
Kernel module missing for nftables in Debian Buster image

Open madelponte opened this issue 4 years ago • 16 comments

I was testing out the new Debian Buster build and it looks like it does not include the nftables kernel modules. Debian has switched default firewalls from iptables to nftables and as a result, if the nftables kernel modules are missing, neither iptables nor nftables rules can be loaded into the system.

madelponte avatar Mar 22 '20 14:03 madelponte

Hello @madelponte

Thanks for your feedback, we will check this issue.

Hello @hyphop Do you know about this issue?

numbqq avatar Mar 23 '20 01:03 numbqq

I never use nftables ;) Sure, I can check it. Maybe we need to make alternative configs for the kernels. I will try to solve it ;)

hyphop avatar Mar 23 '20 07:03 hyphop

https://wiki.debian.org/nftables

hyphop avatar Mar 23 '20 07:03 hyphop

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

hyphop avatar Mar 23 '20 07:03 hyphop

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Normally that would work, if you wanted to use the legacy iptables, but the image does not have iptables kernel modules either.

On a working Debian Buster system, both sets of kernel modules exist:

$ find /lib/modules -name "ip_tables*"
/lib/modules/4.19.0-6-amd64/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/4.19.0-8-amd64/kernel/net/ipv4/netfilter/ip_tables.ko
$ find /lib/modules -name "nf_tables*"
/lib/modules/4.19.0-6-amd64/kernel/net/netfilter/nf_tables.ko
/lib/modules/4.19.0-6-amd64/kernel/net/netfilter/nf_tables_set.ko
/lib/modules/4.19.0-8-amd64/kernel/net/netfilter/nf_tables.ko
/lib/modules/4.19.0-8-amd64/kernel/net/netfilter/nf_tables_set.ko

However, on the fenix compiled image, neither exists and therefore neither can be used.

madelponte avatar Mar 23 '20 14:03 madelponte

Please, Nick and hyphop, do not forget to check the issue with the Debian Buster build from Docker on Ubuntu 18.04. Thanks. Ravelo.

dsir-minute avatar Mar 24 '20 21:03 dsir-minute

However on the fenix compiled image, neither exist and therefor neither can be used.

I will check it tomorrow!

hyphop avatar Mar 28 '20 15:03 hyphop

It works for me

root@Khadas:~# uname -a
Linux Khadas 5.5.0-rc2 #0.8.3 SMP PREEMPT Fri Mar 20 15:44:39 +09 2020 aarch64 GNU/Linux

root@Khadas:~# update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode

root@Khadas:~# iptables -I INPUT -j ACCEPT
root@Khadas:~# iptables -t nat -I PREROUTING

root@Khadas:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
           all  --  anywhere             anywhere            

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination      

root@Khadas:~#  find /lib/modules | grep tables
/lib/modules/5.5.0-rc2/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/5.5.0-rc2/kernel/net/ipv4/netfilter/arp_tables.ko
/lib/modules/5.5.0-rc2/kernel/net/ipv6/netfilter/ip6_tables.ko
/lib/modules/5.5.0-rc2/kernel/net/netfilter/x_tables.ko
/lib/modules/5.5.0-rc2/kernel/net/netfilter/nf_tables.ko
/lib/modules/5.5.0-rc2/kernel/net/bridge/netfilter/ebtables.ko

root@Khadas:~# lsmod | grep tabl
iptable_nat            16384  1
nf_nat                 49152  1 iptable_nat
iptable_filter         16384  1
nf_tables             147456  0
nfnetlink              16384  1 nf_tables
ip_tables              32768  2 iptable_filter,iptable_nat
x_tables               40960  2 iptable_filter,ip_tables

hyphop avatar Mar 28 '20 16:03 hyphop

https://www.reddit.com/r/debian/comments/bemysl/upgrade_to_buster_has_broken_ufw_and_iptables/

SAME

root@Khadas:~# update-alternatives --set iptables /usr/sbin/iptables-nft
update-alternatives: using /usr/sbin/iptables-nft to provide /usr/sbin/iptables (iptables) in manual mode
root@Khadas:~# iptables -L
iptables v1.8.2 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain INPUT

hyphop avatar Mar 28 '20 16:03 hyphop

root@Khadas:~# zgrep CONFIG_NF_TABLES_BRIDGE /proc/config.gz 
# CONFIG_NF_TABLES_BRIDGE is not set

hyphop avatar Mar 28 '20 16:03 hyphop
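The thread's diagnosis boils down to two checks: which backend `update-alternatives` has pointed `iptables` at (legacy `x_tables` or `nf_tables`), and whether the running kernel was built with the option that backend needs (`zgrep CONFIG_... /proc/config.gz`). The script below, an added example rather than anything from the fenix project or this thread, combines those checks so that a missing module is reported instead of rules silently failing to load. The mapping from alternative path to kernel option and the `/usr/sbin` and `/proc/config.gz` locations are assumptions about a stock Debian Buster layout.

```shell
#!/bin/sh
# Added example, not part of the fenix project: report whether the kernel
# behind an image can actually back the *tables alternative that
# update-alternatives has selected. Paths and option names are assumptions
# about a stock Debian Buster layout.

# kernel_has_option OPTION CONFIG_FILE
# Succeeds when OPTION is built in (=y) or modular (=m) in a kernel config,
# which may be plain text or gzipped like /proc/config.gz.
kernel_has_option() {
    _opt=$1
    _cfg=$2
    case "$_cfg" in
        *.gz) zcat "$_cfg" ;;
        *)    cat "$_cfg" ;;
    esac | grep -Eq "^${_opt}=(y|m)\$"
}

# required_option ALTERNATIVE_PATH
# Prints the kernel config option a given *tables alternative
# (e.g. /usr/sbin/iptables-nft) needs in order to load rules at all.
required_option() {
    case "$1" in
        */iptables-legacy)              echo CONFIG_IP_NF_IPTABLES ;;
        */ip6tables-legacy)             echo CONFIG_IP6_NF_IPTABLES ;;
        */arptables-legacy)             echo CONFIG_IP_NF_ARPTABLES ;;
        */ebtables-legacy)              echo CONFIG_BRIDGE_NF_EBTABLES ;;
        */iptables-nft|*/ip6tables-nft) echo CONFIG_NF_TABLES ;;
        */arptables-nft)                echo CONFIG_NF_TABLES_ARP ;;
        */ebtables-nft)                 echo CONFIG_NF_TABLES_BRIDGE ;;
        *) return 1 ;;
    esac
}

# check_backend ALTERNATIVE_PATH CONFIG_FILE
# Exit status 0: the kernel can back this tool; 1: rules would fail to load;
# 2: the alternative path is not one we recognise.
check_backend() {
    _alt=$1
    _cfg=$2
    _need=$(required_option "$_alt") || {
        echo "unrecognised alternative: $_alt" >&2
        return 2
    }
    if kernel_has_option "$_need" "$_cfg"; then
        echo "OK: $_alt is backed by the kernel ($_need set)"
        return 0
    fi
    echo "FAIL: $_alt cannot load rules, $_need is missing from the kernel" >&2
    return 1
}

# Live use: resolve what update-alternatives currently points each tool at
# and test it against the running kernel's config. Runs only when invoked
# with "--live", so the functions can also be sourced from other scripts.
if [ "${1:-}" = "--live" ]; then
    for tool in iptables ip6tables arptables ebtables; do
        alt=$(readlink -f "/usr/sbin/$tool" 2>/dev/null) || continue
        check_backend "$alt" /proc/config.gz
    done
fi
```

Run as `sh check-fw-backend.sh --live` on the image; a `FAIL` line for `iptables-nft` with `CONFIG_NF_TABLES` missing is exactly the situation this issue describes, and a `FAIL` for the `-legacy` alternative as well means switching with `update-alternatives` will not help either.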

OK! need update config for mainline kernel

hyphop avatar Mar 28 '20 16:03 hyphop

OK! need update config for mainline kernel

Hello Artem,

Can you send a PR about this issue?

numbqq avatar Mar 29 '20 01:03 numbqq

OK! I will test it first and send it after.

hyphop avatar Mar 31 '20 06:03 hyphop

I can't solve this Debian Buster bug by changing the kernel config.

There is only one solution:

update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

hyphop avatar Apr 03 '20 06:04 hyphop

Looks like it works with changes I proposed here.

assoc avatar Sep 26 '20 13:09 assoc

OK, so the issue was solved!?

hyphop avatar Nov 11 '20 13:11 hyphop