On my DietPi v8 I installed nftables, using a working configuration from my PC and from another Raspberry with Debian. I get an error message, and systemctl tells me that the nftables startup failed. This is the portion of the output that reports the error:
/etc/nftables.conf:12:3-10: Error: Could not process rule: No such file or directory
gen 23 17:40:08 DietPi nft[11344]: ct state invalid drop comment "Drop invalid connections"
gen 23 17:40:08 DietPi nft[11344]: ^^^^^^^^
gen 23 17:40:08 DietPi nft[11344]: /etc/nftables.conf:13:3-10: Error: Could not process rule: No such file or directory
gen 23 17:40:08 DietPi nft[11344]: ct state established,related accept comment "Accept traffic originated from us"
gen 23 17:40:08 DietPi nft[11344]: ^^^^^^^^
gen 23 17:40:08 DietPi nft[11344]: /etc/nftables.conf:22:91-126: Error: Could not process rule: No such file or directory
gen 23 17:40:08 DietPi nft[11344]: udp sport 1900 udp dport >= 1024 ip6 saddr { fd00::/8, fe80::/10 } meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
gen 23 17:40:08 DietPi nft[11344]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
gen 23 17:40:08 DietPi nft[11344]: /etc/nftables.conf:23:128-163: Error: Could not process rule: No such file or directory
gen 23 17:40:08 DietPi nft[11344]: udp sport 1900 udp dport >= 1024 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
gen 23 17:40:08 DietPi nft[11344]:
I don’t understand why it works on the PC, but on the Raspberry with DietPi it gives me an error.
The errors contain line and character coordinates within the file, so the file exists, but those four rules are invalid, it seems. I have not much experience with nftables syntax, to be honest, kept using iptables so far (which internally uses nftables as well on modern Debian with a non-ancient kernel), but the error message “No such file or directory” is pretty confusing indeed, as if a firewall rule would contain a file path, especially for the understandable “ct state” syntax. However, it looks like you need to review those rules.
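To make "review those rules" concrete, here is a small added helper script (it is not from this thread or from DietPi). It takes the kind of output shown above, strips the journal prefix, pulls out the file:line coordinates of every "Error:" line, and prints the matching line of the ruleset file so each rejected rule can be read in context. When nft is installed it also runs the file through nft's check mode (`nft -c -f`), which validates the ruleset without applying it. The sample error text is constructed from the format in the thread; the path of the ruleset file is an assumption.

```shell
#!/bin/sh
# Added example: map nft load errors back to the lines of the ruleset they refer to.
# Assumed error format (as seen in the thread):
#   [<journal prefix>] <file>:<line>:<col>-<col>: Error: <message>

tab=$(printf '\t')

# Constructed sample of nft/journal output, modelled on the thread's log lines.
SAMPLE_ERRORS='gen 23 17:40:08 DietPi nft[11344]: /etc/nftables.conf:12:3-10: Error: Could not process rule: No such file or directory
gen 23 17:40:08 DietPi nft[11344]: ct state invalid drop comment "Drop invalid connections"
gen 23 17:40:08 DietPi nft[11344]: ^^^^^^^^
gen 23 17:40:08 DietPi nft[11344]: /etc/nftables.conf:13:3-10: Error: Could not process rule: No such file or directory
gen 23 17:40:08 DietPi nft[11344]: ct state established,related accept comment "Accept traffic originated from us"
gen 23 17:40:08 DietPi nft[11344]: ^^^^^^^^'

# Read nft output on stdin; emit one "<line>TAB<message>" per Error line.
# "^[^/]*" skips any journal prefix (timestamp, host, "nft[pid]:"), which contains no slash.
# Rule text and "^^^^" marker lines do not match the pattern and are dropped.
parse_nft_errors() {
  sed -n -E "s|^[^/]*(/[^ :]+):([0-9]+):[0-9]+-[0-9]+: Error: (.*)\$|\2${tab}\3|p"
}

# $1 = ruleset file to read rules from; stdin = nft output.
# Prints "<file>:<line>: <message>" followed by the offending line of the file.
show_failing_rules() {
  parse_nft_errors | while IFS="$tab" read -r lineno msg; do
    rule=$(sed -n "${lineno}p" "$1")
    printf '%s:%s: %s\n%s\n' "$1" "$lineno" "$msg" "$rule"
  done
}

# Dry-run a ruleset with nft's check mode and annotate any errors.
# Returns nft's exit status; returns 0 with a note if nft is not installed.
check_ruleset() {
  if ! command -v nft >/dev/null 2>&1; then
    echo "nft not installed; skipping check of $1" >&2
    return 0
  fi
  out=$(nft -c -f "$1" 2>&1)
  rc=$?
  printf '%s\n' "$out" | show_failing_rules "$1"
  return $rc
}

# Usage: annotate the sample output against the (assumed) ruleset path,
# then dry-run that ruleset if nft is available on this host.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_ERRORS" | show_failing_rules /etc/nftables.conf
  check_ruleset /etc/nftables.conf
fi
```

Run it as `sh annotate-nft.sh --demo`, or source it and pipe `journalctl -u nftables` output into `show_failing_rules /etc/nftables.conf`. Only the coordinate parsing depends on the error format; the dry run is plain `nft -c -f`.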
Thanks for your answers.
I give you the details in order:
1 - The file /etc/nftables.conf exists. The same setup worked on the same Raspberry with Raspbian. It works without errors even on the PC.
2 - The “ct state” error does not appear on Raspbian or on the PC with Debian and Arch, but only with DietPi.
3 - I also tried other very simple configurations from the nftables wiki, but the error always recurs. I also checked the nftables man pages, where the “ct state” construct appears. The example shown is the same as the one I entered in nftables.conf. I don’t understand where the error comes from.
Hmm, the nftables package has no recommends or suggests defined, so it is very unlikely that any other package, which is not pulled in as a strict dependency, adds further features.
DietPi on RPi is pretty equal to Raspberry Pi OS, same kernel with nftables support (modinfo nf_tables), same userland tools sources, in case of the ARMv6 image the exact same packages.
Which image do you use, ARMv6, ARMv7 or ARMv8? And, in case a kernel upgrade was applied recently, did you reboot already so that the loaded kernel matches the upgraded kernel modules?
ARMv7. Yes. After each update I always reboot to update the modules, as you suggested. I have also installed all dependencies and am not getting missing package errors or unmet dependencies.
A strange thing happened today. Last night, after changing the nftables configuration, it no longer let me access my Raspberry with DietPi remotely. Today I removed the SD card and changed /etc/nftables.conf back to the version I had previously installed, and now I can log in, but if I give the command:
systemctl status nftables
I get “FAILURE” as an answer. Yet the firewall still works. Bizarre :-/
I didn’t know that there is an nftables.service. Nice actually, seems to be something like iptables-persistent/netfilter-persistent, hence it applies rules automatically at boot, but isn’t enabled OOTB (reasonably, given that it may not be wanted/expected, as iptables doesn’t do it either).
Yes sure, however, iptables internally uses nf_tables as well when configured. That way one tool can be used to configure the firewall for modern and legacy kernel versions. Also, nft has filter and forwarding/NAT rules split, while iptables combines them in one command, which is convenient at least.
It has btw been fixed with DietPi v8.1: whenever iptables is installed, it is configured automatically to use either nf_tables or legacy setsockopt, depending on whether the first works (is supported by the system) or not.
That the nftables package ships with a restore-on-boot service is however convenient as well.