Nftables.service: nftables was skipped because of an unmet condition check

retiolus · August 21, 2025, 6:07pm

What type of hardware are you using: Raspberry Pi 3, 4+
What YunoHost version are you running: 12.1.14
How are you able to access your server: SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: Update to 12.1

Describe your issue

I updated YunoHost to the latest version, but the nftables service won’t start: Aug 21 19:31:54 systemd[1]: nftables.service - nftables was skipped because of an unmet condition check (ConditionPathExists=!/etc/systemd/system/multi-user.target.wants/yunohost-firewall.service).

Share relevant logs or error messages

Aug 21 19:31:54 systemd[1]: nftables.service - nftables was skipped because of an unmet condition check (ConditionPathExists=!/etc/systemd/system/multi-user.target.wants/yunohost-firewall.service).

trojkat · August 22, 2025, 6:09pm

More details from the logs

Aug 22 18:04:30 my-domain systemd[1]: Starting nftables.service - nftables...
Aug 22 18:04:30 my-domain nft[2905324]: In file included from /etc/nftables.conf:20:1-33:
Aug 22 18:04:30 my-domain nft[2905324]: /etc/nftables.d/yunohost-firewall.conf:3:20-84: Error: Could not process rule: Operation not supported
Aug 22 18:04:30 my-domain nft[2905324]: define tcp_ports = { 25, 53, 80, 443, 587, 993, 1984, 3478, 5222, 5223, 5269, 8234 }
Aug 22 18:04:30 my-domain nft[2905324]:                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 22 18:04:30 my-domain nft[2905324]: In file included from /etc/nftables.conf:20:1-33:
Aug 22 18:04:30 my-domain nft[2905324]: /etc/nftables.d/yunohost-firewall.conf:3:20-84: Error: Could not process rule: No such file or directory
Aug 22 18:04:30 my-domain nft[2905324]: define tcp_ports = { 25, 53, 80, 443, 587, 993, 1984, 3478, 5222, 5223, 5269, 8234 }
Aug 22 18:04:30 my-domain nft[2905324]:                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 22 18:04:30 my-domain nft[2905324]: In file included from /etc/nftables.conf:20:1-33:
Aug 22 18:04:30 my-domain nft[2905324]: /etc/nftables.d/yunohost-firewall.conf:12:9-43: Error: Could not process rule: No such file or directory
Aug 22 18:04:30 my-domain nft[2905324]:         tcp dport $tcp_ports counter accept;
Aug 22 18:04:30 my-domain nft[2905324]:         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 22 18:04:30 my-domain nft[2905324]: In file included from /etc/nftables.conf:20:1-33:
Aug 22 18:04:30 my-domain nft[2905324]: /etc/nftables.d/yunohost-firewall.conf:5:20-37: Error: Could not process rule: No such file or directory
Aug 22 18:04:30 my-domain nft[2905324]: define udp_ports = { 53, 5353, 8234 }
Aug 22 18:04:30 my-domain nft[2905324]:                    ^^^^^^^^^^^^^^^^^^
Aug 22 18:04:30 my-domain nft[2905324]: In file included from /etc/nftables.conf:20:1-33:
Aug 22 18:04:30 my-domain nft[2905324]: /etc/nftables.d/yunohost-firewall.conf:5:20-37: Error: Could not process rule: No such file or directory
Aug 22 18:04:30 my-domain nft[2905324]: define udp_ports = { 53, 5353, 8234 }
Aug 22 18:04:30 my-domain nft[2905324]:                    ^^^^^^^^^^^^^^^^^^
Aug 22 18:04:30 my-domain nft[2905324]: In file included from /etc/nftables.conf:20:1-33:
Aug 22 18:04:30 my-domain nft[2905324]: /etc/nftables.d/yunohost-firewall.conf:14:9-43: Error: Could not process rule: No such file or directory
Aug 22 18:04:30 my-domain nft[2905324]:         udp dport $udp_ports counter accept;
Aug 22 18:04:30 my-domain nft[2905324]:         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 22 18:04:30 my-domain nft[2905324]: In file included from /etc/nftables.conf:20:1-33:
Aug 22 18:04:30 my-domain nft[2905324]: /etc/nftables.d/yunohost-firewall.conf:17:9-35: Error: Could not process rule: No such file or directory
Aug 22 18:04:30 my-domain nft[2905324]:         iifname "lo" counter accept;
Aug 22 18:04:30 my-domain nft[2905324]:         ^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 22 18:04:30 my-domain nft[2905324]: In file included from /etc/nftables.conf:20:1-33:
Aug 22 18:04:30 my-domain nft[2905324]: /etc/nftables.d/yunohost-firewall.conf:18:9-39: Error: Could not process rule: No such file or directory
Aug 22 18:04:30 my-domain nft[2905324]:         ip protocol icmp counter accept;
Aug 22 18:04:30 my-domain nft[2905324]:         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 22 18:04:30 my-domain systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Aug 22 18:04:30 my-domain systemd[1]: nftables.service: Failed with result 'exit-code'.
Aug 22 18:04:30 my-domain systemd[1]: Failed to start nftables.service - nftables.

