Strange result from nftables on espressobin?

[Daniel Lakeland]

I don't know if this is some strange thing about the kernel supplied for the Espressobin or what, but I am unable to load even the most basic rule set in nftables, the empty one that comes with the nftables package:

 

root@tottenham:~# cat /etc/nftables.conf 

flush ruleset

table inet filter {
	chain input { type filter hook input priority 0; policy accept;	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
root@tottenham:~# nft -f /etc/nftables.conf 
/etc/nftables.conf:5:15-19: Error: Could not process rule: No such file or directory
	chain input { type filter hook input priority 0; policy accept;	}
	             ^^^^^
/etc/nftables.conf:6:15-21: Error: Could not process rule: No such file or directory
	chain forward {
	             ^^^^^^^
/etc/nftables.conf:9:15-20: Error: Could not process rule: No such file or directory
	chain output {
	             ^^^^^^
root@tottenham:~# cat /proc/version
Linux version 4.19.12-mvebu64 (root@nightly) (gcc version 7.2.1 20171011 (Linaro GCC 7.2-2017.11)) #5.68 SMP PREEMPT Fri Dec 28 20:24:51 CET 2018

Does anyone have any idea why it seems to think "type filter hook input priority 0;" is not OK?

 

if I create just *empty* chains it does work:

 

root@tottenham:~# nft create table inet filter
root@tottenham:~# nft create chain inet filter input
root@tottenham:~# nft list ruleset
table inet filter {
	chain input {
	}
}

 

[Daniel Lakeland]

SOLUTION:

 

Apparently the kernel was compiled with nftables support, but not actually NF_TABLES_IPV4, NF_TABLES_IPV6, NF_TABLES_ARP ... NF_TABLES_INET so basically you can create tables but they can't actually *DO* anything.

 

This seems like a bug, and someone should look into it. Where can I report it? Also how do I compile my own kernel with these enabled on this little board? Is there a HOWTO for recompiling kernels on Armbian?

 

[martinayotte]

21 minutes ago, Daniel Lakeland said:

Is there a HOWTO for recompiling kernels on Armbian?

https://docs.armbian.com/Developer-Guide_Build-Preparation/

[Daniel Lakeland]

Yay, now I get to figure out how to turn my desktop machine into a router and reconfigure docker to accept my nftables :-)

 

Fortunately after only an hour or so, I did manage to make it work, including a bunch of this kind of stuff: https://gist.github.com/dearing/9388218f3c6ef6e48114

 

doing a docker based build of the kernel now...

 

How about the part about reporting a bug where nftables is enabled but with all the important functionality disabled?

[martinayotte]

If you've got it working with your own build, then you can submit a PR for your changes :

https://docs.armbian.com/Process_Contribute/

[Daniel Lakeland]

First time I've built a kernel in probably a decade as the Debian supplied ones essentially include EVERYTHING by modules so it's rarely needed these days... First one enabled not quite all the nft functions I needed (I accidentally left out NAT functions) but it was working a lot better. Trying again to add those options, but it doesn't seem like the config persists after the docker goes down?

 

Building in Docker is opaque to me. I run "compile.sh docker", step through the menu config and it builds... I'll read up on how it works, maybe get a shell in the docker container and poke around.

 

[Daniel Lakeland]

Enabling basically all the nftables configs did in fact make it all work fine. I'll look into how to do the PR. Thanks for the hints!