FS#59674 - [firewalld] (default) nftables backend broken
Attached to Project:
Community Packages
Opened by Sijmen Woutersen (sijmen.woutersen) - Thursday, 16 August 2018, 07:32 GMT
Last edited by Doug Newgard (Scimmia) - Saturday, 25 August 2018, 03:00 GMT
Details
The (now default) nftables backend for firewalld doesn't work (after a clean install of Arch):

Aug 14 14:18:20 swolin firewalld[539]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Aug 14 14:18:20 swolin firewalld[539]: ERROR: '/usr/bin/nft add chain ip firewalld nat_PREROUTING { type nat hook prerouting priority -90 ; }' failed: Error: Could not process rule: Device or resource busy
add chain ip firewalld nat_PREROUTING { type nat hook prerouting priority -90 ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I tried various things suggested on the internet (blacklisting iptable_nat), but I could only get this working by switching back to iptables. I don't know if this is an Arch, firewalld or nftables issue (but it seems new Arch installs are now broken).

Steps to reproduce:
* clean install arch
* install firewalld
* start it

Or maybe:
* change iptables to nftables in /etc/firewalld/firewalld.conf

firewalld version: 0.6.1-1
nftables version: 1:0.9.0-1
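As an added example (not the reporter's or the firewalld project's code): a small Python diagnostic that pulls the failed nft command out of journal lines like the ones above and correlates an EBUSY on a "type nat hook" chain with a loaded legacy NAT table module. The sample journal text is reconstructed from the report; the /proc/modules snapshot is constructed, not taken from the reporter's machine. The correlation rests on the assumption, commonly given for this error on kernels of that era, that the iptables NAT table (iptable_nat) and an nftables NAT chain cannot both register the IPv4 NAT hook, so the script reports a likely cause rather than a proven one.

```python
import re

# Constructed sample input: the two firewalld ERROR lines from the report
# as journald prints them, and a /proc/modules snapshot (constructed) in
# which the legacy iptables NAT table module is still loaded.
JOURNAL = """\
Aug 14 14:18:20 swolin firewalld[539]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Aug 14 14:18:20 swolin firewalld[539]: ERROR: '/usr/bin/nft add chain ip firewalld nat_PREROUTING { type nat hook prerouting priority -90 ; }' failed: Error: Could not process rule: Device or resource busy
"""

PROC_MODULES = """\
iptable_nat 16384 0 - Live 0x0000000000000000
nf_nat_ipv4 16384 1 iptable_nat, Live 0x0000000000000000
nf_tables 122880 0 - Live 0x0000000000000000
ext4 737280 1 - Live 0x0000000000000000
"""

# firewalld logs a failed backend call as: ERROR: '<command>' failed: <error>
NFT_FAIL = re.compile(
    r"firewalld\[\d+\]: ERROR: '(?P<cmd>/usr/bin/nft [^']*)' failed: "
    r"(?P<err>.*)$")
# Chain definitions that register a NAT hook, e.g. "type nat hook prerouting"
NAT_HOOK = re.compile(r"\btype nat hook (?P<hook>\w+)\b")
# Modules that register the iptables NAT table (the assumed conflicting party)
LEGACY_NAT = {"iptable_nat", "ip6table_nat"}


def failed_nft_commands(journal):
    """Return [(nft command, error text)] for every nft failure in the journal."""
    found = []
    for line in journal.splitlines():
        m = NFT_FAIL.search(line)
        if m:
            found.append((m.group("cmd"), m.group("err")))
    return found


def loaded_modules(proc_modules):
    """Module names are the first column of /proc/modules."""
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def diagnose(journal, proc_modules):
    """Flag nft NAT-chain registrations that failed with EBUSY and report
    which legacy NAT modules were loaded at the same time."""
    mods = loaded_modules(proc_modules)
    findings = []
    for cmd, err in failed_nft_commands(journal):
        hook = NAT_HOOK.search(cmd)
        if hook and "Device or resource busy" in err:
            clash = sorted(mods & LEGACY_NAT)
            findings.append({
                "hook": hook.group("hook"),
                "command": cmd,
                "legacy_nat_modules": clash,
                # Assumption: an iptables NAT table already holding the hook
                # is the usual reason the nft NAT chain gets EBUSY.
                "likely_cause": ("iptables NAT table already owns the NAT hook"
                                 if clash else
                                 "EBUSY without a legacy NAT module loaded"),
            })
    return findings


if __name__ == "__main__":
    for finding in diagnose(JOURNAL, PROC_MODULES):
        print(finding)
```

On a real host, feed it the output of `journalctl -u firewalld` and the contents of `/proc/modules` instead of the constructed strings; an empty `legacy_nat_modules` list means the conflict has a different origin and blacklisting iptable_nat will not help.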
One of the problems (using iptables backend):
2018-08-21 17:58:23 DEBUG1: Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/firewall/server/decorators.py", line 53, in handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/firewall/server/firewalld.py", line 94, in start
    return self.fw.start()
  File "/usr/lib/python3.7/site-packages/firewall/core/fw.py", line 482, in start
    self._start()
  File "/usr/lib/python3.7/site-packages/firewall/core/fw.py", line 451, in _start
    self.zone.apply_zones(use_transaction=transaction)
  File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 155, in apply_zones
    use_zone_transaction=zone_transaction)
  File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 87, in _error2warning
    f(name, *args, **kwargs)
  File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 701, in add_rule
    mark = self.__rule(True, _zone, rule, None, zone_transaction)
  File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 676, in __rule
    zone_transaction)
  File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 1782, in _rule_prepare
    enable, zone, rule)
  File "/usr/lib/python3.7/site-packages/firewall/core/ipXtables.py", line 1116, in build_zone_rich_source_destination_rules
    rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
  File "/usr/lib/python3.7/site-packages/firewall/core/ipXtables.py", line 855, in _rich_rule_source_fragment
    flags = self._fw.zone.__ipset_match_flags(rich_source.ipset, "src")
AttributeError: 'FirewallZone' object has no attribute '_ip4tables__ipset_match_flags'
2018-08-21 17:58:23 Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/firewall/server/decorators.py", line 53, in handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/firewall/server/firewalld.py", line 94, in start
    return self.fw.start()
  File "/usr/lib/python3.7/site-packages/firewall/core/fw.py", line 482, in start
    self._start()
  File "/usr/lib/python3.7/site-packages/firewall/core/fw.py", line 451, in _start
    self.zone.apply_zones(use_transaction=transaction)
  File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 155, in apply_zones
    use_zone_transaction=zone_transaction)
  File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 87, in _error2warning
    f(name, *args, **kwargs)
  File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 701, in add_rule
    mark = self.__rule(True, _zone, rule, None, zone_transaction)
  File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 676, in __rule
    zone_transaction)
  File "/usr/lib/python3.7/site-packages/firewall/core/fw_zone.py", line 1782, in _rule_prepare
    enable, zone, rule)
  File "/usr/lib/python3.7/site-packages/firewall/core/ipXtables.py", line 1116, in build_zone_rich_source_destination_rules
    rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
  File "/usr/lib/python3.7/site-packages/firewall/core/ipXtables.py", line 855, in _rich_rule_source_fragment
    flags = self._fw.zone.__ipset_match_flags(rich_source.ipset, "src")
AttributeError: 'FirewallZone' object has no attribute '_ip4tables__ipset_match_flags'
Second problem (using nftables): making changes in firewall-gui runtime, then 'runtime to permanent':
  File "/usr/lib/python3.7/site-packages/firewall/server/decorators.py", line 68, in dbus_handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/firewall/server/firewalld.py", line 466, in runtimeToPermanent
    for interface in settings.getInterfaces():
UnboundLocalError: local variable 'settings' referenced before assignment
2018-08-21 19:15:29 Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/firewall/server/decorators.py", line 68, in dbus_handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/firewall/server/firewalld.py", line 466, in runtimeToPermanent
    for interface in settings.getInterfaces():
UnboundLocalError: local variable 'settings' referenced before assignment
Does anyone have a working setup with nftables and firewalld?
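As an added example (not firewalld's code, and not part of the comment above): the two Python failure modes behind the tracebacks, reduced to stand-in classes whose names mirror the log. The first reproduces the exact AttributeError text: inside `class ip4tables`, the expression `self._fw.zone.__ipset_match_flags` is name-mangled at compile time to `_ip4tables__ipset_match_flags`, a name `FirewallZone` never defines. The second shows the shape of the UnboundLocalError (a local bound only on some code paths); the actual reason `settings` was unbound in firewalld 0.6.1's `runtimeToPermanent` is not shown on this page, so the loop used here is an assumed stand-in, and every method body is constructed.

```python
"""Added illustration, not firewalld code: class and attribute names mirror
the tracebacks, but every body below is a constructed stand-in."""


class FirewallZone:
    """Stand-in for firewall.core.fw_zone.FirewallZone."""

    def __ipset_match_flags(self, ipset, match):
        # Inside this class body the name is rewritten (mangled) to
        # _FirewallZone__ipset_match_flags at compile time.
        return "-m set --match-set %s %s" % (ipset, match)


class ip4tables:
    """Stand-in for the backend object in firewall.core.ipXtables."""

    def __init__(self, zone):
        self.zone = zone

    def source_fragment_broken(self, ipset):
        # Written inside class ip4tables, __ipset_match_flags is mangled to
        # _ip4tables__ipset_match_flags. FirewallZone has no such attribute,
        # so this raises the AttributeError seen in the log.
        return self.zone.__ipset_match_flags(ipset, "src")

    def source_fragment_fixed(self, ipset):
        # A caller in another class must spell out the owning class's
        # mangled name (or the callee should use a single leading
        # underscore, which Python does not mangle).
        return self.zone._FirewallZone__ipset_match_flags(ipset, "src")


def reproduce_name_mangling(ipset="blocklist"):
    """Return (AttributeError text from the broken call, result of the fixed call)."""
    backend = ip4tables(FirewallZone())
    try:
        backend.source_fragment_broken(ipset)
        error = None
    except AttributeError as exc:
        error = str(exc)
    return error, backend.source_fragment_fixed(ipset)


def runtime_to_permanent_broken(zones):
    """Assumed stand-in for the loop in firewalld.py:runtimeToPermanent.
    'settings' is bound only inside the for body, so an empty 'zones'
    leaves it unbound when the following line reads it."""
    for zone in zones:
        settings = dict(zone)
    return list(settings["interfaces"])  # UnboundLocalError if zones == []


def runtime_to_permanent_fixed(zones):
    """Same logic with 'settings' initialised before any conditional path."""
    settings = None
    for zone in zones:
        settings = dict(zone)
    if settings is None:
        return []
    return list(settings["interfaces"])


def reproduce_unbound_local():
    """Return the UnboundLocalError text raised for an empty zone list."""
    try:
        runtime_to_permanent_broken([])
        return None
    except UnboundLocalError as exc:
        return str(exc)


if __name__ == "__main__":
    print(reproduce_name_mangling())
    print(reproduce_unbound_local())
    print(runtime_to_permanent_fixed([{"interfaces": ["eth0"]}]))
```

The practical lesson for reviewing code like this: a double-underscore attribute is private to the class that defines it, so any cross-class call (backend into zone object) breaks at runtime rather than at import, and a variable first assigned inside a loop or branch needs an initialiser before the code that reads it.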
source=("git+https://github.com/firewalld/firewalld.git#tag=v${pkgver}"

If you do not consider https://github.com/firewalld/firewalld/ as upstream, and you acknowledge https://github.com/t-woerner/firewalld has not been updated since December 2017 and has no 0.6.1 release/tag, what do you consider upstream?