Closed pkuzak closed 4 months ago
Can't really reproduce this on a Debian 11. Are you running `rtpengine --nftables-status` under sudo?
Strange. Yes, I run it as `root`. Does your `nft list ruleset` output look the same as I've posted?
It does (almost) except for the additional complaint about not knowing what RTPENGINE is, which is at the very top of the output.

```
XT target RTPENGINE not found
XT target RTPENGINE not found
table ip filter {
    chain rtpengine {
        counter packets 6 bytes 989
    }
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ip protocol udp counter packets 6 bytes 989 jump rtpengine
    }
}
table ip6 filter {
...
```
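As an added illustration (not rtpengine's own code, and only an assumed approximation of the condition the status command looks for), here is a small Python parser for the `nft list ruleset` output shown above; it reports, per address family, whether an input-hook chain actually dispatches to the `rtpengine` chain. The ip6 table in the constructed sample is assumed to have the chain but no rule jumping to it, i.e. the failing case.

```python
import re
# Constructed sample, modelled on the `nft list ruleset` output posted above;
# the ip6 table is assumed here to have the chain but no rule dispatching to it.
SAMPLE_RULESET = """\
table ip filter {
    chain rtpengine {
        counter packets 6 bytes 989
    }
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ip protocol udp counter packets 6 bytes 989 jump rtpengine
    }
}
table ip6 filter {
    chain rtpengine {
    }
    chain INPUT {
        type filter hook input priority filter; policy accept;
    }
}
"""

def parse_ruleset(text):
    """Parse `nft list ruleset` text into {(family, table): {chain: [rule lines]}}."""
    tables, table, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"table (\S+) (\S+) \{$", line):
            table, chain = (m.group(1), m.group(2)), None
            tables[table] = {}
        elif m := re.match(r"chain (\S+) \{$", line):
            chain = m.group(1)
            tables[table][chain] = []
        elif line == "}":            # closes the innermost open block
            chain, table = (None, table) if chain else (None, None)
        elif table and chain and line:
            tables[table][chain].append(line)
    return tables

def dispatch_present(tables, family, target="rtpengine"):
    """True if some input-hook chain of this family jumps/gotos to `target`."""
    for (fam, _), chains in tables.items():
        if fam != family or target not in chains:
            continue
        for rules in chains.values():
            if any("hook input" in r for r in rules) and any(
                    re.search(rf"\b(jump|goto) {target}$", r) for r in rules):
                return True
    return False
```

Feeding it the real output (`nft list ruleset` piped into a file) shows which family is missing the dispatch rule before a migrated or non-empty ruleset is blamed.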
OK, I know what the difference is between your and my setup. I initially have rules in `iptables`. When I start `nftables`, some of the rules get migrated there (and the content of `iptables` gets flushed). So my `nftables` rule set is not empty. When I start the `nftables` service with an empty `iptables` list, the check command succeeds as well.
There should be a compatibility package that lets you use iptables together with nftables, but it looks like that doesn't exist in Debian 11?
I think I can use both together, this is not the issue. After starting the `nftables` service I can fill back my `iptables` rules and everything works OK. Just the question whether the `nftables-status` command is broken or not for a non-empty `nftables` rule set.
Ok I see the problem. Patch is coming.
rtpengine version the issue has been seen with
Master branch, commit 840c2a84e3e3e40c3c73a9faa9a48e3ffbb5de9e

Used distribution and its version
Debian 11

Linux kernel version used
5.10.0-27-amd64

CPU architecture issue was seen on (see `uname -m`)
x86_64

Expected behaviour you didn't see
Getting `Netfilter rules check SUCCESSFUL` upon executing `rtpengine --nftables-status`

Unexpected behaviour you saw
Getting `Netfilter rules check NOT successful: immediate-goto rule not found` upon executing `rtpengine --nftables-status`

Steps to reproduce the problem
Start `rtpengine` without any `nftables*` options in the configuration file and execute `rtpengine --nftables-status` after successfully starting the service with Kernel forwarding support.

Additional program output to the terminal or logs illustrating the issue
No response

Anything else?
Actually I am not sure if this is a bug in the code or a bug in my configuration. As mentioned, I do not have any `nftables*` options present in my configuration file, so default values are used. The output of `nft list ruleset` looks OK to me compared to the example from the doc:

When making a call, the logs also look OK and counters in `/proc/rtpengine/0/list` are also increased during the call (0 is the configured Kernel table in the configuration file). For more background information: We want to migrate to a newer `rtpengine` version which uses `nftables`. We still want to use `iptables` for managing the firewall, and use `nftables` just to forward RT(C)P packets to the `rtpengine` Kernel module. I think this should be doable, at least this is how I understand the comment in #1739.