evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

[Error] Nftables error applying changes/error while running DNS nftable rule #976

Closed fraschm1998 closed 1 year ago

fraschm1998 commented 1 year ago

Please, check the FAQ and Known Problems pages before creating the bug report: https://github.com/evilsocket/opensnitch/wiki/FAQs https://github.com/evilsocket/opensnitch/wiki/Known-problems

Describe the bug

```
[2023-06-24 18:06:54]  IMP  Start writing logs to /var/log/opensnitchd.log
[2023-06-24 18:06:54]  WAR  nftables: error applying changes: conn.Receive: netlink receive: no such file or directory
[2023-06-24 18:06:54]  ERR  Error while running DNS nftables rule: Error adding DNS interception rules
[2023-06-24 18:06:54]  WAR  nftables: error applying changes: conn.Receive: netlink receive: no such file or directory
[2023-06-24 18:06:54]  ERR  Error while running conntrack nftables rule: Error adding interception rule
[2023-06-24 18:06:55]  IMP  UI connected, dispathing queued alerts: 0
[2023-06-24 18:07:04]  WAR  nfables filter rules not loaded: 0
[2023-06-24 18:07:04]  IMP  nftables firewall rules changed, reloading
[2023-06-24 18:07:04]  WAR  nftables: error applying changes: conn.Receive: netlink receive: no such file or directory
[2023-06-24 18:07:04]  ERR  Error while running DNS nftables rule: Error adding DNS interception rules
[2023-06-24 18:07:04]  WAR  nftables: error applying changes: conn.Receive: netlink receive: no such file or directory
[2023-06-24 18:07:04]  ERR  Error while running conntrack nftables rule: Error adding interception rule
```


gustavo-iniguez-goya commented 1 year ago

Hi @fraschm1998 ,

Could you execute this command as root and post the results: `opensnitchd -check-requirements`?

fraschm1998 commented 1 year ago

`opensnitchd -check-requirements`

```
Checking => CONFIG_KPROBES=y
Checking => CONFIG_KPROBES_ON_FTRACE=y
Checking => CONFIG_KPROBES_ON_FTRACE=y
Checking => CONFIG_HAVE_KPROBES=y
Checking => CONFIG_HAVE_KPROBES_ON_FTRACE=y
Checking => CONFIG_KPROBE_EVENTS=y

* kprobes        ✔

Checking => CONFIG_UPROBES=y
Checking => CONFIG_UPROBE_EVENTS=y

* uprobes        ✔

Checking => CONFIG_FTRACE=y

* ftrace         ✔

Checking => CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
Checking => CONFIG_FTRACE_SYSCALLS=y

* syscalls       ✔

Checking => CONFIG_NETFILTER_XT_TARGET_NFQUEUE=[my]

* nfqueue        ✔
```

gustavo-iniguez-goya commented 1 year ago

thank you.

Post please the output of the following commands: `lsmod` and `grep -E "(NETFILTER|NETLINK)" /boot/config-$(uname -r)` (if /boot/config-* doesn't exist, try it with /proc/config.gz)

fraschm1998 commented 1 year ago

> thank you.
>
> Post please the output of the following commands: `lsmod` and `grep -E "(NETFILTER|NETLINK)" /boot/config-$(uname -r)` (if /boot/config-* doesn't exist, try it with /proc/config.gz)

`lsmod`

```
Module                  Size  Used by
nft_ct                 20480  0
nft_chain_nat          16384  0
nf_tables             323584  12 nft_ct,nft_chain_nat
iwlmvm                487424  0
btusb                  57344  0
btrtl                  24576  1 btusb
btbcm                  24576  1 btusb
btintel                45056  1 btusb
nvidia_drm             77824  10
bluetooth             815104  27 btrtl,btintel,btbcm,btusb
nvidia_modeset       1372160  2 nvidia_drm
mac80211             1060864  1 iwlmvm
ax88179_178a           32768  0
ecdh_generic           16384  2 bluetooth
ecc                    36864  1 ecdh_generic
usbnet                 40960  1 ax88179_178a
libarc4                16384  1 mac80211
nvidia_uvm           1630208  0
amdgpu               9232384  120
i2c_algo_bit           16384  1 amdgpu
iwlwifi               458752  1 iwlmvm
drm_ttm_helper         16384  1 amdgpu
nvidia               7036928  166 nvidia_uvm,nvidia_modeset
ttm                    86016  2 amdgpu,drm_ttm_helper
mfd_core               16384  1 amdgpu
drm_buddy              20480  1 amdgpu
cfg80211             1056768  3 iwlmvm,iwlwifi,mac80211
gpu_sched              49152  1 amdgpu
drm_display_helper    155648  1 amdgpu
cec                    57344  1 drm_display_helper
efivarfs               24576  1
```

`grep -E "(NETFILTER|NETLINK)" /boot/config-$(uname -r)`

```
CONFIG_COMPAT_NETLINK_MESSAGES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_BRIDGE_NETFILTER=y
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_EGRESS=y
CONFIG_NETFILTER_SKIP_EGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_FAMILY_BRIDGE=y
# CONFIG_NETFILTER_NETLINK_HOOK is not set
# CONFIG_NETFILTER_NETLINK_ACCT is not set
CONFIG_NETFILTER_NETLINK_QUEUE=y
CONFIG_NETFILTER_NETLINK_LOG=y
# CONFIG_NETFILTER_NETLINK_OSF is not set
CONFIG_NF_CT_NETLINK=y
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XTABLES_COMPAT=y
CONFIG_NETFILTER_XT_MARK=m
# CONFIG_NETFILTER_XT_CONNMARK is not set
# CONFIG_NETFILTER_XT_TARGET_AUDIT is not set
# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
# CONFIG_NETFILTER_XT_TARGET_CLASSIFY is not set
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=y
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
# CONFIG_NETFILTER_XT_TARGET_HL is not set
# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
# CONFIG_NETFILTER_XT_TARGET_LED is not set
CONFIG_NETFILTER_XT_TARGET_LOG=m
# CONFIG_NETFILTER_XT_TARGET_MARK is not set
CONFIG_NETFILTER_XT_NAT=m
# CONFIG_NETFILTER_XT_TARGET_NETMAP is not set
CONFIG_NETFILTER_XT_TARGET_NFLOG=y
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_MASQUERADE=m
# CONFIG_NETFILTER_XT_TARGET_TEE is not set
# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
CONFIG_NETFILTER_XT_TARGET_SECMARK=y
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
# CONFIG_NETFILTER_XT_MATCH_BPF is not set
# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set
CONFIG_NETFILTER_XT_MATCH_COMMENT=y
# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
# CONFIG_NETFILTER_XT_MATCH_CONNLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNMARK is not set
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NETFILTER_XT_MATCH_CPU is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DEVGROUP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ECN is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
# CONFIG_NETFILTER_XT_MATCH_HL is not set
# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
CONFIG_NETFILTER_XT_MATCH_IPVS=y
# CONFIG_NETFILTER_XT_MATCH_L2TP is not set
# CONFIG_NETFILTER_XT_MATCH_LENGTH is not set
# CONFIG_NETFILTER_XT_MATCH_LIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
# CONFIG_NETFILTER_XT_MATCH_MARK is not set
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
# CONFIG_NETFILTER_XT_MATCH_OSF is not set
# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
CONFIG_NETFILTER_XT_MATCH_POLICY=y
# CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
# CONFIG_NETFILTER_XT_MATCH_STRING is not set
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
# CONFIG_NETLINK_DIAG is not set
CONFIG_ETHTOOL_NETLINK=y
# CONFIG_THERMAL_NETLINK is not set
CONFIG_QUOTA_NETLINK_INTERFACE=y
```

gustavo-iniguez-goya commented 1 year ago

Thank you @fraschm1998 , your kernel needs to load at least the following modules:

`nf_tables`, `nft_queue`, `nft_ct`, `nf_conntrack`, `nf_conntrack_netlink`, `nfnetlink`, `nfnetlink_queue`, `nf_conntrack_netlink`

The corresponding kernel config options are: `CONFIG_NF_TABLES`, `CONFIG_NFT_QUEUE`, `CONFIG_NFT_CT`, `CONFIG_NF_CONNTRACK`, `CONFIG_NF_CT_NETLINK`, `CONFIG_NETFILTER_NETLINK_ACCT`, `CONFIG_NETFILTER_NETLINK_QUEUE`, `CONFIG_NF_CT_NETLINK`

Your kernel lacks support for at least CONFIG_NETFILTER_NETLINK_ACCT -> # CONFIG_NETFILTER_NETLINK_ACCT is not set

Could you recompile your kernel with these options, ensure that the modules are loaded or load them manually, and confirm that the needed rules are added?
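The diagnosis above boils down to one check: for each nftables prerequisite, is the feature built into the kernel (`=y`), built as a module that is actually loaded (`=m` plus a line in `lsmod`), or absent (`is not set`)? The script below is an added example, not opensnitch's own `-check-requirements` code, that automates exactly that check against a kernel config file and a saved `lsmod` listing. The module-to-config-symbol mapping (`nfnetlink` → `CONFIG_NETFILTER_NETLINK`, `nfnetlink_acct` → `CONFIG_NETFILTER_NETLINK_ACCT`, and so on) is my own reading of the kernel's netfilter Makefile, not something stated in the thread, and the sample config and lsmod files are constructed to mirror this report (nf_tables and nft_ct loaded, netlink queue and conntrack-netlink built in, `CONFIG_NETFILTER_NETLINK_ACCT` not set).

```shell
#!/bin/sh
# Added example: check nftables prerequisites for an interactive firewall
# (not part of opensnitch). Usage on a live system:
#   lsmod > /tmp/lsmod.txt
#   check_nft_requirements /boot/config-$(uname -r) /tmp/lsmod.txt
# (use `zcat /proc/config.gz > /tmp/config` when /boot/config-* is absent).

# module:config-symbol pairs. Mapping assumed from net/netfilter/Makefile.
NFT_REQUIREMENTS="
nf_tables:CONFIG_NF_TABLES
nft_queue:CONFIG_NFT_QUEUE
nft_ct:CONFIG_NFT_CT
nf_conntrack:CONFIG_NF_CONNTRACK
nf_conntrack_netlink:CONFIG_NF_CT_NETLINK
nfnetlink:CONFIG_NETFILTER_NETLINK
nfnetlink_queue:CONFIG_NETFILTER_NETLINK_QUEUE
nfnetlink_acct:CONFIG_NETFILTER_NETLINK_ACCT
"

# config_state CONFIG_FILE SYMBOL -> prints y (built in), m (module) or n (absent)
config_state() {
    _v=$(sed -n "s/^${2}=\([ym]\)\$/\1/p" "$1")
    if [ -n "$_v" ]; then echo "$_v"; else echo n; fi
}

# module_loaded LSMOD_FILE MODULE -> exit 0 if the module appears in lsmod output
module_loaded() {
    grep -q "^${2}[[:space:]]" "$1"
}

# check_nft_requirements CONFIG_FILE LSMOD_FILE
# Prints one status line per requirement; returns 0 only if all are satisfied.
# "=m but not loaded" is fixable with modprobe; "is not set" needs a kernel rebuild.
check_nft_requirements() {
    _cfg="$1"; _lsmod="$2"; _rc=0
    for _pair in $NFT_REQUIREMENTS; do
        _mod=${_pair%%:*}; _sym=${_pair#*:}
        case "$(config_state "$_cfg" "$_sym")" in
            y) echo "$_mod builtin ($_sym=y)" ;;
            m) if module_loaded "$_lsmod" "$_mod"; then
                   echo "$_mod loaded ($_sym=m)"
               else
                   echo "$_mod NOT LOADED ($_sym=m; try: modprobe $_mod)"; _rc=1
               fi ;;
            n) echo "$_mod NOT AVAILABLE ($_sym is not set; kernel rebuild needed)"; _rc=1 ;;
        esac
    done
    return $_rc
}

# write_sample_inputs DIR -> writes constructed config and lsmod files modelled on
# this thread (not the reporter's real files) into DIR/config and DIR/lsmod.
write_sample_inputs() {
    cat > "$1/config" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_CT=m
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CT_NETLINK=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_QUEUE=y
# CONFIG_NETFILTER_NETLINK_ACCT is not set
EOF
    cat > "$1/lsmod" <<'EOF'
Module                  Size  Used by
nft_ct                 20480  0
nft_chain_nat          16384  0
nf_tables             323584  12 nft_ct,nft_chain_nat
EOF
}

# Stand-alone demo on the constructed sample: reports nft_queue as not loaded
# and nfnetlink_acct as not available, and exits non-zero.
SAMPLE_DIR=$(mktemp -d)
write_sample_inputs "$SAMPLE_DIR"
check_nft_requirements "$SAMPLE_DIR/config" "$SAMPLE_DIR/lsmod" \
    || echo "nftables prerequisites missing"
rm -rf "$SAMPLE_DIR"
```

Two kinds of failure come out of this check and they need different fixes: a module that is `=m` but unloaded (fix with `modprobe`, or let the firewall daemon request it) and a symbol that is `is not set`, which is what the reporter hit with `CONFIG_NETFILTER_NETLINK_ACCT` and can only be fixed by rebuilding the kernel. Note that `lsmod` never lists built-in features, so checking only `lsmod` would produce false "missing" results on a kernel like the reporter's where `CONFIG_NETFILTER_NETLINK_QUEUE=y`.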

fraschm1998 commented 1 year ago

@gustavo-iniguez-goya That fixed it! Perhaps add those kernel checks under the opensnitchd -check-requirements for nftables?

gustavo-iniguez-goya commented 1 year ago

sure, I'll add it ASAP . Thank you for reporting this :)