nft utility errors "XT target TPROXY not found" caused by WTP/NTP task [KES for Linux]



Problem

While the WTP/NTP task is enabled, the nft utility prints errors like the following to stderr:

# nft list ruleset
XT target TPROXY not found
XT target TPROXY not found
XT target TPROXY not found
XT target TPROXY not found

These errors are caused by a bug in the nft utility and the xt_TPROXY dynamic library. They do not indicate any functionality issues.

This bug may be reported to netfilter.org developers.

Explanation

Whenever the nft utility lists traffic rules, it dynamically loads extension libraries (for example, from /usr/lib/x86_64-linux-gnu/xtables on Debian), including TPROXY and CONNMARK.

When nft encounters the first IPv4 rule, it sets the global "family=ipv4" state via the xtables_set_nfproto function, then loads libxt_TPROXY.so, which contains both IPv4 and IPv6 targets; the IPv6 targets are ignored because of that state.

After that, nft processes the IPv6 rules, but no IPv6 targets are available for them. As a result, the nft utility prints the "XT target TPROXY not found" errors.
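
A simplified C model of the sequence described above, added here as an illustration; it is not code from nft, libxtables or Kaspersky. The function names register_target, load_tproxy_lib and find_target and the one-time-load flag are assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>

enum family { FAM_IPV4, FAM_IPV6 };
struct target { const char *name; enum family family; };

static struct target registered[8];
static int n_registered;
static enum family current_family; /* global state, as set via xtables_set_nfproto */
static int tproxy_lib_loaded;      /* assumption: the library registers only once */

/* Registration ignores targets whose family differs from the global state. */
static void register_target(const char *name, enum family f)
{
    if (f != current_family || n_registered == 8)
        return;
    registered[n_registered++] = (struct target){ name, f };
}

/* Stand-in for loading libxt_TPROXY.so, which offers IPv4 and IPv6 targets. */
static void load_tproxy_lib(void)
{
    if (tproxy_lib_loaded)
        return;
    tproxy_lib_loaded = 1;
    register_target("TPROXY", FAM_IPV4);
    register_target("TPROXY", FAM_IPV6);
}

/* Returns 1 if a target exists for the rule's family, 0 (plus the error) if not. */
static int find_target(const char *name, enum family f)
{
    current_family = f;
    load_tproxy_lib();
    for (int i = 0; i < n_registered; i++)
        if (registered[i].family == f && strcmp(registered[i].name, name) == 0)
            return 1;
    fprintf(stderr, "XT target %s not found\n", name);
    return 0;
}

int main(void)
{
    int v4 = find_target("TPROXY", FAM_IPV4); /* first rule listed is IPv4 */
    int v6 = find_target("TPROXY", FAM_IPV6); /* later IPv6 rule */
    printf("ipv4 target found: %d, ipv6 target found: %d\n", v4, v6);
    return 0;
}
```

In the model, the IPv6 lookup fails only because the IPv6 target was discarded at load time while the family state was IPv4, which is the listing-time effect the explanation describes.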
