firewalld state shows as "failed"
Gentoo Forums Forum Index :: Networking & Security
Eggplants (n00b; Joined: 22 Oct 2011; Posts: 4)
Posted: Tue Mar 24, 2020 6:46 pm    Post subject: firewalld state shows as "failed"

We've been asked to install firewalld on our home computers for working from home. I'm able to emerge it and there are no apparent errors there. However, when I run /etc/init.d/firewalld start, firewall-cmd --state reports "failed". Looking at /etc/log/firewalld, I see errors like this:

Code:

2020-03-24 11:30:52 ERROR: '/sbin/nft add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }' failed: Error: Could not process rule: No such file or directory
add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }


If I run that command with strace, there are a couple of files showing up as not found (/etc/iproute2/rt_marks and /etc/connlabel.conf), but creating those files doesn't change anything.

Any ideas on how to figure out what's going wrong?

Here's the log file with debugging set to maximum: /etc/log/firewalld

And my kernel config, since some other posts here seem to suggest this can cause problems: Kernel config
Zucca (Veteran; Joined: 14 Jun 2007; Posts: 1710; Location: KUUSANKOSKI, Finland)
Posted: Tue Mar 24, 2020 7:30 pm

Post your
  • equery u firewalld
  • which nft

Newer firewalld versions default to nft rather than to iptables and friends.
_________________
..: Zucca :..

Code:
ERROR: '--failure' is not an option. Aborting...
Eggplants (n00b; Joined: 22 Oct 2011; Posts: 4)
Posted: Tue Mar 24, 2020 9:03 pm

Zucca wrote:
Post your
  • equery u firewalld
  • which nft

Newer firewalld versions default to nft rather than to iptables and friends.

Thanks, it does look like it's using nft based on the errors. Here's the output you asked for:
Code:

% equery u firewalld
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-firewall/firewalld-0.7.1-r2:
 U I
 + + gui                            : Enable support for a graphical user
                                      interface
 + + iptables                       : Add support for net-firewall/nftables as
                                      firewall backend
 + + nftables                       : Add support for net-firewall/nftables as
                                      firewall backend
 - - python_single_target_python2_7 : Build for Python 2.7 only
 + + python_single_target_python3_6 : Build for Python 3.6 only
 - - python_single_target_python3_7 : Build for Python 3.7 only
% which nft
/sbin/nft

I did find some information about the kernel options in the wiki and am rebuilding the kernel now with a couple new options set.
Eggplants (n00b; Joined: 22 Oct 2011; Posts: 4)
Posted: Wed Mar 25, 2020 4:56 pm

I eventually gave up on nftables and changed /etc/firewalld/firewalld.conf to have:
Code:
FirewallBackend=iptables

And that seemed to work; at least, firewall-cmd --state returns "running".
More details on what I tried with nft below in case someone has an idea of what I'm doing wrong with nftables.

Eggplants wrote:
I did find some information about the kernel options in the wiki and am rebuilding the kernel now with a couple new options set.

No joy there; I get the same errors. I then tried running some nft commands from the wiki and eventually got the same "No such file or directory" error. I also tried turning on all the NF_ and NFT_ options in the kernel I could find, but it looks like some require that others be turned off so that didn't seem fruitful.
Zucca (Veteran; Joined: 14 Jun 2007; Posts: 1710; Location: KUUSANKOSKI, Finland)
Posted: Wed Mar 25, 2020 8:28 pm

Using iptables will be deprecated in the future. If I were you I'd investigate why nft doesn't work.

It's a little strange that firewalld would call nft binary since, to my knowledge, firewalld moved to use libnftables (or something like that) to interface with nftables.

Which version do you have?
Code:
# qfile -v "$(which nft)" "$(which firewalld)"
net-firewall/firewalld-0.7.1: /usr/sbin/firewalld
net-firewall/nftables-0.9.0-r5: /sbin/nft


This is how my kernel is configured:
zgrep -E 'CONFIG_(NF_|NFT_)' /proc/config.gz:
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=y
CONFIG_NF_LOG_NETDEV=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_NETLINK_TIMEOUT=m
CONFIG_NF_CT_NETLINK_HELPER=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_PROTO_DCCP=y
CONFIG_NF_NAT_PROTO_UDPLITE=y
CONFIG_NF_NAT_PROTO_SCTP=y
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_SET=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_CT=m
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_CONNLIMIT=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_TUNNEL=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_SOCKET=m
CONFIG_NFT_OSF=m
CONFIG_NFT_TPROXY=m
CONFIG_NF_DUP_NETDEV=m
CONFIG_NFT_DUP_NETDEV=m
CONFIG_NFT_FWD_NETDEV=m
CONFIG_NFT_FIB_NETDEV=m
CONFIG_NF_FLOW_TABLE_INET=m
CONFIG_NF_FLOW_TABLE=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_SOCKET_IPV4=m
CONFIG_NF_TPROXY_IPV4=m
CONFIG_NF_TABLES_IPV4=y
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_DUP_IPV4=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_FLOW_TABLE_IPV4=m
CONFIG_NF_DUP_IPV4=m
CONFIG_NF_LOG_ARP=m
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=m
CONFIG_NF_NAT_IPV4=m
CONFIG_NF_NAT_MASQUERADE_IPV4=y
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
CONFIG_NFT_REDIR_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NF_FLOW_TABLE_IPV6=m
CONFIG_NF_DUP_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT_IPV6=m
CONFIG_NF_NAT_MASQUERADE_IPV6=y
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_TABLES_BRIDGE=y
CONFIG_NFT_BRIDGE_REJECT=m
CONFIG_NF_LOG_BRIDGE=m
... many are built as modules, since I don't use nearly all of them. But those are there if some rule needs them.
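As an added example (not from either poster), a shell check that combines the two lines of diagnosis in this thread: comparing a kernel config against the nftables options assumed here to be needed by firewalld's nftables backend, and re-running the exact "add chain" operation from the OP's log in a throwaway table so the real firewalld table is untouched. The option list is an assumption distilled from Zucca's dump; the table name nft_probe is made up, and a kernel-side "No such file or directory" on "add chain" usually means the table family or chain type is not available in the running kernel (inet filter chains live behind CONFIG_NF_TABLES_INET), not a missing file on disk.

```shell
# Added example, not from the thread: compare a kernel config against the
# nftables options a firewalld nftables backend is assumed to need, and probe
# the exact chain operation from the OP's log in a scratch table.

# Assumption: list distilled from Zucca's posted config; extend it with any
# further CONFIG_NF_/CONFIG_NFT_ options your rules use.
REQUIRED_NFT_OPTS="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NF_CONNTRACK
CONFIG_NFT_CT CONFIG_NFT_NAT CONFIG_NFT_REJECT CONFIG_NFT_REJECT_INET
CONFIG_NFT_LOG CONFIG_NFT_LIMIT CONFIG_NFT_MASQ CONFIG_NFT_REDIR"

# Print each required option that is neither =y nor =m in the config file.
# Usage: zcat /proc/config.gz > /tmp/cfg; missing_nft_opts /tmp/cfg
missing_nft_opts() {
    for opt in $REQUIRED_NFT_OPTS; do
        grep -Eq "^${opt}="'[ym]$' "$1" || echo "$opt"
    done
}

# Probe the operation firewalld logged, in a throwaway table so the real
# 'firewalld' table is untouched. Needs root and nft; returns nft's status.
probe_inet_prerouting_chain() {
    nft add table inet nft_probe || return 1
    nft add chain inet nft_probe raw_PREROUTING \
        '{ type filter hook prerouting priority -290 ; }'
    rc=$?
    nft delete table inet nft_probe
    return $rc
}

# Constructed sample config (not from a real machine) with inet table
# support unset, to show what the check reports.
demo_missing_opts() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
CONFIG_NF_CONNTRACK=m
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_INET is not set
CONFIG_NFT_CT=m
CONFIG_NFT_NAT=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
EOF
    missing_nft_opts "$cfg"
    rm -f "$cfg"
}
```

On a live box, run missing_nft_opts against zcat /proc/config.gz output first; only if nothing is reported is probe_inet_prerouting_chain (as root) worth the trouble.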