On Mon, Mar 19, 2018 at 10:02:06PM +1100, Duncan Roe wrote:
> On Mon, Mar 19, 2018 at 11:14:58AM +0100, Darius wrote:
> > I actually have the same problem if I use a config file where families are defined:
> >
> > #!/usr/sbin/nft -f
> >
> > table ip ipv4_filter {
> >
> >     chain incoming {
> >         type filter hook input priority 0; policy drop;
> >
> >         tcp dport {ssh} log accept
> >     }
> > }
> >
> I am at a loss to explain this. I tried your command on my system:
> >
> nft add rule ip IP FILTER_INPUT tcp dport {ssh} log accept
>
> (except with my table and chain names) and the command was accepted.
>
> This has been working since January - is your nft older?
> >
> > > On March 19, 2018 at 12:52 AM Duncan Roe <duncan_roe@xxxxxxxxxxxxxxx> wrote:
> > >
> > >
> > > On Sun, Mar 18, 2018 at 11:29:35PM +0100, darius wrote:
> > > > Hi,
> > > >
> > > > Apparently, I can't add a log statement in the nft firewall. It does not
> > > > matter if I do it in the config file or on the command line. In any case I get
> > > > an error:
> > > >
> > > > nft add rule filter input log
> > > > Error: Could not process rule: No such file or directory
> > > > add rule filter input log
> > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > > >
> > > [...]
> > >
> > > Try inserting the family before the table name. nft always assumes "ip4" if you
> > > don't. You will then get the above error if table filter is ip6 (or inet).
> > >
> > > Cheers ... Duncan.

Check your kernel .config for including Netfilter LOG over NFNETLINK interface (NETFILTER_NETLINK_LOG)
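Added example, not code from anyone in this thread: a small POSIX sh script that turns the two suggestions above into checks. It looks for NETFILTER_NETLINK_LOG in a kernel .config (the path /boot/config-$(uname -r) is an assumption; /proc/config.gz is the other common place), and it generates the ruleset and the one-line command with the address family written explicitly in front of the table name. The table and chain names and the log prefix are made up for the example.

```sh
#!/bin/sh
# Added example, not code from the thread. It addresses the two points raised
# above: name the address family explicitly so the rule lands in the intended
# table, and confirm the kernel was built with NETFILTER_NETLINK_LOG.
# Assumed paths: /boot/config-$(uname -r) for the kernel config (or
# "zcat /proc/config.gz"); nft in PATH only for the optional syntax check.

# Succeed if the kernel config text in file $1 enables NETFILTER_NETLINK_LOG
# (built-in "y" or module "m"). "is not set" lines and a missing option fail.
has_nflog_support() {
    grep -Eq '^CONFIG_NETFILTER_NETLINK_LOG=(y|m)$' "$1"
}

# Print a ruleset whose table names its family ($1: ip, ip6 or inet), so
# 'nft -f' and later 'nft add rule' commands address the same table.
emit_ruleset() {
    family=$1; table=$2; chain=$3
    cat <<EOF
#!/usr/sbin/nft -f

table $family $table {
    chain $chain {
        type filter hook input priority 0; policy drop;

        tcp dport { ssh } log prefix "$chain ssh: " accept
    }
}
EOF
}

# The one-line equivalent, with the family in front of the table name; without
# it nft defaults to the ip family and reports "No such file or directory"
# when the table only exists under ip6 or inet.
nft_add_cmd() {
    printf 'nft add rule %s %s %s tcp dport { ssh } log prefix "%s ssh: " accept\n' \
        "$1" "$2" "$3" "$3"
}

# Usage on a live system: check the running kernel, then validate (without
# loading anything) a generated ruleset with nft's check-only mode.
cfg="/boot/config-$(uname -r)"
if [ -r "$cfg" ]; then
    if has_nflog_support "$cfg"; then
        echo "kernel $(uname -r): NETFILTER_NETLINK_LOG enabled"
    else
        echo "kernel $(uname -r): NETFILTER_NETLINK_LOG missing; log statements will fail"
    fi
fi
if command -v nft >/dev/null 2>&1; then
    emit_ruleset inet filter input | nft -c -f - && echo "ruleset syntax OK"
fi
```

The inet family is used in the usage block because it covers both IPv4 and IPv6 in one table; pass ip or ip6 instead to match the family of an existing table. nft -c only parses and validates, so the check is safe to run on a host whose live ruleset must not change.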