Single v6 IP within other /64 range: Error: conflicting intervals specified #9

Open
iso8601x opened this issue May 15, 2023 · 3 comments

Comments

@iso8601x

iso8601x commented May 15, 2023

I use nftfw on a VPS and today, when the system was rebooted, nftfw seemed to encounter a config error and seemed to default to a state where all inbound connections were permitted - I received a Shodan open port alert.

In whitelist.d I have a couple of /64 ranges. The problem seems to have been triggered because I had a single v6 IP in addition to a /64 range. The single v6 IP happened to be within one of the /64 ranges.

With the v6 IP file in whitelist.d, the error in nftfw load is as follows:

# nftfw load
nftfw[1119]: Loading data from /etc/nftfw
nftfw[1119]: Creating reference files in /var/lib/nftfw/build.d
nftfw[1119]: Testing new nftables installation
nftfw[1119]: Testing nft rulesets from nftfw_init.nft
nftfw[1119]: nft using /var/lib/nftfw/build.d/nftfw_init.nft: failed
nftfw[1119]: In file included from /var/lib/nftfw/build.d/nftfw_init.nft:182:1-29:
/var/lib/nftfw/build.d/whitelist_sets.nft:10:1-20: Error: conflicting intervals specified
<redacted: single IPv6 IP>:,
^^^^^^^^^^^^^^^^^^^^~~~
In file included from /var/lib/nftfw/build.d/nftfw_init.nft:182:1-29:
/var/lib/nftfw/build.d/whitelist_sets.nft:9:1-21: Error: Could not process rule: File exists
add element ip6 filter w_all {<redacted: IPv6 /64 range>,

After a reboot, this was the output of nft list ruleset:

table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}

When the single v6 IP file is rm'd and nftfw load is run again, the ruleset is loaded correctly.

Hopefully I've explained this OK. Sorry if not.

Version: 0.9.13
Linux 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux
@pcollinson
Owner

pcollinson commented May 17, 2023

This is a problem where nftables in the kernel is reporting an error with the information you have supplied it. nftfw can only report the error, and doesn't know how to fix it, which you've done by removing the single IPv6 address.

The nft ruleset that you saw is the default setting when no nftables instructions have been found on reboot. It would be wise to ensure that /etc/nftables.conf is loaded by the nft command when the system reboots. On Debian, this is done by the nftables package. nftfw will not change /etc/nftables.conf when the test phase of the load process fails.
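The overlap behind the error in the report above, and the fail-open ruleset described in this reply, as an added Python example that is not nftfw's own code: it collapses whitelist entries so that no entry is contained in another before they are rendered into an nft interval set, and flags an input chain whose policy is accept. The table `ip6 filter` and set `w_all` come from the thread; the sample addresses, ruleset text and function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample whitelist.d contents: two /64 ranges plus a single
# address that lies inside the first range, as in the issue report.
SAMPLE_WHITELIST = [
    "2001:db8:1::/64",
    "2001:db8:2::/64",
    "2001:db8:1::1234",  # shadowed by 2001:db8:1::/64 -> "conflicting intervals"
    "192.0.2.10",
]
# Constructed copy of the fail-open ruleset shown in the issue.
SAMPLE_RULESET = """table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }
}"""

def collapse_entries(entries):
    """Parse whitelist entries and, per address family, drop every entry that
    another entry already covers. Returns (kept_by_version, shadowed) where
    shadowed lists (dropped_entry, covering_entry) pairs for reporting."""
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]
    kept = {4: set(), 6: set()}
    shadowed = []
    for n in nets:
        covering = [o for o in nets
                    if o != n and o.version == n.version and o.supernet_of(n)]
        if covering:
            shadowed.append((str(n), str(covering[0])))
        else:
            kept[n.version].add(n)   # set() also drops exact duplicates
    return {v: sorted(s) for v, s in kept.items()}, shadowed

def render_set_elements(table, set_name, nets):
    """Emit one nft 'add element' line for the collapsed networks ("" if none)."""
    if not nets:
        return ""
    return f"add element {table} {set_name} {{ {', '.join(str(n) for n in nets)} }}"

def input_policy(ruleset_text):
    """Return the policy of the input hook chain in 'nft list ruleset' output,
    or None if there is no input chain. 'accept' means the host is fail-open."""
    m = re.search(r"chain input\s*\{.*?hook input[^;]*;\s*policy\s+(\w+)\s*;",
                  ruleset_text, re.S)
    return m.group(1) if m else None
```

Running collapse_entries over whitelist.d before generating whitelist_sets.nft avoids the interval conflict, and checking input_policy after boot catches the policy accept state before an external scanner does.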

@syndicateops

syndicateops commented Mar 19, 2025 via email

@pcollinson
Owner

pcollinson commented Mar 19, 2025

Have you worked much with nftables alongside running Kubernetes?

Sorry I have not.

@pcollinson pcollinson reopened this Mar 19, 2025