Nf_tables modules not found.

Post#1 by **Testuser** » 04 Nov 2022, 12:53

I tried to setup nftables in Porteus but got "Initialisation Error" since nf_tables module is missing.

I tried to enable it but since kernel config does not have NFT it also failed.

root@porteus:/home/guest# modprobe configs && zcat /proc/config.gz | grep NFT
root@porteus:/home/guest#

show no ouput

How can I change and enable NFT config in the kernel.

Do I need to create custom kernel

Please advise.

Post#2 by **ncmprhnsbl** » 04 Nov 2022, 13:25

Testuser wrote: ↑
04 Nov 2022, 12:53
Do I need to create custom kernel

as it is now:

Code: Select all

# CONFIG_NF_TABLES is not set

yes, or perhaps request this be enabled here: Porteus Kernel Builder and someone might built it

Post#3 by **Blaze** » 05 Nov 2022, 11:51

Hi Testuser.
Try this kernel Porteus Kernel Builder (Пост Blaze #91353)

Post#4 by **Testuser** » 06 Nov 2022, 17:56

Thanks much ncmp and Blaze for the quick reply.

Blaze, I will try the kernel you provided and test it.

Post#5 by **Testuser** » 04 Dec 2022, 18:23

Hi Blaze,

I have tried nftables again.

root@porteus:/home/guest# iptables-restore-translate -f iptables_rules.txt > nft_ruleset.nft
root@porteus:/home/guest# nft -f nft_ruleset.nft
nft_ruleset.nft:2:1-20: Error: Could not process rule: Operation not supported
add table ip filter
^^^^^^^^^^^^^^^^^^^^
nft_ruleset.nft:3:14-19: Error: No such file or directory; did you mean chain ‘INPUT’ in table ip ‘filter’?
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }

-----------------------------------------------------------------------------------------------------------------------------------

guest@porteus:~$ sudo modinfo nf_tables
name: nf_tables
filename: (builtin)
alias: nfnetlink-subsys-10
author: Patrick McHardy <[email protected]>
license: GPL
file: net/netfilter/nf_tables

Seems nf_tables is builtin to kernel but, sudo modproble shows nothing - guest@porteus:~$ sudo modprobe nf_tables

Seems we need to have below config enabled in kernel, not sure

sudo modprobe configs && zcat /proc/config.gz | grep NF_TAB
Password:
CONFIG_NF_TABLES=y
# CONFIG_NF_TABLES_INET is not set
# CONFIG_NF_TABLES_NETDEV is not set
# CONFIG_NF_TABLES_IPV4 is not set
# CONFIG_NF_TABLES_ARP is not set
# CONFIG_NF_TABLES_IPV6 is not set
# CONFIG_NF_TABLES_BRIDGE is not set
# CONFIG_NF_FLOW_TABLE is not set

Post#6 by **babam** » 05 Dec 2022, 04:28

On Slackware

Code: Select all

CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NF_TABLES_BRIDGE=m

Post#7 by **ncmprhnsbl** » 05 Dec 2022, 04:44

Testuser wrote: ↑
04 Dec 2022, 18:23
Seems we need to have below config enabled in kernel, not sure

possibly more too..
here's what the standard arch kernel(@6.0.10) has:

Code: Select all

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_EGRESS=y
CONFIG_NETFILTER_SKIP_EGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_FAMILY_BRIDGE=y
CONFIG_NETFILTER_FAMILY_ARP=y
CONFIG_NETFILTER_NETLINK_HOOK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_OSF=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_SYSLOG=m
CONFIG_NETFILTER_CONNCOUNT=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_GRE=y
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_NETLINK_TIMEOUT=m
CONFIG_NF_CT_NETLINK_HELPER=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NF_NAT=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_CT=m
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NFT_CONNLIMIT=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_TUNNEL=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_XFRM=m
CONFIG_NFT_SOCKET=m
CONFIG_NFT_OSF=m
CONFIG_NFT_TPROXY=m
CONFIG_NFT_SYNPROXY=m
CONFIG_NF_DUP_NETDEV=m
CONFIG_NFT_DUP_NETDEV=m
CONFIG_NFT_FWD_NETDEV=m
CONFIG_NFT_FIB_NETDEV=m
CONFIG_NFT_REJECT_NETDEV=m
CONFIG_NF_FLOW_TABLE_INET=m
CONFIG_NF_FLOW_TABLE=m
CONFIG_NF_FLOW_TABLE_PROCFS=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XTABLES_COMPAT=y
#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_SOCKET_IPV4=m
CONFIG_NF_TPROXY_IPV4=m
CONFIG_NF_TABLES_IPV4=y
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_DUP_IPV4=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_DUP_IPV4=m
CONFIG_NF_LOG_ARP=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_RPFILTER=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_SYNPROXY=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_SECURITY=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# end of IP: Netfilter Configuration

