Daniel Lakeland

Strange result from nftables on espressobin?


I don't know if this is some strange thing about the kernel supplied for the Espressobin or what, but I am unable to load even the most basic rule set in nftables, the empty one that comes with the nftables package:

 

root@tottenham:~# cat /etc/nftables.conf 

flush ruleset

table inet filter {
	chain input { type filter hook input priority 0; policy accept;	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
root@tottenham:~# nft -f /etc/nftables.conf 
/etc/nftables.conf:5:15-19: Error: Could not process rule: No such file or directory
	chain input { type filter hook input priority 0; policy accept;	}
	             ^^^^^
/etc/nftables.conf:6:15-21: Error: Could not process rule: No such file or directory
	chain forward {
	             ^^^^^^^
/etc/nftables.conf:9:15-20: Error: Could not process rule: No such file or directory
	chain output {
	             ^^^^^^
root@tottenham:~# cat /proc/version
Linux version 4.19.12-mvebu64 (root@nightly) (gcc version 7.2.1 20171011 (Linaro GCC 7.2-2017.11)) #5.68 SMP PREEMPT Fri Dec 28 20:24:51 CET 2018

Does anyone have any idea why it seems to think "type filter hook input priority 0;" is not OK?

 

If I create just *empty* chains it does work:

 

root@tottenham:~# nft create table inet filter
root@tottenham:~# nft create chain inet filter input
root@tottenham:~# nft list ruleset
table inet filter {
	chain input {
	}
}

 


SOLUTION:

 

Apparently the kernel was compiled with nftables support, but not actually NF_TABLES_IPV4, NF_TABLES_IPV6, NF_TABLES_ARP ... NF_TABLES_INET, so basically you can create tables but they can't actually *DO* anything.

 

This seems like a bug, and someone should look into it. Where can I report it? Also how do I compile my own kernel with these enabled on this little board? Is there a HOWTO for recompiling kernels on Armbian?

 

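The failure above is a kernel-config problem that nft reports only as a vague "No such file or directory". A pre-flight check that reads the kernel config and names the missing NF_TABLES address families saves the guesswork. The script below is an added example, not part of this thread or of Armbian's tooling; it checks the option names the post above lists (plus CONFIG_NF_TABLES itself), reads /proc/config.gz or /boot/config-$(uname -r) when no path is given, and runs its demo against a constructed config file that reproduces the situation on the Espressobin kernel.

```shell
#!/bin/sh
# Added example (not from the forum thread): check that the running kernel has
# the nftables address families compiled in before loading a ruleset. The
# option list is the one named in the thread plus CONFIG_NF_TABLES itself.

# Print the kernel config text. An explicit path (used by the demo) wins;
# otherwise try /proc/config.gz, then /boot/config-<release>.
read_kernel_config() {
    if [ -n "$1" ]; then
        cat "$1"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Print every required option that is neither =y nor =m in the config.
# Exit status: 0 if all are present, 1 if any is missing, 2 if no config found.
missing_nft_options() {
    cfg="$(read_kernel_config "$1")" || { echo "no kernel config found" >&2; return 2; }
    rc=0
    for opt in CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NF_TABLES_IPV4 \
               CONFIG_NF_TABLES_IPV6 CONFIG_NF_TABLES_ARP; do
        if ! printf '%s\n' "$cfg" | grep -Eq "^${opt}=(y|m)$"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample config reproducing the thread's situation: the nftables
# core is built, but none of the address families are, so tables can be
# created while hooks cannot be registered.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_INET is not set
# CONFIG_NF_TABLES_IPV4 is not set
# CONFIG_NF_TABLES_IPV6 is not set
# CONFIG_NF_TABLES_ARP is not set
CONFIG_NFT_NAT=m
EOF
}

# Demo against the constructed sample; call missing_nft_options with no
# argument to inspect the kernel you are actually running.
sample="$(mktemp)"
write_sample_config "$sample"
echo "Missing from sample config:"
missing_nft_options "$sample" || true
rm -f "$sample"
```

Run it before `nft -f /etc/nftables.conf`: a non-zero exit with option names listed means the ruleset will fail at the hook declarations exactly as shown in the first post, and the fix is a kernel rebuild rather than a change to the ruleset. Options the thread mentions later (NAT support) can be appended to the loop in the same way.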

Yay, now I get to figure out how to turn my desktop machine into a router and reconfigure docker to accept my nftables :-)

 

Fortunately after only an hour or so, I did manage to make it work, including a bunch of this kind of stuff: https://gist.github.com/dearing/9388218f3c6ef6e48114

 

Doing a Docker-based build of the kernel now...

 

How about the part about reporting a bug where nftables is enabled but with all the important functionality disabled?


First time I've built a kernel in probably a decade as the Debian supplied ones essentially include EVERYTHING by modules so it's rarely needed these days... First one enabled not quite all the nft functions I needed (I accidentally left out NAT functions) but it was working a lot better. Trying again to add those options, but it doesn't seem like the config persists after the docker goes down?

 

Building in Docker is opaque to me. I run "compile.sh docker", step through the menu config and it builds... I'll read up on how it works, maybe get a shell in the Docker container and poke around.

 
