[SOLVED] nftables deactivates itself

m3nhir · 2022-02-27 21:07:02

If I check the state of nftables, active at boot, it deactivates itself, although there are no errors in the configuration file /etc/nftables.conf. the same configuration I use on other machines and I have no problems. If I give the command.

"systemctl status nftables.service"

I have this output:

"nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Sun 2022-02-27 15:59:46 CET; 5h 58min ago
Docs: man:nft(8)
Main PID: 3971 (code=exited, status=0/SUCCESS)
CPU: 28ms

feb 27 15:59:46 systemd[1]: Starting Netfilter Tables...
feb 27 15:59:46 systemd[1]: nftables.service: Deactivated successfully.
feb 27 15:59:46 systemd[1]: Finished Netfilter Tables."

I can't understand why it doesn't work. do you have any ideas?

Last edited by m3nhir (2022-02-27 22:20:59)

V1del · 2022-02-27 21:40:25

Why do you think it doesn't work? It's not an actively running service, it runs and configures it's rules and then stops. It's a oneshot, which is generally a service that does one small thing and then is expected to stop, which it does and does so successfully, as seen by the exit status declaring success.

Last edited by V1del (2022-02-27 21:41:02)

Tarqi · 2022-02-27 21:40:31

This is a oneshot service; it load the rules and exits. Use

nft list ruleset

to show them.

Edit: ninjaed by V1del...

Last edited by Tarqi (2022-02-27 21:42:03)

m3nhir · 2022-02-27 22:20:12

V1del wrote:

Why do you think it doesn't work? It's not an actively running service, it runs and configures it's rules and then stops. It's a oneshot, which is generally a service that does one small thing and then is expected to stop, which it does and does so successfully, as seen by the exit status declaring success.

Not exactly. In the meantime I have tried to modify the file
"/usr/lib/systemd/system/nftables.service" gives like this:
"[Unit]
Description = Netfilter Tables
Documentation = man: nft (8)
Wants = network-pre.target
Before = network-pre.target

[Service]
Type = oneshot
ExecStart = / usr / bin / nft -f /etc/nftables.conf

[Install]
WantedBy = multi-user.target "
to this:
"[Unit]
Description = Netfilter Tables
Documentation = man: nft (8)
Wants = network-pre.target
Before = network-pre.target

[Service]
Type = oneshot
RemainAfterExit = yes
StandardInput = null
ProtectSystem = full
ProtectHome = true
ExecStart = / usr / sbin / nft -f /etc/nftables.conf
ExecReload = / usr / sbin / nft -f /etc/nftables.conf
ExecStop = / usr / sbin / nft flush ruleset

[Install]
WantedBy = multi-user.target "
And now the output of "Systemctl status nftables.service is:
"systemctl status nftables
● nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
Active: active (exited) since Sun 2022-02-27 22:19:17 CET; 11s Aug
Docs: man: nft (8)
Process: 14562 ExecStart = / usr / sbin / nft -f /etc/nftables.conf (code = exited, status = 0 / SUCCESS)
Main PID: 14562 (code = exited, status = 0 / SUCCESS)
CPU: 57ms

Feb 27 22:19:17 systemd [1]: Starting Netfilter Tables ...
Feb 27 22:19:17 systemd [1]: Finished Netfilter Tables. "
As you can see it is now active (exited) while before it was inactive (dead).

Tarqi · 2022-02-27 22:40:13

This is nonsense; do not copy and paste things you don't understand and do not change files handled by pacman. To get what you want, the following would be correct:

# /etc/systemd/system/nftables.service.d/override.conf
[Service]
RemainAfterExit=true

However, it's superfluous.

Last edited by Tarqi (2022-02-27 23:42:49)

m3nhir · 2022-02-28 21:03:09

Tarqi wrote:

This is nonsense; do not copy and paste things you don't understand and do not change files handled by pacman. To get what you want, the following would be correct:
# /etc/systemd/system/nftables.service.d/override.conf
[Service]
RemainAfterExit=true
However, it's superfluous.

I have copied those config from another OS where nftables works. Also in Arch it worked the same way before and gave the same output. It was only after some updates that the anomaly occurred.

V1del · 2022-03-01 02:11:14

It's not an anomaly and not a bug, there's no functional difference (actually yes, but I doubt your change was motivated by the functional reasoning) between your change other than the systemctl status output looking prettier, but if it helps you understanding and reading the output then feel free to do so.

FWIW the simplification of the service file was done intentionally, see: https://github.com/archlinux/svntogit-p … 25742a4964

Last edited by V1del (2022-03-01 02:14:03)

m3nhir · 2022-03-02 22:27:48

OK. I have read the link you posted and will restore the original configuration. Thank you

Arch Linux

#1 2022-02-27 21:07:02

[SOLVED] nftables deactivates itself

#2 2022-02-27 21:40:25

Re: [SOLVED] nftables deactivates itself

#3 2022-02-27 21:40:31

Re: [SOLVED] nftables deactivates itself

#4 2022-02-27 22:20:12

Re: [SOLVED] nftables deactivates itself

#5 2022-02-27 22:40:13

Re: [SOLVED] nftables deactivates itself

#6 2022-02-28 21:03:09

Re: [SOLVED] nftables deactivates itself

#7 2022-03-01 02:11:14

Re: [SOLVED] nftables deactivates itself

#8 2022-03-02 22:27:48

Re: [SOLVED] nftables deactivates itself

Board footer