Could nf_tables be enabled in raspbian

[github-user-1]

Hello all,
the module for nf_tables (and it's possible dependencies) is not loaded in the latest Raspbian Stretch. I thought it would be (based on the announcement that it will become available with Debian Stretch). Since netfiltering should be moved from iptables etc. over to nftables in the long run I thought this would be a good start now with Stretch being released.

Are there any plans to enable nft (nftables) by standard for Raspbian as well ?

[popcornmix]

To be clear, are you requesting CONFIG_NF_TABLES=m be added to kernel config?

[github-user-1]

Probably yes - however I consider myself rather an end-user of linux (gnu cli rather). So I don't know much about the in and outs of the linux kernel used for raspbian but I was simply wondering why nft wasn't working with Raspbian Stretch (as it was officially announced for Debian Stretch to become the replacement of iptables etc.). Looking for the reason why nft didn't work after I manually installed it from the repo, I can see e.g. that the modul is not loaded:

$ modinfo nf_tables
modinfo: ERROR: Module nf_tables not found.

whereas iptables is for example:

 $ modinfo ip_tables
filename:       /lib/modules/4.9.41-v7+/kernel/net/ipv4/netfilter/ip_tables.ko
description:    IPv4 packet filter
author:         Netfilter Core Team <coreteam@netfilter.org>
license:        GPL
srcversion:     073F6A28550B59E4A9A7F74
depends:        x_tables
intree:         Y
vermagic:       4.9.41-v7+ SMP mod_unload modversions ARMv7 p2v8

[Ferroin]

For nft to actually be usable will require more than just CONFIG_NF_TABLES=m. Ideally, most of the options under that in the config menu should be enabled as well, otherwise you can't really do much with nft.

[github-user-1]

Just as a start and to provide some hints what might be required in the kernel config (copied from https://home.regit.org/netfilter-en/nftables-quick-howto/):

`$ make oldconfig

Netfilter Xtables support (required for ip_tables) (NETFILTER_XTABLES) [M/y/?] m
Netfilter nf_tables support (NF_TABLES) [N/m] (NEW) m
Netfilter nf_tables payload module (NFT_PAYLOAD) [N/m] (NEW) m
Netfilter nf_tables IPv6 exthdr module (NFT_EXTHDR) [N/m] (NEW) m
Netfilter nf_tables meta module (NFT_META) [N/m] (NEW) m
Netfilter nf_tables conntrack module (NFT_CT) [N/m] (NEW) m
Netfilter nf_tables rbtree set module (NFT_RBTREE) [N/m] (NEW) m
Netfilter nf_tables hash set module (NFT_HASH) [N/m] (NEW) m
Netfilter nf_tables counter module (NFT_COUNTER) [N/m] (NEW) m
Netfilter nf_tables log module (NFT_LOG) [N/m] (NEW) m
Netfilter nf_tables limit module (NFT_LIMIT) [N/m] (NEW) m
Netfilter nf_tables nat module (NFT_NAT) [N/m] (NEW) m
Netfilter x_tables over nf_tables module (NFT_COMPAT) [N/m/?] (NEW) m

IPv4 nf_tables support (NF_TABLES_IPV4) [N/m] (NEW) m
nf_tables IPv4 reject support (NFT_REJECT_IPV4) [N/m] (NEW) m
IPv4 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV4) [N/m] (NEW) m
IPv4 nf_tables nat chain support (NFT_CHAIN_NAT_IPV4) [N/m] (NEW) m

IPv6 nf_tables support (NF_TABLES_IPV6) [M/n] m
IPv6 nf_tables route chain support (NFT_CHAIN_ROUTE_IPV6) [M/n] m
IPv6 nf_tables nat chain support (NFT_CHAIN_NAT_IPV6) [M/n] m

Ethernet Bridge nf_tables support (NF_TABLES_BRIDGE) [N/m/y] (NEW) m`

[fabianfrz]

I experience the same issue. All calls fail. For example:

nft list ruleset
internal:0:0-0: Error: Could not receive tables from kernel: Invalid argument

[netcaf]

I have the same issue when I try nftables.

