How to debug nft_table allowing contradictory rules

I have some nftables rules in the inet firewalld table

        chain filter_FWD_policy_externalTolxc {
                jump filter_FWD_policy_externalTolxc_pre
                jump filter_FWD_policy_externalTolxc_log
                jump filter_FWD_policy_externalTolxc_deny
                jump filter_FWD_policy_externalTolxc_allow
                jump filter_FWD_policy_externalTolxc_post
                log prefix "filter_FWD_policy_externalTolxc_REJECT: "
                reject with icmpx admin-prohibited
        }

        chain filter_FWD_policy_externalTolxc_pre {
        }

        chain filter_FWD_policy_externalTolxc_log {
        }

        chain filter_FWD_policy_externalTolxc_deny {
        }

        chain filter_FWD_policy_externalTolxc_allow {
                tcp dport 443 ct state { new, untracked } meta nftrace set 1 accept
                tcp dport 80 ct state { new, untracked } accept
                tcp dport 25 ct state { new, untracked } accept
                tcp dport 587 ct state { new, untracked } accept
        }

and they should allow access to port 443 on the FORWARD chain; when tracing I see the following:

trace id 9d541079 inet firewalld filter_FWD_policy_externalTolxc_allow packet: iif "eth0" oif "lxc33eaff370fce" ether saddr d2:74:7f:6e:37:e3 ether daddr 96:00:01:a8:60:90 ip saddr 197.232.61.231 ip daddr 172.20.4.138 ip dscp cs0 ip ecn not-ect ip ttl 49 ip id 14423 ip protocol tcp ip length 60 tcp sport 34150 tcp dport 443 tcp flags == syn tcp window 64240 
trace id 9d541079 inet firewalld filter_FWD_policy_externalTolxc_allow rule tcp dport 443 ct state { new, untracked } meta nftrace set 1 accept (verdict accept)
trace id 9d541079 ip mangle POSTROUTING packet: iif "eth0" oif "lxc33eaff370fce" ether saddr d2:74:7f:6e:37:e3 ether daddr 96:00:01:a8:60:90 ip saddr 197.232.61.231 ip daddr 172.20.4.138 ip dscp cs0 ip ecn not-ect ip ttl 49 ip id 14423 ip length 60 tcp sport 34150 tcp dport 443 tcp flags == syn tcp window 64240 
trace id 9d541079 ip mangle POSTROUTING verdict continue 
trace id 9d541079 ip mangle POSTROUTING policy accept 
...
...
trace id 9d541079 inet firewalld nat_POST_trusted_allow verdict continue 
trace id 9d541079 inet firewalld nat_POST_trusted rule jump nat_POST_trusted_post (verdict jump nat_POST_trusted_post)
trace id 9d541079 inet firewalld nat_POST_trusted_post verdict continue 
trace id 9d541079 inet firewalld nat_POST_trusted rule jump nat_POSTROUTING_POLICIES_post (verdict jump nat_POSTROUTING_POLICIES_post)
trace id 9d541079 inet firewalld nat_POSTROUTING_POLICIES_post verdict continue
trace id 9d541079 inet firewalld nat_POST_trusted verdict continue

There is no sign of a reject anywhere, but at the end of the firewall I see the reject:

[36250.863779] filter_FWD_policy_externalTolxc_REJECT: IN=eth0 OUT=lxc33eaff370fce MAC=96:00:01:a8:60:90:d2:74:7f:6e:37:e3:08:00 SRC=197.XXX.XXX.XXX DST=172.20.4.138 LEN=569 TOS=0x00 PREC=0x00 TTL=49 ID=40925 DF PROTO=TCP SPT=43482 DPT=443 WINDOW=502 RES=0x00 ACK PSH URGP=0 

How do I find out what is wrong? I cannot see what else happens at the point where it is rejected, and how do I correct it?
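
Added example (not part of the question or of firewalld): a small script that turns `nft monitor trace` output into a per-trace-id summary (flow, chains walked, final verdict and the rule that set it) and checks whether the flow in a kernel `REJECT:` log line was traced at all. It starts from an observation about the ruleset above: the only `meta nftrace set 1` sits in the `_allow` chain behind `tcp dport 443 ct state { new, untracked }`, so a packet with any other conntrack state (the logged one is `ACK PSH`, source port 43482, a different connection from the traced SYN on port 34150) is never marked and therefore never appears in the trace, even though it walks straight through the empty `_pre`/`_log`/`_deny` chains, misses every `_allow` rule and hits the `reject`. The sample trace and log line below are constructed (documentation address 203.0.113.45 instead of the real client), and the second trace assumes a hypothetical extra rule `tcp dport 443 meta nftrace set 1` inserted at the top of `filter_FWD_policy_externalTolxc_pre` so that every 443 packet is traced regardless of state; the `drop` verdict shown for the `reject` rule is how the trace is assumed to render it. Note that firewalld rebuilds its table on reload, which removes such a hand-inserted rule.

```python
"""Summarise `nft monitor trace` output per trace id and correlate it with a
kernel REJECT log line.  Added example; all sample data below is constructed.

Collecting real input (run as root, nft commands as documented in nft(8)):
  nft insert rule inet firewalld filter_FWD_policy_externalTolxc_pre \
      tcp dport 443 meta nftrace set 1      # hypothetical widened trace rule
  nft monitor trace > trace.txt             # then: dmesg | grep REJECT
"""
import re

# Event shapes printed by `nft monitor trace`: a "packet:" line when the trace
# flag is first seen, one line per evaluated rule with its verdict, and a
# "verdict"/"policy" line when the packet leaves a chain.
EVENT_RE = re.compile(r'^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) '
                      r'(?P<chain>\S+) (?P<rest>.*)$')
RULE_RE = re.compile(r'^rule (?P<rule>.*) \(verdict (?P<verdict>[^)]+)\)$')
POLICY_RE = re.compile(r'^policy (?P<verdict>\S+)$')
TERMINAL = {'accept', 'drop', 'queue', 'stolen'}   # verdicts that end evaluation


def flow_of(packet_text):
    """'src:sport -> dst:dport/proto' from a 'packet:' event."""
    a = re.search(r'ip6? saddr (\S+) ip6? daddr (\S+)', packet_text)
    p = re.search(r'\b(tcp|udp) sport (\d+) \1 dport (\d+)', packet_text)
    if not a:
        return None
    return f'{a[1]}:{p[2]} -> {a[2]}:{p[3]}/{p[1]}' if p else f'{a[1]} -> {a[2]}'


def flow_of_log(log_line):
    """The same key from a kernel `log prefix` line (SRC=/DST=/PROTO=/SPT=/DPT=)."""
    f = dict(kv.split('=', 1) for kv in log_line.split() if '=' in kv)
    return f"{f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']}/{f['PROTO'].lower()}"


def summarize(trace_text):
    """Per trace id: flow, chains walked, final verdict and what decided it."""
    traces = {}
    for line in trace_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:                       # '...' separators, unrelated output
            continue
        t = traces.setdefault(m['id'], {'flow': None, 'path': [],
                                        'verdict': None, 'decided_by': None})
        if not t['path'] or t['path'][-1] != m['chain']:
            t['path'].append(m['chain'])
        where = f"{m['family']} {m['table']} {m['chain']}"
        rest = m['rest']
        if rest.startswith('packet: '):
            t['flow'] = t['flow'] or flow_of(rest)
            continue
        r = RULE_RE.match(rest)
        if r and r['verdict'].split()[0] in TERMINAL:
            # a later base chain (another table/hook) may still decide, so keep
            # updating until the trace ends; the last terminal verdict is the fate
            t['verdict'], t['decided_by'] = r['verdict'], f"{where}: {r['rule']}"
            continue
        p = POLICY_RE.match(rest)
        if p and p['verdict'] in TERMINAL:
            t['verdict'], t['decided_by'] = p['verdict'], f"{where}: chain policy"
    return traces


def trace_for_log(log_line, traces):
    """Trace id whose packet matches the logged flow, or None if it was never traced."""
    key = flow_of_log(log_line)
    return next((tid for tid, t in traces.items() if t['flow'] == key), None)


# Constructed sample modelled on the question: only the SYN (sport 34150) is traced.
SAMPLE_TRACE = """\
trace id 9d541079 inet firewalld filter_FWD_policy_externalTolxc_allow packet: iif "eth0" oif "lxc33eaff370fce" ip saddr 203.0.113.45 ip daddr 172.20.4.138 ip protocol tcp tcp sport 34150 tcp dport 443 tcp flags == syn
trace id 9d541079 inet firewalld filter_FWD_policy_externalTolxc_allow rule tcp dport 443 ct state { new, untracked } meta nftrace set 1 accept (verdict accept)
trace id 9d541079 ip mangle POSTROUTING packet: iif "eth0" oif "lxc33eaff370fce" ip saddr 203.0.113.45 ip daddr 172.20.4.138 ip protocol tcp tcp sport 34150 tcp dport 443 tcp flags == syn
trace id 9d541079 ip mangle POSTROUTING verdict continue
trace id 9d541079 ip mangle POSTROUTING policy accept
"""
# Constructed REJECT log line for a different connection (sport 43482, ACK PSH).
SAMPLE_LOG = ('filter_FWD_policy_externalTolxc_REJECT: IN=eth0 OUT=lxc33eaff370fce '
              'SRC=203.0.113.45 DST=172.20.4.138 LEN=569 PROTO=TCP SPT=43482 DPT=443 ACK PSH')
# Constructed trace of that packet once the hypothetical _pre trace rule exists.
SAMPLE_TRACE_AFTER = """\
trace id c0ffee01 inet firewalld filter_FWD_policy_externalTolxc_pre packet: iif "eth0" oif "lxc33eaff370fce" ip saddr 203.0.113.45 ip daddr 172.20.4.138 ip protocol tcp tcp sport 43482 tcp dport 443 tcp flags == ack,psh
trace id c0ffee01 inet firewalld filter_FWD_policy_externalTolxc_pre rule tcp dport 443 meta nftrace set 1 (verdict continue)
trace id c0ffee01 inet firewalld filter_FWD_policy_externalTolxc_pre verdict continue
trace id c0ffee01 inet firewalld filter_FWD_policy_externalTolxc rule jump filter_FWD_policy_externalTolxc_allow (verdict jump filter_FWD_policy_externalTolxc_allow)
trace id c0ffee01 inet firewalld filter_FWD_policy_externalTolxc_allow verdict continue
trace id c0ffee01 inet firewalld filter_FWD_policy_externalTolxc rule log prefix "filter_FWD_policy_externalTolxc_REJECT: " (verdict continue)
trace id c0ffee01 inet firewalld filter_FWD_policy_externalTolxc rule reject with icmpx admin-prohibited (verdict drop)
"""

if __name__ == '__main__':
    for text in (SAMPLE_TRACE, SAMPLE_TRACE_AFTER):
        traces = summarize(text)
        for tid, t in traces.items():
            print(tid, t['flow'], '->'.join(t['path']), t['verdict'], t['decided_by'])
        print('logged flow traced as:', trace_for_log(SAMPLE_LOG, traces))
```

With the original ruleset the script reports that the logged flow has no trace id, which is the real answer to "why is there no sign of the reject": the rejected packet was never marked for tracing. After widening the trace rule it shows the packet walking `_pre`, the policy chain and `_allow` without matching anything, then stopping at the `reject` rule. What that packet's conntrack state actually was is not visible in the trace line; checking it with `conntrack -L` for the flow, or tracing separately with `ct state established` and `ct state invalid` rules, is the next step.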
