How to troubleshoot why nftables.service doesn't work?

webcaptcha · 6 February 2022 19:04

If I try start it, it appears to start without errors but status says service is inactive

+0 webcapcha@home-laptop:~$ sudo systemctl start nftables.service
+0 webcapcha@home-laptop:~$ sudo systemctl status nftables.service
○ nftables.service - Netfilter Tables
     Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
     Active: inactive (dead) since Sun 2022-02-06 21:02:30 EET; 3s ago
       Docs: man:nft(8)
    Process: 3177 ExecStart=/usr/bin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 3177 (code=exited, status=0/SUCCESS)
        CPU: 31ms

Feb 06 21:02:30 home-laptop systemd[1]: Starting Netfilter Tables...
Feb 06 21:02:30 home-laptop systemd[1]: nftables.service: Deactivated successfully.
Feb 06 21:02:30 home-laptop systemd[1]: Finished Netfilter Tables.

mithrial · 6 February 2022 19:08

This service is not a daemon and is therefore not running at all times.

ishaan2479 · 6 February 2022 19:08

It loads, does it’s stuff (reads the configuration stored in the /etc/nftables.conf file) and goes inactive. nftables.service will load rules from that file when started or enabled. simple

read - nftables - ArchWiki

webcaptcha · 6 February 2022 19:19

So and how I can monitor that its actually working? I mean without trying bypassing firewall.
I was stand for that if its the systemd service then it should work all the time.

In this case could you explain how its actually work, who is responsible for it? If its not demon then what is that? Archwiki says start and enable service it doesn’t tell that service shouldn’t be active.

maycne.sonahoz · 6 February 2022 19:21

Surely its activity is logged.

journalctl --boot=-0 --unit=nftables.service

webcaptcha · 6 February 2022 19:22

+1 webcapcha@home-laptop:~$ journalctl --boot=-0 --unit=nftables.service
Feb 06 20:42:43 home-laptop systemd[1]: Starting Netfilter Tables...
Feb 06 20:42:43 home-laptop systemd[1]: nftables.service: Deactivated successfully.
Feb 06 20:42:43 home-laptop systemd[1]: Finished Netfilter Tables.
Feb 06 20:59:26 home-laptop systemd[1]: Starting Netfilter Tables...
Feb 06 20:59:26 home-laptop systemd[1]: nftables.service: Deactivated successfully.
Feb 06 20:59:26 home-laptop systemd[1]: Finished Netfilter Tables.
Feb 06 21:02:30 home-laptop systemd[1]: Starting Netfilter Tables...
Feb 06 21:02:30 home-laptop systemd[1]: nftables.service: Deactivated successfully.
Feb 06 21:02:30 home-laptop systemd[1]: Finished Netfilter Tables.

I started it manually few times. If I look at the logs I come up with thought that service is not working according to “deactivated succesfully”

ishaan2479 · 6 February 2022 19:28

@webcaptcha see - https://www.reddit.com/r/archlinux/comments/p3kamz/nftables_deactivating_itself/

webcaptcha · 6 February 2022 19:34

@ishaanbhimwal oh thank you, that thread makes it clear. Its new behavior according to

Edit: Downgrading nftables from 1:0.9.9-6 to 1:0.9.9-1 seems to fix it for now…

I was think I’m out of mind cuz I clearly remember previously service was active and running and today I just accidentally notice that service is dead.

ishaan2479 · 6 February 2022 19:39

@webcaptcha You got it wrong as did the OP of the reddit thread.There is nothing wrong with nftables. See the pinned comment please.

Doesn’t matter. Nftables is not a daemon; it’s a .service that uploads your rules into the kernel and goes off. There’s no “nftablesd” process that inspects your traffic, the kernel does that on its own.

webcaptcha · 6 February 2022 19:44

sorry I didn’t make myself clearly, I mean I didnt downgrade package and I understood nftables is working inside the “kernel”.

I just wanted to say that few version ago service remained active after load the rules and now we have new behavior.

system · 9 February 2022 09:44

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.