[ageru]

EDIT: Figured what I needed was already available as a module, and figured out how to load it. You can disregard the rest of my message. Sorry for the useless intervention.

Hi,

I seem to have a similar issue with iptables/netfilter functionalities not working due to missing kernel flags. In addition to the above flags, my need would be mainly for Netfilter Xtables support > "recent" match support (something like that anyway, haven't compiled a kernel recently). It's useful to pick and drop brute-force attempts.

Many thanks.

[netcaf]

bump

[miwagner1]

I hope this gets added in soon, I really despise using iptables and really love using nftables after using Cisco IOS for some time. The syntax is similar which makes it easer for me to alternate between them.

[JamesH65]

We are wary of adding large amount of modules to the system, without knowing the impact. So has anyone found out how much storage is taken up, how much the kernel bloats when it is added, and whether there are performance impacts?

[fabianfrz]

find . -name "*.ko" -exec ls -l {} \; | grep nft 
-rw-r--r-- 1 myuser users 6640  5. Dez 18:32 ./net/ipv6/netfilter/nft_chain_nat_ipv6.ko
-rw-r--r-- 1 myuser users 16832  5. Dez 18:32 ./net/netfilter/nft_ct.ko
-rw-r--r-- 1 myuser users 9704  5. Dez 18:32 ./net/netfilter/nft_set_rbtree.ko
-rw-r--r-- 1 myuser users 6240  5. Dez 18:32 ./net/netfilter/nft_fwd_netdev.ko
-rw-r--r-- 1 myuser users 7896  5. Dez 18:32 ./net/netfilter/nft_rt.ko
-rw-r--r-- 1 myuser users 8264  5. Dez 18:32 ./net/netfilter/nft_set_bitmap.ko
-rw-r--r-- 1 myuser users 6640  5. Dez 18:32 ./net/netfilter/nft_masq.ko
-rw-r--r-- 1 myuser users 27376  5. Dez 18:32 ./net/netfilter/nft_set_hash.ko
-rw-r--r-- 1 myuser users 6240  5. Dez 18:32 ./net/netfilter/nft_dup_netdev.ko
-rw-r--r-- 1 myuser users 11632  5. Dez 18:32 ./net/netfilter/nft_exthdr.ko
-rw-r--r-- 1 myuser users 17456  5. Dez 18:32 ./net/netfilter/nft_meta.ko
-rw-r--r-- 1 myuser users 8648  5. Dez 18:32 ./net/netfilter/nft_nat.ko
-rw-r--r-- 1 myuser users 6504  5. Dez 18:32 ./net/ipv4/netfilter/nft_chain_nat_ipv4.ko
-rw-r--r-- 1 myuser users 6800  5. Dez 18:32 ./net/ipv4/netfilter/nft_masq_ipv4.ko

Total: around 143 kB

I probably have not compiled everything in but as you can see, it is not too large (compiled for x86_64).

[fabianfrz]

Ok, Forgot about the nf_tables modules:

-rw-r--r-- 1 myuser users 9704  5. Dez 18:32 ./net/ipv6/netfilter/nf_tables_ipv6.ko
-rw-r--r-- 1 myuser users 7824  5. Dez 18:32 ./net/netfilter/nf_tables_inet.ko
-rw-r--r-- 1 myuser users 10344  5. Dez 18:32 ./net/netfilter/nf_tables_netdev.ko
-rw-r--r-- 1 myuser users 132352  5. Dez 18:32 ./net/netfilter/nf_tables.ko
-rw-r--r-- 1 myuser users 9216  5. Dez 18:32 ./net/ipv4/netfilter/nf_tables_ipv4.ko

Total: 165 kB

So the total of both: 308 kB

[s20208413]

How to compile and install these kernel modules to make nftables work ?

[s20208413]

Follow this guide: http://lostindetails.com/blog/post/Compiling-a-kernel-module-for-the-raspberry-pi-2
and this: https://www.raspberrypi.org/documentation/linux/kernel/building.md

Download build tools: https://github.com/raspberrypi/tools
and kernel source: https://github.com/raspberrypi/linux/releases/tag/raspberrypi-kernel_1.20171029-1

---

Then I cross-compile a kernel and install and run it.

