Nftables: "Could not process rule: No such file or directory"

With 23.05.3165.9075cba53e86 (Stoat), and

nixos-rebuild build-vm -I nixos-config=configuration.nix 

I’m seeing a strange error when trying to build with nftables, and it seems like a bug to me:

ruleset.conf:5:17-17: Error: Could not process rule: No such file or directory
      flowtable f {
                ^
ruleset.conf:41:34-48: Error: Could not process rule: No such file or directory
        ip protocol { tcp, udp } flow offload @f
                                 ^^^^^^^^^^^^^^^
error: builder for '/nix/store/jyzhwn1a2i532cw4jfjr0cpv5q083gy9-nftables-rules.drv' failed with exit code 1;
       last 6 log lines:
       > ruleset.conf:5:17-17: Error: Could not process rule: No such file or directory
       >       flowtable f {
       >                 ^
       > ruleset.conf:41:34-48: Error: Could not process rule: No such file or directory
       >         ip protocol { tcp, udp } flow offload @f
       >                                  ^^^^^^^^^^^^^^^

And the output of nix log is also pretty unhelpful: gist:10464d2e767fcdda8a5e0474495e1ec3 · GitHub (nix log /nix/store/jyzhwn1a2i532cw4jfjr0cpv5q083gy9-nftables-rules.drv).

What does this error mean and what’s the solution?

Edit:
It seems that this is a similar issue; however, I need to understand the order in which the configurations are applied and how I can control them.

So the issue has been highlighted here (thanks Freddy).

The “fix” in my case was to disable nftables checks until I can come up with a more thorough fix using preCheckRuleset.

I think I ran into this once. My config does something funny: I have a ruleset without flowtables, and then another service that adds flowtables to the ruleset after sys-subsystem-net-devices-<device>.device for all the network interfaces. I think I had issues where my Wireguard or VLAN interfaces weren’t coming up in time for nftables.

Hi all, I have found a workaround.
Replacing the line that sets the devices with the always-present lo seems to have solved the issue for me.

rulesetFile = ./nftables.nft;
flattenRulesetFile = true;
preCheckRuleset = "sed 's/.*devices.*/devices = { lo }/g' -i ruleset.conf";
1 Like

I recently had a similar issue with this error that was perplexing me.

I had tracked down the error to the device reference in the following section:

table netdev <tableName> {
  chain <chainName> {
    type filter hook ingress device enp2s0 priority 0; policy accept;
  }
}

The table loaded fine manually using ‘nft -f’.

I tried the following which worked perfectly.

preCheckRuleset = "sed 's/ingress device enp2s0/ingress device lo/g' -i ruleset.conf";

Showing my ruleset afterwards (nft list ruleset) showed that the substitution was temporary (during build) which I guess is the purpose of the command. I hadn’t quite understood :crazy_face: that from the description.

LLMs 0, Search Engines 0, Discourse 1 :muscle: - Thank you

1 Like

This is because nftables people had the bright idea of having the firewall rules syntax depend on the current state of the kernel, specifically what’s valid syntax changes depending on which kernel modules you have loaded, which interfaces are available at this moment, etc. This is also the reason preCheckRuleset exists.

For example, flowtables ft { devices = ... } or iifname ... will fail the check if any of the devices is unavailable. Or meta ipsec exists accept will fail if you don’t load the IPSec modules beforehand. This also means you can’t use a remote builder to build the NixOS system… unless you manually remove any line that can’t be validated with the smallest possible set of kernel modules using preCheckRuleset.

2 Likes
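The two sed workarounds above and the explanation of why the check fails on a build host all come down to the same idea: rewrite interface references to lo before `nft -c -f ruleset.conf` runs in the sandbox, so the syntax check no longer depends on which interfaces exist there. The script below is an added example, not code from the thread or from NixOS; it assumes GNU sed (as in the NixOS build sandbox) and uses a constructed ruleset that references interfaces a build VM will not have. The `neutralize_devices` body is the kind of command one would put in `preCheckRuleset`; it only touches the `devices = { ... }` list of a flowtable and the `device <name>` part of a netdev ingress hook, and skips comment lines, which the broader `s/.*devices.*/.../` pattern would also rewrite.

```shell
#!/bin/sh
# Added example (not from the thread): a preCheckRuleset-style rewrite that
# swaps every interface reference in an nftables ruleset for the always-present
# "lo", so `nft -c -f ruleset.conf` can run on a build host where the real
# interfaces (enp2s0, wg0, ...) do not exist. Assumes GNU sed.
set -eu

# Rewrite device references in place. Only the two forms seen in the thread are
# touched: `devices = { a, b }` inside a flowtable and `device <name>` in a
# netdev ingress hook line. Lines starting with '#' are left alone.
neutralize_devices() {
    file="$1"
    sed -i -E \
        -e '/^[[:space:]]*#/!s/devices[[:space:]]*=[[:space:]]*\{[^}]*\}/devices = { lo }/' \
        -e '/^[[:space:]]*#/!s/(hook[[:space:]]+ingress[[:space:]]+device)[[:space:]]+[A-Za-z0-9_.-]+/\1 lo/' \
        "$file"
}

# Write a constructed sample ruleset that references interfaces absent on a
# build VM (the comment line deliberately mentions the same interfaces).
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# devices = { enp2s0, wg0 } is the list used on the target machine
table inet filter {
  flowtable f {
    hook ingress priority 0;
    devices = { enp2s0, wg0 };
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ip protocol { tcp, udp } flow offload @f
  }
}
table netdev ingress_filter {
  chain ingress {
    type filter hook ingress device enp2s0 priority 0; policy accept;
  }
}
EOF
}

# Returns 0 when no real interface name survives outside comment lines.
check_sanitized() {
    if grep -Ev '^[[:space:]]*#' "$1" | grep -Eq 'enp2s0|wg0'; then
        return 1
    fi
    return 0
}

# Stand-alone run: build the sample, rewrite it, print it, and verify.
demo() {
    tmp=$(mktemp)
    write_sample_ruleset "$tmp"
    neutralize_devices "$tmp"
    cat "$tmp"
    check_sanitized "$tmp"
    rm -f "$tmp"
}

demo
```

As noted earlier in the thread, the rewrite only affects the copy checked at build time; the ruleset that is installed and shown by `nft list ruleset` still carries the real interface names, so the check stays meaningful for everything except the interface and kernel-module dependent lines.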