iptables/1.8.2 Failed to initialize nft: Protocol not supported

I'm having a problem using iptables on my Raspberry Pi.
I've just downloaded a fresh version of Raspbian Lite on my Pi and all I'm trying to do is check my iptables rules, but it's not working and I'm getting this error:
>> iptables -L
iptables/1.8.2 Failed to initialize nft: Protocol not supported
I don't know what to do. Could I go back to an older version of iptables or something?
Bear in mind I'm a real beginner in the IT world.


Solution 1:

The solution is here: You need to reboot after a kernel upgrade. The easiest way is of course:

# as root
reboot

Solution 2:

Raspbian certainly followed its Debian upstream there: by default the newer iptables userland tools are using the nftables kernel API instead of the "legacy" iptables kernel API, as told here:

Current status

NOTE: Debian Buster uses the nftables framework by default.

Starting with Debian Buster, nf_tables is the default backend when using iptables, by means of the iptables-nft layer (i.e., using iptables syntax with the nf_tables kernel subsystem). This also affects ip6tables, arptables and ebtables.

nftables is aiming at completely replacing iptables with extended features, but has a quite different implementation. A compatibility layer will be kept anyway, mostly in the userland tools, but partially in the kernel. This is in addition to the usual iptables "legacy" layer which will still be in the kernel for a long time.

The newer version of iptables is using this compatibility layer. This can be easily verified by running (as root) iptables -V. Result will most certainly be:

# iptables -V
iptables v1.8.2 (nf_tables)

While the legacy version is still shipped:

# iptables-legacy -V
iptables v1.8.2 (legacy)

At the same time I guess your kernel doesn't support nftables for whatever reason.

So you can:

  • get support for nftables in the kernel (and probably also at least NFT_COMPAT). Might require recompiling it or upgrading it in case you kept an older one. If this task requires too much effort, you can use the other alternative,

  • or use the legacy version of iptables, which will use the usual iptables kernel API. The previous link explains how to do it. As root user do (at least for iptables and ip6tables, and maybe for ebtables and arptables if installed):

    Switching to the legacy version:

    # update-alternatives --set iptables /usr/sbin/iptables-legacy
    # update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
    # update-alternatives --set arptables /usr/sbin/arptables-legacy
    # update-alternatives --set ebtables /usr/sbin/ebtables-legacy
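
A way to tell the two solutions apart before changing anything, as an added example that is not part of either answer. The function names are hypothetical, and it assumes the reboot case shows up as a missing /lib/modules/<running release> directory after the kernel package was replaced.

```shell
#!/bin/sh
# Added example (not from the original answers). Helper names are hypothetical.

# backend_of "<iptables -V output>" -> nf_tables | legacy | unknown
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# diagnose "<iptables -V output>" <running kernel release> <modules root>
# Prints one token naming the most likely cause of the nft error.
diagnose() {
    backend=$(backend_of "$1")
    if [ "$backend" != nf_tables ]; then
        # Only the nf_tables backend can fail to initialize nft.
        echo "not-nft-backend"
    elif [ ! -d "$3/$2" ]; then
        # Assumption: the kernel package was upgraded and the running
        # kernel's module tree is gone, so nf_tables cannot be loaded
        # until the new kernel is booted (Solution 1).
        echo "reboot-needed"
    elif find "$3/$2" -name 'nf_tables.ko*' | grep -q .; then
        # The module is shipped for this kernel; loading it is the next check.
        echo "nf_tables-module-present"
    else
        # No loadable nf_tables module for this kernel; if it is not
        # built in either, Solution 2 applies.
        echo "no-nf_tables-module"
    fi
}

# Live use on the affected host: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    diagnose "$(iptables -V 2>&1)" "$(uname -r)" /lib/modules
fi
```

After switching with update-alternatives, rules loaded through one backend are not listed by the other, so confirm the firewall state with both iptables-legacy -S and iptables-nft -S.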