
Install a new Cpanel on Almalinux 9 nftables error


  • cPRex Jurassic Moderator

    Hey there!  Are you saying those error messages were inside the configuration file itself?  That's odd, as something must have accidentally added them to the configuration file.

    On a default installation on AlmaLinux 9, I see the following entries inside /etc/sysconfig/nftables.conf:

    table inet filter {
            chain INPUT {
                    type filter hook input priority filter; policy accept;
                    counter packets 0 bytes 0 jump cPanel-HostAccessControl
                    counter packets 0 bytes 0 jump cP-Firewall-1-INPUT
            }

            chain FORWARD {
                    type filter hook forward priority filter; policy accept;
                    counter packets 0 bytes 0 jump cPanel-HostAccessControl
                    counter packets 0 bytes 0 jump cP-Firewall-1-INPUT
            }

            chain OUTPUT {
                    type filter hook output priority filter; policy accept;
            }

            chain cPanel-HostAccessControl {
            }

            chain cP-Firewall-1-INPUT {
                    ct state new tcp dport 21 counter packets 0 bytes 0 accept
                    ct state new tcp dport 22 counter packets 0 bytes 0 accept
                    ct state new tcp dport 25 counter packets 0 bytes 0 accept
                    ct state new tcp dport 26 counter packets 0 bytes 0 accept
                    ct state new tcp dport 53 counter packets 0 bytes 0 accept
                    ct state new tcp dport 80 counter packets 0 bytes 0 accept
                    ct state new tcp dport 110 counter packets 0 bytes 0 accept
                    ct state new tcp dport 143 counter packets 0 bytes 0 accept
                    ct state new tcp dport 443 counter packets 0 bytes 0 accept
                    ct state new tcp dport 465 counter packets 0 bytes 0 accept
                    ct state new tcp dport 579 counter packets 0 bytes 0 accept
                    ct state new tcp dport 587 counter packets 0 bytes 0 accept
                    ct state new tcp dport 993 counter packets 0 bytes 0 accept
                    ct state new tcp dport 995 counter packets 0 bytes 0 accept
                    ct state new tcp dport 2077 counter packets 0 bytes 0 accept
                    ct state new tcp dport 2078 counter packets 0 bytes 0 accept
                    ct state new tcp dport 2082 counter packets 0 bytes 0 accept
                    ct state new tcp dport 2083 counter packets 0 bytes 0 accept
                    ct state new tcp dport 2086 counter packets 0 bytes 0 accept
                    ct state new tcp dport 2087 counter packets 0 bytes 0 accept
                    ct state new tcp dport 2091 counter packets 0 bytes 0 accept
                    ct state new tcp dport 2095 counter packets 0 bytes 0 accept
                    ct state new tcp dport 2096 counter packets 0 bytes 0 accept
                    ct state new tcp dport 3306 counter packets 0 bytes 0 accept
                    ct state new tcp dport 8080 counter packets 0 bytes 0 accept
                    ct state new tcp dport 8443 counter packets 0 bytes 0 accept
                    ct state new tcp dport 49152-65534 counter packets 0 bytes 0 accept
                    ct state new udp dport 53 counter packets 0 bytes 0 accept
            }
    }
    0
  • AmedeoSca

    Hi

    Yes, inside the configuration file, the installation of Almalinux 9 was clean without any packages added, I installed Cpanel twice and both times I had the same problem.

    0
  • cPRex Jurassic Moderator

    Could you create a ticket with our team so we can check out your environment?

    0
  • AmedeoSca

    OK done

    0
  • cPRex Jurassic Moderator

    Can you post the ticket number here so I can follow along?

    0
  • AmedeoSca

    #95202081

    0
  • cPRex Jurassic Moderator

    Thanks for that - I'm following along on my end now.

    0
  • Danpol Limited

    I have a similar issue:

    1. Run Security Advisor, and it shows me to click on Add KernelCare’s Free Symlink Protection, which leads to execution of '/scripts13/add_kernelcare_free_symlink_protection'.

    2. When I click on it, nftables goes down and the host access table stops working, which leads to quite a security issue.

    Job for nftables.service failed because the control process exited with error code.
    See "systemctl status nftables.service" and "journalctl -xe" for details.
    [root@ss ~]# service nftables status
    Redirecting to /bin/systemctl status nftables.service
    ● nftables.service - Netfilter Tables
       Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Tue 2024-03-05 19:38:54 GMT; 4s ago
         Docs: man:nft(8)
      Process: 147584 ExecStop=/sbin/nft flush ruleset (code=exited, status=0/SUCCESS)
      Process: 147586 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=1/FAILURE)
     Main PID: 147586 (code=exited, status=1/FAILURE)

    Mar 05 19:38:54 nft[147586]:        ^
    Mar 05 19:38:54 nft[147586]: /etc/sysconfig/nftables.conf:3:8-8: Error: syntax error, unexpected colon, expecting string
    Mar 05 19:38:54 nft[147586]: Warning: Extension owner is not supported, missing kernel module?
    Mar 05 19:38:54 nft[147586]:        ^
    Mar 05 19:38:54 nft[147586]: /etc/sysconfig/nftables.conf:4:8-8: Error: syntax error, unexpected colon, expecting string
    Mar 05 19:38:54 nft[147586]: Warning: Extension owner is not supported, missing kernel module?
    Mar 05 19:38:54 nft[147586]:        ^
    Mar 05 19:38:54 systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
    Mar 05 19:38:54 systemd[1]: nftables.service: Failed with result 'exit-code'.
    Mar 05 19:38:54 systemd[1]: Failed to start Netfilter Tables.

    So I go to /etc/sysconfig/nftables.conf as advised and remove the bad syntax that appears in the first 4 lines:

    Warning: Extension owner is not supported, missing kernel module?
    Warning: Extension owner is not supported, missing kernel module?
    Warning: Extension owner is not supported, missing kernel module?
    Warning: Extension owner is not supported, missing kernel module?

    Once this is done, save the file and restart nft (service nftables restart), and all is back to normal, but the Advisor warning:

    Add KernelCare’s Free Symlink Protection.

    This free patch set protects your system from symlink attacks. Add KernelCare’s Free Patch Set. Add KernelCare’s Free Symlink Protection. NOTE: This is not the full KernelCare product and service.

    You can protect against this in multiple ways. Please review the following documentation to find a solution that is suited to your needs.

    comes back again. System OS: AlmaLinux v8.9.0 STANDARD standard, cPanel Version 118.0.2. I had bought Kernel Care in the past, but for some reason I haven't been able to renew it, so I fall back to the free version containing the symlink protection that cPanel offers to Almas, so I set kcarectl --set-patch-type edf and checked other files for syntax; all looks fine to me. I went back to trace why the script is causing this, so I searched for the add_kernelcare_free_symlink_protection script in usr/local/cpanel/scripts but couldn't find it.

    For now abandoned the quest.

    0
  • cPRex Jurassic Moderator

    Danpol Limited - could you submit a ticket so we can check this out?

    0
  • Danpol Limited

    Yeah well, I don't need any assistance. Just assimilate the issue. The system is freaking out when trying the paid repo replaced with the free one. For me, falling back is a matter of remove kcare / reinstall kcare / restart the machine, which I can't do right at this very moment, as the matrix is encrypted and I need to be physically there when it is booting.

    Warning: Extension owner is not supported, missing kernel module?

    A syntax error written into a file where it shall not be written is a different story, and I thought you could explain this.

    0
  • tom9909

    cPRex I just hit this same issue. It seems that after running the Security Advisor in CloudLinux9, the nftables.conf file has Warning: Extension owner is not supported, missing kernel module? added at the top, and it takes down the service.

    Removing the lines and saving does allow the service to become active.

    0
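
The manual fix described in the comments above (deleting the stray `Warning:` lines from /etc/sysconfig/nftables.conf), as an added example that is not part of the thread and not cPanel code. The function names, the `.bak` suffix and the constructed sample file are assumptions; the syntax check defaults to `nft -c -f`, a dry-run parse that loads nothing into the kernel.

```shell
#!/usr/bin/env bash
# Added example, not cPanel code. The pattern matches the stray line shown in this thread.
STRAY_RE='^[[:space:]]*Warning: '

# Print "lineno:text" for captured tool output in ruleset file $1 (exit 1 if none).
find_stray_lines() {
    grep -nE "$STRAY_RE" "$1"
}

# Remove stray lines from $1, but only if the cleaned ruleset passes a syntax check.
# Extra arguments override the checker command (default: nft -c -f).
# Returns 0 = repaired, 1 = nothing to do, 2 = cleaned file still invalid (original kept).
repair_ruleset() {
    conf=$1; shift
    [ "$#" -gt 0 ] || set -- nft -c -f
    find_stray_lines "$conf" >/dev/null || return 1
    tmp=$(mktemp "${conf}.XXXXXX") || return 2
    sed -E "/$STRAY_RE/d" "$conf" > "$tmp"
    if ! "$@" "$tmp"; then
        rm -f "$tmp"                 # do not touch the original on a failed check
        return 2
    fi
    cp -p "$conf" "${conf}.bak"      # keep the broken file as evidence for a ticket
    cat "$tmp" > "$conf"             # rewrite in place: keeps owner, mode, SELinux label
    rm -f "$tmp"
    return 0
}

# Constructed sample mirroring the thread: warnings at the top, then the ruleset.
write_sample() {
    cat > "$1" <<'EOF'
Warning: Extension owner is not supported, missing kernel module?
Warning: Extension owner is not supported, missing kernel module?
table inet filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
        }
}
EOF
}
```

On a real host, run as root: `repair_ruleset /etc/sysconfig/nftables.conf && systemctl restart nftables`. Because the failed unit start in the log above comes after `nft flush ruleset` has already succeeded, the host has no rules loaded until the restart completes.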
  • tom9909

    cPRex - Hmm, I'm running CSF and not sure that I want to disable it.

    I'd hazard a guess and say that the only circumstance where this issue occurs is when running the advisor? I'll just note to not go into it until the dev team can come up with a permanent solution that doesn't require the removal/disable of CSF.

    1
