nftables service fails on boot

CaffeineAddict

Bash:
sudo lnav /var/log/boot.log

Boot log:
Code:
System: clean, 617934/28925952 files, 45069605/115700736 blocks
[FAILED] Failed to start nftables.service - nftables.
[FAILED] Failed to start nftables.service - nftables.
[  OK  ] Finished plymouth-read-write.service - Tell Plymouth To Write Out Runtime Data.
         Mounting proc-sys-fs-binfmt_misc.mount - Arbitrary Executable File Formats File System...
[  OK  ] Mounted proc-sys-fs-binfmt_misc.mount - Arbitrary Executable File Formats File System.
[  OK  ] Finished systemd-binfmt.service - Set Up Additional Binary Formats.
etc...

Firewall service after boot is fine though, or is it not?:

Bash:
sudo systemctl status nftables

● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: enabled)
     Active: active (exited) since Tue 2024-10-01 20:39:26 CEST; 1h 56min ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 905 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 905 (code=exited, status=0/SUCCESS)
        CPU: 21ms

lis 01 20:39:26 msi systemd[1]: Starting nftables.service - nftables...
lis 01 20:39:26 msi systemd[1]: Finished nftables.service - nftables.

All firewall rules are loaded, and confirmed with sudo nft list ruleset after login to system.

How to troubleshoot a failure during boot? Which log should I look into to figure out the problem?
 


Are you able to run the script without systemd? A systemd script must return 0 to be considered successful. What exit code are you getting? Run the script from the command line and then use echo $? to find out.

Signed,

Matthew Campbell
 
Are you able to run the script without systemd? A systemd script must return 0 to be considered successful. What exit code are you getting? Run the script from the command line and then use echo $? to find out.

Signed,

Matthew Campbell
I have no issues loading the ruleset; during boot all that's done is the nftables service running the exported ruleset from /etc/nftables.conf.
There are no exit codes from what I know.
 
Are you manually able to start the nftables service after the system is booted?
 
Are you manually able to start the nftables service after the system is booted?
It's already started, and I can stop/start/restart it without issues.
I can also reload ruleset from /etc/nftables.conf without error as well as list ruleset to confirm it's loaded.
 
It's already started, and I can stop/start/restart it without issues.
I don't get the problem then? The ruleset loads, and you are only getting the problem during boot, where it says that nftables.service failed?
 
I don't get the problem then? The ruleset loads, and you are only getting the problem during boot, where it says that nftables.service failed?
Yes, it's really strange. I'm now going to roll back my commits on GitHub until the offending commit is found.
I suspect the problem is that ruleset load fails during boot because at that stage no network is established.
So I'll go figure out which rules are affecting that and then share feedback if any.
 
Yes, it's really strange. I'm now going to roll back my commits on GitHub until the offending commit is found.
Yeah, that's what I would have suggested then, or load a default ruleset and see what happens. After which you can add one rule at a time until you come across the one that causes it.
 
I have no issues loading the ruleset; during boot all that's done is the nftables service running the exported ruleset from /etc/nftables.conf.
There are no exit codes from what I know.
Every script has an exit code. Try running the script by itself without systemd running it at boot time, after clearing all firewall rules so that doesn't get in the way, and then use echo $? to see the exit code from the script. You will need a script in /etc/init.d/ with the correct header to use a systemd unit file.

Signed,

Matthew Campbell
 
This is my script /etc/init.d/ftpd:

Code:
#!/bin/bash

### BEGIN INIT INFO
# Provides:          ftpd
# Required-Start:
# Required-Stop:
# Default-Start:     4 5
# Default-Stop:      0 1 2 3 6
# Short-Description: Starts the anonymous ftp server.
# Description:
### END INIT INFO

#
# Start the ftpd server.
#
/usr/sbin/ftpd -4 -A -D --umask 0777
#
exit 0
#
# EOF

This should provide an example of what you'll need for your firewall script.

Signed,

Matthew Campbell
 
Yeah, that's what I would have suggested then, or load a default ruleset and see what happens. After which you can add one rule at a time until you come across the one that causes it.
Figured out the problem was with the ingress hook which looks like this:

Bash:
#!/usr/sbin/nft -f

add table netdev nic_table

add chain netdev nic_table wifi_in {
    # filter = 0
    type filter hook ingress devices = $physical_nic priority filter; policy drop;
}

# What follows are allow rules of various sorts; no matter what rules are in place, the ingress hook will produce the failure
$physical_nic is an array of all physical NICs on my PC so that I capture them all at once.

Every script has an exit code. Try running the script by itself without systemd running it at boot time, after clearing all firewall rules so that doesn't get in the way, and then use echo $? to see the exit code from the script.
I guess this applies to bash scripts, but all my rule and chain scripts are nft scripts, which don't produce exit codes.

---

Now while the issue is known, what's unknown is why ingress hook fails?

It doesn't matter if I set it to all NICs or only a specific NIC, e.g.

Bash:
add chain netdev nic_table wifi_in {
    # filter = 0
    type filter hook ingress device wlan0 priority filter; policy drop;
}

I assume the device(s) are not UP during boot so the hook fails.
However the question is, how to make use of netdev chain then?
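As an added example (not code from the thread, and not part of nftables' own tooling), the POSIX-shell pre-flight check below addresses both the original question (what to run, and which log to read, when the unit fails at boot) and the finding above (a netdev chain bound to an interface that does not exist yet). It assumes the thread's /etc/nftables.conf layout; the define name physical_nic, the interface names and the sysfs directory override are constructed for illustration. `nft -c -f` and `journalctl -b -u` are real options of those tools.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an nft script.
# It lists the interfaces that netdev ingress/egress chains bind to and reports
# which of them do not exist yet, the condition under which the thread reports
# "add chain netdev ... hook ingress" failing during boot.
# File paths, interface names and the define name below are assumptions.

# Print the raw right-hand side of "define NAME = ..." from an nft script.
nft_define_value() {
    # $1: nft script, $2: variable name without the leading "$"
    sed -e 's/#.*//' "$1" \
      | sed -n -E "s/^[[:space:]]*define[[:space:]]+$2[[:space:]]*=[[:space:]]*(.*)/\1/p"
}

# Print, one per line and sorted, every interface named by a netdev chain:
#   ... hook ingress device wlan0 ...
#   ... hook ingress devices = { eth0, wlan0 } ...
#   ... hook ingress devices = $physical_nic ...   (resolved through its define)
nft_netdev_devices() {
    conf=$1
    sed -e 's/#.*//' "$conf" \
      | grep -E 'hook[[:space:]]+(ingress|egress)' \
      | sed -n -E \
          -e 's/.*devices[[:space:]]*=[[:space:]]*[{]([^}]*)[}].*/\1/p' \
          -e 's/.*devices[[:space:]]*=[[:space:]]*[$]([A-Za-z_][A-Za-z0-9_]*).*/$\1/p' \
          -e 's/.*device[[:space:]]+([^[:space:];]+).*/\1/p' \
      | tr ',' '\n' | tr -d ' \t' \
      | while IFS= read -r name; do
            case $name in
                '')   ;;
                '$'*) nft_define_value "$conf" "${name#\$}" | tr ',' '\n' | tr -d ' \t{}' ;;
                *)    printf '%s\n' "$name" ;;
            esac
        done \
      | grep -v '^$' | sort -u
}

# Return 0 when every interface referenced by a netdev chain exists, 1 otherwise.
# $2 overrides the sysfs directory (default /sys/class/net) so the check can be
# exercised against a constructed directory tree.
nft_check_netdev_devices() {
    conf=$1
    netdir=${2:-/sys/class/net}
    missing=0
    for dev in $(nft_netdev_devices "$conf"); do
        if [ -e "$netdir/$dev" ]; then
            echo "present: $dev"
        else
            echo "MISSING: $dev (a netdev chain bound to it cannot be created yet)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Dry-run the script with nft itself and surface the exit code the unit would
# see: 'nft -c -f FILE' parses and checks the ruleset without committing it.
nft_dry_run() {
    nft -c -f "$1"
    rc=$?
    echo "nft -c -f $1 exited with $rc"
    return "$rc"
}

# Usage on the live system (as root, with nft installed):
#   nft_check_netdev_devices /etc/nftables.conf
#   nft_dry_run /etc/nftables.conf
#   journalctl -b -u nftables.service      # the unit's own output from this boot
```

The check reads the interfaces from the same file the unit loads, so it tells you before a reboot whether a netdev chain depends on a device that may not exist at the moment nftables.service runs. A common way to keep the rest of the ruleset loading regardless is to move the netdev family into its own file and load it from a unit ordered after the device unit systemd creates for the interface (sys-subsystem-net-devices-wlan0.device for wlan0), leaving the inet/ip tables in /etc/nftables.conf where they load fine with the interfaces down.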
 
Figured out the problem was with the ingress hook which looks like this:

Bash:
#!/usr/sbin/nft -f

add table netdev nic_table

add chain netdev nic_table wifi_in {
    # filter = 0
    type filter hook ingress devices = $physical_nic priority filter; policy drop;
}

# What follows are allow rules of various sorts; no matter what rules are in place, the ingress hook will produce the failure
$physical_nic is an array of all physical NICs on my PC so that I capture them all at once.


I guess this applies to bash scripts, but all my rule and chain scripts are nft scripts, which don't produce exit codes.

---

Now while the issue is known, what's unknown is why ingress hook fails?

It doesn't matter if I set it to all NICs or only a specific NIC, e.g.

Bash:
add chain netdev nic_table wifi_in {
    # filter = 0
    type filter hook ingress device wlan0 priority filter; policy drop;
}

I assume the device(s) are not UP during boot so the hook fails.
However the question is, how to make use of netdev chain then?
The network devices do not need to be up before setting up the firewall. I set up my firewall in single user mode while the network devices are still down. Are you sure you're allowed to use an array like that? You might try setting each rule for one address at a time. nft uses addresses for the rules. It might use a device, but I'm not sure. I've never tried to use it that way.

Signed,

Matthew Campbell
 
The network devices do not need to be up before setting up the firewall. I set up my firewall in single user mode while the network devices are still down. Are you sure you're allowed to use an array like that? You might try setting each rule for one address at a time. nft uses addresses for the rules. It might use a device, but I'm not sure. I've never tried to use it that way.
Yes, it works with devices being down in all cases like you said, except for netdev family.

I'm sure I can use an array, I've learned about it from a tutorial, but that doesn't matter, even if I specify only one device it also doesn't work.

Reason why I need netdev is to be able to filter layer 2 traffic and to implement DDoS rules which should be placed there (before filtering) for performance reasons:

See netdev description at the bottom:
 

