In this post, I’ll show you how I installed nftables from sources. I needed to do this from the sources to have the latest version of nftables.
I needed to work with iptables to perform stateless Network Address Translation (NAT), but then I discovered that this didn’t appear to be possible using iptables. So I found nftables, which allows me to do it.
To have the latest version of nftables, at least above v0.7, I installed this tool from the sources. I started by following the installation instructions on the nftables wiki page.
The nftables package dependencies are listed here. These are the main ones:
First, I tried to install the libmnl package provided on Debian, with aptitude search libmnl, and then I installed libmnl-dev, but it didn’t work for me later, so I installed this from the sources after installing libnftnl.
To install the libnftnl userspace library, the nftables wiki page suggests these commands:
# git clone git://git.netfilter.org/libnftnl
# cd libnftnl
# sh autogen.sh
# ./configure
# make
# make install
While running the commands, I got the first error (in the third command):
root@debian:/home/debian/libnftnl# sh autogen.sh
autogen.sh: 3: autogen.sh: autoreconf: not found
Then I installed the missing packages: autogen, autoreconf.
# aptitude install autoconf autogen
Next, I tried the sh autogen.sh step again and got the following error:
root@debian:/home/debian/libnftnl# sh autogen.sh
configure.ac:28: error: possibly undefined macro: AC_DISABLE_STATIC
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
After some research, I found that I had to install the libtool package, with aptitude install libtool.
Then I tried again, and got this output:
root@debian:/home/debian/libnftnl# sh autogen.sh
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `build-aux'.
libtoolize: copying file `build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
configure.ac:8: installing 'build-aux/ar-lib'
configure.ac:8: installing 'build-aux/compile'
configure.ac:5: installing 'build-aux/config.guess'
configure.ac:5: installing 'build-aux/config.sub'
configure.ac:10: installing 'build-aux/install-sh'
configure.ac:10: installing 'build-aux/missing'
examples/Makefile.am: installing 'build-aux/depcomp'
Finally, the autogen.sh script is working! At this point, I could move forward to the next command: ./configure. Here’s the output I had:
root@debian:/home/debian/libnftnl# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking for ar... ar
checking the archiver (ar) interface... ar
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking whether make supports nested variables... yes
checking how to create a pax tar archive... gnutar
checking dependency style of gcc... gcc3
checking whether make supports nested variables... (cached) yes
./configure: line 4135: syntax error near unexpected token `LIBMNL,'
./configure: line 4135: `PKG_CHECK_MODULES(LIBMNL, libmnl >= 1.0.0)'
From this output, I noticed that I was missing the libmnl package, which I installed later, as shown next.
To install the libmnl userspace library correctly from the sources, I ran these commands:
# git clone git://git.netfilter.org/libmnl
# cd libmnl
# sh autogen.sh
# ./configure
# make
# make install
With the previous packages I installed, these steps had no errors.
Now going back to the installation of libnftnl, I tried to run ./configure again and I still got the same problem. I fixed the problem following the instructions of this blog post. Here are the steps I followed:
root@debian:/home/debian/libnftnl# whereis libmnl
libmnl: /usr/local/lib/libmnl.so /usr/local/lib/libmnl.la /usr/include/libmnl
Then I did:
root@debian:/home/debian/libnftnl# ldd /usr/local/lib/libmnl.so
linux-vdso.so.1 (0x00007ffe5212a000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007efc29faf000)
/lib64/ld-linux-x86-64.so.2 (0x000056203c383000)
The post also suggested that I install pkg-config with aptitude install pkg-config and install the gmp package with aptitude install libgmp3-dev. Here's a post that shows how to install it on other Linux distributions.
Also, the above post suggested that I should configure the pkg-config environment path:
# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
# export PKG_CONFIG_PATH
Then I ran sh autogen.sh and ./configure again. After this I got a much nicer and longer output, like this:
root@debian:/home/debian/libnftnl# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
(...)
checking for LIBMNL... yes
(...)
config.status: creating tests/Makefile
config.status: creating libnftnl.pc
config.status: creating doxygen.cfg
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
libnftnl configuration:
JSON support: no
After this step I finally ran the last two commands, make and make install, without any errors.
Now that libmnl and libnftnl were successfully installed, I tried to install the userspace nft command-line utility, nftables, from the sources, with the following commands:
# git clone git://git.netfilter.org/nftables
# cd nftables
# sh autogen.sh
# ./configure
While running the last command, ./configure, I got an error indicating that I was missing the bison package, which nftables depends on:
root@debian:/home/debian/nftables# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
(...)
checking for flex... no
checking for lex... no
checking for bison... no
checking for byacc... no
*** Error: No suitable bison/yacc found. ***
Please install the 'bison' package.
Later I got the same message for the flex and docbook2x packages. Note that both of these are in the nftables dependencies list. So to fix these error messages I installed these packages (bison, flex, and docbook2x) with aptitude install <package> (e.g.: aptitude install flex).
After this, I got this error message: configure: error: No suitable version of libreadline found. To fix this I followed the steps of this post.
# aptitude update
# aptitude install libreadline-dev
At this point, I had enough installed to have the nft tool running. This is the installation output with no errors:
root@debian:/home/debian/nftables# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
(...)
config.status: creating include/linux/netfilter_ipv4/Makefile
config.status: creating include/linux/netfilter_ipv6/Makefile
config.status: creating doc/Makefile
config.status: creating files/Makefile
config.status: creating files/nftables/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
nft configuration:
cli support: yes
enable debugging symbols: yes
use mini-gmp: no
enable man page: yes
enable pdf documentation: no
libxtables support: no
Then I ran make and make install, also with no errors.
Finally, I checked if nftables was successfully installed:
root@debian:/home/debian/nftables# nft
nft: no command specified
root@debian:/home/debian/nftables# nft -v
nftables v0.8.2 (Joe Btfsplk)
And it was! It worked!
Summary
After all of this procedure, I had to install this on another virtual machine. This time I tried a simpler approach, in this order:
- First I ran aptitude update to download lists of new and upgradable packages.
- Then I installed all the packages I needed during the first installation, with aptitude install. These include autoconf, autogen, libtool, pkg-config, libgmp3-dev, bison, flex, docbook2x and libreadline-dev. You can check the dependencies of nftables here.
- Next, I configured the path for pkg-config with the following lines:
# PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
# export PKG_CONFIG_PATH
- Then I installed the libmnl library, with the commands previously presented:
# git clone git://git.netfilter.org/libmnl
# cd libmnl
# sh autogen.sh
# ./configure
# make
# make install
- After that I installed the libnftnl library, with these commands, also shown previously:
# git clone git://git.netfilter.org/libnftnl
# cd libnftnl
# sh autogen.sh
# ./configure
# make
# make install
- Lastly, I installed nftables this way:
# git clone git://git.netfilter.org/nftables
# cd nftables
# sh autogen.sh
# ./configure
# make
# make install
- Next, to check if nftables is working, I checked the version with nft -v. Surprisingly, I got an error I hadn’t seen before, which I fixed with the ldconfig command. If you’re unfamiliar with ldconfig, you can learn more about it here. You can check the sequence of the commands below:
root@debian:/home/debian# nft -v
nft: error while loading shared libraries: libnftnl.so.7: cannot open shared object file: No such file or directory
root@debian:/home/debian# ldconfig
root@debian:/home/debian# nft -v
nftables v0.8.2 (Joe Btfsplk)
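The failures hit in this walkthrough (missing autotools, an unexpanded PKG_CHECK_MODULES left in configure, and libraries under /usr/local/lib that pkg-config and the loader do not know about) can be checked for before and after building. The script below is an added example, not part of the original post; the function names and the check argument are hypothetical, and the soname libnftnl.so.7 is the one from the loader error above. Run it from the libnftnl or nftables checkout as: sh preflight.sh check

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for the
# build failures described above.

# Print every named tool that is not on PATH, one per line.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || printf '%s\n' "$tool"
    done
}

# Print PKG_* macro calls left unexpanded in a generated configure script.
# They appear when pkg.m4 (shipped by pkg-config) was absent while
# autogen.sh ran, and make ./configure stop with "syntax error near
# unexpected token". Exit status is 0 when such a line is found.
unexpanded_pkg_macros() {
    grep -nE '^[[:space:]]*PKG_[A-Z_]+\(' "$1"
}

# Read `ldconfig -p` output on stdin; succeed only if the exact soname
# given as $1 is in the loader cache.
soname_in_cache() {
    awk -v want="$1" '$1 == want { found = 1 } END { exit !found }'
}

preflight() {
    rc=0
    missing=$(missing_tools autoreconf libtoolize pkg-config bison flex make gcc)
    if [ -n "$missing" ]; then
        echo "missing build tools:" $missing; rc=1
    fi
    if [ -f configure ] && unexpanded_pkg_macros configure; then
        echo "configure has unexpanded macros: install pkg-config, rerun autogen.sh"; rc=1
    fi
    # libmnl.pc lands in /usr/local/lib/pkgconfig after `make install`.
    if ! PKG_CONFIG_PATH=/usr/local/lib/pkgconfig pkg-config --exists libmnl 2>/dev/null; then
        echo "libmnl not visible to pkg-config"; rc=1
    fi
    # Soname taken from the loader error quoted in the post.
    if ! ldconfig -p 2>/dev/null | soname_in_cache libnftnl.so.7; then
        echo "libnftnl.so.7 not in loader cache: run ldconfig as root"; rc=1
    fi
    return $rc
}

# Run the checks only when asked: sh preflight.sh check
if [ "${1:-}" = "check" ]; then preflight; fi
```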
This is also posted on Medium.
Top comments (1)
Hi Isabel,
First, I would like to thank you for sharing this nftables building from source. I followed it and at the end I encountered an error such as:
I checked the internet but could not find a proper solution for this one or I am misunderstanding what was written.
I already added /etc/modules-load.d/nftables.conf in order for systemd to recognize it (as I understood it). I rebooted the system but when I ran systemctl enable nftables.service the same error message came again.
OS: Debian 10 (Buster)
nft had been built:
What did I miss here? Thanks very much...
/etc/modules-load.d/nftables.conf contains the following:
nf_conntrack
nf_conntrack_ipv4
nf_conntrack_ipv6
nf_defrag_ipv4
nf_defrag_ipv6
nf_nat
nf_nat_ipv4
nf_tables
nf_tables_inet
nf_tables_ipv4
nf_tables_ipv6
nfnetlink
nft_counter
nft_ct
nft_hash
nft_limit
nft_log
nft_meta
nft_rbtree
nft_reject
nft_reject_inet
nft_reject_ipv4
nft_reject_ipv6