This is my nftables.conf:
#!/usr/sbin/nft -f
# (an "#!/usr/bin/env nft -f" shebang does not work on Linux, which hands "nft -f" to env as a single argument)
flush ruleset
define interface = "venet0"
table inet filter {
    set tcp_ok {
        type inet_service
    }
    set udp_ok {
        type inet_service
    }
    set trusted {
        type ipv4_addr
    }
    set filter {
        type ipv4_addr
    }
    set martians {
        type ipv4_addr
        flags constant, interval
        elements = {
            0.0.0.0/8
            127.0.0.0/8
        }
    }
    chain input {
        type filter hook input priority 0
        policy drop
        ct state established,related accept
        iif lo accept
        iifname $interface ip saddr @trusted accept
        ip saddr @filter drop
        ip saddr @martians drop
        ip daddr @martians drop
        iifname $interface tcp dport 22 accept
        iifname $interface tcp dport @tcp_ok accept
        iifname $interface udp dport @udp_ok accept
    }
}
These are the error messages; the service fails to start. Can anyone help me?
/etc/nftables.conf:10:13-13: Error: syntax error, unexpected junk
nft[371]: set tcp_ok {
/etc/nftables.conf:11:19-19: Error: syntax error, unexpected junk, expecting newline or semicolon or .
type inet_service
nftables.service: Main process exited, code=exited, status=1/FAILURE
nftables.service: Failed with result 'exit-code'.
systemd[1]: Failed to start nftables.
Answer 1
There is a syntax error in your ruleset. List elements have to be separated by commas; instead of:
    set martians {
        type ipv4_addr
        flags constant, interval
        elements = {
            0.0.0.0/8
            127.0.0.0/8
        }
    }
you need:
    set martians {
        type ipv4_addr
        flags constant, interval
        elements = {
            0.0.0.0/8,
            127.0.0.0/8
        }
    }
Note the extra comma after 0.0.0.0/8.
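A pre-flight script for this situation, added here as an example and not part of the question or the answer. Two things are worth checking before restarting nftables.service: nft's lexer reports any byte it does not recognise as "junk", so a carriage return from CRLF line endings or a non-breaking space pasted from a web page produces exactly "syntax error, unexpected junk" at the line:column the message gives (10:13 and 11:19 in the question); and every element line inside an "elements = { ... }" block except the last must end with a comma, which is the defect the answer points at. After both checks the script runs "nft -c -f", which parses the file without loading anything into the kernel. The script name and the sample files are constructed for this example; the function takes the ruleset path as its first argument.

```shell
#!/bin/sh
# Pre-flight checks for an nftables ruleset file, run before (re)starting
# nftables.service. Added example for this thread, not code from the question
# or the answer. Assumes the ruleset path is passed as the first argument.

# nft's lexer reports any byte it does not recognise as "junk", so a CR from
# CRLF line endings or a non-breaking space pasted from a web page yields
# "syntax error, unexpected junk". Succeed only if every byte is tab, newline
# or printable ASCII.
nft_check_junk() {
    junk=$(tr -d '\11\12\40-\176' < "$1" | wc -c | tr -d ' ')
    if [ "$junk" -ne 0 ]; then
        echo "$1: $junk byte(s) outside tab/newline/printable ASCII (nft calls these junk)" >&2
        return 1
    fi
    return 0
}

# Inside every "elements = { ... }" block, each element line except the last
# must end with a comma; report the line that is missing one.
nft_check_commas() {
    awk '
        BEGIN { bad = 0 }
        {
            line = $0
            sub(/#.*/, "", line)                            # drop comments first
            if (!inblock) {
                if (line !~ /elements[ \t]*=[ \t]*\{/) next
                sub(/.*elements[ \t]*=[ \t]*\{/, "", line)  # keep text after "{"
                if (line ~ /\}/) next                       # one-line list: nothing to check
                inblock = 1; prev = ""
            } else if (line ~ /\}/) {
                sub(/\}.*/, "", line)                       # closing brace ends the list
                inblock = 0
            }
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line == "") next
            if (prev != "" && prev !~ /,$/) {
                printf "%s:%d: missing comma after \"%s\"\n", FILENAME, prevline, prev
                bad = 1
            }
            prev = line; prevline = NR
        }
        END { exit bad }
    ' "$1"
}

# Byte check, comma check, then a dry-run parse with "nft -c -f" (nothing is
# loaded into the kernel) when nft is installed.
nft_preflight() {
    nft_check_junk "$1" || return 1
    nft_check_commas "$1" || return 1
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1" || return 1
    else
        echo "nft not installed; skipped 'nft -c -f $1'" >&2
    fi
    return 0
}

# Constructed sample files: the martians set from the question, with ($2=fixed)
# or without ($2=broken) the comma between its two elements.
write_sample() {
    if [ "$2" = fixed ]; then sep=","; else sep=""; fi
    cat > "$1" <<EOF
table inet filter {
    set martians {
        type ipv4_addr
        flags constant, interval
        elements = {
            0.0.0.0/8$sep
            127.0.0.0/8
        }
    }
}
EOF
}

# Demo: the broken file fails the comma check, the fixed one passes.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/broken.conf" broken
write_sample "$demo_dir/fixed.conf" fixed
for f in "$demo_dir/broken.conf" "$demo_dir/fixed.conf"; do
    if nft_preflight "$f"; then echo "PASS $f"; else echo "FAIL $f"; fi
done
rm -rf "$demo_dir"
```

Run it as "sh nft-preflight.sh /etc/nftables.conf" (the file name is an assumption) before "systemctl restart nftables"; the byte check is deliberately first, because a stray CR or NBSP produces a confusing "unexpected junk" at a column that looks like ordinary text, and "sed -n l file" will show such bytes explicitly if you want to see them.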