* nft ingress won't work on wireless ?
@ 2020-03-09 13:36 sean darcy
2020-03-09 16:13 ` sean darcy
2020-03-09 19:50 ` Pablo Neira Ayuso
0 siblings, 2 replies; 5+ messages in thread
From: sean darcy @ 2020-03-09 13:36 UTC (permalink / raw)
To: netfilter
Fedora 31. nftables-0.9.1-3.fc31.x86_64
The same ingress rule works on the ethernet port, but not on wireless.
This works:
cat ipv4-netdev-asterisk
# /opt/nftables/ipv4-filter-asterisk
include "/opt/nftables/whitelist1"
include "/opt/nftables/ip.blacklist1"
table netdev netdev1 {
set whitelist {
type ipv4_addr
flags interval
auto-merge
elements = $whitelist_ips
}
set blacklist {
type ipv4_addr
flags interval
auto-merge
elements = $blacklist_ips
}
chain ingress1 {
type filter hook ingress device enp5s0 priority 0; policy accept;
udp dport { 6000-31000 } accept comment rtp_ports
#accept whitelist
ip saddr @whitelist accept
tcp dport { 3478, 5349, 554, 5222, 5269, 19294 }
counter accept comment "stun stun-tls rtsp and gv"
udp dport { 3478, 4893, 19295, 19302 } counter accept
comment "stun and gv"
#drop blacklist
ip saddr @blacklist counter drop
}
}
But if I change the device in the ingress1 chain to wlp4s0, which exists:
ifconfig | grep -A 1 wlp4s0
wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.61 netmask 255.255.255.0 broadcast 10.0.0.255
it fails.
nft[4158]: In file included from /opt/nftables/whitelist1:39:2-39:
nft[4158]: from
/opt/nftables/ipv4-netdev-asterisk-wlp4s0:6:1-35:
nft[4158]: from /etc/sysconfig/nftables.conf:17:1-52:
nft[4158]: /opt/nftables/ip.blacklist1:1124:15-22: Error: Could not
process rule: Device or resource busy
systemd[1]: nftables.service: Main process exited, code=exited,
status=1/FAILURE
Just to repeat: the only change is the device. The other files are all
the same.
Puzzled,
sean
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: nft ingress won't work on wireless ?
2020-03-09 13:36 nft ingress won't work on wireless ? sean darcy
@ 2020-03-09 16:13 ` sean darcy
2020-03-09 19:50 ` Pablo Neira Ayuso
1 sibling, 0 replies; 5+ messages in thread
From: sean darcy @ 2020-03-09 16:13 UTC (permalink / raw)
To: netfilter
On 3/9/20 9:36 AM, sean darcy wrote:
> Fedora 31. nftables-0.9.1-3.fc31.x86_64
>
> The same ingress rule works on the ethernet port, but not on wireless.
>
> This works:
>
>
> cat ipv4-netdev-asterisk
> # /opt/nftables/ipv4-filter-asterisk
>
> include "/opt/nftables/whitelist1"
> include "/opt/nftables/ip.blacklist1"
>
> table netdev netdev1 {
> set whitelist {
> type ipv4_addr
> flags interval
> auto-merge
> elements = $whitelist_ips
> }
>
> set blacklist {
> type ipv4_addr
> flags interval
> auto-merge
> elements = $blacklist_ips
> }
>
> chain ingress1 {
> type filter hook ingress device enp5s0 priority 0; policy accept;
> udp dport { 6000-31000 } accept comment rtp_ports
> #accept whitelist
> ip saddr @whitelist accept
> tcp dport { 3478, 5349, 554, 5222, 5269, 19294 }
> counter accept comment "stun stun-tls rtsp and gv"
> udp dport { 3478, 4893, 19295, 19302 } counter accept
> comment "stun and gv"
> #drop blacklist
> ip saddr @blacklist counter drop
> }
> }
>
>
> But if I change the device in the ingress1 chain to wlp4s0, which exists:
>
> ifconfig | grep -A 1 wlp4s0
> wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 10.0.0.61 netmask 255.255.255.0 broadcast 10.0.0.255
>
> it fails.
