nftables service won't start
Hi Everyone
2x Brand new builds of cPanel
one AlmaLinux 9 / Cloudlinux, the other AlmaLinux 10 / Cloudlinux
The nftables service fails to start on both, error as per below.

I've tried rebuilding the config with /usr/local/cpanel/scripts/configure_firewall_for_cpanel but it just generates the exact same configuration. The error reads like I've got the wrong package installed.
The full error:
May 06 19:22:32 <REDACTED> kernel: Warning: Deprecated Driver is detected: nft_compat will not be maintained in a future major release and may be disabled
May 06 19:22:32 <REDACTED> kernel: Warning: Deprecated Driver is detected: nft_compat_module_init will not be maintained in a future major release and may be disabled
May 06 20:20:52 <REDACTED> nft[7854]: /etc/sysconfig/nftables.conf:18:72-91: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
May 06 20:20:52 <REDACTED> nft[7854]: ip protocol tcp tcp dport { 25, 465, 587 } counter packets 0 bytes 0 xt target "REDIRECT"
May 06 20:20:52 <REDACTED> nft[7854]: ^^^^^^^^^^^^^^^^^^^^
May 06 20:20:52 <REDACTED> systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
May 06 20:20:52 <REDACTED> systemd[1]: nftables.service: Failed with result 'exit-code'.
The relevant part of the /etc/sysconfig/nftables.conf:
chain OUTPUT {
type nat hook output priority dstnat; policy accept;
ip protocol tcp tcp dport { 25, 465, 587 } skgid 996 counter packets 0 bytes 0 return
ip protocol tcp tcp dport { 25, 465, 587 } skgid 12 counter packets 0 bytes 0 return
ip daddr 127.0.0.1 ip protocol tcp tcp dport { 25, 465, 587 } skuid 995 counter packets 0 bytes 0 return
ip protocol tcp tcp dport { 25, 465, 587 } skuid 0 counter packets 8 bytes 480 return
ip protocol tcp tcp dport { 25, 465, 587 } counter packets 0 bytes 0 xt target "REDIRECT"
}
I'm not running CSF or Immunify360.
That fix worked, just steps 2-5 as the above mentioned software isn't installed or running.
You really need to check the Security Advisor. It failed to detect the firewall wasn't running; it actually gave me green ticks. Firewall down in 2026 is a big red banner & email notifications type of issue.
0 -
Hey hey! I have some ideas on this but I'm reaching out to the firewall team to confirm before I share them here. I'll post as soon as I know more!
0 -
The first issue with the errors is a known issue that we're tracking with case CPANEL-46555 - we actually have a fix available and it's currently in the testing phase, so I'm hoping this gets resolved shortly. I've linked this thread to the case so I'll be sure to post once it is resolved.
As far as the Security Advisor issue, I don't believe there is currently a mechanism for a real-time email if it detects a service is offline. That's something that would typically be handled through the Service Manager page in WHM, but since cPanel hasn't traditionally supported the firewall service, we haven't added that check.
With us taking over CSF and the eventual new tool we're working on as part of https://features.cpanel.net/c/374-built-in-firewall-management, I created case CPANEL-53160 to get iptables/nftables monitoring added to the Service Manager tool. If I hear about that one I'll be sure to post again as well!
0 -
Thanks cprex!
Shields up again today... firewalls are essential now, no doubt about it.
1 -
I too have this issue
Further down the rabbit hole...
Check the service status:
systemctl status nftables
x nftables.service - Netfilter Tables
Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; preset: disabled)
Active: failed (Result: exit-code) since Tue 2026-05-12 03:01:34 BST; 17h ago
Docs: man:nft(8)
Process: 1009 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=1/FAILURE)
Main PID: 1009 (code=exited, status=1/FAILURE)
CPU: 23ms
May 12 03:01:34 ghost01.giga-host.uk systemd[1]: Starting Netfilter Tables...
May 12 03:01:34 ghost01.giga-host.uk nft[1009]: /etc/sysconfig/nftables.conf:35:72-91: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
May 12 03:01:34 ghost01.giga-host.uk nft[1009]: ip protocol tcp tcp dport { 25, 465, 587 } counter packets 0 bytes 0 xt target "REDIRECT"
May 12 03:01:34 ghost01.giga-host.uk nft[1009]: ^^^^^^^^^^^^^^^^^^^^
May 12 03:01:34 ghost01.giga-host.uk systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
May 12 03:01:34 ghost01.giga-host.uk systemd[1]: nftables.service: Failed with result 'exit-code'.
May 12 03:01:34 ghost01.giga-host.uk systemd[1]: Failed to start Netfilter Tables.
Apply the ruleset file:
nft -f /etc/sysconfig/nftables.conf
/etc/sysconfig/nftables.conf:136:72-91: Error: unsupported xtables compat expression, use iptables-nft with this ruleset
ip protocol tcp tcp dport { 25, 465, 587 } counter packets 0 bytes 0 xt target "REDIRECT"
^^^^^^^^^^^^^^^^^^^^
`xt target "REDIRECT"` - is xtables syntax.
"When using modern nftables, "xt target" errors often appear when transitioning from iptables or when a kernel module is missing." - Google AI
If I edit `nano /etc/sysconfig/nftables.conf` and change this one line, as below:
From
ip protocol tcp tcp dport { 25, 465, 587 } counter packets 0 bytes 0 xt target "REDIRECT"
To
ip protocol tcp tcp dport { 25, 465, 587 } counter packets 0 bytes 0 redirect
Fixes the issue and persists after reboot.
So the question is what is adding this rule?
0 -
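The manual edit above, as an added helper script (not from the thread or from cPanel): it lists any remaining xtables-compat expressions in the ruleset, rewrites only the `xt target "REDIRECT"` form into the native `redirect` statement, keeps a backup, and runs `nft -c -f` (parse only, nothing loaded) when nft is installed. It assumes the /etc/sysconfig/nftables.conf path from the thread and plain POSIX grep/sed.

```shell
#!/bin/sh
# Added example, not the thread's or cPanel's own code.
# Finds xtables-compat expressions in an nftables ruleset and converts the
# REDIRECT target seen in this thread to native nft syntax.

# Print every line that still carries an xtables compat expression
# ("xt target" or "xt match"), prefixed with its line number.
# Exit status 0 if at least one is found, 1 otherwise (grep semantics).
find_xt_compat() {
    grep -nE '(^|[[:space:]])xt (target|match) "' "$1"
}

# Rewrite `xt target "REDIRECT"` at the end of a rule into `redirect`.
# Only this one target is translated; any other xt expression is left
# untouched so it can be reviewed by hand. Output goes to stdout.
convert_redirect() {
    sed -E 's/xt target "REDIRECT"[[:space:]]*$/redirect/' "$1"
}

# Convert the file in place with a timestamped backup. If nft is present,
# parse the result with `nft -c -f` and roll back on failure.
fix_ruleset() {
    conf="$1"
    backup="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 1
    convert_redirect "$backup" > "$conf" || return 1
    if command -v nft >/dev/null 2>&1; then
        if ! nft -c -f "$conf"; then
            cp -p "$backup" "$conf"
            echo "syntax check failed, restored $conf from $backup" >&2
            return 1
        fi
    fi
    echo "converted $conf (backup: $backup)"
}

# Usage: sh fix-nft-redirect.sh /etc/sysconfig/nftables.conf
# Without an argument the functions are only defined (for sourcing).
if [ -n "${1:-}" ]; then
    find_xt_compat "$1"
    fix_ruleset "$1"
fi
```

After a successful conversion, `systemctl restart nftables` picks up the corrected file; the remaining question of what regenerates the rule is unchanged.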
CPANEL-46555 is scheduled to be resolved in all versions of 138 once that is released.
Brian Boakes - I don't have a specific answer to your question about what may be adding that rule.
0