nftables Address family not supported by protocol

Linux Kernel, Network, and Services configuration.
idmila
Posts: 3
Joined: 2021-03-15 19:26

nftables Address family not supported by protocol

#1 Post by idmila »

Hi,

After installing nftables, it looks like I'm missing something to make it work. I can't really understand what I'm missing here.

Code:

root@soekris:/var/log# cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # count and drop any other traffic
                counter drop
        }
}

Code:

root@soekris:~# systemctl status nftables.service
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2021-03-20 12:13:21 CET; 30min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 191 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
 Main PID: 191 (code=exited, status=1/FAILURE)

Mar 20 12:13:22 soekris.home.moua7.com nft[191]: ^^^^^^^^^^^^^^
Mar 20 12:13:22 soekris.home.moua7.com nft[191]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Mar 20 12:13:22 soekris.home.moua7.com nft[191]: flush ruleset
Mar 20 12:13:22 soekris.home.moua7.com nft[191]: ^^^^^^^^^^^^^^
Mar 20 12:13:22 soekris.home.moua7.com nft[191]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Mar 20 12:13:22 soekris.home.moua7.com nft[191]: flush ruleset
Mar 20 12:13:22 soekris.home.moua7.com nft[191]: ^^^^^^^^^^^^^^
Mar 20 12:13:22 soekris.home.moua7.com nft[191]: /etc/nftables.conf:3:1-14: Error: Could not process rule: Address family not supported by protocol
Mar 20 12:13:22 soekris.home.moua7.com nft[191]: flush ruleset
Mar 20 12:13:22 soekris.home.moua7.com nft[191]: ^^^^^^^^^^^^^^

Code:

root@soekris:/var/log# nft flush ruleset
Error: Could not process rule: Address family not supported by protocol
flush ruleset
^^^^^^^^^^^^^^

Code:

root@soekris:~# nft --debug=all flush ruleset
Entering state 0
Reducing stack by rule 1 (line 747):
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --accepting rule at line 284 ("flush")
Next token is token "flush" (: )
Shifting token "flush" (: )
Entering state 27
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 258 ("ruleset")
Next token is token "ruleset" (: )
Shifting token "ruleset" (: )
Entering state 126
Reading a token: --accepting rule at line 611 ("
")
Next token is token "newline" (: )
Reducing stack by rule 274 (line 2025):
-> $$ = nterm ruleset_spec (: )
Stack now 0 1 27 126
Entering state 422
Reducing stack by rule 117 (line 1277):
   $1 = token "ruleset" (: )
   $2 = nterm ruleset_spec (: )
-> $$ = nterm flush_cmd (: )
Stack now 0 1 27
Entering state 129
Reducing stack by rule 25 (line 866):
   $1 = token "flush" (: )
   $2 = nterm flush_cmd (: )
-> $$ = nterm base_cmd (: )
Stack now 0 1
Entering state 44
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 766):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 44
Entering state 249
Reducing stack by rule 14 (line 824):
   $1 = nterm base_cmd (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm line (: )
Stack now 0 1
Entering state 43
Reducing stack by rule 2 (line 748):
   $1 = nterm input (: )
   $2 = nterm line (: )
Evaluate flush
flush ruleset
^^^^^^^^^^^^^^


----------------        ------------------
|  0000000020  |        | message length |
| 02576 | R--- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 00 00  |        |  extra header  |
----------------        ------------------
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token "end of file" (: )
Entering state 2
Stack now 0 1 2
Cleanup: popping token "end of file" (: )
Cleanup: popping nterm input (: )
----------------        ------------------
|  0000000020  |        | message length |
| 00016 | R--- |        |  type | flags  |
|  0000000000  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 0a 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000020  |        | message length |
| 02562 | R-A- |        |  type | flags  |
|  0000000001  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 00 00  |        |  extra header  |
----------------        ------------------
----------------        ------------------
|  0000000020  |        | message length |
| 00017 | R--- |        |  type | flags  |
|  0000000002  |        | sequence number|
|  0000000000  |        |     port ID    |
----------------        ------------------
| 00 00 0a 00  |        |  extra header  |
----------------        ------------------
Error: Could not process rule: Address family not supported by protocol
flush ruleset
^^^^^^^^^^^^^^

Code:

root@soekris:~# lsmod | grep ^nf
nft_counter            12475  0
nf_conntrack_ipv6      17453  0
nf_defrag_ipv6         20950  1 nf_conntrack_ipv6
nf_conntrack_ipv4      18040  0
nf_defrag_ipv4         12443  1 nf_conntrack_ipv4
nft_ct                 12674  0
nf_conntrack           73428  3 nft_ct,nf_conntrack_ipv4,nf_conntrack_ipv6
nft_meta               12613  0
nft_hash               16824  0
nft_rbtree             12679  0
nf_tables_inet         12491  0
nf_tables_ipv6         12518  1 nf_tables_inet
nf_tables_ipv4         12557  1 nf_tables_inet
nf_tables              45218  8 nf_tables_inet,nf_tables_ipv4,nf_tables_ipv6,nft_ct,nft_hash,nft_meta,nft_rbtree,nft_counter
nfnetlink              12853  1 nf_tables

Code:

root@soekris:~# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.42  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 00:00:24:c8:b3:9c  txqueuelen 1000  (Ethernet)
        RX packets 6724  bytes 1153857 (1.1 MiB)
        RX errors 0  dropped 378  overruns 0  frame 0
        TX packets 4120  bytes 599379 (585.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:00:24:c8:b3:9d  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth2: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:00:24:c8:b3:9e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth3: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether 00:00:24:c8:b3:9f  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 0  (Local Loopback)
        RX packets 178  bytes 18728 (18.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 178  bytes 18728 (18.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Your help is appreciated.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: nftables Address family not supported by protocol

#2 Post by Head_on_a_Stick »

https://bugzilla.netfilter.org/show_bug.cgi?id=1500

Which versions of Debian and nftables are you using?

Code:

cat /etc/debian_version
uname -a
apt-cache policy nftables
deadbang

idmila
Posts: 3
Joined: 2021-03-15 19:26

Re: nftables Address family not supported by protocol

#3 Post by idmila »

Hi,
Not sure it's the same issue.
Which versions of Debian and nftables are you using?

Code:

cat /etc/debian_version
uname -a
apt-cache policy nftables

Code:

root@soekris:~# cat /etc/debian_version && uname -a && apt-cache policy nftables
10.8
Linux soekris.home.moua7.com 3.16.0-10-586 #1 Debian 3.16.81-1 (2020-01-17) i586 GNU/Linux
nftables:
  Installed: 0.9.0-2
  Candidate: 0.9.0-2
  Version table:
 *** 0.9.0-2 500
        500 http://ftp.debian.org/debian buster/main i386 Packages
        100 /var/lib/dpkg/status

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: nftables Address family not supported by protocol

#4 Post by Head_on_a_Stick »

The service is failing because you are booted into an ancient kernel version. Boot into the current buster kernel instead.
deadbang
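
Added example (not part of any post in this thread): a small Python decoder for the netlink message tables in the `nft --debug=all` dump from post #1. It shows that the only request inside the batch is `NFT_MSG_DELTABLE` with address family 0 (unspecified), which is the request the 3.16 kernel answered with EAFNOSUPPORT, "Address family not supported by protocol". The numeric constants come from the Linux UAPI headers `nfnetlink.h` and `nf_tables.h`; the function names are this example's own.

```python
import re

# nlmsg_type = (subsystem << 8) | message; values from nfnetlink.h / nf_tables.h.
NFT = 10 << 8  # NFNL_SUBSYS_NFTABLES in the high byte of nlmsg_type
NLMSG = {16: "NFNL_MSG_BATCH_BEGIN", 17: "NFNL_MSG_BATCH_END",
         NFT | 0: "NFT_MSG_NEWTABLE", NFT | 2: "NFT_MSG_DELTABLE",
         NFT | 16: "NFT_MSG_GETGEN"}
NFPROTO = {0: "unspec", 1: "inet", 2: "ip", 10: "ip6"}

TYPE_RE = re.compile(r"\|\s*(\d+)\s*\|\s*([RMAE-]{4})\s*\|.*type \| flags")
HDR_RE = re.compile(r"\|\s*([0-9a-f]{2})(?: [0-9a-f]{2}){3}\s*\|.*extra header")

# Rows copied from the `nft --debug=all flush ruleset` dump in post #1
# (length, sequence number and port ID rows omitted).
DUMP = """\
| 02576 | R--- |        |  type | flags  |
| 00 00 00 00  |        |  extra header  |
| 00016 | R--- |        |  type | flags  |
| 00 00 0a 00  |        |  extra header  |
| 02562 | R-A- |        |  type | flags  |
| 00 00 00 00  |        |  extra header  |
| 00017 | R--- |        |  type | flags  |
| 00 00 0a 00  |        |  extra header  |
"""

def decode(dump):
    """Return one dict per netlink message in an nft debug dump."""
    msgs, cur = [], None
    for line in dump.splitlines():
        if m := TYPE_RE.match(line.strip()):
            nl_type = int(m.group(1))  # nft prints nlmsg_type in decimal
            name = NLMSG.get(nl_type, f"subsys {nl_type >> 8} msg {nl_type & 0xFF}")
            cur = {"name": name, "ack": "A" in m.group(2)}
        elif cur and (m := HDR_RE.match(line.strip())):
            # First byte of struct nfgenmsg (the extra header) is nfgen_family.
            cur["family"] = NFPROTO.get(int(m.group(1), 16), "other")
            msgs.append(cur)
            cur = None
    return msgs

def batched(msgs):
    """Messages between BATCH_BEGIN and BATCH_END: the transaction itself."""
    names = [m["name"] for m in msgs]
    start = names.index("NFNL_MSG_BATCH_BEGIN") + 1
    return msgs[start:names.index("NFNL_MSG_BATCH_END")]

if __name__ == "__main__":
    for m in batched(decode(DUMP)):
        print(m)  # the single request carried by `flush ruleset`
```

Running the same decoder over a dump from a per-family command such as `nft flush table inet filter` would show a non-zero family byte in the extra header, which is a quick way to tell whether a failing request depends on the unspecified-family form.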

idmila
Posts: 3
Joined: 2021-03-15 19:26

Re: nftables Address family not supported by protocol

#5 Post by idmila »

Head_on_a_Stick wrote: The service is failing because you are booted into an ancient kernel version. Boot into the current buster kernel instead.
Absolutely! After upgrading to 4.19 it's running smoothly!
Thank you for your help.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 133 times

Re: nftables Address family not supported by protocol

#6 Post by Head_on_a_Stick »

You're welcome. Please edit the title of the thread (in the first post) and prepend [SOLVED] to help others who encounter this issue.
deadbang
