wanda
Posted July 12, 2019

Armbianmonitor: http://ix.io/1Og1

I just switched from iptables to netfilter. After a reboot I get this kind of status for the service:

    systemctl status nftables
    ● nftables.service - nftables
       Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since Fri 2019-07-12 16:04:59 CEST; 4min 28s ago
         Docs: man:nft(8)
               http://wiki.nftables.org
      Process: 287 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=3)
     Main PID: 287 (code=exited, status=3)

    Jul 12 16:04:59 cubox nft[287]: netlink.c:62: Unable to initialize Netlink socket: Protocol not supported
    Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

    +++++++++++++++++++++++++++++++++++++ nftables installed ? +++++++++++++++++++++++++++++++++++++
    p   libnftables-dev  - Development files for libnftables
    i A libnftables0     - Netfilter nftables high level userspace API library
    i   nftables         - Program to control packet filtering rules by Netfilter project
    +++++++++++++++++++++++++++++++++++++ update alternatives setup +++++++++++++++++++++++++++++++++++++
    ip6tables  auto  /usr/sbin/ip6tables-nft
    iptables   auto  /usr/sbin/iptables-nft

Anyway, a manual restart of the service works and the rules in /etc/nftables.conf are loaded properly. I suppose there is a problem with a kernel module?

Doing the same upgrade on raspberries worked:

    Linux bowerick 4.19.50-v7+ #896 SMP Thu Jun 20 16:11:44 BST 2019 armv7l GNU/Linux
    No LSB modules are available.
    Distributor ID: Raspbian
    Description:    Raspbian GNU/Linux 10 (buster)
    Release:        10
    Codename:       buster
Igor
Posted July 12, 2019

> 2 hours ago, wanda said:
> I suppose there is a problem with a kernel module?

Possible. I would do it this way, but you can also do it: compare the cubox-i kernel config with the one from the RPi, and prepare a PR with the missing components in and around the NETFILTER section.

(1) https://superuser.com/questions/287371/obtain-kernel-config-from-currently-running-linux-system
(2) https://docs.armbian.com/Process_Contribute/
(3) https://github.com/armbian/build/tree/master/config/kernel (try to fix it also for the 5.1.y kernel)
wanda (Author)
Posted July 13, 2019

> 17 hours ago, Igor said:
> Possible.

In the meantime I found a workaround by inserting a restart into rc.local:

    cat /etc/rc.local
    [...]
    systemctl restart nftables
    exit 0

Anyway, my first idea of a missing driver is probably not correct: it doesn't explain why a restart of nftables.service works correctly once the system is up.

Regarding your approach: Raspbian and cubox are different hardware, so will the comparison really be helpful?

cubox:

    lshw -c network
      *-network:0 DISABLED
           description: Ethernet interface
           physical id: 3
           logical name: dummy0
           serial: 92:c8:2f:98:51:2c
           capabilities: ethernet physical
           configuration: broadcast=yes driver=dummy driverversion=1.0
      *-network:1
           description: Wireless interface
           physical id: 4
           logical name: wlan0
           serial: 6c:ad:f8:1d:95:8b
           capabilities: ethernet physical wireless
           configuration: broadcast=yes driver=brcmfmac driverversion=5.90.125.104 firmware=5.90.125.104 multicast=yes wireless=IEEE 802.11
      *-network:2
           description: Ethernet interface
           physical id: 5
           logical name: eth0
           serial: d0:63:b4:00:c4:0f
           size: 1Gbit/s
           capacity: 1Gbit/s
           capabilities: ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
           configuration: autonegotiation=on broadcast=yes driver=fec driverversion=Revision: 1.0 duplex=full ip=nnn.nnn.nnn.nnn link=yes multicast=yes port=MII speed=1Gbit/s

raspberry:

    lshw -c network
      *-usb:0
           description: Ethernet interface
           vendor: Standard Microsystems Corp.
           physical id: 1
           bus info: usb@1:1.1.1
           logical name: eth0
           version: 3.00
           serial: b8:27:eb:6c:7d:7d
           size: 1Gbit/s
           capacity: 1Gbit/s
           capabilities: usb-2.10 ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
           configuration: autonegotiation=on broadcast=yes driver=lan78xx duplex=full ip=nnn.nnn.nnn.nnn link=yes maxpower=2mA multicast=yes port=MII speed=1Gbit/s
      *-network
           description: Wireless interface
           physical id: 2
           logical name: wlan0
           serial: b8:27:eb:39:28:28
           capabilities: ethernet physical wireless
           configuration: broadcast=yes driver=brcmfmac driverversion=7.45.154 firmware=01-4fbe0b04 multicast=yes wireless=IEEE 802.11

Anyway, I compared the netfilter section as you suggested (Raspbian: config.gz exists after sudo modprobe configs):

    diff -y -W 200 --suppress-common-lines raspian_nf cubox_nf
    # CONFIG_NF_LOG_NETDEV is not set               | CONFIG_NF_LOG_NETDEV=m
                                                    > CONFIG_NF_CONNTRACK_SECMARK=y
    # CONFIG_NF_CONNTRACK_TIMEOUT is not set        | CONFIG_NF_CONNTRACK_TIMEOUT=y
    CONFIG_NF_CT_PROTO_GRE=m                        | CONFIG_NF_CT_PROTO_GRE=y
                                                    > CONFIG_NF_CT_NETLINK_TIMEOUT=m
    CONFIG_NF_NAT_PROTO_DCCP=y                      <
    CONFIG_NF_NAT_PROTO_UDPLITE=y                   <
    CONFIG_NF_NAT_PROTO_SCTP=y                      <
                                                    > CONFIG_NF_NAT_MASQUERADE=y
                                                    > CONFIG_NETFILTER_SYNPROXY=m
                                                    > CONFIG_NFT_XFRM=m
    CONFIG_NF_DUP_NETDEV=m                          | # CONFIG_NF_DUP_NETDEV is not set
    CONFIG_NFT_DUP_NETDEV=m                         | # CONFIG_NFT_DUP_NETDEV is not set
    CONFIG_NFT_FWD_NETDEV=m                         | # CONFIG_NFT_FWD_NETDEV is not set
                                                    > CONFIG_NETFILTER_XT_TARGET_AUDIT=m
                                                    > CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
                                                    > CONFIG_NETFILTER_XT_TARGET_SECMARK=m
    # CONFIG_NETFILTER_XT_MATCH_CGROUP is not set   | CONFIG_NETFILTER_XT_MATCH_CGROUP=m
    # CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set   | CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
    # CONFIG_IP_SET_HASH_IPMARK is not set          | CONFIG_IP_SET_HASH_IPMARK=m
    # CONFIG_IP_SET_HASH_IPMAC is not set           | CONFIG_IP_SET_HASH_IPMAC=m
    # CONFIG_IP_SET_HASH_MAC is not set             | CONFIG_IP_SET_HASH_MAC=m
    # CONFIG_IP_SET_HASH_NETPORTNET is not set      | CONFIG_IP_SET_HASH_NETPORTNET=m
    # CONFIG_IP_SET_HASH_NETNET is not set          | CONFIG_IP_SET_HASH_NETNET=m
    # CONFIG_IP_VS_IPV6 is not set                  | CONFIG_IP_VS_IPV6=y

To be honest, I have no idea about all those options.
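The comparison Igor suggested and the diff -y above amount to diffing the NETFILTER section of two kernel configs. As an added example (not from this thread, and not Armbian code), the script below does the same comparison structurally: it parses a plain .config or a gzipped /proc/config.gz, restricts the diff to netfilter symbols, and reports which of a small set of symbols that nft needs are unset. The two embedded configs are constructed snippets modelled on the diff above, not the real cubox or Raspbian files, and the REQUIRED_FOR_NFT list is an assumption of mine.

```python
import gzip
import re
from pathlib import Path

# Matches "CONFIG_FOO=<value>" and "# CONFIG_FOO is not set" lines of a kernel .config.
CONFIG_RE = re.compile(r"^(?:(CONFIG_\w+)=(\S+)|# (CONFIG_\w+) is not set)$")
NETFILTER_PREFIXES = ("CONFIG_NETFILTER", "CONFIG_NF_", "CONFIG_NFT_", "CONFIG_IP_SET", "CONFIG_IP_VS")
# Assumed minimal set for `nft -f` to reach the kernel (an assumption, not from the thread).
REQUIRED_FOR_NFT = ("CONFIG_NETFILTER_NETLINK", "CONFIG_NF_TABLES", "CONFIG_NF_TABLES_INET")
# Constructed sample configs modelled on the thread's diff -y output; not the real files.
SAMPLE_A = """\
CONFIG_NETFILTER_NETLINK=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
# CONFIG_NF_LOG_NETDEV is not set
CONFIG_NF_CT_PROTO_GRE=m
"""
SAMPLE_B = """\
CONFIG_NETFILTER_NETLINK=m
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_INET is not set
CONFIG_NF_LOG_NETDEV=m
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CT_PROTO_GRE=y
CONFIG_NET_KEY=y
"""

def parse_config(text):
    """Return {symbol: value}; '# CONFIG_X is not set' lines become 'n'."""
    opts = {}
    for m in filter(None, map(CONFIG_RE.match, text.splitlines())):
        opts[m.group(1) or m.group(3)] = m.group(2) or "n"
    return opts

def load_config(path):
    """Read a plain .config or a gzipped /proc/config.gz (available after `modprobe configs`)."""
    raw = Path(path).read_bytes()
    if raw.startswith(b"\x1f\x8b"):  # gzip magic bytes
        raw = gzip.decompress(raw)
    return parse_config(raw.decode())

def netfilter_diff(a, b):
    """Differences restricted to netfilter symbols, as {symbol: (value_in_a, value_in_b)}."""
    keys = {k for k in a.keys() | b.keys() if k.startswith(NETFILTER_PREFIXES)}
    return {k: (a.get(k, "absent"), b.get(k, "absent")) for k in sorted(keys) if a.get(k) != b.get(k)}

def missing_for_nft(cfg):
    """Symbols from REQUIRED_FOR_NFT that are unset ('n') or absent in cfg."""
    return [k for k in REQUIRED_FOR_NFT if cfg.get(k, "n") == "n"]
```

On a real board, call load_config("/proc/config.gz") for the running kernel and load_config on the other board's config, then feed both to netfilter_diff and missing_for_nft.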
wanda (Author)
Posted July 14, 2019

Just stumbled across something inconsistent after replacing iptables with nftables (the default on Debian buster 10): a check with lynis gave me a warning about the "leftover" iptables package:

    -[ Lynis 2.7.5 Results ]-

      Warnings (2):
      ----------------------------
      [...]
      ! iptables module(s) loaded, but no rules active [FIRE-4512]
          https://cisofy.com/lynis/controls/FIRE-4512/

Is this dependency necessary?

    aptitude purge iptables
    The following packages will be REMOVED:
      iptables{p}
    0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
    Need to get 0 B of archives. After unpacking 1.444 kB will be freed.
    The following packages have unmet dependencies:
     armbian-config : Depends: iptables but it is not going to be installed
    The following actions will resolve these dependencies:

         Remove the following packages:
    1)     armbian-config [5.90 (buster, now)]
lanefu
Posted July 15, 2019

> Just stumbled across something inconsistent after replacing iptables with nftables (the default on Debian buster 10): a check with lynis gave me a warning about the "leftover" iptables package:
>
>     -[ Lynis 2.7.5 Results ]-
>
>       Warnings (2):
>       ----------------------------
>       [...]
>       ! iptables module(s) loaded, but no rules active [FIRE-4512]
>           https://cisofy.com/lynis/controls/FIRE-4512/
>
> Is this dependency necessary?
>
>     aptitude purge iptables
>     The following packages will be REMOVED:
>       iptables{p}
>     0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
>     Need to get 0 B of archives. After unpacking 1.444 kB will be freed.
>     The following packages have unmet dependencies:
>      armbian-config : Depends: iptables but it is not going to be installed
>     The following actions will resolve these dependencies:
>
>          Remove the following packages:
>     1)     armbian-config [5.90 (buster, now)]

Hey Wanda, I found this. Not sure what it would take to reconcile.
https://github.com/armbian/config/blob/167e0dc2d81a2327c05740c5abfc6fa1fd99f9d9/debian-config-functions-network#L613

Sent from my iPad using Tapatalk
wanda (Author)
Posted July 15, 2019

> On 7/15/2019 at 4:52 AM, lanefu said:
> I found this. Not sure what it would take to reconcile.
> https://github.com/armbian/config/blob/167e0dc2d81a2327c05740c5abfc6fa1fd99f9d9/debian-config-functions-network#L613

Hi, thanks for the hint. To be honest, I don't get the content of the link, I mean in relation to my question about the package dependency between armbian-config and iptables. nft list ruleset (without any f2b entry) is fine; it will be created with the first ban action.