FS#59674 - [firewalld] (default) nftables backend broken

Attached to Project: Community Packages
Opened by Sijmen Woutersen (sijmen.woutersen) - Thursday, 16 August 2018, 07:32 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 25 August 2018, 03:00 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

The (now default) nftables backend for firewalld doesn't work (after a clean install of Arch):

Aug 14 14:18:20 swolin firewalld[539]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Aug 14 14:18:20 swolin firewalld[539]: ERROR: '/usr/bin/nft add chain ip firewalld nat_PREROUTING { type nat hook prerouting priority -90 ; }' failed: Error: Could not process rule: Device or resource busy
add chain ip firewalld nat_PREROUTING { type nat hook prerouting priority -90 ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I tried various things suggested on the internet (blacklisting iptable_nat), but I could only get this working by switching back to iptables. I don't know if this is an Arch, firewalld or nftables issue (but it seems new Arch installs are now broken).

Steps to reproduce:
* clean install arch
* install firewalld
* start it

Or maybe:
* change iptables to nftables in /etc/firewalld/firewalld.conf

firewalld version: 0.6.1-1
nftables version: 1:0.9.0-1
This task depends upon

Closed by  Doug Newgard (Scimmia)
Saturday, 25 August 2018, 03:00 GMT
Reason for closing:  None
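The thread never pins down what made the nftables backend fail. What the report does establish is the exact nft command that failed (`add chain ip firewalld nat_PREROUTING { type nat hook prerouting priority -90 ; }` with "Device or resource busy") and the module the reporter tried blacklisting (iptable_nat). The script below is an added diagnostic, not part of the bug report or of firewalld: it reads the backend chosen in /etc/firewalld/firewalld.conf, checks lsmod for the legacy NAT modules, and repeats the failing chain creation in a throw-away table so the EBUSY can be reproduced outside firewalld. Parsing is kept in pure functions so it can be run on captured text without root. The table name `firewalld_probe` and the module list are my choices; the note that kernels before 4.18 allowed only one NAT hook per address family (so a loaded iptable_nat blocks this exact nft chain with EBUSY) is a general kernel fact, not something this thread confirms was the cause here.

```python
"""Added diagnostic for the nft EBUSY in FS#59674; not firewalld's own code."""
import subprocess

# Legacy xtables NAT modules. Assumption: on kernels before 4.18 only one NAT
# hook per family could be registered, so a loaded iptable_nat makes nft's
# "add chain ... type nat hook prerouting" fail with EBUSY.
LEGACY_NAT_MODULES = ("iptable_nat", "ip6table_nat")

# The exact chain definition from the failing log line in the report.
PROBE_CHAIN_SPEC = "{ type nat hook prerouting priority -90 ; }"


def firewalld_backend(conf_text):
    """Return the FirewallBackend value from firewalld.conf text, or None if unset."""
    backend = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "FirewallBackend":
            backend = value.strip()
    return backend


def conflicting_nat_modules(lsmod_text):
    """Return the legacy NAT modules present in `lsmod` output (header skipped)."""
    loaded = set()
    for line in lsmod_text.splitlines()[1:]:
        parts = line.split()
        if parts:
            loaded.add(parts[0])
    return sorted(m for m in LEGACY_NAT_MODULES if m in loaded)


def is_hook_busy(nft_stderr):
    """True if nft refused the chain with EBUSY, as in the report's log."""
    return "Device or resource busy" in nft_stderr


def probe_nat_chain(table="firewalld_probe", runner=subprocess.run):
    """Repeat the report's failing chain creation in a scratch table.

    Returns (ok, stderr). Needs root and the nft binary when run for real;
    `runner` is injectable so the logic can be exercised on recorded output.
    nft accepts the whole command as a single argument.
    """
    cmds = [
        "add table ip %s" % table,
        "add chain ip %s nat_PREROUTING %s" % (table, PROBE_CHAIN_SPEC),
    ]
    ok, stderr = True, ""
    for cmd in cmds:
        res = runner(["nft", cmd], capture_output=True, text=True)
        if res.returncode != 0:
            ok, stderr = False, res.stderr
            break
    # Always remove the scratch table so the probe leaves nothing behind.
    runner(["nft", "delete table ip %s" % table], capture_output=True, text=True)
    return ok, stderr


def diagnose():
    """Collect the three facts and print a short verdict (root required)."""
    with open("/etc/firewalld/firewalld.conf") as fh:
        backend = firewalld_backend(fh.read())
    lsmod = subprocess.run(["lsmod"], capture_output=True, text=True).stdout
    modules = conflicting_nat_modules(lsmod)
    ok, err = probe_nat_chain()
    print("FirewallBackend:", backend or "(unset)")
    print("legacy NAT modules loaded:", ", ".join(modules) or "none")
    print("nft nat prerouting chain:", "ok" if ok else "FAILED: " + err.strip())
    if not ok and is_hook_busy(err) and modules:
        print("EBUSY with legacy NAT loaded: unload/blacklist", ", ".join(modules),
              "or use a kernel that allows multiple NAT hooks")


if __name__ == "__main__":
    diagnose()
```

Run it as root on the affected machine; on a working system the chain probe prints "ok" and the scratch table is deleted again. If you only have a journal excerpt and an `lsmod` dump from the broken box, feed them to `is_hook_busy` and `conflicting_nat_modules` directly.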
Comment by Josias Wolhuter (hawkinsthewizard) - Tuesday, 21 August 2018, 15:53 GMT
I thought it was just me. I also found running firewalld with the '--nofork --debug' options and in journalctl -xmu firewalld that part of the problem might be in /usr/*/python3.7/*nft*.py and firewalld.py. Was firewalld or nft expecting python2 perhaps?

One of the problems (using iptables backend):
2018-08-21 17:58:23 DEBUG1: Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/firewall/server/decorators.py", line 53, in handle_exceptions
return func(*args, **kwargs)
File "/usr/lib/python3.7/site-packages/firewall/server/firewalld.py", line 94, in start
return self.fw.start()
File "/usr/lib/python3.7/site-packages/firewall/core/fw.py", line 482, in start
self._start()
File "/usr/lib/python3.7/site-packages/firewall/core/fw.py", line 451, in _start
self.zone.apply_zones(use_transaction=transaction)
File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 155, in apply_zones
use_zone_transaction=zone_transaction)
File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 87, in _error2warning
f(name, *args, **kwargs)
File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 701, in add_rule
mark = self.__rule(True, _zone, rule, None, zone_transaction)
File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 676, in __rule
zone_transaction)
File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 1782, in _rule_prepare
enable, zone, rule)
File "/usr/lib/python3.7/site-packages/firewall/core/ipXtables.py", line 1116, in build_zone_rich_source_destination_rules
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
File "/usr/lib/python3.7/site-packages/firewall/core/ipXtables.py", line 855, in _rich_rule_source_fragment
flags = self._fw.zone.__ipset_match_flags(rich_source.ipset, "src")
AttributeError: 'FirewallZone' object has no attribute '_ip4tables__ipset_match_flags'

2018-08-21 17:58:23 Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/firewall/server/decorators.py", line 53, in handle_exceptions
return func(*args, **kwargs)
File "/usr/lib/python3.7/site-packages/firewall/server/firewalld.py", line 94, in start
return self.fw.start()
File "/usr/lib/python3.7/site-packages/firewall/core/fw.py", line 482, in start
self._start()
File "/usr/lib/python3.7/site-packages/firewall/core/fw.py", line 451, in _start
self.zone.apply_zones(use_transaction=transaction)
File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 155, in apply_zones
use_zone_transaction=zone_transaction)
File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 87, in _error2warning
f(name, *args, **kwargs)
File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 701, in add_rule
mark = self.__rule(True, _zone, rule, None, zone_transaction)
File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 676, in __rule
zone_transaction)
File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 1782, in _rule_prepare
enable, zone, rule)
File "/usr/lib/python3.7/site-packages/firewall/core/ipXtables.py", line 1116, in build_zone_rich_source_destination_rules
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
File "/usr/lib/python3.7/site-packages/firewall/core/ipXtables.py", line 855, in _rich_rule_source_fragment
flags = self._fw.zone.__ipset_match_flags(rich_source.ipset, "src")
AttributeError: 'FirewallZone' object has no attribute '_ip4tables__ipset_match_flags'

Second problem (using nftables): Making changes in firewall-gui runtime then 'runtime to permanent'
File "/usr/lib/python3.7/site-packages/firewall/server/decorators.py", line 68, in dbus_handle_exceptions
return func(*args, **kwargs)
File "/usr/lib/python3.7/site-packages/firewall/server/firewalld.py", line 466, in runtimeToPermanent
for interface in settings.getInterfaces():
UnboundLocalError: local variable 'settings' referenced before assignment

2018-08-21 19:15:29 Traceback (most recent call last):
File "/usr/lib/python3.7/site-packages/firewall/server/decorators.py", line 68, in dbus_handle_exceptions
return func(*args, **kwargs)
File "/usr/lib/python3.7/site-packages/firewall/server/firewalld.py", line 466, in runtimeToPermanent
for interface in settings.getInterfaces():
UnboundLocalError: local variable 'settings' referenced before assignment
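The mangled attribute name in the first traceback above (`_ip4tables__ipset_match_flags`) is what Python produces when a class body references a double-underscore name that belongs to a different class: the compiler rewrites `self._fw.zone.__ipset_match_flags` inside class `ip4tables` to `self._fw.zone._ip4tables__ipset_match_flags`, which `FirewallZone` never defined. That is a bug in the calling code, not a Python 2 versus Python 3 difference. The following is an added illustration, not firewalld's code: a stripped-down model of the two classes named in the traceback, showing the failing call and the usual fix (expose a public wrapper). The names `_Fw` and `ipset_match_flags` and the return format are my own.

```python
"""Why the traceback ends in '_ip4tables__ipset_match_flags' (added illustration)."""


class FirewallZone:
    """Models firewall/core/fw_zone.py, which defines the method as 'private'."""

    def __ipset_match_flags(self, ipset, match):
        # Stored on the class as _FirewallZone__ipset_match_flags.
        return "%s,%s" % (match, ipset)

    def ipset_match_flags(self, ipset, match):
        # Fix: a public wrapper that other classes can call without mangling.
        return self.__ipset_match_flags(ipset, match)


class _Fw:
    """Stand-in for the Firewall object that holds the zone manager."""

    def __init__(self):
        self.zone = FirewallZone()


class ip4tables:
    """Models firewall/core/ipXtables.py; class name kept as in the traceback."""

    def __init__(self):
        self._fw = _Fw()

    def broken_source_fragment(self, ipset):
        # Inside class ip4tables the compiler rewrites the attribute below to
        # self._fw.zone._ip4tables__ipset_match_flags, hence the AttributeError.
        return self._fw.zone.__ipset_match_flags(ipset, "src")

    def fixed_source_fragment(self, ipset):
        # Public wrapper: no leading double underscore, so no mangling.
        return self._fw.zone.ipset_match_flags(ipset, "src")


def mangled_lookup_error():
    """Return the AttributeError text the broken call raises, or None."""
    try:
        ip4tables().broken_source_fragment("blocklist")
    except AttributeError as exc:
        return str(exc)
    return None


def attribute_names_referenced():
    """Names the compiler actually emitted for the broken method (see co_names)."""
    return ip4tables.broken_source_fragment.__code__.co_names
```

Because the rewriting happens at compile time, `co_names` of the broken method already contains the mangled name; no instance of `FirewallZone` can ever satisfy it, regardless of interpreter version.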
Comment by loqs (loqs) - Tuesday, 21 August 2018, 18:28 GMT
Have you reported the issue upstream https://github.com/firewalld/firewalld/issues ?
Comment by Sijmen Woutersen (sijmen.woutersen) - Wednesday, 22 August 2018, 07:24 GMT
I have not reported this (yet). As it happens with the default configuration, and I cannot find any information on this issue, I think this is an integration issue in Arch Linux? Perhaps because of a different nftables or python version? I have no experience with nftables or iptables (which is why I use firewalld :)), so debugging this is a bit difficult.

Does anyone have a working setup with nftables and firewalld?
Comment by Sijmen Woutersen (sijmen.woutersen) - Wednesday, 22 August 2018, 07:30 GMT
Hmm, I just tried another Arch system, fully upgraded it and switched it (or maybe it already was) to using the nftables backend. This system does not show any issues though. I'll try to find out the differences
Comment by Sijmen Woutersen (sijmen.woutersen) - Thursday, 23 August 2018, 09:08 GMT
I upgraded the previously broken system, switched it back to nftables and it now works without problems. Firewalld was updated, but no relevant changes (I tried rolling it back, and the previous version now also works). nftables is not upgraded so the problem was caused by something else. I don't think I'll ever figure out what exactly caused it, and since it is now working, I guess this report can be closed.
Comment by Josias Wolhuter (hawkinsthewizard) - Friday, 24 August 2018, 13:16 GMT
Upstream isn't https://github.com/firewalld/firewalld/ anymore. Firewalld was forked at some point and https://github.com/t-woerner/firewalld is now not updated since December 2017
Comment by loqs (loqs) - Friday, 24 August 2018, 18:21 GMT
@hawkinsthewizard https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/firewalld&id=5b71080ad08fce0bc1da7c4829dc7c8b0fb07613#n25
source=("git+https://github.com/firewalld/firewalld.git#tag=v${pkgver}"
If you do not consider https://github.com/firewalld/firewalld/ as upstream and you acknowledge https://github.com/t-woerner/firewalld has not been updated since December 2017 and has no 0.6.1 release/tag, what do you consider upstream?