sipwise / rtpengine

The Sipwise media proxy for Kamailio
GNU General Public License v3.0

Netfilter rules check NOT successful: immediate-goto rule not found #1794

Closed pkuzak closed 4 months ago

pkuzak commented 4 months ago

rtpengine version the issue has been seen with

Master branch, commit 840c2a84e3e3e40c3c73a9faa9a48e3ffbb5de9e

Used distribution and its version

Debian 11

Linux kernel version used

5.10.0-27-amd64

CPU architecture issue was seen on (see uname -m)

x86_64

Expected behaviour you didn't see

Getting Netfilter rules check SUCCESSFUL upon executing rtpengine --nftables-status

Unexpected behaviour you saw

Getting Netfilter rules check NOT successful: immediate-goto rule not found upon executing rtpengine --nftables-status

Steps to reproduce the problem

Start rtpengine without any nftables* options in configuration file and execute rtpengine --nftables-status after successfully starting the service with Kernel forwarding support.

Additional program output to the terminal or logs illustrating the issue

No response

Anything else?

Actually I am not sure if this is a bug in the code or a bug in my configuration. As mentioned, I do not have any nftables* options present in my configuration file, so default values are used. The output of nft list ruleset looks OK to me compared to the example from the doc:

table ip filter {
....
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ip protocol udp counter packets 4894 bytes 915243 jump rtpengine
        ct state invalid counter packets 49 bytes 10984 drop
        ct state related,established counter packets 32453 bytes 89562936 accept
        meta l4proto icmp counter packets 655 bytes 30726 accept
        iifname "lo" fib saddr type local  counter packets 384 bytes 37132 accept
        iifname "eth0" counter packets 475 bytes 54280 jump rules_int
        iifname "eth1" counter packets 53 bytes 5147 jump rules_ext
        counter packets 0 bytes 0 log prefix "[FW-OTH] " level debug
        counter packets 0 bytes 0 jump BLOCK
    }
....
    chain rtpengine {
        counter packets 690 bytes 75019
    }
....

When making a call, the logs also look OK and counters in /proc/rtpengine/0/list are also increased during the call. (0 is the configured Kernel table in the configuration file.) For more background information: we want to migrate to a newer rtpengine version which uses nftables. We still want to use iptables for managing the firewall, and use nftables just to forward RT(C)P packets to the rtpengine Kernel module. I think this should be doable, at least this is how I understand the comment in #1739.

rfuchs commented 4 months ago

Can't really reproduce this on a Debian 11. Are you running rtpengine --nftables-status under sudo?

pkuzak commented 4 months ago

Strange. Yes, I run it as root. Does your nft list ruleset output look the same as I've posted?

rfuchs commented 4 months ago

> Strange. Yes, I run it as root. Does your nft list ruleset output look the same as I've posted?

It does (almost) except for the additional complaint about not knowing what RTPENGINE is, which is at the very top of the output.

XT target RTPENGINE not found
XT target RTPENGINE not found
table ip filter {
    chain rtpengine {
        counter packets 6 bytes 989
    }

    chain INPUT {
        type filter hook input priority filter; policy accept;
        ip protocol udp counter packets 6 bytes 989 jump rtpengine
    }
}
table ip6 filter {
...
pkuzak commented 4 months ago

OK, I know what the difference between your setup and mine is. I initially have rules in iptables. When I start nftables, some of the rules get migrated there (and the content of iptables gets flushed). So my nftables rule set is not empty. When I start the nftables service with an empty iptables list, the check command succeeds as well.

rfuchs commented 4 months ago

There should be a compatibility package that lets you use iptables together with nftables, but it looks like that doesn't exist in Debian 11?

pkuzak commented 4 months ago

I think I can use both together, this is not the issue. After starting the nftables service I can fill back my iptables rules and everything works OK. Just the question of whether the nftables-status command is broken or not for a non-empty nftables rule set.
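The reporter's ruleset (first comment) and the diagnosis above both come down to one question: does the check still find the `jump rtpengine` rule when the INPUT chain already carries other firewall rules? The following is an added example, not rtpengine's own `--nftables-status` code: a small parser for the text output of `nft list ruleset` that accepts the jump (or goto) into the `rtpengine` chain at any position in an input-hook base chain, and reports where it sits so a shadowing rule in front of it can be spotted. The two embedded rulesets are constructed samples modelled on the output posted in this thread; the function and regex names are my own.

```python
"""Check an `nft list ruleset` dump for the rtpengine forwarding rule.

Added example (not rtpengine's --nftables-status implementation). Usage:
    nft list ruleset | python3 check_rtpengine_nft.py
"""
import re
import sys

TABLE_RE = re.compile(r'^table\s+(\w+)\s+(\S+)\s*\{$')
CHAIN_RE = re.compile(r'^chain\s+(\S+)\s*\{$')
HOOK_RE = re.compile(r'\btype\s+\w+\s+hook\s+(\w+)\b')

# Constructed sample: an INPUT chain that already holds other rules, with the
# rtpengine jump in second position (modelled on the reporter's ruleset).
RULESET_WITH_JUMP = """\
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ct state invalid counter packets 49 bytes 10984 drop
        ip protocol udp counter packets 4894 bytes 915243 jump rtpengine
        iifname "eth0" counter packets 475 bytes 54280 jump rules_int
    }
    chain rtpengine {
        counter packets 690 bytes 75019
    }
}
"""

# Constructed sample: the chain exists, but nothing jumps into it; the leading
# "XT target" line mimics the warning seen when the xtables module is absent.
RULESET_NO_JUMP = """\
XT target RTPENGINE not found
table ip filter {
    chain rtpengine {
        counter packets 0 bytes 0
    }
    chain INPUT {
        type filter hook input priority filter; policy accept;
        ct state related,established counter packets 1 bytes 2 accept
    }
}
"""


def parse_ruleset(text):
    """Return {(family, table): {chain: {'hook': str|None, 'rules': [str]}}}."""
    tables = {}
    table_key = None
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = TABLE_RE.match(line)
        if m:
            table_key = (m.group(1), m.group(2))
            tables[table_key] = {}
            continue
        m = CHAIN_RE.match(line)
        if m and table_key is not None:
            chain = {'hook': None, 'rules': []}
            tables[table_key][m.group(1)] = chain
            continue
        if line == '}':
            # A closing brace ends the current chain, or the table if no chain is open.
            if chain is not None:
                chain = None
            else:
                table_key = None
            continue
        if chain is None:
            continue  # warnings, "...." elisions and other text outside a chain
        m = HOOK_RE.search(line)
        if m:
            chain['hook'] = m.group(1)  # base-chain declaration line
        else:
            chain['rules'].append(line)
    return tables


def check_rtpengine_rules(text, family='ip', table='filter', target='rtpengine'):
    """Return {'ok': bool, 'findings': [str], 'jumps': [(chain, index, rule)]}.

    ok is True only when the target chain exists and some chain hooked on
    'input' jumps or gotos into it for UDP traffic, whatever its position.
    """
    findings, jumps = [], []
    chains = parse_ruleset(text).get((family, table))
    if chains is None:
        return {'ok': False, 'findings': [f'table {family} {table} not found'], 'jumps': []}
    if target not in chains:
        findings.append(f'chain {target} not found in table {family} {table}')
    jump_re = re.compile(rf'\b(jump|goto)\s+{re.escape(target)}\b')
    for name, ch in chains.items():
        if ch['hook'] != 'input':
            continue
        for idx, rule in enumerate(ch['rules']):
            if jump_re.search(rule):
                jumps.append((name, idx, rule))
                if 'udp' not in rule:
                    findings.append(f'{name} rule {idx} enters {target} without a udp match: {rule}')
    if not jumps:
        findings.append(f'no input-hook chain jumps to {target}')
    return {'ok': not findings, 'findings': findings, 'jumps': jumps}


if __name__ == '__main__':
    result = check_rtpengine_rules(sys.stdin.read())
    for chain, idx, rule in result['jumps']:
        print(f'{chain}[{idx}]: {rule}')
    print('rules check SUCCESSFUL' if result['ok'] else 'rules check NOT successful: ' + '; '.join(result['findings']))
    sys.exit(0 if result['ok'] else 1)
```

The index reported for the jump is the rule's position within its chain; rules ahead of it that terminate evaluation for UDP packets would keep traffic from ever reaching the rtpengine chain, which the `/proc/rtpengine/0/list` counters mentioned above would then also reflect.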

rfuchs commented 4 months ago

Ok I see the problem. Patch is coming.