bugzilla-daemon at netfilter.org
2024-Oct-29 12:21 UTC
[Bug 1777] New: Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

            Bug ID: 1777
           Summary: Error: COMMAND_FAILED: 'python-nftables' failed
           Product: nftables
           Version: 1.0.x
          Hardware: arm
                OS: Debian GNU/Linux
            Status: NEW
          Severity: blocker
          Priority: P5
         Component: kernel
          Assignee: pablo at netfilter.org
          Reporter: fs3000 at proton.me

(apologies if picking the wrong component)

This happens on a Debian 12 system with custom kernel. On an arm64 router.

On a fresh install, simply doing "firewall-cmd --add-interface=eth1 --zone=internal" causes a nftables error. The strange part, is that this only happens on firewalld's zones "internal" and "home". Actually i have tried other zones, but then, NAT does not work properly, even though i have set the right rules and policies in firewalld.

#########################################
root at banana1 /root $ firewall-cmd --add-interface=eth1 --zone=internal
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory; did you mean chain ‘filter_IN_external’ in table inet ‘firewalld’?

internal:0:0-0: Error: No such file or directory; did you mean chain ‘filter_FWD_external_allow’ in table inet ‘firewalld’?

JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "index": 6, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "filter_IN_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "nat_POST_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "filter_FWD_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "nat_PRE_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "mangle_PRE_internal"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal_allow", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth1"}}, {"accept": null}]}}}]}
#############################################

firewalld 1.3.3-1~deb12u1
libnftables1:arm64 1.0.6-2+deb12u2
libnftnl11:arm64 1.2.4-2
python3-firewall 1.3.3-1~deb12u1
python3-nftables 1.0.6-2+deb12u2

Custom 6.12.0-rc1 kernel.

--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20241029/190b5e04/attachment.html>
bugzilla-daemon at netfilter.org
2024-Oct-30 15:19 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |phil at nwl.cc

--- Comment #1 from Phil Sutter <phil at nwl.cc> ---
Hi,

At a first glance, it looks like a chain which should receive a rule does not exist. This might well be a bug in the version of firewalld you're using. Can you reproduce the issue with recent versions of firewalld and nftables?

Note that firewalld bug tracking happens over at github:
https://github.com/firewalld/firewalld/issues

Cheers, Phil
bugzilla-daemon at netfilter.org
2024-Oct-30 16:13 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #2 from fs3000 at proton.me ---
(In reply to Phil Sutter from comment #1)

I am running a fully updated Debian 12 install. On a Banana pi R4 router. I don't see newer versions for these packages.

I have tried in a raspberry pi 4, which is the same arch and it does not happen there. Same versions on everything. I have no idea why this...

Anyway, i have submitted an issue on firewalld github page here:
https://github.com/firewalld/firewalld/issues/1410
bugzilla-daemon at netfilter.org
2024-Oct-30 18:10 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #3 from Phil Sutter <phil at nwl.cc> ---
(In reply to fs3000 from comment #0)
> firewalld 1.3.3-1~deb12u1
> libnftables1:arm64 1.0.6-2+deb12u2
> libnftnl11:arm64 1.2.4-2
> python3-firewall 1.3.3-1~deb12u1
> python3-nftables 1.0.6-2+deb12u2

Current upstream versions:

firewalld: 2.2.2
(lib)nftables: 1.1.1
libnftnl: 1.2.8

If you're having a problem with Debian packages, you should report it there:
https://www.debian.org/Bugs/

The people maintaining the upstream project are usually not also maintaining the distribution packages. Even if I knew what went wrong on your system and how to fix it, I could not push a fix since I don't have access to Debian's package source.

You will probably face the same reply with firewalld on Github.
bugzilla-daemon at netfilter.org
2024-Oct-30 18:14 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #4 from fs3000 at proton.me ---
(In reply to Phil Sutter from comment #3)
> (In reply to fs3000 from comment #0)
> > firewalld 1.3.3-1~deb12u1
> > libnftables1:arm64 1.0.6-2+deb12u2
> > libnftnl11:arm64 1.2.4-2
> > python3-firewall 1.3.3-1~deb12u1
> > python3-nftables 1.0.6-2+deb12u2
>
> Current upstream versions:
>
> firewalld: 2.2.2
> (lib)nftables: 1.1.1
> libnftnl: 1.2.8
>
> If you're having a problem with Debian packages, you should report it there:
> https://www.debian.org/Bugs/
>
> The people maintaining the upstream project are usually not also maintaining
> the distribution packages. Even if I knew what went wrong on your system and
> how to fix it, I could not push a fix since I don't have access to Debian's
> package source.
>
> You will probably face the same reply with firewalld on Github.

You're right, again not sure what's wrong here. Anyway, no worries. Maybe better to close this bug. Sorry for spam.
bugzilla-daemon at netfilter.org
2024-Oct-31 13:35 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

Phil Sutter <phil at nwl.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WORKSFORME

--- Comment #5 from Phil Sutter <phil at nwl.cc> ---
(In reply to fs3000 from comment #4)
> You're right, again not sure what's wrong here. Anyway, no worries. Maybe
> better to close this bug. Sorry for spam.

No worries! If you can reproduce the problem, ideally on a freshly installed system, Debian maintainers should be interested in it as there's likely a fix upstream which they should backport.
bugzilla-daemon at netfilter.org
2024-Oct-31 22:24 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #6 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Phil Sutter from comment #5)
> (In reply to fs3000 from comment #4)
> > You're right, again not sure what's wrong here. Anyway, no worries. Maybe
> > better to close this bug. Sorry for spam.
>
> No worries! If you can reproduce the problem, ideally on a freshly installed
> system, Debian maintainers should be interested in it as there's likely a fix
> upstream which they should backport.

this reminds me I have to pick up again on 1.0.6.x backports to include this fix in a -stable release of that version. I am lagging behind with backports.
bugzilla-daemon at netfilter.org
2024-Nov-04 21:56 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #7 from fs3000 at proton.me ---
In reply to Pablo Neira Ayuso from comment #6)
> (In reply to Phil Sutter from comment #5)
> > (In reply to fs3000 from comment #4)
> > > You're right, again not sure what's wrong here. Anyway, no worries. Maybe
> > > better to close this bug. Sorry for spam.
> >
> > No worries! If you can reproduce the problem, ideally on a freshly installed
> > system, Debian maintainers should be interested in it as there's likely a fix
> > upstream which they should backport.
>
> this reminds me I have to pick up again on 1.0.6.x backports to include this
> fix in a -stable release of that version. I am lagging behind with backports.

Wait, do you mean you know what's wrong? Please pardon my ignorance, as i said before, this problem does not happen in Rasp PI 4, but does on Banana PI R4. So i was inclined to mark the custom Debian install i used the culprit. I talked to that custom Debian's responsible, he said that probably was something wrong on his side. But if you have a fix, that would be great.

BTW, the custom Debian's repo: https://github.com/frank-w/BPI-Router-Linux
bugzilla-daemon at netfilter.org
2024-Nov-05 21:33 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #8 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to fs3000 from comment #7)
> In reply to Pablo Neira Ayuso from comment #6)
> > (In reply to Phil Sutter from comment #5)
> > > (In reply to fs3000 from comment #4)
> > > > You're right, again not sure what's wrong here. Anyway, no worries. Maybe
> > > > better to close this bug. Sorry for spam.
> > >
> > > No worries! If you can reproduce the problem, ideally on a freshly installed
> > > system, Debian maintainers should be interested in it as there's likely a fix
> > > upstream which they should backport.
> >
> > this reminds me I have to pick up again on 1.0.6.x backports to include this
> > fix in a -stable release of that version. I am lagging behind with backports.
>
>
> Wait, do you mean you know what's wrong? Please pardon my ignorance, as i
> said before, this problem does not happen in Rasp PI 4, but does on Banana
> PI R4. So i was inclined to mark the custom Debian install i used the
> culprit. I talked to that custom Debian's responsible, he said that probably
> was something wrong on his side. But if you have a fix, that would be great.
>
> BTW, the custom Debian's repo: https://github.com/frank-w/BPI-Router-Linux

Using the latest nftables 1.1.1 version should sort this out. Please, give it a go and let us know.
bugzilla-daemon at netfilter.org
2024-Nov-06 12:28 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #9 from fs3000 at proton.me ---
(In reply to Pablo Neira Ayuso from comment #8)
>
> Using the latest nftables 1.1.1 version should sort this out. Please, give
> it a go and let us know.

I'm new at Debian, is there an easy way to test 1.1.1? I see there is version 1.1.1 on the testing repo, but that means updating the entire OS.
bugzilla-daemon at netfilter.org
2024-Nov-11 11:07 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |---

--- Comment #11 from Pablo Neira Ayuso <pablo at netfilter.org> ---
Hi,

This json output does not work here either on x86_64.

Would you post your ruleset with: nft list ruleset ?

Thanks.
bugzilla-daemon at netfilter.org
2024-Nov-11 18:18 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #12 from fs3000 at proton.me ---
root at bpi-r4 /root $ nft list ruleset
table inet firewalld { # progname firewalld
	flags owner,persist

	chain mangle_PREROUTING {
		type filter hook prerouting priority mangle + 10; policy accept;
		jump mangle_PREROUTING_POLICIES
	}

	chain mangle_PREROUTING_POLICIES {
		jump mangle_PRE_policy_allow-host-ipv6
		jump mangle_PRE_public
		return
	}

	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_POLICIES
	}

	chain nat_PREROUTING_POLICIES {
		jump nat_PRE_policy_allow-host-ipv6
		jump nat_PRE_public
		return
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_POLICIES
	}

	chain nat_POSTROUTING_POLICIES {
		jump nat_POST_public
		return
	}

	chain nat_OUTPUT {
		type nat hook output priority dstnat + 10; policy accept;
		jump nat_OUTPUT_POLICIES
	}

	chain nat_OUTPUT_POLICIES {
		jump nat_OUT_public
		return
	}

	chain filter_PREROUTING {
		type filter hook prerouting priority filter + 10; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		meta nfproto ipv6 fib saddr . mark . iif oif missing drop
	}

	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		jump filter_INPUT_POLICIES
		reject with icmpx admin-prohibited
	}

	chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_FORWARD_POLICIES
		reject with icmpx admin-prohibited
	}

	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		ct state { established, related } accept
		oifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_OUTPUT_POLICIES
	}

	chain filter_INPUT_POLICIES {
		jump filter_IN_policy_allow-host-ipv6
		jump filter_IN_public
		reject with icmpx admin-prohibited
	}

	chain filter_FORWARD_POLICIES {
		jump filter_FWD_public
		reject with icmpx admin-prohibited
	}

	chain filter_OUTPUT_POLICIES {
		jump filter_OUT_public
		return
	}

	chain filter_IN_public {
		jump filter_IN_public_pre
		jump filter_IN_public_log
		jump filter_IN_public_deny
		jump filter_IN_public_allow
		jump filter_IN_public_post
		meta l4proto { icmp, ipv6-icmp } accept
	}

	chain filter_IN_public_pre {
	}

	chain filter_IN_public_log {
	}

	chain filter_IN_public_deny {
	}

	chain filter_IN_public_allow {
		tcp dport 22 accept
		ip6 daddr fe80::/64 udp dport 546 accept
	}

	chain filter_IN_public_post {
	}

	chain filter_OUT_public {
		jump filter_OUT_public_pre
		jump filter_OUT_public_log
		jump filter_OUT_public_deny
		jump filter_OUT_public_allow
		jump filter_OUT_public_post
	}

	chain filter_OUT_public_pre {
	}

	chain filter_OUT_public_log {
	}

	chain filter_OUT_public_deny {
	}

	chain filter_OUT_public_allow {
	}

	chain filter_OUT_public_post {
	}

	chain nat_OUT_public {
		jump nat_OUT_public_pre
		jump nat_OUT_public_log
		jump nat_OUT_public_deny
		jump nat_OUT_public_allow
		jump nat_OUT_public_post
	}

	chain nat_OUT_public_pre {
	}

	chain nat_OUT_public_log {
	}

	chain nat_OUT_public_deny {
	}

	chain nat_OUT_public_allow {
	}

	chain nat_OUT_public_post {
	}

	chain nat_POST_public {
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	chain filter_FWD_public {
		jump filter_FWD_public_pre
		jump filter_FWD_public_log
		jump filter_FWD_public_deny
		jump filter_FWD_public_allow
		jump filter_FWD_public_post
	}

	chain filter_FWD_public_pre {
	}

	chain filter_FWD_public_log {
	}

	chain filter_FWD_public_deny {
	}

	chain filter_FWD_public_allow {
	}

	chain filter_FWD_public_post {
	}

	chain nat_PRE_public {
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	chain mangle_PRE_public {
		jump mangle_PRE_public_pre
		jump mangle_PRE_public_log
		jump mangle_PRE_public_deny
		jump mangle_PRE_public_allow
		jump mangle_PRE_public_post
	}

	chain mangle_PRE_public_pre {
	}

	chain mangle_PRE_public_log {
	}

	chain mangle_PRE_public_deny {
	}

	chain mangle_PRE_public_allow {
	}

	chain mangle_PRE_public_post {
	}

	chain filter_IN_policy_allow-host-ipv6 {
		jump filter_IN_policy_allow-host-ipv6_pre
		jump filter_IN_policy_allow-host-ipv6_log
		jump filter_IN_policy_allow-host-ipv6_deny
		jump filter_IN_policy_allow-host-ipv6_allow
		jump filter_IN_policy_allow-host-ipv6_post
	}

	chain filter_IN_policy_allow-host-ipv6_pre {
	}

	chain filter_IN_policy_allow-host-ipv6_log {
	}

	chain filter_IN_policy_allow-host-ipv6_deny {
	}

	chain filter_IN_policy_allow-host-ipv6_allow {
		icmpv6 type nd-neighbor-advert accept
		icmpv6 type nd-neighbor-solicit accept
		icmpv6 type nd-router-advert accept
		icmpv6 type nd-redirect accept
	}

	chain filter_IN_policy_allow-host-ipv6_post {
	}

	chain nat_PRE_policy_allow-host-ipv6 {
		jump nat_PRE_policy_allow-host-ipv6_pre
		jump nat_PRE_policy_allow-host-ipv6_log
		jump nat_PRE_policy_allow-host-ipv6_deny
		jump nat_PRE_policy_allow-host-ipv6_allow
		jump nat_PRE_policy_allow-host-ipv6_post
	}

	chain nat_PRE_policy_allow-host-ipv6_pre {
	}

	chain nat_PRE_policy_allow-host-ipv6_log {
	}

	chain nat_PRE_policy_allow-host-ipv6_deny {
	}

	chain nat_PRE_policy_allow-host-ipv6_allow {
	}

	chain nat_PRE_policy_allow-host-ipv6_post {
	}

	chain mangle_PRE_policy_allow-host-ipv6 {
		jump mangle_PRE_policy_allow-host-ipv6_pre
		jump mangle_PRE_policy_allow-host-ipv6_log
		jump mangle_PRE_policy_allow-host-ipv6_deny
		jump mangle_PRE_policy_allow-host-ipv6_allow
		jump mangle_PRE_policy_allow-host-ipv6_post
	}

	chain mangle_PRE_policy_allow-host-ipv6_pre {
	}

	chain mangle_PRE_policy_allow-host-ipv6_log {
	}

	chain mangle_PRE_policy_allow-host-ipv6_deny {
	}

	chain mangle_PRE_policy_allow-host-ipv6_allow {
	}

	chain mangle_PRE_policy_allow-host-ipv6_post {
	}
}
bugzilla-daemon at netfilter.org
2024-Nov-11 18:46 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #13 from Pablo Neira Ayuso <pablo at netfilter.org> ---
the json blob you posted is incomplete, it is easy to inspect via | jq.

There is no initial add table inet firewalld command.

There is also a jump to chain which is not defined.

    {
      "add": {
        "rule": {
          "family": "inet",
          "table": "firewalld",
          "chain": "filter_IN_internal",
          "expr": [
            {
              "jump": {
                "target": "filter_INPUT_POLICIES_pre"
              }
            }
          ]
        }
      }
    },

Are you trying to add this json blob that you posted to an existing ruleset in place?
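The inspection described in comment #13, automated as an added example (not part of the thread and not nftables or firewalld code): it compares a libnftables JSON batch against the chains present in `nft list ruleset` output and reports every rule that lands in, or jumps to, a chain that exists in neither. The function names are hypothetical and the sample inputs are constructed, abbreviated from chain names that appear in this thread.

```python
import json
import re

# Matches "table <family> <name> {" or "chain <name> {" anywhere in the text,
# so it also works on ruleset output that an archive has flattened to one line.
TOKEN_RE = re.compile(r"\btable\s+(\S+)\s+(\S+)\s*\{|\bchain\s+(\S+)\s*\{")


def existing_chains(ruleset_text):
    """Return {(family, table, chain)} found in `nft list ruleset` text."""
    chains, current_table = set(), None
    for m in TOKEN_RE.finditer(ruleset_text):
        if m.group(1):
            current_table = (m.group(1), m.group(2))
        elif current_table:
            chains.add(current_table + (m.group(3),))
    return chains


def verdict_targets(node):
    """Yield (kind, target) for each jump/goto nested anywhere in an expr."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("jump", "goto") and isinstance(value, dict) and "target" in value:
                yield key, value["target"]
            else:
                yield from verdict_targets(value)
    elif isinstance(node, list):
        for item in node:
            yield from verdict_targets(item)


def missing_references(batch, known):
    """List (problem, chain) for rules referencing chains that are neither in
    `known` nor created by the batch itself (order inside the batch is ignored)."""
    known = set(known)
    commands = []
    for entry in batch["nftables"]:
        for verb, body in entry.items():
            if verb == "metainfo":
                continue
            for kind, obj in body.items():
                commands.append((verb, kind, obj))
    for verb, kind, obj in commands:
        if kind == "chain" and verb in ("add", "create"):
            known.add((obj["family"], obj["table"], obj["name"]))
    problems = []
    for verb, kind, obj in commands:
        if kind != "rule":
            continue
        family, table = obj["family"], obj["table"]
        if (family, table, obj["chain"]) not in known:
            problems.append(("rule-chain", obj["chain"]))
        for vkind, target in verdict_targets(obj.get("expr", [])):
            if (family, table, target) not in known:
                problems.append((vkind + "-target", target))
    return problems


# Constructed sample: a two-chain excerpt standing in for the live ruleset.
SAMPLE_RULESET = """
table inet firewalld {
	chain filter_INPUT_POLICIES {
		jump filter_IN_public
	}
	chain filter_IN_public {
	}
}
"""

# Constructed sample batch, shaped like the blobs firewalld printed above.
SAMPLE_BATCH = json.loads("""
{"nftables": [
 {"metainfo": {"json_schema_version": 1}},
 {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal"}}},
 {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_pre"}}},
 {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal",
   "expr": [{"jump": {"target": "filter_INPUT_POLICIES_pre"}}]}}},
 {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal",
   "expr": [{"jump": {"target": "filter_IN_internal_pre"}}]}}},
 {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES",
   "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}},
            {"goto": {"target": "filter_IN_internal"}}]}}}
]}
""")

if __name__ == "__main__":
    for problem, chain in missing_references(SAMPLE_BATCH, existing_chains(SAMPLE_RULESET)):
        print(f"{problem}: {chain}")
```

On a live system the two inputs would be the "JSON blob" from the firewalld error and the text printed by `nft list ruleset`.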
bugzilla-daemon at netfilter.org
2024-Nov-11 18:52 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #14 from fs3000 at proton.me ---
(In reply to Pablo Neira Ayuso from comment #13)
> the json blob you posted is incomplete, it is easy to inspect via | jq.
>
> There is no initial add table inet firewalld command.
>
> There is also a jump to chain which is not defined.
>
>     {
>       "add": {
>         "rule": {
>           "family": "inet",
>           "table": "firewalld",
>           "chain": "filter_IN_internal",
>           "expr": [
>             {
>               "jump": {
>                 "target": "filter_INPUT_POLICIES_pre"
>               }
>             }
>           ]
>         }
>       }
>     },
>
> Are you trying to add this json blob that you posted to an existing ruleset
> in place?

Pablo, i get this error while doing i.e. firewall-cmd --add-interface=eth1 --zone=internal. I do it after installing firewalld. I don't alter, add or delete any rules. To be honest, i don't know nftables, i just use firewalld. This happens in a clean install.

If you want me to post here to post the original nft ruleset after installing firewalld, please just say so.
bugzilla-daemon at netfilter.org
2024-Nov-11 19:46 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #15 from fs3000 at proton.me ---
This is the original /etc/nftables.conf right after a clean install. "nft list ruleset" is empty. The nftables service is inactive.

root at bpi-r4 /root $ cat /etc/nftables.conf
#!/usr/sbin/nft -f

define iflan="lanbr0"
define ifinternal={$iflan,"wlan0","wlan1"}
#define ifwan="ppp0"
define ifwan="ppp8"
define ifexternal={"wan",$ifwan,"ppp9"}

flush ruleset

table inet filter {
	# flowtable f {
	#   hook ingress priority filter
	#   devices = { lan0, lan1, lan2, lan3, wan }
	#   #devices = { lan0, lan1, lan2, lan3, wan, wlan0, wlan1 }
	#   flags offload
	# }

	chain input {
		type filter hook input priority filter;policy drop;
		iifname "lo" accept comment "accept loopback"
		limit rate 5/second icmp type {echo-request, echo-reply} accept comment "limit icmp to 5/s"
		tcp dport ssh limit rate 10/second accept comment "limit SSH"
		#iifname $ifinternal tcp dport ssh limit rate 10/second accept comment "limit SSH"
		ct state { established, related } accept comment "allow connections initiated"
		iifname $ifinternal accept comment "allow traffic from internal interfaces"
		tcp sport ftp-data ct state established,related accept comment "allow active/passive FTP"
		#reject
	}

	chain forward {
		type filter hook forward priority filter;policy drop;
		ct state invalid counter drop comment "early drop of invalid packets"
		#ct state {established,related} accept comment "allow connections initiated"
		#limit rate 5/second icmp type { echo-reply, echo-request } accept comment "limit icmp to 5/s"
		oifname $ifexternal tcp flags syn tcp option maxseg size set rt mtu
		#split new connections from known, syn-ack=ct-established
		ct state vmap { established : jump forward-known, related : jump forward-known, new : jump forward-new }
	}

	chain forward-new {
		#oifname $ifexternal ip saddr $iprangesblocked reject comment "block internal ip ranges to have only internal access"
		#oifname $ifwan tcp dport domain reject comment "block external dns in forward"
		#limit rate 10/minute counter log prefix "NF-FWD-NEW: " level debug
		#int <=> ext
		iifname $ifinternal oifname $ifinternal accept comment "allow int => int"
		iifname $ifinternal oifname $ifexternal accept comment "allow int => ext"
		iifname $ifexternal oifname $ifinternal ct state established,related accept comment "allow ext => int (only established/related)"
	}

	chain forward-known {
		# ct state established flow offload @f
		counter accept
	}

	chain output {
		type filter hook output priority filter;
	}
}

table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname $ifexternal masquerade comment "NAT on all external interfaces"
	}
}

include "/etc/nftables/*.nft"
bugzilla-daemon at netfilter.org
2024-Nov-11 19:57 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777 --- Comment #16 from fs3000 at proton.me --- So in a fresh system install, purged nftables, other related packages already present and deleted nftables conf. Installed firewalld fresh, debian 12 packages. Error: Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory internal:0:0-0: Error: Could not process rule: No such file or directory JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_INPUT_POLICIES_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_IN_internal_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_IN_internal_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_IN_internal_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_IN_internal_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": 
"filter_IN_internal_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_INPUT_POLICIES_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "daddr"}}, "op": "==", "right": "224.0.0.251"}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 5353}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": "ff02::fb"}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 5353}}, {"accept": null}]}}}, {"add": {"ct helper": {"family": "inet", "table": "firewalld", "name": "helper-netbios-ns-udp", "type": "netbios-ns", "protocol": "udp"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 137}}, {"ct helper": "helper-netbios-ns-udp"}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 137}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": 
"udp", "field": "dport"}}, "op": "==", "right": 138}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "fe80::", "len": 64}}}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 546}}, {"accept": null}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POSTROUTING_POLICIES_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POST_internal_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POST_internal_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POST_internal_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POST_internal_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POST_internal_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", 
"expr": [{"jump": {"target": "nat_POSTROUTING_POLICIES_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FORWARD_POLICIES_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FWD_internal_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FWD_internal_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FWD_internal_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FWD_internal_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FWD_internal_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FORWARD_POLICIES_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal"}}}, {"add": {"chain": 
{"family": "inet", "table": "firewalld", "name": "nat_PRE_internal_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PREROUTING_POLICIES_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PRE_internal_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PRE_internal_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PRE_internal_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PRE_internal_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PRE_internal_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PREROUTING_POLICIES_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal_allow"}}}, {"add": {"chain": 
{"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PREROUTING_POLICIES_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PRE_internal_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PRE_internal_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PRE_internal_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PRE_internal_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PRE_internal_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PREROUTING_POLICIES_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "index": 6, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "filter_IN_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "nat_POST_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_ZONES", "expr": [{"match": {"left": {"meta": {"key": 
"iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "filter_FWD_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "nat_PRE_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "mangle_PRE_internal"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal_allow", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth1"}}, {"accept": null}]}}}]}

nftables.conf that came with the package:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter;
    }
    chain forward {
        type filter hook forward priority filter;
    }
    chain output {
        type filter hook output priority filter;
    }
}
bugzilla-daemon at netfilter.org
2024-Nov-12 13:13 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #17 from Phil Sutter <phil at nwl.cc> ---
Might as well just be a bug in Debian's firewalld. Did you report with Debian?
bugzilla-daemon at netfilter.org
2024-Nov-12 15:33 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #18 from fs3000 at proton.me ---
(In reply to Phil Sutter from comment #17)
> Might as well just be a bug in Debian's firewalld. Did you report with
> Debian?

I reported on firewalld's github page. But so far, no reply. Will report on Debian then.
bugzilla-daemon at netfilter.org
2024-Nov-12 18:47 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #19 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to fs3000 from comment #16)
> So in a fresh system install, purged nftables, other related packages
> already present and deleted nftables conf. Installed firewalld fresh, debian
> 12 packages.
>
> Error:
>
> Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error:
> Could not process rule: No such file or directory
>
> internal:0:0-0: Error: Could not process rule: No such file or directory
>
>
> JSON blob:

I still see in this JSON blob reference to chains that do not exist.

> nftables.conf that came with the package:
>
> #!/usr/sbin/nft -f
>
> flush ruleset
>
> table inet filter {
>     chain input {
>         type filter hook input priority filter;
>     }
>     chain forward {
>         type filter hook forward priority filter;
>     }
>     chain output {
>         type filter hook output priority filter;
>     }
> }

Is this your existing ruleset? Makes no sense to me.
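Comment #19 points at chains that the JSON blob references but that do not exist. As an added example (not code from firewalld, nftables or anyone in this thread), the Python below replays a libnftables JSON batch in order and lists every chain that a rule is placed in, or jumps to, before that chain exists. The function names are hypothetical, the sample batch and listing are constructed in the same shape as the blob above, and it assumes a chain must either be created earlier in the batch or already be present in the live ruleset (as reported by `nft -j list chains`).

```python
import json

# Commands in a libnftables JSON batch that create or place objects.
CMDS = ("add", "create", "insert", "replace")

# Constructed sample: a shortened batch in the shape of the blob in this thread.
SAMPLE_BATCH = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"add": {"chain": {"family": "inet", "table": "firewalld",
                       "name": "filter_IN_internal"}}},
    {"add": {"chain": {"family": "inet", "table": "firewalld",
                       "name": "filter_IN_internal_allow"}}},
    {"add": {"rule": {"family": "inet", "table": "firewalld",
                      "chain": "filter_IN_internal",
                      "expr": [{"jump": {"target": "filter_INPUT_POLICIES_pre"}}]}}},
    {"add": {"rule": {"family": "inet", "table": "firewalld",
                      "chain": "filter_IN_internal",
                      "expr": [{"jump": {"target": "filter_IN_internal_allow"}}]}}},
    {"insert": {"rule": {"family": "inet", "table": "firewalld",
                         "chain": "filter_INPUT_ZONES",
                         "expr": [{"match": {"left": {"meta": {"key": "iifname"}},
                                             "op": "==", "right": "eth1"}},
                                  {"goto": {"target": "filter_IN_internal"}}]}}},
]})

# Constructed sample of `nft -j list chains` output: a ruleset that has the
# zone dispatch chain but lacks the policy chain the batch jumps to.
SAMPLE_LISTING = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"chain": {"family": "inet", "table": "firewalld",
               "name": "filter_INPUT_ZONES", "handle": 7}},
]})


def jump_targets(node):
    """Yield every jump/goto target found anywhere inside an expr tree."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key in ("jump", "goto") and isinstance(val, dict) and "target" in val:
                yield val["target"]
            else:
                yield from jump_targets(val)
    elif isinstance(node, list):
        for item in node:
            yield from jump_targets(item)


def chains_in_listing(listing_json):
    """Return the chains in a JSON chain listing as (family, table, name)."""
    present = set()
    for item in json.loads(listing_json).get("nftables", []):
        chain = item.get("chain")
        if chain:
            present.add((chain["family"], chain["table"], chain["name"]))
    return present


def unresolved_chains(batch_json, present=frozenset()):
    """Walk the batch in order and report chains used before they exist.

    Returns a list of (command index, role, chain name) tuples.
    """
    known = set(present)
    missing = []
    for idx, item in enumerate(json.loads(batch_json).get("nftables", [])):
        for cmd in CMDS:
            body = item.get(cmd)
            if not isinstance(body, dict):
                continue
            if "chain" in body:
                chain = body["chain"]
                known.add((chain["family"], chain["table"], chain["name"]))
            elif "rule" in body:
                rule = body["rule"]
                scope = (rule["family"], rule["table"])
                refs = [("rule chain", rule["chain"])]
                refs += [("jump/goto target", t)
                         for t in jump_targets(rule.get("expr", []))]
                for role, name in refs:
                    if scope + (name,) not in known:
                        missing.append((idx, role, name))
    return missing


if __name__ == "__main__":
    live = chains_in_listing(SAMPLE_LISTING)
    for idx, role, name in unresolved_chains(SAMPLE_BATCH, live):
        print(f"command {idx}: {role} '{name}' does not exist at this point")
```
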
bugzilla-daemon at netfilter.org
2024-Nov-12 19:10 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #20 from fs3000 at proton.me ---
(In reply to Pablo Neira Ayuso from comment #19)
>
> I still see in this JSON blob reference to chains that do not exist.
>
> > nftables.conf that came with the package:
> >
> > #!/usr/sbin/nft -f
> >
> > flush ruleset
> >
> > table inet filter {
> >     chain input {
> >         type filter hook input priority filter;
> >     }
> >     chain forward {
> >         type filter hook forward priority filter;
> >     }
> >     chain output {
> >         type filter hook output priority filter;
> >     }
> > }
>
> Is this your existing ruleset? Makes no sense to me.

This is the original conf from the package. Anyway, I did submit a bug with Debian and Michael Biebl replied saying custom kernels are not supported. Which in this case it might be the culprit as it probably does not have necessary features, even though I copied all NFT, FILTER and NAT configs from the original Debian kernel to this custom kernel build config.

I would like to figure this out, but as I already tried using firewalld in a raspberry pi and it worked without problems, I guess it's safe to close this bug.
bugzilla-daemon at netfilter.org
2024-Nov-12 19:12 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

Pablo Neira Ayuso <pablo at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #21 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to fs3000 from comment #20)
> (In reply to Pablo Neira Ayuso from comment #19)
> >
> > I still see in this JSON blob reference to chains that do not exist.
> >
> > > nftables.conf that came with the package:
> > >
> > > #!/usr/sbin/nft -f
> > >
> > > flush ruleset
> > >
> > > table inet filter {
> > >     chain input {
> > >         type filter hook input priority filter;
> > >     }
> > >     chain forward {
> > >         type filter hook forward priority filter;
> > >     }
> > >     chain output {
> > >         type filter hook output priority filter;
> > >     }
> > > }
> >
> > Is this your existing ruleset? Makes no sense to me.
>
> This is the original conf from the package. Anyway, I did submit a bug with
> Debian and Michael Biebl replied saying custom kernels are not supported.
> Which in this case it might be the culprit as it probably does not have
> necessary features, even though I copied all NFT, FILTER and NAT configs from
> the original Debian kernel to this custom kernel build config.
>
> I would like to figure this out, but as I already tried using firewalld in a
> raspberry pi and it worked without problems, I guess it's safe to close this
> bug.
bugzilla-daemon at netfilter.org
2024-Nov-12 19:13 UTC
[Bug 1777] Error: COMMAND_FAILED: 'python-nftables' failed
https://bugzilla.netfilter.org/show_bug.cgi?id=1777

--- Comment #22 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to Pablo Neira Ayuso from comment #21)
> > I would like to figure this out, but as I already tried using firewalld in a
> > raspberry pi and it worked without problems, I guess it's safe to close this
> > bug.

Closing, thanks