control: private
Hi Salvatore,
I apologize for my premature response about not being able to reproduce the
issue. After further testing, the problem persists and I can now provide
more detailed information.
The issue manifests inconsistently: sometimes the connection tracking
functionality works after boot, and sometimes it doesn't. This
inconsistency made initial testing or reproducibility unreliable.
Here's a minimal example that demonstrates the issue:
#!/usr/sbin/nftables -f
# Clear existing ruleset
flush ruleset
# Define trusted DNS servers
define TRUSTED_DNS = {
8.8.8.8, # Google Primary
8.8.4.4 # Google Secondary
}
table inet filter {
set dns_queries {
type ipv4_addr
flags dynamic,timeout
size 65535
timeout 1h
}
chain input_base {
ct state invalid drop comment "Drop invalid connections"
ct state {established,related} accept comment "Allow existing
connections"
iifname "lo" accept comment "Allow loopback interface"
iif != "lo" ip daddr 127.0.0.0/8 drop comment "Drop spoofed
localhost IPv4"
iif != "lo" ip6 daddr ::1 drop comment "Drop spoofed localhost IPv6"
}
chain input {
type filter hook input priority filter; policy drop;
jump input_base
ip protocol icmp icmp type echo-reply accept comment "Allow ping
responses"
# DNS Response handling
ip saddr $TRUSTED_DNS udp sport 53 udp dport >= 1024 \
ct state established \
accept comment "Allow DNS responses UDP"
ip saddr $TRUSTED_DNS tcp sport 53 tcp dport >= 1024 \
ct state established \
accept comment "Allow DNS responses TCP"
counter comment "Count dropped packets"
drop comment "Drop all other incoming"
}
chain forward {
type filter hook forward priority filter; policy drop;
}
chain output {
type filter hook output priority filter; policy drop;
oifname "lo" accept comment "Allow loopback output"
ip protocol icmp icmp type echo-request accept comment "Allow
outgoing pings IPv4"
# DNS Query handling
ip daddr $TRUSTED_DNS udp dport 53 \
ct state new \
add @dns_queries { ip daddr } \
counter accept comment "Allow DNS queries UDP"
ip daddr $TRUSTED_DNS tcp dport 53 \
ct state new \
add @dns_queries { ip daddr } \
counter accept comment "Allow DNS queries TCP"
counter comment "Count blocked outgoing"
drop comment "Drop all other outgoing"
}
}
Save it in /etc/nftables.conf
Then run
nft -fc /etc/nftables.conf
The rule sometimes fails with:
Error: Could not process rule: No such file or directory
System details:
- Debian 12 (bookworm)
- Current kernel: 6.1.0-28-amd64 (6.1.119-1)
- nftables v1.0.6-1
- kernel.modules_disabled=1
- Required modules included in initramfs
Relevant system logs show the nftables service starting, but connection
tracking functionality is inconsistently available:
I'm including logs since my first update to the new kernel.
Boot history for reference:
*IDX FIRST ENTRY LAST ENTRY*
*-11 Sat 2024-12-14 10:55:52 UTC Sun 2024-12-15 18:15:56 UTC*
*-10 Sun 2024-12-15 22:50:57 UTC Sun 2024-12-15 23:46:22 UTC*
* -9 Mon 2024-12-16 12:01:31 UTC Mon 2024-12-16 13:02:28 UTC*
* -8 Mon 2024-12-16 13:02:58 UTC Mon 2024-12-16 13:38:21 UTC*
* -7 Mon 2024-12-16 13:38:52 UTC Mon 2024-12-16 15:17:24 UTC*
* -6 Mon 2024-12-16 15:28:29 UTC Mon 2024-12-16 15:38:06 UTC*
* -5 Mon 2024-12-16 15:39:14 UTC Mon 2024-12-16 15:44:24 UTC*
* -4 Mon 2024-12-16 22:12:09 UTC Mon 2024-12-16 22:35:59 UTC*
* -3 Mon 2024-12-16 22:36:35 UTC Tue 2024-12-17 00:11:20 UTC*
* -2 Tue 2024-12-17 09:13:35 UTC Tue 2024-12-17 10:58:41 UTC*
* -1 Tue 2024-12-17 10:59:47 UTC Tue 2024-12-17 11:00:13 UTC*
* 0 Tue 2024-12-17 11:06:14 UTC Tue 2024-12-17 11:20:09 UTC*
NFT Services related logs
Dec 17 11:06:14 localhost (nft)[535]: nftables.service: Executing:
/usr/sbin/nft -f /etc/nftables.conf
Dec 17 11:06:14 localhost systemd[1]: nftables.service: Child 535 belongs
to nftables.service.
