given:

% uname -a
Linux 4.13.0-45-generic #50~16.04.1-Ubuntu SMP x86_64 x86_64 x86_64 GNU/Linux
% cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"

No iptables installed; the distribution's nftables package purged;
nftables installed from git following Duncan's hint:
./configure --prefix=/usr & ln -s /usr/sbin/nft /usr/local/sbin/nft

% nft -v
nftables v0.8.5 (Joe Btfsplk)

Still the same problem:

nft -f /etc/nftables/bastion-ruleset.nft
In file included from /etc/nftables/bastion-ruleset.nft:16:1-48:
/etc/nftables/bastion-ipv4-filter.nft:5:1-5: Error: syntax error, unexpected table
table ip filter {
^^^^^
In file included from /etc/nftables/bastion-ruleset.nft:16:1-48:
/etc/nftables/bastion-ipv4-filter.nft:32:15-19: Error: invalid hook input
chain input { type filter hook input priority 0; policy drop;
^^^^^

Content of /etc/nftables/bastion-ipv4-filter.nft:
#--------------------snip
#!/usr/sbin/nft -f
table ip filter{
    include "/etc/nftables/bastion-ipv4-filter-sets.nft"
    chain global {
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        udp dport $port_dns accept
    }
    chain dmz_in {
        # your rules for traffic to your dmz servers
        ip saddr @lxdIPs accept
    }
    chain dmz_out {
        # your rules for traffic from the dmz to internet
    }
    chain lan_in {
        # your rules for traffic to your LAN nodes
    }
    chain lan_out {
        # your rules for traffic from the LAN to the internet
    }
    chain input {
        type filter hook input priority 0; policy drop;
        jump global
        iifname $nic_lxd tcp dport $port_dns drop
        iifname $nic_lxd udp dport $port_dns accept
        iifname $nic_lxd udp dport $port_bootps accept
        udp dport $port_fwd_vpn1 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        jump global
        oifname vmap { $nic_dmz : jump dmz_in }
        oifname $nic_int iifname vmap { $nic_dmz : jump dmz_out }
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state new accept
        oifname $nic_lxd tcp sport $port_dns drop
        oifname $nic_lxd udp sport $port_dns accept
        oifname $nic_lxd udp sport $port_bootps drop
    }
}
#--------------------snap

karl
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html