主页 / unix / 问题 / 408497
Accepted
user223600
Asked: 2017-12-03 22:09:23 +0800 CST

Nftables 配置错误:指定的协议冲突:inet-service v. icmp

  • 772

我正在尝试按照Arch Linux nftables 指南使用nftables构建一个简单的状态防火墙。我在 Arch Linux 论坛上发布了这个问题,但从未收到答案。

完成指南并重新启动我的机器后,systemd无法加载nftables.service。要解决我运行的错误:

systemctl status nftables

这是相关的输出:

/etc/nftables.conf:7:17-25: Error: conflicting protocols specified: inet-service v. icmp

该错误是抱怨我为在输入链中接受新 ping (icmp) 设置的规则。这是规则,我看不出有什么问题:

icmp type echo-request ct state new accept

如果我删除该规则,它将起作用。但我想要规则。

这是我完成指南后在nftables.conf中的规则集:

    table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        icmp type echo-request ct state new accept
        ip protocol udp ct state new jump UDP
        tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
        ip protocol udp reject
        ip protocol tcp reject with tcp reset
        meta nfproto ipv4 counter packets 0 bytes 0 reject with icmp type prot-unreachable
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }

    chain TCP {
        tcp dport http accept
        tcp dport https accept
        tcp dport ssh accept
        tcp dport domain accept
    }

    chain UDP {
        tcp dport domain accept
    }
}

我错过了什么?先感谢您。

arch-linux systemd

1 个回答

  1. Best Answer

    这是 nftables 0.7(或其他几个版本)的语法限制:它不认为 ICMP 和 ICMPv6 可直接用于双 IPv4/IPv6 表中inet,而没有明确说明首先使用哪个 IP 协议:

    所以规则:

    icmp type echo-request ct state new accept

    要同时在 IPv4 和 IPv6 上工作,必须像这样编写两次:

    更新:实际上不应该依赖 IPv6nexthdr指向上层协议:在固定头和上层头(最后出现)之间可以有扩展头。添加正确的语法(使用已经提供协议信息的元信息),并留下我原来的答案,因为我不知道“正确”的语法是否适用于 nftables 0.7:

    meta nfproto ipv4 meta l4proto icmp icmp type echo-request ct state new accept
meta nfproto ipv6 meta l4proto icmpv6 icmpv6 type echo-request ct state new accept

    ip protocol icmp icmp type echo-request ct state new accept
ip6 nexthdr icmpv6 icmpv6 type echo-request ct state new accept

    给出相应的字节码(用 显示nft --debug=netlink list ruleset -a):

    inet filter input 9 8 
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x00000002 ]
  [ payload load 1b @ network header + 9 => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 1b @ transport header + 0 => reg 1 ]
  [ cmp eq reg 1 0x00000008 ]
  [ ct load state => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
  [ cmp neq reg 1 0x00000000 ]
  [ immediate reg 0 accept ]

inet filter input 10 9 
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x0000000a ]
  [ payload load 1b @ network header + 6 => reg 1 ]
  [ cmp eq reg 1 0x0000003a ]
  [ payload load 1b @ transport header + 0 => reg 1 ]
  [ cmp eq reg 1 0x00000080 ]
  [ ct load state => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
  [ cmp neq reg 1 0x00000000 ]
  [ immediate reg 0 accept ]

    ICMP 是 IP 协议 1,echo-r​​equest 值
    8。ICMPv6 是 IPv6 协议 58 (0x3a),它的 echo-r​​equest 值 128 (0x80)。

    较新的 nftables 0.9 直接接受 rule icmp type echo-request ct state new accept,但其对应的字节码只有:

    inet filter input 9 8 
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x00000002 ]
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000001 ]
  [ payload load 1b @ transport header + 0 => reg 1 ]
  [ cmp eq reg 1 0x00000008 ]
  [ ct load state => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
  [ cmp neq reg 1 0x00000000 ]
  [ immediate reg 0 accept ]

    这意味着它只处理 ICMP,而不是 ICMPv6,它仍然应该添加一个附加规则,就像:

    icmpv6 type echo-request ct state new accept

    返还之前版本的等效字节码:

    inet filter input 10 9 
  [ meta load nfproto => reg 1 ]
  [ cmp eq reg 1 0x0000000a ]
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x0000003a ]
  [ payload load 1b @ transport header + 0 => reg 1 ]
  [ cmp eq reg 1 0x00000080 ]
  [ ct load state => reg 1 ]
  [ bitwise reg 1 = (reg=1 & 0x00000008 ) ^ 0x00000000 ]
  [ cmp neq reg 1 0x00000000 ]
  [ immediate reg 0 accept ]
    • 3

相关问题