From: Matt Zagrabelny <mzagrabe@d.umn.edu>
To: netfilter <netfilter@vger.kernel.org>
Subject: ct state module issue
Date: Tue, 25 Jul 2023 14:11:04 -0500
Message-ID: <CAOLfK3WzBo=dPJ0WEvpO4wFPnSp1uEkBXRWpxRSz7Guou3z7kw@mail.gmail.com>
Greetings netfilter,
I'm running kernel: 6.1.0-10-amd64
and
nftables v1.0.6 (Lester Gooch #5)
I have a set of nftables rules that have served me well for Debian 11
- thanks in large part to the netfilter mailing list, so...thank you!
nftables on Debian 11 is: 0.9.8-3.1+deb11u1
I have recently installed Debian 12 and tried my nftables rules and
have hit a snag with the connection tracking and a verdict map.
nftables on Debian 12 is: 1.0.6-2+deb12u1
When I run the offending snippet:
# nft -f /etc/nftables.conf.d/300-common.d/200-connection-tracking.nft
/etc/nftables.conf.d/300-common.d/200-connection-tracking.nft:4:9-16:
Error: Could not process rule: No such file or directory
        ct state vmap {
        ^^^^^^^^
# cat /etc/nftables.conf.d/300-common.d/200-connection-tracking.nft
table inet filter {
    chain input {
        # accept traffic originated from us
        ct state vmap {
            established: accept,
            related: accept,
            invalid: drop,
        }
    }
}
When I watch the kernel logs (journalctl), I see:
Jul 25 13:44:04 localhost kernel: BPF: [99725] STRUCT
Jul 25 13:44:04 localhost kernel: BPF: size=104 vlen=12
Jul 25 13:44:04 localhost kernel: BPF:
Jul 25 13:44:04 localhost kernel: BPF: Invalid name
Jul 25 13:44:04 localhost kernel: BPF:
Jul 25 13:44:04 localhost kernel: failed to validate module [nf_conntrack] BTF: -22
Jul 25 13:44:04 localhost kernel: missing module BTF, cannot register kfuncs
I've tried to load the module manually:
# lsmod | rg nf
nf_defrag_ipv6 24576 0
nf_defrag_ipv4 16384 0
nf_tables 290816 0
libcrc32c 16384 1 nf_tables
nfnetlink 20480 1 nf_tables
binfmt_misc 24576 1
configfs 57344 1
# modprobe nft_ct
modprobe: ERROR: could not insert 'nft_ct': Unknown symbol in module,
or unknown parameter (see dmesg)
dmesg shows the same as the kernel message as above.
I'm starting to struggle with where to look for debugging clues. Any
help would be very appreciated.
Thank you!
-m
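A small diagnostic, added here as an example and not part of the thread, that parses kernel log text for the module-BTF failure reported above and shows why the nft_ct rules end up missing (the kfuncs nft_ct needs are never registered when nf_conntrack's BTF is rejected). The sample journal text is constructed from the lines quoted in the report, and the /sys/kernel/btf check only means something on a live host.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). The sample journal text is
# constructed from the lines quoted in the report; it is not a live capture.
SAMPLE_LOG='Jul 25 13:44:04 localhost kernel: BPF: [99725] STRUCT
Jul 25 13:44:04 localhost kernel: BPF: size=104 vlen=12
Jul 25 13:44:04 localhost kernel: BPF:
Jul 25 13:44:04 localhost kernel: BPF: Invalid name
Jul 25 13:44:04 localhost kernel: BPF:
Jul 25 13:44:04 localhost kernel: failed to validate module [nf_conntrack] BTF: -22
Jul 25 13:44:04 localhost kernel: missing module BTF, cannot register kfuncs'

# Print "<module> <errno>" for every module whose BTF the kernel refused.
btf_failures() {
    printf '%s\n' "$1" |
        sed -n 's/.*failed to validate module \[\([^]]*\)\] BTF: -\{0,1\}\([0-9]*\).*/\1 \2/p'
}

# Print the BTF verifier's own diagnostic lines (the text after "BPF: "),
# skipping the empty separator lines, so the reason ("Invalid name") stands out.
btf_verifier_context() {
    printf '%s\n' "$1" | sed -n 's/.*kernel: BPF: \(..*\)/\1/p'
}

# Symbolic name for the errno the kernel printed (subset relevant here).
errno_name() {
    case "$1" in
        22) echo EINVAL ;;
        2)  echo ENOENT ;;
        *)  echo "errno $1" ;;
    esac
}

# True when the log shows kfunc registration was skipped for lack of module BTF;
# nft_ct depends on those kfuncs, so the ct rules never load in that state.
kfuncs_blocked() {
    printf '%s\n' "$1" | grep -q 'missing module BTF, cannot register kfuncs'
}

# On a live host, /sys/kernel/btf/<module> exists only if the module loaded with
# valid BTF; its absence for a loaded module corroborates the log.
module_btf_present() {
    [ -r "/sys/kernel/btf/$1" ]
}

# Stand-alone run over the constructed sample.
btf_failures "$SAMPLE_LOG" | while read -r mod err; do
    echo "module $mod: BTF rejected with $(errno_name "$err")"
done
kfuncs_blocked "$SAMPLE_LOG" && echo "kfunc registration blocked; nft ct rules will not load"
```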