On Mon, Oct 3, 2022 at 5:42 PM Andy Smith <a...@strugglers.net> wrote:
> Hello,
>
> On Mon, Oct 03, 2022 at 05:36:19PM -0400, Greg Wooledge wrote:
> > On Mon, Oct 03, 2022 at 05:01:21PM -0400, Dave Parker wrote:
> > > Oct 03 16:48:55 host systemd[1]: Starting nftables...
> > > Oct 03 16:48:55 host nft[926]: /etc/nftables.conf:4:1-37: Error: File not
> > > found: /root/nftables/ruleset.txt
> >
> > Sounds like the service might be chrooted.
>
> … so OP please show us
>
> $ systemctl cat nftables.service
>
> to see if there are any interesting options about restricting
> access to the filesystem.

Hello,

Thanks for pointing me in the right direction. I checked the service as you suggested:

----------
~# systemctl cat nftables.service
# /lib/systemd/system/nftables.service
[Unit]
Description=nftables
Documentation=man:nft(8) http://wiki.nftables.org
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no

[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset

[Install]
WantedBy=sysinit.target
----------

It turns out that the problem was the "ProtectHome=true" in the service config. According to the systemd documentation[1]:

"If true, the directories /home, /root and /run/user are made inaccessible and empty for processes invoked by this unit."

So, I copied /lib/systemd/system/nftables.service to /etc/systemd/system/nftables.service, set ProtectHome=false, ran "systemctl daemon-reload", and now it works!

Thank you!

[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=

-- 
Dave Parker '11
Database & Systems Administrator
Utica University Integrated Information Technology Services
315-792-3229
He/Him
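As an added example (not code from the thread, nor from systemd or nftables), a small Python check that parses a unit file as printed by `systemctl cat` and reports which of the files a service needs would be hidden by its ProtectHome= setting. The function names parse_unit and blocked_paths are chosen here; the accepted values for ProtectHome= (true/yes/on/1, tmpfs, read-only, no/false) are those documented in systemd.exec(5).

```python
# Added example (not from the thread): report which files a service needs
# that its ProtectHome= setting would hide from it.

# Directories hidden by ProtectHome=true (systemd.exec(5), quoted in the thread).
PROTECT_HOME_DIRS = ("/home", "/root", "/run/user")

# Constructed input: the relevant part of the unit as printed in the thread.
UNIT_TEXT = """\
# /lib/systemd/system/nftables.service
[Service]
Type=oneshot
RemainAfterExit=yes
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset
"""

def parse_unit(text):
    """Return {section: {key: value}} for an ini-style unit file (last value wins)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def blocked_paths(unit_text, needed_paths):
    """Paths in needed_paths that ProtectHome= makes inaccessible to the unit."""
    service = parse_unit(unit_text).get("Service", {})
    setting = service.get("ProtectHome", "no").strip().lower()
    # true/yes/on/1 and tmpfs hide the directories entirely; read-only still
    # allows reads, and no/false applies no restriction at all.
    if setting not in ("true", "yes", "on", "1", "tmpfs"):
        return []
    return [p for p in needed_paths
            if any(p == d or p.startswith(d + "/") for d in PROTECT_HOME_DIRS)]

if __name__ == "__main__":
    # /etc/nftables.conf stays readable (ProtectSystem=full only makes /etc
    # read-only); the ruleset it includes from /root does not.
    print(blocked_paths(UNIT_TEXT, ["/root/nftables/ruleset.txt", "/etc/nftables.conf"]))
```

The same check, run over the unit after ProtectHome=false or ProtectHome=read-only, reports nothing blocked, which matches the fix described in the thread.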
> Hello, > > On Mon, Oct 03, 2022 at 05:36:19PM -0400, Greg Wooledge wrote: > > On Mon, Oct 03, 2022 at 05:01:21PM -0400, Dave Parker wrote: > > > Oct 03 16:48:55 host systemd[1]: Starting nftables... > > > Oct 03 16:48:55 host nft[926]: /etc/nftables.conf:4:1-37: Error: File > not > > > found: /root/nftables/ruleset.txt > > > > Sounds like the service might be chrooted. > > … so OP please show us > > $ systemctl cat nftables.service > > to see if there are any interesting options about restricting > access to the filesystem. > > Hello, Thanks for pointing me in the right direction. I checked the service as you suggested: ---------- ~# systemctl cat nftables.service # /lib/systemd/system/nftables.service [Unit] Description=nftables Documentation=man:nft(8) http://wiki.nftables.org Wants=network-pre.target Before=network-pre.target shutdown.target Conflicts=shutdown.target DefaultDependencies=no [Service] Type=oneshot RemainAfterExit=yes StandardInput=null ProtectSystem=full ProtectHome=true ExecStart=/usr/sbin/nft -f /etc/nftables.conf ExecReload=/usr/sbin/nft -f /etc/nftables.conf ExecStop=/usr/sbin/nft flush ruleset [Install] WantedBy=sysinit.target ---------- It turns out that the problem was the "ProtectHome=true" in the service config. According to the systemd documentation[1]: "If true, the directories /home, /root and /run/user are made inaccessible and empty for processes invoked by this unit." So, I copied /lib/systemd/system/nftables.service to /etc/systemd/system/nftables.service, set ProtectHome=false, ran "systemctl daemon-reload", and now it works! Thank you! [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome= -- Dave Parker '11 Database & Systems Administrator Utica University Integrated Information Technology Services 315-792-3229 He/Him