Re: nft add chain ... No such file or directory

Hi Chris,

On Sun, Jul 29, 2018 at 03:30:42PM +0100, Christopher Baines wrote:
> Hey,
>
> So I've just started trying out nftables, but I've hit a snag:
>
>   ~# nft add chain inet filter input { type filter hook input priority 0 \; }
>   Error: Could not process rule: No such file or directory
>   add chain inet filter input { type filter hook input priority 0 ; }
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> The most promising description I could find about this, suggested that
> it was missing Linux modules that I needed to load, but I'm not sure
> which I'm missing. I've tried loading some randomly, but it hasn't
> helped [1]. The list tables command shows "table inet filter", so I
> think I have the prerequisites to create a chain.
>
> Any suggestions?
>
> Thanks,
>
> Chris
>
>
> 1: ~# lsmod | grep nf
> nf_socket_ipv4         16384  0
> nf_reject_ipv4         16384  0
> nft_reject             16384  0
> nft_limit              16384  0
> nft_log                16384  0
> nft_counter            16384  0
> nft_compat             20480  0
> nft_nat                16384  0
> nf_conntrack_ipv4      16384  1
> nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
> nf_nat_ipv4            16384  0
> nf_nat                 32768  2 nft_nat,nf_nat_ipv4
> nf_conntrack          126976  4 nf_conntrack_ipv4,nf_nat,nft_nat,nf_nat_ipv4
> libcrc32c              16384  2 nf_conntrack,nf_nat
> nft_set_bitmap         16384  0
> nft_set_hash           24576  0
> nft_set_rbtree         16384  0
> nf_tables              98304  9 nft_compat,nft_set_rbtree,nft_log,nft_nat,nft_set_bitmap,nft_counter,nft_limit,nft_set_hash,nft_reject
> x_tables               40960  3 iptable_filter,nft_compat,ip_tables
> nfnetlink              16384  2 nft_compat,nf_tables

Possibly nothing, but nft_compat is loaded - do you have iptables rules? Some
possible conflict?

Another thing you could try is to use nft's debug facility. Below is a session
using your rule starting from an empty ruleset. At what point does your output
start to differ?

Cheers ... Duncan.

===================================================

09:51:52# nft list ruleset
09:52:03# nft --debug netlink,mnl,proto-ctx,segtree add table inet filter
----------------        ------------------
|  0000000020  |        | message length |
| 00016 | R--- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 0a 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000040  |        | message length |
| 02560 | R--- |        |  type | flags  |
|  0000000001  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 01 00 00 00  |        |  extra header  |
|00011|--|00001|        |len |flags| type|
| 66 69 6c 74  |        |      data      |       f i l t
| 65 72 00 00  |        |      data      |       e r
|00008|--|00002|        |len |flags| type|
| 00 00 00 00  |        |      data      |
----------------        ------------------
----------------        ------------------
|  0000000020  |        | message length |
| 00017 | R--- |        |  type | flags  |
|  0000000002  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 0a 00  |        |  extra header  |
----------------        ------------------
09:56:01# nft --debug netlink,mnl,proto-ctx,segtree add chain inet filter input { type filter hook input priority 0 \; }
----------------        ------------------
|  0000000020  |        | message length |
| 02576 | R--- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 00 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000020  |        | message length |
| 02561 | R--- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 00 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000032  |        | message length |
| 02570 | R-A- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 01 00 00 00  |        |  extra header  |
|00011|--|00001|        |len |flags| type|
| 66 69 6c 74  |        |      data      |       f i l t
| 65 72 00 00  |        |      data      |       e r
----------------        ------------------
----------------        ------------------
|  0000000020  |        | message length |
| 02564 | R--- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 01 00 00 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000032  |        | message length |
| 02583 | R-A- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 01 00 00 00  |        |  extra header  |
|00011|--|00001|        |len |flags| type|
| 66 69 6c 74  |        |      data      |       f i l t
| 65 72 00 00  |        |      data      |       e r
----------------        ------------------
----------------        ------------------
|  0000000032  |        | message length |
| 02579 | R-A- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 01 00 00 00  |        |  extra header  |
|00011|--|00001|        |len |flags| type|
| 66 69 6c 74  |        |      data      |       f i l t
| 65 72 00 00  |        |      data      |       e r
----------------        ------------------
inet filter input use 0 type filter hook input prio 0 packets 0 bytes 0
----------------        ------------------
|  0000000020  |        | message length |
| 00016 | R--- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 0a 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000076  |        | message length |
| 02563 | R--- |        |  type | flags  |
|  0000000001  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 01 00 00 00  |        |  extra header  |
|00011|--|00001|        |len |flags| type|
| 66 69 6c 74  |        |      data      |       f i l t
| 65 72 00 00  |        |      data      |       e r
|00010|--|00003|        |len |flags| type|
| 69 6e 70 75  |        |      data      |       i n p u
| 74 00 00 00  |        |      data      |       t
|00020|N-|00004|        |len |flags| type|
|00008|--|00001|        |len |flags| type|
| 00 00 00 01  |        |      data      |
|00008|--|00002|        |len |flags| type|
| 00 00 00 00  |        |      data      |
|00011|--|00007|        |len |flags| type|
| 66 69 6c 74  |        |      data      |       f i l t
| 65 72 00 00  |        |      data      |       e r
----------------        ------------------
----------------        ------------------
|  0000000020  |        | message length |
| 00017 | R--- |        |  type | flags  |
|  0000000002  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 0a 00  |        |  extra header  |
----------------        ------------------
09:56:40# uname -r
4.17.11-k8_64
09:59:27# nft -v
nftables v0.9.0 (Fearless Fosdick)
10:01:52# lsmod | grep nf
nf_tables             114688  0
nfnetlink              16384  1 nf_tables
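
When comparing two such debug sessions, it helps to decode the "type" column: nfnetlink puts the subsystem id in the high byte and the message number in the low byte, so 02563 is NFT_MSG_NEWCHAIN in the nf_tables subsystem (id 10). The script below is an added example, not part of the original message; its function names are illustrative, and the sample input is rebuilt from the type/flags rows of the "add chain" session above.

```python
import re

NFNL_SUBSYS_NFTABLES = 10  # include/uapi/linux/netfilter/nfnetlink.h
# enum nf_tables_msg_types, include/uapi/linux/netfilter/nf_tables.h
NFT_MSG = ["NEWTABLE", "GETTABLE", "DELTABLE", "NEWCHAIN", "GETCHAIN", "DELCHAIN",
           "NEWRULE", "GETRULE", "DELRULE", "NEWSET", "GETSET", "DELSET",
           "NEWSETELEM", "GETSETELEM", "DELSETELEM", "NEWGEN", "GETGEN", "TRACE",
           "NEWOBJ", "GETOBJ", "DELOBJ", "GETOBJ_RESET",
           "NEWFLOWTABLE", "GETFLOWTABLE", "DELFLOWTABLE"]
BATCH = {16: "NFNL_MSG_BATCH_BEGIN", 17: "NFNL_MSG_BATCH_END"}
# Matches only the "| 02563 | R--- |  ...  |  type | flags  |" header row.
TYPE_ROW = re.compile(r"^\|\s*(\d+)\s*\|\s*([A-Z-]{4})\s*\|\s+\|\s*type\s*\|\s*flags")

def decode_type(nlmsg_type):
    """Split an nfnetlink message type into subsystem and message name."""
    subsys, msg = nlmsg_type >> 8, nlmsg_type & 0xFF
    if subsys == NFNL_SUBSYS_NFTABLES and msg < len(NFT_MSG):
        return "NFT_MSG_" + NFT_MSG[msg]
    if subsys == 0 and msg in BATCH:
        return BATCH[msg]
    return "unknown(subsys=%d,msg=%d)" % (subsys, msg)

def message_types(dump):
    """Return [(message name, flags)] for every netlink header in a dump."""
    out = []
    for line in dump.splitlines():
        m = TYPE_ROW.match(line.strip())
        if m:
            out.append((decode_type(int(m.group(1))), m.group(2)))
    return out

def first_difference(ref, other):
    """Index of the first message where two sessions diverge, else None."""
    for i, (a, b) in enumerate(zip(ref, other)):
        if a != b:
            return i
    return None if len(ref) == len(other) else min(len(ref), len(other))

# Sample input: type/flags rows of the "add chain" session above, attribute rows omitted.
ROWS = [(2576, "R---"), (2561, "R---"), (2570, "R-A-"), (2564, "R---"), (2583, "R-A-"),
        (2579, "R-A-"), (16, "R---"), (2563, "R---"), (17, "R---")]
REF = "\n".join("| %05d | %s |        |  type | flags  |" % r for r in ROWS)

if __name__ == "__main__":
    for name, flags in message_types(REF):
        print(flags, name)
```

Feed `message_types()` the saved output of each session and pass both results to `first_difference()` to find the first netlink message that differs.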