For over a year I have had a working nft configuration. After updating the NIC's NVM and running "apt update & upgrade", I get the following error at boot. But if I start nftables manually from the command line with "sudo systemctl start nftables", it starts without any error. I have done a clean Debian install, but the error persists. After two days of searching I don't know where to start, and would greatly appreciate any hints.
Running Debian 12.4 with kernel 6.1.0-17-amd64. Error extracted from "sudo journalctl -xe":
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]: chain ingress {
Jan 06 17:22:21 black nft[440]: ^^^^^^^
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]: chain ingress {
Jan 06 17:22:21 black nft[440]: ^^^^^^^
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]: chain ingress {
Jan 06 17:22:21 black nft[440]: ^^^^^^^
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]: chain ingress {
Jan 06 17:22:21 black nft[440]: ^^^^^^^
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]: chain ingress {
Jan 06 17:22:21 black nft[440]: ^^^^^^^
Jan 06 17:22:21 black nft[440]: /etc/nftables.conf:13:15-21: Error: Could not process rule: No such file or directory
Jan 06 17:22:21 black nft[440]: chain ingress {
Jan 06 17:22:21 black nft[440]: ^^^^^^^
Jan 06 17:22:21 black systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ An ExecStart= process belonging to unit nftables.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Jan 06 17:22:21 black systemd[1]: nftables.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ The unit nftables.service has entered the 'failed' state with result 'exit-code'.
Jan 06 17:22:21 black systemd[1]: Failed to start nftables.service - nftables.
░░ Subject: A start job for unit nftables.service has failed
░░ Defined-By: systemd
░░ Support: https://www.debian.org/support
░░
░░ A start job for unit nftables.service has finished with a failure.
░░
░░ The job identifier is 16 and the job result is failed.
NFTABLES has the following configuration:
#!/usr/sbin/nft -f
flush ruleset

define carbon_LAN=eno2
define WiFi_LAN=eno1
define CarbonWAN=enp2s0f1
# WiFi_LAN is 10.111.221.0/24 and Carbon_LAN is 10.111.222.0/24, hence 10.111.221.0/23 contains both network segments
define CarbonNET = 10.111.221.0/23

# "anti-DDOS/SYN-flood protection"
table netdev filter {
    chain ingress {
        type filter hook ingress device $CarbonWAN priority -500;
        # IP FRAGMENTS
        ip frag-off & 0x1fff != 0 counter drop
        # IP BOGONS
        # From <https://www.team-cymru.com/bogon-reference.html>.
        ip saddr { \
            0.0.0.0/8, \
            10.0.0.0/8, \
            100.64.0.0/10, \
            127.0.0.0/8, \
            169.254.0.0/16, \
            172.16.0.0/12, \
            192.0.0.0/24, \
            192.0.2.0/24, \
            192.168.0.0/16, \
            198.18.0.0/15, \
            198.51.100.0/24, \
            203.0.113.0/24, \
            224.0.0.0/3 \
        } \
        counter drop
        # TCP XMAS
        tcp flags & (fin|psh|urg) == fin|psh|urg counter drop
        # TCP NULL
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
        # TCP MSS
        tcp flags syn tcp option maxseg size 1-535 counter drop
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0;
        # "allow ssh from WAN, don't forget to limit the number of parallel ssh to max. 2. See tutorial on RedHat"
        #iif $CarbonWAN tcp dport {ssh} counter accept
        # "drop invalid packets"
        iif $CarbonWAN ct state invalid drop
        # "allow local packets"
        iif {$carbon_LAN,$WiFi_LAN} accept
        # "allow established wan packets"
        iif $CarbonWAN ct state {established, related} counter accept
        # "allow communication between LANs subnets"
        iif $carbon_LAN oif $WiFi_LAN accept
        iif $WiFi_LAN oif $carbon_LAN accept
        # "drop the rest of the packets"
        iif $CarbonWAN drop
    }
    chain forward {
        type filter hook forward priority 0;
        # "drop invalid packets"
        iif $CarbonWAN ct state invalid drop
        # "allow wan est, relat"
        iif $CarbonWAN oif {$carbon_LAN,$WiFi_LAN} ct state {established, related} counter accept
        # "allow lan to wan"
        iif {$carbon_LAN,$WiFi_LAN} oif $CarbonWAN counter accept
        # "drop the rest of the packets"
        iif $CarbonWAN drop
    }
    chain output {
        type filter hook output priority 0;
        # "allow traffic from all LANs to WAN"
        ip saddr $CarbonNET oif $CarbonWAN accept
        # "allow communication between LANs"
        iif $carbon_LAN oif $WiFi_LAN accept
        iif $WiFi_LAN oif $carbon_LAN accept
        # "drop the rest of the packets"
        oif $CarbonWAN drop
    }
}

table nat {
    chain output {
        type nat hook output priority -100;
    }
    chain prerouting {
        type nat hook prerouting priority -100;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $CarbonWAN counter masquerade comment "masquerade"
    }
}

table inet mangle {
    chain prerouting {
        type filter hook prerouting priority -150;
        # CT INVALID
        ct state invalid counter drop
        # TCP SYN (CT NEW)
        tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
    }
}
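The error in the journal points at the `chain ingress` line, and "No such file or directory" from a netdev hook means the kernel could not find the interface named in `device $CarbonWAN` at the moment nft ran; nft then reports the failure once per rule in that chain, which is why the same message repeats six times. A ruleset like this loads fine by hand once the NIC is up but fails at boot if the interface does not exist yet. The following pre-flight check is an added example, not code from the question or from the nftables project: it resolves every `device $VAR` in a ruleset through its `define` line and verifies the interface under `/sys/class/net`, so the failure can be diagnosed before `nft -f` is even attempted. The sample ruleset and the fake sysfs directory in `demo` are constructed for the example; `netdev_devices`, `check_devices` and `demo` are names chosen here. Only the single-device `device X` form is parsed, not `devices = { ... }`.

```shell
#!/bin/sh
# Pre-flight check for nftables rulesets with netdev (ingress/egress) chains.
# A netdev hook on an interface that does not exist yet fails to load with
# "Could not process rule: No such file or directory", so we resolve the
# interface names first and look them up in sysfs.

# Print the interface names used by "hook ingress|egress device ..." lines,
# resolving $VARIABLE through "define VARIABLE=value" (spaces around = allowed).
# Assumption: the single-device form only; "devices = { a, b }" is not parsed.
netdev_devices() {
    conf="$1"
    awk '
        /^[[:space:]]*define[[:space:]]/ {
            line = $0
            sub(/^[[:space:]]*define[[:space:]]+/, "", line)
            split(line, kv, /[[:space:]]*=[[:space:]]*/)
            defs[kv[1]] = kv[2]
        }
        /hook[[:space:]]+(ingress|egress)[[:space:]]+device/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "device") {
                    dev = $(i + 1)
                    gsub(/"/, "", dev)              # tolerate device "eno1"
                    if (substr(dev, 1, 1) == "$") {
                        name = substr(dev, 2)
                        dev = (name in defs) ? defs[name] : dev
                    }
                    print dev
                }
            }
        }
    ' "$conf"
}

# Report each referenced interface on stderr; return 0 only if all exist.
# $2 overrides the sysfs root (default /sys/class/net) so the check can be
# exercised against a constructed directory tree.
check_devices() {
    conf="$1"
    sysroot="${2:-/sys/class/net}"
    rc=0
    for dev in $(netdev_devices "$conf"); do
        if [ -d "$sysroot/$dev" ]; then
            echo "ok      $dev" >&2
        else
            echo "MISSING $dev: netdev chain cannot load until this interface exists" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed demo modelled on the ruleset in the question. Only eno1 and eno2
# exist in the fake sysfs; pass "with-wan" to also create enp2s0f1.
# Prints the resolved device list, then "present" or "missing" on the last line.
demo() {
    work=$(mktemp -d)
    cat > "$work/nftables.conf" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
define carbon_LAN=eno2
define WiFi_LAN=eno1
define CarbonWAN=enp2s0f1
define CarbonNET = 10.111.221.0/23
table netdev filter {
    chain ingress {
        type filter hook ingress device $CarbonWAN priority -500;
        ip frag-off & 0x1fff != 0 counter drop
    }
}
EOF
    mkdir -p "$work/sys/eno1" "$work/sys/eno2"
    [ "$1" = "with-wan" ] && mkdir -p "$work/sys/enp2s0f1"
    netdev_devices "$work/nftables.conf"
    if check_devices "$work/nftables.conf" "$work/sys" 2>/dev/null; then
        echo present
    else
        echo missing
    fi
    rm -rf "$work"
}
```

Run `check_devices /etc/nftables.conf` on the real host before `nft -c -f /etc/nftables.conf`: `nft -c` validates syntax but still needs the device to exist for a netdev chain, so a syntax-clean ruleset can pass by hand and fail at boot. When the device is present at the shell prompt but the unit still fails, the interface is appearing after nftables.service runs, which is exactly the "works manually, fails at boot" pattern in the question; a firmware (NVM) problem that delays or breaks interface registration produces the same symptom.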
Answer 1
The root cause of the ingress error was a faulty NVM update. I was able to narrow down the root cause by swapping the NIC. When the faulty card was replaced / unplugged from the server, the error disappeared. I re-flashed the NVM on the faulty card, and now it boots without the ingress error. Thanks to u1686_grawity for taking the time to work on my problem!