nftables does not work on raspbian and nf_tables kernel module missing

[blzbrg]

Has anyone gotten nftables working on raspberry pi? I am having a lot of trouble.
nftables seems to install from apt-get alright (the nft command runs) but all nft command operations fail, e.g.

Code: Select all

 
 $ sudo nft -f /etc/nftables/inet-filter 
/etc/nftables/inet-filter:3:1-2: Error: Could not add table: Invalid argument
table inet filter {
^^

etc/nftables/inet-filter comes with the nftables install so I am reasonably confident it is not broken.
It turns out that the kernel module nf_tables needed for nftables (source) is missing:

Code: Select all

$ modinfo nf_tables
modinfo: ERROR: Module nf_tables not found.

This is a fairly fresh raspbian coming from the image "2017-07-05-raspbian-jessie-lite" using the jessie repos.
The kernel number should be high enough for nftables:

Code: Select all

$ uname -a
Linux raspberrypi 4.9.35-v7+ #1014 SMP Fri Jun 30 14:47:43 BST 2017 armv7l GNU/Linux

Any suggestions appreciated, thanks.

[topguy]

I just tested on Raspbian Stretch Lite, installed nftables. That did not give me any example scripts in /etc but there are som in /usr/doc

ref.
https://packages.debian.org/stretch/arm ... s/filelist

After testing with one of those scripts with no error there is a "nfnetlink" module on top when I do "lsmod".

Also example from here worked: https://wiki.nftables.org/wiki-nftables ... orkstation

[blzbrg]

I have nfnetlink also, do you not have the module nf_tables? My laptop computer has nf_tables kernel module loaded to support nftables.

Code: Select all

$ zcat /proc/conifig.gz | grep NF_TABLES
# CONFIG_NF_TABLES is not set

I _think_ shows that the kernel was built without the options NF_TABLES set and cannot be used with nftables, but I am not totally certain.
I am trying an upgrade right now since nothing was keeping me on the old stable other than noticing that a new stable was out

[topguy]

I couldnt find a copy of the kernel config in boot or in /proc so I went here https://github.com/raspberrypi/linux/bl ... _defconfig and looked at what I assumed was the config.

I could find CONFIG_NETFILTER and thought that might enough but I see my Ubuntu has a "CONFIG_NF_TABLES=m" so you are probably right. And those examples I tested might not use the "tables" functionality of Netfilter.

[rpdom]

I couldnt find a copy of the kernel config in boot or in /proc

sudo modprobe configs

Will make the /proc/config.gz file available.

[blzbrg]

And those examples I tested might not use the "tables" functionality of Netfilter.

Those are nftables rules files, and the nft command is frontend for nftables, so I think that should exercise it.

After I got on a similar version to you I still don't have the kernel mod nf_tables. While there is no error text, there is an error return code:

Code: Select all

$ sudo nft -f /usr/share/doc/nftables/examples/syntax/inet-filter
$ echo $?
255
$ sudo nft list table inet filter
internal:0:0-0: Error: Could not receive tables from kernel: Invalid argument

'list table inet filter' works on my arch computer using nftables _and_ is documented syntax (naturally there is undocumented nftables sytnax, but let's not get into that). Additionally, it is not just an inet family problem:

Code: Select all

$ sudo nft -f /usr/share/doc/nftables/examples/syntax/ipv4-filter
$ sudo nft list table ipv4-filter
internal:0:0-0: Error: Could not receive tables from kernel: Invalid argument

So it is presumably broken in the same way for you. man nft does not document what error code 255 means
Finally, man nft says that errors like I was initially seeing where the entire error is underlined indicate kernel errors (rather than syntax errors), which lends further credence to my theory that the kernel support is just missing from raspbian kernel.

[raspi-user.france]

nftables support was not included in Raspbian Stretch (unlike Debian Stretch) unfortunately. Cf. this ticket:

https://github.com/raspberrypi/linux/issues/2177

[blzbrg]

nftables support was not included in Raspbian Stretch (unlike Debian Stretch) unfortunately. Cf. this ticket:

https://github.com/raspberrypi/linux/issues/2177

many thanks for the reference, I will go there for any further discussion, or complaining to the package maintainers and devs. I wish they had completely removed the nftables package if they knew it wasn't going to work with their kernel, but maybe they didn't know until after release.