retiolus · August 22, 2025, 9:16pm

Yes, but in my case, I really only have the logs I shared…

Aleks · August 24, 2025, 1:10pm

Can you check with sudo ls -l /etc/systemd/system/multi-user.target.wants/yunohost-firewall.service if the file exists or doesn’t ?

retiolus · August 24, 2025, 1:34pm

retiolus@home:~ $ sudo ls -l /etc/systemd/system/multi-user.target.wants/yunohost-firewall.service
[sudo] password for retiolus: 
lrwxrwxrwx 1 root root 45 Oct 13  2022 /etc/systemd/system/multi-user.target.wants/yunohost-firewall.service -> /etc/systemd/system/yunohost-firewall.service
retiolus@home:~ $

matlag · September 2, 2025, 9:30pm

Je me joins à la discussion, j’ai le même problème: nftables en vrac.

yunohost 12.1.17.1

$ ls -lh /etc/systemd/system/multi-user.target.wants/yunohost-firewall.service
lrwxrwxrwx 1 root root 45 Oct  1  2021 /etc/systemd/system/multi-user.target.wants/yunohost-firewall.service -> /lib/systemd/system/yunohost-firewall.service

$ ls -lh /lib/systemd/system/yunohost-firewall.service
ls: cannot access '/lib/systemd/system/yunohost-firewall.service': No such file or directory

En passant, j’ai aussi yunohost.api qui est en lien mort:

herelrwxrwxrwx 1 root root 40 Oct  1  2021 yunohost-api.service -> /lib/systemd/system/yunohost-api.service

ajoe04 · September 2, 2025, 11:10pm

I have the same problem, broken link /etc/systemd/system/multi-user.target.wants/yunohost-firewall.service

lrwxrwxrwx 1 root root 45 1. Mai 15:50 yunohost-firewall.service → /etc/systemd/system/yunohost-firewall.service

ajoe04 · September 3, 2025, 12:15am

I deleted the /etc/systemd/system/multi-user.target.wants/yunohost-firewall.service file, but now the error is BACK. First ist seamed to be a solution.

retiolus · September 3, 2025, 5:27am

I fixed part of the issue running sudo apt --fix-broken install

Now all seams to work, but I can’t access firewall config in tools on web interface.

Cyril · September 4, 2025, 8:01am

I have the same issue on one of my server.
On the working instance, I have the following :

sudo ls -l /etc/systemd/system/yuno
yunohost-api.service yunomdns.service
yunohost-portal-api.service yunoprompt.service

On the instance with the issue, there are no files starting with “yuno” in the folder /etc/systemd/system

There’s also no files starting with yunohost in the folder /etc/systemd/system/multi-user.target.wants in the instance with the faulty nftables service.

Is it something that can be fixed by reinstalling yunohost packet ?
(I have already installed the last updates)

Cyril

Cyril · September 6, 2025, 7:08am

Hello,

what’s happens when the nftable service is not running ?

Does that means that the firewall is not running ?

Cyril

retiolus · September 6, 2025, 7:33pm

I have this kind of issues too…

retiolus · September 7, 2025, 10:24am

Okay, looks like upgrade to the latest YunoHost release 12.1.17.1 (stable) fixed all my issues for the moment

Cyril · September 7, 2025, 6:00pm

Okay,

I think I got it : I’m using a server VPS from Kimsuffi.

Nftables service needs the kernel module nftables and the kernel can be compiled without the nftables module.
https://stackoverflow.com/questions/61727119/nftables-config-commands-failing-with-operation-not-supported

To check :

sudo lsmod | grep nf_tables

If the command gives nothing, the module is not available.

