| View previous topic :: View next topic |
| Author |
Message |
seamusthedog
n00b
Joined: 09 Nov 2022
Posts: 2
|
 Posted: Mon Nov 14, 2022 2:18 am Post subject: NFTables ct timeout |
 |
|
Hello everyone.
Been trying to move from iptables to nftables and came across an interesting option that I just can't seem to add.
ct timeout
Whenever I enter the command I get:
| Code: | [root@gen2fw:~] nft 'add ct timeout inet simple cttime { protocol tcp; policy = { established: 100, close: 4}; }'
Error: Could not process rule: No such file or directory
add ct timeout inet simple cttime { protocol tcp; policy = { established: 100, close: 4}; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
So far, all the other commands I've entered to add tables, chains, rules, sets, and flowtables, have worked without issue. I've tried many different combinations of the above command, i.e different order of options, different values, but no joy. For grins, I spun up a stock Ubuntu Server 22.04, added a single table, and the above command worked just fine. Searched for what the difference could be between the boxes. Kernel, modules, kernel parameters, but I couldn't find anything to fix this and allow me to add the ct timeout.
Anyone run into this, or have a suggestion?
Thanks for your time.
Useful details (I think). Happy to reply with other info.
| Code: | [root@gen2fw:~] uname -r
5.15.75-gentoo-dist
[root@gen2fw:~] nft -V
nftables v1.0.5 (Lester Gooch #4)
cli: readline
json: yes
minigmp: no
libxtables: yes |
|
|
| Back to top |
|
 |
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4123
Location: Bavaria
|
| Posted: Mon Nov 14, 2022 9:11 am Post subject: |
|
|
seamusthedog,
Welcome to Gentoo Forums !
Maybe you are missing some kernel modules in your kernel configuration for that. Do you have this enabled ?
| Code: | [*] Networking support --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
[*] Advanced netfilter configuration
Core Netfilter Configuration --->
[*] Connection tracking timeout
[*] Connection tracking timestamping |
(If you are unsure about needed modules, you could enable ALL as <M>odules, then make your FW rules, then look into "lsmod" which modules have been loaded) |
|
| Back to top |
|
|
seamusthedog
n00b
Joined: 09 Nov 2022
Posts: 2
|
| Posted: Mon Nov 14, 2022 2:50 pm Post subject: |
|
|
Thank you pietinger. That looks like that is the issue. I installed the distribution precompiled kernel image, to save some time. I saw the kernel module for connection tracking was built, but didn't think to check the modules options. For some odd reason "Connection tracking timeout" is the only option not selected. *sigh*
I'll compile a new kernel manually, to include that option, and I suspect things will work as I initially expected.
Thanks again. |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