I'm running raspbian on a Raspberry pi 3B. This is the kernel I built:

$ uname -a
Linux sceext-p3-201712 4.9.59-v7 #3 SMP Mon Jan 1 11:36:00 CST 2018 armv7l GNU/Linux

---

Before build the kernel, use make ARCH=arm CROSS_COMPILE=$CCPREFIX menuconfig to add some modules for nftables.

Then nftables works fine:

$  sudo nft list ruleset
table ip nat {
	chain nat-dnat {
		type nat hook prerouting priority 0; policy accept;
	}

	chain nat-snat {
		type nat hook postrouting priority 100; policy accept;
		ip saddr 10.150.0.0/16 oifname "eth1" masquerade
		ip saddr 10.151.0.0/16 oifname "eth1" masquerade
	}
}
table ip vadsll {
	chain out {
		type filter hook postrouting priority 150; policy accept;
		ip daddr 0.0.0.0 oifname "eth1" accept
		ip daddr 10.0.0.0/8 oifname "eth1" accept
		ip daddr 172.16.0.0/12 oifname "eth1" accept
		ip daddr 192.168.0.0/16 oifname "eth1" accept
		ip daddr 255.255.255.255 oifname "eth1" accept
		oifname "eth1" counter packets 112957 bytes 9520267 queue num 44001 bypass
	}
}
$  lsmod | grep nf
nfnetlink_queue        12450  1
nft_queue               3538  1
nft_counter             2633  1
nft_masq_ipv4           1393  2
nf_nat_masquerade_ipv4     3123  1 nft_masq_ipv4
nft_masq                2172  1 nft_masq_ipv4
nft_meta                6536  8
nft_chain_nat_ipv4      1722  2
nf_conntrack_ipv4       8890  1
nf_defrag_ipv4          1824  1 nf_conntrack_ipv4
nf_nat_ipv4             6071  1 nft_chain_nat_ipv4
nf_nat                 18854  2 nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_conntrack          104634  4 nf_conntrack_ipv4,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat
nf_tables_ipv4          2363  3
nf_tables              70146  41 nft_chain_nat_ipv4,nf_tables_ipv4,nft_masq,nft_queue,nft_meta,nft_masq_ipv4,nft_counter
nfnetlink               7322  3 nfnetlink_queue,nf_tables
$ modinfo nf_tables
filename:       /lib/modules/4.9.59-v7/kernel/net/netfilter/nf_tables.ko
alias:          nfnetlink-subsys-10
author:         Patrick McHardy <kaber@trash.net>
license:        GPL
srcversion:     3A2EAEF39C36D06566983D6
depends:        nfnetlink
intree:         Y
vermagic:       4.9.59-v7 SMP mod_unload modversions ARMv7 p2v8 

---

Here is my kernel config:

$ diff -u old_config .config
--- old_config	2018-01-01 18:45:22.190685726 +0800
+++ .config	2018-01-01 18:45:33.431083373 +0800
@@ -829,7 +829,30 @@
 CONFIG_NF_NAT_SIP=m
 CONFIG_NF_NAT_TFTP=m
 CONFIG_NF_NAT_REDIRECT=m
-# CONFIG_NF_TABLES is not set
+CONFIG_NF_TABLES=m
+CONFIG_NF_TABLES_INET=m
+CONFIG_NF_TABLES_NETDEV=m
+CONFIG_NFT_EXTHDR=m
+CONFIG_NFT_META=m
+CONFIG_NFT_NUMGEN=m
+CONFIG_NFT_CT=m
+CONFIG_NFT_SET_RBTREE=m
+CONFIG_NFT_SET_HASH=m
+CONFIG_NFT_COUNTER=m
+CONFIG_NFT_LOG=m
+CONFIG_NFT_LIMIT=m
+CONFIG_NFT_MASQ=m
+CONFIG_NFT_REDIR=m
+CONFIG_NFT_NAT=m
+CONFIG_NFT_QUEUE=m
+CONFIG_NFT_QUOTA=m
+CONFIG_NFT_REJECT=m
+CONFIG_NFT_REJECT_INET=m
+CONFIG_NFT_COMPAT=m
+CONFIG_NFT_HASH=m
+CONFIG_NF_DUP_NETDEV=m
+CONFIG_NFT_DUP_NETDEV=m
+CONFIG_NFT_FWD_NETDEV=m
 CONFIG_NETFILTER_XTABLES=m
 
