From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Robert Sander <r.sander@heinlein-support.de>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables iifname and currently unknown interfaces
Date: Fri, 16 Oct 2020 12:54:22 +0200
Message-ID: <20201016105422.GA1151@salvia>
In-Reply-To: <c382354e-4a18-0863-e006-0db6f9fce1f6@heinlein-support.de>
On Fri, Oct 16, 2020 at 12:37:58PM +0200, Robert Sander wrote:
> Hi.
>
> with iptables it was possible to specify "-i ifacename" even when the
> interface was currently not available.
>
> nft bails out with an error:
>
> ./nft:225:1-75: Error: Could not process rule: No such file or directory
> add rule ip filter FORWARD iifname bond0.16 oifname bond0.42 accept
>
> We are generating a single firewall configuration for a number of
> firewalls with different interfaces. How do we migrate to nftables?
Strange, that rule works fine here and I don't have such a device.
iifname allows you to match on the device name, so such an interface does
not need to be available.
What nft version and kernel are you using there?
Error: Could not process rule: No such file or directory
add rule ip filter FORWARD iifname bond0.16 oifname bond0.42 accept
            ^^^^^^
With relatively recent nft userspace and kernel, you should get
context on why the ENOENT error is displayed.
Either a missing table, like above, or a missing chain:
Error: Could not process rule: No such file or directory
add rule ip filter FORWARD iifname bond0.16 oifname bond0.42 accept
                   ^^^^^^^
What nft version are you using?
Then, moving forward, a general error means that some of your kernel
components are missing. Did you compile the kernel? If so, could you also
post the .config file for your kernel?
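As an added illustration of the point made in the reply (not part of the thread, and not nft's own code): a small parser that takes the two-line "rule plus caret marker" context nft prints for an ENOENT and tells whether the object it points at is the table or the chain of an "add rule" command. The caret alignment in the constructed samples is an assumption, since the archived mail lost its leading whitespace.

```python
import re
from typing import Optional

# Constructed samples in the shape quoted in the thread: the "Error:" line,
# the offending command, then carets under the token nft objects to.
SAMPLE_MISSING_TABLE = """\
./nft:225:1-75: Error: Could not process rule: No such file or directory
add rule ip filter FORWARD iifname bond0.16 oifname bond0.42 accept
            ^^^^^^
"""

SAMPLE_MISSING_CHAIN = """\
Error: Could not process rule: No such file or directory
add rule ip filter FORWARD iifname bond0.16 oifname bond0.42 accept
                   ^^^^^^^
"""

FAMILIES = {"ip", "ip6", "inet", "arp", "bridge", "netdev"}


def flagged_token(error_text: str) -> Optional[str]:
    """Return the token sitting above the caret run, or None if no marker line."""
    lines = error_text.rstrip("\n").split("\n")
    for cmd, marker in zip(lines, lines[1:]):
        m = re.search(r"\^+", marker)
        if m and marker.strip("^ ") == "":
            start = m.start()
            end = cmd.find(" ", start)  # token ends at next blank or end of line
            return cmd[start:end if end != -1 else len(cmd)]
    return None


def classify_enoent(error_text: str) -> str:
    """Map an nft 'No such file or directory' error on an 'add rule' command
    to the missing object kind: 'table', 'chain' or 'unknown'."""
    lines = error_text.rstrip("\n").split("\n")
    if "No such file or directory" not in lines[0]:
        return "unknown"
    token = flagged_token(error_text)
    cmd = next((l for l in lines if l.startswith("add rule")), None)
    if token is None or cmd is None:
        return "unknown"
    words = cmd.split()
    idx = 2  # 'add rule [family] <table> <chain> ...'; family is optional
    if words[idx] in FAMILIES:
        idx += 1
    table, chain = words[idx], words[idx + 1]
    return "table" if token == table else "chain" if token == chain else "unknown"
```

Note that an iifname device such as bond0.16 never ends up under the carets here: as the reply says, the name does not have to correspond to an existing interface, so only the table and chain declarations need to precede the rule in a generated ruleset.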