nftables create /etc/modules-load.d/nftables.conf

diederick76 · 2018-01-01 21:23:48

Hi,

I'm trying to setup a firewall using nftables, but when adding a rule, I get an error: "Error: Could not process rule: No such file or directory".

The Wiki tells me to

create /etc/modules-load.d/nftables.conf with all of the nftables related modules you require as entries for the systemd service to work correctly. You can get a list of modules using this command:
$ lsmod | grep '^nf'

But it isn't very clear how to do that. lsmod gives me already loaded modules, so how do I know hat modules I need?

lo1 · 2018-01-01 22:20:54

Most likely you'd need to add such modules into /etc/modules-load-d/nftables.conf. Since I never used nftables, can I have a look at that?

cat /etc/modules-load.d/nftables.conf

diederick76 · 2018-01-02 09:53:47

lo1 wrote:

Most likely you'd need to add such modules into /etc/modules-load-d/nftables.conf. Since I never used nftables, can I have a look at that?
cat /etc/modules-load.d/nftables.conf

That file actually does not exists yet. I gather I have to create it and put the module names inside. That's what I'm unclear about. What I also don't understand is why udev wouldn't pick them up.

lo1 · 2018-01-02 11:42:57

man modules-load.d

...
Each configuration file is named in the style of /etc/modules-load.d/program.conf.
...
CONFIGURATION FORMAT
The configuration files should simply contain a list of kernel module names to
load, separated by newlines. Empty lines and lines whose first non-whitespace
character is # or ; are ignored.

Again, I don't know how nftables works but it seems it relies on the modules you put inside modules-load.d, so have a look at those modules, understand what they're for, which of them are mandatory to use nftables and create that file.

ayekat · 2018-01-02 12:33:27

nftables should not require any additional modules to be loaded; I'm not sure why the wiki mentions that (and that note in particular is just badly written).

The only thing that might be required is to blacklist the iptable_nat module, as it conflicts with the nf_nat module for setting NAT (pre/postrouting) rules, but that's only tangential to this issue here.

What does your nftables.conf look like?
Or do you set ephemeral rules simply with the `nft` command? If so, what are the commands you run?

Last edited by ayekat (2018-01-02 12:35:15)

diederick76 · 2018-01-02 18:20:06

I have an empty nftables.conf, since I first want to learn how to do this, and then want to populate that file. The command I run is:

$ sudo nft add rule ip filter input ip saddr 192.168.1.102 drop
Error: Could not process rule: No such file or directory
add rule ip filter input ip saddr 192.168.1.102 drop
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Because I want to test that the machine drops any packets coming from 192.168.1.102. The nf_nat module isn't loaded, and if I interpret the name correctly, I won't need it for this command.

Perhaps, the fragment on the wiki was added because on https://wiki.nftables.org/wiki-nftables … leshooting it mentions:

Question 2: No such file or directory when adding chain
You may also hit this problem if you forgot to compile the module that enables this chain type in your Linux kernel.

But if the modules aren't the problem here, what file is nft talking about? Is nft storing temporary rules as files somewhere or do I need tables and chains for them?

Last edited by diederick76 (2018-01-02 18:34:20)

progandy · 2018-01-02 18:41:14

If I read the wiki and the manpage correctly, the first thing you have to do is creating tables and chains. Only then you can add rules.

diederick76 · 2018-01-02 20:12:06

progandy wrote:

If I read the wiki and the manpage correctly, the first thing you have to do is creating tables and chains. Only then you can add rules.

Indeed. This worked:

$ sudo nft add table ip filter
$ sudo nft add chain ip filter input { type filter hook input priority 0 \; }
$ sudo nft add rule ip filter input ip saddr 192.168.1.102 drop

in the sense that when inputing those while nftables.service was started, that machine didn't respond anymore from only the machine with that ip, until I stopped nftables.service.

Thanks!

Arch Linux

#1 2018-01-01 21:23:48

nftables create /etc/modules-load.d/nftables.conf

#2 2018-01-01 22:20:54

Re: nftables create /etc/modules-load.d/nftables.conf

#3 2018-01-02 09:53:47

Re: nftables create /etc/modules-load.d/nftables.conf

#4 2018-01-02 11:42:57

Re: nftables create /etc/modules-load.d/nftables.conf

#5 2018-01-02 12:33:27

Re: nftables create /etc/modules-load.d/nftables.conf

#6 2018-01-02 18:20:06

Re: nftables create /etc/modules-load.d/nftables.conf

#7 2018-01-02 18:41:14

Re: nftables create /etc/modules-load.d/nftables.conf

#8 2018-01-02 20:12:06

Re: nftables create /etc/modules-load.d/nftables.conf

Board footer