Requesting help related to nftables.
When using configuration commands, I get the error below.
Error: Could not process rule: Operation not supported
Debian - 10.
root@localhost:~# uname -a
Linux localhost 4.19.81-OpenNetworkLinux-thanos #1 SMP Tue Apr 28 08:24:05 UTC 2020 x86_64 GNU/Linux
root@localhost:~# nft -v
nftables v0.9.0 (Fearless Fosdick)
Confirmed that NFT and its dependency packages are installed.
root@localhost:~# sudo dpkg-query -l
...
ii libnftables0:amd64 0.9.0-2 amd64 Netfilter nftables high level userspace API library
ii libnftnl11:amd64 1.1.2-2 amd64 Netfilter nftables userspace API library
ii nftables 0.9.0-2 amd64 Program to control packet filtering rules by Netfilter project
ii libmnl0:amd64 1.0.4-2 amd64 minimalistic Netlink communication library
...
Tried the following commands in order:
1.root@localhost:~# nft --debug all flush ruleset
2.root@localhost:~# nft --debug all add table ip filter
Below is the debug output for 2) above, the add command.
A similar "Operation not supported" error also occurs for 1).
# nft --debug all add table ip filter
Entering state 0
Reducing stack by rule 1 (line 747):
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --accepting rule at line 275 ("add")
Next token is token "add" (: )
Shifting token "add" (: )
Entering state 19
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 245 ("table")
Next token is token "table" (: )
Shifting token "table" (: )
Entering state 10
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 388 ("ip")
Next token is token "ip" (: )
Shifting token "ip" (: )
Entering state 35
Reducing stack by rule 246 (line 1845):
$1 = token "ip" (: )
-> $$ = nterm family_spec_explicit (: )
Stack now 0 1 19 10
Entering state 47
Reducing stack by rule 245 (line 1842):
$1 = nterm family_spec_explicit (: )
-> $$ = nterm family_spec (: )
Reducing stack by rule 245 (line 1842):
$1 = nterm family_spec_explicit (: )
-> $$ = nterm family_spec (: )
Stack now 0 1 19 10
Entering state 46
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 602 ("filter")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 53
Reducing stack by rule 239 (line 1818):
$1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 19 10 46
Entering state 250
Reducing stack by rule 252 (line 1853):
$1 = nterm family_spec (: )
$2 = nterm identifier (: )
-> $$ = nterm table_spec (: )
Stack now 0 1 19 10
Entering state 57
Reading a token: --accepting rule at line 611 ("
")
Next token is token "newline" (: )
Reducing stack by rule 31 (line 874):
$1 = token "table" (: )
$2 = nterm table_spec (: )
-> $$ = nterm add_cmd (: )
Stack now 0 1 19
Entering state 66
Reducing stack by rule 17 (line 858):
$1 = token "add" (: )
$2 = nterm add_cmd (: )
-> $$ = nterm base_cmd (: )
Stack now 0 1
Entering state 44
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 766):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 44
Entering state 249
Reducing stack by rule 14 (line 824):
$1 = nterm base_cmd (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm line (: )
Stack now 0 1
Entering state 43
Reducing stack by rule 2 (line 748):
$1 = nterm input (: )
$2 = nterm line (: )
Evaluate add
add table ip filter
^^^^^^^^^^^^^^^^^^^^
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token "end of file" (: )
Entering state 2
Stack now 0 1 2
Cleanup: popping token "end of file" (: )
Cleanup: popping nterm input (: )
---------------- ------------------
| 0000000020 | | message length |
| 00016 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 0a 00 | | extra header |"
.....
Error: Could not process rule: Operation not supported
add table ip filter
^^^^^^^^^^^^^^
root@localhost:~# nft --interactive
nft> create table inet mytable
Error: Could not process rule: Operation not supported
create table inet mytable
Thank you for your help.
Thanks all,
Santosh
The kernel may have been compiled without the nftables module. You can check whether the module is loaded with:
lsmod | grep nf_tables
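The check suggested in the answer above, extended as an added example (not part of the original thread): `lsmod` only lists loaded modules, so this also reads the kernel config to tell a kernel built without `CONFIG_NF_TABLES` apart from one where the module is simply not loaded. The function names, file arguments and sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print builtin | module | absent | unknown for CONFIG_NF_TABLES in a
# plain-text kernel config (e.g. /boot/config-$(uname -r), or the output
# of `zcat /proc/config.gz` saved to a file).
nf_tables_config_state() {
    [ -r "$1" ] || { echo unknown; return; }
    if grep -q '^CONFIG_NF_TABLES=y$' "$1"; then echo builtin
    elif grep -q '^CONFIG_NF_TABLES=m$' "$1"; then echo module
    else echo absent
    fi
}

# Succeed if nf_tables appears in a /proc/modules-format file
# (the same data lsmod reads).
nf_tables_loaded() {
    grep -q '^nf_tables ' "$1"
}

# Combine both checks: builtin | loaded | loadable | unsupported | unknown
nf_tables_diagnose() {
    case $(nf_tables_config_state "$1") in
        builtin) echo builtin ;;
        module)  if nf_tables_loaded "$2"; then echo loaded; else echo loadable; fi ;;
        absent)  echo unsupported ;;
        *)       if nf_tables_loaded "$2"; then echo loaded; else echo unknown; fi ;;
    esac
}

# Constructed sample inputs (not taken from the poster's machine).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'CONFIG_NETFILTER=y' '# CONFIG_NF_TABLES is not set' > "$d/cfg_absent"
    printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_NF_TABLES=m' > "$d/cfg_module"
    printf '%s\n' 'nfnetlink 16384 0 - Live 0x0000000000000000' > "$d/mods_empty"
    printf '%s\n' 'nf_tables 143360 0 - Live 0x0000000000000000' > "$d/mods_loaded"
    nf_tables_diagnose "$d/cfg_absent" "$d/mods_empty"
    nf_tables_diagnose "$d/cfg_module" "$d/mods_empty"
    nf_tables_diagnose "$d/cfg_module" "$d/mods_loaded"
    rm -rf "$d"
}
```

On a live system the call would be `nf_tables_diagnose "/boot/config-$(uname -r)" /proc/modules`; a result of `loadable` means `modprobe nf_tables` is the next step, while `unsupported` means the kernel has to be rebuilt with nf_tables enabled.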