Debian 11 doesn't seem to have any netfilters installed

Houman

3/11/23, 7:01 PM

When I tried to so

sudo sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1

I got the error:

sysctl: cannot stat /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal: No such file or directory

When I checked the folder ls /proc/sys/net/netfilter/ All I could see was:

nf_log  nf_log_all_netns

But on Debian 10, I see this: ls /proc/sys/net/netfilter/

nf_conntrack_acct                   nf_conntrack_dccp_timeout_closing   nf_conntrack_events             nf_conntrack_helper               nf_conntrack_sctp_timeout_cookie_echoed      nf_conntrack_sctp_timeout_shutdown_recd  nf_conntrack_tcp_timeout_close_wait   nf_conntrack_tcp_timeout_syn_sent        nf_log
nf_conntrack_buckets                nf_conntrack_dccp_timeout_open      nf_conntrack_expect_max         nf_conntrack_icmp_timeout         nf_conntrack_sctp_timeout_cookie_wait        nf_conntrack_sctp_timeout_shutdown_sent  nf_conntrack_tcp_timeout_established  nf_conntrack_tcp_timeout_time_wait       nf_log_all_netns
nf_conntrack_checksum               nf_conntrack_dccp_timeout_partopen  nf_conntrack_frag6_high_thresh  nf_conntrack_icmpv6_timeout       nf_conntrack_sctp_timeout_established        nf_conntrack_tcp_be_liberal              nf_conntrack_tcp_timeout_fin_wait     nf_conntrack_tcp_timeout_unacknowledged
nf_conntrack_count                  nf_conntrack_dccp_timeout_request   nf_conntrack_frag6_low_thresh   nf_conntrack_log_invalid          nf_conntrack_sctp_timeout_heartbeat_acked    nf_conntrack_tcp_loose                   nf_conntrack_tcp_timeout_last_ack     nf_conntrack_timestamp
nf_conntrack_dccp_loose             nf_conntrack_dccp_timeout_respond   nf_conntrack_frag6_timeout      nf_conntrack_max                  nf_conntrack_sctp_timeout_heartbeat_sent     nf_conntrack_tcp_max_retrans             nf_conntrack_tcp_timeout_max_retrans  nf_conntrack_udp_timeout
nf_conntrack_dccp_timeout_closereq  nf_conntrack_dccp_timeout_timewait  nf_conntrack_generic_timeout    nf_conntrack_sctp_timeout_closed  nf_conntrack_sctp_timeout_shutdown_ack_sent  nf_conntrack_tcp_timeout_close           nf_conntrack_tcp_timeout_syn_recv     nf_conntrack_udp_timeout_stream

What am I missing, please?

334

0 + 0

debian

Score:0

Server

A.B

3/11/23, 8:08 PM

The missing variables are made available by the kernel module nf_conntrack.

You could, depending on the exact issue you have and the time when it happens (at boot or not...):

manually load the module
```
modprobe nf_conntrack
```
have any stateful or NAT rule (from iptables-legacy, iptables-nft or nftables) trigger the loading of nf_conntrack
alter the order and dependencies of systemd services so systemd-sysctl (or procps) doesn't run too early but after the nf_conntrack module is loaded by such previous rule loaded from an other service.
force load the nf_conntrack module at boot by adding it in /etc/modules

and if needed early, rebuilding initramfs:
```
update-initramfs -u
```

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Debian 11 doesn't seem to have any netfilters installed

TH: Debian 11 ดูเหมือนจะไม่ได้ติดตั้ง netfilters ไว้เลย

RO: Debian 11 nu pare să aibă niciun netfilter instalat

RU: В Debian 11 не установлены сетевые фильтры.

VI: Debian 11 dường như không cài đặt bất kỳ bộ lọc mạng nào

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.