The nftables systemd service fails to load rules at boot because it lacks explicit instruction on which rule set to load, defaulting to an empty configuration.
This means that even if you’ve meticulously crafted your firewall rules in /etc/nftables.conf (or a similar location), the nftables.service unit doesn’t know to apply them. When the service starts, it sees no rules loaded and dutifully exits, leaving your system unprotected or with an unexpected firewall state.
Here’s a breakdown of the common causes and their solutions:
Cause 1: Missing or Incorrect nftables.conf Location
The most frequent culprit is that nftables simply can’t find your rules file. By default, it looks for nftables.conf in specific directories, but if yours is elsewhere, or if the file itself is malformed, it won’t load.
Diagnosis:
Check the system journal for nftables.service logs:
sudo journalctl -u nftables.service
Look for messages indicating "file not found" or parsing errors related to configuration files.
Fix:
Ensure your nftables.conf is in a standard location, typically /etc/nftables.conf. If you’ve placed it elsewhere, you need to tell nftables where to find it. This is done by creating a symbolic link or by modifying the nftables.service unit file itself.
Option A (Symbolic Link):
If your rules are in /etc/firewall/myrules.nft:
sudo ln -s /etc/firewall/myrules.nft /etc/nftables.conf
This makes nftables see your custom file as the default.
Option B (Modify Systemd Unit):
Edit the nftables.service file:
sudo systemctl edit nftables.service
Add the following override (the empty ExecStart= line clears the unit's original command so that yours replaces it instead of running in addition to it):
[Service]
ExecStart=
ExecStart=/usr/sbin/nft -f /etc/firewall/myrules.nft
This directly tells the service to load your specific file.
Why it works: The nft command that the service runs needs an explicit path to the configuration file. By providing it either via a symlink or by overriding the service’s ExecStart command, you ensure it knows where to find and apply your rules.
Cause 2: Syntax Errors in nftables.conf
Even if the file is in the right place, a single typo or incorrect syntax will prevent nftables from loading the entire configuration. nftables is strict about its syntax.
Diagnosis:
Manually test your nftables.conf file:
sudo nft -c -f /etc/nftables.conf
The -c flag checks the syntax without applying the rules. If there are errors, nft will report them with line numbers.
Fix: Carefully review the output of the syntax check. Correct any reported errors. Common mistakes include missing semicolons, incorrect keyword spelling, or mismatched braces. For example, a table definition might look like this:
table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
}
If you omitted the semicolon after policy accept, the syntax check would fail.
Why it works: The nft -c command acts as a linter for your firewall rules. By fixing the identified syntax errors, you ensure the configuration file is parseable by nft, allowing it to load.
Cause 3: nftables.service Not Enabled
The service might be installed but not configured to start automatically at boot.
Diagnosis:
Check the status of the nftables.service:
sudo systemctl status nftables.service
Look for "disabled" in the output.
Fix: Enable the service to start on boot:
sudo systemctl enable nftables.service
Then, start it immediately:
sudo systemctl start nftables.service
Why it works: systemctl enable creates the necessary symlinks so that the systemd init system starts the service during the boot process. systemctl start applies the rules immediately.
Cause 4: Kernel Module Not Loaded
nftables relies on kernel modules for its functionality. If these modules aren’t loaded, nftables won’t be able to operate.
Diagnosis:
Check if the necessary nf_tables module is loaded:
lsmod | grep nf_tables
If you don’t see nf_tables in the output, it’s not loaded.
Fix: Load the module manually:
sudo modprobe nf_tables
To ensure it loads at boot, create a configuration file in /etc/modules-load.d/:
echo "nf_tables" | sudo tee /etc/modules-load.d/nftables.conf
Why it works: The nf_tables kernel module provides the core packet filtering and manipulation capabilities that the nftables userspace tools interact with. Loading it makes these kernel features available.
Cause 5: Conflicts with iptables
If iptables is still active and managing rules, it can interfere with nftables. nftables is the successor to iptables, and while they can coexist, it’s often cleaner to use one or the other. If you’ve recently migrated, remnants of iptables might be causing issues.
Diagnosis:
Check if iptables services are running:
sudo systemctl status iptables
sudo systemctl status ip6tables
Also, check if iptables rules are loaded:
sudo iptables -S
Fix:
If you intend to use nftables exclusively, disable and stop any active iptables services:
sudo systemctl stop iptables
sudo systemctl disable iptables
sudo systemctl stop ip6tables
sudo systemctl disable ip6tables
You might also need to flush any existing iptables rules:
sudo iptables -F
sudo ip6tables -F
Note: Be extremely cautious when flushing rules. Ensure you have a plan to immediately apply your nftables rules.
Why it works: iptables and nftables operate on different kernel hooks and mechanisms. Running both simultaneously can lead to unpredictable behavior or one system overwriting the other’s rules. Disabling iptables ensures nftables has a clear path to manage the firewall.
Cause 6: Incorrect Permissions on nftables.conf
The nftables.service runs as root. If the configuration file has restrictive permissions, the service might not be able to read it.
Diagnosis:
Check the permissions of your nftables.conf file:
ls -l /etc/nftables.conf
The file should be readable by the root user.
Fix: Ensure the owner is root and it’s readable:
sudo chown root:root /etc/nftables.conf
sudo chmod 644 /etc/nftables.conf
Why it works: The nftables.service process runs with root privileges, but if the file permissions are set too restrictively (e.g., only readable by a specific user that isn’t root), the service will fail to access it. 644 (owner read/write, group read, others read) is a standard safe permission.
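A pre-flight script that automates the six diagnoses above, added here as an example; it is not code from the original page or from the nftables project. It assumes Debian-style defaults (/etc/nftables.conf, nftables.service), GNU stat and /proc/modules; the function names and the NFT_CONF variable are my own.

```sh
#!/bin/sh
# Added pre-flight checker for nftables.service; not code from the original page.
# Assumes Debian-style defaults (/etc/nftables.conf), GNU stat and /proc/modules;
# override the rules file with NFT_CONF=/path. Each check maps to one cause above.
CONF="${NFT_CONF:-/etc/nftables.conf}"
# Causes 1 and 6: the file (or symlink target) must exist and be readable.
conf_readable() {
    [ -f "$1" ] && [ -r "$1" ]
}
# Cause 6: accept only root-readable modes that are not group/world-writable.
conf_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in 644|640|600|444|440|400) return 0 ;; esac
    return 1
}
# Cause 2: dry-run parse. Returns 0 = ok, 1 = syntax error, 2 = nft not installed.
conf_syntax_ok() {
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f "$1" >/dev/null 2>&1
}
# Cause 4: /proc/modules on stdin, one "name size refcount ..." entry per line.
module_loaded() {
    grep -q "^$1 "
}
# Cause 5: iptables -S output on stdin. "-P" lines are only chain policies;
# "-A"/"-N" lines mean iptables rules or user chains are still loaded.
iptables_has_rules() {
    grep -Eq '^-(A|N) '
}
# Cause 3.
service_enabled() {
    [ "$(systemctl is-enabled "$1" 2>/dev/null)" = enabled ]
}
nft_preflight() {
    rc=0
    conf_readable "$CONF" || { echo "FAIL: $CONF missing or unreadable (cause 1/6)"; rc=1; }
    conf_mode_ok "$CONF" || echo "WARN: unusual mode on $CONF, expected 644 (cause 6)"
    st=0; conf_syntax_ok "$CONF" || st=$?
    [ "$st" -eq 1 ] && { echo "FAIL: syntax error, see: nft -c -f $CONF (cause 2)"; rc=1; }
    [ "$st" -eq 2 ] && echo "WARN: nft binary not found"
    service_enabled nftables.service || echo "WARN: nftables.service not enabled (cause 3)"
    module_loaded nf_tables </proc/modules || echo "WARN: nf_tables not loaded (cause 4)"
    if command -v iptables >/dev/null 2>&1 && iptables -S 2>/dev/null | iptables_has_rules; then
        echo "WARN: iptables rules are still loaded (cause 5)"
    fi
    return "$rc"
}
# Run all checks only when invoked as: sh nft-preflight.sh run
case "${1:-}" in run) nft_preflight ;; esac
```

Run it as root before enabling the service; a FAIL line means the unit will not load your rules, a WARN line points at a cause worth checking by hand.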
After addressing these, the next error you’ll likely encounter is the system complaining about missing network interfaces or missing ipsets if your nftables.conf references them but they haven’t been created or loaded yet.