I found these articles that help to update the kernel of a kimsuffi server

Installing Linux kernel with nftables support
Mise a jour du Kernel sur serveur Debian Kimsufi
Mise à jour du kernel debian sur un serveur Kimsufi OVH
[Astuce] Changer le kernel de votre Kimsufi

The kernel is quite old :

$ ls /boot/
config-4.19-ovh-xxxx-std-ipv6-64  
initrd.img-4.19-ovh-xxxx-std-ipv6-64  
vmlinuz-4.19-ovh-xxxx-std-ipv6-64
grub                              
System.map-4.19-ovh-xxxx-std-ipv6-64

and there’s some available but apt-get will not install it ( not sure why):

$ sudo apt-get install linux-image-
linux-image-4.18.5-mod-std-ipv6-64            linux-image-6.1.0-37-amd64
linux-image-4.19.17-mod-std-ipv6-64           linux-image-6.1.0-37-amd64-dbg
linux-image-4.19.17-xxxx-std-ipv6-64          linux-image-6.1.0-37-amd64-unsigned
linux-image-4.19.17-xxxx-std-ipv6-64-hz1000   linux-image-6.1.0-37-cloud-amd64
linux-image-4.19.18-mod-std-ipv6-64           linux-image-6.1.0-37-cloud-amd64-dbg
linux-image-4.19.18-xxxx-std-ipv6-64          linux-image-6.1.0-37-cloud-amd64-unsigned
linux-image-4.19.18-xxxx-std-ipv6-64-hz1000   linux-image-6.1.0-37-rt-amd64
linux-image-4.19.44-mod-std-ipv6-64           linux-image-6.1.0-37-rt-amd64-dbg
linux-image-4.19.44-xxxx-std-ipv6-64          linux-image-6.1.0-37-rt-amd64-unsigned
linux-image-4.19.44-xxxx-std-ipv6-64-hz1000   linux-image-6.1.0-38-amd64
linux-image-4.19-ovh                          linux-image-6.1.0-38-amd64-dbg
linux-image-4.19-ovh-mod-std-ipv6-64          linux-image-6.1.0-38-amd64-unsigned
linux-image-4.19-ovh-xxxx-pcs-ipv6-64         linux-image-6.1.0-38-cloud-amd64
linux-image-4.19-ovh-xxxx-std-ipv6-64         linux-image-6.1.0-38-cloud-amd64-dbg
linux-image-4.19-ovh-xxxx-std-ipv6-64-hz1000  linux-image-6.1.0-38-cloud-amd64-unsigned
linux-image-5.10-ovh-mod-std                  linux-image-6.1.0-38-rt-amd64
linux-image-5.15-ovh-mod-std                  linux-image-6.1.0-38-rt-amd64-dbg
linux-image-6.1.0-33-amd64                    linux-image-6.1.0-38-rt-amd64-unsigned
linux-image-6.1.0-33-cloud-amd64              linux-image-6.1.0-39-amd64
linux-image-6.1.0-33-rt-amd64                 linux-image-6.1.0-39-amd64-dbg
linux-image-6.1.0-34-amd64                    linux-image-6.1.0-39-amd64-unsigned
linux-image-6.1.0-34-cloud-amd64              linux-image-6.1.0-39-cloud-amd64
linux-image-6.1.0-34-rt-amd64                 linux-image-6.1.0-39-cloud-amd64-dbg
linux-image-6.1.0-35-amd64                    linux-image-6.1.0-39-cloud-amd64-unsigned
linux-image-6.1.0-35-amd64-dbg                linux-image-6.1.0-39-rt-amd64
linux-image-6.1.0-35-amd64-unsigned           linux-image-6.1.0-39-rt-amd64-dbg
linux-image-6.1.0-35-cloud-amd64              linux-image-6.1.0-39-rt-amd64-unsigned
linux-image-6.1.0-35-cloud-amd64-dbg          linux-image-amd64
linux-image-6.1.0-35-cloud-amd64-unsigned     linux-image-amd64-dbg
linux-image-6.1.0-35-rt-amd64                 linux-image-amd64-signed-template
linux-image-6.1.0-35-rt-amd64-dbg             linux-image-cloud-amd64
linux-image-6.1.0-35-rt-amd64-unsigned        linux-image-cloud-amd64-dbg
linux-image-6.1.0-36-amd64                    linux-image-rt-amd64
linux-image-6.1.0-36-cloud-amd64              linux-image-rt-amd64-dbg
linux-image-6.1.0-36-rt-amd64

here are the command to update the kernel :

> sudo apt-get install  linux-image-6.1.0-39-amd64
> sudo mv /etc/grub.d/06_OVHkernel /etc/grub.d/96_OVHkernel
> sudo update-grub
> sudo reboot

the server has restarted on the new Kernel

sudo lsmod | grep nf_tables

now gives :

nf_tables             303104  33 nft_ct
nfnetlink              20480  1 nf_tables
libcrc32c              16384  4 nf_conntrack,btrfs,nf_tables,raid456

and

sudo yunohost service status nftables

gives :

nftables: 
  configuration: unknown
  description: Manages open and close connection ports to services
  last_state_change: 2025-09-07 19:44:59
  start_on_boot: enabled
  status: running

Sounds better no ?

Cyril