How do I debug an nftables allow rule that's contradictory?

I have some nftables rules in the inet firewalld table:

        chain filter_FWD_policy_externalTolxc {
                jump filter_FWD_policy_externalTolxc_pre
                jump filter_FWD_policy_externalTolxc_log
                jump filter_FWD_policy_externalTolxc_deny
                jump filter_FWD_policy_externalTolxc_allow
                jump filter_FWD_policy_externalTolxc_post
                log prefix "filter_FWD_policy_externalTolxc_REJECT: "
                reject with icmpx admin-prohibited
        }

        chain filter_FWD_policy_externalTolxc_pre {
        }

        chain filter_FWD_policy_externalTolxc_log {
        }

        chain filter_FWD_policy_externalTolxc_deny {
        }

        chain filter_FWD_policy_externalTolxc_allow {
                tcp dport 443 ct state { new, untracked } meta nftrace set 1 accept
                tcp dport 80 ct state { new, untracked } accept
                tcp dport 25 ct state { new, untracked } accept
                tcp dport 587 ct state { new, untracked } accept
        }

And it should be that access to port 443 is allowed on the FORWARD chain. When traced, I see this:

    trace id 9d541079 inet firewalld filter_FWD_policy_externalTolxc_allow packet: iif "eth0" oif "lxc33eaff370fce" ether saddr d2:74:7f:6e:37:e3 ether daddr 96:00:01:a8:60:90 ip saddr 197.232.61.231 ip daddr 172.20.4.138 ip dscp cs0 ip ecn not-ect ip ttl 49 ip id 14423 ip protocol tcp ip length 60 tcp sport 34150 tcp dport 443 tcp flags == syn tcp window 64240
    trace id 9d541079 inet firewalld filter_FWD_policy_externalTolxc_allow rule tcp dport 443 ct state { new, untracked } meta nftrace set 1 accept (verdict accept)
    trace id 9d541079 ip mangle POSTROUTING packet: iif "eth0" oif "lxc33eaff370fce" ether saddr d2:74:7f:6e:37:e3 ether daddr 96:00:01:a8:60:90 ip saddr 197.232.61.231 ip daddr 172.20.4.138 ip dscp cs0 ip ecn not-ect ip ttl 49 ip id 14423 ip length 60 tcp sport 34150 tcp dport 443 tcp flags == syn tcp window 64240
    trace id 9d541079 ip mangle POSTROUTING verdict continue
    trace id 9d541079 ip mangle POSTROUTING policy accept
    ...
    ...
    trace id 9d541079 inet firewalld nat_POST_trusted_allow verdict continue
    trace id 9d541079 inet firewalld nat_POST_trusted rule jump nat_POST_trusted_post (verdict jump nat_POST_trusted_post)
    trace id 9d541079 inet firewalld nat_POST_trusted_post verdict continue
    trace id 9d541079 inet firewalld nat_POST_trusted rule jump nat_POSTROUTING_POLICIES_post (verdict jump nat_POSTROUTING_POLICIES_post)
    trace id 9d541079 inet firewalld nat_POSTROUTING_POLICIES_post verdict continue
    trace id 9d541079 inet firewalld nat_POST_trusted verdict continue

No hints of any reject, but on firewalld's end I see the rejects:

    [36250.863779] filter_FWD_policy_externalTolxc_REJECT: IN=eth0 OUT=lxc33eaff370fce MAC=96:00:01:a8:60:90:d2:74:7f:6e:37:e3:08:00 SRC=197.XXX.XXX.XXX DST=172.20.4.138 LEN=569 TOS=0x00 PREC=0x00 TTL=49 ID=40925 DF PROTO=TCP SPT=43482 DPT=443 WINDOW=502 RES=0x00 ACK PSH URGP=0

How do I figure out where things are going wrong? What more is going on with the rejection that I don't see, and where do I correct it?

A.B:
The rejected packet is probably not in new state (e.g. it's not a SYN), and nothing tells if it's untracked or not. You might have to correlate this with conntrack state. The conntrackd daemon usually ships with an example configuration to log states (but this can become verbose too) in case it can't be triggered on demand. I suspect you might actually have an INVALID packet triggering a REJECT. Newer documentation warns about this. Proper firewall rules drop invalid packets, they never reject them.
A.B:
Actually I can see no rule that accepts established packets, nor any rule that makes a packet untracked. Is your ruleset incomplete?
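To check the diagnosis above against the asker's own output, here is an added example (not part of the thread, not firewalld code): a small Python checker that parses the kernel LOG line and the allow chain and reports whether the rejected packet could ever have matched `ct state { new, untracked }`. The sample lines are constructed from the question, with a documentation-range source address in place of the redacted one and a shortened interface name.

```python
import re
# Constructed samples modelled on the question (not the asker's real data):
ALLOW_CHAIN = """
chain filter_FWD_policy_externalTolxc_allow {
        tcp dport 443 ct state { new, untracked } meta nftrace set 1 accept
}
"""
REJECT_LOG = ("[36250.863779] filter_FWD_policy_externalTolxc_REJECT: IN=eth0 OUT=lxc0 "
              "SRC=198.51.100.7 DST=172.20.4.138 LEN=569 PROTO=TCP SPT=43482 DPT=443 "
              "WINDOW=502 RES=0x00 ACK PSH URGP=0")

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
RULE_RE = re.compile(r"tcp dport (\d+) ct state \{([^}]*)\}")

def parse_reject_log(line):
    """Split a kernel LOG line into KEY=VALUE fields plus the set of bare TCP flags."""
    fields, flags = {}, set()
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["flags"] = flags
    return fields

def guess_ct_state(flags):
    """Heuristic: conntrack opens a TCP flow on a bare SYN; later packets are
    established/related, or invalid if conntrack holds no flow for them."""
    if "SYN" in flags and "ACK" not in flags:
        return "new"
    return "established/related or invalid"

def states_accepted_for_port(chain_text, port):
    """Collect every ct state the allow chain accepts for this destination port."""
    states = set()
    for dport, state_list in RULE_RE.findall(chain_text):
        if dport == port:
            states |= {s.strip() for s in state_list.split(",")}
    return states

def diagnose(log_line, chain_text):
    pkt = parse_reject_log(log_line)
    accepted = states_accepted_for_port(chain_text, pkt["DPT"])
    guess = guess_ct_state(pkt["flags"])
    # A non-SYN packet never matches "ct state new"; with no established/related
    # accept (and no explicit drop of invalid) it falls through to the reject rule.
    return {"dport": pkt["DPT"], "flags": sorted(pkt["flags"]), "ct_state_guess": guess,
            "chain_accepts": sorted(accepted),
            "explains_reject": guess != "new" and "established" not in accepted}
```

The heuristic assumes default conntrack behaviour; with nf_conntrack_tcp_loose enabled a mid-stream ACK can still be picked up as new, so confirm the actual entry with `conntrack -L` before concluding.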