Gentoo Forums
firewalld fail to start with nftables
Gentoo Forums Forum Index :: Networking & Security
Zapan
n00b
Joined: 07 Oct 2021
Posts: 3

PostPosted: Wed Oct 13, 2021 8:04 pm    Post subject: firewalld fail to start with nftables

Hi,

I can't get firewalld to work with nftables; the start failed with
Code:

oct. 13 21:44:44 JONATHAN-PC firewalld[3746]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_PREROUTING’ in table inet ‘firewalld’?
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_POSTROUTING’ in table inet ‘firewalld’?
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory


The kernel is configured as in the wiki https://wiki.gentoo.org/wiki/Nftables

firewalld.log https://pastebin.com/a7RE4SjB

Anyone have an idea?

Thanks
alamahant
Veteran
Joined: 23 Mar 2019
Posts: 1834

PostPosted: Wed Oct 13, 2021 8:18 pm    Post subject:

Welcome to Gentoo!
In the config file
Code:

/etc/firewalld/firewalld.conf

plz set FirewallBackend to "nftables".
_________________
:)
Zapan
n00b
Joined: 07 Oct 2021
Posts: 3

PostPosted: Wed Oct 13, 2021 8:41 pm    Post subject:

It's already set to FirewallBackend=nftables.

I set IndividualCalls to yes.

The firewalld log says:

Code:

2021-10-13 22:45:11 ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_PREROUTING’ in table inet ‘firewalld’?
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}]}
2021-10-13 22:45:11 ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_PREROUTING’ in table inet ‘firewalld’?
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}]}
2021-10-13 22:45:11 ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_PREROUTING’ in table inet ‘firewalld’?
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}]}
2021-10-13 22:45:11 ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_home", "expr": [{"jump": {"target": "filter_INPUT_POLICIES_pre"}}]}}}]}
2021-10-13 22:45:11 ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_home", "expr": [{"jump": {"target": "filter_INPUT_POLICIES_pre"}}]}}}]}
2021-10-13 22:45:11 ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_home", "expr": [{"jump": {"target": "filter_INPUT_POLICIES_pre"}}]}}}]}
alamahant
Veteran
Joined: 23 Mar 2019
Posts: 1834

PostPosted: Wed Oct 13, 2021 11:52 pm    Post subject:

plz try to temporarily rename or move
Code:

/etc/firewalld/ipsets/*

and restart firewalld.
Were you using firewalld with the iptables backend before?
_________________
:)
Zapan
n00b
Joined: 07 Oct 2021
Posts: 3

PostPosted: Thu Oct 14, 2021 11:18 pm    Post subject:

Code:

[01:16]root:/home/jonathan # /etc/firewalld/ipsets/*
bash: /etc/firewalld/ipsets/*: No such file or directory

Quote:
Were you using firewalld with backend iptables before?

Yes.

Kernel Netfilter config:

Code:

#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_LOG_SYSLOG=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
# CONFIG_NF_CONNTRACK_LABELS is not set
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_IRC=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_CT_NETLINK=y
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NF_NAT=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_IRC=y
CONFIG_NF_NAT_SIP=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
# CONFIG_NFT_NUMGEN is not set
# CONFIG_NFT_CT is not set
# CONFIG_NFT_COUNTER is not set
# CONFIG_NFT_LOG is not set
# CONFIG_NFT_LIMIT is not set
# CONFIG_NFT_MASQ is not set
# CONFIG_NFT_REDIR is not set
# CONFIG_NFT_NAT is not set
# CONFIG_NFT_TUNNEL is not set
# CONFIG_NFT_OBJREF is not set
# CONFIG_NFT_QUOTA is not set
CONFIG_NFT_REJECT=y
CONFIG_NFT_REJECT_INET=y
# CONFIG_NFT_COMPAT is not set
# CONFIG_NFT_HASH is not set
# CONFIG_NFT_XFRM is not set
# CONFIG_NFT_SOCKET is not set
# CONFIG_NFT_TPROXY is not set
# CONFIG_NF_DUP_NETDEV is not set
# CONFIG_NFT_DUP_NETDEV is not set
# CONFIG_NFT_FWD_NETDEV is not set
# CONFIG_NFT_REJECT_NETDEV is not set
# CONFIG_NF_FLOW_TABLE is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XTABLES_COMPAT=y

#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=y
# CONFIG_NF_SOCKET_IPV4 is not set
# CONFIG_NF_TPROXY_IPV4 is not set
CONFIG_NF_TABLES_IPV4=y
CONFIG_NFT_REJECT_IPV4=y
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
# CONFIG_NF_TABLES_ARP is not set
# CONFIG_NF_DUP_IPV4 is not set
CONFIG_NF_LOG_ARP=y
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_RAW is not set
# end of IP: Netfilter Configuration

#
# IPv6: Netfilter Configuration
#
# CONFIG_NF_SOCKET_IPV6 is not set
# CONFIG_NF_TPROXY_IPV6 is not set
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_REJECT_IPV6=y
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=y
CONFIG_NF_LOG_IPV6=y
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_REJECT=y
CONFIG_IP6_NF_MANGLE=y
# CONFIG_IP6_NF_RAW is not set
# end of IPv6: Netfilter Configuration
alamahant
Veteran
Joined: 23 Mar 2019
Posts: 1834

PostPosted: Fri Oct 15, 2021 8:46 am    Post subject:

Then plz try to locate the "ipsets" directory:
Code:

equery f firewalld | grep ipsets

When it comes to iptables and nftables, don't be stingy with your kernel .config.
Best if you enable everything.
_________________
:)
user
Apprentice
Joined: 08 Feb 2004
Posts: 176

PostPosted: Fri Oct 15, 2021 8:38 pm    Post subject:

Hi Jonathan,
it looks like the firewalld python-nftables wrapper prints no helpful error messages.

My best guess: this wrapper hot air
Code:
ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_PREROUTING’ in table inet ‘firewalld’?

is maybe triggered by
Code:
{"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}

which is a result of missing kernel support:
Code:

# CONFIG_NFT_NAT is not set


My best hint: get rid of the firewalld/python/json wrapper stuff and use native nft commands to rule your firewall.
You will learn more (in the spirit of Gentoo) and reduce wrapper hot waffle.
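To turn the guess above into something checkable, here is an added Python example (not code from this thread and not part of firewalld) that reads the "JSON blob:" lines firewalld logs with IndividualCalls=yes, works out which kernel options each failing nftables command depends on (a nat chain type needs CONFIG_NFT_NAT, a masquerade expression CONFIG_NFT_MASQ, and so on), and lists those the kernel .config leaves unset. The feature-to-option table, the sample log and the sample .config excerpt are my own constructions, modelled on what the thread shows.

```python
import json
import re

# nftables JSON feature -> kernel option providing it (from net/netfilter/Kconfig;
# only mappings I am sure of are listed; an assumed, hand-written table).
CHAIN_TYPE_OPTIONS = {"nat": "CONFIG_NFT_NAT"}
EXPR_OPTIONS = {"snat": "CONFIG_NFT_NAT", "dnat": "CONFIG_NFT_NAT", "masquerade": "CONFIG_NFT_MASQ",
                "redirect": "CONFIG_NFT_REDIR", "ct": "CONFIG_NFT_CT", "counter": "CONFIG_NFT_COUNTER",
                "limit": "CONFIG_NFT_LIMIT", "log": "CONFIG_NFT_LOG", "reject": "CONFIG_NFT_REJECT"}

def enabled_options(config_text):
    """CONFIG_* symbols built in (=y) or as modules (=m) in a kernel .config."""
    return set(re.findall(r"^(CONFIG_\w+)=[ym]$", config_text, re.M))

def failed_commands(log_text):
    """JSON commands that follow 'JSON blob:' lines (the IndividualCalls=yes log format)."""
    lines = log_text.splitlines()
    return [json.loads(lines[i + 1]) for i, l in enumerate(lines[:-1]) if l.strip() == "JSON blob:"]

def keys_in(obj):
    """Recursively yield every dict key in a JSON value (nft expressions nest)."""
    children = list(obj.values()) if isinstance(obj, dict) else obj if isinstance(obj, list) else []
    yield from (obj.keys() if isinstance(obj, dict) else [])
    for child in children:
        yield from keys_in(child)

def required_options(command):
    """Kernel options one nftables JSON command depends on."""
    needed = set()
    for body in (v for item in command.get("nftables", []) for v in item.values() if isinstance(v, dict)):
        chain, rule = body.get("chain"), body.get("rule")  # "add chain" vs "add rule" bodies
        if isinstance(chain, dict) and chain.get("type") in CHAIN_TYPE_OPTIONS:
            needed.add(CHAIN_TYPE_OPTIONS[chain["type"]])      # e.g. nat chain -> nft_chain_nat
        if isinstance(rule, dict):
            needed |= {EXPR_OPTIONS[k] for k in keys_in(rule.get("expr", [])) if k in EXPR_OPTIONS}
    return needed

def missing_support(log_text, config_text):
    """Sorted options that the logged commands need but the .config leaves off."""
    needed = set().union(*(required_options(c) for c in failed_commands(log_text)))
    return sorted(needed - enabled_options(config_text))

# Constructed sample: the nat_PREROUTING chain command from the thread, plus a masquerade rule,
# checked against the .config lines the poster showed.
SAMPLE_LOG = "JSON blob:\n" + json.dumps({"nftables": [{"add": {"chain": {"family": "inet", "table": "firewalld",
    "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}]}) + "\nJSON blob:\n" + json.dumps(
    {"nftables": [{"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POSTROUTING",
    "expr": [{"match": {"op": "==", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"masquerade": None}]}}}]})
SAMPLE_CONFIG = "CONFIG_NF_TABLES=y\n# CONFIG_NFT_CT is not set\n# CONFIG_NFT_MASQ is not set\n# CONFIG_NFT_NAT is not set\nCONFIG_NFT_REJECT=y\n"

if __name__ == "__main__":
    print(missing_support(SAMPLE_LOG, SAMPLE_CONFIG))  # ['CONFIG_NFT_CT', 'CONFIG_NFT_MASQ', 'CONFIG_NFT_NAT']
```

On a real system, feed it `/var/log/firewalld` and `/proc/config.gz` (decompressed) or `/usr/src/linux/.config`.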