
Allow PXE Boot to Function on Warewulf with Rocky Linux 8 With nftables Enabled

Introduction

PXE booting nodes using Warewulf 4.5.x and 4.6.x on Rocky Linux 8 can fail when nftables is active.

This article outlines a working approach to keep nftables enabled without blocking PXE boot traffic.

Users can work around the problem by disabling nftables entirely, which is not ideal for systems requiring persistent firewall rules.

Problem

Enabling nftables on the Controller Node while using Warewulf on Rocky Linux blocks PXE boot traffic, so new nodes cannot be attached to the cluster.

The challenge is creating a rule set that allows all necessary PXE and container traffic through without compromising security.

Symptoms

Compute nodes fail to PXE boot when the Controller Node's nftables service is running.

Disabling nftables with systemctl disable --now nftables allows Compute Nodes to boot successfully.

Resolution

Prerequisites

  • root or sudo privileges.

  • Two or more physical nodes or VMs available for testing.

nftables Configuration

  • Ensure nftables is installed and enabled on the Controller Node:

    dnf install -y nftables

  • Flush any existing rules (make sure to back up any existing configuration first):

    nft flush ruleset

  • Create a new table called filter in the inet family:

    nft add table inet filter

  • Create a new chain named input inside the filter table (this chain processes incoming packets). The braces and semicolon must be quoted so the shell does not interpret them:

    nft add chain inet filter input '{ type filter hook input priority filter; }'

  • Add a rule to the chain to accept incoming traffic on TCP port 9873:

    nft add rule inet filter input tcp dport 9873 accept

  • Permanently save the ruleset to the /etc/nftables.conf file:

    nft list ruleset > /etc/nftables.conf

  • Restart the nftables systemd service:

    systemctl restart nftables
  • Confirm PXE boot works with nftables enabled.

Root cause

PXE and container provisioning in Warewulf require specific ports to be open.

A default or misconfigured nftables ruleset may reject packets that Warewulf requires, especially when broad reject rules are applied early in the chain.

TCP port 9873 is used by Warewulf for HTTP requests. Without this port open, additional nodes cannot be added to the cluster.
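The procedure above adds a single rule to a chain that otherwise accepts everything, and this section explains why a ruleset with early reject or drop rules breaks provisioning. The following script is an added example, not code from the Rocky Linux article or the Warewulf project: it goes beyond the page's single rule and generates a complete /etc/nftables.conf with a default-drop input policy that still admits the traffic a Warewulf Controller Node needs, ordering the accept rules before the final drop. The interface name eth1, the subnet 10.0.0.0/24, and SSH being reachable on every interface are assumptions to adjust for your site; UDP 67/68 (DHCP) and UDP 69 (TFTP) are the standard PXE ports, and TCP 9873 is the Warewulf HTTP port named on this page.

```shell
#!/bin/sh
# Added example, not from the Rocky Linux article or the Warewulf project:
# a complete nftables ruleset for a Warewulf Controller Node that keeps a
# default-drop input policy while still admitting PXE and provisioning traffic.
#
# Assumptions (change them for your site):
#   PROV_IF  - interface facing the compute nodes (assumed "eth1")
#   PROV_NET - subnet the compute nodes boot from (assumed 10.0.0.0/24)
#   SSH (tcp/22) stays reachable on every interface for administration.
# Ports: udp 67/68 (DHCP) and udp 69 (TFTP) are the standard PXE ports;
# tcp 9873 is the Warewulf HTTP port named in the article.

PROV_IF="${PROV_IF:-eth1}"
PROV_NET="${PROV_NET:-10.0.0.0/24}"

# Print the ruleset in nft file syntax. Accept rules are listed before the
# final logging drop, so the chain's drop policy never sees Warewulf traffic.
warewulf_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # loopback and replies to connections the controller opened
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # administration
        tcp dport 22 accept

        # PXE stage 1: DHCP and TFTP, provisioning interface only
        iifname "$PROV_IF" udp dport { 67, 68, 69 } accept

        # PXE stage 2: Warewulf HTTP (kernel, container image, overlays)
        iifname "$PROV_IF" ip saddr $PROV_NET tcp dport 9873 accept

        # ping and IPv6 neighbour discovery
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # everything else: log for troubleshooting, then drop
        log prefix "nft-input-drop: " counter drop
    }
}
EOF
}

# Write the ruleset to the given path (normally /etc/nftables.conf).
write_ruleset() {
    warewulf_ruleset > "$1"
}

# Parse the file without loading it (nft -c). Run this before
# "systemctl restart nftables" so a syntax error is caught before the
# service reloads.
check_ruleset() {
    nft -c -f "$1"
}

# Sanity check that the Warewulf port is accepted rather than dropped;
# returns non-zero if the accept rule is missing or a drop rule for it exists.
ruleset_allows_warewulf() {
    warewulf_ruleset | grep -qF 'tcp dport 9873 accept' || return 1
    warewulf_ruleset | grep -qF 'tcp dport 9873 drop' && return 1
    return 0
}

# Usage (as root):
#   write_ruleset /etc/nftables.conf && check_ruleset /etc/nftables.conf \
#       && systemctl restart nftables
```

After the restart, a compute node that still fails to boot will show up in the kernel log under the "nft-input-drop:" prefix, which tells you which port or interface the ruleset is missing rather than leaving you to guess.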
