> Hello,
> On Mon, Oct 03, 2022 at 05:36:19PM -0400, Greg Wooledge wrote:
> > On Mon, Oct 03, 2022 at 05:01:21PM -0400, Dave Parker wrote:
> > > Oct 03 16:48:55 host systemd[1]: Starting nftables...
> > > Oct 03 16:48:55 host nft[926]: /etc/nftables.conf:4:1-37: Error: File not
> > > found: /root/nftables/ruleset.txt
> >
> > Sounds like the service might be chrooted.
> … so OP please show us
> $ systemctl cat nftables.service
> to see if there are any interesting options about restricting
> access to the filesystem.
Hello,
Thanks for pointing me in the right direction. I checked the service as you suggested:
----------
~# systemctl cat nftables.service
# /lib/systemd/system/nftables.service
[Unit]
Description=nftables
Documentation=man:nft(8) http://wiki.nftables.org
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no
[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset
[Install]
WantedBy=sysinit.target
----------
It turns out that the problem was the "ProtectHome=true" in the service config. According to the systemd documentation[1]:
"If true, the directories /home, /root and /run/user are made inaccessible and empty for processes invoked by this unit."
So, I copied /lib/systemd/system/nftables.service to /etc/systemd/system/nftables.service, set ProtectHome=false, ran "systemctl daemon-reload", and now it works!
Thank you!
--
Dave Parker '11
Database & Systems Administrator
Utica University
Integrated Information Technology Services
315-792-3229
He/Him
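An added example, not part of Dave's message or anything else in this thread: a small POSIX shell check that reads a unit file (the text `systemctl cat` prints) and an nftables.conf, and reports every absolute `include` path that sits under /home, /root or /run/user while the unit has ProtectHome enabled. That is exactly the combination behind the "File not found" error quoted above. The sample unit and ruleset are constructed here and written to a temporary directory; the function names (`check_ruleset`, `protected_path`, `unit_protects_home`, `nft_includes`) are my own.

```shell
#!/bin/sh
# Added example: find nftables include paths that ProtectHome= would hide from nft.
# Not code from the original thread; the helpers below are invented for illustration.
set -u

# Directories that ProtectHome=true makes inaccessible and empty (systemd.exec(5)).
PROTECTHOME_DIRS="/home /root /run/user"

# Print the quoted path of every `include "..."` line in an nft ruleset file.
# Relative includes are resolved by nft under /etc, so only absolute paths matter here.
nft_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Return 0 when the path is one of the masked directories or lies beneath one.
protected_path() {
    pp_path="$1"
    for pp_dir in $PROTECTHOME_DIRS; do
        case "$pp_path" in
            "$pp_dir"|"$pp_dir"/*) return 0 ;;
        esac
    done
    return 1
}

# Return 0 when the unit's effective ProtectHome= value hides /root, /home, /run/user.
# systemd takes the last assignment; read-only leaves the files readable, so it is not flagged.
unit_protects_home() {
    uph_val=$(sed -n 's/^[[:space:]]*ProtectHome=[[:space:]]*//p' "$1" | tail -n 1)
    case "$uph_val" in
        true|yes|on|1|tmpfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: check_ruleset UNIT_FILE NFT_CONF
# Prints one line per masked include and returns 1 if any were found, 0 otherwise.
check_ruleset() {
    cr_unit="$1"; cr_conf="$2"
    unit_protects_home "$cr_unit" || return 0
    cr_bad=$(nft_includes "$cr_conf" | while IFS= read -r inc; do
        if protected_path "$inc"; then printf '%s\n' "$inc"; fi
    done)
    [ -n "$cr_bad" ] || return 0
    printf '%s\n' "$cr_bad" | while IFS= read -r inc; do
        echo "$cr_conf: include \"$inc\" is under a directory masked by ProtectHome"
    done
    return 1
}

# Constructed sample input mirroring the thread: ProtectHome=true plus an include under /root.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/nftables.service" <<'EOF'
# /lib/systemd/system/nftables.service
[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
EOF
cat > "$demo_dir/nftables.conf" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
include "/root/nftables/ruleset.txt"
include "/etc/nftables.d/*.nft"
EOF

if check_ruleset "$demo_dir/nftables.service" "$demo_dir/nftables.conf"; then
    echo "ok: every include is visible to the sandboxed nft process"
else
    echo "nft -f will fail under this unit with 'File not found' for the paths above"
fi
```

Two points a practitioner would weigh before copying the fix in the message above. Setting ProtectHome=false works, but it gives up part of the sandbox the Debian unit ships with; keeping ProtectHome=true and moving the included file under /etc (for instance /etc/nftables.d/) removes the error without loosening anything. And overriding a single setting is better done with a drop-in (`systemctl edit nftables.service`, which writes /etc/systemd/system/nftables.service.d/override.conf) than by copying the whole unit into /etc/systemd/system, because the copy shadows the packaged unit and will not pick up future package updates to it.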