josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Mon Sep 17, 2018 8:09 am Post subject: nftables rules syntax error
Trying to migrate from iptables to nftables, I followed the Gentoo nftables wiki re kernel config.
Code: | $ lsmod | grep ^nf
nft_limit 12288 0
nft_counter 12288 0
nft_log 12288 0
nf_tables 61440 3 nft_limit,nft_counter,nft_log
nfnetlink 12288 1 nf_tables
nf_log_ipv4 12288 3
nf_log_common 12288 1 nf_log_ipv4
nf_reject_ipv4 12288 1 ipt_REJECT
nf_conntrack_ipv4 12288 8
nf_defrag_ipv4 12288 1 nf_conntrack_ipv4
nf_conntrack 45056 2 nf_conntrack_ipv4,xt_conntrack |
I copied rules from Gentoo wiki examples.
Code: | $ cat /etc/conf.d/nftables.rules
#!/sbin/nft -f
flush ruleset
# filter, inet
table inet filter {
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "drop invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iifname lo accept comment "accept loopback"
        iifname != lo ipv4 daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        iifname != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all icmp types"
        ip6 nexthdr icmpv6 counter accept comment "accept all icmp types"
        tcp dport 22 counter accept comment "accept ssh"
        counter comment "count dropped packets"
    }
} |
I get a syntax error
Code: | $ sudo nft -f /etc/conf.d/nftables.rules
/etc/conf.d/nftables.rules:22:36-40: Error: syntax error, unexpected daddr
iifname != lo ipv4 daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                   ^^^^^ |
_________________ "Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Last edited by josephg on Wed Sep 19, 2018 10:51 am; edited 1 time in total |

guitou Guru
Joined: 02 Oct 2003 Posts: 534 Location: France
Posted: Mon Sep 17, 2018 11:20 am
Hello, got absolutely no knowledge of the subject, but after a quick glance at some docs, I think your mistake is at "ipv4" (should be simply "ip" instead, no?)
++
Gi)

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Wed Sep 19, 2018 10:44 am
guitou wrote: | Hello, got absolutely no knowledge of the subject, but after a quick glance at some docs, I think your mistake is at "ipv4" (should be simply "ip" instead, no?) |
Hello, thank you for the initiative. Yes, I think you're right. I looked at the nftables wiki and changed "ipv4" to "ip". That error has gone away. Perhaps the Gentoo wiki needs to be corrected?

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Wed Sep 19, 2018 10:50 am
Now that error is gone, but I have a whole raft of new errors
Code: | $ sudo nft -f /etc/conf.d/nftables.rules
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Address family not supported by protocol
table inet filter {
^^
/etc/conf.d/nftables.rules:7:15-20: Error: Could not process rule: Address family not supported by protocol
chain output {
^^^^^^
/etc/conf.d/nftables.rules:12:15-21: Error: Could not process rule: Address family not supported by protocol
chain forward {
^^^^^^^
/etc/conf.d/nftables.rules:17:15-19: Error: Could not process rule: Address family not supported by protocol
chain input {
^^^^^
/etc/conf.d/nftables.rules:20:26-47: Error: Could not process rule: Address family not supported by protocol
ct state {established, related} counter accept comment "accept all connections related to connections made by us"
^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:20:26-47: Error: Could not process rule: Address family not supported by protocol
ct state {established, related} counter accept comment "accept all connections related to connections made by us"
^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:9:17-23: Error: Could not process rule: Address family not supported by protocol
counter comment "count accepted packets"
^^^^^^^
/etc/conf.d/nftables.rules:14:17-23: Error: Could not process rule: Address family not supported by protocol
counter comment "count dropped packets"
^^^^^^^
/etc/conf.d/nftables.rules:19:17-45: Error: Could not process rule: Address family not supported by protocol
ct state invalid counter drop comment "drop invalid packets"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:20:17-62: Error: Could not process rule: Address family not supported by protocol
ct state {established, related} counter accept comment "accept all connections related to connections made by us"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:21:17-33: Error: Could not process rule: Address family not supported by protocol
iifname lo accept comment "accept loopback"
^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:23:17-63: Error: Could not process rule: Address family not supported by protocol
iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:24:17-60: Error: Could not process rule: Address family not supported by protocol
iifname != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:25:17-47: Error: Could not process rule: Address family not supported by protocol
ip protocol icmp counter accept comment "accept all icmp types"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:26:17-49: Error: Could not process rule: Address family not supported by protocol
ip6 nexthdr icmpv6 counter accept comment "accept all icmp types"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:27:17-43: Error: Could not process rule: Address family not supported by protocol
tcp dport 22 counter accept comment "accept ssh"
^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/conf.d/nftables.rules:28:17-23: Error: Could not process rule: Address family not supported by protocol
counter comment "count dropped packets" |
I manually added the table/chains before trying again, but got the same errors again as above.
Maybe I'm doing it without understanding all of this and simply blind copying from the Gentoo wiki and hoping the wiki is telling me right.

spidark Tux's lil' helper
Joined: 01 Sep 2011 Posts: 147
Posted: Fri Sep 21, 2018 7:25 pm
josephg wrote: | Maybe I'm doing it without understanding all of this and simply blind copying from Gentoo Wiki and hoping the wiki is telling me right. |
Don't know if you already solved your issue.
I have no idea (yet) what I'm doing.
But this works (crippled I think, but it works).
Can't remember where I got it from. Sorry original author, and thanks.
However, it does time out my eix-sync, and dhclient complains about ipv6 not being permitted because of the drop state (working on that).
Maybe you can figure it out.
Code: | #==== TO LIST: sudo nft list ruleset
#==== TO DESCRIBE PORTS: sudo nft describe tcp dport
flush ruleset
table inet filter {
    set tcp_accepted {
        type inet_service; flags interval;
        elements = {
            http, https, rsync,
        }
    }
    set udp_accepted {
        type inet_service; flags interval;
        elements = {
            domain,
        }
    }
    chain base_checks {
        # allow established/related connections
        ct state {established, related} accept
        # early drop of invalid connections
        ct state invalid log prefix "Invalid Input Connection: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        jump base_checks
        # allow from loopback
        iifname lo accept
        # allow icmp
        ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept
        # allow ports
        #tcp dport @tcp_accepted accept
        #udp dport @udp_accepted accept
        # everything else
        reject with icmpx type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        log prefix "Dropped Forward Connection: "
    }
    chain output {
        type filter hook output priority 0; policy drop;
        jump base_checks
        # allow ports
        tcp dport @tcp_accepted accept
        udp dport @udp_accepted accept
        #log prefix "Invalid Output Connection: "   # Warning: this floods logs
    }
}
|
_________________ Laptop HP Pavilion G6 2310-SD Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz |

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Wed Sep 26, 2018 10:16 am
spidark wrote: | josephg wrote: | Maybe I'm doing it without understanding all of this and simply blind copying from Gentoo Wiki and hoping the wiki is telling me right. |
Don't know if you already solved your issue.
I have no idea (yet) what I'm doing. |
Thank you spidark. I've abandoned nftables and removed those modules from the kernel, as I was getting weird issues that seem to have since disappeared, which might be completely unrelated. I felt like I was groping too much in the dark, and the nftables error messages felt too cryptic for me.

spidark Tux's lil' helper
Joined: 01 Sep 2011 Posts: 147
Posted: Wed Sep 26, 2018 8:56 pm
josephg wrote: |
Thank you spidark. I've abandoned nftables and removed those modules from the kernel, as I was getting weird issues that seem to have since disappeared, which might be completely unrelated. I felt like I was groping too much in the dark, and the nftables error messages felt too cryptic for me. |
No problem josephg,
I read your kernel paging issue post. I do not have that issue, and I'm running the same kernel, 4.14.65-gentoo.
Maybe not related, but just in case.
Code: |
CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=m
CONFIG_NF_TABLES_NETDEV=m
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_ARP is not set
CONFIG_NF_TABLES_IPV6=m
[I] net-firewall/nftables
Available versions: 0.8-r3 ~0.8.5 ~0.9.0 {debug doc +gmp json +readline KERNEL="linux"}
Installed versions: 0.8-r3(09:57:13 AM 09/12/2018)(gmp readline -debug -doc KERNEL="linux")
|

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Thu Sep 27, 2018 1:30 pm
Thank you spidark, you whet my appetite again.
So now I have
Code: | CONFIG_KALLSYMS=y
# CONFIG_KALLSYMS_ALL is not set
# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set
CONFIG_KALLSYMS_BASE_RELATIVE=y |
CONFIG_KALLSYMS_ABSOLUTE_PERCPU=y depends on KALLSYMS=y, which is not set. I see you have it on.
Code: | CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_NETDEV is not set
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_ARP is not set |
I don't need the netdev table yet, nor ip6.
I see your ruleset has "ct state", "log", "nexthdr", "reject", etc. I think you need additional kernel module(s) for those to work. Do you not have them in your running kernel?

Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6247 Location: Dallas area
Posted: Thu Sep 27, 2018 2:52 pm
Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables?
_________________ UM780, 6.12 zen kernel, gcc 13, openrc, wayland

spidark Tux's lil' helper
Joined: 01 Sep 2011 Posts: 147
Posted: Thu Sep 27, 2018 3:45 pm
josephg wrote: | Thank you spidark, you whet my appetite again.
I see your ruleset has "ct state", "log", "nexthdr", "reject", etc. I think you need additional kernel module(s) for those to work. Do you not have them in your running kernel? |
Hi josephg,
OK, let's compare .config and see what you do or don't have.
Code: | CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=m
CONFIG_NF_TABLES_NETDEV=m
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_ARP is not set
CONFIG_NF_TABLES_IPV6=m
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_ADVANCED is not set
# Core Netfilter Configuration
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_LOG=y
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_NAT=m
# CONFIG_NETFILTER_XT_TARGET_NETMAP is not set
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
# CONFIG_NETFILTER_XT_TARGET_REDIRECT is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
CONFIG_NETFILTER_XT_MATCH_POLICY=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
# IP: Netfilter Configuration
# IPv6: Netfilter Configuration
# iptables trigger is under Netfilter config (LED target)
CONFIG_NF_DEFRAG_IPV6=y
CONFIG_NF_CONNTRACK_IPV6=y
# CONFIG_NF_SOCKET_IPV6 is not set
CONFIG_NF_TABLES_IPV6=m
# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set
CONFIG_NFT_REJECT_IPV6=m
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=y
CONFIG_NF_LOG_IPV6=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_NF_DEFRAG_IPV4=y
CONFIG_NF_CONNTRACK_IPV4=y
# CONFIG_NF_SOCKET_IPV4 is not set
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NFT_CHAIN_ROUTE_IPV4 is not set
CONFIG_NFT_REJECT_IPV4=m
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
# CONFIG_NF_DUP_IPV4 is not set
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=y
CONFIG_NF_NAT_IPV4=m
# CONFIG_NFT_CHAIN_NAT_IPV4 is not set
CONFIG_NF_NAT_MASQUERADE_IPV4=m
# CONFIG_NFT_MASQ_IPV4 is not set
# CONFIG_NFT_REDIR_IPV4 is not set
|
You should look up the difference between ip and inet.
inet is stacked: ipv4 combined with ipv6.
ip separates ipv4 from ipv6.
But it's documented on Gentoo.
And always flush your ruleset, or weird stuff will happen.
This was a test ruleset that also worked.
Change the inet to ip, and enjoy the errors.
Funny thing about the code below: it's inet, but I can still use ip6 to block all ipv6 traffic.
I still have to look into that.
Code: | flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        ct state invalid counter packets 0 bytes 0 drop comment "drop invalid packets"
        ct state != related drop
        iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
        iif "lo" accept
        ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } drop
        ip protocol icmp icmp type { destination-unreachable, router-advertisement, router-solicitation, time-exceeded, parameter-problem } drop
        ip protocol igmp drop
        counter packets 0 bytes 0 drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state related accept
        oif "lo" accept
        oif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
        tcp dport smtp accept
        tcp dport domain accept
        tcp dport http accept
        tcp dport https accept
        udp dport domain accept
        tcp dport rsync accept
        tcp dport git accept
        tcp dport 9050 accept
        counter packets 0 bytes 0 drop comment "count accepted packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter packets 0 bytes 0 comment "count dropped packets"
    }
}
table ip6 filter6 {
    chain input {
        type filter hook input priority 0; policy drop;
        counter packets 0 bytes 0 comment "count dropped packets"
    }
    chain output {
        type filter hook output priority 0; policy drop;
        counter packets 0 bytes 0 comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter packets 0 bytes 0 comment "count dropped packets"
    }
}
|
Let me know if it worked.

spidark Tux's lil' helper
Joined: 01 Sep 2011 Posts: 147
Posted: Thu Sep 27, 2018 3:57 pm
Anon-E-moose wrote: | Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables? |
Seriously Anon-E-moose, this tool exists?
I'm guessing by enabling the nftables USE flag on the iptables package?

Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6247 Location: Dallas area
Posted: Thu Sep 27, 2018 4:02 pm
spidark wrote: | Anon-E-moose wrote: | Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables? |
Seriously Anon-E-moose, this tool exists?
I'm guessing by enabling the nftables USE flag on the iptables package? |
Yep, I ran across it when researching using nftables. It does it line by line, but still it's a start.
And yes, it gets created with the nftables USE flag when emerging iptables.
You give it the old line, it gives you the nftables equivalent.
Edit to add: for example, from my iptables file
Code: | iptables-translate -A INPUT -i eth0 -p tcp -s 0/0 --dport 25 -m limit --limit 2/minute -j LOG --log-prefix="IPTABLES:mail " |
output:
Code: | nft add rule ip filter INPUT iifname eth0 tcp dport 25 limit rate 2/minute burst 5 packets counter log prefix \"IPTABLES:mail \" |

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Thu Sep 27, 2018 5:11 pm
A.N..D... voila, I get it again
Code: | BUG: unable to handle kernel paging request at 0002ffa8
IP: __radix_tree_lookup+0x11/0xe0
*pdpt = 00000000206fc001 *pde = 0000000000000000
Oops: 0000 [#1] SMP
Modules linked in: nft_meta nft_log nft_counter nft_ct nf_tables_ipv4 nf_tables nfnetlink ctr ccm af_packet nf_log_ipv4 nf_log_common xt_LOG ipt_REJECT nf_reject_ipv4 xt_pkttype xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_multiport xt_conntrack nf_conntrack iptable_filter ip_tables x_tables zram zsmalloc ext4 crc16 mbcache jbd2 arc4 ath9k ath9k_common bfq ath9k_hw mac80211 coretemp i915 ath cfg80211 i2c_algo_bit hwmon snd_hda_codec_realtek snd_hda_codec_generic input_leds rfkill drm_kms_helper cfbfillrect psmouse snd_hda_intel atkbd snd_hda_codec sr_mod ehci_pci evdev syscopyarea cfbimgblt sysfillrect sdhci_pci libps2 lpc_ich snd_hwdep ehci_hcd sdhci mmc_core cdrom snd_hda_core mfd_core sysimgblt fb_sys_fops cfbcopyarea i2c_i801 led_class snd_pcm pcspkr fan thermal button usbcore drm
battery snd_timer intel_agp video intel_gtt pcc_cpufreq rtc_cmos backlight acpi_cpufreq agpgart ac i8042 serio snd soundcore usb_common
CPU: 0 PID: 18186 Comm: DOM Worker Tainted: G U 4.14.65-gentoo-jgv #23
Hardware name: TOSHIBA Satellite Pro A300/Portable PC, BIOS 2.20 12/07/2009
task: f141b000 task.stack: e0192000
EIP: __radix_tree_lookup+0x11/0xe0
EFLAGS: 00210286 CPU: 0
EAX: 0002ffa4 EBX: a11df000 ECX: 00000000 EDX: 01ffffff
ESI: 01ffffff EDI: 00000000 EBP: 0002ffa0 ESP: e0193de4
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
CR0: 80050033 CR2: 0002ffa8 CR3: 24be3860 CR4: 000006f0
Call Trace:
? radix_tree_lookup_slot+0xb/0x20
? find_get_entry+0x19/0xe0
? pagecache_get_page+0x1c/0x210
? lookup_swap_cache+0x30/0xf0
? swap_readahead_detect+0x60/0x2a0
? do_swap_page+0xbb/0x790
? mem_cgroup_commit_charge+0x62/0x3e0
? reuse_swap_page+0x2f/0x150
? page_add_new_anon_rmap+0x5d/0xa0
? handle_mm_fault+0x669/0xf00
? __do_page_fault+0x19b/0x400
? vmalloc_sync_all+0x10/0x10
? common_exception+0x52/0x5a
Code: d5 8b 74 24 14 8b 5c 24 18 85 d2 0f 84 0b ff ff ff e9 f5 fe ff ff 8d 74 26 00 55 57 56 53 83 ec 08 89 04 24 89 4c 24 04 8b 04 24 <8b> 70 04 89 f0 83 e0 03 83 f8 01 0f 85 a6 00 00 00 89 f0 83 e0
EIP: __radix_tree_lookup+0x11/0xe0 SS:ESP: 0068:e0193de4
CR2: 000000000002ffa8
---[ end trace 54e0e562fff73ff2 ]--- |

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Thu Sep 27, 2018 5:17 pm
Anon-E-moose wrote: | Rather than copy the example from the Gentoo wiki, why didn't you use iptables-translate to convert to nftables? |
I couldn't get nftables to work. That's why. I didn't understand nftables, and those cryptic error messages don't help; that is probably another reason. I assumed I could start with something dependable, and hence picked from the Gentoo wiki.
Now that I understand nftables a bit better, I can say that I got lost following the Gentoo wiki. I'll start building my ruleset once I have nftables working.

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Thu Sep 27, 2018 5:31 pm
To get the iptables-translate tool in Gentoo:
Code: | # USE="nftables" emerge net-firewall/iptables |
I found iptables-translate to be very useful, and it is very easy to use, but not always very accurate. Don't blind copy, but try to understand what it's doing, and use the output as hints or tips to write your ruleset.
You can translate iptables rules line by line, or your entire ruleset in one go.
ref: http://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
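To make "try to understand what it's doing" concrete, here is an added example: a toy translator in Python, not the iptables-translate tool from the iptables project and not anyone's posted code. It covers the options in Anon-E-moose's example line plus conntrack state, source/destination addresses and the simple verdict targets, and shows the mapping the real tool applies (-i to iifname, -p/--dport to a transport payload match, -m limit to limit rate with iptables' default burst of 5, -j LOG to log prefix, and the counter that is added because iptables rules always count). The table name "filter" and the "ip" family are assumptions; anything the translator does not understand raises ValueError instead of guessing. The sample rules are constructed from the thread.

```python
"""Toy iptables -> nft translator for the rule forms seen in this thread.

Added example, not the real iptables-translate from the iptables project:
it shows the mapping that tool applies to a handful of common options so
the output can be read rather than blind-copied. Table name 'filter' and
family 'ip' are assumed; anything it does not understand raises ValueError.
"""
import shlex

VERDICTS = {"ACCEPT": "accept", "DROP": "drop", "RETURN": "return", "REJECT": "reject"}


def _split(line):
    """Tokenise like the shell and split --option=value into two tokens."""
    args = []
    for tok in shlex.split(line):
        if tok.startswith("--") and "=" in tok:
            args.extend(tok.split("=", 1))
        else:
            args.append(tok)
    if args and args[0] in ("iptables", "ip6tables", "iptables-translate"):
        args.pop(0)                                   # tolerate a leading command name
    return args


def translate_rule(line, family="ip", table="filter"):
    """Translate one 'iptables -A ...' line into an 'nft add rule ...' line."""
    args = _split(line)
    chain = proto = target = log_prefix = limit = None
    burst, port_seen, matches = "5", False, []       # iptables' default --limit-burst is 5
    i = 0
    while i < len(args):
        opt, val = args[i], args[i + 1] if i + 1 < len(args) else None
        if opt in ("-A", "--append"):
            chain = val
        elif opt in ("-i", "--in-interface"):
            matches.append(f"iifname {val}")
        elif opt in ("-o", "--out-interface"):
            matches.append(f"oifname {val}")
        elif opt in ("-p", "--protocol"):
            proto = val
        elif opt in ("-s", "--source", "-d", "--destination"):
            if val not in ("0/0", "0.0.0.0/0", "::/0"):   # match-anything adds no expression
                side = "saddr" if opt in ("-s", "--source") else "daddr"
                matches.append(f"{family} {side} {val}")
        elif opt in ("--dport", "--sport"):
            if proto not in ("tcp", "udp"):
                raise ValueError(f"{opt} needs -p tcp or -p udp")
            matches.append(f"{proto} {opt[2:]} {val}")   # e.g. 'tcp dport 25'
            port_seen = True
        elif opt == "-m":
            pass                                      # module name; its options are handled by name
        elif opt in ("--state", "--ctstate"):
            matches.append("ct state " + val.lower())
        elif opt == "--limit":
            limit = val
        elif opt == "--limit-burst":
            burst = val
        elif opt in ("-j", "--jump"):
            target = val
        elif opt == "--log-prefix":
            log_prefix = val
        else:
            raise ValueError(f"unsupported option: {opt}")
        i += 2
    if chain is None or target is None:
        raise ValueError("rule needs -A <chain> and -j <target>")
    if proto and not port_seen:                       # -p with no port match becomes a protocol match
        matches.append(f"ip protocol {proto}" if family == "ip" else f"meta l4proto {proto}")
    if limit:
        matches.append(f"limit rate {limit} burst {burst} packets")
    matches.append("counter")                         # iptables rules always count packets
    if target == "LOG":
        matches.append("log" + (f' prefix "{log_prefix}"' if log_prefix else ""))
    elif target in VERDICTS:
        matches.append(VERDICTS[target])
    else:
        raise ValueError(f"unsupported target: {target}")
    return f"nft add rule {family} {table} {chain} " + " ".join(matches)


def translate_file(text, family="ip"):
    """Translate every non-blank, non-comment line of an iptables rules file."""
    return [translate_rule(l, family) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


# Constructed sample: Anon-E-moose's rule from above plus two common companions.
SAMPLE_RULES = """\
# accept established traffic, log SMTP at a limited rate, drop the rest of TCP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp -s 0/0 --dport 25 -m limit --limit 2/minute -j LOG --log-prefix="IPTABLES:mail "
-A INPUT -p tcp -j DROP
"""

if __name__ == "__main__":
    for nft_line in translate_file(SAMPLE_RULES):
        print(nft_line)
```

The second sample line reproduces Anon-E-moose's output above, except that the quotes around the log prefix are printed unescaped (the real tool escapes them for pasting into a shell). Reading the mapping this way also shows what the translation does not check: nft expressions are evaluated in the order written, and a rule that matched on -m state in iptables becomes a ct state expression that needs the conntrack modules loaded.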

spidark Tux's lil' helper
Joined: 01 Sep 2011 Posts: 147
Posted: Thu Sep 27, 2018 6:42 pm
Faulty memory, hardware maybe?

spidark Tux's lil' helper
Joined: 01 Sep 2011 Posts: 147
Posted: Thu Sep 27, 2018 6:46 pm
Anon-E-moose wrote: |
Yep, I ran across it when researching using nftables, it does it line by line but still it's a start.
And yes it gets created with the nftables tag when emerging iptables.
You give it the old line, it gives you the nftables equiv.
Edit to add: for example from my iptables file
iptables-translate -A INPUT -i eth0 -p tcp -s 0/0 --dport 25 -m limit --limit 2/minute -j LOG --log-prefix="IPTABLES:mail "
output:
nft add rule ip filter INPUT iifname eth0 tcp dport 25 limit rate 2/minute burst 5 packets counter log prefix \"IPTABLES:mail \" |
Nice tip, thanks Anon-E-moose
josephg wrote: |
I found iptables-translate to be very useful, |
Yes it is

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Thu Sep 27, 2018 6:47 pm
Maybe, but why only when I'm playing with nftables modules? Never had it before. Could it be having both iptables and nftables?

Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6247 Location: Dallas area
Posted: Thu Sep 27, 2018 7:07 pm
What kernel version are you using?

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Thu Sep 27, 2018 8:04 pm
Anon-E-moose wrote: | What kernel version are you using? |
sys-kernel/gentoo-sources:4.14.65 x86

Anon-E-moose Watchman
Joined: 23 May 2008 Posts: 6247 Location: Dallas area
Posted: Thu Sep 27, 2018 8:06 pm
You might try a newer kernel and see if the problem persists (using basically the same .config).
As far as it being because of both iptables and nftables, I wouldn't think so, unless you're mixing the two together at the same time.

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Thu Sep 27, 2018 10:33 pm
Anon-E-moose wrote: | You might try a newer kernel and see if the problem persists (using basically the same .config). |
I'm a bit reluctant to upgrade kernels, as I use btrfs.
I had been blindly enabling whatever modules the Gentoo wiki told me, and then, when something failed, enabling more modules without understanding whether they were needed or not. I seem to have a better understanding now, and seem to have got on top of it, cutting and pruning down to only the modules wanted by my ruleset.
Code: | CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=m
CONFIG_NF_TABLES=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_TABLES_IPV4=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m |
Code: | CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_IPV4=m |
So far I haven't got any further oops. Fingers crossed.
Anon-E-moose wrote: | As far as it being because of both iptables and nftables, I wouldn't think so, unless you're mixing the two together at the same time. |
I did mix the two together at times, and wondered if that perhaps contributed to my issues.
nftables wiki wrote: | Beware of using both the nft and the legacy tools at the same time. That means using both x_tables and nf_tables kernel subsystems at the same time, and could lead to unexpected results. |
Apparently you can run both together. The result is an AND of both their rulesets.
http://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F
But that is not my intention. I like how nftables is so much cleaner than iptables.
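As an added example (not code from any poster or from the nftables project), the Python script below does the pruning josephg describes from the other direction: it reads an nft ruleset and a kernel .config and reports which CONFIG_NF_TABLES_* and CONFIG_NFT_* options the ruleset depends on and which of them the .config lacks, using the option names that appear in the .config fragments posted in this thread. It also flags the "ipv4" keyword from the first post, and running it on the first post's ruleset against an IPv4-only .config shows why "table inet" fails while "table ip" does not. The family-to-option and expression-to-option mapping is an assumption that fits 4.14-era kernels, where each family and each expression is its own module; the sample ruleset and .config are constructed from the posts above.

```python
"""Which kernel options does an nft ruleset need, and does it use the 'ipv4'
keyword that caused the syntax error in the first post?

Added example for this thread, not code from the nftables project or from any
poster. Option names are those from the .config fragments posted above; the
family/expression-to-option mapping is an assumption that fits 4.14-era
kernels, where each family and each expression (nft_ct, nft_log, ...) is a module.
"""
import re

FAMILY_OPTIONS = {  # table family -> options it needs (assumed mapping)
    "ip": ["CONFIG_NF_TABLES", "CONFIG_NF_TABLES_IPV4"],
    "ip6": ["CONFIG_NF_TABLES", "CONFIG_NF_TABLES_IPV6"],
    "inet": ["CONFIG_NF_TABLES", "CONFIG_NF_TABLES_INET",
             "CONFIG_NF_TABLES_IPV4", "CONFIG_NF_TABLES_IPV6"],
}
EXPR_OPTIONS = [  # rule expression -> options it needs (assumed mapping)
    (re.compile(r"\bct state\b"), ["CONFIG_NFT_CT", "CONFIG_NF_CONNTRACK"]),
    (re.compile(r"\blog\b"), ["CONFIG_NFT_LOG", "CONFIG_NF_LOG_COMMON"]),
    (re.compile(r"\bcounter\b"), ["CONFIG_NFT_COUNTER"]),
    (re.compile(r"\b(iifname|oifname|iif|oif)\b"), ["CONFIG_NFT_META"]),
    (re.compile(r"\blimit rate\b"), ["CONFIG_NFT_LIMIT"]),
    (re.compile(r"\breject\b"), ["CONFIG_NFT_REJECT"]),
]
REJECT_BY_FAMILY = {"ip": "CONFIG_NFT_REJECT_IPV4", "ip6": "CONFIG_NFT_REJECT_IPV6",
                    "inet": "CONFIG_NFT_REJECT_INET"}  # reject also needs a per-family backend
TABLE_RE = re.compile(r"^table\s+(ip6|ip|inet|arp|bridge|netdev)\s+\S+")
IPV4_TYPO_RE = re.compile(r"\bipv4\s+(saddr|daddr|protocol)\b")  # 'ipv4' is not an nft keyword
STRUCTURE = ("chain ", "set ", "type ", "elements", "flags ", "flush ", "}")

def parse_config(config_text):
    """Return the options set to y or m in a kernel .config."""
    enabled = set()
    for line in config_text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(y|m)$", line.strip())
        if m:
            enabled.add(m.group(1))
    return enabled

def analyse_ruleset(ruleset_text):
    """Return (families used, options required, lint findings as (line, msg))."""
    families, required, lint, family = set(), set(), [], None
    for lineno, raw in enumerate(ruleset_text.splitlines(), 1):
        line = raw.split("#", 1)[0]                               # drop # comments and the shebang
        line = re.sub(r'\bcomment\s+"[^"]*"', "", line).strip()  # and rule comment strings
        if not line:
            continue
        m = TABLE_RE.match(line)
        if m:                                                     # table header sets the family
            family = m.group(1)
            families.add(family)
            required.update(FAMILY_OPTIONS.get(family, ["CONFIG_NF_TABLES"]))
            continue
        if line.startswith(STRUCTURE):                            # chain/set syntax, not a rule
            continue
        if IPV4_TYPO_RE.search(line):
            lint.append((lineno, "'ipv4' is not an nft keyword; the payload expression is 'ip'"))
        for pattern, options in EXPR_OPTIONS:
            if pattern.search(line):
                required.update(options)
        if re.search(r"\breject\b", line) and family in REJECT_BY_FAMILY:
            required.add(REJECT_BY_FAMILY[family])
    return families, required, lint

def check_ruleset(ruleset_text, config_text):
    """Compare what the ruleset needs with what the .config enables."""
    families, required, lint = analyse_ruleset(ruleset_text)
    enabled = parse_config(config_text)
    return {"families": sorted(families), "required": sorted(required),
            "missing": sorted(required - enabled), "lint": lint}

# Constructed sample: the first post's ruleset (abridged) and josephg's final
# IPv4-only .config fragment, which has no CONFIG_NF_TABLES_INET.
SAMPLE_RULESET = """\
#!/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "drop invalid packets"
        iifname lo accept comment "accept loopback"
        iifname != lo ipv4 daddr 127.0.0.1/8 counter drop
        tcp dport 22 counter accept comment "accept ssh"
    }
}
"""
SAMPLE_CONFIG = """\
CONFIG_NF_CONNTRACK=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_INET is not set
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_COUNTER=m
"""

if __name__ == "__main__":
    for family in ("inet", "ip"):   # inet comes back with missing options, ip does not
        print(family, check_ruleset(SAMPLE_RULESET.replace("table inet", "table " + family), SAMPLE_CONFIG))
```

On the sample .config the inet version reports CONFIG_NF_TABLES_INET and CONFIG_NF_TABLES_IPV6 as missing, which is the situation behind the "Address family not supported by protocol" errors earlier in the thread, while the same ruleset declared as "table ip" needs nothing that is not enabled. The check is static: it only says what the ruleset asks for, so a clean result still has to be confirmed with nft -f on the running kernel.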

spidark Tux's lil' helper
Joined: 01 Sep 2011 Posts: 147
Posted: Sun Sep 30, 2018 3:00 pm
josephg wrote: | So far I haven't got any further oops. Fingers crossed. |
Glad you got things working

josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
Posted: Sun Sep 30, 2018 11:03 pm
Could that be because I haven't nftables yet perhaps? I noticed that those modules are not loaded till I run the nftables command. I can start testing nftables again in a few days when I'll have more time.

spidark Tux's lil' helper
Joined: 01 Sep 2011 Posts: 147
Posted: Mon Oct 01, 2018 1:00 pm
josephg wrote: | Could that be because I haven't nftables yet perhaps? I noticed that those modules are not loaded till I run the nftables command. I can start testing nftables again in a few days when I'll have more time. |
I'm not sure.
Maybe not relevant, but I do not have iptables installed, I don't use NetworkManager, and I have iproute2 installed with the -iptables USE flag.
All the [0] modules get loaded when I run nftables.
Code: |
# lsmod
Module Size Used by
nf_log_ipv6 16384 0
nf_log_ipv4 16384 0
nf_log_common 16384 2 nf_log_ipv4,nf_log_ipv6
nft_reject_inet 16384 0
nft_reject 16384 1 nft_reject_inet
nft_meta 16384 0
nft_log 16384 0
nft_ct 16384 0
nft_set_bitmap 16384 0
nft_set_hash 20480 0
nft_set_rbtree 16384 0
nf_tables_inet 16384 0
nf_tables_ipv6 16384 1 nf_tables_inet
nf_tables_ipv4 16384 1 nf_tables_inet
|