[pkg-netfilter-team] Bug#959427: nftables: On boot "nftables.service" fails to start

Damir Koscic damir.koscic at gmail.com
Sat May 2 11:12:59 BST 2020 

Package: nftables
Version: 0.9.0-2
Severity: important

Dear Maintainer,

On boot "nftables.service" fails to start. The excerpt from systemd journal
(shown on bottom of mail), shows that offending part of of config file is:

	table netdev macs{
		chain mac_filter{
			type filter hook ingress device ens192 priority 0; policy drop;
			ether saddr "00:0c:29:0b:04:09" accept
		}
	}

The config file itself is OK, since there is no problem starting "nftables"
after boot procedure is done (boot procedure itself is not compromised as
described in another bug report).

The fact, that nft error messages were nested between "systemd-udevd" messages,
suggested that maybe "udevd" has not done its job entirely, and that somehow
"nftables" depends on it. What I have tried to do is to add following into
"nftables.service" unit file (using "systemctl edit", thus not modifying packa-
ge original unit file):

	After=systemd-udevd.service

That solved the problem, and all successive reboots were successful.

I hope this helps you identify the problem and find proper solution for it :)

Kind regards,
  Damir Koscic


Excerpt from systemd journal:
----------------------------------
  audit[317]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined"
  systemd-udevd[278]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
  systemd-udevd[288]: Using default interface naming scheme 'v240'.
  systemd-udevd[289]: Using default interface naming scheme 'v240'.
  nft[244]: /etc/nftables.conf:61:11-27: Error: Could not process rule: No such file or directory
  nft[244]:     chain mac_filter{
  nft[244]:           ^^^^^^^^^^
  nft[244]: /etc/nftables.conf:63:9-39: Error: Could not process rule: No such file or directory
  nft[244]:         ether saddr "00:0c:29:0b:04:09" accept
  nft[244]:         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  systemd-udevd[278]: Using default interface naming scheme 'v240'.
  systemd-udevd[290]: Using default interface naming scheme 'v240'.
  systemd-udevd[288]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
  systemd-udevd[289]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
  systemd-udevd[278]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
  systemd-udevd[290]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
  systemd-udevd[283]: Using default interface naming scheme 'v240'.
  systemd[1]: Starting Flush Journal to Persistent Storage...

-- System Information:
Debian Release: 10.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  dpkg          1.19.7
ii  libc6         2.28-10
ii  libgmp10      2:6.1.2+dfsg-4
ii  libjansson4   2.12-1
ii  libnftables0  0.9.0-2
ii  libreadline7  7.0-5

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables.conf changed [not included]

-- no debconf information

More information about the pkg-netfilter-team mailing list