not able to set ct state rule

not able to set ct state rule

[Andreas Hoefler]

Hi

I am trying to set up a basic connection tracking rule:
#nft list ruleset
table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }
}
# nft add rule filter input ct state established accept
Error: Could not process rule: No such file or directory
add rule filter input ct state established accept
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

cat /proc/config.gz | gunzip | grep NFT
# CONFIG_NFT_NUMGEN is not set
CONFIG_NFT_CT=m
# CONFIG_NFT_FLOW_OFFLOAD is not set
CONFIG_NFT_COUNTER=y
# CONFIG_NFT_CONNLIMIT is not set
CONFIG_NFT_LOG=y
CONFIG_NFT_LIMIT=y
# CONFIG_NFT_MASQ is not set
# CONFIG_NFT_REDIR is not set
CONFIG_NFT_NAT=m
# CONFIG_NFT_TUNNEL is not set
# CONFIG_NFT_OBJREF is not set
# CONFIG_NFT_QUOTA is not set
# CONFIG_NFT_REJECT is not set
# CONFIG_NFT_COMPAT is not set
CONFIG_NFT_HASH=y
# CONFIG_NFT_SOCKET is not set
# CONFIG_NFT_OSF is not set
# CONFIG_NFT_TPROXY is not set
# CONFIG_NFT_DUP_NETDEV is not set
# CONFIG_NFT_FWD_NETDEV is not set
CONFIG_NFT_CHAIN_ROUTE_IPV4=y
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
CONFIG_NFT_CHAIN_NAT_IPV4=m
# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NFTL is not set
# CONFIG_INFTL is not set

What am I missing here?

Thx
Andy

Re: not able to set ct state rule

[Florian Westphal]

Andreas Hoefler <andreas.hoefler@hitachi-powergrids.com> wrote:
> Hi
> 
> I am trying to set up a basic connection tracking rule:
> #nft list ruleset
> table ip filter {
>         chain input {
>                 type filter hook input priority 0; policy accept;
>         }
> }
> # nft add rule filter input ct state established accept
> Error: Could not process rule: No such file or directory
> add rule filter input ct state established accept
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

works for me on 5.6.18.

> cat /proc/config.gz | gunzip | grep NFT
> # CONFIG_NFT_NUMGEN is not set
> CONFIG_NFT_CT=m

Does "modinfo nft_ct" work?
If its does, is that module loaded?
If not, try to load it manually.

If that makes the rule add work, then module autoloading is broken
on your system for some reason.

RE: not able to set ct state rule

[Andreas Hoefler]

Hi Florian

Hi

First of all thx for the quick reply.

#modinfo nft_ct
modinfo: ERROR: Module nft_ct not found.

Looks like all the modules are not present.
modprobe nft_ct
modprobe: FATAL: Module nft_ct not found in directory /lib/modules/4.19.94-rt39-g7028856b05

BR
Andy

Andreas Hoefler <andreas.hoefler@hitachi-powergrids.com> wrote:
> Hi
>
> I am trying to set up a basic connection tracking rule:
> #nft list ruleset
> table ip filter {
>         chain input {
>                 type filter hook input priority 0; policy accept;
>         }
> }
> # nft add rule filter input ct state established accept
> Error: Could not process rule: No such file or directory add rule 
> filter input ct state established accept 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

works for me on 5.6.18.

> cat /proc/config.gz | gunzip | grep NFT # CONFIG_NFT_NUMGEN is not set 
> CONFIG_NFT_CT=m

Does "modinfo nft_ct" work?
If its does, is that module loaded?
If not, try to load it manually.

If that makes the rule add work, then module autoloading is broken on your system for some reason.