raspberrypi / linux

Kernel source tree for Raspberry Pi-provided kernel builds. Issues unrelated to the linux kernel should be posted on the community forum at https://forums.raspberrypi.com/

nftables kernel modules missing #3615

Open steveharriss opened 4 years ago

steveharriss commented 4 years ago

Errors on running nft as kernel modules are missing from: /lib/modules/5.4.40-v7l+/kernel/net/netfilter

Missing nftables.ko and all relevant nft*.ko files

sudo apt install nftables
nftables v0.9.0 (Fearless Fosdick)
nftables.service loaded failed failed nftables

If you delete the minimal nftables.conf file you can start the service:

systemctl status nftables
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
   Active: active (exited) since Fri 2020-05-15 15:50:03 BST; 1min 40s ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 1986 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 1986 (code=exited, status=0/SUCCESS)

May 15 15:50:03 raspberrypi systemd[1]: Starting nftables...
May 15 15:50:03 raspberrypi systemd[1]: Started nftables.

But with anything in the .conf file the service fails with errors:

/etc/nftables.conf:2:1-14: Error: Could not process rule: Operation not supported
flush ruleset

Same for running nft in an interactive session

Linux raspberrypi 5.4.40-v7l+ #1316 SMP Tue May 12 13:10:42 BST 2020 armv7l GNU/Linux
pi4 4Gb Ram
Generated using pi-gen, https://github.com/RPi-Distro/pi-gen, 5f884374b6ac6e155330c58caa1fb7249b8badf1, stage4
version 21bfdeee3a6ea823e2113b983390acd1eec8edfb (clean) (release) (start)

pelwell commented 4 years ago

They do indeed appear to be missing from the 32-bit bcm2711_defconfig and the 64-bit bcmrpi3_defconfig. The squashing that takes place on our new branches makes it hard to work out what went wrong, but I suspect there was a merge problem and it ended up half-and-half.

That's fixed in the rpi-5.4.y branch of the kernel source, and the modules will appear in future releases.

mys721tx commented 3 years ago

nftables on aarch64 does not support sets at 08ae2dd with the following minimal nftables.conf.

#!/usr/bin/nft -f

define IP_DROPS = {
    172.16.0.0/24
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        ip saddr $IP_DROPS drop
    }
}

mys721tx commented 3 years ago

Also the output from nft:

$ sudo nft flush ruleset; sudo nft -f /etc/nftables.conf
/etc/nftables.conf:3:19-1: Error: Could not process rule: Operation not supported
define IP_DROPS = {

/etc/nftables.conf:3:19-1: Error: Could not process rule: No such file or directory
define IP_DROPS = {

/etc/nftables.conf:11:9-31: Error: Could not process rule: No such file or directory
        ip saddr $IP_DROPS drop
        ^^^^^^^^^^^^^^^^^^^^^^^

mys721tx commented 3 years ago

The problem is resolved at 9007908.

popcornmix commented 3 years ago

@steveharriss are you happy this issue is resolved?

ghost commented 3 years ago

Hello, this issue appears related to my issue.

Therefore may I humbly suggest that this issue is not resolved. Please advise whether I should raise a new issue if not.

It appears a further module NF_LOG_ARP is missing from the netfilter .kconfig and presumably some files that go with it.

Kernel:

root@laptop:/lib/modules/5.10.27-v8+/kernel/net/netfilter# uname -a
Linux laptop 5.10.27-v8+ #1409 SMP PREEMPT Tue Apr 6 18:29:13 BST 2021 aarch64 GNU/Linux

For reference, the netfilter team has suggested the fix here: https://bugzilla.netfilter.org/show_bug.cgi?id=1521

Thanks

pelwell commented 3 years ago

I'm happy to add NF_LOG_ARP=m (and NF_LOG_NETDEV=m - another missing option in that category) - see ad26fd4.
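A preflight check a reader can run before loading an nftables ruleset on a Pi kernel: it reads the kernel config and reports which of the nftables set and NF_LOG_* options discussed in this thread are neither built in nor modular, so a failing `nft -f` can be traced to the kernel build rather than the ruleset. This is an added example, not code from the raspberrypi/linux tree or from any commenter; the option names in NFT_REQUIRED_OPTIONS are assumed for the 5.4/5.10-era kernels above, and reading /proc/config.gz assumes the kernel was built with CONFIG_IKCONFIG_PROC.

```shell
#!/bin/sh
# Added example (not part of raspberrypi/linux): verify that the kernel config
# enables the netfilter options needed by the ruleset in this thread.

# Assumed option set for 5.4/5.10 kernels: nf_tables core, the inet family used
# by "table inet filter", set support needed for "define IP_DROPS = { ... }",
# and the two NF_LOG_* entries found missing later in the thread.
NFT_REQUIRED_OPTIONS="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NF_TABLES_SET CONFIG_NF_LOG_ARP CONFIG_NF_LOG_NETDEV"

# check_nft_config CONFIG_FILE OPTION...
# Prints "missing: ..." and returns 1 if any option is not =y or =m.
# An option that is absent or appears as "# OPT is not set" counts as missing.
check_nft_config() {
    cfg=$1
    shift
    missing=""
    for opt in "$@"; do
        if ! grep -q "^${opt}=[ym]$" "$cfg"; then
            missing="${missing:+$missing }$opt"
        fi
    done
    if [ -n "$missing" ]; then
        printf 'missing: %s\n' "$missing"
        return 1
    fi
    return 0
}

# Print the running kernel's config to stdout: /boot/config-$(uname -r) where
# the distro ships it, otherwise /proc/config.gz (needs CONFIG_IKCONFIG_PROC;
# "modprobe configs" may be required first). Returns 1 if neither is readable.
running_kernel_config() {
    if [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    else
        return 1
    fi
}

# Example invocation against the live kernel (kept as a comment so the file is
# safe to source):
#   running_kernel_config > /tmp/kcfg && check_nft_config /tmp/kcfg $NFT_REQUIRED_OPTIONS
```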