From noreply at release.debian.org Mon Oct 23 04:39:10 2017
From: noreply at release.debian.org (Debian testing watch)
Date: Mon, 23 Oct 2017 04:39:10 +0000
Subject: [pkg-netfilter-team] nftables 0.8-1 MIGRATED to testing
Message-ID:

FYI: The status of the nftables source package
in Debian's testing distribution has changed.

  Previous version: 0.7-2
  Current version:  0.8-1

--
This email is automatically generated once a day. As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.

From wanglustar at hotmail.com Tue Oct 24 12:50:55 2017
From: wanglustar at hotmail.com (Lu Wang)
Date: Tue, 24 Oct 2017 12:50:55 +0000
Subject: [pkg-netfilter-team] Bug#879684: nftables: cannot set rules with a script
Message-ID:

Package: nftables
Version: 0.8-1
Severity: important

Dear Maintainer,

I use a script to set the rules with nft. It worked well before the update today. I don't know what was updated.
My (executable) script is
-------------------
#!/usr/sbin/nft -f

flush ruleset
#include "nftables.conf"

# define inner_net = {10.0.0.0/8,10.14.129.0/24,10.110.64.0/24}
# ipp:631, mldonkey:4000, mldonkey_http:4080, rpc:111, ftp:21, ssh:22
define tcp_port = {111,22}
# 1701:l2tpd, dns:53, ipp:631, mdns:5353
define udp_port = {53,631,5353}
# 21688 for mldonkey (TCP) 21688+4 for mldonkey (UDP)
define ml_tcp_port= {21688, 51413}
define ml_udp_port= {21692, 51413}

add table vnat

add table myfilter
add chain myfilter tcp_chain
add chain myfilter udp_chain
add chain myfilter myinput {
    type filter hook input priority 0; policy drop;
    ct state established,related accept;
    #ip protocol icmp counter accept ;
    ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
    ct state new tcp flags syn tcp dport $tcp_port jump tcp_chain;
    ct state new udp dport $udp_port jump udp_chain;
    ct state new tcp flags syn tcp dport $ml_tcp_port accept;
    ct state new udp dport $ml_udp_port accept;
    ip protocol icmp ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
}

#add rule myfilter tcp_chain ip saddr $inner_net accept;
add rule myfilter tcp_chain ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
add rule myfilter tcp_chain limit rate 5/hour counter;

#add rule myfilter udp_chain ip saddr $inner_net accept;
add rule myfilter udp_chain ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept;
add rule myfilter udp_chain limit rate 5/hour counter;
----------------------------

After setting the ruleset with the script, I check the ruleset with

    nft list ruleset

The output is

table ip vnat {
}
table ip myfilter {
        chain tcp_chain {
                ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
                limit rate 5/hour counter packets 0 bytes 0
        }

        chain udp_chain {
                ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
                limit rate 5/hour counter packets 0 bytes 0
        }

        chain myinput {
                type filter hook input priority 0; policy drop;
        }
}

This shows most of the rules in the script are not read. Because my policy is 'drop', the net disconnects. I have to set the policy to 'accept'.
I think this may be a bug.

Best regards
Lu Wang

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg          1.18.24
ii  libc6         2.24-17
ii  libgmp10      2:6.1.2+dfsg-1.1
ii  libmnl0       1.0.4-2
ii  libnftnl7     1.0.8-1
ii  libreadline7  7.0-3
ii  libxtables12  1.6.1-2+b1

nftables recommends no packages.

nftables suggests no packages.

-- no debconf information

From owner at bugs.debian.org Thu Oct 26 09:09:07 2017
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 26 Oct 2017 09:09:07 +0000
Subject: [pkg-netfilter-team] Processed: Bug#868097 marked as pending
References:
Message-ID:

Processing commands for control at bugs.debian.org:

> tag 868097 pending
Bug #868097 [ipset] ipset: clean up legacy conf files
Added tag(s) pending.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
868097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868097
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

From ftpmaster at ftp-master.debian.org Thu Oct 26 09:19:00 2017
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Thu, 26 Oct 2017 09:19:00 +0000
Subject: [pkg-netfilter-team] Processing of ipset_6.34-1_amd64.changes
Message-ID:

ipset_6.34-1_amd64.changes uploaded successfully to localhost
along with the files:
  ipset_6.34-1.dsc
  ipset_6.34.orig.tar.bz2
  ipset_6.34-1.debian.tar.xz

Greetings,

	Your Debian queue daemon (running on host usper.debian.org)

From ftpmaster at ftp-master.debian.org Thu Oct 26 09:34:25 2017
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Thu, 26 Oct 2017 09:34:25 +0000
Subject: [pkg-netfilter-team] ipset_6.34-1_amd64.changes ACCEPTED into unstable
Message-ID:

Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 26 Oct 2017 15:53:31 +0700
Source: ipset
Binary: ipset libipset-dev libipset3
Architecture: source
Version: 6.34-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Netfilter Packaging Team
Changed-By: Neutron Soutmun
Description:
 ipset        - administration tool for kernel IP sets
 libipset-dev - development files for IP sets
 libipset3    - library for IP sets
Closes: 868097
Changes:
 ipset (6.34-1) unstable; urgency=medium
 .
   * [da82b06] New upstream version 6.34
   * [9cb150f] Drop d/p/fix-ipset-cmd-replacement.patch: Merged upstream
   * [745be35] Bump Standard-Versions to 4.1.1
     * Change package priority from `extra` (deprecated) to `optional`
   * [c0ec139] Update lib new symbols.
   * [5886e8d] Add lintian overrides for
     * ipset source: debian-watch-uses-insecure-uri.
   * [85ee414] Cleanup obsoleted bash completion configuration file.
     Closes: #868097
   * [2606f64] Update d/p/adjust-test-scripts-for-debian.patch
     * All workaround patches are not needed, supported by Debian's kernel.
     * Drop the upstream test case for 'Add more than 2^31 elements in a range',
       It's not yet supported by Debian's kernel.

Thank you for your contribution to Debian.
From owner at bugs.debian.org Thu Oct 26 09:36:03 2017
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Thu, 26 Oct 2017 09:36:03 +0000
Subject: [pkg-netfilter-team] Bug#868097: marked as done (ipset: clean up legacy conf files)
References: <149981927733.2652.17332242688183055827.reportbug@heisenberg.scientia.net>
Message-ID:

Your message dated Thu, 26 Oct 2017 09:34:25 +0000
with message-id
and subject line Bug#868097: fixed in ipset 6.34-1
has caused the Debian Bug report #868097,
regarding ipset: clean up legacy conf files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
868097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=868097
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Christoph Anton Mitterer
Subject: ipset: clean up legacy conf files
Date: Wed, 12 Jul 2017 02:27:57 +0200
Size: 2588
URL:
-------------- next part --------------
An embedded message was scrubbed...
From: Neutron Soutmun
Subject: Bug#868097: fixed in ipset 6.34-1
Date: Thu, 26 Oct 2017 09:34:25 +0000
Size: 5856
URL:

From arturo at debian.org Fri Oct 27 11:00:41 2017
From: arturo at debian.org (Arturo Borrero Gonzalez)
Date: Fri, 27 Oct 2017 13:00:41 +0200
Subject: [pkg-netfilter-team] Bug#879684: nftables: cannot set rules with a script
References:
Message-ID:

Hi!

Thanks for the bug report :-)

This seems to be some kind of issue with the syntax.
If you rearrange the rules like in the attached file (based on yours) then the whole ruleset loads fine.
You seem to be mixing 2 syntaxes in the same 'batch', which seems to be the cause of the confusion for nftables.

Syntax 1)

add table mytable
add chain mytable mychain
add rule mytable mychain ip saddr 1.1.1.1 counter accept

Syntax 2)

table mytable {
	chain mychain {
		ip saddr 1.1.1.1 counter accept
	}
}

Both are suitable for 'nft -f', but you are mixing both. Pick one :-)

Closing this bug now, please, feel free to reopen.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: t.nft
Type: application/octet-stream
Size: 1266 bytes
Desc: not available
URL:

From owner at bugs.debian.org Fri Oct 27 11:03:06 2017
From: owner at bugs.debian.org (Debian Bug Tracking System)
Date: Fri, 27 Oct 2017 11:03:06 +0000
Subject: [pkg-netfilter-team] Bug#879684: marked as done (nftables: cannot set rules with a script)
References:
Message-ID:

Your message dated Fri, 27 Oct 2017 13:00:41 +0200
with message-id
and subject line Re: nftables: cannot set rules with a script
has caused the Debian Bug report #879684,
regarding nftables: cannot set rules with a script
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)

--
879684: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879684
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Lu Wang
Subject: nftables: cannot set rules with a script
Date: Tue, 24 Oct 2017 12:50:55 +0000
Size: 16707
URL:
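Arturo's point in Bug#879684, worked out as an added example (this is not the scrubbed t.nft attachment): Lu Wang's ruleset written entirely in the declarative "table { ... }" form Arturo calls Syntax 2, so that nft -f processes one consistent batch and nothing is silently left out. Ports and chain names are the original's; the comments are mine, and the loopback-ICMP rule is folded into the loopback rule that already covers it.

```nft
#!/usr/sbin/nft -f
# Added example, not the t.nft attachment: Lu Wang's ruleset from
# Bug#879684 rewritten entirely in the declarative "table { ... }" syntax
# (Arturo's Syntax 2), so the whole ruleset is one consistent batch.
flush ruleset

define tcp_port    = { 111, 22 }
define udp_port    = { 53, 631, 5353 }
define ml_tcp_port = { 21688, 51413 }
define ml_udp_port = { 21692, 51413 }

table ip vnat {
}

table ip myfilter {
    chain tcp_chain {
        ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
        # no verdict after the counter: the packet returns to myinput,
        # reaches the end of that base chain and is dropped by its policy
        limit rate 5/hour counter
    }

    chain udp_chain {
        ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
        limit rate 5/hour counter
    }

    chain myinput {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        # covers the original's separate "ip protocol icmp" loopback rule too
        ip saddr 127.0.0.1 ip daddr 127.0.0.1 accept
        ct state new tcp flags syn tcp dport $tcp_port jump tcp_chain
        ct state new udp dport $udp_port jump udp_chain
        ct state new tcp flags syn tcp dport $ml_tcp_port accept
        ct state new udp dport $ml_udp_port accept
    }
}
```

After loading it with nft -f, nft list ruleset should print all three chains with their rules rather than an empty myinput; where your nft supports it, nft -c -f parses and validates the file without committing anything, which is the check to run before a policy-drop ruleset goes live.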
From ftpmaster at ftp-master.debian.org Fri Oct 27 11:12:14 2017
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Fri, 27 Oct 2017 11:12:14 +0000
Subject: [pkg-netfilter-team] Processing of libnftnl_1.0.8-1~bpo9+1_amd64.changes
Message-ID:

libnftnl_1.0.8-1~bpo9+1_amd64.changes uploaded successfully to localhost
along with the files:
  libnftnl_1.0.8-1~bpo9+1.dsc
  libnftnl_1.0.8.orig.tar.bz2
  libnftnl_1.0.8.orig.tar.bz2.asc
  libnftnl_1.0.8-1~bpo9+1.debian.tar.xz
  libnftnl-dev_1.0.8-1~bpo9+1_amd64.deb
  libnftnl7-dbgsym_1.0.8-1~bpo9+1_amd64.deb
  libnftnl7_1.0.8-1~bpo9+1_amd64.deb
  libnftnl_1.0.8-1~bpo9+1_amd64.buildinfo

Greetings,

	Your Debian queue daemon (running on host usper.debian.org)

From ftpmaster at ftp-master.debian.org Fri Oct 27 11:18:53 2017
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters)
Date: Fri, 27 Oct 2017 11:18:53 +0000
Subject: [pkg-netfilter-team] libnftnl_1.0.8-1~bpo9+1_amd64.changes is NEW
Message-ID:

binary:libnftnl-dev is NEW.
binary:libnftnl7 is NEW.
binary:libnftnl-dev is NEW.
binary:libnftnl7 is NEW.
source:libnftnl is NEW.

Your package has been put into the NEW queue, which requires manual action
from the ftpteam to process. The upload was otherwise valid (it had a good
OpenPGP signature and file hashes are valid), so please be patient.

Packages are routinely processed through to the archive, and do feel
free to browse the NEW queue[1].

If there is an issue with the upload, you will receive an email from a
member of the ftpteam.

If you have any questions, you may reply to this email.
[1]: https://ftp-master.debian.org/new.html
or https://ftp-master.debian.org/backports-new.html for *-backports

From aurinko at asauna.io Sun Oct 29 23:22:00 2017
From: aurinko at asauna.io (aurinko)
Date: Mon, 30 Oct 2017 01:22:00 +0200
Subject: [pkg-netfilter-team] Bug#880145: nftables: When more than 2-3 elements are in an anonymous set the rule does not match to any of them
Message-ID: <150931932059.29332.16426260065078180654.reportbug@punishedkorppu>

Package: nftables
Version: 0.8-1
Severity: normal

Dear Maintainer,

* What led up to the situation?

Upgrading the kernel to 4.13 and nftables to version 0.8 caused this issue to occur. In previous releases the configuration below worked flawlessly.

The configuration below causes no error messages and when issuing nft -nna list ruleset, all rules are shown. The real issue is that the sets which have more than 2 elements in the input chain never match a packet. For example on line "add rule ip filter INPUT iif $lan-if tcp dport {22.445,3000,19999,64738} counter accept". This never matches a packet. When issuing a trace, the packet goes straight to the last rule which just drops the packet.

* What exactly did you do (or not do) that was effective (or ineffective)?

When using named sets instead of anonymous sets, there is no issue. This works every time I reload the configuration file. Sets with 2 or fewer elements seem to work just fine, or at least match some of the elements.

* What outcome did you expect instead?

I expected this configuration to work with the newer kernel and nftables.
-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  dpkg          1.18.24
ii  libc6         2.24-17
ii  libgmp10      2:6.1.2+dfsg-1.1
ii  libmnl0       1.0.4-2
ii  libnftnl7     1.0.8-1
ii  libreadline7  7.0-3
ii  libxtables12  1.6.1-2+b1

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed:
flush ruleset

define lan-if = {enp6s0f1, enp7s0f0}
define wan-if = enp6s0f0
define drop-wan-tcp = {0,25,135-139,179,445,593,1433-1434,7547}
define drop-wan-udp = {25,135-139,161,445,593,1433-1434,1900}
define drop-wan-dst-ip = {10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4}

add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; }
add chain ip filter FORWARD { type filter hook forward priority 0; }
add chain ip filter OUTPUT { type filter hook output priority 0; }

add map filter ct_map { type ct_state : verdict; }
add element filter ct_map { established : accept }
add element filter ct_map { related : accept }
add element filter ct_map { invalid : drop }

add rule ip filter INPUT iif lo counter accept
add rule ip filter INPUT ct state vmap @ct_map
add rule ip filter INPUT icmp type {1,6,8,11-14} counter accept
add rule ip filter INPUT iif $lan-if udp dport {53,67,1200,64738} accept
add rule ip filter INPUT iif $lan-if tcp dport {22.445,3000,19999,64738} accept
add rule ip filter INPUT iif $wan-if udp dport {1200,1201} accept
add rule ip filter INPUT iif $wan-if tcp dport {22,64738} accept
add rule ip filter INPUT iifname {rex0,mei0} tcp dport {22,80,445,3000,19999} accept
add rule ip filter INPUT counter drop

add rule ip filter FORWARD ct state vmap @ct_map
add rule ip filter FORWARD oif $wan-if tcp dport $drop-wan-tcp log prefix "FORWARD TCP1 : " counter drop
add rule ip filter FORWARD oif $wan-if udp dport $drop-wan-udp log prefix "FORWARD UDP1: " counter drop
add rule ip filter FORWARD oif $wan-if ip daddr $drop-wan-dst-ip log prefix "FORWARD WAN SRC1: " counter drop
add rule ip filter FORWARD oif $wan-if icmp type != {0,1,6,8,11-14} counter drop
add rule ip filter FORWARD iif $lan-if oif $wan-if counter accept
add rule ip filter FORWARD counter drop

add rule ip filter OUTPUT oif $wan-if tcp dport $drop-wan-tcp log prefix "OUTPUT TCP1: " counter drop
add rule ip filter OUTPUT oif $wan-if udp dport $drop-wan-udp log prefix "OUTPUT UDP1: " counter drop
add rule ip filter OUTPUT oif $wan-if ip daddr $drop-wan-dst-ip log prefix "OUTPUT SRC1: " counter drop

add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority 0; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 0; }
add rule ip nat POSTROUTING oif $wan-if counter masquerade
add rule ip nat PREROUTING tcp dport 6060 counter dnat 192.168.23.1:22

add table ip mangle
add chain ip mangle POSTROUTING { type filter hook output priority 0; }
add rule ip mangle POSTROUTING oif $lan-if ip saddr {192.168.23.0/24, 10.8.0.0/24} counter meta priority set 1:3

-- no debconf information
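The named-set workaround the reporter of Bug#880145 describes, written out as an added example (not the reporter's /etc/nftables.conf): the INPUT chain's port rules with every anonymous set of more than two elements moved into a named set, in the declarative syntax. It narrows to the port rules only; interface names and port numbers are constructed for illustration, and the two-element interface set is left as the report has it.

```nft
#!/usr/sbin/nft -f
# Added example, not the reporter's configuration: the INPUT port rules
# from Bug#880145 with the larger anonymous sets replaced by named sets,
# the workaround the reporter says matches reliably on nftables 0.8.
# Interface names and ports below are constructed.
flush ruleset

define lan_if = { enp6s0f1, enp7s0f0 }   # two elements, kept as in the report
define wan_if = enp6s0f0

table ip filter {
    # named sets are created once and referenced with @name; their
    # elements can be listed and edited without reloading the rules
    set lan_udp_ports {
        type inet_service
        elements = { 53, 67, 1200, 64738 }
    }
    set lan_tcp_ports {
        type inet_service
        elements = { 22, 445, 3000, 19999, 64738 }
    }
    set wan_tcp_ports {
        type inet_service
        elements = { 22, 64738 }
    }

    chain INPUT {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iif $lan_if udp dport @lan_udp_ports accept
        iif $lan_if tcp dport @lan_tcp_ports accept
        iif $wan_if tcp dport @wan_tcp_ports accept
        # explicit terminal drop keeps a counter on what the policy rejects
        counter drop
    }
}
```

After loading, nft list set ip filter lan_tcp_ports shows the elements actually installed, and a rule trace should now end at the matching accept rather than at the final drop.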