Nftables cannot process any commands

Question

After updating from Stretch to Buster and moving from iptables to nftables, the nft command doesn't process any given command except for list, which doesn't print anything.

The input nft flush ruleset prints:

Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^

nft create table inet filter

Error: Could not process rule: Invalid argument
create table inet filter
^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Invalid argument
create table inet filter
^^^^^^^^^^^^^^^^^^^^^^^^^

Even with the initial config in the debian package, it prints an error for each line in it.

nft -f /etc/nftables.conf

/etc/nftables.conf :

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}

/etc/nftables.conf:3:1-14: Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
/etc/nftables.conf:5:1-2: Error: Could not process rule: Invalid argument
table inet filter {
^^
/etc/nftables.conf:6:15-19: Error: Could not process rule: Invalid argument
    chain input {
                 ^^^^^
/etc/nftables.conf:9:15-21: Error: Could not process rule: Invalid argument
    chain forward {
                 ^^^^^^^
/etc/nftables.conf:12:15-20: Error: Could not process rule: Invalid argument
    chain output {
                 ^^^^^^
/etc/nftables.conf:3:1-14: Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
/etc/nftables.conf:5:1-2: Error: Could not process rule: Invalid argument
table inet filter {
^^
/etc/nftables.conf:6:15-19: Error: Could not process rule: Invalid argument
    chain input {
                 ^^^^^
/etc/nftables.conf:9:15-21: Error: Could not process rule: Invalid argument
    chain forward {
                 ^^^^^^^
/etc/nftables.conf:12:15-20: Error: Could not process rule: Invalid argument
    chain output {
                 ^^^^^^

Distro: Debian GNU/Linux 10 (buster)

nft: nftables v0.9.0 (Fearless Fosdick)

That problem is interesting. I have never experienced it. Please, could you run `strace nft list ruleset` and provide its output? Could you also check for relevant data in journal by running `journalctl -f` concurrently? What modules (`lsmod`) are loaded in your kernel? — Anderson Medeiros Gomes, Oct 04 '19 at 17:41
Ohhhh, yeah, that's probably it. I have this problem on a VPS running in openVZ, which is a container system for Linux OSes, kinda like LXC. In such environment, lsmod displays nothing and modules can't be installed or removed, because the kernel is shared between multiple systems, so the provider probably just doesn't load the nft module. — Martin Horský, Oct 05 '19 at 06:48
Then, we may have reached the point. Under a containerized environment, I believe `nft` will work correctly after having it initialized on the host system. In such scenario, because concurrent use of both `iptables` and `nftables` is not supported, I recommend disabling `iptables` modules explicitly: `# echo -e 'blacklist xtables\ninstall x_tables /bin/false' > /etc/modprobe.d/x_tables-disable.conf`. For the sake of documentation, please could you answer your own question? I do not have an openVZ environment handy. — Anderson Medeiros Gomes, Oct 05 '19 at 07:00

score 0 · Accepted Answer · answered Oct 06 '19 at 09:06

Found out the issue was, that the nf_tables module wasn't loaded. The problem persisted on the VPS, that was running in openVZ, which is a container based virtualisation. And since the iptables and nftables modules cannot run simultaneously, the provider rather wouldn't break everyones systems just to support nftables.

Nftables cannot process any commands

1 Answers1