pcollinson / nftfw

nftfw - nftables firewall builder for Debian
MIT License
37 stars, 4 forks

Single v6 IP within other /64 range: Error: conflicting intervals specified #9

Closed iso8601x closed 1 year ago

iso8601x commented 1 year ago

I use nftfw on a VPS and today, when the system was rebooted, nftfw seemed to encounter a config error and seemed to default to a state where all inbound connections were permitted - I received a Shodan open port alert.

In whitelist.d I have a couple of /64 ranges. The problem seems to have been triggered because I had a single v6 IP in addition to a /64 range. The single v6 IP happened to be within one of the /64 ranges.

With the v6 IP file in whitelist.d, the error in nftfw load is as follows:

# nftfw load
nftfw[1119]: Loading data from /etc/nftfw
nftfw[1119]: Creating reference files in /var/lib/nftfw/build.d
nftfw[1119]: Testing new nftables installation
nftfw[1119]: Testing nft rulesets from nftfw_init.nft
nftfw[1119]: nft using /var/lib/nftfw/build.d/nftfw_init.nft: failed
nftfw[1119]: In file included from /var/lib/nftfw/build.d/nftfw_init.nft:182:1-29:
/var/lib/nftfw/build.d/whitelist_sets.nft:10:1-20: Error: conflicting intervals specified
<redacted: single IPv6 IP>:,
^^^^^^^^^^^^^^^^^^^^~~~
In file included from /var/lib/nftfw/build.d/nftfw_init.nft:182:1-29:
/var/lib/nftfw/build.d/whitelist_sets.nft:9:1-21: Error: Could not process rule: File exists
add element ip6 filter w_all {<redacted: IPv6 /64 range>,

After a reboot, this was the output of nft list ruleset:

table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}

When the single v6 IP file is removed and nftfw load is run again, the ruleset is loaded correctly.

Hopefully I've explained this OK. Sorry if not.

Version: 0.9.13
Linux 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux

pcollinson commented 1 year ago

This is a problem where nftables in the kernel is reporting an error with the information you have supplied it. nftfw can only report the error, and doesn't know how to fix it, which you've done by removing the single IPv6 address.

The nft ruleset that you saw is the default setting when no nftables instructions have been found on reboot. It would be wise to ensure that /etc/nftables.conf is loaded by the nft command when the system reboots. On Debian, this is done by the nftables package. nftfw will not change /etc/nftables.conf when the test phase of the load process fails.
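A pre-load check for the condition described in this thread, added here as an example and not part of nftfw: it flags whitelist entries that are wholly contained in a wider prefix (the "conflicting intervals" case) and collapses each address family into a conflict-free prefix list. The entries are constructed from documentation prefixes; in practice they would be read from the files in whitelist.d.

```python
import ipaddress

# Constructed sample whitelist entries: a /64 plus a single address inside it
# (the situation from the issue), an unrelated /64, and the same pattern in IPv4.
SAMPLE_ENTRIES = [
    "2001:db8:1:2::/64",
    "2001:db8:1:2::abcd",      # inside the /64 above -> nft: conflicting intervals
    "2001:db8:ffff::/64",
    "192.0.2.10",
    "192.0.2.0/24",            # contains 192.0.2.10 -> same problem for IPv4
    "203.0.113.5",
]


def parse_entries(entries):
    """Parse addresses/prefixes; a bare address becomes a /32 or /128 network."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def find_shadowed(entries):
    """Return (narrow, wider) pairs where narrow is strictly inside wider.

    These are exactly the pairs nft refuses to accept in one interval set,
    so they are what a check run before 'nftfw load' should report.
    """
    nets = parse_entries(entries)
    shadowed = []
    for n in nets:
        for w in nets:
            if n.version == w.version and n != w and n.subnet_of(w):
                shadowed.append((str(n), str(w)))
    return shadowed


def merge_entries(entries):
    """Collapse each address family into a minimal, non-overlapping prefix list."""
    nets = parse_entries(entries)
    merged = []
    for version in (4, 6):
        family = [n for n in nets if n.version == version]
        merged.extend(ipaddress.collapse_addresses(family))
    return [str(n) for n in merged]


if __name__ == "__main__":
    for narrow, wider in find_shadowed(SAMPLE_ENTRIES):
        print(f"{narrow} is already covered by {wider}")
    print("merged:", merge_entries(SAMPLE_ENTRIES))
```

Running the merged list through find_shadowed again returns nothing, which is the state nft will load without error.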