Nftables: "Could not process rule: No such file or directory"

asheshambasta · September 14, 2023, 4:05pm

With 23.05.3165.9075cba53e86 (Stoat), and

nixos-rebuild build-vm -I nixos-config=configuration.nix

I’m seeing a strange error when trying to build with nftables, and it seems like a bug to me:

ruleset.conf:5:17-17: Error: Could not process rule: No such file or directory
      flowtable f {
                ^
ruleset.conf:41:34-48: Error: Could not process rule: No such file or directory
        ip protocol { tcp, udp } flow offload @f
                                 ^^^^^^^^^^^^^^^
error: builder for '/nix/store/jyzhwn1a2i532cw4jfjr0cpv5q083gy9-nftables-rules.drv' failed with exit code 1;
       last 6 log lines:
       > ruleset.conf:5:17-17: Error: Could not process rule: No such file or directory
       >       flowtable f {
       >                 ^
       > ruleset.conf:41:34-48: Error: Could not process rule: No such file or directory
       >         ip protocol { tcp, udp } flow offload @f
       >                                  ^^^^^^^^^^^^^^^

And the output of nix log is also pretty unhelpful: gist:10464d2e767fcdda8a5e0474495e1ec3 · GitHub (nix log /nix/store/jyzhwn1a2i532cw4jfjr0cpv5q083gy9-nftables-rules.drv).

What does this error mean and what’s the solution?

asheshambasta · September 16, 2023, 12:20pm

Edit:
It seems that this is a similar issue, however, I need to understand the order in which the configurations are applied and how I can control them.

asheshambasta · September 18, 2023, 3:44pm

So the issue has been highlighted here (thanks Freddy).

The “fix” in my case was to disable nftables checks until I can come up with a more thorough fix using preCheckRuleset.

Majiir · September 18, 2023, 6:26pm

I think I ran into this once. My config does something funny: I have a ruleset without flowtables, and then another service that adds flowtables to the ruleset after sys-subsystem-net-devices-<device>.device for all the network interfaces. I think I had issues where my Wireguard or VLAN interfaces weren’t coming up in time for nftables.

covert8 · March 10, 2024, 2:26pm

Hi all, i have found a workaround.
Replace the line which changes the devices to the always present lo seems to have solve the issue for me.

          rulesetFile = ./nftables.nft;
          flattenRulesetFile = true;
          preCheckRuleset = "sed 's/.*devices.*/devices = { lo }/g' -i ruleset.conf";