nft: Operation not supported

Time: 2019-09-09 14:28:43

Tags: networking debian firewall nftables

I'm trying to hook ingress via the netdev family, but I get an error.

root@debian10:~# nft flush ruleset
root@debian10:~# nft add table netdev filter
root@debian10:~# nft -- add chain netdev filter input { type filter hook ingress priority 0 \; policy accept \; }
Error: Could not process rule: Operation not supported
add chain netdev filter input { type filter hook ingress priority 0 ; policy accept ; }

I'm on Debian 10 and already have a working nft firewall using different hooks. Here is some more information:

# uname -a
Linux debian10.localdomain 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64 GNU/Linux
# grep INGRESS= /boot/config-`uname -r`
CONFIG_NET_INGRESS=y
CONFIG_NETFILTER_INGRESS=y
CONFIG_NET_SCH_INGRESS=m
# find /lib/modules -name "*nf_tables*"
/lib/modules/4.19.0-5-amd64/kernel/net/netfilter/nf_tables_set.ko
/lib/modules/4.19.0-5-amd64/kernel/net/netfilter/nf_tables.ko

Full debug trace:

root@debian10:/etc# nft --debug all -- add chain netdev filter input { type filter hook ingress priority 0 \; policy accept \; }
Entering state 0
Reducing stack by rule 1 (line 747):
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --accepting rule at line 275 ("add")
Next token is token "add" (: )
Shifting token "add" (: )
Entering state 19
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 247 ("chain")
Next token is token "chain" (: )
Shifting token "chain" (: )
Entering state 11
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 273 ("netdev")
Next token is token "netdev" (: )
Shifting token "netdev" (: )
Entering state 18
Reducing stack by rule 251 (line 1850):
   $1 = token "netdev" (: )
-> $$ = nterm family_spec_explicit (: )
Stack now 0 1 19 11
Entering state 47
Reducing stack by rule 245 (line 1842):
   $1 = nterm family_spec_explicit (: )
-> $$ = nterm family_spec (: )
Stack now 0 1 19 11
Entering state 46
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 602 ("filter")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 53
Reducing stack by rule 239 (line 1818):
   $1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 19 11 46
Entering state 250
Reducing stack by rule 252 (line 1853):
   $1 = nterm family_spec (: )
   $2 = nterm identifier (: )
-> $$ = nterm table_spec (: )
Stack now 0 1 19 11
Entering state 48
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 602 ("input")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 53
Reducing stack by rule 239 (line 1818):
   $1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 19 11 48
Entering state 251
Reducing stack by rule 254 (line 1871):
   $1 = nterm table_spec (: )
   $2 = nterm identifier (: )
-> $$ = nterm chain_spec (: )
Stack now 0 1 19 11
Entering state 58
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 209 ("{")
Next token is token '{' (: )
Reducing stack by rule 154 (line 1470):
-> $$ = nterm chain_block_alloc (: )
Stack now 0 1 19 11 58
Entering state 339
Next token is token '{' (: )
Shifting token '{' (: )
Entering state 815
Reducing stack by rule 155 (line 1476):
-> $$ = nterm chain_block (: )
Stack now 0 1 19 11 58 339 815
Entering state 998
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 374 ("type")
Next token is token "type" (: )
Shifting token "type" (: )
Entering state 1130
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 602 ("filter")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1228
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 242 ("hook")
Next token is token "hook" (: )
Shifting token "hook" (: )
Entering state 1303
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 602 ("ingress")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 1338
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 425 ("priority")
Next token is token "priority" (: )
Reducing stack by rule 235 (line 1800):
-> $$ = nterm dev_spec (: )
Stack now 0 1 19 11 58 339 815 998 1130 1228 1303 1338
Entering state 1369
Next token is token "priority" (: )
Shifting token "priority" (: )
Entering state 1399
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 566 ("0")
Next token is token "number" (: )
Shifting token "number" (: )
Entering state 1346
Reducing stack by rule 232 (line 1795):
   $1 = token "number" (: )
-> $$ = nterm prio_spec (: )
Stack now 0 1 19 11 58 339 815 998 1130 1228 1303 1338 1369 1399
Entering state 1411
Reducing stack by rule 231 (line 1767):
   $1 = token "type" (: )
   $2 = token "string" (: )
   $3 = token "hook" (: )
   $4 = token "string" (: )
   $5 = nterm dev_spec (: )
   $6 = token "priority" (: )
   $7 = nterm prio_spec (: )
-> $$ = nterm hook_spec (: )
Stack now 0 1 19 11 58 339 815 998
Entering state 1134
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 208 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 767):
   $1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 19 11 58 339 815 998 1134
Entering state 1229
Reducing stack by rule 158 (line 1479):
   $1 = nterm chain_block (: )
   $2 = nterm hook_spec (: )
   $3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 19 11 58 339 815
Entering state 998
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 301 ("policy")
Next token is token "policy" (: )
Shifting token "policy" (: )
Entering state 1129
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 264 ("accept")
Next token is token "accept" (: )
Shifting token "accept" (: )
Entering state 1225
Reducing stack by rule 237 (line 1814):
   $1 = token "accept" (: )
-> $$ = nterm chain_policy (: )
Stack now 0 1 19 11 58 339 815 998 1129
Entering state 1227
Reducing stack by rule 236 (line 1803):
   $1 = token "policy" (: )
   $2 = nterm chain_policy (: )
-> $$ = nterm policy_spec (: )
Stack now 0 1 19 11 58 339 815 998
Entering state 1135
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 208 (";")
Next token is token "semicolon" (: )
Shifting token "semicolon" (: )
Entering state 5
Reducing stack by rule 4 (line 767):
   $1 = token "semicolon" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 19 11 58 339 815 998 1135
Entering state 1230
Reducing stack by rule 159 (line 1480):
   $1 = nterm chain_block (: )
   $2 = nterm policy_spec (: )
   $3 = nterm stmt_separator (: )
-> $$ = nterm chain_block (: )
Stack now 0 1 19 11 58 339 815
Entering state 998
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 210 ("}")
Next token is token '}' (: )
Shifting token '}' (: )
Entering state 1131
Reducing stack by rule 34 (line 889):
   $1 = token "chain" (: )
   $2 = nterm chain_spec (: )
   $3 = nterm chain_block_alloc (: )
   $4 = token '{' (: )
   $5 = nterm chain_block (: )
   $6 = token '}' (: )
-> $$ = nterm add_cmd (: )
Stack now 0 1 19
Entering state 66
Reducing stack by rule 17 (line 858):
   $1 = token "add" (: )
   $2 = nterm add_cmd (: )
-> $$ = nterm base_cmd (: )
Stack now 0 1
Entering state 44
Reading a token: --accepting rule at line 611 ("
")
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 766):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 44
Entering state 249
Reducing stack by rule 14 (line 824):
   $1 = nterm base_cmd (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm line (: )
Stack now 0 1
Entering state 43
Reducing stack by rule 2 (line 748):
   $1 = nterm input (: )
   $2 = nterm line (: )
Evaluate add
add chain netdev filter input { type filter hook ingress priority 0 ; policy accept ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


----------------    ------------------
|  0000000020  |    | message length |
| 02576 | R--- |    |  type | flags  |
|  0000000000  |    | sequence number|
|  0000000000  |    |     port ID    |
----------------    ------------------
| 00 00 00 00  |    |  extra header  |
----------------    ------------------
----------------    ------------------
|  0000000020  |    | message length |
| 02561 | R--- |    |  type | flags  |
|  0000000000  |    | sequence number|
|  0000000000  |    |     port ID    |
----------------    ------------------
| 00 00 00 00  |    |  extra header  |
----------------    ------------------
----------------    ------------------
|  0000000032  |    | message length |
| 02570 | R-A- |    |  type | flags  |
|  0000000000  |    | sequence number|
|  0000000000  |    |     port ID    |
----------------    ------------------
| 05 00 00 00  |    |  extra header  |
|00011|--|00001|    |len |flags| type|
| 66 69 6c 74  |    |      data      |   f i l t
| 65 72 00 00  |    |      data      |   e r
----------------    ------------------
----------------    ------------------
|  0000000020  |    | message length |
| 02564 | R--- |    |  type | flags  |
|  0000000000  |    | sequence number|
|  0000000000  |    |     port ID    |
----------------    ------------------
| 05 00 00 00  |    |  extra header  |
----------------    ------------------
----------------    ------------------
|  0000000032  |    | message length |
| 02583 | R-A- |    |  type | flags  |
|  0000000000  |    | sequence number|
|  0000000000  |    |     port ID    |
----------------    ------------------
| 05 00 00 00  |    |  extra header  |
|00011|--|00001|    |len |flags| type|
| 66 69 6c 74  |    |      data      |   f i l t
| 65 72 00 00  |    |      data      |   e r
----------------    ------------------
----------------    ------------------
|  0000000032  |    | message length |
| 02579 | R-A- |    |  type | flags  |
|  0000000000  |    | sequence number|
|  0000000000  |    |     port ID    |
----------------    ------------------
| 05 00 00 00  |    |  extra header  |
|00011|--|00001|    |len |flags| type|
| 66 69 6c 74  |    |      data      |   f i l t
| 65 72 00 00  |    |      data      |   e r
----------------    ------------------
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token "end of file" (: )
Entering state 2
Stack now 0 1 2
Cleanup: popping token "end of file" (: )
Cleanup: popping nterm input (: )
netdev filter input use 0 type filter hook ingress prio 0 policy accept packets 0 bytes 0
----------------    ------------------
|  0000000020  |    | message length |
| 00016 | R--- |    |  type | flags  |
|  0000000000  |    | sequence number|
|  0000000000  |    |     port ID    |
----------------    ------------------
| 00 00 0a 00  |    |  extra header  |
----------------    ------------------
----------------    ------------------
|  0000000084  |    | message length |
| 02563 | R--- |    |  type | flags  |
|  0000000001  |    | sequence number|
|  0000000000  |    |     port ID    |
----------------    ------------------
| 05 00 00 00  |    |  extra header  |
|00011|--|00001|    |len |flags| type|
| 66 69 6c 74  |    |      data      |   f i l t
| 65 72 00 00  |    |      data      |   e r
|00010|--|00003|    |len |flags| type|
| 69 6e 70 75  |    |      data      |   i n p u
| 74 00 00 00  |    |      data      |   t
|00020|N-|00004|    |len |flags| type|
|00008|--|00001|    |len |flags| type|
| 00 00 00 00  |    |      data      |
|00008|--|00002|    |len |flags| type|
| 00 00 00 00  |    |      data      |
|00008|--|00005|    |len |flags| type|
| 00 00 00 01  |    |      data      |
|00011|--|00007|    |len |flags| type|
| 66 69 6c 74  |    |      data      |   f i l t
| 65 72 00 00  |    |      data      |   e r
----------------    ------------------
----------------    ------------------
|  0000000020  |    | message length |
| 00017 | R--- |    |  type | flags  |
|  0000000002  |    | sequence number|
|  0000000000  |    |     port ID    |
----------------    ------------------
| 00 00 0a 00  |    |  extra header  |
----------------    ------------------
Error: Could not process rule: Operation not supported
add chain netdev filter input { type filter hook ingress priority 0 ; policy accept ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The idea comes from this article, which I'm trying to reproduce: https://blog.cloudflare.com/how-to-drop-10-million-packets/
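The netlink dump in the trace shows where the error comes from. The NFTA_CHAIN_HOOK nested attribute (type 4, flagged `N-`) carries only the hook number (type 1) and the priority (type 2); there is no NFTA_HOOK_DEV (type 3), because the parser reduced an empty dev_spec just before "priority". In the kernel, nf_tables_chain_parse_hook() rejects a netdev-family hook that has no device with -EOPNOTSUPP, which nft prints as "Operation not supported". The Python below is an added example and not part of the original question: it reconstructs the 84-byte NFT_MSG_NEWCHAIN message byte for byte from the dump above, decodes it, applies that kernel check, and builds the same message with a device attribute added. The interface name eth0 is an assumed placeholder.

```python
"""Decode the NFT_MSG_NEWCHAIN netlink message from the nft --debug dump and
check whether a netdev chain's hook carries the device the kernel requires."""
import struct

NLM_F_REQUEST = 0x01
NLA_F_NESTED = 0x8000
NLA_TYPE_MASK = 0x3FFF          # strips NLA_F_NESTED and NLA_F_NET_BYTEORDER
NFNL_SUBSYS_NFTABLES = 10
NFT_MSG_NEWCHAIN = 3            # (10 << 8) | 3 == 2563, the type shown in the dump
NFPROTO_NETDEV = 5              # the "05" in the nfgenmsg extra header

# Attribute numbers from linux/netfilter/nf_tables.h
NFTA_CHAIN_TABLE, NFTA_CHAIN_NAME, NFTA_CHAIN_HOOK = 1, 3, 4
NFTA_CHAIN_POLICY, NFTA_CHAIN_TYPE = 5, 7
NFTA_HOOK_HOOKNUM, NFTA_HOOK_PRIORITY, NFTA_HOOK_DEV = 1, 2, 3


def nla(attr_type, payload, nested=False):
    """Encode one netlink attribute: 4-byte header, payload, padding to 4 bytes."""
    if nested:
        attr_type |= NLA_F_NESTED
    return struct.pack("<HH", 4 + len(payload), attr_type) + payload + b"\0" * (-len(payload) % 4)


def nla_string(attr_type, text):
    return nla(attr_type, text.encode() + b"\0")


def nla_be32(attr_type, value):
    return nla(attr_type, struct.pack(">I", value))   # nf_tables uses big-endian u32


def build_newchain(table, chain, hooknum, prio, policy, chain_type, device=None):
    """Build an NFT_MSG_NEWCHAIN request for the netdev family; device is optional."""
    hook = nla_be32(NFTA_HOOK_HOOKNUM, hooknum) + nla_be32(NFTA_HOOK_PRIORITY, prio)
    if device is not None:
        hook += nla_string(NFTA_HOOK_DEV, device)
    body = (nla_string(NFTA_CHAIN_TABLE, table) + nla_string(NFTA_CHAIN_NAME, chain)
            + nla(NFTA_CHAIN_HOOK, hook, nested=True) + nla_be32(NFTA_CHAIN_POLICY, policy)
            + nla_string(NFTA_CHAIN_TYPE, chain_type))
    nfgenmsg = struct.pack("<BBH", NFPROTO_NETDEV, 0, 0)      # family, version, res_id
    msg_type = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWCHAIN
    nlh = struct.pack("<IHHII", 16 + len(nfgenmsg) + len(body), msg_type, NLM_F_REQUEST, 1, 0)
    return nlh + nfgenmsg + body


def parse_attrs(buf):
    """Parse a run of netlink attributes into {type: payload}; nested attributes recurse."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        length, atype = struct.unpack_from("<HH", buf, off)
        payload = buf[off + 4:off + length]
        nested = bool(atype & NLA_F_NESTED)
        attrs[atype & NLA_TYPE_MASK] = parse_attrs(payload) if nested else payload
        off += (length + 3) & ~3
    return attrs


def decode_newchain(msg):
    """Decode nlmsghdr + nfgenmsg + chain attributes into a plain dict."""
    length, msg_type, _flags, _seq, _pid = struct.unpack_from("<IHHII", msg, 0)
    assert length == len(msg) and msg_type == (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWCHAIN
    attrs = parse_attrs(msg[20:length])
    hook = attrs[NFTA_CHAIN_HOOK]
    cstr = lambda b: b.rstrip(b"\0").decode()
    return {
        "family": msg[16],
        "table": cstr(attrs[NFTA_CHAIN_TABLE]),
        "chain": cstr(attrs[NFTA_CHAIN_NAME]),
        "type": cstr(attrs[NFTA_CHAIN_TYPE]),
        "hooknum": struct.unpack(">I", hook[NFTA_HOOK_HOOKNUM])[0],
        "priority": struct.unpack(">i", hook[NFTA_HOOK_PRIORITY])[0],
        "policy": struct.unpack(">I", attrs[NFTA_CHAIN_POLICY])[0],
        "device": cstr(hook[NFTA_HOOK_DEV]) if NFTA_HOOK_DEV in hook else None,
    }


def why_eopnotsupp(decoded):
    """Mirror the kernel check: a netdev-family hook without NFTA_HOOK_DEV is -EOPNOTSUPP."""
    if decoded["family"] == NFPROTO_NETDEV and decoded["device"] is None:
        return "netdev chain has no NFTA_HOOK_DEV: kernel returns -EOPNOTSUPP"
    return None


# The 84-byte NFT_MSG_NEWCHAIN message, transcribed from the --debug dump in the question.
POSTED_MSG = bytes.fromhex(
    "54000000" "030a" "0100" "01000000" "00000000"   # len 84, type 2563, R---, seq 1, port 0
    "05000000"                                       # nfgenmsg: NFPROTO_NETDEV
    "0b000100" "66696c7465720000"                    # NFTA_CHAIN_TABLE  "filter"
    "0a000300" "696e707574000000"                    # NFTA_CHAIN_NAME   "input"
    "14000480" "0800010000000000" "0800020000000000" # NFTA_CHAIN_HOOK: hooknum 0, priority 0
    "0800050000000001"                               # NFTA_CHAIN_POLICY NF_ACCEPT
    "0b000700" "66696c7465720000"                    # NFTA_CHAIN_TYPE   "filter"
)

if __name__ == "__main__":
    posted = decode_newchain(POSTED_MSG)
    print(posted, "->", why_eopnotsupp(posted))
    fixed = decode_newchain(build_newchain("filter", "input", 0, 0, 1, "filter", device="eth0"))
    print(fixed, "->", why_eopnotsupp(fixed))
```

On the command line the missing attribute corresponds to the `device` keyword, which has to sit between the hook name and the priority: `nft add chain netdev filter input '{ type filter hook ingress device eth0 priority 0; policy accept; }'`, with eth0 replaced by the real interface. A netdev ingress chain is bound to exactly one interface, and the kernel deletes the chain when that interface is unregistered, so a firewall script that creates such chains should expect to recreate them if the device comes and goes.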

0 answers