cyagon
Posted July 31, 2019

Armbianmonitor: http://ix.io/1Q6D

Hello,

Since Debian Buster switched to nftables as default, when I want to use the ufw-firewall, the following happens:

    root@homecloud:~# ufw enable
    Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
    ERROR: problem running ufw-init
    ip6tables-restore v1.8.3 (nf_tables): unknown option "--icmpv6-type"
    Error occurred at line: 36
    Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

    Problem running '/etc/ufw/before6.rules'

    root@homecloud:~#

I installed both iptables and nftables, and also tried the buster-backports versions of both programs, same issue.

When I run the ufw-check-requirements script, I get this:

    root@homecloud:~# /usr/share/ufw/check-requirements
    Has python: pass (binary: python2.7, version: 2.7.16, py2)
    Has iptables: pass
    Has ip6tables: pass

    Has /proc/net/dev: pass
    Has /proc/net/if_inet6: pass

    This script will now attempt to create various rules using the iptables
    and ip6tables commands. This may result in module autoloading (eg, for IPv6).
    Proceed with checks (Y/n)? y
    == IPv4 ==
    Creating 'ufw-check-requirements'... done
    Inserting RETURN at top of 'ufw-check-requirements'... done
    TCP: pass
    UDP: pass
    destination port: pass
    source port: pass
    ACCEPT: pass
    DROP: pass
    REJECT: pass
    LOG: pass
    hashlimit: pass
    limit: pass
    ctstate (NEW): pass
    ctstate (RELATED): pass
    ctstate (ESTABLISHED): pass
    ctstate (INVALID): pass
    ctstate (new, recent set): pass
    ctstate (new, recent update): pass
    ctstate (new, limit): pass
    interface (input): pass
    interface (output): pass
    multiport: pass
    comment: pass
    addrtype (LOCAL): pass
    addrtype (MULTICAST): pass
    addrtype (BROADCAST): pass
    icmp (destination-unreachable): pass
    icmp (source-quench): pass
    icmp (time-exceeded): pass
    icmp (parameter-problem): pass
    icmp (echo-request): pass

    == IPv6 ==
    Creating 'ufw-check-requirements6'... done
    Inserting RETURN at top of 'ufw-check-requirements6'... done
    TCP: pass
    UDP: pass
    destination port: pass
    source port: pass
    ACCEPT: pass
    DROP: pass
    REJECT: pass
    LOG: pass
    hashlimit: pass
    limit: pass
    ctstate (NEW): pass
    ctstate (RELATED): pass
    ctstate (ESTABLISHED): pass
    ctstate (INVALID): pass
    ctstate (new, recent set): pass
    ctstate (new, recent update): pass
    ctstate (new, limit): pass
    interface (input): pass
    interface (output): pass
    multiport: pass
    comment: pass
    icmpv6 (destination-unreachable): FAIL
    error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    icmpv6 (packet-too-big): FAIL
    error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    icmpv6 (time-exceeded): FAIL
    error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    icmpv6 (parameter-problem): FAIL
    error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    icmpv6 (echo-request): FAIL
    error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    icmpv6 with hl (neighbor-solicitation): FAIL
    error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    icmpv6 with hl (neighbor-advertisement): FAIL
    error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    icmpv6 with hl (router-solicitation): FAIL
    error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    icmpv6 with hl (router-advertisement): FAIL
    error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
    Try `ip6tables -h' or 'ip6tables --help' for more information.
    ipv6 rt: pass

    FAIL: check your kernel and that you have iptables >= 1.4.0
    root@homecloud:~#

Could this be a kernel issue with the standard 4.14 kernel? Because I have no issues with the 5.1 dev kernel:

    root@homecloud:~# /usr/share/ufw/check-requirements
    Has python: pass (binary: python2.7, version: 2.7.16, py2)
    Has iptables: pass
    Has ip6tables: pass

    Has /proc/net/dev: pass
    Has /proc/net/if_inet6: pass

    This script will now attempt to create various rules using the iptables
    and ip6tables commands. This may result in module autoloading (eg, for IPv6).
    Proceed with checks (Y/n)? y
    == IPv4 ==
    Creating 'ufw-check-requirements'... done
    Inserting RETURN at top of 'ufw-check-requirements'... done
    TCP: pass
    UDP: pass
    destination port: pass
    source port: pass
    ACCEPT: pass
    DROP: pass
    REJECT: pass
    LOG: pass
    hashlimit: pass
    limit: pass
    ctstate (NEW): pass
    ctstate (RELATED): pass
    ctstate (ESTABLISHED): pass
    ctstate (INVALID): pass
    ctstate (new, recent set): pass
    ctstate (new, recent update): pass
    ctstate (new, limit): pass
    interface (input): pass
    interface (output): pass
    multiport: pass
    comment: pass
    addrtype (LOCAL): pass
    addrtype (MULTICAST): pass
    addrtype (BROADCAST): pass
    icmp (destination-unreachable): pass
    icmp (source-quench): pass
    icmp (time-exceeded): pass
    icmp (parameter-problem): pass
    icmp (echo-request): pass

    == IPv6 ==
    Creating 'ufw-check-requirements6'... done
    Inserting RETURN at top of 'ufw-check-requirements6'... done
    TCP: pass
    UDP: pass
    destination port: pass
    source port: pass
    ACCEPT: pass
    DROP: pass
    REJECT: pass
    LOG: pass
    hashlimit: pass
    limit: pass
    ctstate (NEW): pass
    ctstate (RELATED): pass
    ctstate (ESTABLISHED): pass
    ctstate (INVALID): pass
    ctstate (new, recent set): pass
    ctstate (new, recent update): pass
    ctstate (new, limit): pass
    interface (input): pass
    interface (output): pass
    multiport: pass
    comment: pass
    icmpv6 (destination-unreachable): pass
    icmpv6 (packet-too-big): pass
    icmpv6 (time-exceeded): pass
    icmpv6 (parameter-problem): pass
    icmpv6 (echo-request): pass
    icmpv6 with hl (neighbor-solicitation): pass
    icmpv6 with hl (neighbor-advertisement): pass
    icmpv6 with hl (router-solicitation): pass
    icmpv6 with hl (router-advertisement): pass
    ipv6 rt: pass

    All tests passed
    root@homecloud:~#

And the ufw-firewall can be enabled without issue.

Currently, the solution for the odroidxu4 with the standard 4.14 kernel is to switch from iptables-nft (nftables as backend) to iptables-legacy as described here: https://wiki.debian.org/nftables

    update-alternatives --set iptables /usr/sbin/iptables-legacy
    update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Is there a way to fix it so nftables can be used with the standard 4.14 kernel?

Sincerely,
cyagon
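
Added example, not part of the original post and not code from ufw or Armbian: a small shell triage of a saved check-requirements report that separates the failure pattern shown above (only icmpv6 checks failing, with errors from the nf_tables backend) from any other failure. The function names and the abridged sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a saved ufw check-requirements report.

# Backend named in an iptables 1.8.x banner, e.g. "ip6tables v1.8.3 (nf_tables)".
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Read a report on stdin; print "family<TAB>check" for each failed check.
failed_checks() {
    awk '
        /^== IPv[46] ==/ { fam = $2; next }
        /: FAIL$/ { sub(/^[ \t]+/, ""); sub(/: FAIL$/, ""); print fam "\t" $0 }
    '
}

# Verdict on stdin report: ok | nft-icmpv6 (only IPv6 icmpv6 checks fail, nf_tables errors) | other.
diagnose() {
    report=$(cat)
    fails=$(printf '%s\n' "$report" | failed_checks)
    if [ -z "$fails" ]; then echo ok; return 0; fi
    # Count failures that are not IPv6 icmpv6 checks.
    other=$(printf '%s\n' "$fails" |
        awk -F'\t' '$1 != "IPv6" || $2 !~ /^icmpv6/ { n++ } END { print n + 0 }')
    # First error line carries the tool banner with the backend name.
    banner=$(printf '%s\n' "$report" | sed -n '/error was:/{p;q;}')
    if [ "$other" -eq 0 ] && [ "$(backend_of "$banner")" = nf_tables ]; then
        echo nft-icmpv6
    else
        echo other
    fi
}

# Constructed sample, abridged from the output quoted in the post.
sample_report() {
    cat <<'EOF'
== IPv4 ==
icmp (echo-request): pass
== IPv6 ==
icmpv6 (echo-request): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
icmpv6 with hl (router-advertisement): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
FAIL: check your kernel and that you have iptables >= 1.4.0
EOF
}

sample_report | diagnose
```

A verdict of `nft-icmpv6` matches the situation in the post, where the `update-alternatives` switch to the legacy backend is the stated workaround; `other` means the failures need a separate look.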