CentOS 8 nftable segmentation fault with big ip set
Posted: 2020/12/13 17:45:55
Hello to all.
I am a newbie to firewalls, especially nftables.
I am trying to drop packets from regions/"bad IPs"; as a result I have a list of 1103505 CIDRs.
My nftables configuration has 2 files:
main.ntf
bad_actors_set
When I try to reload nft I get an error.
Is this a known issue? Are there any known workarounds? Or am I simply doing something really wrong (but I would expect a different error message)?

main.ntf:
flush ruleset
include "./bad_actors_set"
table inet firewall {
    # protocols to allow
    set allowed_protocols {
        type inet_proto
        elements = { icmp, icmpv6 }
    }
    # interfaces to accept any traffic on
    set allowed_interfaces {
        type ifname
        elements = { "lo" }
    }
    # services to allow
    set allowed_tcp_dports {
        type inet_service
        elements = { ssh, http, https }
    }
    # ip of bad actors to ban
    set bad_actors {
        type ipv4_addr
        flags interval
        elements = { $bad_actors_set }
    }
    # this chain gathers all accept conditions
    chain allow {
        ct state established,related accept
        meta l4proto @allowed_protocols accept
        iifname @allowed_interfaces accept
        tcp dport @allowed_tcp_dports accept
    }
    # base-chain for traffic to this host
    chain INPUT {
        type filter hook input priority filter + 20
        policy accept
        ip saddr @bad_actors counter drop
        jump allow
        reject with icmpx type port-unreachable
    }
}
bad_actors_set:
define bad_actors_set = {
    0.0.0.0/8,
    1.0.1.0/24,
    1.0.2.0/23,
    1.0.4.1,
    1.0.5.1,
    ... and a lot more, 1103505 CIDRs in total
}
# nft -f main.nft
Segmentation fault
More info about my system.
# uname -a
Linux hestia 4.18.0-240.1.1.el8_3.x86_64 #1 SMP Thu Nov 19 17:20:08 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
#cat /etc/redhat-release
CentOS Linux release 8.3.2011
# nft -v
nftables v0.9.3 (Topsy)
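The post asks for workarounds. The script below is an added example (not the poster's code and not part of nftables) showing the two things a practitioner usually tries before filing a bug against `nft -f` on a 1.1M-entry file: collapse the prefix list with the standard library (overlapping and contained entries disappear, which both shrinks the set and avoids overlapping intervals, something older nft releases may reject in an interval set), and emit the elements as many small `add element` scripts instead of one giant `define`, so every `nft -f` invocation handles a bounded number of elements. The table and set names (`inet firewall`, `bad_actors`) are taken from the poster's main.ntf; the batch size of 50000, the output file names and the sample input (the first entries of the poster's list plus a few constructed overlapping entries) are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Pre-process a large IPv4 prefix list for an nftables interval set.

Added example, not the poster's code. It does two things:
  1. collapse overlapping, contained and sibling prefixes (stdlib ipaddress);
  2. emit the result as several small `add element` scripts so that no single
     `nft -f` transaction has to parse more than batch_size elements.
"""
import ipaddress
import sys
from typing import Iterator, List

# Constructed sample: the first entries of the poster's list plus a few
# overlapping/adjacent entries (1.0.4.0/24 contains 1.0.4.1, 10.1.0.0/16 lies
# inside 10.0.0.0/8) so that collapsing has something to do. Not real data.
SAMPLE_INPUT = """\
0.0.0.0/8
1.0.1.0/24
1.0.2.0/23
1.0.4.1
1.0.5.1
1.0.4.0/24
1.0.6.0/23
# comments and blank lines are ignored
10.0.0.0/8
10.1.0.0/16
"""

# Names taken from the poster's main.ntf; adjust if your table differs.
TABLE = "inet firewall"
SET_NAME = "bad_actors"


def parse_prefixes(text: str) -> List[ipaddress.IPv4Network]:
    """One address or CIDR per line; '#' starts a comment. IPv6 is rejected
    because the target set is typed ipv4_addr."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        net = ipaddress.ip_network(line, strict=False)
        if net.version != 4:
            raise ValueError(f"not IPv4, cannot go into an ipv4_addr set: {line}")
        nets.append(net)
    return nets


def collapse(nets: List[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Merge overlapping, contained and sibling prefixes into the smallest
    equivalent sorted list; the standard library does the work."""
    return list(ipaddress.collapse_addresses(nets))


def format_element(net: ipaddress.IPv4Network) -> str:
    """nft accepts a bare address for a /32, as the poster's list already uses."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def render_define(nets, name: str = "bad_actors_set") -> str:
    """The include-file form the poster uses: define NAME = { a, b, ... }."""
    body = ",\n".join("    " + format_element(n) for n in nets)
    return f"define {name} = {{\n{body}\n}}\n"


def render_batches(nets, batch_size: int = 50000) -> Iterator[str]:
    """Yield one nft script per batch, each adding at most batch_size elements
    to a set that already exists (declared without elements) in the ruleset."""
    for start in range(0, len(nets), batch_size):
        chunk = nets[start:start + batch_size]
        elems = ", ".join(format_element(n) for n in chunk)
        yield f"add element {TABLE} {SET_NAME} {{ {elems} }}\n"


def main(argv: List[str]) -> int:
    """Read a prefix list (file given as argv[1], else the sample) and write
    bad_actors_NNNN.nft batch scripts into the current directory."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_INPUT
    nets = collapse(parse_prefixes(text))
    for i, script in enumerate(render_batches(nets)):
        path = f"bad_actors_{i:04d}.nft"
        with open(path, "w") as fh:
            fh.write(script)
        print(f"wrote {path}")
    print(f"{len(nets)} elements after collapsing", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To use it with the ruleset from the post, load main.ntf first with the `include` and the `elements = { $bad_actors_set }` line removed, so the empty `bad_actors` set and the `ip saddr @bad_actors counter drop` rule exist, then run `for f in bad_actors_*.nft; do nft -f "$f"; done`. If the crash is tied to parsing one enormous transaction, the batches sidestep it; if `nft` still segfaults on a batch of 50000, the batch size can be lowered, and a crash on a small batch is worth reporting upstream together with the `nft -v` output shown above.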