Newsgroups: comp.os.linux.security
Date: Mon, 11 May 2020 00:52:04 -0700 (PDT)
Message-ID: <71f0c893-0f36-4d66-b42f-39a77564d6a3@googlegroups.com>
Subject: Request for help nft commands - debian throwing error - Operation not supported
From: Santosh Kumar

Hi everyone,

Request for your kind help related to nft commands not working. I always get the below error for nft commands when I run them.

Error: Could not process rule: Operation not supported

Debian - 10.

root@localhost:~# uname -a
Linux localhost 4.19.81-OpenNetworkLinux-thanos #1 SMP Tue Apr 28 08:24:05 UTC 2020 x86_64 GNU/Linux

Checked nft dependencies:

root@localhost:~# sudo dpkg-query -l | grep nft
ii  libnftables0:amd64  0.9.0-2  amd64  Netfilter nftables high level userspace API library
ii  libnftnl11:amd64    1.1.2-2  amd64  Netfilter nftables userspace API library
ii  nftables            0.9.0-2  amd64  Program to control packet filtering rules by Netfilter project
ii  libmnl0:amd64       1.0.4-2  amd64  minimalistic Netlink communication library

1) root@localhost:~# nft --debug all flush ruleset
2) root@localhost:~# nft --debug all add table ip filter

Below is the debug output for the above add command:

"
Entering state 0
Reducing stack by rule 1 (line 747):
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --accepting rule at line 275 ("add")
Next token is token "add" (: )
Shifting token "add" (: )
Entering state 19
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 245 ("table")
Next token is token "table" (: )
Shifting token "table" (: )
Entering state 10
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 388 ("ip")
Next token is token "ip" (: )
Shifting token "ip" (: )
Entering state 35
Reducing stack by rule 246 (line 1845):
   $1 = token "ip" (: )
-> $$ = nterm family_spec_explicit (: )
Stack now 0 1 19 10
Entering state 47
Reducing stack by rule 245 (line 1842):
   $1 = nterm family_spec_explicit (: )
-> $$ = nterm family_spec (: )
Reducing stack by rule 245 (line 1842):
   $1 = nterm family_spec_explicit (: )
-> $$ = nterm family_spec (: )
Stack now 0 1 19 10
Entering state 46
Reading a token: --accepting rule at line 631 (" ")
--accepting rule at line 602 ("filter")
Next token is token "string" (: )
Shifting token "string" (: )
Entering state 53
Reducing stack by rule 239 (line 1818):
   $1 = token "string" (: )
-> $$ = nterm identifier (: )
Stack now 0 1 19 10 46
Entering state 250
Reducing stack by rule 252 (line 1853):
   $1 = nterm family_spec (: )
   $2 = nterm identifier (: )
-> $$ = nterm table_spec (: )
Stack now 0 1 19 10
Entering state 57
Reading a token: --accepting rule at line 611 (" ")
Next token is token "newline" (: )
Reducing stack by rule 31 (line 874):
   $1 = token "table" (: )
   $2 = nterm table_spec (: )
-> $$ = nterm add_cmd (: )
Stack now 0 1 19
Entering state 66
Reducing stack by rule 17 (line 858):
   $1 = token "add" (: )
   $2 = nterm add_cmd (: )
-> $$ = nterm base_cmd (: )
Stack now 0 1
Entering state 44
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Reducing stack by rule 3 (line 766):
   $1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Stack now 0 1 44
Entering state 249
Reducing stack by rule 14 (line 824):
   $1 = nterm base_cmd (: )
   $2 = nterm stmt_separator (: )
-> $$ = nterm line (: )
Stack now 0 1
Entering state 43
Reducing stack by rule 2 (line 748):
   $1 = nterm input (: )
   $2 = nterm line (: )
Evaluate add
add table ip filter
^^^^^^^^^^^^^^^^^^^^
-> $$ = nterm input (: )
Stack now 0
Entering state 1
Reading a token: --(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token "end of file" (: )
Entering state 2
Stack now 0 1 2
Cleanup: popping token "end of file" (: )
Cleanup: popping nterm input (: )
----------------  ------------------
|  0000000020  |  | message length |
| 00016 | R--- |  |  type | flags  |
|  0000000000  |  | sequence number|
|  0000000000  |  |     port ID    |
----------------  ------------------
| 00 00 0a 00  |  |  extra header  |
"
.....

Error: Could not process rule: Operation not supported
flush ruleset
^^^^^^^^^^^^^^

Appreciate your help.

Thanks all,
Santosh