Bug#913877: [pkg-netfilter-team] Bug#913877: iptables 1.8.2: ERROR when adding REJECT target to custom chains
On 11/16/18 1:18 PM, Amos Jeffries wrote:
> My kernel version is 3.16.0-4-amd64.

This kernel is very very old. First thing to do is to upgrade your kernel
to something modern. It is not related to the hardware.

Both the x_tables and nf_tables kernel subsystems received severe updates
since 3.16. By mixing modern userspace components with old kernelside
modules you are exposed to severe limitations, to say the least.

>
> The main problem as I see it is that the packaging switched straight to
> the -nft versions without sufficient checking that it was not breaking
> the system by doing so. Surely there are tests that can be done on
> install to select the auto/default flavour better?
>

I don't have time to work on such magic migration mechanisms. But as I
said, your issue is not with iptables-nft or nftables itself. You are
using a very old kernel which won't work.

thanks!
Bug#913877: iptables 1.8.2: ERROR when adding REJECT target to custom chains
My kernel version is 3.16.0-4-amd64. That is due to unrelated driver
errors the newer kernels have consistently had on this hardware. I am
surely not the only one in this situation.

I see there was a NEWS mention of unspecified impact with the 1.8.1+
versions but did not pay much attention to it since I am not upgrading
"between Debian versions" here. The machine in question has always run
Sid and gets weekly updates of everything short of a full reboot.

The main problem as I see it is that the packaging switched straight to
the -nft versions without sufficient checking that it was not breaking
the system by doing so. Surely there are tests that can be done on
install to select the auto/default flavour better?

AYJ
Bug#913877: iptables 1.8.2: ERROR when adding REJECT target to custom chains
Control: tag -1 unreproducible

On Fri, 16 Nov 2018 23:20:02 +1300 Amos Jeffries wrote:
> Followup experiments isolating the custom sub-chain are showing even
> worse behaviour from the new iptables (-nft flavour).
>
> These commands
>
>   iptables -N test-foo
>   iptables -I test-foo 1 -s 127.0.0.1 -j REJECT
>
> Produce this output:
>
>   iptables v1.8.2 (nf_tables): RULE_INSERT failed (Invalid argument):
>   rule in chain test-foo
>
> And this absurd syslog message:
>
>   x_tables: ip_tables: REJECT target: used from hooks FORWARD, but only
>   usable from INPUT/FORWARD/OUTPUT
>
> Upstream reports that this does work on other systems.

Which kernel are you running? Mine is:

  arturo@endurance:~ $ uname -r
  4.18.0-2-amd64

This is my local test:

  arturo@endurance:~ $ sudo iptables-nft -N test-foo
  arturo@endurance:~ $ sudo iptables-nft -I test-foo 1 -s 127.0.0.1 -j REJECT
  arturo@endurance:~ $ sudo iptables-nft-save
  # Generated by xtables-save v1.8.2 on Fri Nov 16 12:40:51 2018
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :test-foo - [0:0]
  -A test-foo -s 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable
  COMMIT
  # Completed on Fri Nov 16 12:40:51 2018

Closing bug now, feel free to reopen if required.

Thanks for reporting.
Bug#913877: iptables 1.8.2: ERROR when adding REJECT target to custom chains
Followup experiments isolating the custom sub-chain are showing even
worse behaviour from the new iptables (-nft flavour).

These commands

  iptables -N test-foo
  iptables -I test-foo 1 -s 127.0.0.1 -j REJECT

Produce this output:

  iptables v1.8.2 (nf_tables): RULE_INSERT failed (Invalid argument):
  rule in chain test-foo

And this absurd syslog message:

  x_tables: ip_tables: REJECT target: used from hooks FORWARD, but only
  usable from INPUT/FORWARD/OUTPUT

For anyone else encountering issues from the new packages, running these
commands:

  update-alternatives --config iptables
  update-alternatives --config ip6tables

to manually override the automatic package default with the '-legacy'
flavour is required to restore proper behaviour.

AYJ
Bug#913877: [pkg-netfilter-team] Bug#913877: iptables 1.8.2: ERROR when adding REJECT target to custom chains
Control: forward -1 https://bugzilla.netfilter.org/show_bug.cgi?id=1298

Your bug report has been forwarded upstream.
Bug#913877: iptables 1.8.2: ERROR when adding REJECT target to custom chains
Package: iptables
Version: 1.8.2-2
Severity: grave

The fail2ban attack prevention software scans log files and adds
firewall rules dynamically to iptables/ip6tables to prevent DoS and
login scanning attacks in realtime.

Since upgrading iptables to the 1.8.2 version it has been completely
unable to do that vital task due to problems within nftables / iptables.

The example that I am facing right now is with active and large DoS and
email spam attacks. When fail2ban attempts to add the firewall blocks,
such as;

  iptables -w -I f2b-postfix-sasl 1 -s 80.82.70.189 \
    -j REJECT --reject-with icmp-port-unreachable

iptables produces an error:

  iptables v1.8.2 (nf_tables): RULE_INSERT failed (Invalid argument):
  rule in chain f2b-postfix-sasl

the system log matching that iptables update attempt states:

  x_tables: ip_tables: REJECT target: used from hooks
  FORWARD/OUTPUT/POSTROUTING, but only usable from INPUT/FORWARD/OUTPUT

Which appears to be a lie. The f2b-postfix-sasl is a sub-chain of the
INPUT table and is not in any way connected to the FORWARD, OUTPUT nor
POSTROUTING tables.

  iptables -L -nv

  Chain INPUT (policy ACCEPT 1727M packets, 3523G bytes)
   pkts bytes target           prot opt in  out source    destination
   9531 7001K f2b-postfix-sasl tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587,143,993,110,995
   9531 7001K f2b-courier-auth tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587,143,993,110,995
   8629 6907K f2b-postfix      tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587
   2994  278K f2b-sshd         tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 22
  6412K 2086M f2b-postfix-sasl tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587,143,993,110,995
  6412K 2086M f2b-courier-auth tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587,143,993,110,995
  3053K  829M f2b-postfix      tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587
    11M  663M f2b-sshd         tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 22

  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target           prot opt in  out source    destination

  Chain OUTPUT (policy ACCEPT 1230M packets, 132G bytes)
   pkts bytes target           prot opt in  out source    destination

  Chain f2b-sshd (2 references)
   pkts bytes target           prot opt in  out source    destination
   5988  556K RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

  Chain f2b-postfix (2 references)
   pkts bytes target           prot opt in  out source    destination
  17258   14M RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

  Chain f2b-courier-auth (2 references)
   pkts bytes target           prot opt in  out source    destination
  19062   14M RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

  Chain f2b-postfix-sasl (2 references)
   pkts bytes target           prot opt in  out source    destination
  19062   14M RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

AYJ
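The kernel rejects a REJECT target when the chain holding it is reachable from a hook where REJECT is not usable, which is what the x_tables message is reporting. The listing in the report shows f2b-postfix-sasl referenced only from INPUT, while the logged message names FORWARD/OUTPUT/POSTROUTING. The following Python script is an added example for this thread, not code from the report, from iptables or from fail2ban: it parses an `iptables -L -nv` listing (the filter table from the report above, embedded as sample input), walks the jump graph from each built-in chain to compute the hooks every user-defined chain can be entered from, decides whether `-j REJECT` is admissible there, and parses the x_tables message so the kernel's claimed hook set can be compared with the listing. All function and constant names are my own, and nothing here talks to the running kernel.

```python
"""Compute, from an `iptables -L -nv` listing, the set of built-in hooks each
user-defined chain can be entered from, and decide whether `-j REJECT` is
admissible there.  Added example for this bug thread; not code from the
report, from iptables or from fail2ban."""
import re
from collections import deque

# The five netfilter hooks, as their built-in chain names appear in listings.
BUILTIN_CHAINS = ("PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING")
# Hooks from which the REJECT target may be used (as the x_tables message states).
REJECT_HOOKS = {"INPUT", "FORWARD", "OUTPUT"}

# Filter-table listing copied from the original report above (sample input).
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 1727M packets, 3523G bytes)
 pkts bytes target           prot opt in  out source    destination
 9531 7001K f2b-postfix-sasl tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587,143,993,110,995
 9531 7001K f2b-courier-auth tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587,143,993,110,995
 8629 6907K f2b-postfix      tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587
 2994  278K f2b-sshd         tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 22
6412K 2086M f2b-postfix-sasl tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587,143,993,110,995
6412K 2086M f2b-courier-auth tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587,143,993,110,995
3053K  829M f2b-postfix      tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 25,465,587
  11M  663M f2b-sshd         tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  multiport dports 22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target           prot opt in  out source    destination

Chain OUTPUT (policy ACCEPT 1230M packets, 132G bytes)
 pkts bytes target           prot opt in  out source    destination

Chain f2b-sshd (2 references)
 pkts bytes target           prot opt in  out source    destination
 5988  556K RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain f2b-postfix (2 references)
 pkts bytes target           prot opt in  out source    destination
17258   14M RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain f2b-courier-auth (2 references)
 pkts bytes target           prot opt in  out source    destination
19062   14M RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain f2b-postfix-sasl (2 references)
 pkts bytes target           prot opt in  out source    destination
19062   14M RETURN           all  --  *   *   0.0.0.0/0 0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")
KMSG_RE = re.compile(r"used from hooks ([A-Z/]+), but only usable from ([A-Z/]+)")


def parse_listing(text):
    """Return {chain: [target, ...]} for every chain in an `iptables -L -nv` dump.
    Rules without a target (no -j) are not handled; every sample rule has one."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        fields = line.split()
        if current is None or len(fields) < 3 or fields[0] == "pkts":
            continue                      # blank line or column header
        chains[current].append(fields[2])  # columns: pkts bytes target ...
    return chains


def reachable_hooks(chains):
    """For each user-defined chain, the built-in hooks it can be entered from,
    following jumps transitively (the analogue of the hook mask the kernel
    computes per chain before validating targets such as REJECT)."""
    hooks = {c: set() for c in chains if c not in BUILTIN_CHAINS}
    for hook in BUILTIN_CHAINS:
        if hook not in chains:
            continue
        seen, queue = set(), deque([hook])
        while queue:
            for target in chains.get(queue.popleft(), []):
                if target in hooks and target not in seen:  # a jump to a user chain
                    seen.add(target)
                    hooks[target].add(hook)
                    queue.append(target)
    return hooks


def reject_check(chain, hooks):
    """Return (ok, reason) for inserting `-j REJECT` into `chain`."""
    bad = hooks - REJECT_HOOKS
    if bad:
        return False, f"{chain} is reachable from {'/'.join(sorted(bad))}, where REJECT is not usable"
    return True, f"{chain} is only reachable from {'/'.join(sorted(hooks))}; REJECT is valid"


def kernel_claim(msg):
    """Parse an x_tables diagnostic into (claimed_hooks, allowed_hooks), or None."""
    m = KMSG_RE.search(msg)
    return (set(m.group(1).split("/")), set(m.group(2).split("/"))) if m else None


if __name__ == "__main__":
    hooks = reachable_hooks(parse_listing(SAMPLE_LISTING))
    for chain in sorted(hooks):
        print(reject_check(chain, hooks[chain])[1])
    claimed, _ = kernel_claim("x_tables: ip_tables: REJECT target: used from hooks "
                              "FORWARD/OUTPUT/POSTROUTING, but only usable from INPUT/FORWARD/OUTPUT")
    print("kernel claimed:", sorted(claimed), "listing shows:", sorted(hooks["f2b-postfix-sasl"]))
```

On a live host, feed the output of `iptables-legacy -L -nv` and `iptables-nft -L -nv` to `parse_listing` separately; the two flavours should agree on which hooks each user chain is reachable from, and a kernel message naming hooks that the listing does not support is the kind of discrepancy this report describes.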