Dec 17 11:06:14 localhost systemd[1]: nftables.service: Main process
exited, code=exited, status=0/SUCCESS (success)
Dec 17 11:06:14 localhost systemd[1]: nftables.service: Changed start ->
exited
Dec 17 11:06:14 localhost systemd[1]: nftables.service: Job 74
nftables.service/start finished, result=done
Dec 17 11:06:14 localhost systemd[1]: Finished nftables.service - nftables.
Dec 17 11:06:14 localhost systemd[1]: nftables.service: Control group is
empty.
Dec 17 10:59:47 localhost (nft)[531]: nftables.service: Executing:
/usr/sbin/nft -f /etc/nftables.conf
Dec 17 10:59:48 localhost systemd[1]: nftables.service: Child 531 belongs
to nftables.service.
Dec 17 10:59:48 localhost systemd[1]: nftables.service: Main process
exited, code=exited, status=0/SUCCESS (success)
Dec 17 10:59:48 localhost systemd[1]: nftables.service: Changed start ->
exited
Dec 17 10:59:48 localhost systemd[1]: nftables.service: Job 59
nftables.service/start finished, result=done
Dec 17 10:59:48 localhost systemd[1]: Finished nftables.service - nftables.
Dec 17 10:59:48 localhost systemd[1]: nftables.service: Control group is
empty.
Dec 17 11:00:11 localhost systemd[1]: nftables.service: Installed new job
nftables.service/stop as 397
Dec 17 11:00:12 localhost systemd[1]: nftables.service: stopping held back,
waiting for: network-pre.target
Dec 17 09:13:35 localhost (nft)[540]: nftables.service: Executing:
/usr/sbin/nft -f /etc/nftables.conf
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:39:9-16: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state invalid drop comment "Drop
invalid connections"
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:40:9-16: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state {established,related}
accept comment "Allow existing connections"
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:57:13-20: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state established \
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:61:13-20: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state established \
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:66:13-20: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state new \
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:70:13-20: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state established \
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:74:13-20: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state established \
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:96:13-20: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state new \
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:101:13-20: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state new \
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:107:13-20: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state
{new,established,related} \
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost nft[540]: /etc/nftables.conf:111:13-20: Error:
Could not process rule: No such file or directory
Dec 17 09:13:35 localhost nft[540]: ct state
{new,established,related} \
Dec 17 09:13:35 localhost nft[540]: ^^^^^^^^
Dec 17 09:13:35 localhost systemd[1]: nftables.service: Child 540 belongs
to nftables.service.
Dec 17 09:13:35 localhost systemd[1]: nftables.service: Main process
exited, code=exited, status=1/FAILURE
Dec 17 09:13:35 localhost systemd[1]: nftables.service: Failed with result
'exit-code'.
Dec 17 09:13:35 localhost systemd[1]: nftables.service: Service will not
restart (restart setting)
Dec 17 09:13:35 localhost systemd[1]: nftables.service: Changed start ->
failed
Dec 17 09:13:35 localhost systemd[1]: nftables.service: Job 69
nftables.service/start finished, result=failed
Dec 17 09:13:35 localhost systemd[1]: Failed to start nftables.service -
nftables.
Dec 17 09:13:35 localhost systemd[1]: nftables.service: Unit entered failed
state.
Dec 17 09:13:35 localhost systemd[1]: nftables.service: Consumed 25ms CPU
time.
Dec 17 09:13:35 localhost systemd[1]: nftables.service: Control group is
empty.
