Nf_tables modules not found.

Testuser
Samurai
Samurai
Posts: 137
Joined: 26 May 2021, 15:11
Distribution: Porteus-v5.0-64-LXDE

Post#1 by Testuser » 04 Nov 2022, 12:53

I tried to set up nftables in Porteus but got "Initialisation Error" since the nf_tables module is missing.

I tried to enable it, but since the kernel config does not have NFT it also failed.

root@porteus:/home/guest# modprobe configs && zcat /proc/config.gz | grep NFT
root@porteus:/home/guest#

shows no output

How can I change and enable NFT config in the kernel?

Do I need to create a custom kernel? :no:

Please advise. :)

ncmprhnsbl
DEV Team
DEV Team
Posts: 3924
Joined: 20 Mar 2012, 03:42
Distribution: v5.0-64bit
Location: australia

Post#2 by ncmprhnsbl » 04 Nov 2022, 13:25

Testuser wrote (04 Nov 2022, 12:53):
    Do I need to create custom kernel

as it is now:

Code:

# CONFIG_NF_TABLES is not set

yes, or perhaps request this be enabled here: Porteus Kernel Builder and someone might build it ;)
Forum Rules : https://forum.porteus.org/viewtopic.php?f=35&t=44

Blaze
DEV Team
DEV Team
Posts: 3869
Joined: 28 Dec 2010, 11:31
Distribution: ⟰ Porteus current ☯ all DEs ☯
Location: ☭ Russian Federation, Lipetsk region, Dankov

Post#3 by Blaze » 05 Nov 2022, 11:51

Linux 6.6.11-porteus #1 SMP PREEMPT_DYNAMIC Sun Jan 14 12:07:37 MSK 2024 x86_64 Intel(R) Xeon(R) CPU E3-1270 v6 @ 3.80GHz GenuineIntel GNU/Linux
MS-7A12 » [AMD/ATI] Navi 23 [Radeon RX 6600] [1002:73ff] (rev c7) » Vengeance LPX 16GB DDR4 K2 3200MHz C16

Post#4 by Testuser » 06 Nov 2022, 17:56

Thanks much ncmp and Blaze for the quick reply. :)

Blaze, I will try the kernel you provided and test it. :good:

Post#5 by Testuser » 04 Dec 2022, 18:23

Hi Blaze,

I have tried nftables again.

root@porteus:/home/guest# iptables-restore-translate -f iptables_rules.txt > nft_ruleset.nft
root@porteus:/home/guest# nft -f nft_ruleset.nft
nft_ruleset.nft:2:1-20: Error: Could not process rule: Operation not supported
add table ip filter
^^^^^^^^^^^^^^^^^^^^
nft_ruleset.nft:3:14-19: Error: No such file or directory; did you mean chain ‘INPUT’ in table ip ‘filter’?
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }

-----------------------------------------------------------------------------------------------------------------------------------

guest@porteus:~$ sudo modinfo nf_tables
name: nf_tables
filename: (builtin)
alias: nfnetlink-subsys-10
author: Patrick McHardy <kaber@trash.net>
license: GPL
file: net/netfilter/nf_tables

Seems nf_tables is builtin to kernel, but sudo modprobe shows nothing:

guest@porteus:~$ sudo modprobe nf_tables

Seems we need to have below config enabled in kernel, not sure

sudo modprobe configs && zcat /proc/config.gz | grep NF_TAB
Password:
CONFIG_NF_TABLES=y
# CONFIG_NF_TABLES_INET is not set
# CONFIG_NF_TABLES_NETDEV is not set
# CONFIG_NF_TABLES_IPV4 is not set
# CONFIG_NF_TABLES_ARP is not set
# CONFIG_NF_TABLES_IPV6 is not set
# CONFIG_NF_TABLES_BRIDGE is not set
# CONFIG_NF_FLOW_TABLE is not set
:%) :no:
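
The following added example is not part of any post in this thread. It assumes each nft table family is gated by the CONFIG_NF_TABLES_<FAMILY> option named in the output above, and lists the families a kernel config leaves disabled together with the `add table` statements in a ruleset that use one of them; the function names and sample files are constructed for illustration.

```shell
# Added example, not from the thread. Config lines are the ones posted above;
# the two ruleset lines are the statements quoted in the nft error output.
sample_config() { cat <<'EOF'
CONFIG_NF_TABLES=y
# CONFIG_NF_TABLES_INET is not set
# CONFIG_NF_TABLES_NETDEV is not set
# CONFIG_NF_TABLES_IPV4 is not set
# CONFIG_NF_TABLES_ARP is not set
# CONFIG_NF_TABLES_IPV6 is not set
# CONFIG_NF_TABLES_BRIDGE is not set
EOF
}
sample_ruleset() { cat <<'EOF'
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
EOF
}

# Read a kernel config on stdin; print the nft families whose
# CONFIG_NF_TABLES_<FAMILY> option is neither =y nor =m (assumed mapping).
nft_disabled_families() {
    awk '
    /^CONFIG_NF_TABLES_[A-Z0-9]+=[ym]$/ { sub(/=.*/, ""); on[$0] = 1 }
    END {
        n = split("ip:IPV4 ip6:IPV6 inet:INET arp:ARP bridge:BRIDGE netdev:NETDEV", pair, " ")
        for (i = 1; i <= n; i++) {
            split(pair[i], p, ":")
            opt = "CONFIG_NF_TABLES_" p[2]
            if (!(opt in on)) out = out (out ? " " : "") p[1]
        }
        print out
    }'
}

# Print "<line>: <statement>" for each "add table <family> <name>" in ruleset
# file $2 whose family is disabled in kernel config file $1.
nft_refused_tables() {
    disabled=$(nft_disabled_families < "$1")
    awk -v d=" $disabled " '
        $1 == "add" && $2 == "table" && index(d, " " $3 " ") { print FNR ": " $0 }
    ' "$2"
}

# Demo on the samples; on a live system: zcat /proc/config.gz | nft_disabled_families
tmp=$(mktemp -d)
sample_config > "$tmp/config"; sample_ruleset > "$tmp/rules.nft"
echo "disabled families: $(nft_disabled_families < "$tmp/config")"
nft_refused_tables "$tmp/config" "$tmp/rules.nft"
rm -rf "$tmp"
```

A config with no CONFIG_NF_TABLES lines at all, as in the first post, reports every family as disabled.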

babam
Warlord
Warlord
Posts: 526
Joined: 16 Nov 2016, 10:30
Distribution: Porteus 5.0rc3 Xfce K6.1.1
Location: Rainy city

Post#6 by babam » 05 Dec 2022, 04:28

On Slackware

Code:

CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NF_TABLES_BRIDGE=m

Sorry, my English is bad.

Post#7 by ncmprhnsbl » 05 Dec 2022, 04:44

Testuser wrote (04 Dec 2022, 18:23):
    Seems we need to have below config enabled in kernel, not sure

possibly more too..
here's what the standard arch kernel(@6.0.10) has:

Code:

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_EGRESS=y
CONFIG_NETFILTER_SKIP_EGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_HOOK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_SYSLOG=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_GRE=y
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_NETLINK_TIMEOUT=m
CONFIG_NF_CT_NETLINK_HELPER=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NF_NAT=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_CT=m
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NFT_CONNLIMIT=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_TUNNEL=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_XFRM=m
CONFIG_NFT_SOCKET=m
CONFIG_NFT_OSF=m
CONFIG_NFT_TPROXY=m
CONFIG_NFT_SYNPROXY=m
CONFIG_NF_DUP_NETDEV=m
CONFIG_NFT_DUP_NETDEV=m
CONFIG_NFT_FWD_NETDEV=m
CONFIG_NFT_FIB_NETDEV=m
CONFIG_NFT_REJECT_NETDEV=m
CONFIG_NF_FLOW_TABLE_INET=m
CONFIG_NF_FLOW_TABLE=m
CONFIG_NF_FLOW_TABLE_PROCFS=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XTABLES_COMPAT=y
#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_SOCKET_IPV4=m
CONFIG_NF_TPROXY_IPV4=m
CONFIG_NF_TABLES_IPV4=y
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_DUP_IPV4=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_DUP_IPV4=m
CONFIG_NF_LOG_ARP=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_SYNPROXY=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# end of IP: Netfilter Configuration

#
# IPv6: Netfilter Configuration
#
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NF_DUP_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_RPFILTER=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_SRH=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_SYNPROXY=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_IP6_NF_NAT=m
CONFIG_IP6_NF_TARGET_MASQUERADE=m
CONFIG_IP6_NF_TARGET_NPT=m
# end of IPv6: Netfilter Configuration

and below that, some more:

Code:

CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_TABLES_BRIDGE=m
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
CONFIG_NF_CONNTRACK_BRIDGE=m
CONFIG_BRIDGE_NF_EBTABLES=m

possibly other stuff that isn't explicitly "NF"
what is or isn't relevant here, i've no idea.. seems like a lot though..
ooops, ;P prolly should have looked at our config first.. most of that is already there :roll: ..carry on

Post#8 by babam » 05 Dec 2022, 08:04

Post#9 by Blaze » 05 Dec 2022, 15:45

@guys, how about removing iptables and switching on Nftables in the kernel?
Any suggestions are welcome!

Post#10 by ncmprhnsbl » 06 Dec 2022, 00:35

Blaze wrote (05 Dec 2022, 15:45):
    @guys, how about remove iptables and switch on Nftables in kernel?
    Any suggestions are welcome!

the only reason i'd be hesitant(to remove iptables) at this point would be that our firewall script could be broken by this...
for sure, this is something that is old and needs work...

Post#11 by Blaze » 06 Dec 2022, 15:32

ncmprhnsbl, the OpenWrt project has removed iptables and now uses Nftables

donald
Full of knowledge
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Post#12 by donald » 06 Dec 2022, 15:43

Hmmm...as long as iptables does what it is supposed to do, why change it?
What would be the advantage of using nftables?

Post#13 by Blaze » 06 Dec 2022, 17:18

Hi Testuser.
Ok, can you test nftables with this kernel Porteus Kernel Builder (Post by Blaze #91916) ?

donald wrote (06 Dec 2022, 15:43):
    What would be the advantage of using nftables?

:unknown: but more info is here nftables vs. iptables

Post#14 by babam » 06 Dec 2022, 17:43

ncmprhnsbl wrote (05 Dec 2022, 04:44):
    possibly other stuff that isn't explicitly "NF"
    what is or isn't relevant here, i've no idea.. seems like a lot though..

I think it needs all CONFIG_NF_TABLES* and CONFIG_NFT_* from Slackware.

https://wiki.nftables.org/wiki-nftables ... stallation

Post#15 by Testuser » 06 Dec 2022, 18:47

Blaze wrote (06 Dec 2022, 17:18):
    Ok, can you test nftables with this kernel Porteus Kernel Builder (Post by Blaze #91916) ?

Thanks Blaze and I will test and update once I am free :)