Hi Florian,
OK, I understand now.
- on RHEL/CentOS 8 I *was* using existing network interfaces, but
there are *no* nf_flow kernel modules available, and
- on Fedora 30/33 there *are* nf_flow kernel modules available, but I
was *not* using existing interface names
Both cases give off the same error message, which confused me.
I guess then this makes it problematic to use logical interfaces such
as bonds or bridges with flow tables, correct? In Fedora the systemd
unit file for the nftables.services states that nftables should start
before the network.pre-target:
[root@localhost system]# cat nftables.service
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target
[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include
"/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
At this stage Network Manager hasn't even begun to initialize, much
less create any logical interfaces. Therefore any bond or bridge
logical interface do not yet exist, and if they are referred to in the
*.nft files the nftables.service will simply fail with the "Error:
Could not process rule: No such file or directory" message.
Ideally I'd want to start nftables before the network comes online to
make sure everything is secure, but if I use logical interfaces is my
only recourse to change the nftables.service file so that nftables
only starts up after the network-online.target, which would open a
very short window where the network is up but not yet protected by
nftables yet? Or is there another way that I am not seeing?
Thanks,
-Martin
