Daniel Lakeland

Everything posted by Daniel Lakeland

  1. Enabling basically all the nftables configs did in fact make it all work fine. I'll look into how to do the PR. Thanks for the hints!
  2. First time I've built a kernel in probably a decade, as the Debian-supplied ones essentially include EVERYTHING as modules so it's rarely needed these days... First one enabled not quite all the nft functions I needed (I accidentally left out NAT functions) but it was working a lot better. Trying again to add those options, but it doesn't seem like the config persists after the docker goes down? Building in Docker is opaque to me. I run "compile.sh docker", step through the menu config and it builds... I'll read up on how it works, maybe get a shell in the docker container and poke around.
  3. Yay, now I get to figure out how to turn my desktop machine into a router and reconfigure docker to accept my nftables :-) Fortunately after only an hour or so, I did manage to make it work, including a bunch of this kind of stuff: https://gist.github.com/dearing/9388218f3c6ef6e48114 doing a docker based build of the kernel now... How about the part about reporting a bug where nftables is enabled but with all the important functionality disabled?
  4. SOLUTION: Apparently the kernel was compiled with nftables support, but not actually NF_TABLES_IPV4, NF_TABLES_IPV6, NF_TABLES_ARP ... NF_TABLES_INET so basically you can create tables but they can't actually *DO* anything. This seems like a bug, and someone should look into it. Where can I report it? Also how do I compile my own kernel with these enabled on this little board? Is there a HOWTO for recompiling kernels on Armbian?
  5. I don't know if this is some strange thing about the kernel supplied for the Espressobin or what, but I am unable to load even the most basic rule set in nftables, the empty one that comes with the nftables package:

         root@tottenham:~# cat /etc/nftables.conf
         flush ruleset
         table inet filter {
                 chain input { type filter hook input priority 0; policy accept; }
                 chain forward { type filter hook forward priority 0; policy accept; }
                 chain output { type filter hook output priority 0; policy accept; }
         }
         root@tottenham:~# nft -f /etc/nftables.conf
         /etc/nftables.conf:5:15-19: Error: Could not process rule: No such file or directory
                 chain input { type filter hook input priority 0; policy accept; }
                       ^^^^^
         /etc/nftables.conf:6:15-21: Error: Could not process rule: No such file or directory
                 chain forward {
                       ^^^^^^^
         /etc/nftables.conf:9:15-20: Error: Could not process rule: No such file or directory
                 chain output {
                       ^^^^^^
         root@tottenham:~# cat /proc/version
         Linux version 4.19.12-mvebu64 (root@nightly) (gcc version 7.2.1 20171011 (Linaro GCC 7.2-2017.11)) #5.68 SMP PREEMPT Fri Dec 28 20:24:51 CET 2018

     Does anyone have any idea why it seems to think "type filter hook input priority 0;" is not OK? If I create just *empty* chains it does work:

         root@tottenham:~# nft create table inet filter
         root@tottenham:~# nft create chain inet filter input
         root@tottenham:~# nft list ruleset
         table inet filter {
                 chain input {
                 }
         }
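A check for the cause diagnosed in post 4, as an added example that is not from the thread: it reads a kernel config and lists which nftables options are not built, so a board kernel can be vetted before a ruleset is loaded. The option list is the one named in post 4 plus CONFIG_NFT_NAT, which is assumed here for the NAT functions post 2 mentions; the sample config is constructed to mirror the symptom in post 5.

```shell
#!/bin/sh
# Added example, not from the thread: report which nftables kernel options a
# kernel config lacks. Options are those named in post 4, plus CONFIG_NFT_NAT
# (assumed) for the NAT functions mentioned in post 2.
NFT_REQUIRED="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NF_TABLES_IPV4 \
CONFIG_NF_TABLES_IPV6 CONFIG_NF_TABLES_ARP CONFIG_NFT_NAT"

# check_nft_kconfig FILE: print, one per line, every required option that is
# neither built in (=y) nor a module (=m). Prints nothing when all are present.
check_nft_kconfig() {
    _cfg="$1"
    for _opt in $NFT_REQUIRED; do
        grep -Eq "^${_opt}=(y|m)$" "$_cfg" || echo "$_opt"
    done
}

# Constructed sample config that mirrors the symptom in post 5: nf_tables itself
# is built, but no address family is enabled, so tables can be created while
# any chain with a base hook fails with "No such file or directory".
SAMPLE_CONFIG="${TMPDIR:-/tmp}/nft-kconfig-sample.$$"
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_INET is not set
# CONFIG_NF_TABLES_IPV4 is not set
# CONFIG_NF_TABLES_IPV6 is not set
# CONFIG_NF_TABLES_ARP is not set
# CONFIG_NFT_NAT is not set
EOF

missing=$(check_nft_kconfig "$SAMPLE_CONFIG")
rm -f "$SAMPLE_CONFIG"
if [ -n "$missing" ]; then
    echo "nftables options missing from kernel config:"
    echo "$missing"
else
    echo "all required nftables options are enabled"
fi
```

On the board itself, point check_nft_kconfig at /boot/config-$(uname -r), or at a file written from zcat /proc/config.gz when the kernel exposes it.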