Hi, I'm facing problems trying to run a simple nft script to set up a very simple firewall. Here are the script pieces:

# cat /etc/nftables/fw_basic.nft
#!/sbin/nft -f
flush ruleset
include "/etc/nftables/ipv4-nat"
include "/etc/nftables/ipv6-nat"
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif lo accept
        ct state established,related accept
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
        tcp dport { 22, 80, 443 } accept
        udp dport { 5353 } accept
    }
}
include "/var/lib/nftables/user.nft"

and:

# cat /var/lib/nftables/user.nft
add chain inet filter input { policy drop; }
#

And here is the result:

# /etc/nftables/fw_basic.nft
In file included from ./fw_basic.nft:15:1-37:
/var/lib/nftables/user.nft:1:1-45: Error: Could not process rule: No such file or directory
add chain inet filter input { policy drop; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#

Further, I noticed that if I remove the last 'include' from the main script, 'fw_basic.nft', and issue the last command manually:

# nft add chain inet filter input { policy drop\; }
#

it works.

My second question is: should it be possible to 'include' empty .nft files in a script without having errors?

thanks,
giorgio
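As an added example (not part of the message above), the same firewall restructured so that the default-deny policy is declared in the base chain itself instead of being applied by a separate `add chain` command afterwards; the paths and rules are those from the message, and it is an assumption that the user file holds `add rule inet filter input ...` lines:

```nft
#!/sbin/nft -f
# Added example: the base chain is created with its final policy, so the ruleset
# never depends on a later policy change to an already-declared chain.
flush ruleset

include "/etc/nftables/ipv4-nat"
include "/etc/nftables/ipv6-nat"

table inet filter {
    chain input {
        # Default deny declared up front; everything below is an explicit allow.
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Neighbour discovery and ping must stay open on a default-deny IPv6 host.
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request } accept

        tcp dport { 22, 80, 443 } accept
        udp dport 5353 accept
    }
}

# Site-local additions; assumed to contain lines such as
# "add rule inet filter input tcp dport 8080 accept", which append to the chain above.
include "/var/lib/nftables/user.nft"
```

Validate the file without applying it with `nft -c -f /etc/nftables/fw_basic.nft` before loading it on a host you reach over SSH.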