4

After upgrading from Ubuntu 20.04 to 20.10 I want to finally get started with firewalld instead of the old manual iptables approach, but all I get from the service is the following, which also breaks any network integration with Docker:

Feb 13 13:28:20 myhost firewalld[36390]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory

That error message is not really helpful, since it doesn't say "what" cannot be found.

I also tried to execute the JSON blob (from journalctl --unit firewalld --no-pager) using the nft command directly, but that just gives the same error message, actually multiple times. So the error message is the one coming from libnftables1.

Ancoron
  • 161

1 Answer

2

After reviewing a bit of Python code here and here it became clear that I need to disassemble the big JSON blob and see which instructions exactly fail, which led me to the following (after storing the JSON blob into ~/nftables.json):

jq '.nftables | length' ~/nftables.json

...to get the number of entries (225 in my case) and then:

for i in $(seq 1 224); do \
    jq --argjson index "$i" '{"nftables": [.nftables[0], .nftables[$index]]}' ~/nftables.json | tee nft.json; \
    sudo nft --json --file nft.json || break; \
done

...which failed just for the first entry:

{
  "nftables": [
    {
      "metainfo": {
        "json_schema_version": 1
      }
    },
    {
      "add": {
        "chain": {
          "family": "inet",
          "table": "firewalld",
          "name": "raw_PREROUTING",
          "type": "filter",
          "hook": "prerouting",
          "prio": -290
        }
      }
    }
  ]
}
internal:0:0-0: Error: No such file or directory

As this was just adding a chain, the only thing that could be wrong here is a missing table, which was confirmed by:

$ sudo nft list tables
table bridge filter
table bridge nat

...so we need to add it:

sudo nft add table inet firewalld

After some more similar failures, I ended up with just the following tables being added manually:

table inet firewalld
table ip firewalld
table ip6 firewalld
Ancoron
  • 161
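A static version of the check the answer performs by hand, added here as an example that is not part of the original answer: it walks a firewalld-style nftables JSON blob (a constructed sample, not the real 225-entry one) together with the output of `nft list tables` and reports every entry that refers to a table which neither exists on the system nor is created by an earlier entry, which is the missing object behind the "No such file or directory" (ENOENT) message in this case. Only the "add" and "insert" verbs are inspected, which is an assumption about the blob's contents.

```python
import json

# Constructed output of `nft list tables`, matching the answer (no firewalld tables yet).
LIST_TABLES_OUTPUT = """table bridge filter
table bridge nat
"""

# Constructed blob in the shape of firewalld's nftables JSON; the inet chain and the
# ip6 rule reference tables nothing creates, the ip chain is fine because of entry 2.
BLOB = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PREROUTING",
                       "type": "filter", "hook": "prerouting", "prio": -290}}},
    {"add": {"table": {"family": "ip", "name": "firewalld"}}},
    {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "raw_PREROUTING",
                       "type": "filter", "hook": "prerouting", "prio": -290}}},
    {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "raw_PREROUTING",
                      "expr": [{"accept": None}]}}},
]})


def parse_list_tables(text):
    """Parse `nft list tables` lines ("table <family> <name>") into a set of (family, name)."""
    tables = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "table":
            tables.add((parts[1], parts[2]))
    return tables


def find_missing_tables(blob_text, existing_tables):
    """Walk the blob in order; return [(index, kind, family, table)] for every
    add/insert whose table is neither on the system nor created earlier in the blob."""
    known = set(existing_tables)
    missing = []
    for idx, entry in enumerate(json.loads(blob_text)["nftables"]):
        if "metainfo" in entry:
            continue
        for verb in ("add", "insert"):  # assumption: other verbs are not checked here
            if verb not in entry:
                continue
            (kind, obj), = entry[verb].items()  # each command wraps exactly one object
            if kind == "table":
                known.add((obj["family"], obj["name"]))
            elif (obj["family"], obj["table"]) not in known:
                missing.append((idx, kind, obj["family"], obj["table"]))
    return missing


if __name__ == "__main__":
    for idx, kind, family, table in find_missing_tables(BLOB, parse_list_tables(LIST_TABLES_OUTPUT)):
        print(f"entry {idx}: {kind} needs missing table -> sudo nft add table {family} {table}")
```

Feeding it the real blob saved as ~/nftables.json and the live `nft list tables` output gives the list of `nft add table` commands the answer arrived at by trial and error.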