Open emanruse opened 5 months ago
CONFIG_NFT_CONNLIMIT
is available as a module in Qubes kernels 6.6.x and 6.8.x.
Using modprobe works for me with kernel 6.8.4:
sudo modprobe nft_connlimit
lsmod | grep nft_connlimit
nft_connlimit 12288 0
CONFIG_NFT_OSF
is not used in the current Qubes kernel config. It's not enabled in the Fedora kernel config file either, and Qubes uses it as a base, so I don't think it will be enabled unless it's required for something Qubes related.
If you know how to build kernels with the qubes-builder, you can enable it in the config to use it.
Default kernel is being switched to 6.6.x, so the problem will go away. But I can enable CONFIG_NFT_CONNLIMIT in the 6.1 config.
I don't know what the reason for lacking this module in 6.1 is.
According to nftables wiki "connlimits require at least nftables 0.9.0 and Linux kernel 4.19.10", which I read as "every kernel newer than that should support it".
After updating the system, the new kernel is 6.6.25-1. I confirm the following result:
CONFIG_NFT_CONNLIMIT=m
nft_connlimit 12288 0
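The thread above verifies the fix by hand: grep the kernel config for `CONFIG_NFT_CONNLIMIT`, then `modprobe` and `lsmod`. The script below is an added example, not code from the issue or from the Qubes project, that turns those two checks into reusable shell functions so the same test can be run for any netfilter option (it covers `CONFIG_NFT_OSF` from the earlier comment as well). The config file defaults to `/boot/config-$(uname -r)` and the loaded-module list to `/proc/modules`; the sample config and module list written into temp files are constructed for the demonstration and mirror the values quoted in the thread, so the script runs offline without root.

```shell
#!/bin/sh
# Added example (not from the issue): report whether a kernel config option is
# built in (=y), a loadable module (=m), or absent, and whether the matching
# module is currently loaded. Paths default to the running kernel.

# kconfig_state CONFIG_NAME [CONFIG_FILE] -> prints builtin | module | absent
kconfig_state() {
    opt="$1"
    cfg="${2:-/boot/config-$(uname -r)}"          # assumption: Fedora/Debian layout
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    # Only the first exact "CONFIG_X=" line counts; "# CONFIG_X is not set" falls through
    case "$(grep -E "^${opt}=" "$cfg" | head -n1)" in
        "${opt}=y") echo builtin ;;
        "${opt}=m") echo module ;;
        *)          echo absent ;;
    esac
}

# module_loaded MODULE [MODULES_FILE] -> exit 0 if the module is listed, 1 otherwise
# /proc/modules lines start with "<name> <size> <refcount> ...", like lsmod output.
module_loaded() {
    mod="$1"
    src="${2:-/proc/modules}"
    [ -r "$src" ] || return 1
    grep -q "^${mod} " "$src"
}

# Constructed sample kernel config (values taken from the thread, not a real file)
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NF_CONNTRACK=y
CONFIG_NFT_CT=m
CONFIG_NFT_CONNLIMIT=m
# CONFIG_NFT_OSF is not set
EOF

# Constructed /proc/modules-style listing showing nft_connlimit loaded
SAMPLE_MODS="$(mktemp)"
printf 'nft_connlimit 12288 0 - Live 0x0000000000000000\n' > "$SAMPLE_MODS"

# Report on the options discussed in the issue
for opt in CONFIG_NFT_CONNLIMIT CONFIG_NFT_OSF CONFIG_NF_CONNTRACK; do
    echo "$opt: $(kconfig_state "$opt" "$SAMPLE_CFG")"
done
if module_loaded nft_connlimit "$SAMPLE_MODS"; then
    echo "nft_connlimit: loaded"
else
    echo "nft_connlimit: not loaded (try: sudo modprobe nft_connlimit)"
fi
```

To check a live system instead of the constructed samples, call `kconfig_state CONFIG_NFT_CONNLIMIT` and `module_loaded nft_connlimit` with no second argument; `absent` from the first function means no amount of `modprobe` will help and the option has to be enabled in the kernel build, as the maintainer's comment describes.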
Qubes OS release
4.2.1
Brief summary
The example from nftables wiki does not work due to missing kernel module nft_connlimit.
Steps to reproduce
In a Debian- or Fedora-based qube, using kernel provided by dom0:
Expected behavior
nft_connlimit module should be available and the example should work.
Actual behavior
The module is not available.
An expert on netfilter mailing list says:
I don't know if Qubes OS qualifies as a mainstream distribution but based on that info, a further check also shows 1 other module missing: