Zapan n00b
Joined: 07 Oct 2021 Posts: 3
Posted: Wed Oct 13, 2021 8:04 pm Post subject: firewalld fails to start with nftables
Hi,
I can't get firewalld to work with nftables; it fails to start with
Code:
oct. 13 21:44:44 JONATHAN-PC firewalld[3746]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_PREROUTING’ in table inet ‘firewalld’?
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_POSTROUTING’ in table inet ‘firewalld’?
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
The kernel is configured as described in the wiki: https://wiki.gentoo.org/wiki/Nftables
firewalld.log: https://pastebin.com/a7RE4SjB
Does anyone have an idea?
Thanks
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
Posted: Wed Oct 13, 2021 8:18 pm
Welcome to Gentoo!
In the config file
Code:
/etc/firewalld/firewalld.conf
please set FirewallBackend to "nftables".
Zapan n00b
Joined: 07 Oct 2021 Posts: 3
Posted: Wed Oct 13, 2021 8:41 pm
It's already set to FirewallBackend=nftables.
I set IndividualCalls to yes.
The firewalld log says:
Code:
2021-10-13 22:45:11 ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_PREROUTING’ in table inet ‘firewalld’?
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}]}
2021-10-13 22:45:11 ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_PREROUTING’ in table inet ‘firewalld’?
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}]}
2021-10-13 22:45:11 ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_PREROUTING’ in table inet ‘firewalld’?
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}]}
2021-10-13 22:45:11 ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_home", "expr": [{"jump": {"target": "filter_INPUT_POLICIES_pre"}}]}}}]}
2021-10-13 22:45:11 ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_home", "expr": [{"jump": {"target": "filter_INPUT_POLICIES_pre"}}]}}}]}
2021-10-13 22:45:11 ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_home", "expr": [{"jump": {"target": "filter_INPUT_POLICIES_pre"}}]}}}]}
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
Posted: Wed Oct 13, 2021 11:52 pm
Please try to temporarily rename or move
Code:
/etc/firewalld/ipsets/*
and restart firewalld.
Were you using firewalld with the iptables backend before?
Zapan n00b
Joined: 07 Oct 2021 Posts: 3
Posted: Thu Oct 14, 2021 11:18 pm
Code:
[01:16]root:/home/jonathan # /etc/firewalld/ipsets/*
bash: /etc/firewalld/ipsets/*: No such file or directory
Quote: Were you using firewalld with the iptables backend before?
Yes.
Kernel netfilter configuration:
Code:
#
# Core Netfilter Configuration
#
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=y
CONFIG_NETFILTER_NETLINK_LOG=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_LOG_SYSLOG=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
# CONFIG_NF_CONNTRACK_LABELS is not set
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_IRC=y
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_CT_NETLINK=y
# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
CONFIG_NF_NAT=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_IRC=y
CONFIG_NF_NAT_SIP=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
# CONFIG_NFT_NUMGEN is not set
# CONFIG_NFT_CT is not set
# CONFIG_NFT_COUNTER is not set
# CONFIG_NFT_LOG is not set
# CONFIG_NFT_LIMIT is not set
# CONFIG_NFT_MASQ is not set
# CONFIG_NFT_REDIR is not set
# CONFIG_NFT_NAT is not set
# CONFIG_NFT_TUNNEL is not set
# CONFIG_NFT_OBJREF is not set
# CONFIG_NFT_QUOTA is not set
CONFIG_NFT_REJECT=y
CONFIG_NFT_REJECT_INET=y
# CONFIG_NFT_COMPAT is not set
# CONFIG_NFT_HASH is not set
# CONFIG_NFT_XFRM is not set
# CONFIG_NFT_SOCKET is not set
# CONFIG_NFT_TPROXY is not set
# CONFIG_NF_DUP_NETDEV is not set
# CONFIG_NFT_DUP_NETDEV is not set
# CONFIG_NFT_FWD_NETDEV is not set
# CONFIG_NFT_REJECT_NETDEV is not set
# CONFIG_NF_FLOW_TABLE is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XTABLES_COMPAT=y
#
# IP: Netfilter Configuration
#
CONFIG_NF_DEFRAG_IPV4=y
# CONFIG_NF_SOCKET_IPV4 is not set
# CONFIG_NF_TPROXY_IPV4 is not set
CONFIG_NF_TABLES_IPV4=y
CONFIG_NFT_REJECT_IPV4=y
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
# CONFIG_NF_TABLES_ARP is not set
# CONFIG_NF_DUP_IPV4 is not set
CONFIG_NF_LOG_ARP=y
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_MANGLE=y
# CONFIG_IP_NF_RAW is not set
# end of IP: Netfilter Configuration
#
# IPv6: Netfilter Configuration
#
# CONFIG_NF_SOCKET_IPV6 is not set
# CONFIG_NF_TPROXY_IPV6 is not set
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_REJECT_IPV6=y
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NF_DUP_IPV6 is not set
CONFIG_NF_REJECT_IPV6=y
CONFIG_NF_LOG_IPV6=y
CONFIG_IP6_NF_IPTABLES=y
CONFIG_IP6_NF_MATCH_IPV6HEADER=y
CONFIG_IP6_NF_FILTER=y
CONFIG_IP6_NF_TARGET_REJECT=y
CONFIG_IP6_NF_MANGLE=y
# CONFIG_IP6_NF_RAW is not set
# end of IPv6: Netfilter Configuration
alamahant Advocate
Joined: 23 Mar 2019 Posts: 3916
Posted: Fri Oct 15, 2021 8:46 am
Then please try to locate the "ipsets" directory:
Code:
equery f firewalld | grep ipsets
When it comes to iptables and nftables, don't be stingy with your kernel .config.
It's best if you enable everything.
user Apprentice
Joined: 08 Feb 2004 Posts: 211
Posted: Fri Oct 15, 2021 8:38 pm
Hi Jonathan,
It looks like firewalld's python-nftables wrapper prints no helpful error messages.
My best guess is that this wrapper hot air
Code:
ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘nat_PREROUTING’ in table inet ‘firewalld’?
is maybe triggered by
Code:
{"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PREROUTING", "type": "nat", "hook": "prerouting", "prio": -90}}}
which is a result of missing kernel support:
Code:
# CONFIG_NFT_NAT is not set
My best hint: get rid of the firewalld/python/json wrapper stuff and use native nft commands to rule your firewall.
You will learn more (in the spirit of Gentoo) and reduce wrapper hot waffle.
kms9 n00b
Joined: 09 Aug 2022 Posts: 1
Posted: Tue Aug 09, 2022 5:26 pm
Hi Jonathan,
Were you able to fix this? If yes, what's the fix?
Thanks in advance,
kms
iLaysChipz n00b
Joined: 09 Jul 2024 Posts: 1
Posted: Tue Jul 09, 2024 6:34 pm
kms9 wrote:
Quote: Hi Jonathan,
Were you able to fix this? If yes, what's the fix?
Thanks in advance,
kms
This is fairly old, but in case anyone else stumbles upon this problem: your kernel MUST BE compiled with CONFIG_NFT_NAT=y in order to avoid this issue. If it is not compiled in, you cannot configure the NAT (Natural Address Translation) module, and thus you will get errors any time nftables tries to interface with it.
You can check whether it's compiled in using any one of the following commands:
Code:
# kernel config exported by the running kernel (needs CONFIG_IKCONFIG_PROC)
zgrep CONFIG_NFT_NAT /proc/config.gz
# config file installed next to the kernel image
grep CONFIG_NFT_NAT /boot/config-$(uname -r)
# the remaining three only apply when the option is built as a module (=m);
# with =y there is no nft_nat.ko and they show nothing
lsmod | grep nft_nat
sudo modprobe nft_nat
find /lib/modules/$(uname -r) -type f -name 'nft_nat.ko*'
If you find that your kernel has not been compiled with this option, then you can either recompile and reinstall your kernel with the option set, or you can try to build nft_nat as an "out-of-tree" kernel module.
For the latter option, see:
https://home.regit.org/netfilter-en/nftables-quick-howto/
https://www.baeldung.com/linux/kernel-source-code-headers
https://www.kernel.org/doc/html/latest/kbuild/modules.html
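As an added example (not code from any post in this thread, nor from firewalld): a POSIX shell script that automates the kernel-config check above and the native-nft approach suggested in user's post. It reads a kernel .config, reports every nft option firewalld's nftables backend needs that is neither =y nor =m, and, when run as root with nft installed, reproduces the failing step directly by creating the same object the JSON blob in Zapan's log asks for: a chain of type nat on the prerouting hook at priority -90 in an inet table. Assumptions: the option list is mine (CONFIG_NFT_NAT is the one the thread identifies; the others are the nft expressions firewalld's ruleset uses for conntrack state, masquerade, port redirection, reject, logging and rate limiting, and may differ between firewalld versions), the table name fwd_probe is arbitrary, and the embedded sample config is constructed from the netfilter excerpt Zapan posted so the script demonstrates the failing case offline.

```shell
#!/bin/sh
# Added example, not from the thread or from firewalld. Checks a kernel .config
# for the nft expression modules firewalld's nftables backend relies on and,
# when run as root with nft installed, probes the live kernel by creating the
# nat-hooked chain that firewalld's failing JSON blob requests.

# Assumption: CONFIG_NFT_NAT comes from the thread; the rest are the nft
# expressions firewalld's ruleset uses (ct, masq, redir, reject, log, limit).
# Adjust for your firewalld version.
REQUIRED_NFT_OPTS="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NFT_CT CONFIG_NFT_NAT CONFIG_NFT_MASQ CONFIG_NFT_REDIR CONFIG_NFT_REJECT CONFIG_NFT_REJECT_INET CONFIG_NFT_LOG CONFIG_NFT_LIMIT"

# Print every required option that is neither built in (=y) nor a module (=m)
# in the given .config; exit status 1 if anything is missing, 0 otherwise.
missing_nft_opts() {
    cfg_file=$1
    missing_rc=0
    for opt in $REQUIRED_NFT_OPTS; do
        if ! grep -q "^${opt}=[ym]\$" "$cfg_file"; then
            echo "$opt"
            missing_rc=1
        fi
    done
    return $missing_rc
}

# Locate the running kernel's config: /proc/config.gz (CONFIG_IKCONFIG_PROC)
# or /boot/config-<release>. Prints the path of a readable plain-text copy.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) || return 1
        zcat /proc/config.gz > "$tmp" && echo "$tmp"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Reproduce firewalld's failing step with native nft: a chain of type nat on
# the prerouting hook at priority -90 in an inet table, then clean up. Returns
# nft's exit status (non-zero, with "No such file or directory", when the
# kernel has no nat support for nftables), or 2 when the probe cannot run here
# (no nft binary or not root). Table name fwd_probe is arbitrary.
probe_nat_chain() {
    command -v nft >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    nft add table inet fwd_probe || return 1
    nft add chain inet fwd_probe nat_PREROUTING \
        '{ type nat hook prerouting priority -90 ; }'
    probe_rc=$?
    nft delete table inet fwd_probe
    return $probe_rc
}

# Constructed sample: an excerpt of the netfilter options posted in the thread,
# with CONFIG_NFT_NAT unset, so the failing case can be shown offline.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=y
# CONFIG_NFT_CT is not set
# CONFIG_NFT_LOG is not set
# CONFIG_NFT_LIMIT is not set
# CONFIG_NFT_MASQ is not set
# CONFIG_NFT_REDIR is not set
# CONFIG_NFT_NAT is not set
CONFIG_NFT_REJECT=y
CONFIG_NFT_REJECT_INET=y
EOF

# "live" checks the running kernel; anything else uses the sample above.
if [ "${1:-}" = "live" ]; then
    cfg=$(running_kernel_config) || { echo "no readable kernel config found"; exit 1; }
else
    cfg=$SAMPLE_CONFIG
fi
echo "checking $cfg"
if missing=$(missing_nft_opts "$cfg"); then
    echo "all required nft options present"
else
    echo "missing (firewalld's nftables backend will fail to load its ruleset):"
    echo "$missing"
fi

probe_status=0
probe_nat_chain || probe_status=$?
case $probe_status in
    0) echo "nat chain probe: ok" ;;
    2) echo "nat chain probe: skipped (needs root and nft)" ;;
    *) echo "nat chain probe: failed, kernel lacks nat support for nftables" ;;
esac
```

Run it as `sh check-nft.sh live` as root on the affected box. If the probe fails with "Error: Could not process rule: No such file or directory" while the config check lists CONFIG_NFT_NAT, that is the same ENOENT firewalld's python-nftables wrapper reports, just without the JSON wrapper in the way; =m is enough as long as the module can be loaded.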