iptables/1.8.2 Failed to initialize nft: Protocol not supported

iptables raspberry-pi raspbian

I'm having a problem using iptables on my Raspberry PI.
I've just downloaded a fresh version of Raspbian Lite on my PI and all I'm trying to do is check my iptables rules but it's not working and I'm getting this error:
>> iptables -L
iptables/1.8.2 Failed to initialize nft: Protocol not supported
I don't know what to do? could I go back to an older version of iptables or something?
Bare in mind I'm a real beginner in the IT world.


Solution 1:

The solution is here: You need to reboot after a kernel upgrade. The easiest way is of course:

# as root
reboot

Solution 2:

Raspbian certainly followed its Debian upstream there: by default the newer iptables userland tools are using the nftables kernel API instead of the "legacy" iptables kernel API, as told here:

Current status

NOTE: Debian Buster uses the nftables framework by default.

Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e, using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.

nftables is aiming at completely replacing iptables with extended features, but has a quite different implementation. A compatibility layer will be kept anyway, mostly in the userland tools, but partially in the kernel. This is in addition of the usual iptables "legacy" layer which will still be in the kernel for a long time.

The newer version of iptables is using this compatibility layer. This can be easily verified by running (as root) iptables -V. Result will most certainly be:

# iptables -V
iptables v1.8.2 (nf_tables)

While the legacy version is still shipped:

# iptables-legacy -V
iptables v1.8.2 (legacy)

At the same time I guess your kernel doesn't support nftables for whatever reason.

So you can:

  • get support for nftables in the kernel (and probably also at least NFT_COMPAT). Might require recompiling it or upgrading it in case you kept an older one. If this task requires too much effort, you can use the other alternative,

  • or use legacy version of iptables which will use the usual iptables kernel API. The previous link explains how to do it. As root user do (at least for iptables and ip6tables, and maybe for ebtables and arptables if installed):

    Switching to the legacy version:

    # update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy

Related

Gigabit Ethernet full-duplex is actually 2Gbit/sec counting both ways?
Search for email containg attachment of specific file type
Will lsusb and lspci list devices for which the system has no drivers?
How to reinstall the host-only network adapter in VMware 7
ModuleNotFoundError: No module named 'kivymd.stiffscroll'
What is the differences between MODE_IN_CALL, MODE_IN_COMMUNICATION, MODE_CALL_SCREENING?
Load spark bucketed table from disk previously written via saveAsTable
SIMD instructions lowering CPU frequency
ggplot2 0.9.0 automatically dropping unused factor levels from plot legend?
question on GWT, Cookies and webpage directing
Bluetooth pairing without user confirmation
Enable rear camera with HTML5