Firewall rules that are converted via iptables-nft cause an error when loading the nftables service

Please note that Way to the Web Ltd. (the company behind ConfigServer) has announced it will close permanently on August 31, 2025. However, their free scripts will remain available under the GPLv3 license. For more details, see:

ConfigServer Services Announcement


Symptoms

On servers using AlmaLinux 9 and CloudLinux 9, attempting to start the nftables service fails with an error similar to the following:

Error: unsupported xtables compat expression, use iptables-nft with this ruleset

As a result, the rules stored in /etc/sysconfig/nftables.conf are not loaded into the running firewall.


Description

Some firewall rules are still added through the iptables command and are translated into nftables by the iptables-nft compatibility layer shipped with AlmaLinux 9. Matches and targets that have no native nftables equivalent are stored in the ruleset as xtables compat expressions. The iptables-nft tools can reload such rules, but the native loader used by the nftables service (nft -f) cannot parse them, so a configuration file that contains them fails with the error shown above.

An internal case, CPANEL-46555, is open for our development team to investigate this further. Follow this article to receive an email notification when a solution is published in the product.


Workaround

The default cPanel firewall rules are not affected by this issue. The problematic rules are added by cPanel features such as SMTP Restrictions and by other firewalls such as CSF and Imunify360. All of these services rebuild their own rules when they start, so those rules do not need to be present in the nftables configuration file. A minimal configuration containing only the cPanel defaults is therefore enough for the nftables service to start successfully.

To regenerate a default NFTables configuration, please follow these steps.

1. Any external firewall services must first be stopped on the server.

1a. For Imunify360:

systemctl stop imunify360

1b. For CSF:

csf -x

2. Move aside the current firewall rules:

mv -v /etc/sysconfig/nftables.conf{,.bak}

3. Flush the current firewall. This removes every active rule, so the server has no firewall filtering until step 4 completes; run the remaining steps without delay:

nft flush ruleset

4. Rebuild the default cPanel firewall configuration:

/scripts/configure_firewall_for_cpanel

5. Export the current firewall configuration to the default location:

nft list ruleset > /etc/sysconfig/nftables.conf

6. Restart any external firewall services that are installed.

6a. For Imunify360:

systemctl restart imunify360

6b. For CSF:

csf -e
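The six steps above wrapped in one script, as an added example that is not part of this article or of cPanel's own tooling. It adds two checks a practitioner would want: before moving the old file aside it reports how many xtables compat expression lines it contains, and after the export it refuses to restart the external firewalls until the new file both contains no compat expressions and passes a dry-run parse with `nft -c -f`, the same parse the nftables service performs at boot. Assumptions: the hypothetical `--run` flag guards all system changes; the service and command names are those used in the steps above; and compat expressions appear in `nft list ruleset` output as `xt match "<name>"` or `xt target "<name>"` (older builds print them as `# xt_match` comments, which the pattern also catches).

```shell
#!/bin/bash
# Added example (not from the cPanel article): run the workaround with checks.
# Assumes: --run flag (hypothetical), imunify360/csf service names and
# /scripts/configure_firewall_for_cpanel as used in the article, and that
# compat expressions are printed as 'xt match "..."' / 'xt target "..."'.
set -u

NFT_CONF=/etc/sysconfig/nftables.conf
XT_RE='(^|[[:space:]])xt[ _](match|target) "'

# Exit 0 if the ruleset file contains xtables compat expressions, i.e. rules
# that only iptables-nft can reload and that make `nft -f` fail.
has_xt_compat() {
    grep -Eq "$XT_RE" "$1"
}

# Print how many such lines a file contains (0 when there are none).
count_xt_compat() {
    grep -Ec "$XT_RE" "$1" || true
}

# Parse a ruleset file the way the service would, without touching the live
# firewall. Returns nft's exit status, or 127 when nft is not installed.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 127
    nft -c -f "$1"
}

regenerate_nftables_conf() {
    local stopped_imunify=0 stopped_csf=0

    # Step 1: stop external firewalls so they do not re-add rules mid-rebuild.
    if systemctl is-active --quiet imunify360; then
        systemctl stop imunify360 && stopped_imunify=1
    fi
    if command -v csf >/dev/null 2>&1; then
        csf -x && stopped_csf=1
    fi

    # Step 2: keep the old file with a timestamp; it records what was loaded.
    if [ -f "$NFT_CONF" ]; then
        echo "old config: $(count_xt_compat "$NFT_CONF") compat expression line(s)"
        mv -v "$NFT_CONF" "$NFT_CONF.bak.$(date +%Y%m%d%H%M%S)"
    fi

    # Steps 3-5: flush, rebuild the cPanel defaults, export. There is no
    # filtering between the flush and the rebuild, so nothing pauses here.
    nft flush ruleset
    /scripts/configure_firewall_for_cpanel
    nft list ruleset > "$NFT_CONF"

    # Verify before trusting the result: a compat expression that came back
    # would reproduce the original boot-time failure.
    if has_xt_compat "$NFT_CONF"; then
        echo "ERROR: $NFT_CONF still contains xtables compat expressions:" >&2
        grep -En "$XT_RE" "$NFT_CONF" >&2
        return 1
    fi
    check_ruleset "$NFT_CONF" || {
        echo "ERROR: nft -c -f rejected $NFT_CONF" >&2
        return 1
    }

    # Step 6: bring back only what this script stopped.
    [ "$stopped_imunify" -eq 1 ] && systemctl restart imunify360
    [ "$stopped_csf" -eq 1 ] && csf -e
    return 0
}

# Only modify the system when asked explicitly; sourcing the file for its
# check functions (e.g. to inspect a saved config) has no side effects.
if [ "${1:-}" = "--run" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    regenerate_nftables_conf
fi
```

To see whether a server is affected without changing anything, source the file and run `has_xt_compat /etc/sysconfig/nftables.conf`; a zero exit status means the saved ruleset contains expressions the nftables service cannot load. The pre-check and post-check use the same pattern, so the script fails closed if the rebuild produced a file that would fail again at the next boot.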

For direct assistance with the above steps, and to ensure full compatibility with your server, it is recommended to discuss these steps with your System Administrator.

