# firewalld fails to add new rules

## denn0n

Hi, I'm trying to set up firewalld correctly. Now when I try to add an interface to a zone I get

```
firewall-cmd --zone=public --add-interface=wlp1s0

Error: COMMAND_FAILED: 'python-nftables' failed:
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 6, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "filter_IN_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "filter_FWD_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "mangle_PRE_public"}}]}}}]}
```
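As an added example (not part of the post, and not firewalld's own code), here is a small decoder for the JSON blob in the error above. It turns each libnftables command into an nft-like line and pulls out the interface-to-zone dispatch rules, so you can see what `--add-interface` was trying to program (one `goto` into the zone's chain from each of the five `*_ZONES` chains) when the python-nftables call failed. `NFT_JSON` is the blob from the error; the decoder only understands the command forms that appear in it and prints raw JSON for anything else.

```python
"""Summarise the libnftables JSON batch that firewalld hands to python-nftables.

Added example, not firewalld's own code. NFT_JSON is the blob printed in the
COMMAND_FAILED error above; the helpers decode only the JSON command forms
that appear in it (add/insert rule, meta match, set, accept, goto) and fall
back to raw JSON for anything else.
"""
import json

NFT_JSON = r'''{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 6, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "filter_IN_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "filter_FWD_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "wlp1s0"}}, {"goto": {"target": "mangle_PRE_public"}}]}}}]}'''


def operand(op):
    """Render one side of a match expression in nft-like notation."""
    if isinstance(op, dict):
        if "meta" in op:
            return "meta " + op["meta"]["key"]
        if "payload" in op:
            return op["payload"]["protocol"] + " " + op["payload"]["field"]
        if "set" in op:
            return "{ " + ", ".join(operand(x) for x in op["set"]) + " }"
        return json.dumps(op, sort_keys=True)
    return str(op)


def statements(expr):
    """Render a rule's expression list as one nft-like string."""
    parts = []
    for stmt in expr:
        kind, body = next(iter(stmt.items()))
        if kind == "match":
            parts.append(f"{operand(body['left'])} {body['op']} {operand(body['right'])}")
        elif kind in ("goto", "jump"):
            parts.append(f"{kind} {body['target']}")
        elif body is None:  # verdicts such as {"accept": null}
            parts.append(kind)
        else:
            parts.append(f"{kind} {json.dumps(body, sort_keys=True)}")
    return " ".join(parts)


def summarize_batch(blob):
    """Return one human-readable line per command in the batch (metainfo skipped)."""
    lines = []
    for cmd in json.loads(blob)["nftables"]:
        op, body = next(iter(cmd.items()))
        if op == "metainfo":
            continue
        obj_type, obj = next(iter(body.items()))
        if obj_type != "rule":
            lines.append(f"{op} {obj_type} {json.dumps(obj, sort_keys=True)}")
            continue
        where = f"{obj['family']} {obj['table']} {obj['chain']}"
        if "index" in obj:
            where += f" index {obj['index']}"
        lines.append(f"{op} rule {where}: {statements(obj['expr'])}")
    return lines


def zone_bindings(blob):
    """Return (chain, iifname/oifname, interface, zone chain) for each interface->zone dispatch rule."""
    found = []
    for cmd in json.loads(blob)["nftables"]:
        op, body = next(iter(cmd.items()))
        rule = body.get("rule") if isinstance(body, dict) else None
        if rule is None:
            continue
        iface = key = target = None
        for stmt in rule["expr"]:
            if "match" in stmt:
                left = stmt["match"]["left"]
                if "meta" in left and left["meta"]["key"] in ("iifname", "oifname"):
                    key = left["meta"]["key"]
                    iface = stmt["match"]["right"]
            elif "goto" in stmt:
                target = stmt["goto"]["target"]
        if iface and target:
            found.append((rule["chain"], key, iface, target))
    return found


if __name__ == "__main__":
    for line in summarize_batch(NFT_JSON):
        print(line)
    print()
    for chain, key, iface, target in zone_bindings(NFT_JSON):
        print(f"{chain}: {key} {iface} -> {target}")
```

Run it and the five `insert` commands come out as the interface binding: every packet arriving on (or, for `nat_POSTROUTING_ZONES`, leaving via) `wlp1s0` is handed with `goto` to the `public` zone's chain in the filter, nat and mangle tables. The one `add` command is the zone's ICMP accept rule placed at index 6 of `filter_IN_public`. When the batch fails as a whole, nothing of it is committed, which is why the error lists all of it.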

----------

## alamahant

Is firewalld built with USE="nftables iptables"?

If yes then switch backend like this:

In /etc/firewalld/firewalld.conf set FirewallBackend to iptables.

And check if it works.

Then preferably rebuild it with only USE="iptables", although it is considered obsolete.

----------

## denn0n

 *alamahant wrote:*   

> Is firewalld built with USE="nftables iptables"?
> 
> ?
> 
> If yes then switch backend like this:
> ...

 

I did rebuild with USE="iptables" and I think that's fixed, but now it shows this:

```
firewall-cmd --zone=public --add-interface=wlp1s0

Error: COMMAND_FAILED: '/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.7 (legacy): ip6tables-restore: unable to initialize table 'raw'
Error occurred at line: 5
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
```

I'm reading about
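An added check, not from the thread: `ip6tables-restore` reports "unable to initialize table 'raw'" when the kernel cannot provide that table, so the first thing worth verifying is whether the kernel was built with the IPv6 netfilter table options at all. The table-to-CONFIG mapping below comes from the kernel's net/ipv6/netfilter Kconfig; the sample `.config` is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread. Checks a kernel .config for the options
# behind the ip6tables tables that ip6tables-restore has to initialise.
# The thread's error names table 'raw'; the table -> CONFIG symbol mapping
# comes from the kernel's net/ipv6/netfilter Kconfig. The base option for
# ip6tables itself is CONFIG_IP6_NF_IPTABLES.

# missing_ip6_tables CONFIG_FILE
#   Prints, space separated, the ip6tables tables whose kernel option is
#   neither built in (=y) nor a module (=m). Prints nothing if all are present.
missing_ip6_tables() {
    cfg=$1
    missing=""
    for pair in filter:CONFIG_IP6_NF_FILTER mangle:CONFIG_IP6_NF_MANGLE \
                nat:CONFIG_IP6_NF_NAT raw:CONFIG_IP6_NF_RAW; do
        table=${pair%%:*}
        opt=${pair#*:}
        if ! grep -Eq "^${opt}=[ym]$" "$cfg"; then
            missing="$missing $table"
        fi
    done
    echo "${missing# }"
}

# Constructed sample .config: IPv6 netfilter built with filter and mangle only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_MANGLE=y
# CONFIG_IP6_NF_RAW is not set
EOF
echo "missing ip6tables tables: $(missing_ip6_tables "$sample")"   # -> nat raw
rm -f "$sample"

# On a real host (needs CONFIG_IKCONFIG_PROC for /proc/config.gz):
#   zcat /proc/config.gz > /tmp/kconfig && missing_ip6_tables /tmp/kconfig
#   or: missing_ip6_tables /boot/config-$(uname -r)
```

A table listed as missing cannot be created by `ip6tables-restore`, whatever firewalld asks for. If the options are all present as modules, the next things to check are that they actually load (`modprobe ip6table_raw`) and, since the poster mentions having disabled IPv6, whether the IPv6 stack is enabled on the host at all, because ip6tables needs it.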

----------

## alamahant

What is the output of

```
iptables -L
```

----------

## denn0n

 *alamahant wrote:*   

> What is the output of
> 
> ```
> 
> iptables -L
> ...

 

```
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED,DNAT
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED,DNAT
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
OUTPUT_direct  all  --  anywhere             anywhere
OUTPUT_POLICIES_pre  all  --  anywhere             anywhere
OUTPUT_POLICIES_post  all  --  anywhere             anywhere

Chain FORWARD_POLICIES_post (2 references)
target     prot opt source               destination

Chain FORWARD_POLICIES_pre (2 references)
target     prot opt source               destination

Chain FORWARD_ZONES (1 references)
target     prot opt source               destination
FWD_public  all  --  anywhere             anywhere            [goto]
FWD_public  all  --  anywhere             anywhere            [goto]
FWD_public  all  --  anywhere             anywhere            [goto]
FWD_public  all  --  anywhere             anywhere            [goto]
FWD_trusted  all  --  anywhere             anywhere            [goto]
FWD_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWD_public (5 references)
target     prot opt source               destination
FORWARD_POLICIES_pre  all  --  anywhere             anywhere
FWD_public_pre  all  --  anywhere             anywhere
FWD_public_log  all  --  anywhere             anywhere
FWD_public_deny  all  --  anywhere             anywhere
FWD_public_allow  all  --  anywhere             anywhere
FWD_public_post  all  --  anywhere             anywhere
FORWARD_POLICIES_post  all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FWD_public_allow (1 references)
target     prot opt source               destination

Chain FWD_public_deny (1 references)
target     prot opt source               destination

Chain FWD_public_log (1 references)
target     prot opt source               destination

Chain FWD_public_post (1 references)
target     prot opt source               destination

Chain FWD_public_pre (1 references)
target     prot opt source               destination

Chain FWD_trusted (1 references)
target     prot opt source               destination
FORWARD_POLICIES_pre  all  --  anywhere             anywhere
FWD_trusted_pre  all  --  anywhere             anywhere
FWD_trusted_log  all  --  anywhere             anywhere
FWD_trusted_deny  all  --  anywhere             anywhere
FWD_trusted_allow  all  --  anywhere             anywhere
FWD_trusted_post  all  --  anywhere             anywhere
FORWARD_POLICIES_post  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain FWD_trusted_allow (1 references)
target     prot opt source               destination

Chain FWD_trusted_deny (1 references)
target     prot opt source               destination

Chain FWD_trusted_log (1 references)
target     prot opt source               destination

Chain FWD_trusted_post (1 references)
target     prot opt source               destination

Chain FWD_trusted_pre (1 references)
target     prot opt source               destination

Chain INPUT_POLICIES_post (2 references)
target     prot opt source               destination

Chain INPUT_POLICIES_pre (2 references)
target     prot opt source               destination
IN_allow-host-ipv6  all  --  anywhere             anywhere

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]
IN_trusted  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_allow-host-ipv6 (1 references)
target     prot opt source               destination
IN_allow-host-ipv6_pre  all  --  anywhere             anywhere
IN_allow-host-ipv6_log  all  --  anywhere             anywhere
IN_allow-host-ipv6_deny  all  --  anywhere             anywhere
IN_allow-host-ipv6_allow  all  --  anywhere             anywhere
IN_allow-host-ipv6_post  all  --  anywhere             anywhere

Chain IN_allow-host-ipv6_allow (1 references)
target     prot opt source               destination

Chain IN_allow-host-ipv6_deny (1 references)
target     prot opt source               destination

Chain IN_allow-host-ipv6_log (1 references)
target     prot opt source               destination

Chain IN_allow-host-ipv6_post (1 references)
target     prot opt source               destination

Chain IN_allow-host-ipv6_pre (1 references)
target     prot opt source               destination

Chain IN_public (5 references)
target     prot opt source               destination
INPUT_POLICIES_pre  all  --  anywhere             anywhere
IN_public_pre  all  --  anywhere             anywhere
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere
IN_public_post  all  --  anywhere             anywhere
INPUT_POLICIES_post  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,UNTRACKED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:distcc ctstate NEW,UNTRACKED

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain IN_public_post (1 references)
target     prot opt source               destination

Chain IN_public_pre (1 references)
target     prot opt source               destination

Chain IN_trusted (1 references)
target     prot opt source               destination
INPUT_POLICIES_pre  all  --  anywhere             anywhere
IN_trusted_pre  all  --  anywhere             anywhere
IN_trusted_log  all  --  anywhere             anywhere
IN_trusted_deny  all  --  anywhere             anywhere
IN_trusted_allow  all  --  anywhere             anywhere
IN_trusted_post  all  --  anywhere             anywhere
INPUT_POLICIES_post  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain IN_trusted_allow (1 references)
target     prot opt source               destination

Chain IN_trusted_deny (1 references)
target     prot opt source               destination

Chain IN_trusted_log (1 references)
target     prot opt source               destination

Chain IN_trusted_post (1 references)
target     prot opt source               destination

Chain IN_trusted_pre (1 references)
target     prot opt source               destination

Chain OUTPUT_POLICIES_post (1 references)
target     prot opt source               destination

Chain OUTPUT_POLICIES_pre (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
```

----------

## denn0n

 *alamahant wrote:*   

> What is the output of
> 
> ```
> 
> iptables -L
> ...

 

I remember disabling IPv6 at some point while installing iptables.

----------

## denn0n

 *denn0n wrote:*   

>  *alamahant wrote:*   What is the output of
> 
> ```
> 
> iptables -L
> ...

 

Oh no, I remember now: I did block the INPUT and FORWARD chains for IPv6 in iptables, setting them to drop. I did not mess with any configuration.

----------

## alamahant

Yes, I also installed firewalld just now on my openrc.

Although I have a full iptables kernel .config, the damned thing would not start.

I think it is very temperamental.

Anyway, I found this kernel config

https://zigford.org/firewalld-kernel-requirements.html

to use with the nftables backend.

But maybe it's not a kernel thing at all.

----------

## denn0n

 *alamahant wrote:*   

> Yes I also installed  right now firewalld in my openrc.
> 
> Although I have a full iptables kernel .config the damned thing would not start.
> 
> I think it is very temperamental.
> ...

 

Yes, I also think it's very temperamental. I have spent some weeks trying to do this because I need to share the internet from my laptop. I will try something more before changing to nftables; I have never used it.

----------

## denn0n

 *alamahant wrote:*   

> Yes I also installed  right now firewalld in my openrc.
> 
> Although I have a full iptables kernel .config the damned thing would not start.
> 
> I think it is very temperamental.
> ...

 

Thank you! I couldn't. I will read about nftables.

----------

## pietinger

The only correct installation of a firewall is:

1. You put in ALL modules belonging to netfilter as `<M>` in your kernel (+ compile and install your kernel as always). Forget all information about needed kernel modules, because the needed modules depend on your FW configuration!

2. If you want to set up a firewall for a network (more than one ethernet port) don't forget to enable all needed ROUTING modules (e.g. "advanced router"); this is not needed for a personal FW.

3. You configure your firewall BEST with native "iptables" or "nftables" - don't use any "simple" solution from ufw or others. If you don't understand what you are doing then learn: networking (tcp, udp, icmp, ports, layers, IPv4, IPv6, DNAT, SNAT, ...) and at least do a "man iptables" or "man nftables".

4. If your FW is running you can do a "lsmod" and find out which kernel modules are really needed (the next time you configure your kernel you can unset all not needed modules).

As far as I can see your configuration is a mess ... don't use it until you understand what a firewall is able to do and NOT to do.

(There is a German guide from me with iptables, and a translated English version in this forum.)

----------

## denn0n

 *pietinger wrote:*   

> The only correct installation of a firewall is:
> 
> 1. You put in ALL modules belonging to netfilter as `<M>` in your kernel (+ compile and install your kernel as always). Forget all information about needed kernel modules, because the needed modules depend on your FW configuration!
> 
> 2. If you want to set up a firewall for a network (more than one ethernet port) don't forget to enable all needed ROUTING modules (e.g. "advanced router"); this is not needed for a personal FW.
> ...

 

Thank you for the reference!

I have been doing iptables for some time, but there is always something more to learn. I was thinking of installing firewalld since it's very useful: just set masquerade on a zone to share the internet. At the moment it's working with iptables, but it wasn't, and I had to review and install some things li ispec, and setting up the network is one of the most intricate things to do as I see it. If you could share the link to the guide it would be very much appreciated.

----------

## alamahant

Ok I made some progress.

It doesn't matter if you build firewalld with USE="-nftables": you need both, i.e. the "nftables iptables" USE flags, for it to start.

I did that, and after setting the backend to iptables in firewalld.conf it starts!

Same when I set it to nftables.

Running firewall commands: no problem.

If you need to debug it, use something like

```
firewalld --nofork --debug=4 #### or 10
```

in one terminal, after having first stopped it, and then open another terminal and run your firewall-cmd commands.

Please see

https://firewalld.org/documentation/howto/debug-firewalld.html

----------

## sam_

 *alamahant wrote:*   

> Ok I made some progress.
> 
> It doesnt matter if you build firewalld with USE="-nftables" you need both ie "nftables iptables" USE flags for it to start.
> 
> I did that and after setting backend to iptables in firewalld.conf It Starts!
> ...

 

Sorry, I haven't been following this whole thing, but is there a change I need to make to the ebuild? If so, could you file a bug?

----------

## alamahant

sam_

Do you think it's a bug?

I don't have the output because I closed that terminal, but it complained that it was trying to load an nftables python module which could not be found, despite having set the backend to "iptables" in firewalld.conf.

So it seems that irrespective of using the nftables or iptables backend you DO need firewalld built with both.

Otherwise it will not start.

Should I rebuild it with only one, get the output and open a bug report?

```
Traceback (most recent call last):
  File "/usr/sbin/firewalld", line 215, in <module>
    main()
  File "/usr/sbin/firewalld", line 210, in main
    startup(args)
  File "/usr/sbin/firewalld", line 163, in startup
    from firewall.server import server
  File "/usr/lib/python3.9/site-packages/firewall/server/server.py", line 40, in <module>
    from firewall.server.firewalld import FirewallD
  File "/usr/lib/python3.9/site-packages/firewall/server/firewalld.py", line 30, in <module>
    from firewall.core.fw import Firewall
  File "/usr/lib/python3.9/site-packages/firewall/core/fw.py", line 33, in <module>
    from firewall.core import nftables
  File "/usr/lib/python3.9/site-packages/firewall/core/nftables.py", line 35, in <module>
    from nftables.nftables import Nftables
ModuleNotFoundError: No module named 'nftables'
```

But if nftables is present, irrespective of the presence or not of USE="nftables", it WILL start.

OK, this is the culprit:

```
/usr/lib/python3.9/site-packages/firewall/core/fw.py
```

that mandates nftables irrespective of the chosen backend, thereby making the portage USE flags redundant.

RESUME: firewalld needs nftables installed irrespective of the backend chosen or portage USE.

----------

## pietinger

 *denn0n wrote:*   

> [...] if you could share the link to the guide it will very appreciate

 

This is the English translation from @Ralphred (containing a link to my German post):

https://forums.gentoo.org/viewtopic-t-1135566-start-0.html

(In my German post you will find some additional English posts.)

Maybe you are also interested in this - not for doing it - only for having some ideas (in English):

https://forums.gentoo.org/viewtopic-t-1114432.html

----------

## sam_

Ah, yes, please do file a bug for this in Gentoo. This exists upstream here too: https://github.com/firewalld/firewalld/issues/891.

----------

