nftables doesnt start && nftables.conf syntax error

Question

This is my nftables.conf:

#!/usr/bin/env nft -f

flush ruleset
define interface = "venet0"



table inet filter {

set tcp_ok {
    type inet_service
    }

set udp_ok {
    type inet_service
    }

set trusted {
    type ipv4_addr
    }

set filter {
    type ipv4_addr
    }

set martians {
    type ipv4_addr
    flags constant, interval
    elements = {
        0.0.0.0/8
        127.0.0.0/8
    }
    }



chain input {
    type filter hook input priority 0

    policy drop

    ct state established,related accept

    iif lo accept

    iifname $interface ip saddr @trusted accept

    ip saddr @filter drop

    ip saddr @martians drop
    ip daddr @martians drop

    iifname $interface tcp dport 22 accept

    iifname $interface tcp dport @tcp_ok accept
    iifname $interface udp dport @udp_ok accept
    }
}

And this are the error messages, the service is not able to start can someone help me?

 /etc/nftables.conf:10:13-13: Error: syntax error, unexpected junk
 nft[371]: set tcp_ok {

 /etc/nftables.conf:11:19-19: Error: syntax error, unexpected junk, expecting newline or semicolon or .
         type inet_service

nftables.service: Main process exited, code=exited, status=1/FAILURE
 nftables.service: Failed with result 'exit-code'.
 systemd[1]: Failed to start nftables.

score 0 · Answer 1 · answered Jan 10 '23 at 18:57

You have a syntax error in your ruleset. You need a comma between elements of a list; instead of:

set martians {
    type ipv4_addr
    flags constant, interval
    elements = {
        0.0.0.0/8
        127.0.0.0/8
    }
    }

You need:

set martians {
    type ipv4_addr
    flags constant, interval
    elements = {
        0.0.0.0/8,
        127.0.0.0/8
    }
    }

Note the additional comma after 0.0.0.0/8.

nftables doesnt start && nftables.conf syntax error

1 Answers1