>
> nft[4158]: In file included from /opt/nftables/whitelist1:39:2-39:
> nft[4158]: from
> /opt/nftables/ipv4-netdev-asterisk-wlp4s0:6:1-35:
> nft[4158]: from /etc/sysconfig/nftables.conf:17:1-52:
> nft[4158]: /opt/nftables/ip.blacklist1:1124:15-22: Error: Could not
> process rule: Device or resource busy
> systemd[1]: nftables.service: Main process exited, code=exited,
> status=1/FAILURE
>
> Just to repeat: the only change is the device. The other files are all
> the same.
>
> Puzzled,
>
> sean
>
>
kernel 5.5.7
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: nft ingress won't work on wireless ?
2020-03-09 13:36 nft ingress won't work on wireless ? sean darcy
2020-03-09 16:13 ` sean darcy
@ 2020-03-09 19:50 ` Pablo Neira Ayuso
2020-03-10 1:14 ` sean darcy
1 sibling, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2020-03-09 19:50 UTC (permalink / raw)
To: sean darcy; +Cc: netfilter
On Mon, Mar 09, 2020 at 09:36:40AM -0400, sean darcy wrote:
> Fedora 31. nftables-0.9.1-3.fc31.x86_64
>
> The same ingress rule works on the ethernet port, but not on wireless.
>
> This works:
>
>
> cat ipv4-netdev-asterisk
> # /opt/nftables/ipv4-filter-asterisk
flush ruleset is fine here? More comments below.
> include "/opt/nftables/whitelist1"
> include "/opt/nftables/ip.blacklist1"
>
> table netdev netdev1 {
> set whitelist {
> type ipv4_addr
> flags interval
> auto-merge
> elements = $whitelist_ips
> }
>
> set blacklist {
> type ipv4_addr
> flags interval
> auto-merge
> elements = $blacklist_ips
> }
>
> chain ingress1 {
> type filter hook ingress device enp5s0 priority 0; policy accept;
> udp dport { 6000-31000 } accept comment rtp_ports
> #accept whitelist
> ip saddr @whitelist accept
> tcp dport { 3478, 5349, 554, 5222, 5269, 19294 } counter
> accept comment "stun stun-tls rtsp and gv"
> udp dport { 3478, 4893, 19295, 19302 } counter accept
> comment "stun and gv"
> #drop blacklist
> ip saddr @blacklist counter drop
> }
> }
>
>
> But if I change the device in the ingress1 chain to wlp4s0, which exists:
>
> ifconfig | grep -A 1 wlp4s0
> wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> inet 10.0.0.61 netmask 255.255.255.0 broadcast 10.0.0.255
>
> it fails.
>
> nft[4158]: In file included from /opt/nftables/whitelist1:39:2-39:
> nft[4158]: from
> /opt/nftables/ipv4-netdev-asterisk-wlp4s0:6:1-35:
> nft[4158]: from /etc/sysconfig/nftables.conf:17:1-52:
> nft[4158]: /opt/nftables/ip.blacklist1:1124:15-22: Error: Could not process
> rule: Device or resource busy
> systemd[1]: nftables.service: Main process exited, code=exited,
> status=1/FAILURE
>
> Just to repeat: the only change is the device. The other files are all the
> same.
Are you re-using your existing 'ingress1' chain?
I mean:
# nft add table netdev x
# nft add chain netdev x x { type filter hook ingress device eth0 priority 0\; }
# nft add chain netdev x x { type filter hook ingress device wlan0 priority 0\; }
Error: Could not process rule: Device or resource busy
add chain netdev x x { type filter hook ingress device wlan0 priority 0; }
If you try to update the chain 'x' to use device 'wlan0' (different
device), then nft reports that this chain is already busy.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: nft ingress won't work on wireless ?