Dec 16 22:36:35 localhost systemd[1]: nftables.service: Child 537 belongs
to nftables.service.
Dec 16 22:36:35 localhost systemd[1]: nftables.service: Main process
exited, code=exited, status=0/SUCCESS (success)
Dec 16 22:36:35 localhost systemd[1]: nftables.service: Changed start ->
exited
Dec 16 22:36:35 localhost systemd[1]: nftables.service: Job 49
nftables.service/start finished, result=done
Dec 16 22:36:35 localhost systemd[1]: Finished nftables.service - nftables.
Dec 16 22:36:35 localhost systemd[1]: nftables.service: Control group is
empty.
Dec 17 00:11:20 localhost systemd[1]: nftables.service: Installed new job
nftables.service/stop as 2752
Dec 17 00:11:20 localhost systemd[1]: nftables.service: stopping held back,
waiting for: network-pre.target
Dec 16 22:12:09 localhost (nft)[536]: nftables.service: Executing:
/usr/sbin/nft -f /etc/nftables.conf
Dec 16 22:12:09 localhost systemd[1]: nftables.service: Child 536 belongs
to nftables.service.
Dec 16 22:12:09 localhost systemd[1]: nftables.service: Main process
exited, code=exited, status=0/SUCCESS (success)
Dec 16 22:12:09 localhost systemd[1]: nftables.service: Changed start ->
exited
Dec 16 22:12:09 localhost systemd[1]: nftables.service: Job 105
nftables.service/start finished, result=done
Dec 16 22:12:09 localhost systemd[1]: Finished nftables.service - nftables.
Dec 16 22:12:09 localhost systemd[1]: nftables.service: Control group is
empty.
Dec 16 22:35:58 localhost systemd[1]: nftables.service: Installed new job
nftables.service/stop as 560
Dec 16 22:35:58 localhost systemd[1]: nftables.service: stopping held back,
waiting for: network-pre.target
Dec 16 22:35:59 localhost systemd[1]: nftables.service: Will spawn child
(service_enter_stop): /usr/sbin/nft
Dec 16 22:35:59 localhost systemd[1]: nftables.service: About to execute
/usr/sbin/nft flush ruleset
Dec 16 22:35:59 localhost systemd[1]: nftables.service: Forked
/usr/sbin/nft as 19306
Dec 16 22:35:59 localhost systemd[1]: nftables.service: Changed exited ->
stop
Dec 16 22:35:59 localhost systemd[1]: Stopping nftables.service -
nftables...
Dec 16 22:35:59 localhost (nft)[19306]: Bind-mounting / on
/run/systemd/unit-root (MS_BIND|MS_REC "")...
Dec 16 22:35:59 localhost (nft)[19306]: Followed mount entry path symlink
/run/systemd/unit-root/bin → /run/systemd/unit-root/usr/bin.
Dec 16 22:35:59 localhost (nft)[19306]: /run/systemd/unit-root/usr/bin
(read-only) is made redundant by /run/systemd/unit-root/usr (read-only)
Dec 16 22:35:59 localhost (nft)[19306]: Applying namespace mount on
/run/systemd/unit-root/boot
Dec 16 22:35:59 localhost (nft)[19306]: Applying namespace mount on
/run/systemd/unit-root/efi
Dec 16 22:35:59 localhost (nft)[19306]: Applying namespace mount on
/run/systemd/unit-root/etc
Dec 16 22:35:59 localhost (nft)[19306]: Bind-mounting
/run/systemd/unit-root/etc on /run/systemd/unit-root/etc (MS_BIND|MS_REC ""
)...
Dec 16 22:35:59 localhost (nft)[19306]: Successfully mounted
/run/systemd/unit-root/etc to /run/systemd/unit-root/etc
Dec 16 22:35:59 localhost (nft)[19306]: Applying namespace mount on
/run/systemd/unit-root/home
Dec 16 22:35:59 localhost (nft)[19306]: Bind-mounting
/run/systemd/inaccessible/dir on /run/systemd/unit-root/home
(MS_BIND|MS_REC "")...
