nftables fails at boot with "Error: Could not process rule: No such file or directory chain ingress", but the same nft configuration works when nftables is started manually

I have had a working nft configuration for over a year. After updating the NIC's NVM and running "apt update & upgrade", I get the following error at boot. But if I start nftables manually from the command line with "sudo systemctl start nftables", it starts without any error. I have done a clean Debian install, but the error persists. After two days of searching I don't know where to start, and I would very much appreciate any hints.

Running Debian 12.4 with kernel 6.1.0-17-amd64. The error, extracted from "sudo journalctl -xe":

Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]:         chain ingress {
Jan 06 17:22:21 black nft[440]:               ^^^^^^^
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]:         chain ingress {
Jan 06 17:22:21 black nft[440]:               ^^^^^^^
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]:         chain ingress {
Jan 06 17:22:21 black nft[440]:               ^^^^^^^
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]:         chain ingress {
Jan 06 17:22:21 black nft[440]:               ^^^^^^^
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]:         chain ingress {
Jan 06 17:22:21 black nft[440]:               ^^^^^^^
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]:         chain ingress {
Jan 06 17:22:21 black nft[440]:               ^^^^^^^
Jan 06 17:22:21 black systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStart= process belonging to unit nftables.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 06 17:22:21 black systemd[1]: nftables.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit nftables.service has entered the 'failed' state with result 'exit-code'.
Jan 06 17:22:21 black systemd[1]: Failed to start nftables.service - nftables.
░░ Subject: A start job for unit nftables.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit nftables.service has finished with a failure.
░░
░░ The job identifier is 16 and the job result is failed.

nftables has the following configuration

#!/usr/sbin/nft -f

flush ruleset

define carbon_LAN=eno2
define WiFi_LAN=eno1
define CarbonWAN=enp2s0f1
# WiFi_LAN is 10.111.221.0/24 and Carbon_LAN is 10.111.222.0/24, hence 10.111.221.0/23 contains both network segments
define CarbonNET = 10.111.221.0/23

# "anti-DDOS/SYN-flood protection"
table netdev filter {
        chain ingress {
                type filter hook ingress device $CarbonWAN priority -500;

                # IP FRAGMENTS
                ip frag-off & 0x1fff != 0 counter drop

                # IP BOGONS
                # From <https://www.team-cymru.com/bogon-reference.html>.
                ip saddr { \
                                0.0.0.0/8, \
                                10.0.0.0/8, \
                                100.64.0.0/10, \
                                127.0.0.0/8, \
                                169.254.0.0/16, \
                                172.16.0.0/12, \
                                192.0.0.0/24, \
                                192.0.2.0/24, \
                                192.168.0.0/16, \
                                198.18.0.0/15, \
                                198.51.100.0/24, \
                                203.0.113.0/24, \
                                224.0.0.0/3 \
                        } \
                        counter drop

                # TCP XMAS
                tcp flags & (fin|psh|urg) == fin|psh|urg counter drop

                # TCP NULL
                tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop

                # TCP MSS
                tcp flags syn tcp option maxseg size 1-535 counter drop
        }
}

table inet filter {
        chain input {
                type filter hook input priority 0;

                # "allow ssh from WAN, don't forget to limit the number of parallel ssh to max. 2. See tutorial on RedHat"
                #iif $CarbonWAN tcp dport {ssh} counter accept

                # "drop invalid packets"
                iif $CarbonWAN ct state invalid drop

                # "allow local packets"
                iif {$carbon_LAN,$WiFi_LAN} accept

                # "allow established wan packets"
                iif $CarbonWAN ct state {established, related} counter accept

                # "allow communication between LANs subnets"
                iif $carbon_LAN oif $WiFi_LAN accept
                iif $WiFi_LAN oif $carbon_LAN accept

                # "drop the rest of the packets"
                iif $CarbonWAN drop
        }

        chain forward {
                type filter hook forward priority 0;

                # "drop invalid packets"
                iif $CarbonWAN ct state invalid drop

                # "allow wan est, relat"
                iif $CarbonWAN oif {$carbon_LAN,$WiFi_LAN} ct state {established, related} counter accept

                # "allow lan to wan"
                iif {$carbon_LAN,$WiFi_LAN} oif $CarbonWAN counter accept

                # "drop the rest of the packets"
                iif $CarbonWAN drop
        }

        chain output {
                type filter hook output priority 0;

                # "allow traffic from all LANs to WAN"
                ip saddr $CarbonNET oif $CarbonWAN accept

                # "allow communication between LANs"
                iif $carbon_LAN oif $WiFi_LAN accept
                iif $WiFi_LAN oif $carbon_LAN accept

                # "drop the rest of the packets"
                oif $CarbonWAN drop
        }
}


table nat {
        chain output {
                type nat hook output priority -100;
        }

        chain prerouting {
                type nat hook prerouting priority -100;
        }

        chain postrouting {
                type nat hook postrouting priority 100;
                oif $CarbonWAN counter masquerade comment "masquerade"
        }
}


table inet mangle {
        chain prerouting {
                type filter hook prerouting priority -150;

                # CT INVALID
                ct state invalid counter drop

                # TCP SYN (CT NEW)
                tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
        }
}

Answer 1

The root cause of the ingress error was a faulty NVM update. I was able to narrow down the root cause by swapping the NIC. When the faulty card was replaced/pulled from the server, the error disappeared. I re-flashed the NVM on the faulty card and it now boots without the ingress error. Thanks to u1686_grawity for taking the time to work through my problem!
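The failure mode behind both the question and the answer is that, with the kernel in the question, a netdev-family chain can only be created while the interface it names exists, so nft -f returns ENOENT whenever the NIC has not appeared yet (here because its NVM was broken). The following wrapper, an added example that is not from the original post, reads the devices named in the ruleset, waits for each to show up in /sys/class/net, and only then loads the file; the config path and 30-second timeout are assumed values.

```shell
#!/bin/sh
# Added example (not from the original post). A netdev-family chain can only be
# created while the interface it names exists, so a NIC missing at boot makes
# 'nft -f' fail with ENOENT; this wrapper waits for the devices first.
# Assumed: the config path and the 30s timeout are examples, not from the post.

# wait_for_netdev DEV [TIMEOUT_S] [SYSFS_NET_DIR]: succeed once SYSFS_NET_DIR/DEV exists.
wait_for_netdev() {
    dev=$1; timeout=${2:-30}; sysfs=${3:-/sys/class/net}; waited=0
    while [ ! -e "$sysfs/$dev" ]; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "interface $dev not present after ${timeout}s" >&2
            return 1
        fi
        waited=$((waited + 1))
        sleep 1
    done
    return 0
}

# netdev_devices_in_ruleset FILE
# Prints the interface named by each 'hook ingress|egress ... device X' line,
# resolving '$VAR' through the file's own 'define VAR=...' statements.
netdev_devices_in_ruleset() {
    awk '
        /^[[:space:]]*define[[:space:]]/ {
            line = $0
            sub(/^[[:space:]]*define[[:space:]]+/, "", line)
            split(line, kv, /[[:space:]]*=[[:space:]]*/)
            defs[kv[1]] = kv[2]
        }
        /hook[[:space:]]+(ingress|egress)/ && match($0, /device[[:space:]]+[$A-Za-z0-9_.:-]+/) {
            d = substr($0, RSTART, RLENGTH)
            sub(/^device[[:space:]]+/, "", d)
            if (substr(d, 1, 1) == "$") d = defs[substr(d, 2)]
            if (d != "") print d
        }' "$1" | sort -u
}

# load_ruleset_when_ready [FILE]: wait for every named device, then apply the ruleset.
# Usage (as root): load_ruleset_when_ready /etc/nftables.conf
load_ruleset_when_ready() {
    conf=${1:-/etc/nftables.conf}
    for dev in $(netdev_devices_in_ruleset "$conf"); do
        wait_for_netdev "$dev" 30 || return 1
    done
    nft -f "$conf"
}
```

Without a script, the same ordering can be expressed in a drop-in for nftables.service with Wants=sys-subsystem-net-devices-enp2s0f1.device and After= of that same unit, so the service waits for udev to announce the interface. Either way a still-missing NIC shows up as a clear timeout message in the journal instead of the bare ENOENT from nft.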