2020-03-09 19:50 ` Pablo Neira Ayuso
@ 2020-03-10 1:14 ` sean darcy
2020-03-17 15:46 ` sean darcy
0 siblings, 1 reply; 5+ messages in thread
From: sean darcy @ 2020-03-10 1:14 UTC (permalink / raw)
To: netfilter
On 3/9/20 3:50 PM, Pablo Neira Ayuso wrote:
> On Mon, Mar 09, 2020 at 09:36:40AM -0400, sean darcy wrote:
>> Fedora 31. nftables-0.9.1-3.fc31.x86_64
>>
>> The same ingress rule works on the ethernet port, but not on wireless.
>>
>> This works:
>>
>>
>> cat ipv4-netdev-asterisk
>> # /opt/nftables/ipv4-filter-asterisk
>
> flush ruleset is fine here? More comments below.
>
>> include "/opt/nftables/whitelist1"
>> include "/opt/nftables/ip.blacklist1"
>>
>> table netdev netdev1 {
>> set whitelist {
>> type ipv4_addr
>> flags interval
>> auto-merge
>> elements = $whitelist_ips
>> }
>>
>> set blacklist {
>> type ipv4_addr
>> flags interval
>> auto-merge
>> elements = $blacklist_ips
>> }
>>
>> chain ingress1 {
>> type filter hook ingress device enp5s0 priority 0; policy accept;
>> udp dport { 6000-31000 } accept comment rtp_ports
>> #accept whitelist
>> ip saddr @whitelist accept
>> tcp dport { 3478, 5349, 554, 5222, 5269, 19294 } counter
>> accept comment "stun stun-tls rtsp and gv"
>> udp dport { 3478, 4893, 19295, 19302 } counter accept
>> comment "stun and gv"
>> #drop blacklist
>> ip saddr @blacklist counter drop
>> }
>> }
>>
>>
>> But if I change the device in the ingress1 chain to wlp4s0, which exists:
>>
>> ifconfig | grep -A 1 wlp4s0
>> wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>> inet 10.0.0.61 netmask 255.255.255.0 broadcast 10.0.0.255
>>
>> it fails.
>>
>> nft[4158]: In file included from /opt/nftables/whitelist1:39:2-39:
>> nft[4158]: from
>> /opt/nftables/ipv4-netdev-asterisk-wlp4s0:6:1-35:
>> nft[4158]: from /etc/sysconfig/nftables.conf:17:1-52:
>> nft[4158]: /opt/nftables/ip.blacklist1:1124:15-22: Error: Could not process
>> rule: Device or resource busy
>> systemd[1]: nftables.service: Main process exited, code=exited,
>> status=1/FAILURE
>>
>> Just to repeat: the only change is the device. The other files are all the
>> same.
>
> Are you re-using your existing 'ingress1' chain?
>
> I mean:
>
> # nft add table netdev x
> # nft add chain netdev x x { type filter hook ingress device eth0 priority 0\; }
> # nft add chain netdev x x { type filter hook ingress device wlan0 priority 0\; }
> Error: Could not process rule: Device or resource busy
> add chain netdev x x { type filter hook ingress device wlan0 priority 0; }
>
> If you try to update the chain 'x' to use device 'wlan0' (different
> device), then nft reports that this chain is already busy.
>
I'm not using nft from the command line. I'm restarting nft altogether
using systemd.
systemctl stop nftables
[change the device in ingress1]
systemctl start nftables
cat /usr/lib/systemd/system/nftables.service
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target
[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include
"/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
sean
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: nft ingress won't work on wireless ?
2020-03-10 1:14 ` sean darcy
@ 2020-03-17 15:46 ` sean darcy
0 siblings, 0 replies; 5+ messages in thread
From: sean darcy @ 2020-03-17 15:46 UTC (permalink / raw)
To: netfilter
On 3/9/20 9:14 PM, sean darcy wrote:
> On 3/9/20 3:50 PM, Pablo Neira Ayuso wrote:
>> On Mon, Mar 09, 2020 at 09:36:40AM -0400, sean darcy wrote:
>>> Fedora 31. nftables-0.9.1-3.fc31.x86_64
>>>
>>> The same ingress rule works on the ethernet port, but not on wireless.
