centos 8, firewalld error `COMMAND_FAILED: 'python-nftables' failed`

Question:

when I try to reload firewalld, it tells me

Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Numerical result out of range


JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_policy_allow-host-ipv6"}}}]}

I don’t know why this is; after Googling, it still hasn’t been resolved.

Asked By: xcsoft


Answers:

I had the same error message. I enabled verbose debugs on firewalld and tailed the logs to file for a deeper dive. In my case the exception was originally happening in "nftables.py" on line "361".

Exception:

2022-01-23 14:00:23 DEBUG3: <class 'firewall.core.nftables.nftables'>: calling python-nftables with JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_policy_allow-host-ipv6"}}}]}
2022-01-23 14:00:23 DEBUG1: Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/firewall/core/fw.py", line 888, in rules
    backend.set_rule(rule, self._log_denied)
  File "/usr/lib/python3.6/site-packages/firewall/core/nftables.py", line 390, in set_rule
    self.set_rules([rule], log_denied)
  File "/usr/lib/python3.6/site-packages/firewall/core/nftables.py", line 361, in set_rules
    raise ValueError("'%s' failed: %s\nJSON blob:\n%s" % ("python-nftables", error, json.dumps(json_blob)))
ValueError: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Numerical result out of range

Line 361 in "nftables.py":

self._loader(config.FIREWALLD_POLICIES, "policy")

Why this is a problem:
Basically nftables is a backend service and firewalld is a frontend service. They are dependent on each other to function. Each time you restart firewalld it has to reconcile the backend, in this case nftables. At some point during the reconciliation a conflict is occurring in the python code. That is unfortunate as the only real solution will likely have to come from code improvements from nftables in how it is able to populate policies into chains and tables.

A work-around:
The good news is, if you are like me, you don’t use ipv6, in which case we simply disable the policy rather than solve for the issue. I’ll put the work-around steps below.

Work-around Steps:
The proper way to remove the policy is to use the command "firewall-cmd --delete-policy=allow-host-ipv6 --permanent" but I encountered other errors and exceptions in python when attempting to do that. Since I don’t care about ipv6 I manually deleted the XML from configuration and restarted the firewalld service.

rm /usr/lib/firewalld/policies/allow-host-ipv6.xml

rm /etc/firewalld/policies/allow-host-ipv6.xml

systemctl restart firewalld

Side Note:
Once I fixed this conflict, I also had some additional conflicts between nftables/iptables/fail2ban that had to be cleared up. For that I just used the command "fail2ban-client unban --all" to make fail2ban wipe clean all of the chains it added to iptables.

Answered By: Dominic Wasserzug
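The answer above works out which policy is failing by reading the DEBUG3 log by hand. The script below is an added example (not part of the original answer or of firewalld) that does the same thing over a log file: it pairs each "calling python-nftables with JSON blob" line with the ValueError that follows it, pulls the chain or rule names out of the blob, and maps firewalld's policy chain naming (the `filter_IN_policy_<name>` pattern seen in the blob on this page; the wider `filter|nat|mangle` and `IN|OUT|FWD` variants are an assumption) back to a policy name and the two XML locations the answer deletes. The sample log lines are constructed from the answer's output.

```python
"""Find which firewalld policy a failing python-nftables call belongs to.

Added example, not from the original post. Assumes the DEBUG3 log format
shown in the answer (blob line, then a traceback ending in ValueError).
"""
import json
import re
import sys
from pathlib import Path

BLOB_RE = re.compile(r"calling python-nftables with JSON blob: (\{.*\})\s*$")
# Policy chain naming as seen in the blob on the page; the table and direction
# alternatives beyond filter/IN are an assumption about firewalld's scheme.
POLICY_CHAIN_RE = re.compile(r"^(?:filter|nat|mangle)_(?:IN|OUT|FWD)_policy_(.+)$")
ERROR_MARKER = "ValueError: 'python-nftables' failed: "

# Constructed sample, modelled on the DEBUG3 output quoted in the answer.
SAMPLE_LOG = """\
2022-01-23 14:00:23 DEBUG3: <class 'firewall.core.nftables.nftables'>: calling python-nftables with JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_policy_allow-host-ipv6"}}}]}
2022-01-23 14:00:23 DEBUG1: Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/firewall/core/fw.py", line 888, in rules
    backend.set_rule(rule, self._log_denied)
ValueError: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Numerical result out of range
"""


def find_failing_blobs(log_text):
    """Return (blob, error) pairs: each blob followed by a python-nftables ValueError."""
    results = []
    last_blob = None
    for line in log_text.splitlines():
        m = BLOB_RE.search(line)
        if m:
            # Remember the most recent blob; only the one right before an error matters.
            last_blob = json.loads(m.group(1))
            continue
        if ERROR_MARKER in line and last_blob is not None:
            results.append((last_blob, line.split(ERROR_MARKER, 1)[1].strip()))
            last_blob = None
    return results


def objects_in_blob(blob):
    """Yield (verb, kind, attrs) for every command in an nftables JSON blob."""
    for cmd in blob.get("nftables", []):
        for verb, body in cmd.items():
            if verb == "metainfo":  # schema header, not an object
                continue
            for kind, attrs in body.items():
                yield verb, kind, attrs


def policies_from_blob(blob):
    """Policy names referenced by chain objects or by the chain a rule targets."""
    names = set()
    for _verb, _kind, attrs in objects_in_blob(blob):
        chain_name = attrs.get("name") or attrs.get("chain") or ""
        m = POLICY_CHAIN_RE.match(chain_name)
        if m:
            names.add(m.group(1))
    return sorted(names)


def policy_config_paths(policy):
    """Where firewalld keeps a policy's XML: /etc overrides the packaged copy in /usr/lib."""
    return [
        str(Path("/etc/firewalld/policies") / f"{policy}.xml"),
        str(Path("/usr/lib/firewalld/policies") / f"{policy}.xml"),
    ]


def diagnose(log_text):
    """One report entry per (failing blob, policy) pair."""
    report = []
    for blob, error in find_failing_blobs(log_text):
        for policy in policies_from_blob(blob):
            report.append({"policy": policy, "error": error,
                           "config_files": policy_config_paths(policy)})
    return report


if __name__ == "__main__":
    # Usage: python3 diagnose.py /path/to/firewalld.log   (defaults to the sample)
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(diagnose(text), indent=2))
```

Run it against the file you tailed the verbose debug output into; each entry names the policy and the two XML paths to inspect, so you can confirm the policy really is one you can live without before removing anything.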

In my case, I didn’t really care about using nftables, so on my Centos 8 installation, I went to /etc/firewalld/firewalld.conf e.g.

vi /etc/firewalld/firewalld.conf

and changed the backend for firewalld from nftables to iptables.

To do this, you will find the line:

FirewallBackend=nftables

Change it to:

FirewallBackend=iptables

Then save and restart firewalld using:

systemctl restart firewalld

Now check the status:

systemctl status firewalld

And everything should be fine.

Thanks for reading

Answered By: gbenroscience
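The answer above edits FirewallBackend in /etc/firewalld/firewalld.conf by hand. As an added example (not from the original answer or from firewalld), the script below makes that same change in a way that is safe to script: it validates the value, rewrites only the first active `FirewallBackend=` line, leaves commented copies alone, comments out any duplicate active line, appends the key if it is missing, keeps a `.bak` of the original, and changes nothing on a repeat run. It assumes the `key=value` format shown in the answer; the `demo()` function runs the edit on a constructed copy of the file in a temporary directory rather than the live config.

```python
"""Switch firewalld's FirewallBackend setting with a backup and an idempotent edit.

Added example, not from the original post. Assumes the key=value format
shown in the answer (FirewallBackend=nftables).
"""
import re
import shutil
import tempfile
from pathlib import Path

VALID_BACKENDS = ("nftables", "iptables")
# group(1) is set when the line is commented out, group(2) is the value.
KEY_RE = re.compile(r"^\s*(#\s*)?FirewallBackend\s*=\s*(\S*)\s*$")


def current_backend(conf_path):
    """Value of the first active FirewallBackend line, or None if the key is absent."""
    for line in Path(conf_path).read_text().splitlines():
        m = KEY_RE.match(line)
        if m and not m.group(1):
            return m.group(2)
    return None


def set_firewall_backend(conf_path, backend):
    """Rewrite the config so exactly one active FirewallBackend line is set.

    Returns the backup path when the file was changed, None when it already matched.
    """
    if backend not in VALID_BACKENDS:
        raise ValueError(f"unsupported backend {backend!r}; expected one of {VALID_BACKENDS}")
    path = Path(conf_path)
    old_text = path.read_text()
    out, replaced = [], False
    for line in old_text.splitlines(keepends=True):
        m = KEY_RE.match(line)
        if m and not m.group(1):  # an active setting line
            if not replaced:
                out.append(f"FirewallBackend={backend}\n")
                replaced = True
            else:
                out.append("# " + line.lstrip())  # duplicate: disable rather than guess
        else:
            out.append(line)  # comments, blank lines, other keys stay untouched
    if not replaced:
        if out and not out[-1].endswith("\n"):
            out[-1] += "\n"
        out.append(f"FirewallBackend={backend}\n")
    new_text = "".join(out)
    if new_text == old_text:
        return None  # nothing to do; do not overwrite the earlier backup
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(new_text)
    return backup


def demo():
    """Run the edit on a constructed firewalld.conf in a temp dir and report what happened."""
    conf = Path(tempfile.mkdtemp()) / "firewalld.conf"
    conf.write_text(
        "# firewalld config file\n\n"
        "# FirewallBackend=iptables\n"   # commented example line, must stay as-is
        "FirewallBackend=nftables\n"
        "LogDenied=off\n"
    )
    before = current_backend(conf)
    backup = set_firewall_backend(conf, "iptables")
    after = current_backend(conf)
    second_run = set_firewall_backend(conf, "iptables")  # already set: no change
    return {
        "before": before,
        "after": after,
        "backup_value": current_backend(backup),
        "second_run_changed": second_run is not None,
        "text": conf.read_text(),
    }


if __name__ == "__main__":
    # To apply for real: set_firewall_backend("/etc/firewalld/firewalld.conf", "iptables")
    # and then restart firewalld as the answer describes.
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

After the real edit, `systemctl restart firewalld` and `systemctl status firewalld` as in the answer; the `.bak` file lets you put the previous backend back if the restart does not go as expected.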