
#1 2024-06-09 08:05:27

archuser38013
Member
Registered: 2024-01-27
Posts: 96

Attempting to run nftables has broken wifi connection

As noted in the replies to my previous post, the issues were due to libvirt switching to nftables, and since that seems to be what will replace ufw, I thought I would try it instead of ufw, as this is a fairly new Arch install anyway.

It was already installed but not running, and the nftables ArchWiki page notes that the default config file 'comes with a simple and secure firewall'. I took that to mean I only had to start and enable it without any further editing.

Here is the config file, not changed from default:

#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:

# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.

destroy table inet filter
table inet filter {
  chain input {
    type filter hook input priority filter
    policy drop

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"
    tcp dport ssh accept comment "allow sshd"
    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    counter
  }
  chain forward {
    type filter hook forward priority filter
    policy drop
  }
}

I started and enabled it and rebooted, and on reboot I was greeted with my ip route having been deleted. Not only that, NetworkManager no longer works and just hangs when I try to run the wifi connection manually with

nmcli connection up wifi-connection

I stopped and disabled nftables, reinstated ufw and rebooted; however, whatever nftables has done has remained, and the above problems persist even though it isn't running. The route is still empty and I would have no idea how to reinstate it, as NetworkManager did that for me.

Here is the output from this command:

$ sudo systemctl status NetworkManager --no-pager -l

Jun 09 06:56:06 machine NetworkManager[393]: <info>  [1717916166.9942] device (wlp0s21f0u7i2): supplicant interface state: disconnected -> scanning
Jun 09 06:56:32 machine NetworkManager[393]: <warn>  [1717916192.6952] device (wlp0s21f0u7i2): Activation: (wifi) association took too long, failing activation
Jun 09 06:56:32 machine NetworkManager[393]: <info>  [1717916192.6953] device (wlp0s21f0u7i2): state change: config -> failed (reason 'ssid-not-found', sys-iface-state: 'managed')
Jun 09 06:56:32 machine NetworkManager[393]: <info>  [1717916192.6961] manager: NetworkManager state is now DISCONNECTED
Jun 09 06:56:32 machine NetworkManager[393]: <warn>  [1717916192.6968] device (wlp0s21f0u7i2): Activation: failed for connection 'wifi-connection'
Jun 09 06:56:32 machine NetworkManager[393]: <info>  [1717916192.6976] device (wlp0s21f0u7i2): state change: failed -> disconnected (reason 'none', sys-iface-state: 'managed')
Jun 09 06:56:32 machine NetworkManager[393]: <info>  [1717916192.7443] device (wlp0s21f0u7i2): set-hw-addr: set MAC address to xx:xx:xx:xx:xx:xx (scanning)
Jun 09 06:56:32 machine NetworkManager[393]: <info>  [1717916192.7497] device (wlp0s21f0u7i2): supplicant interface state: scanning -> disconnected

Please advise how 1.) I get wifi/NetworkManager working again, and only then 2.) perhaps how to get a default nftables up and running the same way ufw was, to then see if the original issue I was trying to test is resolved by using nftables instead of ufw. The only settings I have for ufw are the basic default deny as per the ArchWiki basic setup.

EDIT: nmcli doesn't actually hang but returns an error after some time:

$ nmcli connection up wifi-connection
Error: Connection activation failed: The Wi-Fi network could not be found
Hint: use 'journalctl -xe NM_CONNECTION=aa630334-17b8-4b3a-abe6-8822e944b100 + NM_DEVICE=wlp0s21f0u7i2' to get more details.

The journalctl command indicated in the message seemed to just give the same output as the systemctl status command I already posted above.

EDIT2: OK, nftables has somehow mucked up my ability to even ping 8.8.8.8, and even the local network 192.168.1.1. This is even after having uninstalled it. How could it have mucked all that up?

I have a second, USB wifi device which I plugged in and was able to connect with NetworkManager, but when pinging, the host could not be reached, even 192.xxx addresses. I have no idea what has changed. I noticed for this connection the familiar routing is back in ip route, but nothing gets through when pinging.

However, and this is how I am able to post this now, the mobile wifi dongle still connects normally via ppp. I notice in ip route for this connection the IP block is much different, starting with 10.xx...., so I guess somehow nftables has cocked up something which is still causing 192-related routes to be blocked? Any ideas how to find out where the issue may lie?

I have not experienced before a case where changes made by a program persist after having deleted it. Well, the odd case of /etc/resolv.conf changes, which I also checked, but besides that, addresses not needing name resolution (IP only) still wouldn't ping either, and indeed local ones too.

EDIT3: OK, I don't know how, but it is working again. I didn't change any config files. I stopped for a break, had a bite, came back, tried to scan for connections again with nmcli, and now suddenly it worked and showed SSIDs. I made a new profile and it is working again.

I would however still like to know how to set up nftables with a basic default-deny config equivalent to ufw, in order to test running that in place of ufw and try running libvirt again, so suggestions are welcome for that issue.

Last edited by archuser38013 (2024-06-09 11:02:24)


#2 2024-06-11 04:17:22

AaAaAAaaAAaARCH
Member
Registered: 2024-02-29
Posts: 42

Re: Attempting to run nftables has broken wifi connection

Are you sure you uninstalled ufw? It is a wrapper for firewalls like iptables and nftables, not the same thing.

pacman -Q iptables
pacman -Q ufw
pacman -Q nftables

List the complete set of firewall rules so we can debug them:

sudo nft list ruleset

From what it looks like, that default config you are using does not allow the DHCP protocol.

table inet filter {
    chain input {
...
        ip saddr {192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8} udp sport 67 udp dport 68 accept comment "allow dhcp"
...
    }
}

Last edited by AaAaAAaaAAaARCH (2024-06-11 05:18:05)

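The DHCP gap pointed out above can be checked mechanically rather than by eye. The following shell script is an added example, not code from this thread or from the nftables project: it audits a saved copy of `nft list ruleset` (here the default /etc/nftables.conf quoted in the first post, embedded as constructed input) for an accept rule matching DHCP server-to-client replies (udp sport 67, udp dport 68) that sits in the input chain before the rate-limited reject, and writes a corrected copy with the rule suggested in the reply inserted at the right position. The function names dhcp_rule_present, add_dhcp_rule and audit are this example's own; it covers IPv4 DHCP only.

```shell
#!/bin/sh
# Added example (not from the thread or from nftables): audit a saved copy of
# `nft list ruleset` for a DHCP-client accept rule and produce a corrected copy.
# dhcp_rule_present, add_dhcp_rule and audit are names chosen for this example.

# dhcp_rule_present FILE -> exit 0 if the input chain contains an accept rule
# matching DHCP server->client replies (udp sport 67, udp dport 68) *before*
# the rate-limited reject, exit 1 otherwise. Rule order matters in nftables:
# an accept placed after the reject never sees the packet.
dhcp_rule_present() {
  awk '
    /chain input [{]/                { in_input = 1; next }
    in_input && /^[[:space:]]*[}]/   { in_input = 0 }
    in_input && /reject with/        { blocked = 1 }
    in_input && !blocked && /udp sport 67/ && /udp dport 68/ && /accept/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# add_dhcp_rule IN OUT -> copy IN to OUT, inserting the rule suggested in this
# thread immediately before the first "reject with" line of the ruleset.
add_dhcp_rule() {
  awk -v rule='    ip saddr {192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8} udp sport 67 udp dport 68 accept comment "allow dhcp"' '
    /reject with/ && !done { print rule; done = 1 }
    { print }
  ' "$1" > "$2"
}

# audit FILE -> prints "present" or "missing" for use in scripts.
audit() {
  if dhcp_rule_present "$1"; then echo present; else echo missing; fi
}

# Constructed input: the default /etc/nftables.conf quoted in the first post.
WORK=$(mktemp -d)
cat > "$WORK/default.nft" <<'EOF'
table inet filter {
  chain input {
    type filter hook input priority filter
    policy drop

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"
    tcp dport ssh accept comment "allow sshd"
    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    counter
  }
  chain forward {
    type filter hook forward priority filter
    policy drop
  }
}
EOF

add_dhcp_rule "$WORK/default.nft" "$WORK/fixed.nft"
echo "default.nft: $(audit "$WORK/default.nft")"   # missing
echo "fixed.nft:   $(audit "$WORK/fixed.nft")"     # present
```

On a live system, save the real ruleset with `sudo nft list ruleset > ruleset.txt` and pass that file instead of the constructed one. The explicit rule is needed because the initial DHCPDISCOVER/DHCPOFFER exchange runs between 0.0.0.0 and the broadcast address, so conntrack does not classify the server's reply as part of an established flow and the `ct state established,related` rule alone does not admit it; unicast lease renewals generally do pass through that rule, which is one reason a box can keep working until its lease expires or it reboots.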

#3 2024-06-17 11:21:38

archuser38013
Member
Registered: 2024-01-27
Posts: 96

Re: Attempting to run nftables has broken wifi connection

AaAaAAaaAAaARCH wrote:

Are you sure you uninstalled ufw? It is a wrapper for firewalls like iptables and nftables, not the same thing.

pacman -Q iptables
pacman -Q ufw
pacman -Q nftables

List the complete set of firewall rules so we can debug them:

sudo nft list ruleset

From what it looks like, that default config you are using does not allow the DHCP protocol.

table inet filter {
    chain input {
...
        ip saddr {192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8} udp sport 67 udp dport 68 accept comment "allow dhcp"
...
    }
}

Thanks for the reply.

I was able to get libvirtd working with iptables again as per this thread, so I am sticking with ufw for now, until I may be forced to learn nftables if iptables becomes deprecated, but I have bought some time for now.

Problem not solved, but averted.

Last edited by archuser38013 (2024-06-17 11:22:37)


#4 2024-06-17 11:43:52

cryptearth
Member
Registered: 2024-02-03
Posts: 1,214

Re: Attempting to run nftables has broken wifi connection

I still recommend switching from virt-nat to a simple bridge.


#5 2024-06-25 02:39:58

archuser38013
Member
Registered: 2024-01-27
Posts: 96

Re: Attempting to run nftables has broken wifi connection

cryptearth wrote:

I still recommend switching from virt-nat to a simple bridge.

Why? What is the advantage over the current setup?