>>>
>>> This works:
>>>
>>>
>>> cat ipv4-netdev-asterisk
>>> # /opt/nftables/ipv4-filter-asterisk
>>
>> flush ruleset is fine here? More comments below.
>>
>>> include "/opt/nftables/whitelist1"
>>> include "/opt/nftables/ip.blacklist1"
>>>
>>> table netdev netdev1 {
>>> set whitelist {
>>> type ipv4_addr
>>> flags interval
>>> auto-merge
>>> elements = $whitelist_ips
>>> }
>>>
>>> set blacklist {
>>> type ipv4_addr
>>> flags interval
>>> auto-merge
>>> elements = $blacklist_ips
>>> }
>>>
>>> chain ingress1 {
>>> type filter hook ingress device enp5s0 priority 0; policy
>>> accept;
>>> udp dport { 6000-31000 } accept comment rtp_ports
>>> #accept whitelist
>>> ip saddr @whitelist accept
>>> tcp dport { 3478, 5349, 554, 5222, 5269, 19294 }
>>> counter
>>> accept comment "stun stun-tls rtsp and gv"
>>> udp dport { 3478, 4893, 19295, 19302 } counter accept
>>> comment "stun and gv"
>>> #drop blacklist
>>> ip saddr @blacklist counter drop
>>> }
>>> }
>>>
>>>
>>> But if I change the device in the ingress1 chain to wlp4s0, which
>>> exists:
>>>
>>> ifconfig | grep -A 1 wlp4s0
>>> wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
>>> inet 10.0.0.61 netmask 255.255.255.0 broadcast 10.0.0.255
>>>
>>> it fails.
>>>
>>> nft[4158]: In file included from /opt/nftables/whitelist1:39:2-39:
>>> nft[4158]: from
>>> /opt/nftables/ipv4-netdev-asterisk-wlp4s0:6:1-35:
>>> nft[4158]: from /etc/sysconfig/nftables.conf:17:1-52:
>>> nft[4158]: /opt/nftables/ip.blacklist1:1124:15-22: Error: Could not
>>> process
>>> rule: Device or resource busy
>>> systemd[1]: nftables.service: Main process exited, code=exited,
>>> status=1/FAILURE
>>>
>>> Just to repeat: the only change is the device. The other files are
>>> all the
>>> same.
>>
>> Are you re-using your existing 'ingress1' chain?
>>
>> I mean:
>>
>> # nft add table netdev x
>> # nft add chain netdev x x { type filter hook ingress device eth0
>> priority 0\; }
>> # nft add chain netdev x x { type filter hook ingress device wlan0
>> priority 0\; }
>> Error: Could not process rule: Device or resource busy
>> add chain netdev x x { type filter hook ingress device wlan0 priority
>> 0; }
>>
>> If you try to update the chain 'x' to use device 'wlan0' (different
>> device), then nft reports that this chain is already busy.
>>
>
> I'm not using nft from the command line. I'm restarting nft altogether
> using systemd.
>
> systemctl stop nftables
> [change the device in ingress1]
> systemctl start nftables
>
> cat /usr/lib/systemd/system/nftables.service
> [Unit]
> Description=Netfilter Tables
> Documentation=man:nft(8)
> Wants=network-pre.target
> Before=network-pre.target
>
> [Service]
> Type=oneshot
> ProtectSystem=full
> ProtectHome=true
> ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
> ExecReload=/sbin/nft 'flush ruleset; include
> "/etc/sysconfig/nftables.conf";'
> ExecStop=/sbin/nft flush ruleset
> RemainAfterExit=yes
>
> [Install]
> WantedBy=multi-user.target
>
>
> sean
>
>
>
For whatever reason, wireless works if I reboot.
sean
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-03-17 15:46 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-09 13:36 nft ingress won't work on wireless ? sean darcy
2020-03-09 16:13 ` sean darcy
2020-03-09 19:50 ` Pablo Neira Ayuso
2020-03-10 1:14 ` sean darcy
2020-03-17 15:46 ` sean darcy
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.