Symptoms
On servers using AlmaLinux 9 and CloudLinux 9, attempting to start the `nftables` service fails with an error similar to the following:
Error: unsupported xtables compat expression, use iptables-nft with this ruleset
This causes the stored firewall rules to not be loaded into the firewall.
Description
Some firewall rules are still added via the `iptables` command and are converted to the new `nftables` format by the compatibility layer provided by the `iptables-nft` package that is installed on AlmaLinux 9. However, some of the rules generated this way use xtables compat expressions that `nft` can print but cannot parse again, so they cannot be reloaded by the `nftables` service once they are stored in its configuration file.
We've opened an internal case for our development team to investigate this further. For reference, the case number is CPANEL-46555. Follow this article to receive an email notification when a solution is published in the product.
Workaround
The default cPanel Firewall Rules are not impacted by this issue; however, some features provided by cPanel, such as the SMTP Restrictions, as well as other firewalls such as CSF and Imunify360, may add these additional rules to the stored configuration. That said, all of these firewalls and services restore their own rules when they restart, so those rules do not need to be listed in the default NFTables configuration. As such, a minimal set of firewall rules can be stored in the NFTables configuration to allow the service to start successfully.
To regenerate a default NFTables configuration, please follow these steps.
1. Any external firewall services must first be stopped on the server.
1a. For Imunify360:
systemctl stop imunify360
1b. For CSF:
csf -x
2. Move aside the currently stored firewall rules (the backup file name below is only a suggestion):
mv /etc/sysconfig/nftables.conf /etc/sysconfig/nftables.conf.bak
3. Flush the current firewall:
nft flush ruleset
4. Rebuild the default cPanel firewall configuration:
/scripts/configure_firewall_for_cpanel
5. Export the current firewall configuration to the default location:
nft list ruleset > /etc/sysconfig/nftables.conf
6. Restart any external firewall services that are installed.
6a. For Imunify360:
systemctl restart imunify360
6b. For CSF:
csf -e
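As an added pre-flight check (example code, not part of this article or of cPanel's own scripts), the script below inspects a stored ruleset for the `xt match` / `xt target` compat expressions that recent `nft` versions print for iptables-nft rules, and, when `nft` is available, dry-runs the file with `nft -c -f` so a broken configuration is caught before the service is restarted. The default path, the match pattern and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not cPanel's own code): pre-flight check of the stored
# nftables ruleset before restarting the nftables service.
# Assumption: iptables-nft generated rules appear in `nft list ruleset`
# output as "xt match ..." / "xt target ..." expressions, which the
# nftables service refuses to reload from a configuration file.

CONF="${1:-/etc/sysconfig/nftables.conf}"

# Print (with line numbers) every line of the stored ruleset that uses an
# xtables compat expression. Exit status 0 if any were found, 1 if clean.
list_xt_compat() {
    grep -nE '(^|[[:space:]])xt (match|target)([[:space:]]|$)' "$1"
}

# Whole-file verdict: 0 when the file contains compat expressions.
has_xt_compat() {
    list_xt_compat "$1" >/dev/null 2>&1
}

# Parse the stored ruleset with `nft -c` (check only, nothing is applied).
# Skipped, with a notice, on hosts where nft is not installed.
dry_run_check() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping dry run of $1" >&2
        return 0
    fi
}

main() {
    if has_xt_compat "$CONF"; then
        echo "Stored ruleset $CONF contains xtables compat expressions:" >&2
        list_xt_compat "$CONF" >&2
        echo "Regenerate it with the steps above before restarting nftables." >&2
        return 1
    fi
    dry_run_check "$CONF"
}

# Only run when the configuration file exists, so the functions can also be
# sourced from another script without side effects.
[ -r "$CONF" ] && main
```

A non-zero exit means the stored file would fail to load; the offending lines are printed so you can see which service added them.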
For direct assistance with the above steps, and to ensure full compatibility with your server, it is recommended to discuss these steps with your System Administrator.