Package: nftables
Version: 1.0.6-2+deb12u2
Severity: normal
X-Debbugs-Cc: alf...@web.de

Dear Maintainer,

after setting up /etc/nftables.conf and rebooting, the service does not start.

systemctl status nftables
× nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2024-09-20 19:33:50 CEST; 9min ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 682 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
   Main PID: 682 (code=exited, status=1/FAILURE)
        CPU: 9ms

Sep 20 19:33:50 asterix nft[682]: ^^^^^^^^
Sep 20 19:33:50 asterix nft[682]: /etc/nftables.conf:33:7-14: Error: Interface does not exist
Sep 20 19:33:50 asterix nft[682]: iif macvtap1 counter drop
Sep 20 19:33:50 asterix nft[682]: ^^^^^^^^
Sep 20 19:33:50 asterix nft[682]: /etc/nftables.conf:50:7-14: Error: Interface does not exist
Sep 20 19:33:50 asterix nft[682]: oif macvtap1 counter drop
Sep 20 19:33:50 asterix nft[682]: ^^^^^^^^
Sep 20 19:33:50 asterix systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Sep 20 19:33:50 asterix systemd[1]: nftables.service: Failed with result 'exit-code'.
Sep 20 19:33:50 asterix systemd[1]: Failed to start nftables.service - nftables.

After the network is up, the restart of the service is successful.

systemctl restart nftables
systemctl status nftables
● nftables.service - nftables
     Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: enabled)
     Active: active (exited) since Fri 2024-09-20 19:46:50 CEST; 5s ago
       Docs: man:nft(8)
             http://wiki.nftables.org
    Process: 1605 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 1605 (code=exited, status=0/SUCCESS)
        CPU: 20ms

Sep 20 19:46:50 asterix systemd[1]: Starting nftables.service - nftables...
Sep 20 19:46:50 asterix systemd[1]: Finished nftables.service - nftables.

Several attempts with systemctl add-requires to make nftables start after the network devices were not successful.

The only (bad) workaround was to edit the service file /lib/systemd/system/nftables.service diff -u bak/lib/systemd/system/nftables.service.orig bak/lib/systemd/system/nftables.service --- bak/lib/systemd/system/nftables.service.orig 2024-09-20 03:04:15.693619453 +0200 +++ bak/lib/systemd/system/nftables.service 2024-09-20 03:32:18.857322949 +0200 
@@ -1,8 +1,8 @@ [Unit] Description=nftables Documentation=man:nft(8) http://wiki.nftables.org -Wants=network-pre.target -Before=network-pre.target shutdown.target +After=network.target +Before=shutdown.target Conflicts=shutdown.target DefaultDependencies=no

Expected behaviour: nftables service starts after the network devices are known.

I don't use network-manager, it was purged. Network device setup was done with systemd-networkd and systemd-resolved:

ls -lh /etc/systemd/network
-rw-r--r-- 1 root root 58 19. Sep 18:21 40-macvtap0.netdev
-rw-r--r-- 1 root root 58 19. Sep 18:21 40-macvtap1.netdev
-rw-r--r-- 1 root root 42 19. Sep 18:24 41-macvtap0.network
-rw-r--r-- 1 root root 49 19. Sep 18:21 41-macvtap1.network
-rw-r--r-- 1 root root 62 19. Sep 18:21 50-eno1-macvtap.network

ls -lh /etc/udev/rules.d/
insgesamt 4,0K
-rw-r--r-- 1 root root 41 19. Sep 20:04 65-mykvm.rules

-- System Information:
Debian Release: 12.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-25-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nftables depends on:
ii  libc6         2.36-9+deb12u8
ii  libedit2      3.1-20221030-2
ii  libnftables1  1.0.6-2+deb12u2

Versions of packages nftables recommends:
ii  netbase  6.4

Versions of packages nftables suggests:
pn  firewalld  <none>

-- Configuration Files:
/etc/nftables.conf changed [not included]

-- no debconf information
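
Review bot: Replacing "Before=network-pre.target" with "After=network.target" in the [Unit] section means the ruleset is loaded only after the interfaces have been configured, so the host runs unfiltered for the first part of every boot, and the "Wants=network-pre.target" line that made the original ordering effective is dropped as well. Keep the shipped ordering and instead change the two rules that fail in the log (iif macvtap1 at /etc/nftables.conf line 33 and oif macvtap1 at line 50) to iifname "macvtap1" and oifname "macvtap1", which match on the interface name per packet and load even when the interface does not exist yet. If the unit ordering has to change anyway, put it in a drop-in under /etc/systemd/system/nftables.service.d/ rather than editing /lib/systemd/system/nftables.service, which a package upgrade overwrites.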