fenix
Kernel module missing for nftables in Debian Buster image
I was testing out the new Debian Buster build and it looks like it does not include the nftables kernel modules. Debian has switched default firewalls from iptables to nftables and as a result, if the nftables kernel modules are missing, neither iptables nor nftables rules can be loaded into the system.
Hello @madelponte
Thanks for your feedback, we will check this issue.
Hello @hyphop Do you know about this issue?
Never use nftables ;) Sure, I can check it. Maybe we need to make alternative configs for kernels. I will try to solve it ;)
https://wiki.debian.org/nftables
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
update-alternatives --set arptables /usr/sbin/arptables-legacy
update-alternatives --set ebtables /usr/sbin/ebtables-legacy
Normally that would work, if you wanted to use the legacy iptables, but the image does not have iptables kernel modules either.
On a working Debian Buster system, both sets of kernel modules exist:
$ find /lib/modules -name "ip_tables"
/lib/modules/4.19.0-6-amd64/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/4.19.0-8-amd64/kernel/net/ipv4/netfilter/ip_tables.ko
$ find /lib/modules -name "nf_tables"
/lib/modules/4.19.0-6-amd64/kernel/net/netfilter/nf_tables.ko
/lib/modules/4.19.0-6-amd64/kernel/net/netfilter/nf_tables_set.ko
/lib/modules/4.19.0-8-amd64/kernel/net/netfilter/nf_tables.ko
/lib/modules/4.19.0-8-amd64/kernel/net/netfilter/nf_tables_set.ko
However, on the fenix-compiled image, neither exists and therefore neither can be used.
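The check above (does the kernel ship the modules each backend needs?) can be done against the kernel config before choosing a backend with update-alternatives. The script below is an added example, not code from the fenix project: the Kconfig option names are real kernel options, but the grouping of options per backend is this example's own assumption of a reasonable minimum, and the sample config is constructed to resemble the kernel discussed in this thread (nf_tables present, bridge support unset). Run on a real system it also reads /proc/config.gz when that is available.

```shell
#!/bin/sh
# Added example (not from the fenix project): report which iptables backends a
# kernel config can support, so an image can be verified before a firewall
# is configured on it. Option-to-backend grouping is this example's assumption.

# Constructed sample config, shaped like `zcat /proc/config.gz | grep -i tables`
# on the kernel discussed in the thread (nf_tables built, NF_TABLES_BRIDGE unset).
SAMPLE_CONFIG='CONFIG_NETFILTER_XTABLES=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_IPV4=y
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_COMPAT=m
# CONFIG_NF_TABLES_BRIDGE is not set
# CONFIG_BRIDGE_NF_EBTABLES is not set'

# Minimum options assumed for each backend (assumption of this example).
LEGACY_OPTS="CONFIG_NETFILTER_XTABLES CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER CONFIG_IP_NF_NAT CONFIG_IP6_NF_IPTABLES"
NFT_OPTS="CONFIG_NF_TABLES CONFIG_NF_TABLES_IPV4 CONFIG_NF_TABLES_IPV6 CONFIG_NFT_COMPAT"
EBTABLES_NFT_OPTS="CONFIG_NF_TABLES CONFIG_NF_TABLES_BRIDGE"

# config_has OPTION CONFIG_TEXT: succeed if OPTION is built in (=y) or a module (=m).
config_has() {
    printf '%s\n' "$2" | grep -qE "^$1=[ym]\$"
}

# missing_options CONFIG_TEXT OPTION...: print the OPTIONs that are not enabled,
# space separated on one line (empty line when nothing is missing).
missing_options() {
    cfg=$1
    shift
    out=""
    for opt in "$@"; do
        config_has "$opt" "$cfg" || out="$out${out:+ }$opt"
    done
    printf '%s\n' "$out"
}

# One predicate per backend; each succeeds when no required option is missing.
legacy_backend_ok()  { [ -z "$(missing_options "$1" $LEGACY_OPTS)" ]; }
nft_backend_ok()     { [ -z "$(missing_options "$1" $NFT_OPTS)" ]; }
ebtables_nft_ok()    { [ -z "$(missing_options "$1" $EBTABLES_NFT_OPTS)" ]; }

# report_one CONFIG_TEXT NAME OPTS: one human-readable line for a backend.
report_one() {
    missing=$(missing_options "$1" $3)
    if [ -z "$missing" ]; then
        echo "$2: usable"
    else
        echo "$2: NOT usable, missing: $missing"
    fi
}

# report CONFIG_TEXT: summary for all three backends.
report() {
    report_one "$1" iptables-legacy "$LEGACY_OPTS"
    report_one "$1" iptables-nft "$NFT_OPTS"
    report_one "$1" ebtables-nft "$EBTABLES_NFT_OPTS"
}

echo "== constructed sample config =="
report "$SAMPLE_CONFIG"

# On a live system, check the running kernel when its config is exported.
if [ -r /proc/config.gz ]; then
    echo "== running kernel $(uname -r) =="
    report "$(gzip -dc /proc/config.gz)"
fi
```

A config that passes this check still only proves the options were built; on an image like the one discussed here the .ko files must also be installed under /lib/modules/$(uname -r), so pair this with the `find /lib/modules` check from the comment above and a trial rule load before relying on the firewall.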
Please, Nick and hyphop, do not forget to check the issue with the Debian Buster build from Docker on Ubuntu 18.04. Tks. Ravelo.
> However, on the fenix-compiled image, neither exists and therefore neither can be used.

I will check it tomorrow!
It works for me.
root@Khadas:~# uname -a
Linux Khadas 5.5.0-rc2 #0.8.3 SMP PREEMPT Fri Mar 20 15:44:39 +09 2020 aarch64 GNU/Linux
root@Khadas:~# update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode
root@Khadas:~# iptables -I INPUT -j ACCEPT
root@Khadas:~# iptables -t nat -I PREROUTING
root@Khadas:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
root@Khadas:~# find /lib/modules | grep tables
/lib/modules/5.5.0-rc2/kernel/net/ipv4/netfilter/ip_tables.ko
/lib/modules/5.5.0-rc2/kernel/net/ipv4/netfilter/arp_tables.ko
/lib/modules/5.5.0-rc2/kernel/net/ipv6/netfilter/ip6_tables.ko
/lib/modules/5.5.0-rc2/kernel/net/netfilter/x_tables.ko
/lib/modules/5.5.0-rc2/kernel/net/netfilter/nf_tables.ko
/lib/modules/5.5.0-rc2/kernel/net/bridge/netfilter/ebtables.ko
root@Khadas:~# lsmod | grep tabl
iptable_nat 16384 1
nf_nat 49152 1 iptable_nat
iptable_filter 16384 1
nf_tables 147456 0
nfnetlink 16384 1 nf_tables
ip_tables 32768 2 iptable_filter,iptable_nat
x_tables 40960 2 iptable_filter,ip_tables
https://www.reddit.com/r/debian/comments/bemysl/upgrade_to_buster_has_broken_ufw_and_iptables/
SAME
root@Khadas:~# update-alternatives --set iptables /usr/sbin/iptables-nft
update-alternatives: using /usr/sbin/iptables-nft to provide /usr/sbin/iptables (iptables) in manual mode
root@Khadas:~# iptables -L
iptables v1.8.2 (nf_tables): CHAIN_ADD failed (No such file or directory): chain INPUT
root@Khadas:~# zgrep CONFIG_NF_TABLES_BRIDGE /proc/config.gz
# CONFIG_NF_TABLES_BRIDGE is not set
OK! Need to update the config for the mainline kernel.
Hello Artem,
Can you send a PR about this issue?
OK! I will test it first and send it after.
I can't solve this Debian Buster bug by changing the kernel config.
Only one solution:
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
Looks like it works with changes I proposed here.
OK, issue was solved!?