# Firewalld broken after update...

## The_Great_Sephiroth

OK, I updated my system this past weekend since I had a four-day break. It took three days to update (554 updates) and firewalld was one of the updates. I no longer have any firewall. I saw that for whatever idiotic reason, the switch was made to default to nftables. I set it to use iptables. That got me this output while connected to my home network (WiFi).

```
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FWDI_home
-N FWDI_home_allow
-N FWDI_home_deny
-N FWDI_home_log
-N IN_home
-N IN_home_allow
-N IN_home_deny
-N IN_home_log
-A FWDI_home -j FWDI_home_log
-A FWDI_home -j FWDI_home_deny
-A FWDI_home -j FWDI_home_allow
-A IN_home -j IN_home_log
-A IN_home -j IN_home_deny
-A IN_home -j IN_home_allow
```

In other words, I am wide open. When I open the firewall applet in Plasma it shows that nothing for the "home" zone is enabled. When I switch it from runtime to permanent, it does have the correct settings, such as allowing SSH and the Samba client in. So firewalld is not properly creating rules, despite there being rules for this zone. What do I do? Tried figuring this out for two days and I need my work laptop.

Also, I get this now:

```
~ $ sudo firewall-cmd --state
failed
```
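An added example, not code from the thread or from firewalld: a small check that can be run over `iptables-save` output in the format pasted above to tell a firewalld zone skeleton apart from a zone that actually filters. The "healthy" sample listing, the `INPUT_ZONES` chain dispatching with `-g`, and the `audit_zones.py` file name are assumptions constructed for the example.

```python
"""Audit iptables-save style output for firewalld zones that exist but
filter nothing.

Added example (not from the thread, not firewalld's own code). It reads the
listing format the first post shows: '-P' policies, '-N' chain declarations
and '-A' rules. A zone counts as wide open when its IN_<zone> / FWDI_<zone>
skeleton is declared but nothing ever jumps into it (no -j / -g from INPUT,
FORWARD or a dispatcher chain) and its _allow/_deny/_log sub-chains are empty.
"""
import re
import sys
from collections import defaultdict

# Constructed sample 1: the IN_ part of the skeleton from the first post.
SAMPLE_BROKEN = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N IN_home
-N IN_home_allow
-N IN_home_deny
-N IN_home_log
-A IN_home -j IN_home_log
-A IN_home -j IN_home_deny
-A IN_home -j IN_home_allow
"""

# Constructed sample 2 (assumed layout): what a working zone looks like.
SAMPLE_HEALTHY = """\
-P INPUT DROP
-N INPUT_ZONES
-N IN_work
-N IN_work_allow
-N IN_work_deny
-N IN_work_log
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i wlan0 -g IN_work
-A IN_work -j IN_work_log
-A IN_work -j IN_work_deny
-A IN_work -j IN_work_allow
-A IN_work_allow -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
"""

# firewalld names zone chains <prefix>_<zone>[_allow|_deny|_log].
ZONE_CHAIN = re.compile(r"^(IN|FWDI|FWDO)_(?P<zone>[^_]+)(?:_(allow|deny|log))?$")


def parse_rules(text):
    """Split a listing into (policies, declared chains, rules per chain)."""
    policies, chains, rules = {}, set(), defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#*":   # comments and '*filter' headers
            continue
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-N":
            chains.add(parts[1])
        elif parts[0] in ("-A", "-I"):
            rules[parts[1]].append(parts[2:])
    return policies, chains, rules


def jump_targets(rules):
    """Every chain named after -j or -g anywhere in the rule set."""
    targets = set()
    for rule_list in rules.values():
        for rule in rule_list:
            for flag in ("-j", "-g"):
                if flag in rule:
                    targets.add(rule[rule.index(flag) + 1])
    return targets


def audit(text):
    """Return {'input_policy': str, 'zones': {zone: findings}}."""
    policies, chains, rules = parse_rules(text)
    targets = jump_targets(rules)
    zones = {m.group("zone") for c in chains for m in [ZONE_CHAIN.match(c)] if m}
    report = {}
    for zone in sorted(zones):
        sub = [f"{p}_{zone}_{s}" for p in ("IN", "FWDI") for s in ("allow", "deny", "log")]
        n_rules = sum(len(rules.get(c, [])) for c in sub)
        reachable = any(c in targets for c in (f"IN_{zone}", f"FWDI_{zone}"))
        report[zone] = {
            "rules_in_subchains": n_rules,
            "reachable": reachable,
            # no rules, or rules that traffic never reaches: the zone does nothing
            "wide_open": n_rules == 0 or not reachable,
        }
    return {"input_policy": policies.get("INPUT"), "zones": report}


if __name__ == "__main__":
    # Usage: sudo iptables-save | python3 audit_zones.py  (no stdin: runs the broken sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BROKEN
    result = audit(data)
    print(f"INPUT policy: {result['input_policy']}")
    for zone, info in result["zones"].items():
        state = "WIDE OPEN" if info["wide_open"] else "ok"
        print(f"zone {zone}: {state} (reachable={info['reachable']}, "
              f"rules={info['rules_in_subchains']})")
```

On the listing from the first post the check reports the `home` zone as wide open for both reasons at once: its sub-chains hold no rules and nothing in `INPUT` or `FORWARD` jumps to `IN_home` or `FWDI_home`, while the default `INPUT` policy is `ACCEPT`.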

----------

## The_Great_Sephiroth

I have continued digging and verified that nftables was fully enabled in my kernel. Is there some tool I need so I can actually firewall my system? I am still down and working from my Android tablet, which limits me.

----------

## The_Great_Sephiroth

OK, all of our Gentoo systems are on hold until we can figure this out. From the looks of it, somebody decided that firewalld needed to use the shiny, new nftables. They switched it by default but even when I set it to use iptables in /etc/firewalld/firewalld.conf, it generates empty rules and leaves us wide-open. We have reproduced this on a second laptop now, so we have no choice but to stop updates until this is resolved. What I have tried is below.

- Setting the firewalld configuration to use iptables
- Setting it back to nftables
- Checked for iptables rules while using iptables in the configuration and nftables rules while in nftables mode
- Checked with the firewall-applet GUI interface, realizing that the "permanent" settings are there, but they never go to runtime
- Tried allowing samba-client in the runtime page and got a single word error: "RAW"

In other words, this nftables stuff comes across to me as a very alpha product that somebody was dying to test, and it has us affected since we use firewalld with Plasma to configure individual settings in zones and apply said zones to various wireless and wired connections. Now all we get is wide-open at all times no matter what we do. I can manually enter rules on the command-line using sudo, but that is NOT a solution.

----------

## Anon-E-moose

Why not just convert iptables rules to nftables rules, it's not that hard.

https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

Or like me you can just create your rules as a script and execute it, I've never needed firewalld or any firewall tool, I tried them in the past and it was easier to just roll my own.

Edit to add: and nftables is not new, it's been around for years. It's just an easier way to do things than the old iptables way.

Edit to add 2: Not sure if you've read this https://firewalld.org/2018/07/nftables-backend

 *The_Great_Sephiroth wrote:*   

> I have continued digging and verified that nftables was fully enabled in my kernel.

 

Do you have all the CONFIG_NF_* showing in .config, just like iptables you have to enable all the different pieces for rules.

And again, if you didn't read the link above from firewalld, they tell you how to make iptables the default, just like it's been in the past.

For example you would set this for iptables

```
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
```

or this for nftables

```
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
```

----------

## The_Great_Sephiroth

I have ALL NFT stuff enabled in the kernel. I just double-checked. Also, I made it the default, as I said in my last post, and it still won't create firewall rules. It won't create them whether NFT or IPT is the backend. It is flat-out broken.

As for the manual rules, that is not a solution. As I said before, I need the software to work as it is intended. Sure, we can do scripts. How about telling that to the finance lady that has only ever used Windows and barely knows how to turn on the desktop? This won't work for 99% of us. We are supposed to be able to define firewall zones (home, public, work, etc) and apply certain rules to each zone. We then assign those zones to the connections in NetworkManager and when a connection comes up, the correct zone rules are applied. To the normal users this all happens without them knowing anything. We cannot spend years training these people on how to enter firewall rules, execute BASH scripts, or anything else. We need this software, which worked FLAWLESSLY prior to the update, to work. Something in the new firewalld is completely broken and we need to fix it or figure out a solid work-around. Scripts won't work for us.

Not trying to come across as a butt, I am just really pissed that something so critical and also so broken got through the cracks. On top of that I am now struggling with the licenses and am about to give up and accept all because it tells me what license to read but not how to accept it in package.license! Bad day for Gentoo here, that is all.

----------

## Anon-E-moose

Have you turned on debugging to see what's going on?

----------

## The_Great_Sephiroth

No, I have never needed debugging before. How do I do this? I synced and am currently updating 11 packages, none related to the network though.

----------

## Anon-E-moose

https://firewalld.org/documentation/howto/debug-firewalld.html

----------

## The_Great_Sephiroth

I actually checked the log last night after a kernel upgrade and found the most likely cause. The new firewalld version is not calling the commands correctly. I will post the log and link to it in this post or another response today.

*UPDATE*

I deleted the firewalld log, rebooted, and pasted the new log. This gets spammed over and over again. It did not do this prior to the update where nftables became the default. It does this regardless of whether or not the setting is iptables or nftables.

My firewalld log

----------

## Marlo

*My firewalld log wrote:*

> 2019-07-11 09:45:04 ERROR: '/sbin/iptables-restore -n' failed: iptables-restore v1.6.1: 

I'm not an iptables specialist, but probably you need to use iptables version >= 1.8.3 and nftables 0.8.5 or 0.9.

I use Firewalld 0.7. It works great.

Ma

----------

## Anon-E-moose

*The_Great_Sephiroth wrote:*

> I deleted the firewalld log, rebooted, and pasted the new log. This gets spammed over and over again. It did not do this prior to the update where nftables became the default. It does this regardless of whether or not the setting is iptables or nftables.

This is a reference to your problem, there are a couple of links in this link so follow them and read them.

https://github.com/firewalld/firewalld/issues/411

----------

## The_Great_Sephiroth

Checked all that. There was one single link on that bug report. I read the discussion. Nothing fruitful. All of the kernel modules mentioned are enabled on my kernel. I literally have EVERY option enabled as a module or built-in. Well, except the one which is obsolete, but I have NEVER enabled that one.

----------

## Anon-E-moose

There was a link to a discussion, then another link to another bug report (started because he couldn't reopen the original one)

https://github.com/firewalld/firewalld/issues/484

And on this one there is a patch (look at the last one by erig0 commented on Apr 17) with mention that commits have been added to the firewalld codebase.

I would imagine that 1.6.4 will probably have those changes in it.

As far as you having every option, if you had the security option then it would have found it.

Read the thread properly and try the patch OR stick with 0.5.1 until changes have been finalized.

Good luck!

----------

## The_Great_Sephiroth

OK, I just went through every single option under the netfilter configuration menus and literally EVERYTHING is checked as either built-in or module. So if this security table option is set to no, then it is not in the netfilter configuration area, meaning I am not seeing it. Here is the kernel configuration.

Also, I did read and understand the tickets, but it does me no good. I already upgraded because there was no warning that everything breaks with this version. I assumed it would work.

Kernel Configuration

What option is not set there that should be and since I use the menu configuration to configure my kernels, why is it not in the netfilter sections?

----------

## Hu

Unless you override using Z, you only see options that you can enable.  If an option has an unsatisfied prerequisite, it is not shown.  I happen to already know that table 'security' refers to the Netfilter table named security, and I remembered approximately where to find it.  It is controlled by the option IP_NF_SECURITY, which is not even listed in your kernel configuration.  That tipped me off that you are probably missing a prerequisite, since it would be shown as `# CONFIG_IP_NF_SECURITY is not set` if you had the option to enable it and did not.  From there, I opened the Kconfig file (though menuconfig can do this for you too) and checked the prerequisites:

```
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.
```

From there, I went back to your configuration and checked the prerequisites.  You have CONFIG_SECURITY=n and CONFIG_NETFILTER_ADVANCED=y.  Therefore, you need to enable CONFIG_SECURITY to expose the option you want.  If I had your configuration already set up, I would have instead done:

1. Start menuconfig.
2. Open the search menu using /.  Search for IP_NF_SECURITY.  (Reminder: I already knew that was the configuration name I wanted.  I don't know how you would learn that, since it's not mentioned in the linked Github issue.  You could try a blind search for all Kconfig symbols that have security in their name, read the help text of everything you find, and eventually hit it that way, since the help text does mention that it controls the relevant table.)
3. Menuconfig would take me to a view where I could see that symbol, and a list of its prerequisites, and the current state of all those prerequisites.
4. Pick a prerequisite that is shown as =n.  Use search to find that symbol and enable it.  Theoretically, this step may need to be recursed, but for your problem today, a single step is enough.
5. Now that the prerequisite is enabled, return to IP_NF_SECURITY and enable it.

As a general question, is this version of firewalld ever usable without that Kconfig symbol enabled?  I could see that OP has a particular configuration that requires it, but I can also see that firewalld may have a hard dependency on this symbol and be totally broken without it.  If the latter, then the ebuild probably ought to at least print a warning, if not perform a configuration check, so that people find out about this before they restart firewalld and discover it broken.
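The prerequisite walk Hu describes by hand can be scripted. Below is an added example, not Hu's and not part of the kernel's own kconfig tooling: it parses a Kconfig fragment and a .config, evaluates each `depends on` expression with tristate logic, and reports the failing prerequisites that hide a symbol in menuconfig, recursing into them the way step 4 above says may be needed. The Kconfig and .config fragments are constructed from the snippet quoted above (the `IP6_NF_SECURITY` entry and the combined `&&` form are assumptions for illustration); the evaluator handles `!`, `&&`, `||` and parentheses only, not `=y` comparisons or `select`.

```python
"""Report which 'depends on' prerequisites hide a Kconfig symbol.

Added example (not from the thread, not the kernel's tooling). Tristate
values are modelled as y=2, m=1, n=0; '&&' is min, '||' is max, '!' is 2-x,
and a symbol missing from .config counts as n, which is what hides an
option in menuconfig.
"""
import re

# Constructed Kconfig fragment mirroring the IP_NF_SECURITY case above.
KCONFIG_SAMPLE = """\
config NETFILTER_ADVANCED
	bool "Advanced netfilter configuration"

config SECURITY
	bool "Enable different security models"

config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY && NETFILTER_ADVANCED
"""

# Constructed .config fragment: the state described in the post above.
DOTCONFIG_SAMPLE = """\
# CONFIG_SECURITY is not set
CONFIG_NETFILTER_ADVANCED=y
"""

TRI = {"y": 2, "m": 1, "n": 0}
TOK = re.compile(r"\s*(&&|\|\||!|\(|\)|\w+)")


def parse_kconfig(text):
    """Map symbol -> list of its 'depends on' expressions (as strings)."""
    deps, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(?:menu)?config\s+(\w+)\s*$", line)
        if m:
            cur = m.group(1)
            deps.setdefault(cur, [])
            continue
        m = re.match(r"^\s+depends on\s+(.+?)\s*$", line)
        if m and cur:
            deps[cur].append(m.group(1))
    return deps


def parse_dotconfig(text):
    """Map symbol -> 'y' | 'm' | 'n' ('# ... is not set' lines become 'n')."""
    vals = {}
    for line in text.splitlines():
        m = re.match(r"^CONFIG_(\w+)=(y|m)$", line)
        if m:
            vals[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^# CONFIG_(\w+) is not set$", line)
        if m:
            vals[m.group(1)] = "n"
    return vals


def evaluate(expr, vals):
    """Evaluate a depends-on expression to 0/1/2 by recursive descent."""
    toks, i = [], 0
    expr = expr.strip()
    while i < len(expr):
        m = TOK.match(expr, i)
        if not m:
            raise ValueError(f"unsupported token near {expr[i:]!r}")
        toks.append(m.group(1))
        i = m.end()
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        t = toks[pos]
        pos += 1
        return t

    def or_expr():
        v = and_expr()
        while peek() == "||":
            take()
            v = max(v, and_expr())
        return v

    def and_expr():
        v = not_expr()
        while peek() == "&&":
            take()
            v = min(v, not_expr())
        return v

    def not_expr():
        if peek() == "!":
            take()
            return 2 - not_expr()
        if peek() == "(":
            take()
            v = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parenthesis")
            return v
        return TRI[vals.get(take(), "n")]

    v = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens in expression")
    return v


def unsatisfied(symbol, deps, vals, seen=None):
    """List (symbol, failing expression) pairs that hide `symbol`, recursively."""
    seen = set() if seen is None else seen
    out = []
    for expr in deps.get(symbol, []):
        if evaluate(expr, vals) == 0:
            out.append((symbol, expr))
            # follow unset symbols named in the failing expression (step 4 above)
            for name in re.findall(r"\w+", expr):
                if name in deps and name not in seen and vals.get(name, "n") == "n":
                    seen.add(name)
                    out.extend(unsatisfied(name, deps, vals, seen))
    return out


if __name__ == "__main__":
    deps = parse_kconfig(KCONFIG_SAMPLE)
    vals = parse_dotconfig(DOTCONFIG_SAMPLE)
    for sym in ("IP_NF_SECURITY", "IP6_NF_SECURITY"):
        for s, e in unsatisfied(sym, deps, vals):
            print(f"{s} is hidden: 'depends on {e}' is not satisfied")
```

To run it against a real tree, replace the two sample strings with the contents of `net/ipv4/netfilter/Kconfig` and your `.config`; on the configuration described in the post it reports `IP_NF_SECURITY` hidden by `depends on SECURITY`, and nothing at all once `SECURITY` is set to y.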

----------

## Anon-E-moose

This is the patch from the second github bug link

http://dpaste.com/2YJVJ7K

With it you shouldn't require security, your choice as to whether to apply it or just enable security. 

To apply it put it in /etc/portage/patches/net-firewall/firewalld-0.6.3.

NOTE: I don't run firewalld, so can't verify if the patch works, but from the looks of it, it should.

It looks to see if security is available and only asks for it, if it sees it.

----------

## Anon-E-moose

 *Hu wrote:*   

> As a general question, is this version of firewalld ever usable without that Kconfig symbol enabled?  I could see that OP has a particular configuration that requires it, but I can also see that firewalld may have a hard dependency on this symbol and be totally broken without it.  If the latter, then the ebuild probably ought to at least print a warning, if not perform a configuration check, so that people find out about this before they restart firewalld and discover it broken.

 

I think the problem is no one really knew that firewalld was broken, re security, well unless you did what I did and google for the specific error, and even then it wasn't real obvious. 

Yes, there should be a warning in the ebuild OR the patch should be applied by the devs.

If I'm not mistaken, they will have fixed the problem in 0.6.4.

Edit to add: according to changed things in 0.6.4

```
fix: ipXtables: don’t use tables that aren’t available
```

which was the problem with security, but should apply to any "missing" table.

Note that if you ask for something in the missing table, it will create an error, but that's expected behavior.

----------

## The_Great_Sephiroth

I searched for "security" and got loads of results. I was not sure of the entire symbol name. I also gave up fairly easily as I woke up sick this morning. Lovely little sinus issues that make life a living Hell, but I digress.

I have NEVER needed that prior to now and never enabled the multiple security types option before. That is what threw me. Thank you both for the help. I will be building a new kernel soon (updates grabbed a new one) and have already enabled the security table in both IPv4 and IPv6 iptables. Thanks for being patient with me, I haven't had an issue in ages and this one stumped me.

----------

## Anon-E-moose

main menu -> security options -> enable different security models (sets CONFIG_SECURITY)

other options are set in netfilter area (security above needs to be set for other options to show)

----------

## The_Great_Sephiroth

Yeah, I already enabled it. I had long since forgotten about using Z to see hidden options. I built the new kernel and will be installing it today. Will post the results.

----------