Dec 16 22:35:59 localhost (nft)[19306]: Successfully mounted
/run/systemd/inaccessible/dir to /run/systemd/unit-root/home
Dec 16 22:35:59 localhost (nft)[19306]: Followed mount entry path symlink
/run/systemd/unit-root/lib → /run/systemd/unit-root/usr/lib.
Dec 16 22:35:59 localhost (nft)[19306]: /run/systemd/unit-root/usr/lib
(read-only) is made redundant by /run/systemd/unit-root/usr (read-only)
Dec 16 22:35:59 localhost (nft)[19306]: Followed mount entry path symlink
/run/systemd/unit-root/lib64 → /run/systemd/unit-root/usr/lib64.
Dec 16 22:35:59 localhost (nft)[19306]: /run/systemd/unit-root/usr/lib64
(read-only) is made redundant by /run/systemd/unit-root/usr (read-only)
Dec 16 22:35:59 localhost (nft)[19306]: Applying namespace mount on
/run/systemd/unit-root/root
Dec 16 22:35:59 localhost (nft)[19306]: Bind-mounting
/run/systemd/inaccessible/dir on /run/systemd/unit-root/root
(MS_BIND|MS_REC "")...
Dec 16 22:35:59 localhost (nft)[19306]: Successfully mounted
/run/systemd/inaccessible/dir to /run/systemd/unit-root/root
Dec 16 22:35:59 localhost (nft)[19306]: Applying namespace mount on
/run/systemd/unit-root/run/credentials
Dec 16 22:35:59 localhost (nft)[19306]: Bind-mounting
/run/systemd/inaccessible/dir on /run/systemd/unit-root/run/credentials
(MS_BIND|MS_REC "")...
Dec 16 22:35:59 localhost (nft)[19306]: Successfully mounted
/run/systemd/inaccessible/dir to /run/systemd/unit-root/run/credentials
Dec 16 22:35:59 localhost (nft)[19306]: Applying namespace mount on
/run/systemd/unit-root/run/systemd/incoming
Dec 16 22:35:59 localhost (nft)[19306]: Followed source symlinks
/run/systemd/propagate/nftables.service →
/run/systemd/propagate/nftables.service.
Dec 16 22:35:59 localhost (nft)[19306]: Bind-mounting
/run/systemd/propagate/nftables.service on
/run/systemd/unit-root/run/systemd/incoming (MS_BIND "")...
Dec 16 22:35:59 localhost (nft)[19306]: Successfully mounted
/run/systemd/propagate/nftables.service to
/run/systemd/unit-root/run/systemd/incoming
Dec 16 22:35:59 localhost (nft)[19306]: Applying namespace mount on
/run/systemd/unit-root/run/user
Dec 16 22:35:59 localhost (nft)[19306]: Bind-mounting
/run/systemd/inaccessible/dir on /run/systemd/unit-root/run/user
(MS_BIND|MS_REC "")...
Dec 16 22:35:59 localhost (nft)[19306]: Successfully mounted
/run/systemd/inaccessible/dir to /run/systemd/unit-root/run/user
Dec 16 22:35:59 localhost (nft)[19306]: Followed mount entry path symlink
/run/systemd/unit-root/sbin → /run/systemd/unit-root/usr/sbin.
