Re: Error: syntax error, unexpected table

On Thu, Jun 07, 2018 at 10:18:31AM +0200, support@xxxxxxx wrote:
>
> given:
>
> 	% uname -a
> 	Linux 4.13.0-45-generic #50~16.04.1-Ubuntu SMP
> 	x86_64 x86_64 x86_64 GNU/Linux
>
> 	% cat /etc/lsb-release
> 	DISTRIB_ID=Ubuntu
> 	DISTRIB_RELEASE=16.04
> 	DISTRIB_CODENAME=xenial
> 	DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
>
> 	no iptables installed
> 	distributed nftables purged
>
> 	nftables installed from git
> 	with duncans hint ./configure --prefix=/usr
> 	& ln -s  /usr/sbin/nft  /usr/local/sbin/nft
> 	% nft -v
> 	nftables v0.8.5 (Joe Btfsplk)
>
>
> 	still the problem :
>
> nft -f /etc/nftables/bastion-ruleset.nft
> In file included from /etc/nftables/bastion-ruleset.nft:16:1-48:
> /etc/nftables/bastion-ipv4-filter.nft:5:1-5: Error: syntax error,
> unexpected table
> table ip filter {
> ^^^^^
> In file included from /etc/nftables/bastion-ruleset.nft:16:1-48:
> /etc/nftables/bastion-ipv4-filter.nft:32:15-19: Error: invalid hook input
> 	chain input { type filter hook input priority 0; policy drop;
> 	             ^^^^^
>
>
> 	content of /etc/nftables/bastion-ipv4-filter.nft
> #--------------------snip
> #!/usr/sbin/nft -f
>
> table ip filter{
>
>      include "/etc/nftables/bastion-ipv4-filter-sets.nft"
>
>      chain global {
>         ct state established,related accept
>         ct state invalid drop
>         ip protocol icmp accept
>         udp dport $port_dns accept
>      }
>
>      chain dmz_in {
>         # your rules for traffic to your dmz servers
>         ip saddr @lxdIPs accept
>      }
>
>      chain dmz_out {
>         # your rules for traffic from the dmz to internet
>      }
>
>         chain lan_in {
>         # your rules for traffic to your LAN nodes
>         }
>         chain lan_out {
>         # your rules for traffic from the LAN to the internet
>         }
>
>
>         chain input { type filter hook input priority 0; policy drop;
>           jump global
>           iifname $nic_lxd tcp dport $port_dns drop
>           iifname $nic_lxd udp dport $port_dns accept
>           iifname $nic_lxd udp dport $port_bootps accept
>           udp dport $port_fwd_vpn1 accept
>      }
>
>         chain forward { type filter hook forward priority 0; policy drop;
>           jump global
>           oifname vmap { $nic_dmz : jump dmz_in  }
>           oifname $nic_int iifname vmap { $nic_dmz : jump dmz_out }
>      }
>
>         chain output { type filter hook output priority 0; policy drop;
>           ct state new accept
>           oifname $nic_lxd tcp sport $port_dns drop
>           oifname $nic_lxd udp sport $port_dns accept
>           oifname $nic_lxd udp sport $port_bootps drop
>      }
> }
> #--------------------snap
>
>
>
> 	karl

Please post /etc/nftables/bastion-ruleset.nft, and any file it includes prior to
line 16.

Sorry if you posted it previously: I didn't keep previous emails and anyway it's
best to post all files in the same email.

Cheers ... Duncan.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
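A defender-side check for the layout behind this class of error, as an added example (it is not nft's parser and not from anyone in the thread): nft reports "syntax error, unexpected table" when the `table` keyword turns up while the grammar is still inside another block, and one way to get exactly that at line 1 of an included file is an `include` placed inside a table block when the included file declares its own table. The heuristic below follows includes, counts braces, and reports nested table declarations in nft's own "In file included from" style; resolving relative include paths next to the including file is an assumption here (nft searches its -I include paths).

```python
import os
import re
import tempfile
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"')
TABLE_RE = re.compile(r'^\s*table\s+\S+')

def _walk(path, depth, chain, findings):
    # Scan one file, following includes; return the brace depth on exit.
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.split('#', 1)[0]  # drop comments; enough for brace counting
            inc = INCLUDE_RE.match(line)
            if inc:
                target = inc.group(1)
                if not os.path.isabs(target):  # assumption: resolve next to the includer (nft uses -I paths)
                    target = os.path.join(os.path.dirname(path), target)
                depth = _walk(target, depth, chain + [f"{path}:{lineno}"], findings)
                continue
            if TABLE_RE.match(line) and depth > 0:
                ctx = "".join(f"In file included from {c}:\n" for c in chain)
                findings.append(f"{ctx}{path}:{lineno}: 'table' opened inside another block (depth {depth})")
            depth += line.count('{') - line.count('}')
    return depth

def lint_file(path):
    """Return findings for the ruleset rooted at `path`; an empty list means clean."""
    findings = []
    if _walk(path, 0, [], findings) != 0:
        findings.append(f"{path}: unbalanced braces across the ruleset")
    return findings

def build_sample(tmpdir, include_inside_table):
    """Write a constructed two-file ruleset; return the top-level file path."""
    filt = os.path.join(tmpdir, "ipv4-filter.nft")
    with open(filt, "w") as fh:
        fh.write('table ip filter {\n'
                 '    chain input { type filter hook input priority 0; policy drop; }\n}\n')
    top = os.path.join(tmpdir, "ruleset.nft")
    with open(top, "w") as fh:
        fh.write('#!/usr/sbin/nft -f\nflush ruleset\n')
        if include_inside_table:  # the include sits inside a table block
            fh.write('table ip filter {\n    include "ipv4-filter.nft"\n}\n')
        else:                     # the include sits at top level
            fh.write('include "ipv4-filter.nft"\n')
    return top

def demo():
    """Lint both layouts: returns (findings_for_nested, findings_for_top_level)."""
    with tempfile.TemporaryDirectory() as d:
        return lint_file(build_sample(d, True)), lint_file(build_sample(d, False))
```

The authoritative syntax check is still `nft -c -f ruleset.nft`, which parses without loading anything; this lint only narrows down which include breaks the scoping.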
