
Firewalls [x] but nftables #1478

Open
internethering opened this issue Apr 1, 2024 · 2 comments
internethering commented Apr 1, 2024

I installed Lynis 3.1.11 and the audit says:

  Components:
  - Firewall               [X]

and:

[+] Software: Firewalls
------------------------------------
libkmod: kmod_module_new_from_loaded: could not open /proc/modules: No such file or directory
Error: could not get list of modules: No such file or directory
  - Checking iptables kernel module                           [ NICHT GEFUNDEN ]
  - Checking iptables in config file                          [ NICHT GEFUNDEN ]
libkmod: kmod_module_new_from_loaded: could not open /proc/modules: No such file or directory
Error: could not get list of modules: No such file or directory
  - Checking host based firewall 

this is wrong:

# nft list ruleset
table inet filter {
        chain services {
[...]

you know nftables? ;)
http://nftables.org/projects/nftables/index.html

mboelen commented Apr 1, 2024

What OS and version are you using? What nftables version?

Also, what is wrong? The output, the used commands within Lynis?

Although I'm sure you meant well (and included a wink), please note that the nftables project is known for changing its syntax without backwards compatibility. So most likely Lynis uses a syntax that used to work (and still does on older systems), but changed. So with the questions above we can hopefully see what goes wrong.

@mboelen mboelen self-assigned this Apr 1, 2024
internethering commented Apr 2, 2024

> What OS and version are you using? What nftables version?

Gentoo Linux (23.0 profile)

# nft -v
nftables v1.0.9 (Old Doc Yak #3)

Kernel 6.8.2-gentoo

> Also, what is wrong? The output, the used commands within Lynis?

lynis audit system

> Although I'm sure you meant well (and included a wink), please note that the nftables project is known for changing its syntax without backwards compatibility. So most likely Lynis uses a syntax that used to work (and still does on older systems), but changed. So with the questions above we can hopefully see what goes wrong.

ok, thanks for this hint, I tried something more:

lynis --debug --verbose --developer audit system

[...]
[+] Software: Firewalls
------------------------------------
[DEBUG] Performing test ID FIRE-4502 (Check iptables kernel module)
libkmod: kmod_module_new_from_loaded: could not open /proc/modules: No such file or directory
Error: could not get list of modules: No such file or directory
  - Checking iptables kernel module                           [ NICHT GEFUNDEN ]
  - Checking iptables in config file                          [ NICHT GEFUNDEN ]
[DEBUG] Performing test ID FIRE-4524 (Check for CSF presence)
[DEBUG] Performing test ID FIRE-4536 (Check nftables status)
libkmod: kmod_module_new_from_loaded: could not open /proc/modules: No such file or directory
Error: could not get list of modules: No such file or directory
[DEBUG] Performing test ID FIRE-4538 (Check nftables basic configuration)
[DEBUG] Performing test ID FIRE-4540 (Check for empty nftables configuration)
[DEBUG] Performing test ID FIRE-4590 (Check firewall status)
  - Checking host based firewall                              [ NOT ACTIVE ]
[DEBUG] Performing test ID FIRE-4594 (Check for APF presence)

Then I had a look in https://github.com/CISOfy/lynis/blob/master/include/tests_firewalls for FIRE-4538 & FIRE-4540:

# AWKBINARY=awk
# TRBINARY=tr
# NFTBINARY=nft
# NFT_VERSION=$(${NFTBINARY} --version 2> /dev/null | ${AWKBINARY} '{ if ($1=="nftables") { print $2 }}' | ${TRBINARY} -d 'v')
# echo $NFT_VERSION
1.0.9
# NFTBINARY=nft
# GREPBINARY=grep
# WCBINARY=wc
# NFT_RULES_LENGTH=$(${NFTBINARY} --stateless list ruleset 2> /dev/null | ${GREPBINARY} -E -v "table|chain|;$|}$|^$" | ${WCBINARY} -l)
# echo $NFT_RULES_LENGTH
14

seems like a bug in lynis
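The two pipelines quoted from tests_firewalls above (version parsing for FIRE-4538, rule counting for FIRE-4540) can be checked offline against a saved ruleset dump. This is an added example, not Lynis code and not from the issue author; it wraps each pipeline in a function that reads stdin, and the ruleset and version strings it feeds in are constructed samples, not taken from the reporter's system.

```shell
#!/bin/sh
# Added example (not Lynis code, not from the issue author): the Lynis
# FIRE-4538 / FIRE-4540 pipelines as stdin-reading functions, so the
# detection logic can be tested against a saved dump without running nft.

# Same awk/tr pipeline Lynis uses on `nft --version` output
# ("nftables v1.0.9 (...)" -> "1.0.9").
nft_version_from_text() {
    awk '{ if ($1=="nftables") { print $2 } }' | tr -d 'v'
}

# Same grep/wc pipeline Lynis uses on `nft --stateless list ruleset`:
# drop any line containing "table" or "chain", lines ending in ';' or '}',
# and blank lines; what remains is counted as rules. Note the match is a
# substring match, so a rule line that merely contains the word "chain"
# (for example a jump target named chain_x) is dropped as well, which makes
# this count a lower bound rather than an exact rule count.
nft_rule_count_from_text() {
    grep -E -v "table|chain|;$|}$|^$" | wc -l | tr -d ' '
}

# Constructed sample ruleset: one inet filter table, an input chain with
# three rules, and an empty forward chain.
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}'

# Constructed sample of `nft --version` output.
SAMPLE_VERSION='nftables v1.0.9 (Old Doc Yak #3)'

version=$(printf '%s\n' "$SAMPLE_VERSION" | nft_version_from_text)
count=$(printf '%s\n' "$SAMPLE_RULESET" | nft_rule_count_from_text)

echo "NFT_VERSION=$version"        # 1.0.9
echo "NFT_RULES_LENGTH=$count"     # 3 (the three rule lines in chain input)
```

To run the same functions against a real system, replace the printf calls with `nft --version | nft_version_from_text` and `nft --stateless list ruleset | nft_rule_count_from_text`.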