Dec 16 22:35:59 localhost (nft)[19306]: /run/systemd/unit-root/usr/sbin
(read-only) is made redundant by /run/systemd/unit-root/usr (read-only)
Dec 16 22:35:59 localhost (nft)[19306]: Applying namespace mount on
/run/systemd/unit-root/usr
Dec 16 22:35:59 localhost (nft)[19306]: nftables.service: Executing:
/usr/sbin/nft flush ruleset
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:39:9-16: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state invalid drop comment "Drop
invalid connections"
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:40:9-16: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state {established,related}
accept comment "Allow existing connections"
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:57:13-20: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state established \
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:61:13-20: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state established \
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:66:13-20: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state new \
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:70:13-20: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state established \
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:74:13-20: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state established \
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:96:13-20: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state new \
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:101:13-20: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state new \
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:107:13-20: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state
{new,established,related} \
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
Dec 16 15:39:15 localhost nft[511]: /etc/nftables.conf:111:13-20: Error:
Could not process rule: No such file or directory
Dec 16 15:39:15 localhost nft[511]: ct state
{new,established,related} \
Dec 16 15:39:15 localhost nft[511]: ^^^^^^^^
-- No entries --
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:39:9-16: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state invalid drop comment "Drop
invalid connections"
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:40:9-16: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state {established,related}
accept comment "Allow existing connections"
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:57:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state established \
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:61:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state established \
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:66:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state new \
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:70:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state established \
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:74:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state established \
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:96:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state new \
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:101:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state new \
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:107:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state
{new,established,related} \
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost nft[510]: /etc/nftables.conf:111:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:38:52 localhost nft[510]: ct state
{new,established,related} \
Dec 16 13:38:52 localhost nft[510]: ^^^^^^^^
Dec 16 13:38:52 localhost systemd[1]: nftables.service: Main process
exited, code=exited, status=1/FAILURE
Dec 16 13:38:52 localhost systemd[1]: nftables.service: Failed with result
'exit-code'.
Dec 16 13:38:52 localhost systemd[1]: Failed to start nftables.service -
nftables.
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:39:9-16: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state invalid drop comment "Drop
invalid connections"
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:40:9-16: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state {established,related}
accept comment "Allow existing connections"
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:57:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state established \
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:61:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state established \
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:66:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state new \
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:70:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state established \
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:74:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state established \
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:96:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state new \
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:101:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state new \
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:107:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state
{new,established,related} \
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost nft[504]: /etc/nftables.conf:111:13-20: Error:
Could not process rule: No such file or directory
Dec 16 13:02:58 localhost nft[504]: ct state
{new,established,related} \
Dec 16 13:02:58 localhost nft[504]: ^^^^^^^^
Dec 16 13:02:58 localhost systemd[1]: nftables.service: Main process
exited, code=exited, status=1/FAILURE
Dec 16 13:02:58 localhost systemd[1]: nftables.service: Failed with result
'exit-code'.
Dec 16 13:02:58 localhost systemd[1]: Failed to start nftables.service -
nftables.
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:29:9-16: Error:
Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state invalid drop comment "Drop
invalid connections"
Dec 16 12:01:31 localhost nft[503]: ^^^^^^^^
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:30:9-16: Error:
Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state established,related
accept comment "Allow existing connections"
Dec 16 12:01:31 localhost nft[503]: ^^^^^^^^
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:47:13-20: Error:
Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state established \
Dec 16 12:01:31 localhost nft[503]: ^^^^^^^^
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:51:13-20: Error:
Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state established \
Dec 16 12:01:31 localhost nft[503]: ^^^^^^^^
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:56:13-20: Error:
Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state new \
Dec 16 12:01:31 localhost nft[503]: ^^^^^^^^
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:60:13-20: Error:
Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state established \
Dec 16 12:01:31 localhost nft[503]: ^^^^^^^^
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:80:13-20: Error:
Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state new \
Dec 16 12:01:31 localhost nft[503]: ^^^^^^^^
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:85:13-20: Error:
Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state new \
Dec 16 12:01:31 localhost nft[503]: ^^^^^^^^
Dec 16 12:01:31 localhost nft[503]: /etc/nftables.conf:91:13-20: Error:
Could not process rule: No such file or directory
Dec 16 12:01:31 localhost nft[503]: ct state
{new,established,related} \
Dec 16 12:01:31 localhost nft[503]: ^^^^^^^^
Dec 16 12:01:31 localhost systemd[1]: nftables.service: Main process
exited, code=exited, status=1/FAILURE
Dec 16 12:01:31 localhost systemd[1]: nftables.service: Failed with result
'exit-code'.
Dec 16 12:01:31 localhost systemd[1]: Failed to start nftables.service -
nftables.
And version history - setting back to the previous kernel, then upgrading
to the new kernel, seemed to resolve the issue for the first boot.
