cyagon

odroidxu4: iptables-nft issue with buster

Hello,


Since Debian buster switched to nftables as the default, when I want to use the ufw firewall, the following happens:

root@homecloud:~# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
ERROR: problem running ufw-init
ip6tables-restore v1.8.3 (nf_tables): unknown option "--icmpv6-type"
Error occurred at line: 36
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Problem running '/etc/ufw/before6.rules'

root@homecloud:~#

I installed both iptables and nftables, and also tried the buster-backports versions of both programs; same issue.

When I run the ufw check-requirements script, I get this:

root@homecloud:~# /usr/share/ufw/check-requirements
Has python: pass (binary: python2.7, version: 2.7.16, py2)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (packet-too-big): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (time-exceeded): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (parameter-problem): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 (echo-request): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (neighbor-solicitation): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (neighbor-advertisement): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (router-solicitation): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
icmpv6 with hl (router-advertisement): FAIL
error was: ip6tables v1.8.3 (nf_tables): unknown option "--icmpv6-type"
Try `ip6tables -h' or 'ip6tables --help' for more information.
ipv6 rt: pass

FAIL: check your kernel and that you have iptables >= 1.4.0
root@homecloud:~#

Could this be a kernel issue with the standard 4.14 kernel? Because I have no issues with the 5.1 dev kernel:

root@homecloud:~# /usr/share/ufw/check-requirements
Has python: pass (binary: python2.7, version: 2.7.16, py2)
Has iptables: pass
Has ip6tables: pass

Has /proc/net/dev: pass
Has /proc/net/if_inet6: pass

This script will now attempt to create various rules using the iptables
and ip6tables commands. This may result in module autoloading (eg, for
IPv6).
Proceed with checks (Y/n)? y
== IPv4 ==
Creating 'ufw-check-requirements'... done
Inserting RETURN at top of 'ufw-check-requirements'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
addrtype (LOCAL): pass
addrtype (MULTICAST): pass
addrtype (BROADCAST): pass
icmp (destination-unreachable): pass
icmp (source-quench): pass
icmp (time-exceeded): pass
icmp (parameter-problem): pass
icmp (echo-request): pass

== IPv6 ==
Creating 'ufw-check-requirements6'... done
Inserting RETURN at top of 'ufw-check-requirements6'... done
TCP: pass
UDP: pass
destination port: pass
source port: pass
ACCEPT: pass
DROP: pass
REJECT: pass
LOG: pass
hashlimit: pass
limit: pass
ctstate (NEW): pass
ctstate (RELATED): pass
ctstate (ESTABLISHED): pass
ctstate (INVALID): pass
ctstate (new, recent set): pass
ctstate (new, recent update): pass
ctstate (new, limit): pass
interface (input): pass
interface (output): pass
multiport: pass
comment: pass
icmpv6 (destination-unreachable): pass
icmpv6 (packet-too-big): pass
icmpv6 (time-exceeded): pass
icmpv6 (parameter-problem): pass
icmpv6 (echo-request): pass
icmpv6 with hl (neighbor-solicitation): pass
icmpv6 with hl (neighbor-advertisement): pass
icmpv6 with hl (router-solicitation): pass
icmpv6 with hl (router-advertisement): pass
ipv6 rt: pass

All tests passed
root@homecloud:~#

And the ufw-firewall can be enabled without issue.

Currently, the solution for the odroidxu4 with the standard 4.14 kernel is to switch from iptables-nft (nftables as backend) to iptables-legacy, as described here: https://wiki.debian.org/nftables

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Is there a way to fix it so nftables can be used with the standard 4.14 kernel?


Sincerely,

cyagon
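The check the post walks through by hand, as an added example (not part of the original post or of ufw): it reads the active ip6tables backend from `ip6tables -V`, repeats the same icmpv6-type probe in a throwaway chain that ufw's check-requirements performs, and only then applies the update-alternatives switch to the legacy binaries. The chain name `ufw-icmpv6-probe` and the three result words are this example's own choices; the legacy paths are the ones quoted in the post.

```bash
#!/bin/sh
# Probe whether the active ip6tables backend accepts the icmpv6 match that
# ufw's before6.rules needs, and apply the legacy switch only if it does not.
# Run as root on the board: sh probe.sh run

# Extract the backend tag from "ip6tables -V" output,
# e.g. "ip6tables v1.8.3 (nf_tables)" -> "nf_tables", "(legacy)" -> "legacy".
backend_of() {
    printf '%s\n' "$1" | sed -n 's/.*(\([a-z_]*\)).*/\1/p'
}

# Map probe result (yes/no) and backend name to an action:
#   ok | switch-to-legacy | kernel-or-iptables-problem
decide() {
    probe_ok="$1"; backend="$2"
    if [ "$probe_ok" = "yes" ]; then
        echo ok
    elif [ "$backend" = "nf_tables" ]; then
        echo switch-to-legacy            # same failure mode as in the post
    else
        echo kernel-or-iptables-problem  # legacy backend also fails: not a backend issue
    fi
}

# The probe ufw's check-requirements performs: a scratch chain with one
# "--icmpv6-type" rule (the option that 4.14 + nf_tables rejected above).
probe_icmpv6_match() {
    chain=ufw-icmpv6-probe
    ip6tables -N "$chain" 2>/dev/null || return 1
    rc=0
    ip6tables -A "$chain" -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT 2>/dev/null || rc=1
    ip6tables -F "$chain" 2>/dev/null || true
    ip6tables -X "$chain" 2>/dev/null || true
    return $rc
}

main() {
    ver="$(ip6tables -V 2>/dev/null)" || { echo "ip6tables not found" >&2; exit 2; }
    backend="$(backend_of "$ver")"
    if probe_icmpv6_match; then ok=yes; else ok=no; fi
    action="$(decide "$ok" "$backend")"
    echo "kernel $(uname -r), backend ${backend:-unknown}, icmpv6 match: $ok -> $action"
    if [ "$action" = "switch-to-legacy" ]; then
        update-alternatives --set iptables /usr/sbin/iptables-legacy
        update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    fi
}

if [ "${1:-}" = "run" ]; then main; fi
```

After a switch, re-run `/usr/share/ufw/check-requirements` before `ufw enable`, since the script only verifies the single match that failed in the post.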
