# nftables starting trouble [abandoned]

## josephg

i'm having some starting trouble migrating from iptables to nftables following the wiki.

these rules are from http://wiki.gentoo.org/wiki/nftables/Examples#Typical_workstation_.28separate_IPv4_and_IPv6.29

```
$ cat /etc/conf.d/nftables.rules
#!/sbin/nft -f

flush ruleset

# filter
table ip filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "drop invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                iifname lo accept comment "accept loopback"
                iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all icmp types"
                tcp dport 22 counter accept comment "accept ssh"
                counter comment "count dropped packets"
        }
        chain output {
                type filter hook output priority 0; policy accept;
                counter comment "count accepted packets"
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
}
```

```
# nft list tables
# nft -f /etc/conf.d/nftables.rules
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Operation not supported
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Protocol wrong type for socket
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Protocol wrong type for socket
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
# nft list tables
#
```

Last edited by josephg on Sat Jun 17, 2017 8:53 pm; edited 5 times in total

----------

## josephg

** deleted **

Last edited by josephg on Sat Jun 17, 2017 9:26 pm; edited 4 times in total

----------

## Ant P.

/var/lib/nftables/rules-save is the correct location if using OpenRC.

----------

## josephg

*Ant P. wrote:*

> /var/lib/nftables/rules-save is the correct location if using OpenRC.

```
# cat /var/lib/nftables/rules-save
#
```

nothing there, presumably because i cannot config nft as in my first post. i get errors trying the rules from gentoo wiki sample config. what am i missing?

Last edited by josephg on Fri Jun 16, 2017 11:27 pm; edited 2 times in total

----------

## Ant P.

Are you expecting something to load "/etc/conf.d/nftables.rules" automatically? Have you pointed the init script at that file or manually saved after running it? There are no references to that path in the init script, the corresponding conf.d file or the libexec script it calls.

----------

## josephg

*Ant P. wrote:*

> Are you expecting something to load "/etc/conf.d/nftables.rules" automatically? Have you pointed the init script at that file or manually saved after running it? There are no references to that path in the init script, the corresponding conf.d file or the libexec script it calls.

i'm loading rules manually, but they don't load because of errors... see my first post.

Last edited by josephg on Sat Jun 17, 2017 8:59 pm; edited 3 times in total

----------

## Ant P.

What does the initscript output when you run the save command?

----------

## josephg

*Ant P. wrote:*

> What does the initscript output when you run the save command?

```
$ sudo service nftables save
 * Saving nftables state ...
```

ruleset is empty. there is nothing to save, as my rules seem to have errors and aren't loaded. see op.

Last edited by josephg on Sat Jun 17, 2017 9:02 pm; edited 3 times in total

----------

## josephg

what am i supposed to do with this file?

```
$ cat /etc/conf.d/nftables.rules
#!/sbin/nft -f

flush ruleset

# filter
table ip filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "drop invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                iifname lo accept comment "accept loopback"
                iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all icmp types"
                tcp dport 22 counter accept comment "accept ssh"
                counter comment "count dropped packets"
        }
        chain output {
                type filter hook output priority 0; policy accept;
                counter comment "count accepted packets"
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
}
```

----------

## Ant P.

Put it in /var/lib/nftables/rules-save, or fix /etc/conf.d/nftables.

----------

## josephg

*Ant P. wrote:*

> Put it in /var/lib/nftables/rules-save, or fix /etc/conf.d/nftables.

i copied /etc/conf.d/nftables.rules to /var/lib/nftables/rules-save, and got errors when i restart nftables service. same errors as when i run nft -f /etc/conf.d/nftables.rules. as in my first post above. i must be missing something critical.

what can i fix in this file?

```
$ cat /etc/conf.d/nftables
# /etc/conf.d/nftables

# Location in which nftables initscript will save set rules on
# service shutdown
NFTABLES_SAVE="/var/lib/nftables/rules-save"

# Options to pass to nft on save
SAVE_OPTIONS="-n"

# Save state on stopping nftables
SAVE_ON_STOP="yes"

# If you need to log nftables messages as soon as nftables starts,
# AND your logger does NOT depend on the network, then you may wish
# to uncomment the next line.
# If your logger depends on the network, and you uncomment this line
# you will create an unresolvable circular dependency during startup.
# After commenting or uncommenting this line, you must run 'rc-update -u'.
#rc_use="logger"
```

----------

## josephg

```
$ sudo cat /etc/conf.d/nftables.rules
#!/sbin/nft -f

flush ruleset

## filter
table ip filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state invalid counter drop comment "drop invalid packets"
                ct state {established, related} counter accept comment "accept all connections related to connections made by us"
                iifname lo accept comment "accept loopback"
                iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
                ip protocol icmp counter accept comment "accept all icmp types"
                tcp dport 22 counter accept comment "accept ssh"
                counter comment "count dropped packets"
        }
        chain output {
                type filter hook output priority 0; policy accept;
                counter comment "count accepted packets"
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
                counter comment "count dropped packets"
        }
}
```

```
$ sudo nft -f /etc/conf.d/nftables.rules
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: Operation not supported
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
/etc/conf.d/nftables.rules:6:1-2: Error: Could not process rule: No such file or directory
table ip filter {
^^
```

why am i getting these errors, and how do i fix them?

----------

## josephg

i seem to be getting closer... is there nobody here who understands nftables?

```
# nft -f /etc/conf.d/nftables.rules
#
```

works without errors, if i comment out some of the lines. but now i seem to have no network :(

```
#!/sbin/nft -f

flush ruleset

## filter
table ip filter {
   chain input {
      type filter hook input priority 0; policy drop;
      ct state invalid counter drop comment "drop invalid packets"
#      ct state {established, related} counter accept comment "accept all connections related to connections made by us"
#      iifname lo accept comment "accept loopback"
#      iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
#      ip protocol icmp counter accept comment "accept all icmp types"
#      tcp dport 22 counter accept comment "accept ssh"
      counter comment "count dropped packets"
   }
   chain output {
      type filter hook output priority 0; policy accept;
      counter comment "count accepted packets"
   }
   chain forward {
      type filter hook forward priority 0; policy drop;
      counter comment "count dropped packets"
   }
}
```

----------

## josephg

i'm going back to iptables... had enough of nftables :( i think there's something not quite right in gentoo-sources or my .config

----------
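The last post suspects the kernel configuration, which fits the errors above: nft reports rules that need an unavailable expression against the enclosing table, and the file loads once the ct, iifname, ip and tcp rules are commented out. As an added diagnostic (not from the thread and not Gentoo's nftables init script), this POSIX sh script checks a kernel config for the nf_tables options those rule expressions depend on; the symbol-to-rule mapping is an assumption for 4.x-era kernels, and the function names `nft_missing_symbols` and `nft_check_running_kernel` are chosen here.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or Gentoo's nftables init script.
# Checks a kernel config for the nf_tables options that the expressions in
# the posted workstation ruleset rely on. The mapping is an assumption for
# 4.x-era kernels (this thread's era); newer kernels build meta and counter
# into the nf_tables core, so a "missing" NFT_META/NFT_COUNTER there is a
# false positive. The function names are chosen here.

# symbol:which part of the ruleset needs it
NFT_REQUIRED_SYMBOLS='
CONFIG_NF_TABLES:table ip filter and its base chains
CONFIG_NF_TABLES_IPV4:the ip address family
CONFIG_NF_CONNTRACK:ct state ... rules
CONFIG_NFT_CT:ct state ... rules
CONFIG_NFT_COUNTER:counter statements
CONFIG_NFT_META:iifname matches
'

# Print "SYMBOL (reason)" for every required symbol that is neither built
# in (=y) nor a module (=m) in the plain-text kernel config file $1.
# Prints nothing when the config satisfies the ruleset.
nft_missing_symbols() {
    cfg="$1"
    printf '%s\n' "$NFT_REQUIRED_SYMBOLS" | while IFS=: read -r sym why; do
        [ -n "$sym" ] || continue
        grep -Eq "^${sym}=(y|m)$" "$cfg" || printf '%s (%s)\n' "$sym" "$why"
    done
}

# Find the running kernel's config (/proc/config.gz needs CONFIG_IKCONFIG_PROC,
# otherwise try /boot), decompress it and run the check.
# Exit status: 0 all present, 1 something missing, 2 no config found.
nft_check_running_kernel() {
    tmp=$(mktemp) || return 2
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$tmp"
    else
        echo "no kernel config found; enable CONFIG_IKCONFIG_PROC or copy .config to /boot" >&2
        rm -f "$tmp"; return 2
    fi
    missing=$(nft_missing_symbols "$tmp"); rm -f "$tmp"
    if [ -n "$missing" ]; then
        printf 'nf_tables options missing for this ruleset:\n%s\n' "$missing"
        return 1
    fi
    echo "all nf_tables options needed by the ruleset are present"
}

# Run only as "sh nft-kconfig-check.sh run", so the functions can be sourced.
if [ "${1:-}" = run ]; then nft_check_running_kernel; fi
```

A symbol that is reported missing is a build-time gap, so rebuilding the kernel with it (or loading the module if it was built as one) is the fix, not editing the ruleset.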