Dec 17 11:06:14 localhost kernel: Linux version 6.1.0-28-amd64 (
debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld
(GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1
(2024-11-22)
Dec 17 10:59:47 localhost kernel: Linux version 6.1.0-28-amd64 (
debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld
(GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1
(2024-11-22)
Dec 17 09:13:35 localhost kernel: Linux version 6.1.0-28-amd64 (
debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld
(GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1
(2024-11-22)
Dec 16 22:36:35 localhost kernel: Linux version 6.1.0-28-amd64 (
debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld
(GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1
(2024-11-22)
Dec 16 22:12:09 localhost kernel: Linux version 6.1.0-27-amd64 (
debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld
(GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.115-1
(2024-11-01)
Dec 16 15:39:14 localhost kernel: Linux version 6.1.0-28-amd64 (
debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld
(GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1
(2024-11-22)
Dec 16 15:28:29 localhost kernel: Linux version 6.1.0-28-amd64 (
debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld
(GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1
(2024-11-22)
Dec 16 13:38:52 localhost kernel: Linux version 6.1.0-28-amd64 (
debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld
(GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1
(2024-11-22)
Dec 16 13:02:58 localhost kernel: Linux version 6.1.0-28-amd64 (
debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld
(GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1
(2024-11-22)
Dec 16 12:01:31 localhost kernel: Linux version 6.1.0-28-amd64 (
debian-kernel@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld
(GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1
(2024-11-22)
I can reliably reproduce this by:
1. Cold boot the system
2. Attempt to add the above ruleset
3. If it fails, reboot and try again.
Behaviour changed after editing grub, and running grub and initramfs update
Best regards,
On Mon, Dec 16, 2024 at 4:49 PM Salvatore Bonaccorso <car...@debian.org>
wrote:
> Control: tags -1 + moreinfo
>
> Hi,
>
> On Mon, Dec 16, 2024 at 02:43:47PM +0000, Tibor wrote:
> > Package: linux-image-6.1.0-28-amd64
> > Version: 6.1.119-1
> > Severity: important
> >
> > After upgrading from linux-image-6.1.0-27-amd64 to
> > linux-image-6.1.0-28-amd64, nftables connection tracking ('ct state')
> > functionality stopped working. The issue appears to be related to recent
> > netfilter security patches.
> >
> > Steps to reproduce:
> > 1. Update kernel to 6.1.119-1
> > 2. Reboot system
> > 3. Attempt to use nftables rules with 'ct state'
> >
> > Current behavior:
> > - Error message: "could not process rule: No such file or directory"
> > - nftables rules using 'ct state' fail to load
> > - Basic firewall functionality without connection tracking works
> >
> > Expected behavior:
> > - nftables rules with 'ct state' should load and function properly
> > - Connection tracking should work as it did in previous kernel version
> >
> > System information:
> > - Debian 12 (bookworm)
> > - Previous kernel: linux-image-6.1.0-27-amd64 (6.1.115-1)
> > - Current kernel: linux-image-6.1.0-28-amd64 (6.1.119-1)
> > - nftables version: 1.0.6
> >
> > Related changes in current version:
> > - Security fixes for netfilter IPv6 (use-after-free in ip6table_nat)
> > - Changes to nf_reject_ipv6 TCP header handling
> >
> > nf_conntrack and related modules are loaded:
> > [output of lsmod | grep -E 'nf_|netfilter|nft']
> >
> > Additional notes:
> > - System has module loading disabled (kernel.modules_disabled=1)
> > - Required modules are preloaded in initramfs
> > - Configuration worked correctly in previous kernel version
> >
> > Proposed temporary solution:
> > Reverting to linux-image-6.1.0-27-amd64 restores functionality.
> >
> > Please advise on proper configuration for connection tracking with the
> new
> > security patches, or confirm if this is a regression that needs to be
> > addressed.
>
> Can you please provide an ideally as minimal as possible example which
> fails. A simple example using ct state from
>
> https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Simple_IP/IPv6_Firewall
> works as expected, so we need more information here.
>
> If you are able to to reproduce the issue with the upstream version
> 6.1.115 and 6.1.119 can you please as well bisect the changes?
>
> Regards,
> Salvatore
>
