#1012025 nftables.conf: trying to import nftables.conf and get unexpected meta or ip6 when trying to start

Package:
nftables
Source:
nftables
Description:
Program to control packet filtering rules by Netfilter project
Submitter:
Tim McConnell
Date:
2022-05-31 19:30:03 UTC
Severity:
important
Tags:
#1012025#5
Date:
2022-05-28 23:00:52 UTC
From:
To:
Dear Maintainer,

What led up to the situation?
Trying to configure and enable nftables to stop ip6 neighbor discovery packets
from being rejected by VPN

What exactly did you do (or not do) that was effective (or
     ineffective)? Attempted to use workstation.nft in the examples folder and
looked for documentation on the web. I couldn't find anything newer than 2014
and asked on Debian Forums and Linuxquestions.org.

What was the outcome of this action?
Attempt to run 'sudo systemctl start nftables.service' and receive this error:
Job for nftables.service failed because the control process exited with error code.
See "systemctl status nftables.service" and "journalctl -xeu nftables.service" for details.
tmick@DebianTim:~/recap$ sudo systemctl status nftables.service
× nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sat 2022-05-28 16:39:05 CDT; 7s ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 1704177 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
   Main PID: 1704177 (code=exited, status=1/FAILURE)
        CPU: 24ms

May 28 16:39:05 DebianTim nft[1704177]:
^^^^^^
May 28 16:39:05 DebianTim nft[1704177]: /etc/nftables.conf:18:3-6: Error: syntax error, unexpected meta
May 28 16:39:05 DebianTim nft[1704177]:                 meta nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too>
May 28 16:39:05 DebianTim nft[1704177]:                 ^^^^
May 28 16:39:05 DebianTim nft[1704177]: /etc/nftables.conf:19:8-12: Error: syntax error, unexpected saddr, expecting string
May 28 16:39:05 DebianTim nft[1704177]:                 ipv6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 15>
May 28 16:39:05 DebianTim nft[1704177]:                      ^^^^^
May 28 16:39:05 DebianTim systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
May 28 16:39:05 DebianTim systemd[1]: nftables.service: Failed with result 'exit-code'.
May 28 16:39:05 DebianTim systemd[1]: Failed to start nftables.
I've tried other methods such as inet etc. and still get this type of error.

What outcome did you expect instead? For documentation to be clear enough for
this not to be a problem and the nftables to be able to add this filter.

#1012025#10
Date:
2022-05-29 07:30:15 UTC
From:
To:
This table declaration is missing the family specification, which defaults to
IPv4. I think you cannot use IPv6 stuff in v4 tables.

I think you may want to use a table in the 'inet' family, which is
dual-stack, and should accept both IPv4 and IPv6 stuff.




chain base_checks {

#1012025#15
Date:
2022-05-29 17:43:27 UTC
From:
To:
Hi Arturo,
I changed that to inet and I had to change the line for my IPv6 to look
like this:
		# ICMPv6 packets which must not be dropped, see
		# https://tools.ietf.org/html/rfc4890#section-4.4.1
		meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		#ipv6 saddr fe80::/10
		icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept

I'm not sure why I needed to comment out the local loopback in IPv6 but
it works now. I'll find out if the neighbor discovery packet quit
getting rejected now.
Thanks for the help,
Tim
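Putting the maintainer's point into a complete file, as an added example that is not from the bug report, the nftables examples directory or the nftables project: the table is declared in the inet family so one chain holds both IPv4 and IPv6 rules, the family-specific rule selects IPv6 with `meta nfproto ipv6`, and the link-local rule uses the nftables header expression `ip6 saddr` (`ipv6` is not an nft keyword, which is the "unexpected saddr, expecting string" error above, and there is no `meta nexthdr` key). The table name, the SSH accept rule, the log prefix and the rate limit are assumptions for the example; adjust them before use.

```nft
#!/usr/sbin/nft -f
# Added example, not the reporter's file. Check it without loading anything:
#   nft -c -f /etc/nftables.conf
# then start the unit. "-c" parses and validates but applies no changes.

flush ruleset

# "inet" is the dual-stack family; "table filter {" alone would mean "table ip filter".
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		# Connection tracking first: replies to our own traffic, and junk.
		ct state vmap { established : accept, related : accept, invalid : drop }
		iif lo accept

		# ASSUMPTION: an SSH server on port 22. Remove if not applicable.
		tcp dport 22 accept

		# ICMPv6 types that must not be dropped (RFC 4890 section 4.4.1).
		# "meta nfproto ipv6" restricts this rule to the IPv6 family inside
		# the inet table; neighbor and router discovery (133-136) are in here.
		meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, echo-reply, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept

		# Link-local scoped ICMPv6 (MLD queries/reports, router renumbering,
		# multicast router discovery). The IPv6 header expression is "ip6".
		ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept

		# ICMPv4 counterpart in the same dual-stack table.
		meta nfproto ipv4 icmp type { destination-unreachable, echo-request, echo-reply, time-exceeded, parameter-problem } accept

		# Everything else: count it and log a rate-limited sample under a
		# prefix that can be grepped for; the chain policy then drops it.
		counter
		limit rate 5/minute log prefix "nft input drop: "
	}
}
```

After loading, `nft list ruleset` prints every nf_tables table the kernel currently holds, including ones created by other tools (rules installed through legacy ip6tables are shown by `ip6tables-save` instead). If a kernel log line still reports a rejected type 134 under a prefix that does not appear in this file, the rejecting rule lives in one of those other tables, since the first `meta nfproto ipv6` rule above accepts nd-router-advert from any source.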

#1012025#20
Date:
2022-05-31 19:27:56 UTC
From:
To:
Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation? corrected .conf file as suggested
   * What exactly did you do (or not do) that was effective (or
     ineffective)? type 134 is still being rejected
   * What was the outcome of this action? still rejecting ICMP type 134
   * What outcome did you expect instead? not to get these messages:
May 31 12:02:07 DebianTim kernel: [95243.373348] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=87 PROTO=ICMPv6 TYPE=134 CODE=0

*** End of the template - remove these template lines ***