After upgrading from Stretch to Buster and switching from iptables to nftables, the nft command does not process any command I give it except list, and list prints nothing.
Entering nft flush ruleset
prints:
Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
nft create table inet filter
Error: Could not process rule: Invalid argument
create table inet filter
^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Invalid argument
create table inet filter
^^^^^^^^^^^^^^^^^^^^^^^^^
Even with the initial configuration shipped in the Debian package, it prints an error for every line in it.
nft -f /etc/nftables.conf
/etc/nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
/etc/nftables.conf:3:1-14: Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
/etc/nftables.conf:5:1-2: Error: Could not process rule: Invalid argument
table inet filter {
^^
/etc/nftables.conf:6:15-19: Error: Could not process rule: Invalid argument
chain input {
^^^^^
/etc/nftables.conf:9:15-21: Error: Could not process rule: Invalid argument
chain forward {
^^^^^^^
/etc/nftables.conf:12:15-20: Error: Could not process rule: Invalid argument
chain output {
^^^^^^
/etc/nftables.conf:3:1-14: Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
/etc/nftables.conf:5:1-2: Error: Could not process rule: Invalid argument
table inet filter {
^^
/etc/nftables.conf:6:15-19: Error: Could not process rule: Invalid argument
chain input {
^^^^^
/etc/nftables.conf:9:15-21: Error: Could not process rule: Invalid argument
chain forward {
^^^^^^^
/etc/nftables.conf:12:15-20: Error: Could not process rule: Invalid argument
chain output {
^^^^^^
Distribution: Debian GNU/Linux 10 (buster)
nft: nftables v0.9.0 (Fearless Fosdick)
Answer 1
Found that the problem was the nf_tables module not being loaded. The problem persists on a VPS running under OpenVZ (a container-based virtualization). Since the iptables and nftables modules cannot run at the same time, the provider would rather not break everyone's systems in order to support nftables.
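The answer above points at the root cause: "Could not process rule: Invalid argument" on every statement, including a bare flush ruleset, means the kernel has no nf_tables support, which on an OpenVZ VPS is decided by the provider's host kernel rather than the guest. The script below is an added example (not code from the question or the answer) that checks for this before blaming the ruleset. It classifies a /proc/modules-style listing (the two sample listings are constructed, not output from the poster's machine), and check_live_nf_tables inspects the running kernel via /sys/module and a modprobe dry run; the function names and the --live argument are this example's own conventions.

```shell
#!/bin/sh
# Added example: diagnose whether nf_tables support exists before debugging
# an nftables ruleset that fails with "Invalid argument" on every line.

# Classify a /proc/modules-style listing read from stdin.
# The module name is the first field; the anchored pattern makes sure
# that helper modules such as nf_tables_set do not count as a match.
# Prints "loaded" or "missing".
nft_module_state() {
    if grep -q '^nf_tables[[:space:]]'; then
        echo loaded
    else
        echo missing
    fi
}

# Check the running kernel: nf_tables is usable when it is loaded or built in
# (both show up under /sys/module). Otherwise see whether a module exists
# that could be loaded; if not, the kernel simply lacks nf_tables, which is
# the situation inside an OpenVZ container where the host kernel is fixed.
# Return codes: 0 usable, 1 available but not loaded, 2 no support at all.
check_live_nf_tables() {
    if [ -d /sys/module/nf_tables ]; then
        echo "nf_tables present (loaded or built in); nft errors are not a missing-module problem"
        return 0
    fi
    # modprobe -n is a dry run: it resolves the module without loading it.
    if modprobe -n nf_tables 2>/dev/null; then
        echo "nf_tables module available but not loaded; try: modprobe nf_tables"
        return 1
    fi
    echo "no nf_tables support in kernel $(uname -r); on OpenVZ this is up to the provider"
    return 2
}

# Constructed sample listings in /proc/modules format (not real captures).
SAMPLE_WITH_NFT='nf_tables 143360 5 nft_compat,nf_tables_set, Live 0x0000000000000000
nfnetlink 16384 1 nf_tables, Live 0x0000000000000000'
SAMPLE_WITHOUT_NFT='iptable_filter 16384 1 - Live 0x0000000000000000
ip_tables 28672 1 iptable_filter, Live 0x0000000000000000'

# Show the classifier on both constructed listings.
printf 'sample with nf_tables:    %s\n' "$(printf '%s\n' "$SAMPLE_WITH_NFT" | nft_module_state)"
printf 'sample without nf_tables: %s\n' "$(printf '%s\n' "$SAMPLE_WITHOUT_NFT" | nft_module_state)"

# Only touch the real kernel when asked: ./nft_check.sh --live
case "${1:-}" in
    --live) check_live_nf_tables ;;
esac
```

To test the real host, run the script with --live, or simply `cat /proc/modules | nft_module_state`. Return code 2 means no amount of fixing /etc/nftables.conf will help: on Debian buster the practical fallback on such a kernel is to keep the legacy backend (`update-alternatives --set iptables /usr/sbin/iptables-legacy`) until the provider's kernel gains nf_tables.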