[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
bugzilla-daemon at netfilter.org
bugzilla-daemon at netfilter.org
Mon Nov 11 20:46:57 CET 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1777
--- Comment #15 from fs3000 at proton.me ---
This is the original /etc/nftables.conf right after a clean install. "nft list
ruleset" is empty. The nftables service is inactive.
root at bpi-r4 /root $ cat /etc/nftables.conf
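#!/usr/sbin/nft -f
# Router firewall: default-drop on input and forward, accept on output,
# IPv4 masquerade for everything leaving the external interfaces.
# Rules that the mail listing had wrapped across several lines are rejoined
# here: nft ends a rule at a bare newline, so a wrapped rule (e.g. a trailing
# `comment "..."` fragment on its own line) is a syntax error under `nft -f`.

# interface groups used by the rules below
define iflan="lanbr0"
define ifinternal={$iflan,"wlan0","wlan1"}
#define ifwan="ppp0"
define ifwan="ppp8"
define ifexternal={"wan",$ifwan,"ppp9"}

flush ruleset

table inet filter {
#	flowtable f {
#		hook ingress priority filter
#		devices = { lan0, lan1, lan2, lan3, wan }
#		#devices = { lan0, lan1, lan2, lan3, wan, wlan0, wlan1 }
#		flags offload
#	}

	chain input {
		type filter hook input priority filter; policy drop;
		iifname "lo" accept comment "accept loopback"
		# IPv4 icmp only; there is no icmpv6 rule, so if IPv6 is in use on
		# $ifexternal, neighbour discovery from that side falls through to drop
		limit rate 5/second icmp type {echo-request, echo-reply} accept comment "limit icmp to 5/s"
		# SSH is reachable on every interface, including $ifexternal; the
		# commented variant below is the same rule restricted to $ifinternal
		tcp dport ssh limit rate 10/second accept comment "limit SSH"
		#iifname $ifinternal tcp dport ssh limit rate 10/second accept comment "limit SSH"
		ct state { established, related } accept comment "allow connections initiated"
		iifname $ifinternal accept comment "allow traffic from internal interfaces"
		# never reached: every established/related packet was already accepted
		# by the ct state rule above
		tcp sport ftp-data ct state established,related accept comment "allow active/passive FTP"
		#reject
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state invalid counter drop comment "early drop of invalid packets"
		#ct state {established,related} accept comment "allow connections initiated"
		#limit rate 5/second icmp type { echo-reply, echo-request } accept comment "limit icmp to 5/s"
		# clamp TCP MSS to the route MTU on the way out of the external links
		oifname $ifexternal tcp flags syn tcp option maxseg size set rt mtu
		#split new connections from known, syn-ack=ct-established
		# only state "new" reaches forward-new; established/related go to
		# forward-known; anything else (e.g. untracked) hits the drop policy
		ct state vmap { established : jump forward-known, related : jump forward-known, new : jump forward-new }
	}

	chain forward-new {
		#oifname $ifexternal ip saddr $iprangesblocked reject comment "block internal ip ranges to have only internal access"
		#oifname $ifwan tcp dport domain reject comment "block external dns in forward"
		#limit rate 10/minute counter log prefix "NF-FWD-NEW: " level debug
		#int <=> ext
		iifname $ifinternal oifname $ifinternal accept comment "allow int => int"
		iifname $ifinternal oifname $ifexternal accept comment "allow int => ext"
		# unreachable: this chain is entered only for ct state new, so the
		# established/related match below cannot succeed here; ext => int reply
		# traffic is accepted by forward-known instead
		iifname $ifexternal oifname $ifinternal ct state established,related accept comment "allow ext => int (only established/related)"
	}

	chain forward-known {
		# flow offload stays disabled together with the flowtable above
		# ct state established flow offload @f counter
		accept
	}

	chain output {
		# no policy given: nft's default for a base chain is accept
		type filter hook output priority filter;
	}
}

# IPv4 only (table ip): IPv6 traffic is not masqueraded
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname $ifexternal masquerade comment "NAT on all external interfaces"
	}
}

# drop-in fragments; they are loaded after the tables above, and after the
# flush ruleset at the top, so whatever they define is added to this ruleset
include "/etc/nftables/*.nft"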