Kernel doesn't have CONFIG_NF_TABLES_NETDEV support

[omkhar]

Please include CONFIG_NF_TABLES_NETDEV support

[fenrus75]

eh... CONFIG_NF_TABLES_NETDEV=y so we for sure have this...

On Sun, Apr 23, 2023 at 6:28 AM Omkhar Arasaratnam @.***> wrote:

Please include CONFIG_NF_TABLES_NETDEV support

— Reply to this email directly, view it on GitHub https://github.com/clearlinux/distribution/issues/2880, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJ54FNJDSJIYTM4YP7AIATXCUU63ANCNFSM6AAAAAAXIRGA7M . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[omkhar]

Here's a comparison Debian (Sid) vs Clear Linux. Other thoughts?

[omkhar]

omkhar@clearlinux-test~ $ cat test.nft
table netdev filter {

    chain ingress {
        type filter hook ingress device enp1s0 priority -500;
    }
}
omkhar@clearlinux-test~ $ sudo nft -f test.nft
Password: 
test.nft:4:3-54: Error: Chain of type "filter" is not supported, perhaps kernel support is missing?
        type filter hook ingress device enp1s0 priority -500;
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
omkhar@clearlinux-test~ $ uname -r
6.2.11-1297.native
omkhar@clearlinux-test~ $ swupd --version
swupd-client 5.0.3
   Copyright (C) 2012-2019 Intel Corporation

Compile-time options: +BZIP2 +SIGVERIFY -COVERAGE -BSDTAR -XATTRS -TAR_SELINUX +STATELESS +THIRDPARTY -DEBUG_MODE -FORCE_TARTAR
Compile-time configuration:
mount point                  /
state directory              /var/lib/swupd
bundles directory            /usr/share/clear/bundles
certificate path             /usr/share/clear/update-ca/Swupd_Root.pem
fallback certificate path    /usr/share/ca-certs/.prebuilt-store/anchors
config file path             /usr/share/defaults/swupd:/run/swupd:/etc/swupd
systemd unitdir              /usr/lib/systemd/system
content URL                  https://cdn.download.clearlinux.org/update/
version URL                  https://cdn.download.clearlinux.org/update/
format ID                    34
build number                 376
pre-update hook              
post-update hook             /usr/bin/update-helper

omkhar@clearlinux-test~ $ sudo nft --version
nftables v1.0.7 (Old Doc Yak)
omkhar@clearlinux-test~ $

[omkhar]

root@debian-test:~# cat test.nft 
table netdev filter {

    chain ingress {
        type filter hook ingress device enp1s0 priority -500;
    }
}
root@debian-test:~# nft -f test.nft
root@debian-test:~# uname -r
6.1.0-7-amd64
root@debian-test:~# cat /etc/issue.net 
Debian GNU/Linux 12
root@debian-test:~# nft --version
nftables v1.0.7 (Old Doc Yak)
root@debian-test:~#  nft list ruleset
table netdev filter {
    chain ingress {
        type filter hook ingress device "enp1s0" priority -500; policy accept;
    }
}

[justingraves]

I'm trying to use a netdev filter in nftables and experiencing the same issue as @omkhar

NFT says: Error: Chain of type "filter" is not supported, perhaps kernel support is missing?

For the statement: type filter hook ingress device enp1s0f1 priority 0;

nft --version nftables v1.0.8 (Old Doc Yak #2)

uname -r 6.11.3-1472.native

[fenrus75]

config:CONFIG_NF_TABLES_NETDEV=y

in our native kernel... and we enable pretty much all the pieces behind that as loadable modules so I'm slightly puzzled exactly what is missing

On Wed, Oct 16, 2024 at 9:34 AM Justin Graves @.***> wrote:

I'm trying to use a netdev filter in nftables and experiencing the same issue as @omkhar https://github.com/omkhar

NFT says: Error: Chain of type "filter" is not supported, perhaps kernel support is missing?

For the statement: type filter hook ingress device enp1s0f1 priority 0;

nft --version nftables v1.0.8 (Old Doc Yak #2 https://github.com/clearlinux/distribution/issues/2)

uname -r 6.11.3-1472.native

— Reply to this email directly, view it on GitHub https://github.com/clearlinux/distribution/issues/2880#issuecomment-2417344425, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJ54FNZZH2NOXQ5N5GNIFDZ32ISJAVCNFSM6AAAAABQB34JAGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMJXGM2DINBSGU . You are receiving this because you commented.Message ID: @.***>