bugzilla-daemon at netfilter.org
2018-Nov-16 10:02 UTC
[Bug 1298] New: Issue with REJECT in custom chains
https://bugzilla.netfilter.org/show_bug.cgi?id=1298

            Bug ID: 1298
           Summary: Issue with REJECT in custom chains
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables over nftable
          Assignee: pablo at netfilter.org
          Reporter: arturo at debian.org

Original bug report: https://bugs.debian.org/913877

=== 8< ==

Since upgrading iptables to the 1.8.2 version it has been completely
unable to do that vital task due to problems within nftables / iptables.

The example that I am facing right now is with active and large DoS
attacks email spam attacks. When fail2ban attempts to add the firewall
blocks, such as;

  iptables -w -I f2b-postfix-sasl 1 -s 80.82.70.189 \
    -j REJECT --reject-with icmp-port-unreachable

iptables produces an error:

  iptables v1.8.2 (nf_tables): RULE_INSERT failed (Invalid argument): rule in chain f2b-postfix-sasl

the system log matching that iptables update attempt states:

  x_tables: ip_tables: REJECT target: used from hooks FORWARD/OUTPUT/POSTROUTING, but only usable from INPUT/FORWARD/OUTPUT

=== 8< ==

--
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2018-Nov-16 11:35 UTC
[Bug 1298] Issue with REJECT in custom chains
https://bugzilla.netfilter.org/show_bug.cgi?id=1298

Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fw at strlen.de

--- Comment #1 from Florian Westphal <fw at strlen.de> ---
(In reply to Arturo Borrero Gonzalez from comment #0)
> Original bug report: https://bugs.debian.org/913877
>
> === 8< ==
>
> Since upgrading iptables to the 1.8.2 version it has been completely
> unable to do that vital task due to problems within nftables / iptables.
>
> The example that I am facing right now is with active and large DoS
> attacks email spam attacks. When fail2ban attempts to add the firewall
> blocks, such as;
>
>   iptables -w -I f2b-postfix-sasl 1 -s 80.82.70.189 \
>     -j REJECT --reject-with icmp-port-unreachable

Works fine for me.

Upstream report claims this doesn't work:

  iptables -N test-foo
  iptables -I test-foo 1 -s 127.0.0.1 -j REJECT

It works fine for me on Fedora 29, using 4.18 based kernel with
iptables-nft 1.8.2 on x86_64
bugzilla-daemon at netfilter.org
2018-Nov-16 11:44 UTC
[Bug 1298] Issue with REJECT in custom chains
https://bugzilla.netfilter.org/show_bug.cgi?id=1298

Arturo Borrero Gonzalez <arturo at debian.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED

--- Comment #2 from Arturo Borrero Gonzalez <arturo at debian.org> ---
Ok, we can close the bug and reopen if required. Thanks!