Kees de Jong
2021-Oct-12 18:58 UTC
[CentOS] nftables not working (missing kernel modules?)
It seems like I'm missing some modules or something? I can't seem to load the default /etc/nftables/main.nft on my CentOS 8 ISO. I get the following errors:

```
nft -f /etc/nftables/main.nft
/etc/nftables/main.nft:21:6-22: Error: Could not process rule: Operation not supported
    set allowed_protocols {
        ^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:21:6-22: Error: Could not process rule: No such file or directory
    set allowed_protocols {
        ^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:27:6-23: Error: Could not process rule: Operation not supported
    set allowed_interfaces {
        ^^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:27:6-23: Error: Could not process rule: No such file or directory
    set allowed_interfaces {
        ^^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:33:6-23: Error: Could not process rule: Operation not supported
    set allowed_tcp_dports {
        ^^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:33:6-23: Error: Could not process rule: No such file or directory
    set allowed_tcp_dports {
        ^^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:40:3-37: Error: Could not process rule: No such file or directory
  ct state established,related accept
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:42:3-40: Error: Could not process rule: No such file or directory
  meta l4proto @allowed_protocols accept
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:43:3-36: Error: Could not process rule: No such file or directory
  iifname @allowed_interfaces accept
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:44:3-38: Error: Could not process rule: No such file or directory
  tcp dport @allowed_tcp_dports accept
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:53:3-41: Error: Could not process rule: No such file or directory
  reject with icmpx type port-unreachable
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

After loading some modules, the errors are reduced to just one.

```
nf_defrag_ipv6
nf_defrag_ipv4
nft_ct
nf_conntrack
nf_tables_set
nf_tables
nfnetlink
```

What could I still be missing here?
Is there a way to simply get full support to do firewalling in these cases?

```
nft -f /etc/nftables/main.nft
/etc/nftables/main.nft:53:3-41: Error: Could not process rule: No such file or directory
  reject with icmpx type port-unreachable
```

--
Kees de Jong | Supercomputing | https://www.surf.nl/en/about-surf
OpenPGP fingerprint: 0x0E45C98AB51428E6
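One way to make that output easier to work through, added here as an example and not code from the original post or from CentOS: a POSIX shell helper that parses the `Could not process rule` blocks nft prints, merges the double report per source line, and wraps `nft -c -f` so a ruleset can be checked without applying it. The sample error text is constructed to match the post's output; `nft_check_ruleset` assumes `nft` is on PATH.

```shell
# Added example (not part of the original post): summarise which source lines
# of an nftables ruleset the kernel refused, from nft's error output. Per
# failure nft prints "path:LINE:COL-COL: Error: Could not process rule: REASON",
# the offending source line, then a caret line. "Operation not supported"
# (EOPNOTSUPP) and "No such file or directory" (ENOENT) come from the kernel
# when the expression or set backend a rule needs is not available (module
# not loaded or not built in). Assumes the ruleset path contains no ':'.
# nft_failed_rules: read nft error output on stdin, print one line per failing
# source line as "LINE<TAB>REASONS<TAB>RULE", sorted by line number. nft reports
# a set twice (unsupported, then missing); both reasons are kept.
nft_failed_rules() {
    awk '
        /: Error: Could not process rule: / {
            split($0, f, ":"); line = f[2]
            reason = $0; sub(/^.*Could not process rule: /, "", reason)
            if (line in reasons) reasons[line] = reasons[line] "; " reason
            else reasons[line] = reason
            pending = line; next
        }
        pending != "" {
            rule = $0; sub(/^[[:space:]]+/, "", rule)
            rules[pending] = rule; pending = ""; next
        }
        END { for (l in rules) printf "%s\t%s\t%s\n", l, reasons[l], rules[l] }
    ' | sort -n
}

# nft_check_ruleset FILE: check the ruleset without applying it (nft -c) and
# summarise any refused lines; returns 0 only when the whole file loads.
nft_check_ruleset() {
    out=$(nft -c -f "$1" 2>&1) && { echo "ruleset loads cleanly"; return 0; }
    printf '%s\n' "$out" | nft_failed_rules
    return 1
}

# Constructed sample shaped like the output in the post, for offline use.
sample_nft_errors() {
    cat <<'EOF'
nft -f /etc/nftables/main.nft
/etc/nftables/main.nft:21:6-22: Error: Could not process rule: Operation not supported
    set allowed_protocols {
        ^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:21:6-22: Error: Could not process rule: No such file or directory
    set allowed_protocols {
        ^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:53:3-41: Error: Could not process rule: No such file or directory
  reject with icmpx type port-unreachable
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
EOF
}
```

Run `sample_nft_errors | nft_failed_rules` to see the summary for the constructed sample, or `nft_check_ruleset /etc/nftables/main.nft` on a real host.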