* Found extra tables in nft ruleset
@ 2020-03-06 12:52 Lars Noodén
2020-03-06 13:08 ` Florian Westphal
0 siblings, 1 reply; 4+ messages in thread
From: Lars Noodén @ 2020-03-06 12:52 UTC (permalink / raw)
To: Linux Netfilter Users List
It's looking like nft is creating some extra tables when I create a chain.
Seen below, I can clear the ruleset and then create a table and only the
table I created is in the otherwise empty ruleset. However, if I add a
chain to that table, then two unasked for tables get created, but
perhaps not used. I'm not sure if they are supposed to be there or if
they should be used.
Is this an error on my part? If so what?
Thanks,
Lars
# uname -sr
Linux 4.19.97-v7l+
# nft --version
nftables v0.9.0 (Fearless Fosdick)
# nft flush ruleset
# nft list ruleset
# nft add table ip foobar
# nft list ruleset
table ip foobar {
}
# nft add chain foobar output { type filter hook output priority 0 \;
policy drop \; }
# nft list ruleset
table ip foobar {
chain output {
type filter hook output priority 0; policy drop;
}
}
table ip filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
table ip6 filter {
chain INPUT {
type filter hook input priority 0; policy accept;
}
chain FORWARD {
type filter hook forward priority 0; policy accept;
}
chain OUTPUT {
type filter hook output priority 0; policy accept;
}
}
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Found extra tables in nft ruleset
2020-03-06 12:52 Found extra tables in nft ruleset Lars Noodén
@ 2020-03-06 13:08 ` Florian Westphal
2020-03-06 13:22 ` Lars Noodén
0 siblings, 1 reply; 4+ messages in thread
From: Florian Westphal @ 2020-03-06 13:08 UTC (permalink / raw)
To: Lars Noodén; +Cc: Linux Netfilter Users List
Lars Noodén <lars.nooden@gmx.com> wrote:
> It's looking like nft is creating some extra tables when I create a chain.
>
> Seen below, I can clear the ruleset and then create a table and only the
> table I created is in the otherwise empty ruleset. However, if I add a
> chain to that table, then two unasked for tables get created, but
> perhaps not used. I'm not sure if they are supposed to be there or if
> they should be used.
THey are not supposed to be there.
> Is this an error on my part? If so what?
Run 'nft monitor' to figure out what adds them.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Found extra tables in nft ruleset
2020-03-06 13:08 ` Florian Westphal
@ 2020-03-06 13:22 ` Lars Noodén
2020-03-09 16:31 ` Lars Noodén
0 siblings, 1 reply; 4+ messages in thread
From: Lars Noodén @ 2020-03-06 13:22 UTC (permalink / raw)
To: Linux Netfilter Users List
[...]
> THey are not supposed to be there.
>
>> Is this an error on my part? If so what?
>
> Run 'nft monitor' to figure out what adds them.
Thanks.
If I clear the ruleset and wait, while watching 'nft monitor' I get the
following.
# new generation 951 by process 4497 (nft)
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy
accept; }
add chain ip filter FORWARD { type filter hook forward priority 0;
policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy
accept; }
# new generation 952 by process 4510 (iptables)
# new generation 953 by process 4510 (iptables)
add table ip6 filter
add chain ip6 filter INPUT { type filter hook input priority 0; policy
accept; }
add chain ip6 filter FORWARD { type filter hook forward priority 0;
policy accept; }
add chain ip6 filter OUTPUT { type filter hook output priority 0; policy
accept; }
# new generation 954 by process 4512 (ip6tables)
# new generation 955 by process 4512 (ip6tables)
# new generation 956 by process 4514 (iptables)
# new generation 957 by process 4514 (iptables)
# new generation 958 by process 4516 (ip6tables)
# new generation 959 by process 4516 (ip6tables)
... and so on ...
However, I can't seem to find anything obviously calling ip6tables, the
processes are quite short lived. Then I search for ip6tables in a
script or (ugh) unit file, for example:
# grep -r ip6tables /lib/systemd/*
# grep -r ip6tables /etc/*
Both greps turn up nothing, but something is running and modifying
nftables frequently. It's probably related to the distro so I will dig
into that, if the cause is not already known.
/Lars
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: Found extra tables in nft ruleset
2020-03-06 13:22 ` Lars Noodén
@ 2020-03-09 16:31 ` Lars Noodén
0 siblings, 0 replies; 4+ messages in thread
From: Lars Noodén @ 2020-03-09 16:31 UTC (permalink / raw)
To: Linux Netfilter Users List
Using 'nft monitor' solved that: It appears that the extra tables were
added by iptables, which is in Raspbian Buster by default in the package
of the same name:
$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
$ apt-cache policy iptables | head -n 3
iptables:
Installed: 1.8.2-4
Candidate: 1.8.2-4
iptables interferes with nft. Uninstalling it package leaves nftables
alone to create new tables without getting extra, unasked for tables.
$ sudo nft add table ip foobar
$ sudo nft list ruleset
table ip foobar {
}
All set. Thanks.
/Lars
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-03-09 16:31 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-03-06 12:52 Found extra tables in nft ruleset Lars Noodén
2020-03-06 13:08 ` Florian Westphal
2020-03-06 13:22 ` Lars Noodén
2020-03-09 16:31 ` Lars Noodén
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.