I haven't run nftables yet, perhaps? I noticed that those modules are not loaded till I run the nftables command. I can start testing nftables again in a few days when I'll have more time.

 

I'm not sure.

Maybe not relevant, but I do not have iptables installed, I don't use NetworkManager, and I have iproute2 installed with the -iptables USE flag.

All the [0] modules get loaded when I run nftables.

```
# lsmod 
Module                  Size  Used by
nf_log_ipv6            16384  0
nf_log_ipv4            16384  0
nf_log_common          16384  2 nf_log_ipv4,nf_log_ipv6
nft_reject_inet        16384  0
nft_reject             16384  1 nft_reject_inet
nft_meta               16384  0
nft_log                16384  0
nft_ct                 16384  0
nft_set_bitmap         16384  0
nft_set_hash           20480  0
nft_set_rbtree         16384  0
nf_tables_inet         16384  0
nf_tables_ipv6         16384  1 nf_tables_inet
nf_tables_ipv4         16384  1 nf_tables_inet
```

----------

## Anon-E-moose

 *josephg wrote:*   

>  *Anon-E-moose wrote:*   As far as it being because of both iptables and nftables, I wouldn't think so, unless you're mixing the two together at the same time.
> 
> I did mix the two together at times, and wondered if that perhaps contributed to my issues.
> 
>  *nftables wiki wrote:*   Beware of using both the nft and the legacy tools at the same time. That means using both x_tables and nf_tables kernel subsystems at the same time, and could lead to unexpected results. 
> ...

 

I think what they meant by both is that rules written either way will work (with the correct kernel settings and modules),

but I'm not sure they mean running the ip_tables and nf_tables modules at the same time, especially if they're both trying to work on the same packet.

That would probably cause conflict: two different modules trying to handle a single incoming packet. I would think that would be a bad idea.

iptables could be built along with nftables, but you might blacklist the iptables modules,

or if you've run iptables before running nftables, make sure that the iptables modules are unloaded first.

In other words, don't have /etc/init.d/iptables and /etc/init.d/nftables active at the same time.

Edit to add: This seems like a reasonable intro https://linux-audit.com/nftables-beginners-guide-to-traffic-filtering/

and this https://linux-audit.com/differences-between-iptables-and-nftables-explained/

----------

## josephg

Thanks folks for your kind encouragement. I have persevered, and I think I have got nftables working now. I stopped iptables and ensured none of those modules were loaded. nftables is working with these modules loaded:

```
$ lsmod | egrep "table|nf"
nf_log_ipv4            16384  3
nf_log_common          16384  1 nf_log_ipv4
nft_log                16384  3
nf_conntrack_ipv4      16384  5
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nft_counter            16384  15
nft_meta               16384  8
nft_ct                 16384  5
nf_conntrack           53248  2 nft_ct,nf_conntrack_ipv4
nf_tables_ipv4         16384  4
nf_tables              69632  63 nft_ct,nf_tables_ipv4,nft_meta,nft_counter,nft_log
nfnetlink              16384  1 nf_tables
```

Now I can focus on getting my rules right.

----------

## josephg

I do have a slight problem though. I can't seem to use sets in my ruleset.

For example, this works:

```
udp dport 137 counter drop
udp dport 57621 counter drop
```

but this doesn't work:

```
udp dport {137,57621} counter drop
```

giving errors like so:

```
nftables.rules:16:27-37: Error: Could not process rule: Operation not supported
                udp dport {137,57621} counter drop
                          ^^^^^^^^^^^
nftables.rules:16:27-37: Error: Could not process rule: No such file or directory
                udp dport {137,57621} counter drop
                          ^^^^^^^^^^^
```

Is there some kernel module for sets?

----------

## josephg

Similarly, this works:

```
tcp dport 57621 counter drop
udp dport 57621 counter drop
```

but this doesn't work:

```
{tcp,udp} dport 57621 counter drop
```

and gives this error:

```
nftables.rules.jgv:18:27-31: Error: syntax error, unexpected dport
                {tcp,udp} dport 57621 counter drop
```

----------

## Anon-E-moose

```
iptables -A INPUT -p tcp -m multiport --dports 0:18,26:52,54:66,69:79,81:442,444:1024 -j LOG --log-prefix="IPTABLES:deny-tcp " --log-tcp-options --log-ip-options
nft add rule ip filter INPUT ip protocol tcp tcp dport { 0-18,26-52,54-66,69-79,81-442,444-1024} counter log prefix \"IPTABLES:deny-tcp \" flags tcp options flags ip options
```

This is what iptables-translate shows me. *shrugs*

Edit to add: all the examples seem to show a space after the opening curly brace; you might put them in and see if they work.

----------

## josephg

 *Anon-E-moose wrote:*   

> All the examples seem to show a space after the opening curly brace; you might put them in and see if they work.

 

I don't think that space matters, but I'm still learning. I have seen all sorts of combinations with and without spaces in various examples. I have tried with spaces between curly braces and after commas, etc., and without.. they all give me the same error :Sad:

FYI: http://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Simple_IP.2FIPv6_Firewall

----------

## Anon-E-moose

Under iptables you would need the xt_multiport module, but I don't know what the equivalent is under nftables, if there is one.

Edit to add: You might need the nft_set* modules, whatever they're called.

You need them set in the kernel configuration:

```
CONFIG_NFT_SET_RBTREE=m
CONFIG_NFT_SET_HASH=m
CONFIG_NFT_SET_BITMAP=m
```

----------

## josephg

 *Anon-E-moose wrote:*   

> Under iptables you would need the xt_multiport module, but I don't know what the equivalent is under nftables, if there is one.

 

Yes, iptables needs the multiport module. That's why I wondered if there is something similar with nftables. All the docs I've read seem to suggest that this is nftables' advantage over iptables and an integral part of nftables.

Also, nftables sets are not just for ports. You can combine just about everything, like protocols, flags, etc.

----------

## Anon-E-moose

See my above post, I was adding as you responded :Embarassed:

When I get ready to go to nftables I'll do the same as with iptables: I will set all options in the kernel, even if I don't think I need them.

----------

## josephg

I went through each nft module many times over and still missed that keyword. Compiling my kernel now. Thanks.

----------

## josephg

Anon-E-moose, thank you! It is CONFIG_NFT_SET_HASH that I was missing :Embarassed: I was clearly looking for "set" or something like that and went over it many times..
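The module hunt in this thread (nft_ct, nft_log, nft_set_hash, nf_tables_inet all turning up missing one at a time) can be made repeatable. The following is an added example, not from the thread or any of its posters: a POSIX shell script that scans an nft ruleset for the constructs it uses and checks the kernel .config for the matching options. The keyword-to-symbol table is an assumption built from the 4.14-era names quoted above, not nft's own dependency logic, and the sample ruleset and .config are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check an nftables ruleset against
# a kernel .config and list the nf_tables options the ruleset needs but the
# kernel does not enable. Assumption: the symbol names are the 4.14-era ones
# quoted in this thread (CONFIG_NFT_CT, CONFIG_NFT_SET_HASH, CONFIG_NF_TABLES_INET,
# ...); newer kernels have folded some of them into nf_tables itself, and the
# keyword-to-symbol table below is a heuristic, not nft's own dependency logic.

# _need PATTERN SYMBOL: print SYMBOL if the comment-stripped ruleset held in
# $RULESET_BODY matches the extended regex PATTERN.
_need() {
    if printf '%s\n' "$RULESET_BODY" | grep -Eq "$1"; then
        echo "$2"
    fi
}

# required_nft_options RULESET_FILE: one CONFIG symbol per line, sorted.
required_nft_options() {
    # drop "# ..." comments so commented-out rules do not count
    # (a '#' inside a quoted string is dropped too; fine for this check)
    RULESET_BODY=$(sed 's/#.*$//' "$1")
    {
        _need '^[[:space:]]*table[[:space:]]+inet[[:space:]]' CONFIG_NF_TABLES_INET
        _need '^[[:space:]]*table[[:space:]]+ip[[:space:]]'   CONFIG_NF_TABLES_IPV4
        _need '^[[:space:]]*table[[:space:]]+ip6[[:space:]]'  CONFIG_NF_TABLES_IPV6
        _need '(^|[[:space:]])ct[[:space:]]+state'            CONFIG_NFT_CT
        _need '(^|[[:space:]])counter([[:space:]]|$)'         CONFIG_NFT_COUNTER
        _need '(^|[[:space:]])log([[:space:]]|$)'             CONFIG_NFT_LOG
        _need '(^|[[:space:]])limit[[:space:]]+rate'          CONFIG_NFT_LIMIT
        _need '(^|[[:space:]])(iif|oif|iifname|oifname|meta)([[:space:]]|$)' CONFIG_NFT_META
        # anonymous sets such as "udp dport { 137, 57621 }": the kernel picks a
        # backend (bitmap/hash/rbtree) by key size and flags; nft_set_hash is
        # the common case and the one josephg found missing
        _need '(dport|sport|daddr|saddr|type)[[:space:]]+\{'  CONFIG_NFT_SET_HASH
        # ranges ("0-18") and "flags interval" sets need the rbtree backend
        _need 'flags[[:space:]]+interval|[0-9]-[0-9]'         CONFIG_NFT_SET_RBTREE
        # reject needs the core module plus the helper for the table family
        if printf '%s\n' "$RULESET_BODY" | grep -Eq '(^|[[:space:]])reject([[:space:]]|$)'; then
            echo CONFIG_NFT_REJECT
            _need '^[[:space:]]*table[[:space:]]+inet[[:space:]]' CONFIG_NFT_REJECT_INET
            _need '^[[:space:]]*table[[:space:]]+ip[[:space:]]'   CONFIG_NFT_REJECT_IPV4
            _need '^[[:space:]]*table[[:space:]]+ip6[[:space:]]'  CONFIG_NFT_REJECT_IPV6
        fi
    } | LC_ALL=C sort -u
}

# missing_nft_options RULESET_FILE CONFIG_FILE: required symbols that are
# neither =y nor =m in the kernel config.
missing_nft_options() {
    for sym in $(required_nft_options "$1"); do
        if ! grep -Eq "^${sym}=[ym]\$" "$2"; then
            echo "$sym"
        fi
    done
}

# Demo on constructed input: a ruleset using the constructs from this thread,
# and a .config that (like josephg's at first) lacks the set backends.
demo_dir=$(mktemp -d)
cat > "$demo_dir/nftables.rules" <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state {established, related} counter accept
        ct state invalid log prefix "Invalid: " drop
        iifname lo accept
        udp dport { 137, 57621 } counter drop
        tcp dport { 0-18, 26-52 } counter drop
        reject with icmpx type port-unreachable
    }
}
EOF
cat > "$demo_dir/config" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
# CONFIG_NFT_SET_HASH is not set
# CONFIG_NFT_SET_RBTREE is not set
EOF
echo "required by ruleset:"
required_nft_options "$demo_dir/nftables.rules"
echo "missing from kernel config:"
missing_nft_options "$demo_dir/nftables.rules" "$demo_dir/config"
rm -rf "$demo_dir"
```

Run it against your own ruleset and /usr/src/linux/.config before rebuilding; a symbol it reports as missing is a candidate for the "Operation not supported" and "No such file or directory" errors shown earlier, not a guarantee.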

----------

## Anon-E-moose

So it's all working now? Sweet, if so.

I wasn't sure which set was needed, and unless you select help it doesn't show the name,

but I looked at what was set in .config (I've set them but haven't compiled them yet).

----------

## josephg

 *Anon-E-moose wrote:*   

> So it's all working now? Sweet, if so.

 

yes thanks all working now.. i need to refine my rules some more.

 *Anon-E-moose wrote:*   

> I wasn't sure which set was needed, and unless you select help it doesn't show the name, 
> 
> but I looked at what was set in .config (I've set them but haven't compiled them yet)

 

i was pretty sure i had looked at the help for each module.. now it's obvious i hadn't, or didn't quite understand it then

----------

## spidark

Sorry Guys, been busy,  have a new adventure libressl / btrfs  :Very Happy: 

But i read that all worked out  :Wink: 

```
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_RT=m
# CONFIG_NFT_NUMGEN is not set
CONFIG_NFT_CT=m
CONFIG_NFT_SET_RBTREE=m
CONFIG_NFT_SET_HASH=m
CONFIG_NFT_SET_BITMAP=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
# CONFIG_NFT_DUP_NETDEV is not set
# CONFIG_NFT_FWD_NETDEV is not set
# CONFIG_NFT_CHAIN_ROUTE_IPV4 is not set
CONFIG_NFT_REJECT_IPV4=m
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
# CONFIG_NFT_CHAIN_NAT_IPV4 is not set
# CONFIG_NFT_MASQ_IPV4 is not set
# CONFIG_NFT_REDIR_IPV4 is not set
# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set
CONFIG_NFT_REJECT_IPV6=m
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NFTL is not set
```

----------

## josephg

 *spidark wrote:*   

> Sorry Guys, been busy,  have a new adventure libressl / btrfs 

 

i love btrfs  :Smile:  using it solely for the past few years.. no problems ever, except this one time with the gentoo kernel 4.12 fiasco. now i stick with lts kernels only. currently my most stable is 4.9, and 4.14 is not stable enough. all these recent kernel problems that i've had are with 4.14 since i switched. i'm back to 4.9 now and no problems with nftables or oops.

 *spidark wrote:*   

> But i read that all worked out 

 

yes thank you. i had all but given up if not for you  :Rolling Eyes: 

i've removed iptables from my kernel, and i'm solely running nftables. still getting my head around, and need to fine tune my ruleset. so i'll keep this thread open for now. i still have some rule issues.

 *spidark wrote:*   

> ```
> CONFIG_NFT_EXTHDR=m
> ...
> ```

 

you know, not everything above is needed. i like to keep my kernel trim and remove what i don't use. i don't need routing, nat, ip6, etc. on this laptop and my current kernel is gentoo-sources-4.9.122. i think the number shows how many times i call them in my ruleset. i don't have any rbtree rules and nft_set_rbtree is not used. i can remove it, but it keeps getting loaded at boot. the ones in use can't be removed. you can see mine here.

```
$ lsmod | egrep "table|nf|xt_"
nf_log_ipv4            12288  3
nf_log_common          12288  1 nf_log_ipv4
nft_log                12288  3
nf_conntrack_ipv4      12288  6
nf_defrag_ipv4         12288  1 nf_conntrack_ipv4
nft_ct                 12288  6
nf_conntrack           45056  2 nft_ct,nf_conntrack_ipv4
nft_counter            12288  17
nft_meta               12288  14
nft_set_hash           16384  2
nft_set_rbtree         12288  0
nf_tables_ipv4         12288  5
nf_tables              53248  85 nft_ct,nft_set_hash,nf_tables_ipv4,nft_meta,nft_set_rbtree,nft_counter,nft_log
nfnetlink              12288  1 nf_tables
```

can you show me yours?

----------

## josephg

 *spidark wrote:*   

> Can't remember where i got it from   Sorry original author, and thanks )
> 
> However it does timeout my eix-sync  and dhclient complains about ipv6 not permitted because of the drop state ( working on that )
> 
> Maybe you can figure it out.
> ...

 

i have a few suggestions. i'd write all your rules inline, and make everything work first before making lots of chains. good thing you don't have a big ruleset.

you could combine your ip and ip6 rules to make them simpler, unless you want to do different things. i can't understand what you're trying to do with your icmp rules. perhaps this might help. http://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Icmp

the logic is the same as iptables. remove "ct state {established,related} accept" from base_checks and add it in input. add "ct state {established,new} accept" in output. unless this is a web/rsync server, remove the tcp_accepted and udp_accepted. your ruleset should work now.

----------

## josephg

on second thoughts, i've just re-written your rules as per my above suggestion. easier to write than explain. perhaps you can compare and understand. i have removed all spurious lines including comments etc.. so you can see the clean rules and perhaps follow the logic. hope this helps.

```
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid log prefix "Invalid Input Connection: " drop
        ct state {established,related} accept
        iif lo accept
        log prefix "Dropped Input Connection: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state invalid log prefix "Invalid Output Connection: " drop
        ct state {established,new} accept
        oif lo accept
        log prefix "Dropped Output Connection: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        log prefix "Dropped Forward Connection: " drop
    }
}
```

----------

## spidark

 *josephg wrote:*   

> i love btrfs  using it solely for the past few years.. no problems ever, except this one time with gentoo kernel 4.12 fiasco. now i stick with lts kernels only. currently my most stable is 4.9, and 4.14 is not stable enough. all these recent kernel problems that i've had is with 4.14 since i switched. i'm back to 4.9 now and no problems with nftables or oops.

 

Hi Josephg,

So that's what it was, IO /freezing issues, Yep i'm on 4.14.65-gentoo, did not dig deeper into it yet, but i'm back on ext2/4 for the meantime  :Smile: 

 *josephg wrote:*   

> you know, not everything above is needed. i like to keep my kernel trim and remove what i don't use. i don't need routing, nat, ip6, etc. on this laptop and my current kernel is gentoo-sources-4.9.122. i think the number shows how many times i call them in my ruleset. i don't have any rbtree rules and nft_set_rbtree is not used. i can remove it, but it keeps getting loaded at boot. the ones in use can't be removed. you can see mine here.

I reinstalled from scratch (libressl jeej  :Laughing:  ), and trimmed a lot of stuff i don't use or don't need. Next on the list: an nftables unneeded modules trimming session  :Laughing: 

I think i'm there already, but not sure.

There's mine.

```
lsmod | egrep "table|nf|xt_"
nf_log_ipv6            16384  2
nf_log_ipv4            16384  2
nf_log_common          16384  2 nf_log_ipv4,nf_log_ipv6
nft_reject_inet        16384  1
nft_reject             16384  1 nft_reject_inet
nft_meta               16384  7
nft_log                16384  2
nft_ct                 16384  2
nft_set_bitmap         16384  2
nft_set_hash           20480  1
nft_set_rbtree         16384  2
nf_tables_inet         16384  4
nf_tables_ipv6         16384  1 nf_tables_inet
nf_tables_ipv4         16384  1 nf_tables_inet
```

----------

## spidark

My Latest Toy  :Laughing: 

Used Anon-E-moose's iptables-translate tip.

Getting Better at it, and starting to understand those cryptic errors.

```
#! /bin/bash

#4TESTING j.i.c i need the interface name, but its Laptop not a server.
#My_Wifi=`ip addr | grep ^3 | cut -c 3-8 | cut -d ' ' -f 2`

#FLUSH RULESET
nft flush ruleset

# CREATE FILTER TABLE
nft add table ip filter

# CHAIN POLICIES ! EVERY TRAFFIC DROPPED !
nft add chain ip filter input {' type filter hook input priority 0 ; policy drop;' }
nft add chain ip filter forward {' type filter hook forward priority 0 ; policy drop; '  }
nft add chain ip filter output {' type filter hook output priority 0 ; policy drop; ' }

nft add rule  ip filter input ip protocol tcp tcp flags \& \(fin\|syn\|rst\|ack\) == syn ct state new counter reject with tcp reset

#DROP INVALIDS AND LOG
nft add rule ip filter input ct state invalid log prefix \"Invalid Input Connection: \" counter drop

#ACCEPT RELATED ESTABLISHED
nft add rule ip filter input ct state related,established counter accept

#nft add rule ip filter input  udp dport 5060 notrack NEED FIX!!!

#DROP lo SPOOFED PACKAGES
# the input hook has no output interface yet, so match the input interface (iifname), not oif
nft add rule ip filter input iifname != "lo" ip daddr 127.0.0.0/8 counter packets 0 log prefix \" Spoofed ! Lo Packets: \" drop

#ACCEPT LO
nft add rule ip filter input iifname lo counter accept

nft add rule ip filter input icmp type destination-unreachable counter accept
nft add rule ip filter input icmp type time-exceeded counter accept
nft add rule ip filter input icmp type parameter-problem counter accept

#DROP INVALID OUTGOING CONNECTIONS
nft add rule ip filter output  ct state invalid log prefix \"Invalid Output Connection:  \" counter drop

#DEBUG TRACE OPTION COOL NEW OPTION !!
#nft add rule ip filter output  tcp dport { domain, http, https, rsync, git } meta nftrace set 1 counter accept

#ALLOW TCP / DNS HTTP(s) SYNC and GIT
nft add rule ip filter output  tcp dport { domain, http, https, rsync, git } counter accept
nft add rule ip filter output  udp dport { domain } accept

#nft add rule ip filter output  udp dport 5060 notrack

#------------------------------------------------------------
#IPV6 RULES
#------------------------------------------------------------

#CREATE IPV6 FILTER TABLE
nft add table ip6 filter

#IPV6 CHAIN POLICIES ! EVERY TRAFFIC BLOCKED !
nft add chain ip6 filter input {' type filter hook input priority 0; policy drop;' }
nft add chain ip6 filter forward {' type filter hook forward priority 0; policy drop;' }
nft add chain ip6 filter output {' type filter hook output priority 0; policy accept;' }

#ACCEPT lo
nft add rule ip6 filter input iifname lo accept

#DROP INVALIDS AND LOG
nft add rule ip6 filter input ct state invalid log prefix \" IPV6 INVALID INPUT DROPPED: \" counter drop

nft add rule ip6 filter   input iifname != lo ip6 daddr ::1/128 counter drop
nft add rule ip6 filter input tcp  flags \& \(fin\|syn\|rst\|ack\) == syn ct state new counter reject with tcp reset
nft add rule ip6 filter input ct state {'established, related'} counter accept
nft add rule ip6 filter input ip6 nexthdr icmpv6 counter accept

# ALLOW IPV6 OUTGOING TRAFFIC ON Lo
# the output hook has no input interface, so match the output interface (oifname), not iifname
nft add rule ip6 filter output oifname lo counter accept

#LET ME SEE THE RULESET
nft list ruleset

#SAVE THE RULESET j.i.c. I save it to the root Directory ( Root Has Guns )
nft list ruleset > /root/RULES_NFTABLES.txt

#SAVE THE DOT RULES FILE  IN /VAR/LIB SOMETHING?
rc-service nftables save
```

Off topic maybe, not sure, if it is, my bad.  :Embarassed: 

I'm missing something in the rules above.

Did not have this with iptables only with nftables rules.

It hangs for a while, shutting down nftables, it runs ok without the warnings.

I'm guessing a rule here?

Do you have this issue?

```
* Running emerge --sync
>>> Syncing repository 'gentoo' into '/usr/portage'...
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys from keyserver ...OpenPGP keyring refresh failed:
gpg: connecting dirmngr at '/run/user/0/gnupg/d.x7a4zbgncn4uyt8r4qcfw3ub/S.dirmngr' failed: IPC connect call failed
gpg: keyserver refresh failed: No dirmngr
```

----------

## josephg

 *spidark wrote:*   

> My Latest Toy 

 

mine too  :Smile:  and i'm loving playing with it

i've migrated from iptables, except for minor niggles.

 *spidark wrote:*   

> #DEBUG TRACE OPTION COOL NEW OPTION !!

 

cool, i haven't used it yet.

 *spidark wrote:*   

> I'm missing something in the rules above.

 

it might be better looking at the nftables rules than these commands above. i had to rewrite them substantially, because i could combine multiple rules.

Looking at your translated iptables, i can see what you're missing from your initial rules you posted earlier in this thread. you need to add git to your @tcp_accepted set. that's why your sync wasn't working.

 *spidark wrote:*   

> Did not have this with iptables only with nftables rules.
> 
> It hangs for a while, shutting down nftables, it runs ok without the warnings.
> 
> I'm guessing a rule here?
> ...

 

no i have not had this issue with iptables or nftables. if it didn't spit any errors while feeding the ruleset, i have no issues during runtime.

 *spidark wrote:*   

> ```
> * Running emerge --sync
> ...
> ```

 

i don't remember seeing the openpgp messages during sync. i just did one to check. nope nothing.

i also do not have /usr/share/openpgp-keys directory.

do you have some special configuration?

----------

## spidark

 *josephg wrote:*   

> do you have some special configuration?

 

Hi Josephg,

No nothing special there,

Maybe it has something to do with portage news, not sure.

```
[15]     2018-01-30  Portage rsync tree verification
[16]     2018-03-13  Portage rsync tree verification unstable
```

But it has been fixed

I changed my output policy from drop to accept and removed all of the output rules.

```
# CHAIN POLICIES ! EVERY TRAFFIC DROPPED !
nft add chain ip filter input {' type filter hook input priority 0 ; policy drop;' }
nft add chain ip filter forward {' type filter hook forward priority 0 ; policy drop; '  }
nft add chain ip filter output {' type filter hook output priority 0 ; policy accept; ' }
```

If i keep the drop policy, i need to change the ct state to new,related,established counter accept,

which also fixes the IPC connect hang / error (emerge-sync).

```
nft add rule ip filter output  ct state new,related,established counter accept
```

Enjoying nftables so far  :Smile: 

----------

## josephg

 *spidark wrote:*   

> If i keep the drop policy , i need to change the ct state to new,related,established counter accept 
> 
> which also fixes the IPC connect hang / error (emerge-sync).

 

you don't need related for output chain. "ct state established,new accept" should be sufficient, which is what i do. i keep the drop policy on all chains. oh and i don't use counter on every rule unless i want to see the stats for that particular rule. probably lessen some overload.

as i mentioned yesterday, you can't use the same rules for input and output. i also attempted to rewrite your ruleset for you. did you see?
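As an added example (not from this thread or from the nftables project), a small Python checker for the three pitfalls the thread ran into: a drop-policy input or output chain with no `ct state ... established` accept (the emerge sync hang above), set syntax that needs the nft_set_* modules (the CONFIG_NFT_SET_HASH fix), and an iif/oif match in a hook where that interface is not known yet, so the rule never matches. It parses `nft list ruleset` style text; the sample ruleset is constructed to resemble the bash script posted above, not copied from it.

```python
import re
# Constructed input (not from the thread): the bash script's `ip filter` table in `nft list ruleset` form, unfixed.
BROKEN = """
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        oif != "lo" ip daddr 127.0.0.0/8 counter drop
        ct state related,established counter accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        tcp dport { domain, http, https, rsync, git } counter accept
        iifname lo counter accept
    }
}
"""

def parse_chains(ruleset):
    # chain name -> (hook, policy, rule lines), parsed from `nft list ruleset` style text
    chains, current = {}, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = re.match(r"chain\s+(\S+)\s*\{", line)
        if m:                        # start of a chain block
            current = m.group(1)
            chains[current] = ["", "accept", []]
        elif line == "}":            # end of a chain (or of the table)
            current = None
        elif current and line:
            m = re.match(r"type\s+\w+\s+hook\s+(\w+).*policy\s+(\w+)", line)
            if m:                    # base-chain header: remember hook and policy
                chains[current][0], chains[current][1] = m.groups()
            else:                    # anything else inside the chain is a rule
                chains[current][2].append(line)
    return {k: tuple(v) for k, v in chains.items()}

def lint(ruleset):
    # (chain, message) pairs for the pitfalls raised in this thread
    out = []
    for name, (hook, policy, rules) in parse_chains(ruleset).items():
        has_est = any("ct state" in r and "established" in r for r in rules)
        if hook in ("input", "output") and policy == "drop" and not has_est:
            out.append((name, f"policy drop but no 'ct state ... established' accept in the {hook} hook"))
        for r in rules:
            unset = {"input": r"\boif(name)?\b", "output": r"\biif(name)?\b"}.get(hook)
            if unset and re.search(unset, r):
                out.append((name, f"interface match is unset in the {hook} hook, rule never matches: {r}"))
            if "{" in r:
                out.append((name, f"set syntax needs the nft_set_* modules (CONFIG_NFT_SET_HASH in this thread): {r}"))
    return out
```

Feed it the output of `nft list ruleset` to check a loaded ruleset the same way.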

----------

## spidark

 *josephg wrote:*   

> you don't need related for output chain.
 

Fixed it.  :Laughing: 

 *josephg wrote:*   

> oh and i don't use counter on every rule unless i want to see the stats for that particular rule.
 

Yes this i knew, but left it in for testing and stats purposes.

 *josephg wrote:*   

> i also attempted to rewrite your ruleset for you. did you see?
 

Yes i did, and experimented with it, thanks for that Josephg.

----------

