Nftables' "ct count" hangs my terminal

q2dg · March 22, 2020, 7:35am

Hello
I want to add this Nftables rule to my input chain:
nft add rule ip filter input ct count over 2 reject with tcp reset
But when I write this command in bash, it doesn’t return: it hangs.
This only happens when I write the “ct count …” option.
What’s going on?
My kernel is 5.5.9-200.fc31.x86_64 in nftables package version is last available in official repository: 0.9.1
Thanks!!

q2dg · March 20, 2022, 11:42pm

Well, currently state is worst: same rule now gives me this error:
“Error: Could not process rule: No such file or directory”, marking “ct counter 2” as the bad written part of the rule. What’s going on??

My kernel is 5.16.14-200.fc35.x86_64 and nftables package version is last available in official repository: v1.0.0

Thanks!

grumpey · March 21, 2022, 1:35am

Can you post the rule you’re trying to add/is causing you issues?
edit:, my apologies I missed it in the first post.

q2dg · March 21, 2022, 9:38am

Yes, it is:

nft add rule inet filter input ct count over 2 log

nft list ruleset show my current configuration (which is clean):

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
	}

	chain output {
		type filter hook output priority filter; policy accept;
	}
}

Thanks!

bennetts2 · May 17, 2023, 2:07pm

Hi Oscar, I don’t have a solution, but I think part of the problem is that ct count requires CONFIG_NFT_CONNLIMIT to be configured in the kernel, and (for me ) it doesn’t seem to be:

$ grep -C1 CONFIG_NFT_CONNLIMIT /boot/config-$(uname -r)
CONFIG_NFT_FLOW_OFFLOAD=m
# CONFIG_NFT_CONNLIMIT is not set
CONFIG_NFT_LOG=m

It’s a shame, because I was hoping to use this too. I don’t know if there’s an easy way round this - building a custom kernel seems like a lot of bother.

q2dg1 · May 17, 2023, 3:48pm

Thanks!!

bennetts2 · May 17, 2023, 4:45pm

As it happens, I asked on the kernel mailing list and one of the Fedora kernel maintainers has said that it was turned off because of the instability in kernel 4.19 - which is where the thread started!

He agreed that there was no need for it to be disabled now, and has turned it back on. It’ll be in the next build of the kernel packages - apparently we’ve just missed the boat for 6.3.3, but it should be there for 6.3.4

q2dg1 · May 17, 2023, 5:09pm

Great!
Thanks!!