[CentOS] nftables not working (missing kernel modules?)

Tue Oct 12 18:58:37 UTC 2021
Kees de Jong <kees.dejong at surf.nl>

It seems like I'm missing some modules or something?

I can't seem to load the default /etc/nftables/main.nft on my CentOS 8
ISO. I get the following errors:

```
nft -f /etc/nftables/main.nft 
/etc/nftables/main.nft:21:6-22: Error: Could not process rule:
Operation not supported 
 set allowed_protocols { 
 ^^^^^^^^^^^^^^^^^ 
/etc/nftables/main.nft:21:6-22: Error: Could not process rule: No such
file or directory 
 set allowed_protocols { 
 ^^^^^^^^^^^^^^^^^ 
/etc/nftables/main.nft:27:6-23: Error: Could not process rule:
Operation not supported 
 set allowed_interfaces { 
 ^^^^^^^^^^^^^^^^^^ 
/etc/nftables/main.nft:27:6-23: Error: Could not process rule: No such
file or directory 
 set allowed_interfaces { 
 ^^^^^^^^^^^^^^^^^^ 
/etc/nftables/main.nft:33:6-23: Error: Could not process rule:
Operation not supported 
 set allowed_tcp_dports { 
 ^^^^^^^^^^^^^^^^^^ 
/etc/nftables/main.nft:33:6-23: Error: Could not process rule: No such
file or directory 
 set allowed_tcp_dports { 
 ^^^^^^^^^^^^^^^^^^ 
/etc/nftables/main.nft:40:3-37: Error: Could not process rule: No such
file or directory 
 ct state established,related accept 
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
/etc/nftables/main.nft:42:3-40: Error: Could not process rule: No such
file or directory 
 meta l4proto @allowed_protocols accept 
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
/etc/nftables/main.nft:43:3-36: Error: Could not process rule: No such
file or directory 
 iifname @allowed_interfaces accept 
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
/etc/nftables/main.nft:44:3-38: Error: Could not process rule: No such
file or directory 
 tcp dport @allowed_tcp_dports accept 
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
/etc/nftables/main.nft:53:3-41: Error: Could not process rule: No such
file or directory 
 reject with icmpx type port-unreachable 
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

After loading some modules, the errors are reduced to just one.

```
nf_defrag_ipv6
nf_defrag_ipv4
nft_ct
nf_conntrack
nf_tables_set
nf_tables
nfnetlink
```

What could I still be missing here? Is there a way to simply get full
support to do firewalling in these cases?

```
 nft -f /etc/nftables/main.nft 
/etc/nftables/main.nft:53:3-41: Error: Could not process rule: No such
file or directory
 reject with icmpx type port-unreachable
```


-- 
Kees de Jong | Supercomputing | https://www.surf.nl/en/about-surf
OpenPGP fingerprint: 0x0E45C98AB51428E6
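Added here as a worked example, not part of the post above: a small shell helper that collapses nft's duplicated per-rule errors into one entry per source line and reports which of the modules behind each failing expression are absent from a /proc/modules-style listing. The module names for the set and ct rules come from the list loaded above; nft_reject_inet for the remaining `reject with icmpx` rule is my assumption, and the sample error text is constructed in nft's unwrapped, one-line form.

```shell
#!/usr/bin/env bash
# Added diagnostic helper (not from the original post): dedupes nft's
# "Could not process rule" errors and checks the module behind each
# failing rule against a /proc/modules-style listing.

# Print each failing rule once as "LINE<TAB>RULE"; nft reports a source
# line twice ("Operation not supported" and "No such file or directory").
parse_nft_errors() {
    awk '
        /: Error: Could not process rule:/ {        # path:line:col-col: ...
            split($1, loc, ":"); line = loc[2]; want = 1; next }
        want && NF > 0 {                            # next non-empty line = rule
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            if (!seen[line]++) print line "\t" $0; want = 0 }'
}

# nft_ct/nf_conntrack and nf_tables_set are the modules the post loaded;
# nft_reject_inet (reject, incl. icmpx, in an inet table) is my assumption.
module_for_rule() {
    case $1 in
        set\ *)               echo nf_tables_set ;;
        ct\ state*)           echo nft_ct nf_conntrack ;;
        reject\ with\ icmpx*) echo nft_reject_inet ;;
    esac
}

# Print the given module names absent from listing $1 (first field per line).
missing_modules() {
    local listing=$1 m; shift
    for m in "$@"; do grep -q "^$m " "$listing" || echo "$m"; done
}
# Constructed sample of nft output in its real, unwrapped form.
SAMPLE_ERRORS='/etc/nftables/main.nft:21:6-22: Error: Could not process rule: Operation not supported
 set allowed_protocols {
 ^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:21:6-22: Error: Could not process rule: No such file or directory
 set allowed_protocols {
 ^^^^^^^^^^^^^^^^^
/etc/nftables/main.nft:53:3-41: Error: Could not process rule: No such file or directory
 reject with icmpx type port-unreachable
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^'

# For each failing rule, list the needed modules missing from listing $1.
report() {
    tab=$(printf '\t')
    printf '%s\n' "$SAMPLE_ERRORS" | parse_nft_errors |
    while IFS=$tab read -r line rule; do
        printf 'line %s: %s -> missing: %s\n' "$line" "$rule" \
            "$(missing_modules "$1" $(module_for_rule "$rule") | tr '\n' ' ')"
    done
}
[ -r /proc/modules ] && report /proc/modules
```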