----- Original Message ----
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
To: giorgio.nicole@xxxxxxxx
Date: 20.10.2015 12:39
Subject: Re: nft 'script' not working

> On Tue, Oct 20, 2015 at 10:02:00AM +0200, giorgio.nicole@xxxxxxxx wrote:
> > Hi,
> >
> > I'm facing problems trying to run a simple nft script to
> > set up a very simple firewall.
> >
> > Here are the script pieces:
> >
> > # cat /etc/nftables/fw_basic.nft
> > #!/sbin/nft -f
> > flush ruleset
> > include "/etc/nftables/ipv4-nat"
> > include "/etc/nftables/ipv6-nat"
> > table inet filter {
> > chain input {
> > type filter hook input priority 0; policy accept;
> > iif lo accept
> > ct state established,related accept
> > ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
> > tcp dport { 22, 80, 443 } accept
> > udp dport { 5353 } accept
> > }
> > }
> > include "/var/lib/nftables/user.nft"
> >
> > and:
> >
> > # cat /var/lib/nftables/user.nft
> > add chain inet filter input { policy drop; }
> > #
> >
> > And here is the result:
> > # /etc/nftables/fw_basic.nft
> > In file included from ./fw_basic.nft:15:1-37:
> > /var/lib/nftables/user.nft:1:1-45: Error: Could not process rule: No such file or directory
> > add chain inet filter input { policy drop; }
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> This is not related to the scripting, it's currently a kernel
> limitation. You can reproduce this problem with the following script:
>
> - ruleset.file -
> #!/usr/sbin/nft
>
> add table filter
> add chain filter output { type nat hook output priority 0 ; }
> add chain filter output { policy drop ; }
> - EOF ruleset.file -
>
> % nft -f ruleset.file
> ruleset.file:5:1-42: Error: Could not process rule: No such file or directory
> add chain filter output { policy drop ; }
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> The real problem is that we currently cannot update an object that
> is being created in the same batch. This existing limitation was
> already discussed on the -devel ML, and it should be easy to remove it.
>
> > Further, I noticed that if I remove the last 'include' from the main
> > script, 'fw_basic.nft', and issue the last command manually:
> >
> > # nft add chain inet filter input { policy drop\; }
> > #
> >
> > it works.
> >
> > My second question is:
> >
> > should it be possible to 'include' empty .nft files in a script without
> > having errors?
>
> This works here with nft 0.5:
>
> % touch empty.file
> % cat x
> #!/usr/sbin/nft
>
> include "empty.file"
> % nft -f x

Hi,

thanks for your answer. Your answer to the first question confirms what I already supposed; my workaround is now to add a last 'drop' rule to the input table instead of changing the table policy:

add rule inet filter input drop

instead of

add chain inet filter input { policy drop; }

Regarding the second question about including empty files, I think it was just a consequence of the other errors; now it works as expected.

Thanks again for your quick support.

giorgio

--
To unsubscribe from this list: send the line "unsubscribe netfilter"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
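As an added example (not code from the thread or from the nftables project), a small Python lint that inlines `include` directives and flags a chain that one `nft -f` batch both creates and later re-adds with `add chain`, the pattern Pablo describes. The sample files are constructed from the scripts above, and the check assumes the family is written explicitly in `add chain` statements.

```python
import re

# Constructed sample scripts modelled on the thread (not the poster's actual files).
SAMPLE = {
    "fw_basic.nft": (
        "#!/sbin/nft -f\n"
        "table inet filter {\n"
        "    chain input {\n"
        "        type filter hook input priority 0; policy accept;\n"
        "    }\n"
        "}\n"
        'include "user.nft"\n'
    ),
    "user.nft": "add chain inet filter input { policy drop; }\n",  # re-adds a chain this batch creates
    "user_fixed.nft": "add rule inet filter input drop\n",  # the thread's workaround: a final drop rule
}
SAMPLE_FIXED = dict(SAMPLE, **{"fw_basic.nft": SAMPLE["fw_basic.nft"].replace("user.nft", "user_fixed.nft")})
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"')
TABLE_RE = re.compile(r"^\s*table\s+(\w+)\s+(\w+)\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\w+)\s*\{")
# Assumption: the family (ip, ip6, inet, ...) is written explicitly in 'add chain'.
ADD_CHAIN_RE = re.compile(r"^\s*add\s+chain\s+(\w+)\s+(\w+)\s+(\w+)\b")

def expand(name, files):
    """Yield (file, lineno, line) with include directives inlined, in the order nft -f batches them."""
    for n, line in enumerate(files[name].splitlines(), 1):
        m = INCLUDE_RE.match(line)
        if m:
            yield from expand(m.group(1), files)
        else:
            yield name, n, line

def same_batch_chain_updates(name, files):
    """Return [(chain, created_at, updated_at)] for chains one 'nft -f' batch both creates and later re-adds."""
    created, problems, table, depth = {}, [], None, 0
    for fname, n, line in expand(name, files):
        if (m := TABLE_RE.match(line)):
            table = (m.group(1), m.group(2))  # enclosing 'table <family> <name> {' block
        elif (m := CHAIN_RE.match(line)) and table:
            created.setdefault(table + (m.group(1),), (fname, n))
        elif (m := ADD_CHAIN_RE.match(line)):
            key = m.groups()
            if key in created:
                problems.append((key, created[key], (fname, n)))
            else:
                created[key] = (fname, n)
        depth += line.count("{") - line.count("}")
        if depth == 0:  # left the enclosing 'table ... { }' block
            table = None
    return problems
```

Running the lint over the constructed files reports the `user.nft` line against the chain created in `fw_basic.nft`, and reports nothing once the include points at the drop-rule variant.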