# firewalld state shows as "failed"

## Eggplants

We've been asked to install firewalld on our home computers for working from home.  I'm able to emerge it and there are no apparent errors there.  However, when I run /etc/init.d/firewalld start, firewall-cmd --state reports "failed".  Looking at /etc/log/firewalld, I see errors like this:

```
2020-03-24 11:30:52 ERROR: '/sbin/nft add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }' failed: Error: Could not process rule: No such file or directory
add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }
```

If I run that command with strace, there are a couple of files showing up as not found (/etc/iproute2/rt_marks and /etc/connlabel.conf), but creating those files doesn't change anything.

Any ideas on how to figure out what's going wrong?

Here's the log file with debugging set to maximum: /etc/log/firewalld

And my kernel config, since some other posts here seem to suggest this can cause problems: Kernel config

----------

## Zucca

Post your

```
equery u firewalld
which nft
```

Newer firewalld versions default to nft rather than to iptables and friends.

----------

## Eggplants

*Zucca wrote:*

> Post your
>
> ```
> equery u firewalld
> which nft
> ```
>
> Newer firewalld versions default to nft rather than to iptables and friends.

Thanks, it does look like it's using nft based on the errors.  Here's the output you asked for:

```
% equery u firewalld
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-firewall/firewalld-0.7.1-r2:
 U I
 + + gui                            : Enable support for a graphical user
                                      interface
 + + iptables                       : Add support for net-firewall/nftables as
                                      firewall backend
 + + nftables                       : Add support for net-firewall/nftables as
                                      firewall backend
 - - python_single_target_python2_7 : Build for Python 2.7 only
 + + python_single_target_python3_6 : Build for Python 3.6 only
 - - python_single_target_python3_7 : Build for Python 3.7 only
% which nft
/sbin/nft
```

I did find some information about the kernel options in the wiki and am rebuilding the kernel now with a couple new options set.

----------

## Eggplants

I eventually gave up on nftables and changed /etc/firewalld/firewalld.conf to have:

```
FirewallBackend=iptables
```

And that seemed to work; at least, firewall-cmd --state returns "running".

More details on what I tried with nft below in case someone has an idea of what I'm doing wrong with nftables.

*Eggplants wrote:*

> I did find some information about the kernel options in the wiki and am rebuilding the kernel now with a couple new options set.

No joy there; I get the same errors.  I then tried running some nft commands from the wiki and eventually got the same "No such file or directory" error.  I also tried turning on all the NF_ and NFT_ options in the kernel I could find, but it looks like some require that others be turned off so that didn't seem fruitful.

----------

## Zucca

Using iptables will be deprecated in the future. If I were you I'd investigate why nft doesn't work.

It's a little strange that firewalld would call nft binary since, to my knowledge, firewalld moved to use libnftables (or something like that) to interface with nftables.

Which version do you have?

```
# qfile -v "$(which nft)" "$(which firewalld)"
net-firewall/firewalld-0.7.1: /usr/sbin/firewalld
net-firewall/nftables-0.9.0-r5: /sbin/nft
```

This is how my kernel is configured:

```
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_COMMON=y
CONFIG_NF_LOG_NETDEV=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_ZONES=y
CONFIG_NF_CONNTRACK_PROCFS=y
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_GRE=m
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_NETLINK_TIMEOUT=m
CONFIG_NF_CT_NETLINK_HELPER=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_NF_NAT_PROTO_DCCP=y
CONFIG_NF_NAT_PROTO_UDPLITE=y
CONFIG_NF_NAT_PROTO_SCTP=y
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_SET=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_CT=m
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_CONNLIMIT=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_TUNNEL=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_SOCKET=m
CONFIG_NFT_OSF=m
CONFIG_NFT_TPROXY=m
CONFIG_NF_DUP_NETDEV=m
CONFIG_NFT_DUP_NETDEV=m
CONFIG_NFT_FWD_NETDEV=m
CONFIG_NFT_FIB_NETDEV=m
CONFIG_NF_FLOW_TABLE_INET=m
CONFIG_NF_FLOW_TABLE=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_SOCKET_IPV4=m
CONFIG_NF_TPROXY_IPV4=m
CONFIG_NF_TABLES_IPV4=y
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_DUP_IPV4=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_FLOW_TABLE_IPV4=m
CONFIG_NF_DUP_IPV4=m
CONFIG_NF_LOG_ARP=m
CONFIG_NF_LOG_IPV4=y
CONFIG_NF_REJECT_IPV4=m
CONFIG_NF_NAT_IPV4=m
CONFIG_NF_NAT_MASQUERADE_IPV4=y
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PROTO_GRE=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
CONFIG_NFT_REDIR_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NF_FLOW_TABLE_IPV6=m
CONFIG_NF_DUP_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_NAT_IPV6=m
CONFIG_NF_NAT_MASQUERADE_IPV6=y
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_TABLES_BRIDGE=y
CONFIG_NFT_BRIDGE_REJECT=m
CONFIG_NF_LOG_BRIDGE=m
```

... many are built as modules since I don't use nearly all of them. But those are there if some rule needs them.
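As an added example (not code from either poster), a small audit script for the situation in this thread: it reads a kernel config and reports which nf_tables options are absent or built as modules. The option list is an assumption drawn from the config posted above, since the thread never identifies which ones were critical, and the sample config it checks is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a kernel config for nf_tables
# options that firewalld's nftables backend relies on.  The "No such file or
# directory" nft printed above is the kernel's ENOENT, returned when e.g. the
# table family or chain type a rule needs is not available.  REQUIRED_OPTS is
# an assumption (a subset of the config posted above); the thread never pins
# down which options were the critical ones.
REQUIRED_OPTS="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NF_CONNTRACK
CONFIG_NFT_CT CONFIG_NFT_NAT CONFIG_NFT_MASQ CONFIG_NFT_REJECT_INET"

# check_nft_config FILE: print "module: OPT" for options built as modules
# (they must be loadable at runtime) and "missing: OPT" for options that are
# neither =y nor =m.  Returns 0 when nothing is missing, 1 otherwise.
check_nft_config() {
    _rc=0
    for _opt in $REQUIRED_OPTS; do
        if grep -q "^${_opt}=m\$" "$1"; then
            echo "module: $_opt"
        elif ! grep -q "^${_opt}=y\$" "$1"; then
            echo "missing: $_opt"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample config: the inet family is not set.  This is a
# hypothetical cause; the asker's real config is only linked, not shown.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONFIG_NF_CONNTRACK=m
CONFIG_NF_TABLES=m
# CONFIG_NF_TABLES_INET is not set
CONFIG_NFT_CT=m
CONFIG_NFT_NAT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REJECT_INET=m
EOF
check_nft_config "$SAMPLE" || echo "sample: the nft backend would fail"

# Same check against the running kernel, if its config is exposed
# (/proc/config.gz requires CONFIG_IKCONFIG_PROC).
KCFG=$(mktemp)
if zcat /proc/config.gz > "$KCFG" 2>/dev/null; then
    check_nft_config "$KCFG" || echo "running kernel: options missing"
fi
rm -f "$SAMPLE" "$KCFG"
```

Options reported as "module" are fine as long as the module loads; a "missing" line means the kernel has to be rebuilt before the nft backend can work.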

----------

## Eggplants

*Zucca wrote:*

> Using iptables will be deprecated in the future. If I were you I'd investigate why nft doesn't work.

Thanks for your reply; sorry I didn't notice it earlier.  I wasn't able to get my kernel config exactly matching yours, but I got it closer and eventually got firewalld to work with nft.  Not clear which changes are the critical ones, but at least it works now.  Thanks again!

----------

