centos 8, firewalld error `COMMAND_FAILED: 'python-nftables' failed` [closed]
When I try to reload firewalld, it tells me:

Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Numerical result out of range


JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_policy_allow-host-ipv6"}}}]}

I don't know why this is; after Googling, it still hasn't been resolved.

Checkrow answered 7/1, 2022 at 14:9 Comment(0)
I had the same error message. I enabled verbose debugs on firewalld and tailed the logs to file for a deeper dive. In my case the exception was originally happening in "nftables.py" on line "361".

Exception:

2022-01-23 14:00:23 DEBUG3: <class 'firewall.core.nftables.nftables'>: calling python-nftables with JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_policy_allow-host-ipv6"}}}]}
2022-01-23 14:00:23 DEBUG1: Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/firewall/core/fw.py", line 888, in rules
    backend.set_rule(rule, self._log_denied)
  File "/usr/lib/python3.6/site-packages/firewall/core/nftables.py", line 390, in set_rule
    self.set_rules([rule], log_denied)
  File "/usr/lib/python3.6/site-packages/firewall/core/nftables.py", line 361, in set_rules
    raise ValueError("'%s' failed: %s\nJSON blob:\n%s" % ("python-nftables", error, json.dumps(json_blob)))
ValueError: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Numerical result out of range

Line 361 in "nftables.py":

self._loader(config.FIREWALLD_POLICIES, "policy")

Why this is a problem:
Basically nftables is a backend service and firewalld is a frontend service. They are dependent on each other to function. Each time you restart firewalld it has to reconcile the backend, in this case nftables. At some point during the reconciliation a conflict is occurring in the python code. That is unfortunate as the only real solution will likely have to come from code improvements from nftables in how it is able to populate policies into chains and tables.

A work-around:
The good news is that if, like me, you don't use IPv6, you can simply disable the policy rather than solve the issue. I'll put the work-around steps below.

Work-around Steps:
The proper way to remove the policy is to use the command "firewall-cmd --delete-policy=allow-host-ipv6 --permanent" but I encountered other errors and exceptions in python when attempting to do that. Since I don't care about ipv6 I manually deleted the XML from configuration and restarted the firewalld service.

rm /usr/lib/firewalld/policies/allow-host-ipv6.xml

rm /etc/firewalld/policies/allow-host-ipv6.xml

systemctl restart firewalld

Side Note: Once I fixed this conflict, I also had some additional conflicts between nftables/iptables/fail2ban that had to be cleared up. For that I just used the command "fail2ban-client unban --all" to make fail2ban wipe clean all of the chains it added to iptables.

Vittoria answered 23/1, 2022 at 21:55 Comment(2)
Didn't work for me. The "ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory" remained. - Mesencephalon
Update: In /etc/firewalld/firewalld.conf I set IPv6_rpfilter=no and the error was gone. - Mesencephalon
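To find out which policy is behind a failure like the one above, the JSON blob firewalld appends to the error can be parsed instead of read by eye. The following is an added example, not code from the thread or from firewalld itself; the chain naming pattern `<table>_<hook>_policy_<name>` is inferred from the blob shown on this page, and the sample error text is constructed from the question.

```python
import json
import re
from pathlib import Path

# Error text constructed from the message shown in the question above.
SAMPLE_ERROR = (
    "Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: "
    "Error: Could not process rule: Numerical result out of range\n\n"
    "JSON blob:\n"
    '{"nftables": [{"metainfo": {"json_schema_version": 1}}, '
    '{"add": {"chain": {"family": "inet", "table": "firewalld", '
    '"name": "filter_IN_policy_allow-host-ipv6"}}}]}'
)

# Chain naming inferred from the blob on this page: <table>_<hook>_policy_<name>.
POLICY_CHAIN_RE = re.compile(r"^[a-z]+_[A-Z]+_policy_(.+)$")

def extract_json_blob(error_text: str) -> dict:
    """Parse the JSON blob firewalld appends after 'JSON blob:'.
    raw_decode tolerates trailing text, so a DEBUG3 log line works too."""
    marker = "JSON blob:"
    idx = error_text.find(marker)
    if idx < 0:
        raise ValueError("no 'JSON blob:' marker in error text")
    obj, _ = json.JSONDecoder().raw_decode(error_text[idx + len(marker):].lstrip())
    return obj

def failing_policies(error_text: str) -> list:
    """Names of firewalld policies whose chains the failing blob tries to add."""
    names = []
    for cmd in extract_json_blob(error_text).get("nftables", []):
        chain = cmd.get("add", {}).get("chain")
        if not chain:
            continue
        m = POLICY_CHAIN_RE.match(chain.get("name", ""))
        if m and m.group(1) not in names:
            names.append(m.group(1))
    return names

def policy_files(name: str) -> list:
    """Where firewalld looks for the policy's XML (the /etc copy overrides /usr/lib)."""
    return [Path("/etc/firewalld/policies") / f"{name}.xml",
            Path("/usr/lib/firewalld/policies") / f"{name}.xml"]

def existing_policy_files(name: str) -> list:
    """Only the definitions actually present on this host."""
    return [p for p in policy_files(name) if p.exists()]

if __name__ == "__main__":
    for name in failing_policies(SAMPLE_ERROR):
        print(name, [str(p) for p in existing_policy_files(name)])
```

Run it with the real error text (or the DEBUG3 log line) pasted in place of SAMPLE_ERROR; it prints the policy name and which of its XML definitions exist, so you know exactly which files the work-around touches.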
In my case, I didn't really care about using nftables, so on my CentOS 8 installation I opened /etc/firewalld/firewalld.conf, e.g.:

vi /etc/firewalld/firewalld.conf

and changed the backend for firewalld from nftables to iptables.

To do this, you will find the line:

FirewallBackend=nftables

Change it to:

FirewallBackend=iptables

Then save and restart firewalld using:

systemctl restart firewalld

Now check the status:

systemctl status firewalld

And everything should be fine.

Thanks for reading

Wera answered 21/3, 2023 at 16:1 Comment(1)
Just a note to be careful when making this switch if you're remote. Don't lock yourself out of SSH and ideally make sure you have access to the hypervisor console, IPMI, something... just in case. - Her
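Both this answer and the comment on the previous one amount to changing one key in firewalld.conf (FirewallBackend or IPv6_rpfilter). The following is an added example, not code from the thread or from firewalld, that makes that edit with a backup, validates the value against the settings this page discusses, and leaves comments and other keys untouched; the accepted value sets are an assumption based on firewalld.conf(5).

```python
import re
import shutil
from pathlib import Path

# Values accepted for the keys this page discusses (assumption: per firewalld.conf(5);
# older firewalld releases may not know every value).
ALLOWED = {
    "FirewallBackend": {"nftables", "iptables"},
    "IPv6_rpfilter": {"yes", "no"},
}

def is_valid(key: str, value: str) -> bool:
    """Unknown keys are passed through; known keys must use an accepted value."""
    return key not in ALLOWED or value in ALLOWED[key]

def get_option(text: str, key: str):
    """Return the value of key in firewalld.conf-style text, or None if unset."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or "=" not in stripped:
            continue
        k, v = stripped.split("=", 1)
        if k.strip() == key:
            return v.strip()
    return None

def set_option(text: str, key: str, value: str) -> str:
    """Return text with key=value: replaces the first uncommented assignment,
    appends one if the key is absent, and leaves every other line as it was."""
    if not is_valid(key, value):
        raise ValueError(f"{key}={value!r} is not one of {sorted(ALLOWED[key])}")
    pattern = re.compile(rf"^[ \t]*{re.escape(key)}[ \t]*=.*$", re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(lambda m: f"{key}={value}", text, count=1)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{key}={value}\n"

def update_conf(path: Path, key: str, value: str) -> Path:
    """Edit path in place after copying it to <path>.bak; returns the backup path."""
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)
    path.write_text(set_option(path.read_text(), key, value))
    return backup

if __name__ == "__main__":
    print(update_conf(Path("/etc/firewalld/firewalld.conf"), "FirewallBackend", "iptables"))
```

After the edit, `firewall-cmd --permanent --list-all` should still show the ssh service in your active zone before you run `systemctl restart firewalld`; if the restart goes wrong, the .bak file is the quick way back.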

© 2022 - 2024 — McMap. All rights reserved.