Error could not process rule no such file or directory nft


I am trying to apply below nftables rule which I adopted from this guide:

nft add rule filter INPUT tcp flags != syn counter drop

somehow this is ending up with:

Error: Could not process rule: No such file or directory

Can anyone spot what exactly I might be missing in this rule?

asked Aug 28, 2019 at 16:50 by losintikfos

You’re probably missing your table or chain.

nft list ruleset

will give you what you are working with. If it prints out nothing, you’re missing both.

nft add table ip filter # create table
nft add chain ip filter INPUT { type filter hook input priority 0 ; } # create chain

Then you should be able to add your rule to the chain.

NOTE: If you’re logged in with ssh, your connection will be suspended.

answered Aug 28, 2019 at 19:15 by Amos

I was getting Error: Could not process rule: No such file or directory for nftables counter rules on an embedded Linux system built with Yocto.

In my case, the issue was due to kernel configuration. I had to enable the following:

  • CONFIG_NFT_COUNTER=m so that I could create counters.
  • CONFIG_NFT_OBJREF=m so that I could refer to the counters by name in rules.

This mailing list post helped me:

[OpenWrt-Devel] nftables: named counters broken on 18.06.4 — September 2019

answered Sep 6, 2021 at 4:10 by Craig McQueen
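A check for the kernel-side cause described in the answer above, added here as an example and not the answerer's code. It reads the running kernel's config (from /proc/config.gz or /boot/config-<release>), parses it, and reports for each nft expression a ruleset uses whether the matching Kconfig symbol is built in, a module, or unset. The keyword-to-symbol map is an assumption that covers common expressions only; the keyword scan is a heuristic (it looks for `counter name`/`quota name` to detect the objref dependency the answer mentions); and a symbol that is absent from the config is reported as "unknown" rather than "missing", since on newer kernels some expressions were folded into nf_tables itself and their symbols no longer exist.

```python
"""Report whether the kernel was built with the nf_tables pieces a ruleset
uses; a missing one is reported by nft as "No such file or directory".
Added example, not code from the page. The NFT_FEATURES map and the keyword
scan are assumptions covering common expressions only."""
import gzip
import os
import re

# nft keyword -> (Kconfig symbol, module name); extend as needed (assumption)
NFT_FEATURES = {
    "counter":    ("CONFIG_NFT_COUNTER", "nft_counter"),
    "objref":     ("CONFIG_NFT_OBJREF", "nft_objref"),   # `counter name X` in rules
    "limit":      ("CONFIG_NFT_LIMIT", "nft_limit"),
    "ct":         ("CONFIG_NFT_CT", "nft_ct"),
    "log":        ("CONFIG_NFT_LOG", "nft_log"),
    "reject":     ("CONFIG_NFT_REJECT", "nft_reject"),
    "quota":      ("CONFIG_NFT_QUOTA", "nft_quota"),
    "masquerade": ("CONFIG_NFT_MASQ", "nft_masq"),
}


def parse_kconfig(text):
    """Return {symbol: 'y' | 'm' | 'n' | value} from .config-style text."""
    opts = {}
    for line in text.splitlines():
        unset = re.match(r"# (CONFIG_\w+) is not set", line)
        if unset:
            opts[unset.group(1)] = "n"
            continue
        setting = re.match(r"(CONFIG_\w+)=(.*)", line)
        if setting:
            opts[setting.group(1)] = setting.group(2).strip('"')
    return opts


def load_running_kconfig():
    """Config of the running kernel, or None if neither usual source exists."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    path = f"/boot/config-{os.uname().release}"
    if os.path.exists(path):
        with open(path) as f:
            return f.read()
    return None


def expressions_in(ruleset_text):
    """Heuristic: feature keywords that appear as whole words in the ruleset."""
    words = set(re.findall(r"[a-z_]+", ruleset_text))
    used = {name for name in NFT_FEATURES if name in words}
    if re.search(r"\b(counter|quota) name\b", ruleset_text):
        used.add("objref")          # named stateful objects need nft_objref
    return used


def feature_report(opts, ruleset_text):
    """Map each expression the ruleset uses to builtin / module / missing / unknown."""
    report = {}
    if opts.get("CONFIG_NF_TABLES", "n") == "n":
        report["nf_tables"] = "missing"
    for name in sorted(expressions_in(ruleset_text)):
        symbol, module = NFT_FEATURES[name]
        state = opts.get(symbol)
        if state == "y":
            report[name] = "builtin"
        elif state == "m":
            report[name] = f"module {module}"
        elif state == "n":
            report[name] = "missing"
        else:
            # symbol absent: an older kernel, or a newer one where the
            # expression was folded into nf_tables itself (assumption)
            report[name] = "unknown"
    return report


# constructed sample: counter as a module, objref left unset (the reported case)
SAMPLE_CONFIG = """\
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NFT_COUNTER=m
# CONFIG_NFT_OBJREF is not set
CONFIG_NFT_CT=m
"""
SAMPLE_RULES = "tcp dport 22 ct state new counter name ssh_new accept"

if __name__ == "__main__":
    config = load_running_kconfig() or SAMPLE_CONFIG
    for name, status in feature_report(parse_kconfig(config), SAMPLE_RULES).items():
        print(f"{name}: {status}")
```

With the constructed config, `counter` and `ct` come back as modules while `objref` is reported missing, which is exactly the named-counter failure the answer describes; an `=m` entry is fine on its own, since nf_tables loads expression modules on demand when the .ko is installed.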


#1 2018-01-01 21:23:48 diederick76

nftables create /etc/modules-load.d/nftables.conf

Hi,

I’m trying to setup a firewall using nftables, but when adding a rule, I get an error: «Error: Could not process rule: No such file or directory».

The Wiki tells me to

create /etc/modules-load.d/nftables.conf with all of the nftables related modules you require as entries for the systemd service to work correctly. You can get a list of modules using this command:

But it isn’t very clear how to do that. lsmod gives me already loaded modules, so how do I know what modules I need?

#2 2018-01-01 22:20:54 lo1

Most likely you’d need to add such modules into /etc/modules-load.d/nftables.conf. Since I never used nftables, can I have a look at that?

cat /etc/modules-load.d/nftables.conf

#3 2018-01-02 09:53:47 diederick76

lo1 wrote:

Most likely you’d need to add such modules into /etc/modules-load.d/nftables.conf. Since I never used nftables, can I have a look at that?

cat /etc/modules-load.d/nftables.conf

That file actually does not exist yet. I gather I have to create it and put the module names inside. That’s what I’m unclear about. What I also don’t understand is why udev wouldn’t pick them up.

#4 2018-01-02 11:42:57 lo1


Each configuration file is named in the style of /etc/modules-load.d/program.conf.

CONFIGURATION FORMAT
       The configuration files should simply contain a list of kernel module names to
       load, separated by newlines. Empty lines and lines whose first non-whitespace
       character is # or ; are ignored.

Again, I don’t know how nftables works but it seems it relies on the modules you put inside modules-load.d, so have a look at those modules, understand what they’re for, which of them are mandatory to use nftables and create that file.

#5 2018-01-02 12:33:27 ayekat

nftables should not require any additional modules to be loaded; I’m not sure why the wiki mentions that (and that note in particular is just badly written).

The only thing that might be required is to blacklist the iptable_nat module, as it conflicts with the nf_nat module for setting NAT (pre/postrouting) rules, but that’s only tangential to this issue here.

What does your nftables.conf look like?
Or do you set ephemeral rules simply with the `nft` command? If so, what are the commands you run?

Last edited by ayekat (2018-01-02 12:35:15)


#6 2018-01-02 18:20:06 diederick76

I have an empty nftables.conf, since I first want to learn how to do this, and then want to populate that file. The command I run is:

$ sudo nft add rule ip filter input ip saddr 192.168.1.102 drop
Error: Could not process rule: No such file or directory
add rule ip filter input ip saddr 192.168.1.102 drop
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Because I want to test that the machine drops any packets coming from 192.168.1.102. The nf_nat module isn’t loaded, and if I interpret the name correctly, I won’t need it for this command.

Perhaps, the fragment on the wiki was added because on https://wiki.nftables.org/wiki-nftables … leshooting it mentions:

Question 2: No such file or directory when adding chain
You may also hit this problem if you forgot to compile the module that enables this chain type in your Linux kernel.

But if the modules aren’t the problem here, what file is nft talking about? Is nft storing temporary rules as files somewhere or do I need tables and chains for them?

Last edited by diederick76 (2018-01-02 18:34:20)

#7 2018-01-02 18:41:14 progandy

If I read the wiki and the manpage correctly, the first thing you have to do is to create tables and chains. Only then can you add rules.


#8 2018-01-02 20:12:06 diederick76

progandy wrote:

If I read the wiki and the manpage correctly, the first thing you have to do is to create tables and chains. Only then can you add rules.

Indeed. This worked:

$ sudo nft add table ip filter
$ sudo nft add chain ip filter input { type filter hook input priority 0 ; }
$ sudo nft add rule ip filter input ip saddr 192.168.1.102 drop

in the sense that when inputting those while nftables.service was started, that machine didn’t respond anymore from only the machine with that IP, until I stopped nftables.service.

Thanks!
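The fix that Amos gives in the first answer on this page and that diederick76 confirms in the post above (create the table, then the base chain, then the rule) as one idempotent script. This is an added example, not code from either post. Every nft invocation goes through one function with an injectable runner, so the logic can be exercised against a recording stub without touching a live kernel; `nft list table`/`nft list chain` are used as the existence test because they fail with the same ENOENT when the object is missing. The rule applied at the end is not the one from the question: `tcp flags != syn` compares the whole flag word with exactly SYN, so it also drops the ACK packets of every established session (which is why the ssh connection dies, as the answer notes); the masked, new-connections-only form used in the inet filter ruleset further down this page is applied instead.

```python
"""Create table and base chain if missing, then add the rule. Added
example, not code from the posts. nft is invoked through run_nft() so a
stub runner can replace the real binary."""
import subprocess


def run_nft(args, runner=None):
    """Run `nft ARGS...` and return its exit status. A missing table or
    chain shows up as a non-zero status plus 'No such file or directory'."""
    if runner is not None:            # injected stub for dry runs / tests
        return runner(list(args))
    return subprocess.run(["nft", *args], capture_output=True, text=True).returncode


def nft_exists(kind, *path, runner=None):
    """`nft list table FAMILY TABLE` / `nft list chain FAMILY TABLE CHAIN`
    exit non-zero (ENOENT) when the object does not exist."""
    return run_nft(["list", kind, *path], runner=runner) == 0


def ensure_base_chain(family, table, chain, hook, priority, runner=None):
    """Create the table and the base chain only if absent.
    Returns the list of nft commands actually issued."""
    issued = []
    if not nft_exists("table", family, table, runner=runner):
        cmd = ["add", "table", family, table]
        run_nft(cmd, runner=runner)
        issued.append(cmd)
    if not nft_exists("chain", family, table, chain, runner=runner):
        # a rule can only be attached to a chain, and a base chain needs
        # its hook and priority spelled out at creation time
        cmd = ["add", "chain", family, table, chain,
               f"{{ type filter hook {hook} priority {priority} ; }}"]
        run_nft(cmd, runner=runner)
        issued.append(cmd)
    return issued


def add_rule(family, table, chain, hook, priority, rule, runner=None):
    """Make sure the chain exists, then add RULE (one string, as nft joins
    its arguments anyway). Returns every command issued, the rule last."""
    issued = ensure_base_chain(family, table, chain, hook, priority, runner=runner)
    cmd = ["add", "rule", family, table, chain, rule]
    status = run_nft(cmd, runner=runner)
    if status != 0:
        raise RuntimeError(f"nft {' '.join(cmd)} failed with status {status}")
    issued.append(cmd)
    return issued


# `tcp flags != syn` matches every packet whose flag word is not exactly SYN,
# including the ACKs of established sessions. Mask the flags and limit the
# check to new connections so only malformed connection attempts are dropped.
SYN_CHECK = "tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop"

if __name__ == "__main__":
    for cmd in add_rule("ip", "filter", "INPUT", "input", 0, SYN_CHECK):
        print("nft", " ".join(cmd))
```

Run as root on a host with nft installed; on a second run nothing but the rule is added, because the table and chain already exist. Running this over ssh is safe with the masked rule, which the original `tcp flags != syn` form is not.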

hm, I don’t have access to a Debian system that old.

An easy fix for that is to create a VM and install debian 10. gnome-boxes is an easy to use VM program :)


Looking at this issue more, one piece of the puzzle is the duplicated AddChain() call in: https://github.com/ziggie1984/nftables_sample/blob/2331b08955e78c20c3520c0a94611bb54c37bf76/main.go#L25-L33

When I remove one of the AddChain() calls, the example also works (i.e. prints an error message for the last, non-working request) with a lasting nftables connection.

I think in the scenario where we send two AddChain() calls, we still only Receive() one error message, and then for the next AddTable() call, we receive the error message from the previous AddChain() call.

This only matters when using a lasting connection — when re-connecting for each Flush(), at least the first NLMSG_ERROR reply will always match the first request sent, papering over this issue.

The problem might be how we call (mdlayher/netlink.Conn).Receive():

if _, err := conn.Receive(); err != nil {

I’m thinking we might need to call it an appropriate number of times based on what we send. mdlayher/netlink has its own handling for multi-part messages, but I think multi-part messages might be orthogonal? Perhaps we just need to count how many netlink.Acknowledge flags we send out?

cc @mdlayher in case you happen to know off the top of your head how acknowledgement/error handling is supposed to be done with netlink :)

I’ve got a problem combining fail2ban and nftables. My setup is «Debian 10 + fail2ban + nftables».
At the end there is a problem adding a new rule if someone is banned by fail2ban:

2020-09-15 17:38:26,078 fail2ban.utils          [626]: Level 39 7fa684124198 -- exec: nft list chain inet fail2ban fail2ban | grep -q '@f2b-sshd[ \t]'
2020-09-15 17:38:26,078 fail2ban.utils          [626]: ERROR   7fa684124198 -- stderr: 'Error: Could not process rule: No such file or directory'
2020-09-15 17:38:26,078 fail2ban.utils          [626]: ERROR   7fa684124198 -- stderr: 'list chain inet fail2ban fail2ban'
2020-09-15 17:38:26,078 fail2ban.utils          [626]: ERROR   7fa684124198 -- stderr: '                ^^^^^^^^'
2020-09-15 17:38:26,078 fail2ban.utils          [626]: ERROR   7fa684124198 -- returned 1

My nftables.conf looks like this

include "/etc/nftables/fail2ban.conf"

#!/usr/sbin/nft -f

# Start by flushing all the rules.
flush ruleset

# Define private IP for ssh access
define privateip = {77.56.188.228}

table inet filter {
    # TCP ports to allow. (Allowed services: HTTP, HTTPS, SFTP)
    set tcp_accepted {
        type inet_service; flags interval;
        elements = {
        80,443,722
        }
    }
    # TCP port for SSH service.
    set ssh_accepted {
        type inet_service; flags interval;
        elements = {
        721
        }
    }
    # UDP ports to allow. (Allowed services: Teamspeak 3)
    set udp_accepted {
        type inet_service; flags interval;
        elements = {
        9987
        }
    }
    chain input {
        # This line set what traffic the chain will handle, the priority and default policy.
        # The priority comes in when you in another table have a chain set to "hook input" and want to specify in what order they should run.
        # Use a semicolon to separate multiple commands on one row.
        type filter hook input priority 0; policy drop;

        # Limit ping requests.
        ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
        ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 1/second burst 5 packets drop

        # OBS! Rules with "limit" need to be put before rules accepting "established" connections.
        # Allow all incomming established and related traffic. Drop invalid traffic.
        ct state established,related accept
        ct state invalid drop

        # Allow loopback.
        # Interfaces can by set with "iif" or "iifname" (oif/oifname). If the interface can come and go use "iifname", otherwise use "iif" since it performs better.
        iif lo accept

        # Drop all fragments.
        ip frag-off & 0x1fff != 0 counter drop

        # Force SYN checks.
        tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop

        # Drop XMAS packets.
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop

        # Drop NULL packets.
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop

        # Allow certain inbound ICMP types (ping, traceroute).
        # With these allowed you are a good network citizen.
        # Without the nd-* ones ipv6 will not work.
        ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } accept      
        ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, echo-reply, echo-request, nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert, packet-too-big, parameter-problem, time-exceeded } accept

        # Allow SSH for specific IP only
        ip saddr $privateip tcp dport @ssh_accepted accept
        tcp dport @ssh_accepted drop

        # Allow needed tcp and udp ports.
        tcp dport @tcp_accepted ct state new accept
        udp dport @udp_accepted ct state new accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Forward all established and related traffic. Drop invalid traffic.
        ct state established,related accept
        ct state invalid drop
    }
    chain output {
        type filter hook output priority 0; policy drop;

        # Allow all outgoing traffic. Drop invalid traffic.
        # ipv6 ICMP needs to be explicitly allowed here.
        ip6 nexthdr ipv6-icmp accept
        ct state new,established,related accept
        ct state invalid drop
    }
}

and the fail2ban.conf looks like this

#!/usr/sbin/nft -f

# Use ip as fail2ban doesn't support ipv6 yet
table ip fail2ban {
        chain input {
                # Assign a high priority to reject as fast as possible and avoid more complex rule evaluation
                type filter hook input priority 100;
        }
}

It looks like the command is not finding the «fail2ban» table but to be honest, I don’t know where to look or fix the problem. If you need more information please ask

After reviewing a bit of Python code here and here it became clear that I need to disassemble the big JSON blob and see which instructions exactly fail, which lead me to the following (after storing the JSON blob into ~/nftables.json):

jq '.nftables | length' ~/nftables.json

…to get the number of entries (225 in my case) and then:

for i in $(seq 1 224); do 
    jq --argjson index "$i" '{"nftables": [.nftables[0], .nftables[$index]]}' ~/nftables.json | tee nft.json; 
    sudo nft --json --file nft.json || break; 
done

…which failed just for the first entry:

{
  "nftables": [
    {
      "metainfo": {
        "json_schema_version": 1
      }
    },
    {
      "add": {
        "chain": {
          "family": "inet",
          "table": "firewalld",
          "name": "raw_PREROUTING",
          "type": "filter",
          "hook": "prerouting",
          "prio": -290
        }
      }
    }
  ]
}
internal:0:0-0: Error: No such file or directory

As this was just adding a chain, the only thing that could be wrong here is a missing table, which was confirmed by:

$ sudo nft list tables
table bridge filter
table bridge nat

…so we need to add it:

sudo nft add table inet firewalld

After some more similar failures, I ended up with just the following tables being added manually:

table inet firewalld
table ip firewalld
table ip6 firewalld
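The jq loop above finds the failing entry by trial, feeding the kernel one command at a time until it returns ENOENT. The same question, which entry names a table, chain or set that will not exist when the command runs, can be answered statically by walking the batch and tracking what each command creates. The block below does that; it is an added example, not code from the page or from firewalld, and its input data is constructed from what the post shows (only the two bridge tables present, then the `raw_PREROUTING` chain for a table `inet firewalld` that was never added). It accepts both libnftables JSON shapes: a listing from `nft -j list ruleset` prints bare objects such as `{"table": {...}}`, a batch wraps each object in a verb such as `{"add": {"chain": {...}}}`. The same lookup explains the fail2ban post earlier on this page: the log shows `nft list chain inet fail2ban fail2ban`, while the included file defines table `ip fail2ban` with a chain named `input`, so the family, the chain name, or both do not match what is queried.

```python
"""Static pre-check of an nft JSON batch (the input of `nft -j -f FILE`) for
commands that name a table, chain or set which will not exist when the
kernel processes them; that is the condition reported as ENOENT and printed
as "No such file or directory". Added example, not code from the page or
from firewalld. Rules referencing sets inside expressions are not checked."""
import json

CREATING = {"add", "create", "insert", "replace"}   # verbs that create the object
VERBS = CREATING | {"delete", "flush"}              # the rest only reference it


class RulesetState:
    """Tables, chains and sets known to exist, keyed by (family, table[, name])."""

    def __init__(self, ruleset_json=None):
        self.tables, self.chains, self.sets = set(), set(), set()
        for item in (ruleset_json or {}).get("nftables", []):
            self.apply(item)        # seed from `nft -j list ruleset` output

    def apply(self, item):
        """Apply one JSON object; return a problem string, or None if it is fine."""
        if "metainfo" in item:
            return None
        verb = next((v for v in VERBS if v in item), None)
        body = item[verb] if verb else item        # batch command vs. bare listing
        creates = verb is None or verb in CREATING
        if verb == "flush" and "ruleset" in body:
            self.tables.clear(); self.chains.clear(); self.sets.clear()
            return None
        if "table" in body:
            key = (body["table"]["family"], body["table"]["name"])
            if creates:
                self.tables.add(key)
            elif key not in self.tables:
                return f"table {key[0]} {key[1]} does not exist"
            elif verb == "delete":
                self.tables.discard(key)
            return None
        kind = next((k for k in ("chain", "set", "element", "rule") if k in body), None)
        if kind is None:
            return None             # counters, maps, quotas, ... not tracked here
        obj = body[kind]
        table = (obj["family"], obj["table"])
        if table not in self.tables:
            return f"{kind} refers to missing table {table[0]} {table[1]}"
        if kind == "rule":           # rules never create anything
            if table + (obj["chain"],) not in self.chains:
                return f"rule refers to missing chain {table[0]} {table[1]} {obj['chain']}"
            return None
        if kind == "element":        # set elements need their set to exist
            if table + (obj["name"],) not in self.sets:
                return f"element refers to missing set {table[0]} {table[1]} {obj['name']}"
            return None
        registry = self.chains if kind == "chain" else self.sets
        key = table + (obj["name"],)
        if creates:
            registry.add(key)
        elif key not in registry:
            return f"{kind} {' '.join(key)} does not exist"
        elif verb == "delete":
            registry.discard(key)
        return None


def check_batch(state, batch_json):
    """Return [(index, problem)] for each entry of batch_json["nftables"] that
    would fail with ENOENT, assuming the entries before it succeed."""
    problems = []
    for i, item in enumerate(batch_json.get("nftables", [])):
        problem = state.apply(item)
        if problem:
            problems.append((i, problem))
    return problems


# constructed from the post: only the two bridge tables exist on the host
EXISTING = {"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "bridge", "name": "filter", "handle": 1}},
    {"table": {"family": "bridge", "name": "nat", "handle": 2}}]}

# constructed batch: the failing chain from the post plus one rule for it
BATCH = json.loads("""{"nftables": [
  {"metainfo": {"json_schema_version": 1}},
  {"add": {"chain": {"family": "inet", "table": "firewalld",
                     "name": "raw_PREROUTING", "type": "filter",
                     "hook": "prerouting", "prio": -290}}},
  {"add": {"rule": {"family": "inet", "table": "firewalld",
                    "chain": "raw_PREROUTING", "expr": [{"accept": null}]}}}]}""")


def demo():
    """Check BATCH as posted, then with the missing table added in front."""
    as_posted = check_batch(RulesetState(EXISTING), BATCH)
    fixed = {"nftables": [BATCH["nftables"][0],
                          {"add": {"table": {"family": "inet", "name": "firewalld"}}},
                          *BATCH["nftables"][1:]]}
    return as_posted, check_batch(RulesetState(EXISTING), fixed)


if __name__ == "__main__":
    for index, problem in demo()[0]:
        print(f"entry {index}: {problem}")
```

For a real batch, seed the state from `nft -j list ruleset` and pass the parsed batch file to check_batch; unlike the jq loop, this reports every dangling reference at once and never touches the kernel, so it can run on a host where applying half a ruleset would cut off access.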
