Troubleshooting: Difference between revisions

In this section, you can find frequently asked questions that has been posted on the Netfilter mailing list.

Question 1: Address family not supported by protocol problems

If I try to start nft, I get this error:

% nft list table filter
<cmdline>:1:1-17: Error: Could not receive sets from kernel: Address family not supported by protocol
list table filter
^^^^^^^^^^^^^^^^^

Answer: You have to create the table before you can actually list it, ie. nft add table filter. Please, see how to configure tables. Moreover, make sure you also compiled family support, eg. CONFIG_NF_TABLES_IPV4 and that the module can be loaded (eg. nf_tables_ipv4).

Question 2: No such file or directory when adding chain

nft> add chain arp filter input {type nat hook input priority 0 ;}          
<cli>:1:1-64: Error: Could not add chain: No such file or directory            
add chain arp filter input {type nat hook input priority 0 ;}               
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This means that the chain type for the specified family does not exist. In the example above, the problem is that the NAT chain type does not exist for the ARP family.

You may also hit this problem if you forgot to compile the module that enables this chain type in your Linux kernel.

Question 3: Operation not supported when adding chain

For example:

nft> add chain ip filter forward {type nat hook forward priority 0 ;}          
<cli>:1:1-64: Error: Could not add chain: Operation not supported              
add chain filter forward {type nat hook forward priority 0 ;}               
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This means that the chain type for the specified family is not available in that hook. In the example above, the problem is that the available hooks for the NAT chain type are: prerouting, input, output and postrouting.

Question 4. How do nftables and iptables interact when used on the same system?

What happens when you mix Iptables and Nftables? How do they interact?

Question 5: Could not process rule: Operation not permitted

First step is to use `sudo` or a root shell to run the `nft` command.

```console

   $ sudo nft list ruleset

```

Question 6: Chain of type "filter" is not supported, perhaps kernel support is missing

Most likely used a rule statement that does not belong in that particular family.

Usually means one of the following statement got illegally used inside a specific family chain or outside a specific chain hook/type:

In ip (or implicit) family chain, invalid rule statements are:

• devices (netdev family only)
• dnat to (only in nat type & prerouting/input hook)
• flags offload (netdev family only)
• fwd to (only in filter type & forward hook)
• ibriport (bridge family only)
• ibrname (bridge family only)
• meta ibriport (bridge family only)
• meta obriport (bridge family only)
• obriport (bridge family only)
• obrname (bridge family only)
• redirect (only in nat type & prerouting/input hook)

In ip6 family chains, invalid rule statements are:

• devices (netdev family only)
• dnat to (only in nat type & prerouting/input hook)
• flags offload (netdev family only)
• fwd to (only in filter type & forward hook)
• ibriport (bridge family only)
• ibrname (bridge family only)
• meta ibriport (bridge family only)
• meta obriport (bridge family only)
• obriport (bridge family only)
• obrname (bridge family only)
• redirect (only in nat type & prerouting/input hook)
• snat to (only in nat type & postrouting/output hook)

In inet family chains, invalid rule statements are:

• devices (netdev family only)
• dnat to (only in nat type & prerouting/input hook)
• flags offload (netdev family only)
• fwd to (ip/ip6 family only)
• ibriport (bridge family only)
• ibrname (bridge family only)
• meta ibriport (bridge family only)
• meta obriport (bridge family only)
• obriport (bridge family only)
• obrname (bridge family only)
• redirect (only in nat chain type & prerouting/input hook)
• snat to (only in nat type & postrouting/output hook)

In netdev family chain, invalid rule statements are:

• devices (only in filter type & ingress hook)
• dnat to (ip/ip6/inet family only)
• flags offload (only in filter type & ingress hook)
• fwd to (ip/ip6 family only)
• ibriport (bridge family only)
• ibrname (bridge family only)
• meta ibriport (bridge family only)
• meta obriport (bridge family only)
• obriport (bridge family only)
• obrname (bridge family only)
• redirect (ip/ip6/inet family only)
• snat to (ip/ip6/inet family only)

In bridge family chain, invalid rule statements are:

• devices (netdev family only)
• dnat to (ip/ip6/inet family only)
• flags offload (netdev family only)
• fwd to (ip/ip6 family only)
• redirect (ip/ip6/inet family only)
• snat to (ip/ip6/inet family only)

In arp family chain, invalid rule statements are:

• devices (netdev family only)
• dnat to (ip/ip6/inet family only)
• flags offload (netdev family only)
• fwd to (ip/ip6 family only)
• ibriport (bridge family only)
• ibrname (bridge family only)
• meta ibriport (bridge family only)
• meta obriport (bridge family only)
• obriport (bridge family only)
• obrname (bridge family only)
• redirect (ip/ip6/inet family only)
• snat to (ip/ip6/inet family only)