nftables errors [solved]

josephg5 · 2017-08-19 09:39:51

i'm having some starting trouble with nftables. what am i missing?

$ sudo systemctl start nftables
Job for nftables.service failed because the control process exited with error code.
See "systemctl  status nftables.service" and "journalctl  -xe" for details.

$ systemctl status nftables

● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Sat 2017-08-19 10:13:21 BST; 5min ago
     Docs: man:nft(8)
  Process: 9320 ExecStart=/usr/bin/nft -f /etc/nftables.conf (code=exited, status=3)
 Main PID: 9320 (code=exited, status=3)

Aug 19 10:13:21 localhost systemd[1]: Starting Netfilter Tables...
Aug 19 10:13:21 localhost nft[9320]: netlink.c:59: Unable to initialize Netlink socket: Protocol not supported
Aug 19 10:13:21 localhost systemd[1]: nftables.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
Aug 19 10:13:21 localhost systemd[1]: Failed to start Netfilter Tables.
Aug 19 10:13:21 localhost systemd[1]: nftables.service: Unit entered failed state.
Aug 19 10:13:21 localhost systemd[1]: nftables.service: Failed with result 'exit-code'.

i don't quite understand, but the error seems to be

nft[9320]: netlink.c:59: Unable to initialize Netlink socket: Protocol not supported

$ cat /etc/nftables.conf
#!/sbin/nft -f
flush ruleset
table ip filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "drop invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                iifname lo accept comment "accept loopback"
                iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all icmp types"
                #tcp dport 22 counter accept comment "accept ssh"
                counter comment "count dropped packets"
        }
        chain output {
                type filter hook output priority 0; policy accept;
                counter comment "count accepted packets"
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
}

$ sudo nft -f /etc/nftables.conf
netlink.c:59: Unable to initialize Netlink socket: Protocol not supported

Last edited by josephg5 (2017-08-19 16:58:35)

x33a · 2017-08-19 14:26:37

Why does your conf file contain /sbin/nft? Try changing it to /usr/bin/nft.

josephg5 · 2017-08-19 16:41:50

x33a wrote:

Why does your conf file contain /sbin/nft? Try changing it to /usr/bin/nft.

hmm.. never thought of that. probably because i could never run nft as user. it only works as sudo nft. i can see nft at both locations, and diff says both are same. i wonder why?

thank you for responding. i tried again and it seems to be working now. i changed nothing, except a shutdown. i had this problem right after a pacman -Syu. perhaps something got stuck.

now that nftables service up, i have enabled it and disabled iptables. i will mark this solved.

Last edited by josephg5 (2017-08-19 16:42:16)

x33a · 2017-08-19 18:37:20

josephg5 wrote:

x33a wrote:
Why does your conf file contain /sbin/nft? Try changing it to /usr/bin/nft.
hmm.. never thought of that. probably because i could never run nft as user. it only works as sudo nft. i can see nft at both locations, and diff says both are same. i wonder why?

Because /sbin is a symlink to /usr/bin in Arch. But sometimes, commands can behave differently when invoked differently.

thank you for responding. i tried again and it seems to be working now. i changed nothing, except a shutdown. i had this problem right after a pacman -Syu. perhaps something got stuck.
now that nftables service up, i have enabled it and disabled iptables. i will mark this solved.

Then, it was perhaps a module loading issue.

Arch Linux

#1 2017-08-19 09:39:51

nftables errors [solved]

#2 2017-08-19 14:26:37

Re: nftables errors [solved]

#3 2017-08-19 16:41:50

Re: nftables errors [solved]

#4 2017-08-19 18:37:20

Re: nftables errors [solved]

Board footer