* nft error
From: Matteo Croce @ 2014-02-26 10:12 UTC
To: netfilter
Hi,

I'm trying to run nftables on Debian with a vanilla 3.13 kernel.
I've compiled libnftnl and nftables from git, but when I try to start
nft I get this error:

# nft list table filter
<cmdline>:1:1-17: Error: Could not receive sets from kernel: Address
family not supported by protocol
list table filter
^^^^^^^^^^^^^^^^^

I think I have all modules loaded:

lsmod |grep nf
nfnetlink_log 12935 0
nft_ct 12486 0
nft_compat 12844 0
nft_nat 12459 0
nf_tables 36626 3 nft_nat,nft_ct,nft_compat
nfnetlink 12818 3 nf_tables,nfnetlink_log,nft_compat
nf_conntrack_ipv4 13078 1
nf_defrag_ipv4 12443 1 nf_conntrack_ipv4
nf_nat_ipv4 12757 1 iptable_nat

What can it be?

Cheers,
--
Matteo Croce
OpenWrt Developer

* Re: nft error
From: Eric Leblond @ 2014-02-26 10:18 UTC
To: Matteo Croce; +Cc: netfilter
Hi,
On Wed, 2014-02-26 at 11:12 +0100, Matteo Croce wrote:
> Hi,
>
> I'm trying to run nftables on Debian with a vanilla 3.13 kernel.
> I've compiled libnftnl and nftables from git, but when I try to start
> nft I get this error:
>
> # nft list table filter
> <cmdline>:1:1-17: Error: Could not receive sets from kernel: Address
> family not supported by protocol
> list table filter
> ^^^^^^^^^^^^^^^^

I think you did not create the filter table first:

nft add table filter

nftables comes without any chains. So you have to create your own.

BR,
--
Eric Leblond <eric@regit.org>

* Re: nft error
From: Pablo Neira Ayuso @ 2014-02-26 10:25 UTC
To: Matteo Croce; +Cc: netfilter
On Wed, Feb 26, 2014 at 11:12:29AM +0100, Matteo Croce wrote:
> Hi,
>
> I'm trying to run nftables on Debian with a vanilla 3.13 kernel.
> I've compiled libnftnl and nftables from git, but when I try to start
> nft I get this error:
>
> # nft list table filter
> <cmdline>:1:1-17: Error: Could not receive sets from kernel: Address
> family not supported by protocol
> list table filter
> ^^^^^^^^^^^^^^^^^
>
> I think I have all modules loaded:
>
> lsmod |grep nf
> nfnetlink_log 12935 0
> nft_ct 12486 0
> nft_compat 12844 0
> nft_nat 12459 0
> nf_tables 36626 3 nft_nat,nft_ct,nft_compat
> nfnetlink 12818 3 nf_tables,nfnetlink_log,nft_compat
> nf_conntrack_ipv4 13078 1
> nf_defrag_ipv4 12443 1 nf_conntrack_ipv4
> nf_nat_ipv4 12757 1 iptable_nat
>
> What can it be?
I don't see the nf_tables_ipv4 and nf_tables_ipv6 modules there.

* Re: nft error
From: Matteo Croce @ 2014-02-26 10:27 UTC
To: Giuseppe Longo; +Cc: netfilter
Hi,
if I create the filter chain I can see it as empty.
Actually I'm using iptables-nftables to use my old firewall, and it works.
Is there any way to see the iptables-nftables chains?
2014-02-26 11:23 GMT+01:00 Giuseppe Longo <giuseppelng@gmail.com>:
> Hi Matteo,
>
> try to run: nft -f files/example/ipv4-filter
>
> (into nftables directory)
>
> BR
--
Matteo Croce
OpenWrt Developer
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
BARRIER BREAKER
-----------------------------------------------------
* 1/2 oz Galliano Pour all ingredients into
* 4 oz cold Coffee an irish coffee mug filled
* 1 1/2 oz Dark Rum with crushed ice. Stir.
* 2 tsp. Creme de Cacao
-----------------------------------------------------

* Re: nft error
From: Matteo Croce @ 2014-02-26 10:28 UTC
To: Pablo Neira Ayuso; +Cc: netfilter
it gets loaded after running 'nft add table filter' as Eric suggested
2014-02-26 11:25 GMT+01:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Wed, Feb 26, 2014 at 11:12:29AM +0100, Matteo Croce wrote:
>> Hi,
>>
>> I'm trying to run nftables on Debian with a vanilla 3.13 kernel.
>> I've compiled libnftnl and nftables from git, but when I try to start
>> nft I get this error:
>>
>> # nft list table filter
>> <cmdline>:1:1-17: Error: Could not receive sets from kernel: Address
>> family not supported by protocol
>> list table filter
>> ^^^^^^^^^^^^^^^^^
>>
>> I think I have all modules loaded:
>>
>> lsmod |grep nf
>> nfnetlink_log 12935 0
>> nft_ct 12486 0
>> nft_compat 12844 0
>> nft_nat 12459 0
>> nf_tables 36626 3 nft_nat,nft_ct,nft_compat
>> nfnetlink 12818 3 nf_tables,nfnetlink_log,nft_compat
>> nf_conntrack_ipv4 13078 1
>> nf_defrag_ipv4 12443 1 nf_conntrack_ipv4
>> nf_nat_ipv4 12757 1 iptable_nat
>>
>> What can it be?
>
> I don't see the nf_tables_ipv4 and nf_tables_ipv6 modules there.
--
Matteo Croce
OpenWrt Developer

* Re: nft error
From: Pablo Neira Ayuso @ 2014-02-26 10:45 UTC
To: Matteo Croce; +Cc: netfilter
On Wed, Feb 26, 2014 at 11:25:30AM +0100, Pablo Neira Ayuso wrote:
> On Wed, Feb 26, 2014 at 11:12:29AM +0100, Matteo Croce wrote:
> > Hi,
> >
> > I'm trying to run nftables on Debian with a vanilla 3.13 kernel.
> > I've compiled libnftnl and nftables from git, but when I try to start
> > nft I get this error:
> >
> > # nft list table filter
> > <cmdline>:1:1-17: Error: Could not receive sets from kernel: Address
> > family not supported by protocol
> > list table filter
> > ^^^^^^^^^^^^^^^^^
> >
> > I think I have all modules loaded:
> >
> > lsmod |grep nf
> > nfnetlink_log 12935 0
> > nft_ct 12486 0
> > nft_compat 12844 0
> > nft_nat 12459 0
> > nf_tables 36626 3 nft_nat,nft_ct,nft_compat
> > nfnetlink 12818 3 nf_tables,nfnetlink_log,nft_compat
> > nf_conntrack_ipv4 13078 1
> > nf_defrag_ipv4 12443 1 nf_conntrack_ipv4
> > nf_nat_ipv4 12757 1 iptable_nat
> >
> > What can it be?
>
> I don't see the nf_tables_ipv4 and nf_tables_ipv6 modules there.
JFYI: Just created this section:
http://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting
I'll try to collect similar questions in that article.

* Re: nft error
From: Matteo Croce @ 2014-02-26 10:47 UTC
To: Pablo Neira Ayuso; +Cc: netfilter
thank you very much
2014-02-26 11:45 GMT+01:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Wed, Feb 26, 2014 at 11:25:30AM +0100, Pablo Neira Ayuso wrote:
>> On Wed, Feb 26, 2014 at 11:12:29AM +0100, Matteo Croce wrote:
>> > Hi,
>> >
>> > I'm trying to run nftables on Debian with a vanilla 3.13 kernel.
>> > I've compiled libnftnl and nftables from git, but when I try to start
>> > nft I get this error:
>> >
>> > # nft list table filter
>> > <cmdline>:1:1-17: Error: Could not receive sets from kernel: Address
>> > family not supported by protocol
>> > list table filter
>> > ^^^^^^^^^^^^^^^^^
>> >
>> > I think I have all modules loaded:
>> >
>> > lsmod |grep nf
>> > nfnetlink_log 12935 0
>> > nft_ct 12486 0
>> > nft_compat 12844 0
>> > nft_nat 12459 0
>> > nf_tables 36626 3 nft_nat,nft_ct,nft_compat
>> > nfnetlink 12818 3 nf_tables,nfnetlink_log,nft_compat
>> > nf_conntrack_ipv4 13078 1
>> > nf_defrag_ipv4 12443 1 nf_conntrack_ipv4
>> > nf_nat_ipv4 12757 1 iptable_nat
>> >
>> > What can it be?
>>
>> I don't see the nf_tables_ipv4 and nf_tables_ipv6 modules there.
>
> JFYI: Just created this section:
>
> http://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting
>
> I'll try to collect similar questions in that article.
--
Matteo Croce
OpenWrt Developer

* Re: nft error
From: Matteo Croce @ 2014-02-26 16:26 UTC
To: Pablo Neira Ayuso; +Cc: netfilter
What module am I missing now?

# nft list table global
table ip global {
        chain one {
                 type filter hook input priority 0;
        }
}

# nft add set global ipv4_ad \{ type ipv4_address \; \}
internal:0:0-0: Error: Could not add set: Operation not supported

2014-02-26 11:47 GMT+01:00 Matteo Croce <technoboy85@gmail.com>:
> thank you very much
>
> 2014-02-26 11:45 GMT+01:00 Pablo Neira Ayuso <pablo@netfilter.org>:
>> On Wed, Feb 26, 2014 at 11:25:30AM +0100, Pablo Neira Ayuso wrote:
>>> On Wed, Feb 26, 2014 at 11:12:29AM +0100, Matteo Croce wrote:
>>> > Hi,
>>> >
>>> > I'm trying to run nftables on Debian with a vanilla 3.13 kernel.
>>> > I've compiled libnftnl and nftables from git, but when I try to start
>>> > nft I get this error:
>>> >
>>> > # nft list table filter
>>> > <cmdline>:1:1-17: Error: Could not receive sets from kernel: Address
>>> > family not supported by protocol
>>> > list table filter
>>> > ^^^^^^^^^^^^^^^^^
>>> >
>>> > I think I have all modules loaded:
>>> >
>>> > lsmod |grep nf
>>> > nfnetlink_log 12935 0
>>> > nft_ct 12486 0
>>> > nft_compat 12844 0
>>> > nft_nat 12459 0
>>> > nf_tables 36626 3 nft_nat,nft_ct,nft_compat
>>> > nfnetlink 12818 3 nf_tables,nfnetlink_log,nft_compat
>>> > nf_conntrack_ipv4 13078 1
>>> > nf_defrag_ipv4 12443 1 nf_conntrack_ipv4
>>> > nf_nat_ipv4 12757 1 iptable_nat
>>> >
>>> > What can it be?
>>>
>>> I don't see the nf_tables_ipv4 and nf_tables_ipv6 modules there.
>>
>> JFYI: Just created this section:
>>
>> http://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting
>>
>> I'll try to collect similar questions in that article.
--
Matteo Croce
OpenWrt Developer

* Re: nft error
From: Pablo Neira Ayuso @ 2014-02-26 16:34 UTC
To: Matteo Croce; +Cc: netfilter
On Wed, Feb 26, 2014 at 05:26:58PM +0100, Matteo Croce wrote:
> What module am I missing now?
>
> # nft list table global
> table ip global {
> chain one {
> type filter hook input priority 0;
> }
> }
>
> # nft add set global ipv4_ad \{ type ipv4_address \; \}
> internal:0:0-0: Error: Could not add set: Operation not supported
nft_hash 12900 0
nft_rbtree 12808 1
nf_tables 42349 3 nf_tables_ipv4,nft_hash,nft_rbtree
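
The two errors in this thread and the modules the replies point to, as an added shell example that is not part of any message above. The function names and the error-to-module mapping are this example's own assumptions drawn from the replies; the lsmod rows are copied from the messages.

```shell
#!/bin/sh
# Added example (not from the thread): given captured `lsmod` output and an
# nft error line, report which of the modules named in the replies are absent.
# Caveat: lsmod lists loadable modules only; code built into the kernel image
# does not appear, so a "missing" result there is not conclusive.

# has_module LSMOD_TEXT NAME: succeed if NAME is in the module-name column.
has_module() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# missing_for_error LSMOD_TEXT NFT_ERROR: print the absent modules, space-separated.
missing_for_error() {
    case $2 in
        *"Address family not supported by protocol"*)
            wanted="nf_tables nf_tables_ipv4 nf_tables_ipv6" ;;   # family support
        *"Could not add set: Operation not supported"*)
            wanted="nf_tables nft_hash nft_rbtree" ;;             # set backends
        *)
            wanted="nf_tables" ;;
    esac
    missing=""
    for m in $wanted; do
        has_module "$1" "$m" || missing="${missing:+$missing }$m"
    done
    printf '%s\n' "$missing"
}

# Sample input: the nf_tables-related rows of the lsmod listing in the first message.
LSMOD_FIRST='nft_ct 12486 0
nft_compat 12844 0
nft_nat 12459 0
nf_tables 36626 3 nft_nat,nft_ct,nft_compat
nfnetlink 12818 3 nf_tables,nfnetlink_log,nft_compat'

# Sample input: the three rows Pablo posted in reply to the set error.
LSMOD_SETS='nft_hash 12900 0
nft_rbtree 12808 1
nf_tables 42349 3 nf_tables_ipv4,nft_hash,nft_rbtree'

ERR_FAMILY='Error: Could not receive sets from kernel: Address family not supported by protocol'
ERR_SET='Error: Could not add set: Operation not supported'

echo "family error, first listing: $(missing_for_error "$LSMOD_FIRST" "$ERR_FAMILY")"
echo "set error, first listing:    $(missing_for_error "$LSMOD_FIRST" "$ERR_SET")"
echo "set error, Pablo's listing:  $(missing_for_error "$LSMOD_SETS" "$ERR_SET")"
```

Only the first column of each row counts as a loaded module: nf_tables_ipv4 in the last listing appears as a user of nf_tables, not as a row of its own.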

* Re: nft error
From: Matteo Croce @ 2014-02-27 11:10 UTC
To: Pablo Neira Ayuso; +Cc: netfilter
Thanks all, I've nftables working, I'm playing with some rules.

I'm trying on my gateway to do NAT with SNAT (masquerading is not
implemented yet) with this rule:

table ip nat {
        chain postrouting {
                 type nat hook postrouting priority 0;
                 oif eth0 snat $eth0
        }
}

$eth0 is the outgoing ethernet ip address.
If from a PC I try to ping 8.8.8.8 I can sniff on the gateway the
outgoing ICMP with the correct address $eth0,
but the replies aren't forwarded back to the PC.

Is the snat target supposed to do also connection tracking?

2014-02-26 17:34 GMT+01:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> On Wed, Feb 26, 2014 at 05:26:58PM +0100, Matteo Croce wrote:
>> What module am I missing now?
>>
>> # nft list table global
>> table ip global {
>> chain one {
>> type filter hook input priority 0;
>> }
>> }
>>
>> # nft add set global ipv4_ad \{ type ipv4_address \; \}
>> internal:0:0-0: Error: Could not add set: Operation not supported
>
> nft_hash 12900 0
> nft_rbtree 12808 1
> nf_tables 42349 3 nf_tables_ipv4,nft_hash,nft_rbtree
--
Matteo Croce
OpenWrt Developer