
nftables on openmediavault



On Sun, Jan 10, 2021 at 07:12:04PM +0100, François Patte wrote:
> So, I think that some script, somewhere, intercepts the nftables config but
> I don't understand how.

I suspect you're running into the legacy compatibility converter for
the old iptables rules (iptables-nft).  IIRC that may kick in if it
detects that some old iptables kernel modules have been loaded and
overwrite your rules with the autoconverted old rules.  If they are
loaded you may have to manually unload them first.

I run nftables and on my system the command

  lsmod | grep 'x_\|table\|nft'

gives this output:

iptable_filter         16384  0
nft_fib_inet           16384  1
nft_fib_ipv4           16384  1 nft_fib_inet
nft_fib_ipv6           16384  1 nft_fib_inet
nft_fib                16384  3 nft_fib_ipv6,nft_fib_ipv4,nft_fib_inet
nft_counter            16384  28
nft_redir_ipv6         16384  1
nft_chain_nat_ipv6     16384  1
nf_nat_ipv6            16384  1 nft_chain_nat_ipv6
nft_redir_ipv4         16384  1
nft_redir              16384  2 nft_redir_ipv6,nft_redir_ipv4
nft_objref             16384  4
nft_log                16384  13
nf_tables_set          32768  28
nft_ct                 20480  92
nft_chain_nat_ipv4     16384  1
nf_nat_ipv4            16384  1 nft_chain_nat_ipv4
nf_nat                 36864  4 nf_nat_ipv6,nf_nat_ipv4,nft_redir_ipv6,nft_redir_ipv4
nf_conntrack          172032  9 nf_nat,nft_ct,nf_nat_ipv6,nf_nat_ipv4,nf_conntrack_sip,nft_redir,nf_conntrack_netlink,nft_redir_ipv6,nft_redir_ipv4
nf_tables             143360  448 nft_ct,nft_log,nft_chain_nat_ipv6,nft_chain_nat_ipv4,nft_fib_ipv6,nft_objref,nft_redir,nft_fib_ipv4,nft_counter,nft_redir_ipv6,nft_redir_ipv4,nf_tables_set,nft_fib,nft_fib_inet
nfnetlink              16384  8 nf_conntrack_netlink,nf_tables
ip_tables              28672  1 iptable_filter
x_tables               45056  2 iptable_filter,ip_tables

If you have e.g. iptable_mangle or any other of the ipt_ modules listed by

  ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_*

loaded, unload them first with rmmod.  For that you have to first
flush the tables with iptables -F as otherwise the rules might prevent
a module from being unloaded.

Also some scripts may be thrown off if some symlinks are configured in
a certain way through the update-alternatives subsystem.

On my system

  update-alternatives --list iptables

gives:

/usr/sbin/iptables-legacy
/usr/sbin/iptables-nft

My symlink still points to iptables-legacy (which was probably the
version that worked as I needed it during the migration), but since I
no longer use that and have forgotten exactly how it affected all of
this, you may have to figure that out on your own.  If all else fails
you may have to uninstall any iptables packages altogether to
eliminate all possible sources of interference.

Good luck,
Dennis.
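As an added example that is not part of the mail above: a small POSIX shell helper that automates the two checks Dennis describes. It picks out loaded legacy iptables/xtables modules (the ones `iptables-nft` may convert from) out of `lsmod`-style output and classifies which `iptables` alternative is selected, so a saved listing or the live system can be inspected before anything is flushed or unloaded. The function names and the `--live` switch are this example's own.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original mail): lists loaded
# legacy iptables/xtables kernel modules that could cause nftables rules
# to be clobbered, and reports which "iptables" alternative is selected.
# Module listings are read from stdin in `lsmod` format so the function
# works on a saved listing as well as on the live system.

# Print the names of loaded modules belonging to the legacy
# iptables/xtables stack (ipt_*, iptable_*, ip_tables, x_tables and
# their IPv6 counterparts); nf_tables/nft_* modules are not reported.
legacy_modules() {
    awk '$1 != "Module" && $1 ~ /^(ip6?table_|ip6?t_|ip6?_tables|x_tables)/ { print $1 }'
}

# Classify the path update-alternatives resolves for "iptables".
# Prints "legacy", "nft" or "unknown".
classify_alternative() {
    case "$1" in
        */iptables-legacy) echo legacy ;;
        */iptables-nft)    echo nft ;;
        *)                 echo unknown ;;
    esac
}

# Report on the running system (needs lsmod and, on Debian, update-alternatives).
report_live() {
    echo "Legacy iptables/xtables modules loaded:"
    lsmod | legacy_modules | sed 's/^/  /'
    if command -v update-alternatives >/dev/null 2>&1; then
        target=$(update-alternatives --query iptables 2>/dev/null | awk '/^Value:/ { print $2 }')
        echo "iptables alternative: ${target:-none} ($(classify_alternative "${target:-}"))"
    fi
}

# Run the live report only when asked, so the functions can be sourced
# or tested against constructed input without touching the system.
[ "${1:-}" = "--live" ] && report_live
```

Anything the report lists should be flushed with `iptables -F` (and the IPv6 equivalent) before `rmmod`, as the mail explains, since rules referencing a module keep it pinned.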