
Bug#845500: nftables: notrack target fails with No such file or directory


Peter Colberg

Nov 23, 2016, 6:40:02 PM
Package: nftables
Version: 0.6+snapshot20161117-2
Severity: normal

Dear Maintainer,

The latest snapshot of nftables adds a notrack target that may
be used to disable connection tracking for selected packets:

#!/usr/sbin/nft -f

flush ruleset

table inet raw {
    chain prerouting {
        type filter hook prerouting priority -300;
        iif lo notrack
    }
    chain output {
        type filter hook output priority -300;
        oif lo notrack
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related,untracked accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}


Loading the above ruleset fails with

# /etc/nftables.conf
/etc/nftables.conf:5:1-2: Error: Could not process rule: No such file or directory
table inet raw {
^^
/etc/nftables.conf:5:1-2: Error: Could not process rule: No such file or directory
table inet raw {
^^

I tried both linux-image-4.8.0-1-amd64 and linux-image-4.9.0-rc5-amd64-unsigned.

Regards,
Peter

Peter Colberg

Nov 23, 2016, 7:10:02 PM
Control: tags -1 upstream

On Wed, Nov 23, 2016 at 06:34:06PM -0500, Peter Colberg wrote:
> The latest snapshot of nftables adds a notrack target that may
> be used to disable connection tracking for selected packets:

This is the corresponding patch for netfilter:

https://patchwork.ozlabs.org/patch/684684/

https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/tree/net/netfilter/nft_ct.c

Looks like it has simply not been merged yet:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/netfilter/nft_ct.c

Peter

Peter Colberg

Nov 23, 2016, 7:40:02 PM
Control: reassign -1 linux 4.9~rc5-1~exp1

Dear Maintainer,

nftables recently added support for a notrack target, which is used to
disable connection tracking for selected packets, e.g., on a web server.

http://git.netfilter.org/nftables/commit/?id=a84921d7c0de950632ab4630dd4f7ad763e9e453

While the nftables package in Debian stretch will support notrack, the
corresponding kernel support was committed after the 4.9 merge window:

https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/net/netfilter/nft_ct.c?id=254432613c588640f8b8b5c3641a3c27bbe14688

Assuming 4.9 becomes the stretch kernel, could you backport the patch?

Regards,
Peter

Jens Reyer

Nov 23, 2016, 8:00:02 PM
On 24.11.2016 01:34, Peter Colberg wrote:
> Assuming 4.9 becomes the stretch kernel, could you backport the patch?

According to
https://lists.debian.org/debian-devel-announce/2016/03/msg00000.html it
will be 4.10.

Greets
jre

Peter Colberg

Nov 23, 2016, 8:10:02 PM
On Thu, Nov 24, 2016 at 01:55:01AM +0100, Jens Reyer wrote:
> According to
> https://lists.debian.org/debian-devel-announce/2016/03/msg00000.html it
> will be 4.10.

That would be great. After the recent announcement that 4.9 will
probably be the next LTS kernel I assumed that the same version
would also be shipped with stretch.

http://kroah.com/log/blog/2016/09/06/4-dot-9-equals-equals-next-lts-kernel/

Peter

Peter Colberg

Nov 23, 2016, 8:10:02 PM
On Wed, Nov 23, 2016 at 07:34:42PM -0500, Peter Colberg wrote:
> Assuming 4.9 becomes the stretch kernel, could you backport the patch?

The same applies to kernel support for the "fib" expression that may
be used for reverse path filtering (analogous to iptables rp_filter).

https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit?id=f6d0cbcf09c506b9b022df8f9d7693a7cec3c732

That patch is more extensive and there are many more commits needed to
sync nftables kernel support with userspace. Backporting does not make
much sense. I am crossing fingers for 4.10 making it into stretch.

Peter
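Added here as an example, not code from the bug report or from the nftables project: a small POSIX shell probe that tells you whether the running kernel actually accepts the two expressions this thread is about, the notrack rule from the first message and a fib-based reverse path filter, by loading each into a throwaway table and removing it again. It classifies nft's stderr the same way the report above shows it: "No such file or directory" (ENOENT) on rule insertion means the kernel has no expression of that name, i.e. userspace is newer than the kernel. The function names, the table name and the fib rule `fib saddr . iif oif missing drop` (the usual nft counterpart of iptables rp_filter) are my additions; running the probes needs root and the nft binary.

```shell
#!/bin/sh
# Added example (not part of the bug report): probe whether the running kernel
# accepts an nft rule by loading it into a throwaway table, then classify any
# failure from nft's stderr. Needs root and the nft binary. Function and table
# names are my own choices (assumptions, not nftables API).

# classify_nft_error STDERR: map nft's error text to a short cause label.
# "No such file or directory" (ENOENT) is what the report shows when the
# kernel cannot find an expression of the requested name.
classify_nft_error() {
    case "$1" in
        "")                             echo "ok" ;;
        *"No such file or directory"*)  echo "kernel-lacks-expression" ;;
        *"Operation not supported"*)    echo "kernel-unsupported" ;;
        *"syntax error"*|*"unknown"*)   echo "userspace-syntax" ;;
        *)                              echo "other" ;;
    esac
}

# probe_rule RULE: add RULE to a scratch inet prerouting chain, then delete
# the table. Prints the classification; returns 0 only if the kernel took it.
probe_rule() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft-not-installed"
        return 2
    fi
    tbl="probe_$$"
    ruleset="table inet $tbl {
    chain prerouting {
        type filter hook prerouting priority -300;
        $1
    }
}"
    # stderr is captured (classified below); stdout is discarded.
    err=$(printf '%s\n' "$ruleset" | nft -f - 2>&1 >/dev/null)
    rc=$?
    nft delete table inet "$tbl" >/dev/null 2>&1
    classify_nft_error "$err"
    [ "$rc" -eq 0 ]
}

# Probes run only with "--run", so sourcing this file for its functions
# has no side effects on the live ruleset.
if [ "${1:-}" = "--run" ]; then
    # notrack, exactly as in the ruleset from the report.
    printf 'notrack: '; probe_rule 'iif lo notrack'
    # fib-based reverse path filter (assumed standard syntax): drop packets
    # whose source address has no route back out of the ingress interface.
    printf 'fib:     '; probe_rule 'fib saddr . iif oif missing drop'
fi
```

Run it as `sh probe.sh --run` on the kernel you intend to ship the ruleset on; "kernel-lacks-expression" on notrack is precisely the situation in this report (nftables 0.6 snapshot against a 4.8/4.9 kernel), and the same probe answers the question for fib without having to compare commit lists by hand.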

Arturo Borrero Gonzalez

Nov 24, 2016, 3:00:03 AM
On 24 November 2016 at 01:34, Peter Colberg <pe...@colberg.org> wrote:
>
> While the nftables package in Debian stretch will support notrack, the
> corresponding kernel support was committed after the 4.9 merge window:
>
> https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/commit/net/netfilter/nft_ct.c?id=254432613c588640f8b8b5c3641a3c27bbe14688
>
> Assuming 4.9 becomes the stretch kernel, could you backport the patch?


Debian stretch will include linux 4.10 [0], so no problem.


[0] https://lists.debian.org/debian-devel-announce/2016/03/msg00000.html

Vincent Blut

Nov 24, 2016, 7:50:02 AM
Hi,

IIRC Ben said that the next upstream kernel being tagged as LTS will be
the one included in Debian stretch, so we’ll probably have 4.9… unless
Greg KH changes his mind again. :D

Cheers,
Vincent

Ben Hutchings

Nov 24, 2016, 2:10:02 PM
Yes, exactly.

Ben.

--
Ben Hutchings
[W]e found...that it wasn't as easy to get programs right as we had thought.
... I realized that a large part of my life from then on was going to be spent
in finding mistakes in my own programs. - Maurice Wilkes, 1949


Peter Colberg

Nov 24, 2016, 2:50:03 PM
On Thu, Nov 24, 2016 at 06:58:46PM +0000, Ben Hutchings wrote:
> > IIRC Ben said that the next upstream kernel being tagged as LTS will be 
> > the one included in Debian stretch, so we’ll probably have 4.9… unless
> > Greg KH changes his mind again. :D
>
> Yes, exactly.

Thanks for clarifying.

There are worse things than 3 more years of iptables–ip6tables duality ;-).

Peter