Closed 9to1url closed 1 year ago
I also found out the working version is: git checkout b9af9d0e493302f5b9d404492768de050368c93c
I think the current head version is: 794f8e3c017847697ff7f20217d6de2a6bc98952
@9to1url I see something similar, though mine is preceded by a kernel message.
kernel: xt_RTPENGINE ID too high (32764 >= 64)
rtpengine[581494]: CRIT: [core] Fatal error: Failed to create nftables chains or rules: error returned from netlink for add rule (Invalid argument)
I didn't configure kernel mode yet, but will do it soon.
I can run successfully by using the build I mentioned above: git checkout b9af9d0e493302f5b9d404492768de050368c93c
You can give it a try.
With commit 794f8e3c0178476, which adds nftables and is actually the last commit on the master branch, I get: Failed to create nftables chains or rules: error returned from netlink for add rule (Invalid argument).
I run rtpengine as root, as in strace -s2048 -f /usr/bin/rtpengine &> strace.txt.
The file strace.txt is attached.
I have kernel 5.10.190, libmnl 1.0.4, libnftnl-1.2.4. If newer versions of the latter are needed, I can install them. I can also recompile the kernel with different options (which ones?), load extra modules, etc., if I am told what to try.
I built and installed RtpEngine on Debian: Linux rtpengine2 6.1.0-12-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07) x86_64 GNU/Linux
Failed to start with:
Sep 30 13:48:08 rtpengine2 rtpengine[629]: INFO: [crypto] Generating new DTLS certificate
Sep 30 13:48:08 rtpengine2 rtpengine[629]: Fatal error: Failed to create nftables chains or rules: error returned from netlink for add rule (No such file or directory)
Sep 30 13:48:08 rtpengine2 rtpengine[629]: CRIT: [core] Fatal error: Failed to create nftables chains or rules: error returned from netlink for add rule (No such file or directo>
Sep 30 13:48:08 rtpengine2 systemd[1]: ngcp-rtpengine-daemon.service: Main process exited, code=exited, status=255/EXCEPTION
But the same instructions are successful and run fine on Debian: Linux rtpengine 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64 GNU/Linux
Do you actually expect the kernel mode to work on a system with a "cloud" kernel? Is it possible to load the kernel module and do you have it compiled and installed?
Yes, even though this is a Cloud kernel, I use it to launch a VM, so I can install anything. Kernel mode is the next thing I will try. Thanks.
Thank you @rfuchs. I can confirm nftables kernel forwarding is now working (Fedora 36 x86_64) entirely with nftables and no iptables, and using firewalld for the main firewall configuration.
Of course, nft list ruleset shows XT target RTPENGINE not found, can you confirm that's to be expected?
nftables-chain = rtpengine
nftables-base-chain =
table ip filter {
    chain rtpengine {
        type filter hook input priority filter; policy accept;
        # RTPENGINE id:0 counter packets 949 bytes 297733
    }
}
table ip6 filter {
    chain rtpengine {
        type filter hook input priority filter; policy accept;
        counter packets 24559 bytes 24004864
    }
}
iptables -S & ip6tables -S
# Table `filter' contains incompatible base-chains, use 'nft' tool to list them.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# Table `filter' contains incompatible base-chains, use 'nft' tool to list them.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
Of course, nft list ruleset shows XT target RTPENGINE not found, can you confirm that's to be expected?
Yes, AFAIK there is no way to make the nft tool print or manage these rules properly in any way.
iptables -S & ip6tables -S
Here it is unclear whether iptables is a symlink to xtables-legacy-multi or to xtables-nft-multi. Having rtpengine+nftables I get
# xtables-legacy-multi iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# xtables-nft-multi iptables -S
# Warning: iptables-legacy tables present, use iptables-legacy to see them
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N rtpengine
-A INPUT -p udp -j rtpengine
-A rtpengine -j RTPENGINE --id 30
so iptables -S can print an rtpengine-related rule.
On the other side I get
# nft list ruleset
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ip protocol udp counter packets 504238 bytes 85641358 jump rtpengine
    }
    chain rtpengine {
        xt target "RTPENGINE" counter packets 504238 bytes 85641358
    }
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ip6 nexthdr udp counter packets 241 bytes 11809 jump rtpengine
    }
    chain rtpengine {
        # Warning: XT target RTPENGINE not found
        xt target "RTPENGINE" counter packets 241 bytes 11809
    }
}
On my system IPv6 is not configured, but probably provided by the kernel. Under these circumstances the command nft list ruleset prints # Warning: XT target RTPENGINE not found only for IPv6, not for IPv4.
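An added example, not part of the thread or of the rtpengine project: a small parser that walks `nft list ruleset` text and reports, per address family and chain, each `xt target` rule, its packet counter, and whether nft printed the "not found" warning for it. The function name `xt_rules` and the sample text (modelled on the output quoted above, trimmed) are constructed for illustration, and the parser assumes the layout shown in that output.

```python
import re

# Constructed sample, modelled on the `nft list ruleset` output quoted above.
SAMPLE = """\
table ip filter {
    chain INPUT {
        ip protocol udp counter packets 504238 bytes 85641358 jump rtpengine
    }
    chain rtpengine {
        xt target "RTPENGINE" counter packets 504238 bytes 85641358
    }
}
table ip6 filter {
    chain INPUT {
        ip6 nexthdr udp counter packets 241 bytes 11809 jump rtpengine
    }
    chain rtpengine {
        # Warning: XT target RTPENGINE not found
        xt target "RTPENGINE" counter packets 241 bytes 11809
    }
}
"""

TABLE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
CHAIN = re.compile(r"^chain\s+(\S+)\s*\{")
WARN = re.compile(r"^#\s*Warning: XT target (\S+) not found")
XT = re.compile(r'^xt target "?([^"\s]+)"?(?:.*?\bpackets (\d+))?')

def xt_rules(ruleset_text):
    """Return one dict per xt-target rule: family, table, chain, target,
    packet count, and whether nft printed a 'not found' warning for it."""
    found, family, table, chain, warned = [], None, None, None, set()
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        if m := TABLE.match(line):
            family, table, chain = m.group(1), m.group(2), None
        elif m := CHAIN.match(line):
            chain, warned = m.group(1), set()   # warnings apply within one chain
        elif m := WARN.match(line):
            warned.add(m.group(1))
        elif m := XT.match(line):
            found.append({"family": family, "table": table, "chain": chain,
                          "target": m.group(1),
                          "packets": int(m.group(2)) if m.group(2) else None,
                          "nft_warning": m.group(1) in warned})
    return found

if __name__ == "__main__":
    for rule in xt_rules(SAMPLE):
        print(rule)
```

On a live host the same function can be fed the captured output of `nft list ruleset`; a family with no `xt target` entry at all is the case worth alerting on, since the thread indicates the warning itself is only a display limitation of the nft tool.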
@rfuchs thank you for pointing at the Cloud image. :-) It really cost me some time to make it work.
Here are the steps:
Hello,
I built and installed RtpEngine on Debian: Linux rtpengine2 6.1.0-12-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07) x86_64 GNU/Linux
Failed to start with:
But the same instructions are successful and run fine on Debian: Linux rtpengine 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64 GNU/Linux
This is the link I followed with some minor changes like g729 with VER=1.1.1 https://nickvsnetworking.com/rtpengine-installation-configuration/
Also, I found that this newer Debian looks like it uses a dummy iptables and iptables-dev; this is what RtpEngine relies on, right?
I googled and searched in this repo and found nothing, so could you point me in the right direction on how to debug this and how to fix this? Thanks