Hi everyone!

I got my first nftables-based firewall in production after many years with iptables. I opted to use an nft script to manage the ruleset. A small bash wrapper does some checks first and then loads the new ruleset. One of those checks is a syntax check with:

    nft -c -f #path-to-ruleset-file#

For better readability I used newlines in some rules. Unfortunately, at two places in the 2k-line script I failed to put a '\' at the end of a line, which caused nftables to create two separate rules instead of one. I do not understand how nftables interpreted the rules and why nft -c did not throw an error.

Both rules looked something like this (forward chain, drop policy):

    ip saddr { xxxxx } \
    ip daddr { yyyyy }        <- missing \ here
    ct state new accept;

nftables created the rules like this:

    1. ip saddr { xxxxx } ip daddr { yyyyy }
    2. ct state new accept

I guess I do not have to tell you why this was catastrophic. I do not understand why the first rule is a valid rule, since it does not contain a statement. "nft -c" usually found other issues in the script and even in other included script files (although the line numbers were never correct), so I assume it can check nft scripts.

Is my understanding of the syntax wrong? Does an nftables rule not need a statement? If so, is no statement equal to the statement "continue"? Or is nft -c not checking this case?

Kind regards
Alexander
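The behaviour described in the post is what nftables defines: a rule is zero or more match expressions followed by zero or more statements, so a rule made of matches alone is valid, and a packet that matches it simply falls through to the next rule (the same effect as a bare `continue`). `nft -c` only checks that the ruleset parses and can be loaded; it does not judge whether a rule is useful. The script below is an added example, not code from the post or from the nftables project. It is a pre-load lint that a wrapper like the one described could run alongside `nft -c -f`: it joins backslash continuations the way nft does, tracks `table`/`chain`/`set` blocks, and reports any rule inside a chain that carries no verdict or action statement. The keyword list, the block-tracking heuristics and the sample ruleset are all constructed here (the ruleset mirrors the shape of the rules in the post) and are assumptions of this example, not an exhaustive nft grammar; rules whose anonymous set spans several physical lines without a backslash are not handled.

```python
import re
import sys

# Verdicts and action statements that make a rule "do something".
# Heuristic list for this lint (assumption of the example, not the full nft grammar).
VERDICTS_AND_ACTIONS = {
    "accept", "drop", "reject", "return", "jump", "goto", "continue",
    "counter", "log", "limit", "snat", "dnat", "masquerade", "redirect",
    "queue", "notrack", "set", "update", "add", "dup", "fwd",
}

# Lines at chain level that are chain properties rather than rules.
CHAIN_PROPERTY_PREFIXES = ("type ", "policy ", "comment ", "devices ", "flags ")

# Constructed sample ruleset. Line 12 lacks the trailing backslash, so the
# "ip saddr ... ip daddr ..." matches and the "ct state new accept" become two rules.
SAMPLE_RULESET = """\
# constructed example ruleset, mirrors the shape of the rules in the post
define LAN = { 10.0.0.0/24 }
table inet filter {
    set trusted {
        type ipv4_addr
        elements = { 192.0.2.10,
                     192.0.2.11 }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr $LAN \\
        ip daddr { 198.51.100.0/24 }
        ct state new accept
        ip saddr @trusted \\
        tcp dport 443 \\
        ct state new counter accept
    }
}
"""


def join_continuations(text):
    """Strip '#' comments and join lines ending in '\\' as nft does.

    Returns (line_number_of_first_physical_line, normalized_logical_line).
    """
    logical, buf, start = [], "", None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].rstrip()  # '#' inside quoted strings is not handled
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        logical.append((start, " ".join((buf + line).split())))
        buf, start = "", None
    if buf:
        logical.append((start, " ".join(buf.split())))
    return logical


def split_outside_braces(line, sep):
    """Split on sep, but not inside { ... } (anonymous sets, set bodies)."""
    parts, depth, cur = [], 0, ""
    for ch in line:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return parts


def find_statementless_rules(text):
    """Return [(line_number, rule_text)] for chain rules without any verdict/action."""
    findings = []
    stack = []  # kinds of the blocks we are inside: "table", "chain", "set", ...
    for lineno, line in join_continuations(text):
        for part in split_outside_braces(line, ";"):
            part = part.strip()
            if not part:
                continue
            net = part.count("{") - part.count("}")
            if net > 0:  # block opener such as "chain forward {"
                stack.extend([part.split()[0]] * net)
                continue
            if net < 0:  # block closer such as "}" or "192.0.2.11 }"
                for _ in range(-net):
                    if stack:
                        stack.pop()
                continue
            if stack and stack[-1] == "chain" and not part.startswith(CHAIN_PROPERTY_PREFIXES):
                tokens = set(re.split(r"[\s{},]+", part))
                if not tokens & VERDICTS_AND_ACTIONS:
                    findings.append((lineno, part))
    return findings


if __name__ == "__main__":
    # Usage: python nft_lint.py [ruleset-file]; without a file the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET
    for lineno, rule in find_statementless_rules(text):
        print(f"line {lineno}: rule has no statement and is a no-op: {rule}")
    sys.exit(1 if find_statementless_rules(text) else 0)
```

Because the lint works on the same logical lines that nft sees, the reported line number is that of the first physical line of the offending rule, which is where the missing backslash is. A non-zero exit lets the wrapper refuse to load the ruleset, exactly like a failed `nft -c`.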