Debian

nftables: ct state rules produce "Error: Could not process rule: No such file or directory"

  • February 1, 2021

This is my /etc/nftables.conf:

#!/usr/sbin/nft -f
flush ruleset

define wan = { eth0 }


table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # allow everything from loopback interface
        iif lo accept comment "Accept any localhost traffic"
        # drop invalid connection attempts
        ct state invalid drop comment "Drop all invalid connection attempts"
        # allow established and related connections
        ct state established,related accept comment "Accept all traffic initiated by us"
        # allow explicitly allowed services/ports/protocols
        iif $wan tcp dport 22 accept comment "wan"
        # Apply extra (manually configured) rules
        # reject everything that has not been accepted before
        reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;

        # allow everything from loopback interface
        iif lo accept comment "Accept any localhost traffic"
        # drop invalid connection attempts
        ct state invalid drop comment "Drop all invalid connection attempts"
        # Apply extra (manually configured) rules
        # reject everything that has not been accepted before
        reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
    }
    chain output {
        type filter hook output priority 0; policy accept;

        # Apply extra (manually configured) rules
    }
}

This is what journalctl -u nftables.service shows after I run systemctl restart nftables.service:

Feb 01 18:54:40 mydomain.net systemd[1]: Starting nftables...
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:14:13-33: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]:             ct state invalid drop comment "Drop all invalid connection attempts"
Feb 01 18:54:40 mydomain.net nft[1682]:             ^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:16:13-47: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]:             ct state established,related accept comment "Accept all traffic initiated by us"
Feb 01 18:54:40 mydomain.net nft[1682]:             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:21:13-51: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]:             reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
Feb 01 18:54:40 mydomain.net nft[1682]:             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:29:13-33: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]:             ct state invalid drop comment "Drop all invalid connection attempts"
Feb 01 18:54:40 mydomain.net nft[1682]:             ^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:32:13-51: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]:             reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
Feb 01 18:54:40 mydomain.net nft[1682]:             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Feb 01 18:54:40 mydomain.net systemd[1]: nftables.service: Failed with result 'exit-code'.
Feb 01 18:54:40 mydomain.net systemd[1]: Failed to start nftables.

When I comment out the rules that begin with "ct state", the service starts without errors. What is wrong here? The same ruleset works fine on other machines.

System information:

OS: Debian 10

Kernel: 4.19.0-14-amd64

For anyone else running into this problem, make sure that:

  1. the "netfilter" (and related) kernel options are compiled in directly or built as modules (grep -i netfilter /proc/config* or grep -i netfilter /boot/config*)
  2. if the option is built as a module, you have not set the sysctl option kernel.modules_disabled to 1 (edit /etc/sysctl.conf)
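The checklist above as a POSIX shell diagnostic, added here and not part of the original question or answer: it finds the running kernel's config, lists which netfilter/nftables options the posted ruleset depends on that are absent or disabled, checks kernel.modules_disabled, and dry-runs the ruleset with nft -c. The set of Kconfig symbol names is an assumption (upstream names for conntrack, the nft ct expression and the inet-family reject expression); a distribution kernel may group them differently.

```shell
#!/bin/sh
# Added diagnostic (not from the original post) for the answer's checklist.
# Kconfig symbols the posted ruleset relies on (assumed upstream names; a distro
# kernel may group them differently): ct state needs conntrack and the nft ct
# expression, reject with icmpx needs the inet-family nft reject expression.
REQUIRED_OPTS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_TABLES
CONFIG_NF_TABLES_INET CONFIG_NFT_CT CONFIG_NFT_REJECT CONFIG_NFT_REJECT_INET"
# Print the running kernel's config path (/proc copy first, then /boot) or fail.
find_kconfig() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# cat a config file, transparently decompressing *.gz.
read_kconfig() { case "$1" in *.gz) gzip -dc "$1" ;; *) cat "$1" ;; esac; }
# Print (sorted, space separated) the required options that are absent or =n in
# the given config. Empty output means each is built in (=y) or a module (=m).
missing_kconfig_opts() {
    read_kconfig "$1" | awk -v want="$REQUIRED_OPTS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        /^CONFIG_/ { split($0, kv, "=")
                     if (kv[1] in need && (kv[2] == "y" || kv[2] == "m")) delete need[kv[1]] }
        END { for (o in need) print o }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 while the kernel still loads modules, 1 once kernel.modules_disabled
# is 1 (a one-way switch: only a reboot clears it). The optional path argument
# lets the check run against a constructed file.
modules_loading_allowed() {
    f=${1:-/proc/sys/kernel/modules_disabled}
    [ ! -r "$f" ] || [ "$(cat "$f")" = 0 ]
}

main() {
    if cfg=$(find_kconfig); then
        missing=$(missing_kconfig_opts "$cfg")
        [ -n "$missing" ] && echo "missing or =n in $cfg: $missing" \
                          || echo "all required options are =y or =m in $cfg"
    else
        echo "no kernel config found; check the netfilter options by hand"
    fi
    modules_loading_allowed && echo "module loading is allowed" \
        || echo "kernel.modules_disabled=1: =m options cannot load until reboot"
    # Parse and validate the ruleset without applying it (needs nft and root).
    command -v nft >/dev/null 2>&1 && nft -c -f /etc/nftables.conf || true
}
main
```

Run it as root on the failing host; an option reported as =m together with kernel.modules_disabled=1 is exactly the combination the answer describes.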

Source: https://unix.stackexchange.com/questions/632113