After upgrading from Stretch to Buster and moving from iptables to nftables, the nft command does not process any command given to it, except for list, which prints nothing.
Entering nft flush ruleset
prints:
Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
nft create table inet filter
Error: Could not process rule: Invalid argument
create table inet filter
^^^^^^^^^^^^^^^^^^^^^^^^^
Error: Could not process rule: Invalid argument
create table inet filter
^^^^^^^^^^^^^^^^^^^^^^^^^
Even with the initial configuration shipped in the Debian package, it prints an error for every line in it.
nft -f /etc/nftables.conf
/etc/nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
/etc/nftables.conf:3:1-14: Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
/etc/nftables.conf:5:1-2: Error: Could not process rule: Invalid argument
table inet filter {
^^
/etc/nftables.conf:6:15-19: Error: Could not process rule: Invalid argument
chain input {
^^^^^
/etc/nftables.conf:9:15-21: Error: Could not process rule: Invalid argument
chain forward {
^^^^^^^
/etc/nftables.conf:12:15-20: Error: Could not process rule: Invalid argument
chain output {
^^^^^^
/etc/nftables.conf:3:1-14: Error: Could not process rule: Invalid argument
flush ruleset
^^^^^^^^^^^^^^
/etc/nftables.conf:5:1-2: Error: Could not process rule: Invalid argument
table inet filter {
^^
/etc/nftables.conf:6:15-19: Error: Could not process rule: Invalid argument
chain input {
^^^^^
/etc/nftables.conf:9:15-21: Error: Could not process rule: Invalid argument
chain forward {
^^^^^^^
/etc/nftables.conf:12:15-20: Error: Could not process rule: Invalid argument
chain output {
^^^^^^
Distribution: Debian GNU/Linux 10 (buster)
nft: nftables v0.9.0 (Fearless Fosdick)
I found that the problem is that the nf_tables module is not loaded. The issue persists on a VPS running in OpenVZ, which is container-based virtualization. And since the iptables and nftables modules cannot run at the same time, the provider would rather not break everyone's systems in order to support nftables.
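A preflight check for the situation described in that answer, added here as an example (not code from the original post): it classifies why nft may fail before a ruleset is applied, by looking for nf_tables in the module list and for an OpenVZ container marker. The /proc/modules format and the /proc/vz marker are assumptions about the host; the sample data is constructed.

```shell
#!/bin/sh
# Added example: classify why `nft` may report "Invalid argument".
# Inputs are passed explicitly so the check can also run on data captured
# from another host; the paths and sample content are assumptions.

# nft_backend_state MODULES_FILE VZ_MARKER_PATH
# Prints one of:
#   module-loaded      nf_tables is present in the module list
#   openvz-container   no nf_tables and an OpenVZ marker exists: the host
#                      kernel decides, so modprobe inside the VPS cannot help
#   module-missing     no nf_tables, not OpenVZ: try `modprobe nf_tables`
nft_backend_state() {
    modules_file=$1
    vz_marker=$2
    # /proc/modules lines look like: "nf_tables 143360 5 nft_compat, Live 0x..."
    if grep -q '^nf_tables ' "$modules_file" 2>/dev/null; then
        echo module-loaded
    elif [ -e "$vz_marker" ]; then
        echo openvz-container
    else
        echo module-missing
    fi
}

# Wrapper for the live system (assumed paths: /proc/modules and /proc/vz).
nft_backend_state_live() {
    nft_backend_state /proc/modules /proc/vz
}

# Stand-alone demonstration on constructed data.
demo() {
    tmp=$(mktemp -d)
    printf 'nf_tables 143360 5 nft_compat, Live 0x0\nx_tables 40960 1 nf_tables, Live 0x0\n' \
        > "$tmp/modules-with-nft"
    printf 'iptable_filter 16384 1 - Live 0x0\nx_tables 40960 1 iptable_filter, Live 0x0\n' \
        > "$tmp/modules-without-nft"
    mkdir "$tmp/vz"
    nft_backend_state "$tmp/modules-with-nft" "$tmp/no-vz"        # module-loaded
    nft_backend_state "$tmp/modules-without-nft" "$tmp/vz"        # openvz-container
    nft_backend_state "$tmp/modules-without-nft" "$tmp/no-vz"     # module-missing
    rm -rf "$tmp"
}

demo
```

On a real host, run nft_backend_state_live before `nft -f /etc/nftables.conf`; only the module-missing result is something modprobe can fix from inside the guest.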