#
# IPv6: Netfilter Configuration
#
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NF_DUP_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_MATCH_AH=m
CONFIG_IP6_NF_MATCH_EUI64=m
CONFIG_IP6_NF_MATCH_FRAG=m
CONFIG_IP6_NF_MATCH_OPTS=m
CONFIG_IP6_NF_MATCH_HL=m
CONFIG_IP6_NF_MATCH_IPV6HEADER=m
CONFIG_IP6_NF_MATCH_MH=m
CONFIG_IP6_NF_MATCH_RPFILTER=m
CONFIG_IP6_NF_MATCH_RT=m
CONFIG_IP6_NF_MATCH_SRH=m
CONFIG_IP6_NF_TARGET_HL=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_SYNPROXY=m
CONFIG_IP6_NF_MANGLE=m
CONFIG_IP6_NF_RAW=m
CONFIG_IP6_NF_SECURITY=m
CONFIG_IP6_NF_NAT=m
CONFIG_IP6_NF_TARGET_MASQUERADE=m
CONFIG_IP6_NF_TARGET_NPT=m
# end of IPv6: Netfilter Configuration

and below that, some more:

Code: Select all

CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_TABLES_BRIDGE=m
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
CONFIG_NF_CONNTRACK_BRIDGE=m
CONFIG_BRIDGE_NF_EBTABLES=m

possibly other stuff that isn't explicitly "NF"
what is or isn't relevent here, i've no idea.. seems like a lot though..
ooops, ;P prolly should have looked at our config first.. most of that is already there

..carry on

Post#8 by **babam** » 05 Dec 2022, 08:04

https://wiki.gentoo.org/wiki/Nftables#Kernel

Post#9 by **Blaze** » 05 Dec 2022, 15:45

@guys, how about remove iptables and switch on Nftables in kernel?
Any suggestions are welcome!

Post#10 by **ncmprhnsbl** » 06 Dec 2022, 00:35

Blaze wrote: ↑
05 Dec 2022, 15:45
@guys, how about remove iptables and switch on Nftables in kernel?
Any suggestions are welcome!

the only reason i'd be hesitant(to remove iptables) at this point would be that our firewall script could be broken by this...
for sure, this is something that is old and needs work...

Post#11 by **Blaze** » 06 Dec 2022, 15:32

ncmprhnsbl, openwrt project is removed iptables and now is use Nftables

Post#12 by **donald** » 06 Dec 2022, 15:43

Hmmm...as long as iptables does what it is supposed to do, why change it?
What would be the advantage of using nftables?

Post#13 by **Blaze** » 06 Dec 2022, 17:18

Hi Testuser.
Ok, can you test nftables with this kernel Porteus Kernel Builder (Пост Blaze #91916) ?

donald wrote: ↑
06 Dec 2022, 15:43
What would be the advantage of using nftables?

but more info is here nftables vs. iptables

Post#14 by **babam** » 06 Dec 2022, 17:43

ncmprhnsbl wrote: ↑
05 Dec 2022, 04:44
possibly other stuff that isn't explicitly "NF"
what is or isn't relevent here, i've no idea.. seems like a lot though..

I think it needs all CONFIG_NF_TABLES* and CONFIG_NFT_* from Slackware.

https://wiki.nftables.org/wiki-nftables ... stallation

Post#15 by **Testuser** » 06 Dec 2022, 18:47

Blaze wrote: ↑
06 Dec 2022, 17:18
Ok, can you test nftables with this kernel Porteus Kernel Builder (Пост Blaze #91916) ?

Thanks Blaze and I will test and update once I am free