 #
@@ -921,14 +944,14 @@
 CONFIG_IP_SET_BITMAP_IPMAC=m
 CONFIG_IP_SET_BITMAP_PORT=m
 CONFIG_IP_SET_HASH_IP=m
-# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPMARK=m
 CONFIG_IP_SET_HASH_IPPORT=m
 CONFIG_IP_SET_HASH_IPPORTIP=m
 CONFIG_IP_SET_HASH_IPPORTNET=m
-# CONFIG_IP_SET_HASH_MAC is not set
-# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_MAC=m
+CONFIG_IP_SET_HASH_NETPORTNET=m
 CONFIG_IP_SET_HASH_NET=m
-# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETNET=m
 CONFIG_IP_SET_HASH_NETPORT=m
 CONFIG_IP_SET_HASH_NETIFACE=m
 CONFIG_IP_SET_LIST_SET=m
@@ -980,12 +1003,20 @@
 #
 CONFIG_NF_DEFRAG_IPV4=m
 CONFIG_NF_CONNTRACK_IPV4=m
+CONFIG_NF_TABLES_IPV4=m
+CONFIG_NFT_CHAIN_ROUTE_IPV4=m
+CONFIG_NFT_REJECT_IPV4=m
+CONFIG_NFT_DUP_IPV4=m
+CONFIG_NF_TABLES_ARP=m
 CONFIG_NF_DUP_IPV4=m
 # CONFIG_NF_LOG_ARP is not set
 CONFIG_NF_LOG_IPV4=m
 CONFIG_NF_REJECT_IPV4=m
 CONFIG_NF_NAT_IPV4=m
+CONFIG_NFT_CHAIN_NAT_IPV4=m
 CONFIG_NF_NAT_MASQUERADE_IPV4=m
+CONFIG_NFT_MASQ_IPV4=m
+CONFIG_NFT_REDIR_IPV4=m
 CONFIG_NF_NAT_SNMP_BASIC=m
 CONFIG_NF_NAT_PROTO_GRE=m
 CONFIG_NF_NAT_PPTP=m
@@ -1016,11 +1047,18 @@
 #
 CONFIG_NF_DEFRAG_IPV6=m
 CONFIG_NF_CONNTRACK_IPV6=m
+CONFIG_NF_TABLES_IPV6=m
+CONFIG_NFT_CHAIN_ROUTE_IPV6=m
+CONFIG_NFT_REJECT_IPV6=m
+CONFIG_NFT_DUP_IPV6=m
 CONFIG_NF_DUP_IPV6=m
 CONFIG_NF_REJECT_IPV6=m
 CONFIG_NF_LOG_IPV6=m
 CONFIG_NF_NAT_IPV6=m
+CONFIG_NFT_CHAIN_NAT_IPV6=m
 CONFIG_NF_NAT_MASQUERADE_IPV6=m
+CONFIG_NFT_MASQ_IPV6=m
+CONFIG_NFT_REDIR_IPV6=m
 CONFIG_IP6_NF_IPTABLES=m
 CONFIG_IP6_NF_MATCH_AH=m
 CONFIG_IP6_NF_MATCH_EUI64=m
@@ -1040,6 +1078,10 @@
 CONFIG_IP6_NF_NAT=m
 CONFIG_IP6_NF_TARGET_MASQUERADE=m
 CONFIG_IP6_NF_TARGET_NPT=m
+CONFIG_NF_TABLES_BRIDGE=m
+CONFIG_NFT_BRIDGE_META=m
+CONFIG_NFT_BRIDGE_REJECT=m
+CONFIG_NF_LOG_BRIDGE=m
 CONFIG_BRIDGE_NF_EBTABLES=m
 CONFIG_BRIDGE_EBT_BROUTE=m
 CONFIG_BRIDGE_EBT_T_FILTER=m
$