
Error including file in nftables.conf


Dave Parker, Oct 3, 2022, 5:10:05 PM
Hi All!

After using iptables for years, I'm using nftables on Debian 11 for the first time, and have encountered a weird issue which may just be due to my own lack of experience with this.  FYI, I'm doing everything here as root.

I have a valid ruleset stored in the file /root/nftables/ruleset.txt .

When I run this, it works:

    nft -f -
    flush ruleset
    include "/root/nftables/ruleset.txt"
    <CTRL-D>

I then run "nft list ruleset" and get the expected results.

But when I put this in /etc/nftables.conf...

    #!/usr/sbin/nft -f
    flush ruleset
    include "/root/nftables/ruleset.txt"

This happens...

    # systemctl start nftables
    Job for nftables.service failed because the control process exited with error code.
    See "systemctl status nftables.service" and "journalctl -xe" for details.

    # systemctl status nftables
    ● nftables.service - nftables
         Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
         Active: failed (Result: exit-code) since Mon 2022-10-03 16:48:55 EDT; 9s ago
           Docs: man:nft(8)
                 http://wiki.nftables.org
        Process: 926 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
       Main PID: 926 (code=exited, status=1/FAILURE)
            CPU: 14ms

    Oct 03 16:48:55 host systemd[1]: Starting nftables...
    Oct 03 16:48:55 host nft[926]: /etc/nftables.conf:4:1-37: Error: File not found: /root/nftables/ruleset.txt
    Oct 03 16:48:55 host nft[926]: include "/root/nftables/ruleset.txt"
    Oct 03 16:48:55 host nft[926]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    Oct 03 16:48:55 host systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
    Oct 03 16:48:55 host systemd[1]: nftables.service: Failed with result 'exit-code'.
    Oct 03 16:48:55 host systemd[1]: Failed to start nftables.

Does anyone know why nft will load the included file manually but throws an error when doing it through systemd?

Thanks!
Dave

--
Dave Parker '11
Database & Systems Administrator
Utica University
Integrated Information Technology Services
315-792-3229
He/Him

Greg Wooledge, Oct 3, 2022, 5:40:05 PM
On Mon, Oct 03, 2022 at 05:01:21PM -0400, Dave Parker wrote:
> Oct 03 16:48:55 host systemd[1]: Starting nftables...
> Oct 03 16:48:55 host nft[926]: /etc/nftables.conf:4:1-37: Error: File not
> found: /root/nftables/ruleset.txt

Sounds like the service might be chrooted.

Andy Smith, Oct 3, 2022, 5:50:05 PM
Hello,
… so OP please show us

$ systemctl cat nftables.service

to see if there are any interesting options about restricting
access to the filesystem.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

Dave Parker, Oct 3, 2022, 10:40:05 PM
On Mon, Oct 3, 2022 at 5:42 PM Andy Smith <an...@strugglers.net> wrote:
> Hello,
>
> On Mon, Oct 03, 2022 at 05:36:19PM -0400, Greg Wooledge wrote:
> > On Mon, Oct 03, 2022 at 05:01:21PM -0400, Dave Parker wrote:
> > > Oct 03 16:48:55 host systemd[1]: Starting nftables...
> > > Oct 03 16:48:55 host nft[926]: /etc/nftables.conf:4:1-37: Error: File not
> > > found: /root/nftables/ruleset.txt
> >
> > Sounds like the service might be chrooted.
>
> … so OP please show us
>
> $ systemctl cat nftables.service
>
> to see if there are any interesting options about restricting
> access to the filesystem.

Hello,

Thanks for pointing me in the right direction.  I checked the service as you suggested:

----------
~# systemctl cat nftables.service
# /lib/systemd/system/nftables.service
[Unit]
Description=nftables
Documentation=man:nft(8) http://wiki.nftables.org
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset

[Install]
WantedBy=sysinit.target 
----------

It turns out that the problem was the "ProtectHome=true" in the service config.  According to the systemd documentation[1]:

"If true, the directories /home, /root and /run/user are made inaccessible and empty for processes invoked by this unit."

So, I copied /lib/systemd/system/nftables.service to /etc/systemd/system/nftables.service, set ProtectHome=false, ran "systemctl daemon-reload", and now it works!

Thank you!

Anssi Saari, Oct 4, 2022, 2:40:06 AM
Dave Parker <dpa...@utica.edu> writes:

> So, I copied /lib/systemd/system/nftables.service to /etc/systemd/system/nftables.service, set
> ProtectHome=false, ran "systemctl daemon-reload", and now it works!

Well, good, but why not put configuration data in /etc instead of /root
where it belongs and keep the service as is?

Personally I have my main or common rules in /etc/nftables.conf and have
in there include "/etc/nftables.conf.d/*" so that I can add extra input
rules for different computers.

Dave Parker, Oct 4, 2022, 11:10:06 AM
You're right that it probably should just go in /etc/nftables.conf.  This was mostly just for testing; I had a fairly large ruleset in a file which was converted from an iptables script on another server, and instead of pasting that all into nftables.conf, I was hoping to keep it separate and use include to read it.  Moving that to a location other than /root is the solution. Thanks!

Andy Smith, Oct 4, 2022, 11:10:07 AM
Hello,

On Mon, Oct 03, 2022 at 10:36:53PM -0400, Dave Parker wrote:
> So, I copied /lib/systemd/system/nftables.service to
> /etc/systemd/system/nftables.service, set ProtectHome=false, ran "systemctl
> daemon-reload", and now it works!

This overrides the entire file with your copy in /etc. That will
work, but if a future update changes the original version in /lib
then you may not be aware. You may find it better to only override
the ProtectHome part.

$ sudo rm /etc/systemd/system/nftables.service
$ sudo systemctl edit nftables.service

Add only:

[Service]
ProtectHome=false

Of course, there is good reason for ProtectHome. It seems like you
could easily store this configuration file outside of /root, which
would be more common and would save you all this work.
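The check Andy asked for earlier in the thread (look at `systemctl cat` output for filesystem-restricting options) and the drop-in override he recommends here can both be exercised offline with a small script. This is an added example, not code from anyone in the thread: it takes unit text as `systemctl cat` prints it, lists the sandboxing directives, works out the effective `ProtectHome=` value when a drop-in is layered on top (systemd takes the last assignment), and reports whether a path such as an nft include file would be visible to the service. The unit and drop-in texts are constructed copies of what the thread shows; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a systemd unit's
# ProtectHome= setting hides the directory an nft include file lives in,
# and show how a drop-in override changes the effective value.

# Constructed copy of the [Service] section shown in the thread.
UNIT_TEXT='[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.conf'

# Constructed drop-in, as `systemctl edit nftables.service` would write to
# /etc/systemd/system/nftables.service.d/override.conf.
DROPIN_TEXT='[Service]
ProtectHome=false'

# fs_restrictions TEXT: print the directives that hide or read-only-mount
# parts of the filesystem for the service, one per line.
fs_restrictions() {
    printf '%s\n' "$1" |
        grep -E '^(ProtectSystem|ProtectHome|ReadOnlyPaths|InaccessiblePaths|PrivateTmp|RootDirectory|RootImage)='
}

# protecthome_value TEXT...: effective ProtectHome= over the unit file and
# any drop-ins passed after it. The last assignment wins; default is false.
protecthome_value() {
    v=$(printf '%s\n' "$@" | sed -n 's/^ProtectHome=//p' | tail -n 1)
    printf '%s\n' "${v:-false}"
}

# path_visible PATH TEXT...: "yes" if a file at PATH can be read by the
# service, "no" if ProtectHome= makes its directory inaccessible or empty.
# ProtectHome= only affects /home, /root and /run/user, so anything under
# /etc is visible regardless (ProtectSystem=full mounts /etc read-only,
# which is fine for an include that is only read).
path_visible() {
    p=$1; shift
    case "$p" in
        /home|/home/*|/root|/root/*|/run/user|/run/user/*)
            case "$(protecthome_value "$@")" in
                true|yes|on|1|tmpfs) echo no ;;   # inaccessible, or an empty tmpfs
                *) echo yes ;;                    # false, or read-only: still readable
            esac ;;
        *) echo yes ;;
    esac
}

# Stand-alone run: the unit as shipped, the unit plus the drop-in, and the
# alternative of keeping the include under /etc as the thread suggests.
echo "filesystem restrictions in unit:"
fs_restrictions "$UNIT_TEXT"
echo "include under /root, unit as shipped:       $(path_visible /root/nftables/ruleset.txt "$UNIT_TEXT")"
echo "include under /root, with drop-in override: $(path_visible /root/nftables/ruleset.txt "$UNIT_TEXT" "$DROPIN_TEXT")"
echo "include moved to /etc, unit as shipped:     $(path_visible /etc/nftables.conf.d/ruleset.nft "$UNIT_TEXT")"
```

On a live system you would feed it the real text with `UNIT_TEXT=$(systemctl cat nftables.service)`; the effective value after a drop-in can also be confirmed directly with `systemctl show -p ProtectHome nftables.service`. The script reproduces the two outcomes the thread reaches: a drop-in with `ProtectHome=false` makes `/root/nftables/ruleset.txt` readable, while moving the include under `/etc` needs no change to the unit at all.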