DEV Community

Installing nftables from sources on Debian

Isabel Costa
I'm a Software Engineer, from Portugal. I like Open Source, developing products, documentation, collaborating, learning new things, other people's perspectives on the world ...

In this post, I’ll show you how I installed nftables from the sources. I needed to build it from the sources to have the latest version of nftables.

I needed to perform stateless Network Address Translation (NAT), which I first tried to do with iptables, but that didn’t appear to be possible with iptables. So I found nftables, which allows me to do it.

To have the latest version of nftables (at least above v0.7), I installed this tool from the sources. I started by following the installation instructions on the nftables wiki page.

The nftables package dependencies are listed here. These are the main ones:

  • libmnl — the minimalistic Netlink library
  • libnftnl — low level netlink userspace library

First, I tried to install the libmnl package provided by Debian: I searched for it with aptitude search libmnl and then installed libmnl-dev, but that didn’t work for me later on, so I installed libmnl from the sources after installing libnftnl.


To install the libnftnl userspace library, the nftables wiki page suggests these commands:

# git clone git://git.netfilter.org/libnftnl
# cd libnftnl
# sh autogen.sh
# ./configure
# make
# make install

While running these commands, I got the first error (in the third command):

root@debian:/home/debian/libnftnl# sh autogen.sh 
autogen.sh: 3: autogen.sh: autoreconf: not found

Then I installed the missing packages, autogen and autoconf (the autoreconf tool that autogen.sh could not find is part of the autoconf package):

# aptitude install autoconf autogen

Next, I tried the sh autogen.sh step again and got the following error:

root@debian:/home/debian/libnftnl# sh autogen.sh 
configure.ac:28: error: possibly undefined macro: AC_DISABLE_STATIC
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1

After some research, I found that I had to install the libtool package, with aptitude install libtool.

Then I tried again, and got this output:

root@debian:/home/debian/libnftnl# sh autogen.sh 
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build-aux'.
libtoolize: copying file `build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
configure.ac:8: installing 'build-aux/ar-lib'
configure.ac:8: installing 'build-aux/compile'
configure.ac:5: installing 'build-aux/config.guess'
configure.ac:5: installing 'build-aux/config.sub'
configure.ac:10: installing 'build-aux/install-sh'
configure.ac:10: installing 'build-aux/missing'
examples/Makefile.am: installing 'build-aux/depcomp'

Finally, the autogen.sh script worked! At this point, I could move on to the next command, ./configure. Here’s the output I got:

root@debian:/home/debian/libnftnl# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for ar... ar
checking the archiver (ar) interface... ar
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking whether make supports nested variables... yes
checking how to create a pax tar archive... gnutar
checking dependency style of gcc... gcc3
checking whether make supports nested variables... (cached) yes
./configure: line 4135: syntax error near unexpected token `LIBMNL,'
./configure: line 4135: `PKG_CHECK_MODULES(LIBMNL, libmnl >= 1.0.0)'

From this output, I concluded that I was missing the libmnl package, which I installed afterwards, as shown next.


To install the libmnl userspace library correctly from the sources, I ran these commands:

# git clone git://git.netfilter.org/libmnl
# cd libmnl
# sh autogen.sh
# ./configure
# make
# make install

With the packages I had installed earlier, these steps produced no errors.


Going back to the installation of libnftnl, I ran ./configure again and still got the same error. I fixed it by following the instructions in this blog post. Here are the steps I followed:

root@debian:/home/debian/libnftnl# whereis libmnl
libmnl: /usr/local/lib/libmnl.so /usr/local/lib/libmnl.la /usr/include/libmnl

Then I did:

root@debian:/home/debian/libnftnl# ldd /usr/local/lib/libmnl.so
 linux-vdso.so.1 (0x00007ffe5212a000)
 libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007efc29faf000)
 /lib64/ld-linux-x86-64.so.2 (0x000056203c383000)

The post also suggested installing pkg-config with aptitude install pkg-config and the GMP library with aptitude install libgmp3-dev. pkg-config is what actually fixes the ./configure error above: it ships the pkg.m4 file that defines the PKG_CHECK_MODULES macro, and without it autoconf copies the macro call into configure unexpanded, which the shell then reports as a syntax error. There is also a post that shows how to install these packages on other Linux distributions.

Also, the above post suggested that I should configure the pkg-config environment path:

# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
# export PKG_CONFIG_PATH

Then I ran sh autogen.sh and ./configure again. After this I got a much nicer and longer output, like this:

root@debian:/home/debian/libnftnl# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
(...)
checking for LIBMNL... yes
(...)
config.status: creating tests/Makefile
config.status: creating libnftnl.pc
config.status: creating doxygen.cfg
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
libnftnl configuration:
  JSON support:    no

After this step I finally ran the last two commands  —  make and make install  —  without any errors.


Now that libmnl and libnftnl were successfully installed, I tried to install the nftables userspace command line utility, nft, from the sources, with the following commands:

# git clone git://git.netfilter.org/nftables
# cd nftables
# sh autogen.sh
# ./configure

While running the last command, ./configure, I got an error indicating that I was missing the bison package, which nftables depends on:

root@debian:/home/debian/nftables# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
(...)
checking for flex... no
checking for lex... no
checking for bison... no
checking for byacc... no
*** Error: No suitable bison/yacc found. ***
    Please install the 'bison' package.

Later I got the same message for the flex and docbook2x packages. Note that both of these are in the nftables dependencies list. So to fix these error messages I installed these packages  —  bison, flex, and docbook2x  —  with aptitude install <package> (e.g. aptitude install flex).

After this, I got this error message: configure: error: No suitable version of libreadline found. To fix it I followed the steps in this post:

# aptitude update
# aptitude install libreadline-dev

At this point, I had enough installed to get the nft tool running. This is the ./configure output, with no errors:

root@debian:/home/debian/nftables# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
(...)
config.status: creating include/linux/netfilter_ipv4/Makefile
config.status: creating include/linux/netfilter_ipv6/Makefile
config.status: creating doc/Makefile
config.status: creating files/Makefile
config.status: creating files/nftables/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
nft configuration:
  cli support:                 yes
  enable debugging symbols:    yes
  use mini-gmp:                no
  enable man page:             yes
  enable pdf documentation:    no
  libxtables support:          no

Then I ran make and make install, also with no errors.


Finally, I checked if nftables was successfully installed:

root@debian:/home/debian/nftables# nft
nft: no command specified
root@debian:/home/debian/nftables# nft -v
nftables v0.8.2 (Joe Btfsplk)

And it was! It worked!

Summary

After going through all of this, I had to install nftables on another virtual machine. This time I tried a simpler approach, in this order:

  • First I ran aptitude update to download the lists of new and upgradable packages.
  • Then I installed all the packages I had needed during the first installation, with aptitude install <package>. These are autoconf, autogen, libtool, pkg-config, libgmp3-dev, bison, flex, docbook2x and libreadline-dev. You can check the dependencies of nftables here.
  • Next, I configured the path for pkg-config with the following lines:
# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
# export PKG_CONFIG_PATH
  • Then I installed the libmnl library, with the commands previously presented:
# git clone git://git.netfilter.org/libmnl
# cd libmnl
# sh autogen.sh
# ./configure
# make
# make install
  • After that I installed the libnftnl library, with these commands, also shown previously:
# git clone git://git.netfilter.org/libnftnl
# cd libnftnl
# sh autogen.sh
# ./configure
# make
# make install
  • Lastly, I installed nftables this way:
# git clone git://git.netfilter.org/nftables
# cd nftables
# sh autogen.sh
# ./configure
# make
# make install
  • Next, to check if nftables was working, I checked the version with nft -v. Surprisingly, I got an error I hadn’t seen before, which I fixed with the ldconfig command (make install had put libnftnl.so.7 in /usr/local/lib, but the dynamic linker cache had not been refreshed). If you’re unfamiliar with ldconfig you can learn more about it here. You can check the sequence of commands below:
root@debian:/home/debian# nft -v
nft: error while loading shared libraries: libnftnl.so.7: cannot open shared object file: No such file or directory
root@debian:/home/debian# ldconfig
root@debian:/home/debian# nft -v
nftables v0.8.2 (Joe Btfsplk)
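The chain of missing-dependency errors in the first walkthrough, and the package and path steps of this summary, can be turned into a preflight check that runs before autogen.sh and after each make install. The script below is an added example and is not part of the original post: it maps each tool whose absence produced an error above to the package installed for it, checks the headers behind the libgmp3-dev and libreadline-dev installs, and then verifies that pkg-config can see libmnl.pc under /usr/local/lib/pkgconfig and that libnftnl is in the ld.so cache. The docbook2x-man binary name, the header paths under /usr/include and the script file name preflight.sh are assumptions.

```shell
#!/bin/sh
# Added preflight check for the nftables-from-source procedure (not from the
# post); docbook2x-man binary name and header paths are assumptions.
# $1: space-separated "tool:package" pairs. Prints "tool package" for each
# tool not found in PATH; returns 0 if nothing is missing, 1 otherwise.
missing_tools() {
    rc=0
    for pair in $1; do
        tool=${pair%%:*}
        if ! command -v "$tool" >/dev/null 2>&1; then
            printf '%s %s\n' "$tool" "${pair#*:}"
            rc=1
        fi
    done
    return $rc
}

# $1: space-separated "header:package" pairs, headers relative to /usr/include.
missing_headers() {
    rc=0
    for pair in $1; do
        hdr=${pair%%:*}
        [ -r "/usr/include/$hdr" ] || { printf '%s %s\n' "$hdr" "${pair#*:}"; rc=1; }
    done
    return $rc
}
# pkg-config provides the pkg.m4 macros behind PKG_CHECK_MODULES (hence the
# "unexpected token `LIBMNL,'" error without it); configure then only sees
# libmnl.pc if PKG_CONFIG_PATH includes /usr/local/lib/pkgconfig.
pc_module_found() {
    PKG_CONFIG_PATH="${PKG_CONFIG_PATH:-/usr/local/lib/pkgconfig}" pkg-config --exists "$1"
}
# "libnftnl.so.7: cannot open shared object file" after make install means the
# ld.so cache is stale; ldconfig (as root) refreshes it.
lib_in_ld_cache() {
    ldconfig -p 2>/dev/null | grep -q "$1"
}
BUILD_TOOLS="autoreconf:autoconf libtoolize:libtool pkg-config:pkg-config bison:bison flex:flex docbook2x-man:docbook2x"
BUILD_HEADERS="gmp.h:libgmp3-dev readline/readline.h:libreadline-dev"

preflight() {
    ok=0
    missing_tools "$BUILD_TOOLS" || ok=1
    missing_headers "$BUILD_HEADERS" || ok=1
    pc_module_found libmnl || { echo "libmnl.pc not found: install libmnl, export PKG_CONFIG_PATH"; ok=1; }
    lib_in_ld_cache libnftnl.so || { echo "libnftnl not in ld.so cache: install libnftnl, run ldconfig"; ok=1; }
    [ "$ok" -eq 0 ] && echo "ready to build nftables"
    return $ok
}
case "$0" in *preflight.sh) preflight "$@" ;; esac
```

Each line of output names the missing tool or header and the Debian package to install for it, so the whole list of aptitude install commands from the summary can be derived before the first autogen.sh run instead of one error at a time.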

This is also posted on Medium.

You can find me on Twitter, LinkedIn, Github, Medium, and my personal website.

Discussion (1)

juantek

Hi Isabel,
First, I would like to thank you for sharing this nftables building from source. I followed it and at the end I encountered an error such as:

arth@deb10:~$ sudo systemctl start nftables.service
Failed to start nftables.service: Unit nftables.service not found.

I checked the internet but could not find a proper solution for this one, or I am misunderstanding what was written.

I already added /etc/modules-load.d/nftables.conf in order for systemd to recognize it (as I understood it). I rebooted the system but when I ran systemctl enable nftables.service the same error message came again.

OS: Debian 10 (Buster)

nft had been built:

arth@deb10:~$ sudo nft -v
nftables v0.9.2 (Scram)

What did I miss here? Thanks very much...

/etc/modules-load.d/nftables.conf contains the following:

nf_conntrack
nf_conntrack_ipv4
nf_conntrack_ipv6
nf_defrag_ipv4
nf_defrag_ipv6
nf_nat
nf_nat_ipv4
nf_tables
nf_tables_inet
nf_tables_ipv4
nf_tables_ipv6
nfnetlink
nft_counter
nft_ct
nft_hash
nft_limit
nft_log
nft_meta
nft_rbtree
nft_reject
nft_reject_inet
nft_reject_ipv4
nft_reject_ipv6