Attempting to run nftables has broken wifi connection
by linuxuser371038 from LinuxQuestions.org on (#6ND1Z)
In another post, on the Arch forums, it was indicated that the issues were due to libvirt switching to nftables, and since that seems to be what will replace ufw, I thought I would try it instead of ufw, as this is a fairly new Arch install anyway.
It was already installed, but not running, and the nftables ArchWiki page notes that the default config file 'comes with a simple and secure firewall'. I took that to mean I only had to start and enable it without any further editing.
Here is the config file, not changed from default:

```nft
#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.

destroy table inet filter
table inet filter {
  chain input {
    type filter hook input priority filter
    policy drop

    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"
    tcp dport ssh accept comment "allow sshd"
    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    counter
  }
  chain forward {
    type filter hook forward priority filter
    policy drop
  }
}
```

I started and enabled it and rebooted, and on reboot I am greeted with my ip route having been deleted. Not only that, NetworkManager no longer works and just hangs when I try to bring the wifi connection up manually with

```shell
nmcli connection up wifi-connection
```

I stopped and disabled nftables, reinstated ufw and rebooted; however, whatever nftables has done has remained and the above problems persist even though it isn't running. The route is still empty and I would have no idea how to reinstate that, as NetworkManager did that for me.
Here is the output from `sudo systemctl status NetworkManager --no-pager -l`:

```text
Jun 09 06:56:06 machine NetworkManager[393]: <info> [1717916166.9942] device (wlp0s21f0u7i2): supplicant interface state: disconnected -> scanning
Jun 09 06:56:32 machine NetworkManager[393]: <warn> [1717916192.6952] device (wlp0s21f0u7i2): Activation: (wifi) association took too long, failing activation
Jun 09 06:56:32 machine NetworkManager[393]: <info> [1717916192.6953] device (wlp0s21f0u7i2): state change: config -> failed (reason 'ssid-not-found', sys-iface-state: 'managed')
Jun 09 06:56:32 machine NetworkManager[393]: <info> [1717916192.6961] manager: NetworkManager state is now DISCONNECTED
Jun 09 06:56:32 machine NetworkManager[393]: <warn> [1717916192.6968] device (wlp0s21f0u7i2): Activation: failed for connection 'wifi-connection'
Jun 09 06:56:32 machine NetworkManager[393]: <info> [1717916192.6976] device (wlp0s21f0u7i2): state change: failed -> disconnected (reason 'none', sys-iface-state: 'managed')
Jun 09 06:56:32 machine NetworkManager[393]: <info> [1717916192.7443] device (wlp0s21f0u7i2): set-hw-addr: set MAC address to xx:xx:xx:xx:xx:xx (scanning)
Jun 09 06:56:32 machine NetworkManager[393]: <info> [1717916192.7497] device (wlp0s21f0u7i2): supplicant interface state: scanning -> disconnected
```

Please advise how 1.) I get wifi/NetworkManager working again, and only then 2.) perhaps how to get a default nftables up and running the same as ufw was, to then see if the original issue I was trying to test is resolved by using nftables instead of ufw. The only settings I have for ufw are the basic default deny as per the ArchWiki basic setup.
EDIT: nmcli doesn't hang actually, but returns the error after some time:

```shell
$ nmcli connection up wifi-connection
Error: Connection activation failed: The Wi-Fi network could not be found
Hint: use 'journalctl -xe NM_CONNECTION=aa630334-17b8-4b3a-abe6-8822e944b100 + NM_DEVICE=wlp0s21f0u7i2' to get more details.
```

The journalctl command indicated in the message seemed to just give the same output as the systemctl status command I already posted above.
EDIT2: Ok, nftables has somehow mucked up my ability even to ping 8.8.8.8, and even the local network at 192.168.1.1. This is even after having uninstalled it. How could it have mucked all that up?
I have a second, USB wifi device which I plugged in and was able to connect with NetworkManager, but when pinging, the host could not be reached, even for 192.xxx addresses. I have no idea what has changed. I noticed that for this connection the familiar routing is back in ip route, but nothing gets through when pinging.
However, and this is how I am able to post this now, the mobile wifi dongle still connects normally via ppp. I notice in ip route for this connection that the IP block is much different, starting with 10.xx...., so I guess somehow nftables has cocked up something which is still causing 192-related routes to be blocked? Any ideas how to find out where the issue may lie?
I have not experienced before a case where changes made by a program persist after having deleted it. Well, apart from the odd case of /etc/resolv.conf changes, which I also checked; but besides that, even with no name resolution involved, IP-only addresses still wouldn't ping either, and indeed local ones too.
EDIT3: Ok, I don't know how, but it is working again. I didn't change any config files. I stopped for a break, had a bite, came back, tried to scan for connections again with nmcli, and now suddenly it worked and showed SSIDs. Made a new profile and it's working again.
I would however still like to know how to set up nftables with a basic default-deny config equivalent to ufw, in order to test running that in place of ufw and try running libvirt again, so suggestions are welcome for that issue. Of course without it breaking my networking again, and what might have caused it/how to avoid it.
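A ruleset audit in Python, added here as an example and not taken from the thread or from the nftables project: it parses the stock config quoted above (embedded as a constructed sample; `nft list ruleset` prints the same syntax) and reports which traffic the input hook lets in and which hooks are closed outright. The nftables rule it encodes is that a packet must be accepted by every base chain bound to a hook, so the forward chain's `policy drop` stands even when another table (one installed by a VM manager, say) accepts bridged guest traffic; the function names and the output wording are this example's own.

```python
import re
# Constructed sample: the stock Arch /etc/nftables.conf quoted in the post above.
SAMPLE_RULESET = """table inet filter {
  chain input {
    type filter hook input priority filter
    policy drop
    ct state invalid drop comment "early drop of invalid connections"
    ct state {established, related} accept comment "allow tracked connections"
    iifname lo accept comment "allow from loopback"
    ip protocol icmp accept comment "allow icmp"
    meta l4proto ipv6-icmp accept comment "allow icmp v6"
    tcp dport ssh accept comment "allow sshd"
    pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
    counter
  }
  chain forward {
    type filter hook forward priority filter
    policy drop
  }
}"""

def parse_ruleset(text):
    """nft syntax (conf file or `nft list ruleset`) -> {table: {chain: {hook, policy, rules}}}."""
    tables, table, chain = {}, None, None
    for raw in text.splitlines():
        line = re.sub(r'\s*comment\s+"[^"]*"', "", raw.split("#", 1)[0]).strip()
        if m := re.match(r"table\s+(\w+)\s+(\w+)\s*\{", line):
            table = tables[m[1] + " " + m[2]] = {}
        elif m := re.match(r"chain\s+(\w+)\s*\{", line):
            chain = table[m[1]] = {"hook": None, "policy": "accept", "rules": []}
        elif line == "}":  # closes the chain first, then the table
            chain, table = (None, table) if chain is not None else (None, None)
        elif m := re.match(r"type\s+\w+\s+hook\s+(\w+)\s+priority", line):
            chain["hook"] = m[1]
        elif m := re.match(r"policy\s+(\w+)$", line):
            chain["policy"] = m[1]
        elif line and chain is not None:  # an ordinary rule statement
            chain["rules"].append(line)
    return tables

def accepted_on_input(tables):
    """Match expressions that get past the input hook; everything else meets the policy."""
    return [r[:-7] for chs in tables.values() for c in chs.values()
            if c["hook"] == "input" for r in c["rules"] if r.endswith(" accept")]

def findings(tables):
    """Base chains with policy drop and no accept rule: a drop there is final for that hook."""
    return [f"{ch['hook']} hook: '{t} {c}' drops everything, no accept rule"
            for t, chs in tables.items() for c, ch in chs.items()
            if ch["hook"] and ch["policy"] == "drop" and not any(r.endswith(" accept") for r in ch["rules"])]
```

Run it against `nft list ruleset` output after enabling the service to see exactly what the loaded ruleset permits, rather than what the config file was expected to do.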