I'm trying to set up NFT and installed the package through pacman. I have enabled the service but am unable to start it. Here is a little output to give some context.
[chris@arch ~]$ systemctl status nftables
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2018-11-02 19:41:07 PDT; 3min 21s ago
Docs: man:nft(8)
Process: 26652 ExecStart=/usr/bin/nft -f /etc/nftables.conf (code=exited, status=3)
Main PID: 26652 (code=exited, status=3)
[chris@arch ~]$ nft help
netlink.c:62: Unable to initialize Netlink socket: Protocol not supported
[chris@arch ~]$ nft list ruleset
netlink.c:62: Unable to initialize Netlink socket: Protocol not supported
I seem to get the error no matter what I try. I cannot seem to find stuff online about it, so I have no idea what I'm doing wrong here. Running lsmod | grep '^nf' like the wiki says returns absolutely nothing at all. How can I go about fixing this problem? Am I better off just using and learning iptables? I wanted to go with nftables because I was reading that it is the new and better way to go, but I'm struggling to even get started.
Is there some other form of firewall installed/enabled like iptables or ufw? Which DE do you use? Which network manager? Root account or sudo user? Whole system updated (pacman -Syu)? What's in the /etc/nftables.conf ?
And post journalctl -xe (e. g.)
Last edited by equalizer876 (2018-11-03 10:23:59)
Running lsmod | grep '^nf' like the wiki says returns absolutely nothing at all.
It seems the required kernel modules weren't loaded so you need to find out why. I'm running nftables on a number of machines and when I run this command the output is similar to the following:
nft_masq_ipv4 16384 1
nf_nat_masquerade_ipv4 16384 1 nft_masq_ipv4
nft_masq 16384 1 nft_masq_ipv4
nft_reject_ipv4 16384 3
nf_reject_ipv4 16384 1 nft_reject_ipv4
nft_reject 16384 1 nft_reject_ipv4
nft_counter 16384 11
nft_ct 20480 6
nft_set_bitmap 16384 0
nft_set_hash 20480 2
nft_set_rbtree 16384 2
nft_meta 16384 7
nft_chain_nat_ipv4 16384 2
nf_conntrack_ipv4 16384 8
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
nf_nat_ipv4 16384 1 nft_chain_nat_ipv4
nf_nat 36864 2 nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_conntrack 155648 7 nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_nat,nft_ct,nf_nat_ipv4,nft_masq,nft_masq_ipv4
nf_tables_ipv4 16384 5
nf_tables 106496 66 nf_tables_ipv4,nft_reject_ipv4,nft_ct,nft_set_rbtree,nft_chain_nat_ipv4,nft_set_bitmap,nft_counter,nft_masq,nft_meta,nft_masq_ipv4,nft_set_hash,nft_reject
nfnetlink 16384 1 nf_tables
What is the output of:
ls -l /usr/lib/modules/$(uname -r)/kernel/net/netfilter | grep nft
If this is empty, then perhaps you haven't rebooted since a kernel upgrade.
Failing that, please post complete journal output as equalizer mentioned as well as the output from dmesg.
Am I better off just using and learning iptables? I wanted to go with nftables because I was reading that it is the new and better way to go, but I'm struggling to even get started.
I definitely appreciate the more concise configuration of nftables. I wasn't familiar with any particular firewall when I set out to implement one, so learning the newer nftables made sense as I was starting from the beginning either way. I find I end up learning a bit about iptables as a by-product anyway, since the majority of online firewall-related resources are based on it. I don't necessarily think this is a bad thing.
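The checks the two replies suggest (is nf_tables in lsmod, are nft_* modules present for the running kernel, and if not, has the kernel been upgraded without a reboot) as an added shell script; this is not code from the thread or from the nftables project. The function names, the sample lsmod text and the temporary module directory are constructed for the example; on a real machine the directory would be /usr/lib/modules/$(uname -r)/kernel/net/netfilter as named in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): the module checks suggested in the
# replies, written as functions that take their input as arguments so they
# can be run against constructed data as well as against a live system.

# 0 if the supplied lsmod text shows the nf_tables core module loaded.
nft_core_loaded() {
    printf '%s\n' "$1" | grep -q '^nf_tables[[:space:]]'
}

# 0 if the supplied directory holds any nf_tables* or nft_* module file.
# On a live system this is /usr/lib/modules/$(uname -r)/kernel/net/netfilter.
nft_modules_present() {
    [ -d "$1" ] || return 1
    ls "$1" 2>/dev/null | grep -q -e '^nf_tables' -e '^nft_'
}

# Combine the two checks into a diagnosis. Prints one line and returns:
#   0  nf_tables is loaded (a netlink error would then have another cause)
#   2  modules are installed for this kernel but not loaded
#   3  no nf_tables modules exist for the running kernel at all
diagnose_nft() {
    lsmod_text="$1"
    moddir="$2"
    if nft_core_loaded "$lsmod_text"; then
        echo "nf_tables is loaded; the netlink error is not a missing-module problem"
        return 0
    fi
    if nft_modules_present "$moddir"; then
        echo "nf_tables modules exist in $moddir but are not loaded: try 'modprobe nf_tables' and restart nftables.service"
        return 2
    fi
    echo "no nf_tables modules under $moddir: the kernel was probably upgraded since boot, so reboot first"
    return 3
}

# Run the diagnosis on the real machine (needs lsmod and the module tree).
diagnose_live() {
    diagnose_nft "$(lsmod 2>/dev/null)" "/usr/lib/modules/$(uname -r)/kernel/net/netfilter"
}

# Constructed sample: an empty lsmod (as in the original post) and a module
# directory with nothing nft-related in it, i.e. the post-upgrade situation.
SAMPLE_DIR=$(mktemp -d)
touch "$SAMPLE_DIR/xt_tcpudp.ko.xz"
rc=0
diagnose_nft "" "$SAMPLE_DIR" || rc=$?
echo "exit code: $rc"    # 3 for this constructed input
rm -rf "$SAMPLE_DIR"

# Pass --live to run against the real system instead of the sample.
if [ "${1:-}" = "--live" ]; then
    diagnose_live
fi
```

The three return codes map onto the three things the replies ask the poster to check: a loaded nf_tables means the "Protocol not supported" error needs a different explanation, modules present but unloaded points at modprobe and a service restart, and an empty module directory for the running kernel is the reboot-after-upgrade case.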