QubesOS / qubes-issues

The Qubes OS Project issue tracker
https://www.qubes-os.org/doc/issue-tracking/

Missing kernel modules: nft_connlimit + nft_osf #9111

Open emanruse opened 5 months ago

emanruse commented 5 months ago

Qubes OS release

4.2.1

Brief summary

The example from the nftables wiki does not work due to the missing kernel module nft_connlimit.

Steps to reproduce

In a Debian- or Fedora-based qube, using kernel provided by dom0:

# cat connlimit-example 
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
        set my_connlimit {
                type ipv4_addr
                size 65535
                flags dynamic
        }

        chain output {
                type filter hook output priority filter; policy accept;
                ct state new add @my_connlimit { ip saddr ct count over 20 } counter drop
        }
}

# nft flush ruleset
# nft list ruleset
# ./connlimit-example 
./connlimit-example:14:16-62: Error: Could not process rule: No such file or directory
                ct state new add @my_connlimit { ip saddr ct count over 20 } counter drop
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#
# uname -r
6.1.75-1.qubes.fc37.x86_64
#
# zgrep NFT_CONNLIMIT /proc/config.gz
# CONFIG_NFT_CONNLIMIT is not set
#
# modprobe nft_connlimit
modprobe: FATAL: Module nft_connlimit not found in directory /lib/modules/6.1.75-1.qubes.fc37.x86_64

Expected behavior

nft_connlimit module should be available and the example should work.

Actual behavior

The module is not available.

An expert on netfilter mailing list says:

I would advise you to file bugs against the affected distros and demand that those responsible for their kernel packages rectify this. For any of the CONFIG_NFT_ prefixed options to be disabled in a mainstream distribution is appalling. Rather, they should all be set to "m" so that the functionality of each is made available in the form of a loadable kernel module.

I don't know if Qubes OS qualifies as a mainstream distribution but based on that info, a further check also shows 1 other module missing:

# zgrep CONFIG_NFT_ /proc/config.gz | grep -v '=m'
# CONFIG_NFT_CONNLIMIT is not set
# CONFIG_NFT_OSF is not set
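
The two checks above (zgrep of /proc/config.gz for the option, then modprobe of the module) generalize into a small audit that tells you, before you load a ruleset, which nftables expressions the running kernel cannot provide. The script below is an added example and is not code from this issue or from Qubes OS. It reads a kernel config as text on stdin so it can run offline against a constructed sample that mirrors the 6.1.75 output reported above; on a live system you feed it `zcat /proc/config.gz` instead. The mapping from a module name to its option (nft_connlimit to CONFIG_NFT_CONNLIMIT) is an assumption that holds for the two modules discussed here but is not guaranteed for every nft_* module.

```sh
#!/bin/sh
# Added example, not from the issue or the Qubes project: audit a kernel config
# for nftables options that are neither built in (=y) nor modules (=m), and map
# the nft_* module names from the report to their CONFIG_NFT_* options.

# nft_option_state OPTION   (kernel config text on stdin)
# Prints y, m or n for OPTION, e.g. CONFIG_NFT_CONNLIMIT. An option that does
# not appear in the config at all is reported as n (not built).
nft_option_state() {
    awk -v opt="$1" '
        $0 == (opt "=y")               { print "y"; found = 1; exit }
        $0 == (opt "=m")               { print "m"; found = 1; exit }
        $0 == ("# " opt " is not set") { print "n"; found = 1; exit }
        END { if (!found) print "n" }
    '
}

# list_unset_nft   (kernel config text on stdin)
# Prints every CONFIG_NFT_* option that is "not set", the same set the report
# found with:  zgrep CONFIG_NFT_ /proc/config.gz | grep -v '=m'
list_unset_nft() {
    awk '/^# CONFIG_NFT_[A-Z0-9_]+ is not set$/ { print $2 }'
}

# module_to_option MODULE
# nft_connlimit -> CONFIG_NFT_CONNLIMIT. Assumption: the nft_<name> module is
# built from CONFIG_NFT_<NAME>; true for nft_connlimit and nft_osf, not
# verified here for every other nft_* module.
module_to_option() {
    printf 'CONFIG_%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# check_modules CONFIG_FILE MODULE...
# Prints "<module> <state>" per module; returns 1 if any module is unavailable,
# which is exactly the case that makes nft fail with "No such file or directory".
check_modules() {
    cfg=$1
    shift
    rc=0
    for mod in "$@"; do
        state=$(nft_option_state "$(module_to_option "$mod")" < "$cfg")
        printf '%s %s\n' "$mod" "$state"
        [ "$state" = n ] && rc=1
    done
    return $rc
}

# Constructed sample config (not a real Qubes config) reproducing the option
# states seen in the 6.1.75 report: connlimit and osf unset, the rest modules.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NFT_CT=m
CONFIG_NFT_COUNTER=m
# CONFIG_NFT_CONNLIMIT is not set
# CONFIG_NFT_OSF is not set
CONFIG_NFT_REJECT=m
EOF

echo "unset nftables options in the sample config:"
list_unset_nft < "$SAMPLE_CONFIG"

echo "modules needed by the connlimit ruleset:"
check_modules "$SAMPLE_CONFIG" nft_ct nft_counter nft_connlimit \
    || echo "at least one required module is unavailable in this kernel"

# On a live system, audit the running kernel the same way.
if [ -r /proc/config.gz ]; then
    echo "unset nftables options in the running kernel:"
    zcat /proc/config.gz | list_unset_nft
fi
```

Run it before applying a ruleset from the wiki: if check_modules reports any required module as n, the "Could not process rule: No such file or directory" error is expected and the fix is a kernel with that option set to m, not a change to the ruleset.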

Minimalist73 commented 5 months ago

CONFIG_NFT_CONNLIMIT is available as a module in Qubes kernels 6.6.x and 6.8.x. Using modprobe works for me with kernel 6.8.4:

sudo modprobe nft_connlimit
lsmod | grep nft_connlimit
nft_connlimit          12288  0

CONFIG_NFT_OSF is not used in the current Qubes kernel config. It's not enabled in the Fedora kernel config file either, and Qubes uses it as a base, so I don't think it will be enabled unless it's required for something Qubes related. If you know how to build kernels with the qubes-builder, you can enable it in the config to use it.

marmarek commented 5 months ago

Default kernel is being switched to 6.6.x, so the problem will go away. But I can enable CONFIG_NFT_CONNLIMIT in the 6.1 config.

emanruse commented 5 months ago

I don't know what the reason for lacking this module in 6.1 is.

According to nftables wiki "connlimits require at least nftables 0.9.0 and Linux kernel 4.19.10", which I read as "every kernel newer than that should support it".

emanruse commented 5 months ago

After updating the system, the new kernel is 6.6.25-1. I confirm the following result:

# zgrep NFT_CONNLIMIT /proc/config.gz
CONFIG_NFT_CONNLIMIT=m
# modprobe nft_connlimit
# lsmod | grep -E '^nft_connlimit'
nft_connlimit          12288  0