bugzilla-daemon at netfilter.org
2018-Jun-21 08:13 UTC
[Bug 1263] New: Device or resource busy on nat loading.
https://bugzilla.netfilter.org/show_bug.cgi?id=1263
Bug ID: 1263
Summary: Device or resource busy on nat loading.
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Gentoo
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: koalinux at gmail.com
Hi,
I receive such a kind of message when I try to load the following table
on any vanilla kernel > 4.15.18:
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wlp3s0" masquerade
        oifname "tun0" masquerade
    }
}
kernel config looks like:
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=m
# CONFIG_NF_LOG_NETDEV is not set
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_PROTO_DCCP=y
CONFIG_NF_NAT_PROTO_UDPLITE=y
CONFIG_NF_NAT_PROTO_SCTP=y
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=m
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_INET is not set
# CONFIG_NF_TABLES_NETDEV is not set
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_RT=m
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_CT=m
CONFIG_NFT_SET_RBTREE=m
CONFIG_NFT_SET_HASH=m
CONFIG_NFT_SET_BITMAP=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_FIB=m
# CONFIG_NF_FLOW_TABLE is not set
CONFIG_NETFILTER_XTABLES=m
The interfaces exist and are valid, created by netifrc:
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 100
This loads correctly in 4.15.18, so it looks like a regression after that. I'll
update with the exact output in the near future.
José
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20180621/cf64b1d8/attachment.html>
bugzilla-daemon at netfilter.org
2018-Jun-21 08:38 UTC
[Bug 1263] Device or resource busy on nat loading.
https://bugzilla.netfilter.org/show_bug.cgi?id=1263
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fw at strlen.de
--- Comment #1 from Florian Westphal <fw at strlen.de> ---
Make sure iptable_nat and ip6table_nat modules are not present/loaded.
This restriction was added in 4.16 as parallel use of iptables/nftables nat
doesn't work. The next Linux release (4.18?) doesn't have this limitation
anymore.
bugzilla-daemon at netfilter.org
2018-Jun-21 09:12 UTC
[Bug 1263] Device or resource busy on nat loading.
https://bugzilla.netfilter.org/show_bug.cgi?id=1263
--- Comment #2 from José Pekkarinen <koalinux at gmail.com> ---
Exact output:
# rc-service nftables restart
* Loading nftables state and starting firewall ...
/var/lib/nftables/rules-save:25:15-24: Error: Could not process rule: Device or resource busy
chain prerouting {
      ^^^^^^^^^^
/var/lib/nftables/rules-save:29:15-25: Error: Could not process rule: Device or resource busy
chain postrouting {
      ^^^^^^^^^^^
/var/lib/nftables/rules-save:31:17-43: Error: Could not process rule: No such file or directory
oifname "wlp3s0" masquerade
^^^^^^^^^^^^^^^^^^^^^^^^^^^
/var/lib/nftables/rules-save:32:17-41: Error: Could not process rule: No such file or directory
oifname "tun0" masquerade
^^^^^^^^^^^^^^^^^^^^^^^^^
[ !! ]
* ERROR: nftables failed to start
bugzilla-daemon at netfilter.org
2018-Jun-21 09:13 UTC
[Bug 1263] Device or resource busy on nat loading.
https://bugzilla.netfilter.org/show_bug.cgi?id=1263
--- Comment #3 from José Pekkarinen <koalinux at gmail.com> ---
Created attachment 540
--> https://bugzilla.netfilter.org/attachment.cgi?id=540&action=edit
dmesg
bugzilla-daemon at netfilter.org
2018-Jun-21 09:14 UTC
[Bug 1263] Device or resource busy on nat loading.
https://bugzilla.netfilter.org/show_bug.cgi?id=1263
--- Comment #4 from José Pekkarinen <koalinux at gmail.com> ---
(In reply to Florian Westphal from comment #1)
> make sure iptable_nat and ip6table_nat modules are not present/loaded.
> This restriction was added in 4.16 as parallel use of iptables/nftables nat
> doesn't work. The next Linux release (4.18?) doesn't have this limitation
> anymore.
Seems they get auto-loaded. I tried blacklisting in /etc/modprobe.d and on the
kernel cmdline; neither prevents them from loading. When trying to modprobe -r,
ip6table_nat unloads, iptable_nat doesn't, and it gets into a rabbit hole of
"used by" others, nf_nat_ipv4 among others.
bugzilla-daemon at netfilter.org
2018-Jun-21 10:25 UTC
[Bug 1263] Device or resource busy on nat loading.
https://bugzilla.netfilter.org/show_bug.cgi?id=1263
--- Comment #5 from José Pekkarinen <koalinux at gmail.com> ---
I confirm that changing:
# CONFIG_IP_NF_NAT is not set
# CONFIG_IP6_NF_NAT is not set
stops loading the modules and loads the table correctly. Thanks guys!
José.
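A pre-flight check that an operator could run before loading the nat table, added here as an example; it is not code from the bug report or from the netfilter project. It encodes Florian's condition from comment #1 (restriction present in 4.16 and 4.17, gone in 4.18) and the reporter's config change from comment #5; the function names are my own, and the module listing below is constructed to resemble /proc/modules on an affected box.

```shell
#!/bin/sh
# Added example, not part of bug 1263: pre-flight check before loading an
# nft "table ip nat" on Linux 4.16/4.17, where a loaded iptable_nat or
# ip6table_nat makes the nat chain registration fail with EBUSY.
# All inputs are passed in, so the check also runs on constructed data.

# 0 if "$1" (e.g. "4.17.2-gentoo") is in the affected range [4.16, 4.18).
kernel_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -eq 4 ] && [ "$minor" -ge 16 ] && [ "$minor" -lt 18 ]
}

# Reads a /proc/modules-style listing on stdin, prints any conflicting
# xtables NAT module names, returns 0 if at least one was found.
conflicting_nat_modules() {
    awk '$1 == "iptable_nat" || $1 == "ip6table_nat" { print $1; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Reads a kernel .config on stdin; 0 if it still builds the xtables NAT
# modules, i.e. the "is not set" change from comment #5 is not applied.
config_builds_xtables_nat() {
    grep -Eq '^CONFIG_IP6?_NF_NAT=[ym]'
}

# 0 when it is safe to load the nat table; 1 (with a diagnostic) when the
# kernel is affected and a conflicting module is currently loaded.
nat_preflight() {
    release=$1
    modules=$2
    kernel_affected "$release" || return 0
    found=$(printf '%s\n' "$modules" | conflicting_nat_modules) || return 0
    printf 'kernel %s: unload before loading nft nat: %s\n' "$release" \
        "$(printf '%s' "$found" | tr '\n' ' ')"
    return 1
}

# Constructed sample resembling /proc/modules on the reporter's machine.
SAMPLE_MODULES='nft_masq_ipv4 16384 2 - Live 0x0000000000000000
iptable_nat 16384 0 - Live 0x0000000000000000
nf_nat_ipv4 16384 2 iptable_nat,nft_masq_ipv4, Live 0x0000000000000000
ip6table_nat 16384 0 - Live 0x0000000000000000
nf_tables 131072 9 nft_masq_ipv4, Live 0x0000000000000000'

# Live usage: nat_preflight "$(uname -r)" "$(cat /proc/modules)"
```

On a live system, pipe `/proc/config.gz` (via `zcat`) or the build tree's `.config` into `config_builds_xtables_nat` to see whether the comment #5 change is in place.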
bugzilla-daemon at netfilter.org
2018-Jun-21 10:26 UTC
[Bug 1263] Device or resource busy on nat loading.
https://bugzilla.netfilter.org/show_bug.cgi?id=1263
José Pekkarinen <koalinux at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WORKSFORME