rtpengine[629]: Fatal error: Failed to create nftables chains or rules: error returned from netlink for add rule (No such file or directory)

9to1url commented 1 year ago

Hello,

I built and install RtpEngine on Debian : Linux rtpengine2 6.1.0-12-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07) x86_64 GNU/Linux

Failed to start with:

Sep 30 13:48:08 rtpengine2 rtpengine[629]: INFO: [crypto] Generating new DTLS certificate
Sep 30 13:48:08 rtpengine2 rtpengine[629]: Fatal error: Failed to create nftables chains or rules: error returned from netlink for add rule (No such file or directory)
Sep 30 13:48:08 rtpengine2 rtpengine[629]: CRIT: [core] Fatal error: Failed to create nftables chains or rules: error returned from netlink for add rule (No such file or directo>
Sep 30 13:48:08 rtpengine2 systemd[1]: ngcp-rtpengine-daemon.service: Main process exited, code=exited, status=255/EXCEPTION

But same instructions successful and running fine on Debian: Linux rtpengine 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64 GNU/Linux

This is the link I followed with some minor changes like g729 with VER=1.1.1 https://nickvsnetworking.com/rtpengine-installation-configuration/

Also I found this newer Debian looks like to use a dummy iptables and iptables-dev, this is what RtpEngine rely on right?

I googled and search in this repo and found nothing, so could you point me direction on how to debug this and how to fix this? thanks

9to1url commented 1 year ago

I also found out the working version is: git checkout b9af9d0e493302f5b9d404492768de050368c93c

I think current head version is: 794f8e3c017847697ff7f20217d6de2a6bc98952

amessina commented 1 year ago

@9to1url I see something similar, though mine is preceded by a kernel message.

kernel: xt_RTPENGINE ID too high (32764 >= 64)
rtpengine[581494]: CRIT: [core] Fatal error: Failed to create nftables chains or rules: error returned from netlink for add rule (Invalid argument)

9to1url commented 1 year ago

I didn't configure kernel mode yet, but will do it soon.

I can run successful by using the build I mentioned above: git checkout b9af9d0e493302f5b9d404492768de050368c93c

You can give it a try.

dilyanpalauzov commented 1 year ago

With commit 794f8e3c0178476, which adds nftables and is actually the last commit on the master branch I get Failed to create nftables chains or rules: error returned from netlink for add rule (Invalid argument).

I run rtpengine as root, as in strace -s2048 -f /usr/bin/rtpengine &> strace.txt.

The file strace.txt is attached.

I have kernel 5.10.190, libmnl 1.0.4, libnftl-1.2.4. If newer versions of the latter are needed, I can install them. I can also recomplie the kernel with different options (which ones), load extra modules, etc, if I am told what to try.

rfuchs commented 1 year ago

I built and install RtpEngine on Debian : Linux rtpengine2 6.1.0-12-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07) x86_64 GNU/Linux

Failed to start with:
Sep 30 13:48:08 rtpengine2 rtpengine[629]: INFO: [crypto] Generating new DTLS certificate
Sep 30 13:48:08 rtpengine2 rtpengine[629]: Fatal error: Failed to create nftables chains or rules: error returned from netlink for add rule (No such file or directory)
Sep 30 13:48:08 rtpengine2 rtpengine[629]: CRIT: [core] Fatal error: Failed to create nftables chains or rules: error returned from netlink for add rule (No such file or directo>
Sep 30 13:48:08 rtpengine2 systemd[1]: ngcp-rtpengine-daemon.service: Main process exited, code=exited, status=255/EXCEPTION
But same instructions successful and running fine on Debian: Linux rtpengine 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64 GNU/Linux

Do you actually expect the kernel mode to work on a system with a "cloud" kernel? Is it possible to load the kernel module and do you have it compiled and installed?

9to1url commented 1 year ago

Yes, even this is a Cloud kernel, but I use it to launched a VM, I can install anything. Kernel mode is the next thing I will try. thanks

amessina commented 1 year ago

Thank you @rfuchs. I can confirm nftables kernel forwarding is now working (Fedora 36 x86_64) entirely with nftables and no iptables, and using firewalld for the main firewall configuration.

Of course, nft list ruleset shows XT target RTPENGINE not found, can you confirm that's to be expected?

nftables-chain = rtpengine
nftables-base-chain =

table ip filter {
        chain rtpengine {
                type filter hook input priority filter; policy accept;
                # RTPENGINE id:0 counter packets 949 bytes 297733
        }
}
table ip6 filter {
        chain rtpengine {
                type filter hook input priority filter; policy accept;
                counter packets 24559 bytes 24004864
        }
}

iptables -S & ip6tables -S

# Table `filter' contains incompatible base-chains, use 'nft' tool to list them.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

# Table `filter' contains incompatible base-chains, use 'nft' tool to list them.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

rfuchs commented 1 year ago

Of course, nft list ruleset shows XT target RTPENGINE not found, can you confirm that's to be expected?

Yes, AFAIK there is no way to make the nft tool print or manage these rules properly in any way

dilyanpalauzov commented 1 year ago

iptables -S & ip6tables -S

Here it is unclear, whether iptables is a symlink to xtables-legacy-multi or to xtables-nft-multi. Having rtpengine+nftables I get

# xtables-legacy-multi iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# xtables-nft-multi iptables -S 
# Warning: iptables-legacy tables present, use iptables-legacy to see them
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N rtpengine
-A INPUT -p udp -j rtpengine
-A rtpengine -j RTPENGINE --id 30

so itables -S can print an rtpengine related rule.

On the other side I get

# nft list ruleset                    
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                ip protocol udp counter packets 504238 bytes 85641358 jump rtpengine
        }

        chain rtpengine {
                xt target "RTPENGINE" counter packets 504238 bytes 85641358
        }
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                ip6 nexthdr udp counter packets 241 bytes 11809 jump rtpengine
        }

        chain rtpengine {
                # Warning: XT target RTPENGINE not found
xt target "RTPENGINE" counter packets 241 bytes 11809
        }
}

On my system IPv6 is not configured, but probably provided by the kernel. Under these circumstance the command nft list ruleset prints # Warning: XT target RTPENGINE not found only for IPv6, not for IPv4.

9to1url commented 12 months ago

@rfuchs thank you for your pointing at the Cloud image. :-) It's really cost me sometime to make it works.

here is the steps:

lsmod : shows not loaded in kernel
apt search linux-headers-$(uname -r) : found the headers
apt install linux-headers-$(uname -r) : install it
apt install rtpengine-utils
reboot machine, then all running fine and kernal lsmod found , no error in rtpengine startup

sipwise / rtpengine

rtpengine[629]: Fatal error: Failed to create nftables chains or rules: error returned from netlink for add rule (No such file or directory) #1731