[aplund]

I have an OdroidN2 running the aarch64 archlinuxarm distro.

I haven't had a look at my netfilters config for many months. But now I can't seem to get the "nft" command to do anything useful. For example:

$this->bbcode_second_pass_code('', '# nft list tables
# echo $?
1')

I have two tables defined "filter" and "nat". They seem to be working fine as well.

Am I doing something really dumb here?

[summers]

I did a quick write of of nft for openwrt here: https://openwrt.org/docs/guide-user/firewall/misc/nftables.

Firewalls you don't usually need on a end of line computer, just on routers (so why on openwrt). So AFAIK default arch doesn't set up an nf table. Use the command:
$this->bbcode_second_pass_code('', 'sudo nft list ruleset')
And you can see what rules - if any you have. Not that you would expect any ...

Thanks for the reply.

$this->bbcode_second_pass_quote('summers', 'F')irewalls you don't usually need on a end of line computer, just on routers (so why on openwrt).

[summers]

Well routing, and netfiltering/NAT have to be handled independently; (e.g. NAT isn't really a solution to routing). But anyway yes you are right, sometimes its useful to have NAT/net filter on a computer.

Anyway need to see more what your set up is. Take the below commands and output on on of my arch computers (arch is quite old now - as this computer not updated any more ...)
$this->bbcode_second_pass_code('', '[summers@nas ~]$ sudo nft -f /etc/nftables.conf
[summers@nas ~]$ sudo nft list ruleset
table ip nat {
chain prerouting {
type nat hook prerouting priority filter; policy accept;
}

chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
masquerade
}
}
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
ct state { established, related } accept
ct state invalid drop
iifname "lo" accept
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
tcp dport 22 accept
meta nfproto ipv4 reject
}

chain forward {
type filter hook forward priority filter; policy accept;
}

chain output {
type filter hook output priority filter; policy accept;
}
}
[summers@nas ~]$ lsmod
Module Size Used by
cdc_mbim 16384 0
cdc_wdm 20480 1 cdc_mbim
cdc_ncm 24576 1 cdc_mbim
cdc_eem 16384 0
nft_reject_inet 16384 1
nf_reject_ipv4 16384 1 nft_reject_inet
nf_reject_ipv6 16384 1 nft_reject_inet
nft_reject 16384 1 nft_reject_inet
nft_ct 20480 2
nf_tables_set 32768 1
nft_masq 16384 1
nft_chain_nat 16384 2
nf_nat 32768 2 nft_chain_nat,nft_masq
nf_conntrack 106496 3 nft_ct,nft_masq,nf_nat
nf_defrag_ipv4 16384 1 nf_conntrack
nf_tables 135168 31 nft_ct,nft_reject,nf_tables_set,nft_chain_nat,nft_masq,nft_reject_inet
nfnetlink 16384 1 nf_tables
btrfs 1413120 1
blake2b_generic 32768 0
xor 16384 1 btrfs
rtc_pcf8563 16384 0
raid6_pq 98304 1 btrfs
cdc_ether 16384 0
cdc_acm 24576 0
usbnet 28672 4 cdc_eem,cdc_mbim,cdc_ether,cdc_ncm
mii 16384 1 usbnet
marvell_cesa 40960 0
i2c_mv64xxx 20480 0
ip_tables 28672 0
x_tables 24576 1 ip_tables
ipv6 450560 33 nf_reject_ipv6
nf_defrag_ipv6 16384 2 nf_conntrack,ipv6
')
What you can see is I load nf table from a file with $this->bbcode_second_pass_code('', 'nft -f'), you can see that code is loaded into kernel $this->bbcode_second_pass_code('', 'nft list ruleset'), and that code sets up NAT $this->bbcode_second_pass_code('', 'masquerade') and filtering $this->bbcode_second_pass_code('', ' type filter hook input priority filter; policy accept;
ct state { established, related } accept
ct state invalid drop
iifname "lo" accept
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
tcp dport 22 accept
meta nfproto ipv4 reject
')
And that loading this into kernel means a whole shaft of modules needed to be loaded into the kernel. This set up works on my machine. So need to see something similar for your machine.

[aplund]

OK. But I still don't know which ABI you are possibly using. For example:

$this->bbcode_second_pass_code('', '$ pacman -Q nftables
nftables 1:1.0.0-1
$ uname -rmpi
4.9.219-1-ARCH aarch64 unknown unknown')

I load my filter with nft -f using the included systemd service in the nftables package. When doing it manually it returns 0 and masquerading and filtering work. But "nft list tables" still returns 1 with no output.

[summers]

I get $this->bbcode_second_pass_code('', '[summers@nas ~]$ pacman -Q nftables
nftables 1:0.9.3-1
[summers@nas ~]$ uname -rmpi
5.5.11-1-ARCH armv5tel unknown unknown
')
But suspect you problem is that you don't have all the kernel modules loaded. If I had to guess it would be you have updated the kernel, but not rebooted. this means the running kernel can't find the modules it needs ...

[summers]

And just tried updating nftables (its the kind of small update I can do and have space!) So I'm now on $this->bbcode_second_pass_code('', 'nftables-1:1.0.0-1') and it still works for me.

[aplund]

Ahh.. right. You are on a newer kernel.

I recompiled and did some debugging.

The error occurs when filling the cache at the start of execution. There's some new stuff in there about flowtables where an error occurs when communicating with the kernel. This probably shouldn't happen, but the developers may not have tested against a 4.9.* stable kernel.

Is there a 5.* kernel available for the odroidn2 in alarm?

[aplund]

The last version that works for me is nftables-1:0.9.7-3.

[karog]

$this->bbcode_second_pass_quote('aplund', 'I')s there a 5.* kernel available for the odroidn2 in alarm?