wanda

cubox-i;buster;nftables.services doesn't start after reboot


I just switched from iptables to netfilter.

After a reboot I get this kind of status for the service

systemctl status nftables
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Fri 2019-07-12 16:04:59 CEST; 4min 28s ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 287 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=3)
 Main PID: 287 (code=exited, status=3)

Jul 12 16:04:59 cubox nft[287]: netlink.c:62: Unable to initialize Netlink socket: Protocol not supported
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.


+++++++++++++++++++++++++++++++++++++
nftables installed ?
+++++++++++++++++++++++++++++++++++++
p  libnftables-dev - Development files for libnftables
i A libnftables0 - Netfilter nftables high level userspace API library
i  nftables - Program to control packet filtering rules by Netfilter project
+++++++++++++++++++++++++++++++++++++
update alternatives setup 
+++++++++++++++++++++++++++++++++++++
ip6tables                      auto     /usr/sbin/ip6tables-nft
iptables                       auto     /usr/sbin/iptables-nft

Anyway, a manual restart of the service works and the rules in /etc/nftables.conf are loaded properly.

I suppose there is a problem with a kernel module?

 

Doing the same upgrade on Raspberries worked:

Linux bowerick 4.19.50-v7+ #896 SMP Thu Jun 20 16:11:44 BST 2019 armv7l GNU/Linux
No LSB modules are available.
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
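The restart-from-rc.local workaround that comes up later in this thread does get the rules in, but it leaves the host with no ruleset from the failed start until rc.local runs. Below is an added example (my own script, not anything from the thread or from Armbian) of the alternative: retry the nft load a few times from inside the unit and tell systemd to order it after module loading. It assumes the boot-time failure is transient, i.e. nfnetlink/nf_tables simply cannot be loaded yet when nftables.service runs, which fits the observation that a manual restart succeeds once the system is up. The paths /usr/local/sbin/nft-load-retry and nftables.service.d/override.conf are my choices.

```shell
#!/bin/sh
# Added example, not from the thread. A retrying loader for nftables
# rules plus the systemd drop-in that makes nftables.service use it.
# Assumption (consistent with "restart works once the system is up"):
# the boot-time failure is transient because nfnetlink/nf_tables cannot
# yet be loaded when the unit runs, so a few retries beat rc.local.
set -u

# retry_until_ok MAX_TRIES DELAY_SECONDS CMD...
# Runs CMD until it exits 0 or MAX_TRIES is used up; returns CMD's last
# exit status so systemd still marks the unit failed if every try fails.
retry_until_ok() {
    max=$1; delay=$2; shift 2
    n=0; rc=1
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        if "$@"; then
            return 0
        else
            rc=$?
        fi
        echo "attempt $n/$max failed (exit $rc), retrying in ${delay}s" >&2
        sleep "$delay"
    done
    return "$rc"
}

# override_text: drop-in for /etc/systemd/system/nftables.service.d/.
# Buster's systemd 241 refuses Restart= on Type=oneshot units, so the
# retry lives inside ExecStart. The empty ExecStart= clears the vendor
# command line before the replacement is set.
override_text() {
    cat <<'EOF'
[Unit]
After=systemd-modules-load.service

[Service]
ExecStart=
ExecStart=/usr/local/sbin/nft-load-retry load /etc/nftables.conf
EOF
}

case "${1-}" in
    load)                      # called by systemd through the drop-in
        retry_until_ok 5 2 /usr/sbin/nft -f "$2" ;;
    install)                   # one-time setup, run as root
        install -m 0755 "$0" /usr/local/sbin/nft-load-retry
        mkdir -p /etc/systemd/system/nftables.service.d
        override_text > /etc/systemd/system/nftables.service.d/override.conf
        # nf_tables pulls in nfnetlink, so one entry is enough
        echo nf_tables > /etc/modules-load.d/nftables.conf
        systemctl daemon-reload ;;
esac
```

Run it once as root with "sh nft-load-retry.sh install", then check the next boot with "systemctl status nftables" and "nft list ruleset". If the ruleset still only appears after a manual restart, the modules really are unloadable at that point of boot and the kernel config comparison suggested below is the next step.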

 

2 hours ago, wanda said:

I suppose there is a problem with a kernel module?


Possible.

I would do it this way, but you can also do it. Compare the cubox-i kernel config with the one from the RPi, and prepare a PR with the missing components in and around the NETFILTER section.

 

(1) https://superuser.com/questions/287371/obtain-kernel-config-from-currently-running-linux-system

(2) https://docs.armbian.com/Process_Contribute/

(3) https://github.com/armbian/build/tree/master/config/kernel (try to fix also for 5.1.y kernel)

17 hours ago, Igor said:

Possible.

In the meantime I found a workaround by inserting

 

cat /etc/rc.local
[...]
systemctl restart nftables
exit 0

Anyway, my first idea of a missing driver is probably not correct:

It doesn't explain why restarting nftables.service works once the system is up.

 

Regarding your approach:
Raspbian and cubox are different hardware, so will the comparison really be helpful?

cubox
lshw -c network
  *-network:0 DISABLED      
       description: Ethernet interface
       physical id: 3
       logical name: dummy0
       serial: 92:c8:2f:98:51:2c
       capabilities: ethernet physical
       configuration: broadcast=yes driver=dummy driverversion=1.0
  *-network:1
       description: Wireless interface
       physical id: 4
       logical name: wlan0
       serial: 6c:ad:f8:1d:95:8b
       capabilities: ethernet physical wireless
       configuration: broadcast=yes driver=brcmfmac driverversion=5.90.125.104 firmware=5.90.125.104 multicast=yes wireless=IEEE 802.11
  *-network:2
       description: Ethernet interface
       physical id: 5
       logical name: eth0
       serial: d0:63:b4:00:c4:0f
       size: 1Gbit/s
       capacity: 1Gbit/s
       capabilities: ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
       configuration: autonegotiation=on broadcast=yes driver=fec driverversion=Revision: 1.0 duplex=full ip=nnn.nnn.nnn.nnn link=yes multicast=yes port=MII speed=1Gbit/s
raspberry
lshw -c network
  *-usb:0                   
       description: Ethernet interface
       vendor: Standard Microsystems Corp.
       physical id: 1
       bus info: usb@1:1.1.1
       logical name: eth0
       version: 3.00
       serial: b8:27:eb:6c:7d:7d
       size: 1Gbit/s
       capacity: 1Gbit/s
       capabilities: usb-2.10 ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
       configuration: autonegotiation=on broadcast=yes driver=lan78xx duplex=full ip=nnn.nnn.nnn.nnn link=yes maxpower=2mA multicast=yes port=MII speed=1Gbit/s
  *-network
       description: Wireless interface
       physical id: 2
       logical name: wlan0
       serial: b8:27:eb:39:28:28
       capabilities: ethernet physical wireless
       configuration: broadcast=yes driver=brcmfmac driverversion=7.45.154 firmware=01-4fbe0b04 multicast=yes wireless=IEEE 802.11

Anyway, I compared the netfilter section as you suggested. On Raspbian, config.gz exists after

sudo modprobe configs


 

diff -y -W 200 --suppress-common-lines raspian_nf cubox_nf
# CONFIG_NF_LOG_NETDEV is not set                                   |    CONFIG_NF_LOG_NETDEV=m
                                                                    >    CONFIG_NF_CONNTRACK_SECMARK=y
# CONFIG_NF_CONNTRACK_TIMEOUT is not set                            |    CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CT_PROTO_GRE=m                                            |    CONFIG_NF_CT_PROTO_GRE=y
                                                                    >    CONFIG_NF_CT_NETLINK_TIMEOUT=m
CONFIG_NF_NAT_PROTO_DCCP=y                                          <
CONFIG_NF_NAT_PROTO_UDPLITE=y                                       <
CONFIG_NF_NAT_PROTO_SCTP=y                                          <
                                                                    >    CONFIG_NF_NAT_MASQUERADE=y
                                                                    >    CONFIG_NETFILTER_SYNPROXY=m
                                                                    >    CONFIG_NFT_XFRM=m
CONFIG_NF_DUP_NETDEV=m                                              |    # CONFIG_NF_DUP_NETDEV is not set
CONFIG_NFT_DUP_NETDEV=m                                             |    # CONFIG_NFT_DUP_NETDEV is not set
CONFIG_NFT_FWD_NETDEV=m                                             |    # CONFIG_NFT_FWD_NETDEV is not set
                                                                    >    CONFIG_NETFILTER_XT_TARGET_AUDIT=m
                                                                    >    CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
                                                                    >    CONFIG_NETFILTER_XT_TARGET_SECMARK=m
# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set                       |    CONFIG_NETFILTER_XT_MATCH_CGROUP=m
# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set                       |    CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
# CONFIG_IP_SET_HASH_IPMARK is not set                              |    CONFIG_IP_SET_HASH_IPMARK=m
# CONFIG_IP_SET_HASH_IPMAC is not set                               |    CONFIG_IP_SET_HASH_IPMAC=m
# CONFIG_IP_SET_HASH_MAC is not set                                 |    CONFIG_IP_SET_HASH_MAC=m
# CONFIG_IP_SET_HASH_NETPORTNET is not set                          |    CONFIG_IP_SET_HASH_NETPORTNET=m
# CONFIG_IP_SET_HASH_NETNET is not set                              |    CONFIG_IP_SET_HASH_NETNET=m
# CONFIG_IP_VS_IPV6 is not set                                      |    CONFIG_IP_VS_IPV6=y

To be honest, I have no idea about all those options.

 


Just stumbled across something inconsistent after replacing iptables with nftables (the default on Debian 10 buster):

 

A check with Lynis gave me a warning about the "leftover" iptables package:

 -[ Lynis 2.7.5 Results ]-

  Warnings (2):
  ----------------------------
 [...]
  ! iptables module(s) loaded, but no rules active [FIRE-4512] 
      https://cisofy.com/lynis/controls/FIRE-4512/

Is this dependency necessary?

 aptitude purge iptables
The following packages will be REMOVED:  
  iptables{p} 
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 1.444 kB will be freed.
The following packages have unmet dependencies:
 armbian-config : Depends: iptables but it is not going to be installed
The following actions will resolve these dependencies:

     Remove the following packages:       
1)     armbian-config [5.90 (buster, now)]
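The Lynis finding is about the legacy xtables kernel modules being loaded while no rules are active, which is a different thing from the iptables package still being installed because armbian-config depends on it. As an added example (my own script, not Lynis's check and not from the thread), here is that test done by hand, so it is clear which modules it is about and what the state of the nft ruleset is. It assumes, as in the thread, that iptables-nft is the selected alternative and that "nft list ruleset" is the ruleset that counts; it takes lsmod and nft output as text, so it can also be run over saved output from another host.

```shell
#!/bin/sh
# Added example, not from the thread: the check behind a Lynis-style
# "iptables module(s) loaded, but no rules active" finding, done by hand
# on a host that now filters with nft. Assumes iptables-nft is the active
# alternative (as in the thread) and that `nft list ruleset` is the
# ruleset that matters; the inputs are lsmod and nft text, so the
# parsing can be tried on saved output as well.
set -u
export LC_ALL=C

# legacy_table_modules LSMOD_TEXT: loaded {ip,ip6,arp,eb}_tables and
# *table_* modules, i.e. the legacy xtables path. An nft-only host has no
# use for them, and they are what the module check trips over.
legacy_table_modules() {
    printf '%s\n' "$1" \
        | awk 'NR > 1 && $1 ~ /^(ip|ip6|arp|eb)_tables$|^(ip|ip6|arp|eb)table_/ { print $1 }' \
        | sort
}

# ruleset_rule_count NFT_TEXT: number of rule lines in `nft list ruleset`
# output; table/chain/type/policy lines and bare braces are not rules.
# Zero means the chain policies alone decide what passes.
ruleset_rule_count() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(table|chain|type|policy)[[:space:]]/ { next }
        /^[[:space:]]*[{}]?[[:space:]]*$/                   { next }
        { n++ }
        END { print n + 0 }'
}

# verdict LSMOD_TEXT NFT_TEXT: "ok" or a one-line finding
verdict() {
    mods=$(legacy_table_modules "$1" | tr '\n' ' ')
    mods=${mods% }
    rules=$(ruleset_rule_count "$2")
    if [ -n "$mods" ] && [ "$rules" -eq 0 ]; then
        echo "warn: legacy xtables modules loaded ($mods) and the nft ruleset is empty"
    elif [ -n "$mods" ]; then
        echo "info: legacy xtables modules loaded ($mods) but unused; unload them (modprobe -r, dependents first) and blacklist them"
    elif [ "$rules" -eq 0 ]; then
        echo "warn: nft ruleset is empty; check nftables.service"
    else
        echo ok
    fi
}

# live run (nft needs root): sh nft-audit.sh run
case "${1-}" in
    run) verdict "$(lsmod)" "$(nft list ruleset 2>/dev/null)" ;;
esac
```

If the verdict is "ok" the iptables package can stay installed without weakening anything: with the nft alternative selected it is only a front end to the same nf_tables ruleset, and armbian-config calls it that way. The warning case is the one to take seriously, because it means the box came up without its rules, which is exactly the symptom from the first post.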

 


Hey Wanda
I found this. Not sure what it would take to reconcile.

https://github.com/armbian/config/blob/167e0dc2d81a2327c05740c5abfc6fa1fd99f9d9/debian-config-functions-network#L613



On 7/15/2019 at 4:52 AM, lanefu said:

Hi, thanks for the hint. To be honest, I don't get the content of the link, I mean with regard to my question about the package dependency between armbian-config and iptables.

 

nft list ruleset (without any f2b entry) is fine; it will be created with the first ban action.
