Troubleshooting: Difference between revisions
Previous revision: (Created page with "In this section, you can find frequently asked questions that has been posted on the [http://www.netfilter.org/mailinglists.html Netfilter mailing list]. == Question 1: Addre...")
Revision by Jeff.welling (talk | contribs): Documented iptables and nftables interaction
Latest revision as of 01:15, 27 January 2018
In this section, you can find frequently asked questions that have been posted on the Netfilter mailing list (http://www.netfilter.org/mailinglists.html).
Question 1: Address family not supported by protocol problems
If I try to start nft, I get this error:
% nft list table filter
<cmdline>:1:1-17: Error: Could not receive sets from kernel: Address family not supported by protocol
list table filter
^^^^^^^^^^^^^^^^^
Answer: You have to create the table before you can actually list it, i.e. nft add table filter. Please see how to configure tables. Moreover, make sure you also compiled family support, e.g. CONFIG_NF_TABLES_IPV4, and that the module can be loaded (e.g. nf_tables_ipv4).
Question 2: No such file or directory when adding chain
nft> add chain arp filter input {type nat hook input priority 0 ;}
<cli>:1:1-64: Error: Could not add chain: No such file or directory
add chain arp filter input {type nat hook input priority 0 ;}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This means that the chain type for the specified family does not exist. In the example above, the problem is that the NAT chain type does not exist for the ARP family.
You may also hit this problem if you forgot to compile the module that enables this chain type in your Linux kernel.
Question 3: Operation not supported when adding chain
For example:
nft> add chain ip filter forward {type nat hook forward priority 0 ;}
<cli>:1:1-64: Error: Could not add chain: Operation not supported
add chain filter forward {type nat hook forward priority 0 ;}
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This means that the chain type for the specified family is not available in that hook. In the example above, the problem is that the available hooks for the NAT chain type are: prerouting, input, output and postrouting.
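The three errors above (missing table, chain type absent for the family, chain type not available at the hook) can all be caught before the command reaches the kernel. The following script is an added example, not part of the nftables wiki or the nft tool: it encodes a conservative chain-type/hook matrix taken from nft(8) for the kernel generation this page describes (newer combinations such as nat in the inet family are deliberately left out), maps a family to the CONFIG_NF_TABLES_* symbol to look for in the running kernel's config, and creates the table before adding the chain. The function names and the /boot/config-$(uname -r) path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the nftables wiki): pre-flight checks for the three
# FAQ errors above before running "nft add chain".
# Assumption: the chain-type/hook matrix below is the conservative subset from
# nft(8) for the kernels this page targets; newer combinations are omitted.

# Print the hooks a chain type supports in a family; return 1 if the type
# does not exist for that family at all (the "No such file or directory" case).
valid_hooks() {
    case "$1/$2" in
        ip/filter|ip6/filter|inet/filter) echo "prerouting input forward output postrouting" ;;
        ip/nat|ip6/nat)                   echo "prerouting input output postrouting" ;;
        ip/route|ip6/route)               echo "output" ;;
        arp/filter)                       echo "input output" ;;
        bridge/filter)                    echo "prerouting input forward output postrouting" ;;
        netdev/filter)                    echo "ingress" ;;
        *)                                return 1 ;;
    esac
}

# 0 = combination is valid, 1 = type missing for the family (Question 2),
# 2 = type exists but not at that hook (Question 3, "Operation not supported").
check_chain() {
    cc_hooks=$(valid_hooks "$1" "$2") || return 1
    for cc_h in $cc_hooks; do
        [ "$cc_h" = "$3" ] && return 0
    done
    return 2
}

# Kernel config symbol that must be enabled for the family (Question 1).
config_symbol() {
    case "$1" in
        ip)     echo CONFIG_NF_TABLES_IPV4 ;;
        ip6)    echo CONFIG_NF_TABLES_IPV6 ;;
        inet)   echo CONFIG_NF_TABLES_INET ;;
        arp)    echo CONFIG_NF_TABLES_ARP ;;
        bridge) echo CONFIG_NF_TABLES_BRIDGE ;;
        netdev) echo CONFIG_NF_TABLES_NETDEV ;;
        *)      return 1 ;;
    esac
}

# Full pre-flight: explain Q2/Q3 without touching the kernel, check the running
# kernel's config, make sure the table exists (Q1), then add the chain.
# Usage (needs root and nft): add_chain_checked FAMILY TABLE CHAIN TYPE HOOK
add_chain_checked() {
    family=$1; table=$2; chain=$3; ctype=$4; hook=$5
    st=0; check_chain "$family" "$ctype" "$hook" || st=$?
    case $st in
        1) echo "chain type '$ctype' does not exist for family '$family' (Q2)" >&2; return 1 ;;
        2) echo "type '$ctype' is not available at hook '$hook' in '$family'; valid hooks: $(valid_hooks "$family" "$ctype") (Q3)" >&2; return 1 ;;
    esac
    sym=$(config_symbol "$family") || { echo "unknown family '$family'" >&2; return 1; }
    cfg=/boot/config-$(uname -r)    # assumed location of the kernel config
    if [ -r "$cfg" ] && ! grep -q "^$sym=[ym]" "$cfg"; then
        echo "$sym is not enabled in $cfg (Q1)" >&2; return 1
    fi
    # Q1: the table must exist before chains can be added to or listed from it.
    nft list table "$family" "$table" >/dev/null 2>&1 || nft add table "$family" "$table" || return 1
    nft add chain "$family" "$table" "$chain" "{ type $ctype hook $hook priority 0 ; }"
}
```

With the matrix in place, the two commands from Questions 2 and 3 are rejected locally with a message naming the valid hooks, which is quicker than decoding ENOENT versus EOPNOTSUPP from the kernel.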
Question 4. How do nftables and iptables interact when used on the same system?
What happens when you mix iptables and nftables? How do they interact? The table below lists the outcome for each combination of rulesets (each row is one scenario):

nft    | iptables | Results
Empty  | Empty    | Pass
Accept | Empty    | Pass
Accept | Block    | Unreachable
Block  | Accept   | Unreachable
Blank  | Accept   | Pass

In short, both rulesets are evaluated, so traffic gets through only when neither of them blocks it; a block in either one makes the host unreachable.