google/nftables

Not able to change ruleset

ziggie1984 opened this issue · 2 comments

I was trying to change the nft ruleset via this library, but I am having problems modifying the tables.

I am able to get all chains, but as soon as I want to add my own table it somehow does not take any effect:

    package main

    import (
        "fmt"
        "log"

        "github.com/google/nftables"
    )

    func main() {
        // Do not name the error variable "error": it shadows the builtin type.
        clientNFT, err := nftables.New(nftables.AsLasting())
        if err != nil {
            log.Fatalf("nftables.New: %v", err)
        }
        defer clientNFT.CloseLasting()

        wgTable := nftables.Table{
            Name:   "testtable",
            Family: nftables.TableFamilyINet,
        }

        prerouting := nftables.Chain{
            Name:     "testchain",
            Table:    &wgTable,
            Hooknum:  nftables.ChainHookPrerouting,
            Priority: nftables.ChainPriorityNATDest,
            Type:     nftables.ChainTypeNAT,
        }
        fmt.Printf("Chain Self-Created: %v\n", prerouting)

        // AddTable/AddChain only queue netlink messages; nothing reaches the
        // kernel until Flush sends the batch.
        clientNFT.AddTable(&wgTable)
        clientNFT.AddChain(&prerouting)

        // Flush returns the kernel's verdict on the whole batch. Ignoring it is
        // what makes a rejected chain look like "no effect".
        if err := clientNFT.Flush(); err != nil {
            log.Fatalf("flush: %v", err)
        }
    }



Pretty sure I am doing something wrong, but the tables are not changed on my host system?

I could track the error down: somehow, as soon as nftables fails to add a rule, everything fails. In the case above nftables somehow works only with chains of type Filter; the other two (route, nat) fail silently although they are allowed for that specific hook:
Does work:

    wgTable := &nftables.Table{
        Name:   "wg0",
        Family: nftables.TableFamilyINet,
    }
    clientNFT.AddTable(wgTable)
    // Commit the table in its own batch so a later chain rejection cannot
    // take the table down with it.
    if err := clientNFT.Flush(); err != nil {
        log.Fatalf("add table: %v", err)
    }

    // AddChain queues the NEWCHAIN message and returns the *Chain it queued.
    prerouting := clientNFT.AddChain(&nftables.Chain{
        Name:     "base-chain",
        Table:    wgTable,
        Type:     nftables.ChainTypeFilter,
        Hooknum:  nftables.ChainHookPrerouting,
        Priority: nftables.ChainPriorityNATDest,
    })
    fmt.Printf("Chain Self-Created: %v\n", prerouting)

    // The original called AddChain(prerouting) a second time here, which only
    // queues the same message again; dropped. Flush reports whether the
    // kernel accepted the chain.
    if err := clientNFT.Flush(); err != nil {
        log.Fatalf("add chain: %v", err)
    }

Does not work with ChainType NAT or Route:

    prerouting := clientNFT.AddChain(&nftables.Chain{
        Name:     "base-chain",
        Table:    wgTable,
        Type:     nftables.ChainTypeNAT,
        Hooknum:  nftables.ChainHookPrerouting,
        Priority: nftables.ChainPriorityNATDest,
    })
    // The rejection of this chain type is returned here, not swallowed.
    if err := clientNFT.Flush(); err != nil {
        log.Fatalf("add nat chain: %v", err)
    }

or

    prerouting := clientNFT.AddChain(&nftables.Chain{
        Name:     "base-chain",
        Table:    wgTable,
        Type:     nftables.ChainTypeRoute,
        Hooknum:  nftables.ChainHookOutput,
        Priority: nftables.ChainPriorityNATDest,
    })
    // Flush's error value reports the rejection of this chain type.

According to https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks the chain types should work for those specific hooks?

Found the bug; it is nothing to do with this lib. It seems compatibility was added in a later version. I was running
nftables v0.9.0 (Fearless Fosdick), which did not support the inet chain types route or nat.
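google/nftables sends its netlink batch straight to the kernel, so a chain type the kernel does not accept for a given family and hook is refused by the kernel, and that refusal is the error Flush() returns. The quickest way to see the kernel's own reason on a particular host is to try the same chain with the nft binary in a scratch table. The POSIX shell script below is an added example, not code from the issue author or the google/nftables project; it assumes the nft binary is installed and that it runs as root, and the scratch table name probe_chaintype is an assumption chosen here:

```shell
#!/bin/sh
# Added example (not from the google/nftables project or the issue author).
# Probe whether the running kernel accepts a chain of a given family/type/hook
# by creating it in a throwaway table and surfacing the kernel's error text
# instead of letting the failure pass silently. Requires root and nft.
#
# usage: probe_chain_type <family> <type> <hook> [priority]
#   exit 0: accepted   exit 1: chain refused   exit 2: family refused

probe_chain_type() {
    family=$1; ctype=$2; hook=$3; prio=${4:-0}
    table=probe_chaintype   # assumed scratch table name, never left behind

    # Remove any stale probe table from an earlier aborted run.
    nft delete table "$family" "$table" 2>/dev/null || true

    if ! err=$(nft add table "$family" "$table" 2>&1); then
        printf 'family %s not supported: %s\n' "$family" "$err" >&2
        return 2
    fi

    # Try the chain; capture stderr so the kernel's reason is reported.
    err=$(nft add chain "$family" "$table" probe \
            "{ type $ctype hook $hook priority $prio ; }" 2>&1)
    status=$?

    # Clean up on both paths so the probe leaves the ruleset unchanged.
    nft delete table "$family" "$table" 2>/dev/null || true

    if [ "$status" -ne 0 ]; then
        printf '%s %s chain on hook %s rejected: %s\n' \
            "$family" "$ctype" "$hook" "$err" >&2
        return 1
    fi
    printf '%s %s chain on hook %s accepted\n' "$family" "$ctype" "$hook"
    return 0
}
```

Running `probe_chain_type inet nat prerouting -100` prints the nft error text (exit status 1) on a kernel that refuses NAT chains in the inet family and "accepted" (exit 0) otherwise; the same call with `filter` or `route`, or with another family such as `ip`, checks the other combinations from the wiki table. Whatever the result, the scratch table is deleted again, so the probe does not alter the host's ruleset.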