Hello,
I'm trying to get firewalld going on a Debian 12 VPS. I've asked on the debian-users list, who referred me here along with a way to get more verbose error messages (see below). Unfortunately I'm clueless as to what this could be. From what I can see, it looks like it's trying to delete a chain and failing, which causes firewalld to fail, though I could be wrong; Python and I are not friends.
Any help appreciated. Thanks. Dave.
root@hostname:~# systemctl --full --no-pager status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; preset: enabled)
     Active: inactive (dead) since Sat 2023-07-08 02:06:48 EDT; 7h ago
   Duration: 2.316s
       Docs: man:firewalld(1)
    Process: 77366 ExecStart=/usr/sbin/firewalld --nofork --nopid (code=exited, status=0/SUCCESS)
   Main PID: 77366 (code=exited, status=0/SUCCESS)

Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9 (nf_tables):
    line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
    line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
    line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
    JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9 (nf_tables):
    line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
    line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
    line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 633, in start
        self._start()
      File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 597, in _start
        self._start_apply_objects(reload=reload, complete_reload=complete_reload)
      File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in _start_apply_objects
        transaction.execute(True)
      File "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line 161, in execute
        raise FirewallError(errors.COMMAND_FAILED, errorMsg)
    firewall.errors.FirewallError: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9 (nf_tables):
    line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
    line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
    line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 638, in start
        self._start_failsafe()
      File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 629, in _start_failsafe
        self._start_apply_objects(reload=reload, complete_reload=complete_reload)
      File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in _start_apply_objects
        transaction.execute(True)
      File "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line 161, in execute
        raise FirewallError(errors.COMMAND_FAILED, errorMsg)
    firewall.errors.FirewallError: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
    JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
    JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Failed to load full stock configuration. This likely indicates a system level issue, e.g. the firewall backend (nftables, iptables) is broken. All hope is lost. Exiting.
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9 (nf_tables):
    line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
    line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
    line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
    JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Raising SystemExit in run_server
Jul 08 02:06:48 hostname.example.com systemd[1]: firewalld.service: Deactivated successfully.
Hello,
Adding to my previous message: I do have a kludge/fix that does make firewalld work, though with an error. The fix is to change the backend option from nftables to iptables in /etc/firewalld/firewalld.conf. I can then add my rules and all is good. I do see the message below:

# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9 (nf_tables):
line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct

It does work, but I'd love to know why the newer nftables backend keeps failing and what this error means.
Thank you. Dave.
On 7/8/23, David Mehler dave.mehler@gmail.com wrote:
This looks like the firewalld backends are broken, e.g. nftables, ebtables.
Are you using a Debian provided kernel? Or is this a custom kernel for the VPS?
On Sat, Jul 08, 2023 at 10:29:45AM -0400, David Mehler wrote:
Hello,
I'm not sure. The Debian VPS is running on OpenVZ, if that helps.
Why would this only affect nftables and not the iptables backend?
Thanks. Dave.
On 7/10/23, Eric Garver egarver@redhat.com wrote:
On Mon, Jul 10, 2023 at 11:47:50AM -0400, David Mehler wrote:
Hello,
I'm not sure. The Debian vps is running on OpenVZ if that helps.
Why would this only affect nftables and not the iptables backend?
It's possible that nftables is not usable inside OpenVZ. You could verify by trying to manipulate nftables manually.
e.g.
    # nft list ruleset
    # nft add table inet testing
If those commands don't work, then nftables is not functional inside the OpenVZ environment.
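The manual nft checks suggested in the reply above are the right way to separate "firewalld is misconfigured" from "the kernel backend is broken". The script below is an added example written for this page, not code from the thread, from firewalld or from the firewalld project: it parses firewalld's ERROR lines as quoted in the first message, pulls out the ebtables chains whose CHAIN_DEL failed (and the errno text), decodes the JSON transaction that python-nftables attempted, and prints the commands to replay each failing step by hand. The sample log lines are copied from the thread; the function names (parse_firewalld_errors, nft_json_ops, replay_commands) are the example's own. It assumes the stock nft and ebtables-save binaries as shipped on Debian 12, and the nf_tables meaning of EBUSY on a chain delete (something still references the chain, normally a jump rule).

```python
"""Added example, not code from the thread or from firewalld itself.

Turn firewalld's journal errors into the manual nft/ebtables checks that
show whether the backend itself works.  Assumptions: log format as printed
by firewalld 1.x (quoted in the thread); 'nft -j -f -' and 'ebtables-save'
are the stock nftables/ebtables CLIs on Debian 12.
"""
import json
import re
import shlex

# Constructed sample: the two distinct failures from the thread, as journalctl
# prints them (python-nftables puts its JSON transaction on the next line).
SAMPLE_LOG = """\
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9 (nf_tables): line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}]}
"""

# Match only the first report of each failure.  The later
# "ERROR: COMMAND_FAILED: '...'" lines and the traceback repeat the same text
# and are deliberately left unmatched so nothing is counted twice.
FAILED_RE = re.compile(r"ERROR: '(?P<cmd>[^']+)' failed: (?P<msg>.*)$")
CHAIN_DEL_RE = re.compile(r"CHAIN_DEL failed \((?P<err>[^)]+)\): chain (?P<chain>\S+)")


def parse_firewalld_errors(log):
    """One dict per backend failure: backend, cmd, msg and a backend-specific detail."""
    failures = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("JSON blob:"):
            # the transaction python-nftables tried belongs to the preceding error
            if failures and failures[-1]["backend"] == "nftables":
                failures[-1]["detail"] = json.loads(line[len("JSON blob:"):])
            continue
        m = FAILED_RE.search(line)
        if not m:
            continue
        cmd, msg = m.group("cmd"), m.group("msg")
        if cmd == "python-nftables":
            failures.append({"backend": "nftables", "cmd": cmd, "msg": msg, "detail": None})
        else:
            # *tables-restore reports one "CHAIN_DEL failed (errno text): chain X" per chain
            chains = [(c.group("chain"), c.group("err")) for c in CHAIN_DEL_RE.finditer(msg)]
            backend = "ebtables" if "ebtables" in cmd else "iptables"
            failures.append({"backend": backend, "cmd": cmd, "msg": msg, "detail": chains})
    return failures


def nft_json_ops(blob):
    """Flatten a libnftables JSON transaction into (op, object kind, family, name) tuples."""
    ops = []
    for item in blob.get("nftables", []):
        for op, body in item.items():
            if op == "metainfo":
                continue
            # each command wraps exactly one object, e.g. {"table": {"family": "inet", "name": "firewalld"}}
            (kind, obj), = body.items()
            ops.append((op, kind, obj.get("family"), obj.get("name")))
    return ops


def replay_commands(failures):
    """Shell commands that re-run each failing step by hand, one entry per step."""
    cmds = []
    for f in failures:
        if f["backend"] == "nftables" and f["detail"] is not None:
            ops = nft_json_ops(f["detail"])
            if all(kind == "table" for _op, kind, _fam, _name in ops):
                # table-level ops map 1:1 onto nft's CLI syntax
                cmds.extend(f"nft {op} {kind} {fam} {name}" for op, kind, fam, name in ops)
            else:
                # anything richer: feed the exact JSON back through nft's JSON parser
                cmds.append("printf '%s' " + shlex.quote(json.dumps(f["detail"])) + " | nft -j -f -")
        elif f["backend"] == "ebtables":
            # EBUSY on CHAIN_DEL in nf_tables means something still references the
            # chain (normally a jump rule); dump the ruleset to find that reference
            chains = ", ".join(chain for chain, _err in f["detail"])
            cmds.append(f"ebtables-save   # look for rules jumping to: {chains}")
    return cmds


if __name__ == "__main__":
    found = parse_firewalld_errors(SAMPLE_LOG)
    for f in found:
        print(f"{f['backend']}: {f['cmd']} -> {f['msg'][:60]}")
    print("\n".join(replay_commands(found)))
```

On a real box, pass the output of `journalctl -u firewalld --no-pager` to parse_firewalld_errors instead of the sample. If `nft delete table inet firewalld` / `nft add table inet firewalld` fail when typed by hand, the problem is the nftables backend (kernel or container), not firewalld's configuration; if they succeed, the failure is specific to how firewalld drives it.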
Hello,
Thanks. The nft does work.
Thanks. Dave.
#nft list ruleset table ip security { chain INPUT_direct { }
chain INPUT { type filter hook input priority 150; policy accept; counter packets 56202 bytes 9139773 jump INPUT_direct }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority 150; policy accept; counter packets 60753 bytes 9859487 jump OUTPUT_direct }
chain FORWARD_direct { }
chain FORWARD { type filter hook forward priority 150; policy accept; counter packets 0 bytes 0 jump FORWARD_direct } } table ip raw { chain PREROUTING_direct { }
chain PREROUTING { type filter hook prerouting priority raw; policy accept; counter packets 65225 bytes 9686211 jump PREROUTING_direct counter packets 65225 bytes 9686211 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { ip saddr 104.13.105.101 counter packets 4150 bytes 337011 goto PRE_public iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 61075 bytes 9349200 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority raw; policy accept; counter packets 60753 bytes 9859487 jump OUTPUT_direct }
chain PRE_public { counter packets 65225 bytes 9686211 jump PREROUTING_POLICIES_pre counter packets 65225 bytes 9686211 jump PRE_public_pre counter packets 65225 bytes 9686211 jump PRE_public_log counter packets 65225 bytes 9686211 jump PRE_public_deny counter packets 65225 bytes 9686211 jump PRE_public_allow counter packets 65225 bytes 9686211 jump PRE_public_post counter packets 65225 bytes 9686211 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_pre counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_log counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_deny counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_allow counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { }
}
table ip mangle {
chain PREROUTING_direct { }
chain PREROUTING { type filter hook prerouting priority mangle; policy accept; counter packets 65225 bytes 9686211 jump PREROUTING_direct counter packets 65225 bytes 9686211 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { ip saddr 104.13.105.101 counter packets 4150 bytes 337011 goto PRE_public iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 61075 bytes 9349200 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain POSTROUTING_direct { }
chain POSTROUTING { type filter hook postrouting priority mangle; policy accept; counter packets 60753 bytes 9859487 jump POSTROUTING_direct }
chain INPUT_direct { }
chain INPUT { type filter hook input priority mangle; policy accept; counter packets 65225 bytes 9686211 jump INPUT_direct }
chain OUTPUT_direct { }
chain OUTPUT { type route hook output priority mangle; policy accept; counter packets 60753 bytes 9859487 jump OUTPUT_direct }
chain FORWARD_direct { }
chain FORWARD { type filter hook forward priority mangle; policy accept; counter packets 0 bytes 0 jump FORWARD_direct }
chain PRE_public { counter packets 65225 bytes 9686211 jump PREROUTING_POLICIES_pre counter packets 65225 bytes 9686211 jump PRE_public_pre counter packets 65225 bytes 9686211 jump PRE_public_log counter packets 65225 bytes 9686211 jump PRE_public_deny counter packets 65225 bytes 9686211 jump PRE_public_allow counter packets 65225 bytes 9686211 jump PRE_public_post counter packets 65225 bytes 9686211 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_pre counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_log counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_deny counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_allow counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { }
}
table ip nat {
chain PREROUTING_direct { }
chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; counter packets 14049 bytes 730383 jump PREROUTING_direct counter packets 14049 bytes 730383 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { ip saddr 104.13.105.101 counter packets 54 bytes 2816 goto PRE_public iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 13995 bytes 727567 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain POSTROUTING_direct { }
chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; counter packets 59 bytes 3899 jump POSTROUTING_direct counter packets 59 bytes 3899 jump POSTROUTING_ZONES }
chain POSTROUTING_POLICIES_pre { }
chain POSTROUTING_ZONES { ip daddr 104.13.105.101 counter packets 0 bytes 0 goto POST_public oifname "venet0:0" counter packets 0 bytes 0 goto POST_public counter packets 59 bytes 3899 goto POST_public }
chain POSTROUTING_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type nat hook output priority -100; policy accept; counter packets 59 bytes 3899 jump OUTPUT_direct counter packets 59 bytes 3899 jump OUTPUT_POLICIES_pre counter packets 59 bytes 3899 jump OUTPUT_POLICIES_post }
chain OUTPUT_POLICIES_pre { }
chain OUTPUT_POLICIES_post { }
chain POST_public { counter packets 59 bytes 3899 jump POSTROUTING_POLICIES_pre counter packets 59 bytes 3899 jump POST_public_pre counter packets 59 bytes 3899 jump POST_public_log counter packets 59 bytes 3899 jump POST_public_deny counter packets 59 bytes 3899 jump POST_public_allow counter packets 59 bytes 3899 jump POST_public_post counter packets 59 bytes 3899 jump POSTROUTING_POLICIES_post }
chain POST_public_pre { }
chain POST_public_log { }
chain POST_public_deny { }
chain POST_public_allow { }
chain POST_public_post { }
chain PRE_public { counter packets 14049 bytes 730383 jump PREROUTING_POLICIES_pre counter packets 14049 bytes 730383 jump PRE_public_pre counter packets 14049 bytes 730383 jump PRE_public_log counter packets 14049 bytes 730383 jump PRE_public_deny counter packets 14049 bytes 730383 jump PRE_public_allow counter packets 14049 bytes 730383 jump PRE_public_post counter packets 14049 bytes 730383 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6_pre counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6_log counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6_deny counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6_allow counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain INPUT { type filter hook input priority filter; policy accept; ct status dnat counter packets 50758 bytes 8823750 accept iifname "lo" counter packets 0 bytes 0 accept ct state invalid counter packets 418 bytes 132078 drop counter packets 14049 bytes 730383 jump INPUT_direct counter packets 14049 bytes 730383 jump INPUT_ZONES counter packets 0 bytes 0 reject with icmp type host-prohibited }
chain INPUT_direct { }
chain INPUT_POLICIES_pre { counter packets 13953 bytes 725755 jump IN_allow-host-ipv6 }
chain INPUT_ZONES { ip saddr 104.13.105.101 counter packets 54 bytes 2816 goto IN_public iifname "venet0:0" counter packets 0 bytes 0 goto IN_public counter packets 13995 bytes 727567 goto IN_public }
chain INPUT_POLICIES_post { }
chain FORWARD { type filter hook forward priority filter; policy accept; ct status dnat counter packets 0 bytes 0 accept iifname "lo" counter packets 0 bytes 0 accept ct state invalid counter packets 0 bytes 0 drop counter packets 0 bytes 0 jump FORWARD_direct counter packets 0 bytes 0 jump FORWARD_ZONES counter packets 0 bytes 0 reject with icmp type host-prohibited }
chain FORWARD_direct { }
chain FORWARD_POLICIES_pre { }
chain FORWARD_ZONES { ip saddr 104.13.105.101 counter packets 0 bytes 0 goto FWD_public iifname "venet0:0" counter packets 0 bytes 0 goto FWD_public counter packets 0 bytes 0 goto FWD_public }
chain FORWARD_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority filter; policy accept; ct state related,established counter packets 60656 bytes 9851636 accept oifname "lo" counter packets 0 bytes 0 accept counter packets 97 bytes 7851 jump OUTPUT_direct counter packets 97 bytes 7851 jump OUTPUT_POLICIES_pre counter packets 97 bytes 7851 jump OUTPUT_POLICIES_post }
chain OUTPUT_POLICIES_pre { }
chain OUTPUT_POLICIES_post { }
chain IN_public { meta l4proto icmp counter packets 96 bytes 4628 accept counter packets 13953 bytes 725755 jump INPUT_POLICIES_pre counter packets 13953 bytes 725755 jump IN_public_pre counter packets 13953 bytes 725755 jump IN_public_log counter packets 13953 bytes 725755 jump IN_public_deny counter packets 13953 bytes 725755 jump IN_public_allow counter packets 8605 bytes 414360 jump IN_public_post counter packets 8605 bytes 414360 jump INPUT_POLICIES_post counter packets 8605 bytes 414360 reject }
chain IN_public_pre { }
chain IN_public_log { }
chain IN_public_deny { }
chain IN_public_allow { tcp dport 22 counter packets 3741 bytes 224312 accept tcp dport 80 counter packets 898 bytes 47735 accept tcp dport 443 counter packets 228 bytes 11876 accept tcp dport 25 counter packets 447 bytes 25664 accept tcp dport 587 counter packets 24 bytes 1300 accept tcp dport 143 counter packets 10 bytes 508 accept }
chain IN_public_post { }
chain FWD_public { counter packets 0 bytes 0 jump FORWARD_POLICIES_pre counter packets 0 bytes 0 jump FWD_public_pre counter packets 0 bytes 0 jump FWD_public_log counter packets 0 bytes 0 jump FWD_public_deny counter packets 0 bytes 0 jump FWD_public_allow counter packets 0 bytes 0 jump FWD_public_post counter packets 0 bytes 0 jump FORWARD_POLICIES_post counter packets 0 bytes 0 reject }
chain FWD_public_pre { }
chain FWD_public_log { }
chain FWD_public_deny { }
chain FWD_public_allow { oifname "venet0:0" counter packets 0 bytes 0 accept ip daddr 104.13.105.101 counter packets 0 bytes 0 accept }
chain FWD_public_post { }
chain IN_allow-host-ipv6 { counter packets 13953 bytes 725755 jump IN_allow-host-ipv6_pre counter packets 13953 bytes 725755 jump IN_allow-host-ipv6_log counter packets 13953 bytes 725755 jump IN_allow-host-ipv6_deny counter packets 13953 bytes 725755 jump IN_allow-host-ipv6_allow counter packets 13953 bytes 725755 jump IN_allow-host-ipv6_post }
chain IN_allow-host-ipv6_pre { }
chain IN_allow-host-ipv6_log { }
chain IN_allow-host-ipv6_deny { }
chain IN_allow-host-ipv6_allow { }
chain IN_allow-host-ipv6_post { }
}
table ip6 security {
chain INPUT_direct { }
chain INPUT { type filter hook input priority 150; policy accept; counter packets 0 bytes 0 jump INPUT_direct }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority 150; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct }
chain FORWARD_direct { }
chain FORWARD { type filter hook forward priority 150; policy accept; counter packets 0 bytes 0 jump FORWARD_direct }
}
table ip6 raw {
chain PREROUTING_direct { }
chain PREROUTING { type filter hook prerouting priority raw; policy accept; counter packets 0 bytes 0 jump PREROUTING_direct counter packets 0 bytes 0 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 0 bytes 0 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 0 bytes 0 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority raw; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct }
chain PRE_public { counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre counter packets 0 bytes 0 jump PRE_public_pre counter packets 0 bytes 0 jump PRE_public_log counter packets 0 bytes 0 jump PRE_public_deny counter packets 0 bytes 0 jump PRE_public_allow counter packets 0 bytes 0 jump PRE_public_post counter packets 0 bytes 0 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { }
}
table ip6 mangle {
chain PREROUTING_direct { }
chain PREROUTING { type filter hook prerouting priority mangle; policy accept; counter packets 0 bytes 0 jump PREROUTING_direct counter packets 0 bytes 0 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 0 bytes 0 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 0 bytes 0 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain POSTROUTING_direct { }
chain POSTROUTING { type filter hook postrouting priority mangle; policy accept; counter packets 0 bytes 0 jump POSTROUTING_direct }
chain INPUT_direct { }
chain INPUT { type filter hook input priority mangle; policy accept; counter packets 0 bytes 0 jump INPUT_direct }
chain OUTPUT_direct { }
chain OUTPUT { type route hook output priority mangle; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct }
chain FORWARD_direct { }
chain FORWARD { type filter hook forward priority mangle; policy accept; counter packets 0 bytes 0 jump FORWARD_direct }
chain PRE_public { counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre counter packets 0 bytes 0 jump PRE_public_pre counter packets 0 bytes 0 jump PRE_public_log counter packets 0 bytes 0 jump PRE_public_deny counter packets 0 bytes 0 jump PRE_public_allow counter packets 0 bytes 0 jump PRE_public_post counter packets 0 bytes 0 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { }
}
table ip6 nat {
chain PREROUTING_direct { }
chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; counter packets 0 bytes 0 jump PREROUTING_direct counter packets 0 bytes 0 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 0 bytes 0 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 0 bytes 0 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain POSTROUTING_direct { }
chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; counter packets 0 bytes 0 jump POSTROUTING_direct counter packets 0 bytes 0 jump POSTROUTING_ZONES }
chain POSTROUTING_POLICIES_pre { }
chain POSTROUTING_ZONES { oifname "venet0:0" counter packets 0 bytes 0 goto POST_public counter packets 0 bytes 0 goto POST_public }
chain POSTROUTING_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type nat hook output priority -100; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct counter packets 0 bytes 0 jump OUTPUT_POLICIES_pre counter packets 0 bytes 0 jump OUTPUT_POLICIES_post }
chain OUTPUT_POLICIES_pre { }
chain OUTPUT_POLICIES_post { }
chain POST_public { counter packets 0 bytes 0 jump POSTROUTING_POLICIES_pre counter packets 0 bytes 0 jump POST_public_pre counter packets 0 bytes 0 jump POST_public_log counter packets 0 bytes 0 jump POST_public_deny counter packets 0 bytes 0 jump POST_public_allow counter packets 0 bytes 0 jump POST_public_post counter packets 0 bytes 0 jump POSTROUTING_POLICIES_post }
chain POST_public_pre { }
chain POST_public_log { }
chain POST_public_deny { }
chain POST_public_allow { }
chain POST_public_post { }
chain PRE_public { counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre counter packets 0 bytes 0 jump PRE_public_pre counter packets 0 bytes 0 jump PRE_public_log counter packets 0 bytes 0 jump PRE_public_deny counter packets 0 bytes 0 jump PRE_public_allow counter packets 0 bytes 0 jump PRE_public_post counter packets 0 bytes 0 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { }
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
chain INPUT { type filter hook input priority filter; policy accept; ct status dnat counter packets 0 bytes 0 accept iifname "lo" counter packets 0 bytes 0 accept ct state invalid counter packets 0 bytes 0 drop counter packets 0 bytes 0 jump INPUT_direct counter packets 0 bytes 0 jump INPUT_ZONES counter packets 0 bytes 0 reject with icmpv6 type admin-prohibited }
chain INPUT_direct { }
chain INPUT_POLICIES_pre { counter packets 0 bytes 0 jump IN_allow-host-ipv6 }
chain INPUT_ZONES { iifname "venet0:0" counter packets 0 bytes 0 goto IN_public counter packets 0 bytes 0 goto IN_public }
chain INPUT_POLICIES_post { }
chain FORWARD { type filter hook forward priority filter; policy accept; counter packets 0 bytes 0 jump RFC3964_IPv4 ct status dnat counter packets 0 bytes 0 accept iifname "lo" counter packets 0 bytes 0 accept ct state invalid counter packets 0 bytes 0 drop counter packets 0 bytes 0 jump FORWARD_direct counter packets 0 bytes 0 jump FORWARD_ZONES counter packets 0 bytes 0 reject with icmpv6 type admin-prohibited }
chain FORWARD_direct { }
chain FORWARD_POLICIES_pre { }
chain FORWARD_ZONES { iifname "venet0:0" counter packets 0 bytes 0 goto FWD_public counter packets 0 bytes 0 goto FWD_public }
chain FORWARD_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority filter; policy accept; counter packets 0 bytes 0 jump RFC3964_IPv4 ct state related,established counter packets 0 bytes 0 accept oifname "lo" counter packets 0 bytes 0 accept counter packets 0 bytes 0 jump OUTPUT_direct counter packets 0 bytes 0 jump OUTPUT_POLICIES_pre counter packets 0 bytes 0 jump OUTPUT_POLICIES_post }
chain OUTPUT_POLICIES_pre { }
chain OUTPUT_POLICIES_post { }
chain RFC3964_IPv4 { ip6 daddr 2002:e000::/19 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002:a9fe::/32 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002:c0a8::/32 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002:ac10::/28 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002:7f00::/24 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002:a00::/24 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002::/24 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr ::ffff:0.0.0.0/96 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr ::/96 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable }
chain IN_public { meta l4proto ipv6-icmp counter packets 0 bytes 0 accept counter packets 0 bytes 0 jump INPUT_POLICIES_pre counter packets 0 bytes 0 jump IN_public_pre counter packets 0 bytes 0 jump IN_public_log counter packets 0 bytes 0 jump IN_public_deny counter packets 0 bytes 0 jump IN_public_allow counter packets 0 bytes 0 jump IN_public_post counter packets 0 bytes 0 jump INPUT_POLICIES_post counter packets 0 bytes 0 reject }
chain IN_public_pre { }
chain IN_public_log { }
chain IN_public_deny { }
chain IN_public_allow { tcp dport 22 counter packets 0 bytes 0 accept ip6 daddr fe80::/64 udp dport 546 counter packets 0 bytes 0 accept tcp dport 80 counter packets 0 bytes 0 accept tcp dport 443 counter packets 0 bytes 0 accept tcp dport 25 counter packets 0 bytes 0 accept tcp dport 587 counter packets 0 bytes 0 accept tcp dport 143 counter packets 0 bytes 0 accept }
chain IN_public_post { }
chain FWD_public { counter packets 0 bytes 0 jump FORWARD_POLICIES_pre counter packets 0 bytes 0 jump FWD_public_pre counter packets 0 bytes 0 jump FWD_public_log counter packets 0 bytes 0 jump FWD_public_deny counter packets 0 bytes 0 jump FWD_public_allow counter packets 0 bytes 0 jump FWD_public_post counter packets 0 bytes 0 jump FORWARD_POLICIES_post counter packets 0 bytes 0 reject }
chain FWD_public_pre { }
chain FWD_public_log { }
chain FWD_public_deny { }
chain FWD_public_allow { oifname "venet0:0" counter packets 0 bytes 0 accept }
chain FWD_public_post { }
chain IN_allow-host-ipv6 { counter packets 0 bytes 0 jump IN_allow-host-ipv6_pre counter packets 0 bytes 0 jump IN_allow-host-ipv6_log counter packets 0 bytes 0 jump IN_allow-host-ipv6_deny counter packets 0 bytes 0 jump IN_allow-host-ipv6_allow counter packets 0 bytes 0 jump IN_allow-host-ipv6_post }
chain IN_allow-host-ipv6_pre { }
chain IN_allow-host-ipv6_log { }
chain IN_allow-host-ipv6_deny { }
chain IN_allow-host-ipv6_allow { meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert counter packets 0 bytes 0 accept meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit counter packets 0 bytes 0 accept meta l4proto ipv6-icmp icmpv6 type nd-router-advert counter packets 0 bytes 0 accept meta l4proto ipv6-icmp icmpv6 type nd-redirect counter packets 0 bytes 0 accept }
chain IN_allow-host-ipv6_post { }
}
table inet testing { }
table bridge nat {
chain PREROUTING_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain PREROUTING { type filter hook prerouting priority dstnat; policy accept; counter packets 0 bytes 0 jump PREROUTING_direct }
chain POSTROUTING_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain POSTROUTING { type filter hook postrouting priority srcnat; policy accept; counter packets 0 bytes 0 jump POSTROUTING_direct }
chain OUTPUT_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain OUTPUT { type filter hook output priority out; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct }
}
table bridge filter {
chain INPUT_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain INPUT { type filter hook input priority filter; policy accept; counter packets 0 bytes 0 jump INPUT_direct }
chain OUTPUT_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain OUTPUT { type filter hook output priority filter; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct }
chain FORWARD_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain FORWARD { type filter hook forward priority filter; policy accept; counter packets 0 bytes 0 jump FORWARD_direct }
}
#nft add table inet testing
#nft add table inet testinglist ruleset
table ip security {
chain INPUT_direct { }
chain INPUT { type filter hook input priority 150; policy accept; counter packets 56231 bytes 9141307 jump INPUT_direct }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority 150; policy accept; counter packets 60787 bytes 9898317 jump OUTPUT_direct }
chain FORWARD_direct { }
chain FORWARD { type filter hook forward priority 150; policy accept; counter packets 0 bytes 0 jump FORWARD_direct }
}
table ip raw {
chain PREROUTING_direct { }
chain PREROUTING { type filter hook prerouting priority raw; policy accept; counter packets 65257 bytes 9687865 jump PREROUTING_direct counter packets 65257 bytes 9687865 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { ip saddr 104.13.105.101 counter packets 4178 bytes 338511 goto PRE_public iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 61079 bytes 9349354 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority raw; policy accept; counter packets 60787 bytes 9898317 jump OUTPUT_direct }
chain PRE_public { counter packets 65257 bytes 9687865 jump PREROUTING_POLICIES_pre counter packets 65257 bytes 9687865 jump PRE_public_pre counter packets 65257 bytes 9687865 jump PRE_public_log counter packets 65257 bytes 9687865 jump PRE_public_deny counter packets 65257 bytes 9687865 jump PRE_public_allow counter packets 65257 bytes 9687865 jump PRE_public_post counter packets 65257 bytes 9687865 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_pre counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_log counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_deny counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_allow counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { }
}
table ip mangle {
chain PREROUTING_direct { }
chain PREROUTING { type filter hook prerouting priority mangle; policy accept; counter packets 65257 bytes 9687865 jump PREROUTING_direct counter packets 65257 bytes 9687865 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { ip saddr 104.13.105.101 counter packets 4178 bytes 338511 goto PRE_public iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 61079 bytes 9349354 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain POSTROUTING_direct { }
chain POSTROUTING { type filter hook postrouting priority mangle; policy accept; counter packets 60787 bytes 9898317 jump POSTROUTING_direct }
chain INPUT_direct { }
chain INPUT { type filter hook input priority mangle; policy accept; counter packets 65257 bytes 9687865 jump INPUT_direct }
chain OUTPUT_direct { }
chain OUTPUT { type route hook output priority mangle; policy accept; counter packets 60787 bytes 9898317 jump OUTPUT_direct }
chain FORWARD_direct { }
chain FORWARD { type filter hook forward priority mangle; policy accept; counter packets 0 bytes 0 jump FORWARD_direct }
chain PRE_public { counter packets 65257 bytes 9687865 jump PREROUTING_POLICIES_pre counter packets 65257 bytes 9687865 jump PRE_public_pre counter packets 65257 bytes 9687865 jump PRE_public_log counter packets 65257 bytes 9687865 jump PRE_public_deny counter packets 65257 bytes 9687865 jump PRE_public_allow counter packets 65257 bytes 9687865 jump PRE_public_post counter packets 65257 bytes 9687865 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_pre counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_log counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_deny counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_allow counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { }
}
table ip nat {
chain PREROUTING_direct { }
chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; counter packets 14053 bytes 730537 jump PREROUTING_direct counter packets 14053 bytes 730537 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { ip saddr 104.13.105.101 counter packets 54 bytes 2816 goto PRE_public iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 13999 bytes 727721 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain POSTROUTING_direct { }
chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; counter packets 59 bytes 3899 jump POSTROUTING_direct counter packets 59 bytes 3899 jump POSTROUTING_ZONES }
chain POSTROUTING_POLICIES_pre { }
chain POSTROUTING_ZONES { ip daddr 104.13.105.101 counter packets 0 bytes 0 goto POST_public oifname "venet0:0" counter packets 0 bytes 0 goto POST_public counter packets 59 bytes 3899 goto POST_public }
chain POSTROUTING_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type nat hook output priority -100; policy accept; counter packets 59 bytes 3899 jump OUTPUT_direct counter packets 59 bytes 3899 jump OUTPUT_POLICIES_pre counter packets 59 bytes 3899 jump OUTPUT_POLICIES_post }
chain OUTPUT_POLICIES_pre { }
chain OUTPUT_POLICIES_post { }
chain POST_public { counter packets 59 bytes 3899 jump POSTROUTING_POLICIES_pre counter packets 59 bytes 3899 jump POST_public_pre counter packets 59 bytes 3899 jump POST_public_log counter packets 59 bytes 3899 jump POST_public_deny counter packets 59 bytes 3899 jump POST_public_allow counter packets 59 bytes 3899 jump POST_public_post counter packets 59 bytes 3899 jump POSTROUTING_POLICIES_post }
chain POST_public_pre { }
chain POST_public_log { }
chain POST_public_deny { }
chain POST_public_allow { }
chain POST_public_post { }
chain PRE_public { counter packets 14053 bytes 730537 jump PREROUTING_POLICIES_pre counter packets 14053 bytes 730537 jump PRE_public_pre counter packets 14053 bytes 730537 jump PRE_public_log counter packets 14053 bytes 730537 jump PRE_public_deny counter packets 14053 bytes 730537 jump PRE_public_allow counter packets 14053 bytes 730537 jump PRE_public_post counter packets 14053 bytes 730537 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6_pre counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6_log counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6_deny counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6_allow counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain INPUT { type filter hook input priority filter; policy accept; ct status dnat counter packets 50786 bytes 8825250 accept iifname "lo" counter packets 0 bytes 0 accept ct state invalid counter packets 418 bytes 132078 drop counter packets 14053 bytes 730537 jump INPUT_direct counter packets 14053 bytes 730537 jump INPUT_ZONES counter packets 0 bytes 0 reject with icmp type host-prohibited }
chain INPUT_direct { }
chain INPUT_POLICIES_pre { counter packets 13956 bytes 725875 jump IN_allow-host-ipv6 }
chain INPUT_ZONES { ip saddr 104.13.105.101 counter packets 54 bytes 2816 goto IN_public iifname "venet0:0" counter packets 0 bytes 0 goto IN_public counter packets 13999 bytes 727721 goto IN_public }
chain INPUT_POLICIES_post { }
chain FORWARD { type filter hook forward priority filter; policy accept; ct status dnat counter packets 0 bytes 0 accept iifname "lo" counter packets 0 bytes 0 accept ct state invalid counter packets 0 bytes 0 drop counter packets 0 bytes 0 jump FORWARD_direct counter packets 0 bytes 0 jump FORWARD_ZONES counter packets 0 bytes 0 reject with icmp type host-prohibited }
chain FORWARD_direct { }
chain FORWARD_POLICIES_pre { }
chain FORWARD_ZONES { ip saddr 104.13.105.101 counter packets 0 bytes 0 goto FWD_public iifname "venet0:0" counter packets 0 bytes 0 goto FWD_public counter packets 0 bytes 0 goto FWD_public }
chain FORWARD_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority filter; policy accept; ct state related,established counter packets 60690 bytes 9890466 accept oifname "lo" counter packets 0 bytes 0 accept counter packets 97 bytes 7851 jump OUTPUT_direct counter packets 97 bytes 7851 jump OUTPUT_POLICIES_pre counter packets 97 bytes 7851 jump OUTPUT_POLICIES_post }
chain OUTPUT_POLICIES_pre { }
chain OUTPUT_POLICIES_post { }
chain IN_public { meta l4proto icmp counter packets 97 bytes 4662 accept counter packets 13956 bytes 725875 jump INPUT_POLICIES_pre counter packets 13956 bytes 725875 jump IN_public_pre counter packets 13956 bytes 725875 jump IN_public_log counter packets 13956 bytes 725875 jump IN_public_deny counter packets 13956 bytes 725875 jump IN_public_allow counter packets 8608 bytes 414480 jump IN_public_post counter packets 8608 bytes 414480 jump INPUT_POLICIES_post counter packets 8608 bytes 414480 reject }
chain IN_public_pre { }
chain IN_public_log { }
chain IN_public_deny { }
chain IN_public_allow { tcp dport 22 counter packets 3741 bytes 224312 accept tcp dport 80 counter packets 898 bytes 47735 accept tcp dport 443 counter packets 228 bytes 11876 accept tcp dport 25 counter packets 447 bytes 25664 accept tcp dport 587 counter packets 24 bytes 1300 accept tcp dport 143 counter packets 10 bytes 508 accept }
chain IN_public_post { }
chain FWD_public { counter packets 0 bytes 0 jump FORWARD_POLICIES_pre counter packets 0 bytes 0 jump FWD_public_pre counter packets 0 bytes 0 jump FWD_public_log counter packets 0 bytes 0 jump FWD_public_deny counter packets 0 bytes 0 jump FWD_public_allow counter packets 0 bytes 0 jump FWD_public_post counter packets 0 bytes 0 jump FORWARD_POLICIES_post counter packets 0 bytes 0 reject }
chain FWD_public_pre { }
chain FWD_public_log { }
chain FWD_public_deny { }
chain FWD_public_allow { oifname "venet0:0" counter packets 0 bytes 0 accept ip daddr 104.13.105.101 counter packets 0 bytes 0 accept }
chain FWD_public_post { }
chain IN_allow-host-ipv6 { counter packets 13956 bytes 725875 jump IN_allow-host-ipv6_pre counter packets 13956 bytes 725875 jump IN_allow-host-ipv6_log counter packets 13956 bytes 725875 jump IN_allow-host-ipv6_deny counter packets 13956 bytes 725875 jump IN_allow-host-ipv6_allow counter packets 13956 bytes 725875 jump IN_allow-host-ipv6_post }
chain IN_allow-host-ipv6_pre { }
chain IN_allow-host-ipv6_log { }
chain IN_allow-host-ipv6_deny { }
chain IN_allow-host-ipv6_allow { }
chain IN_allow-host-ipv6_post { } } table ip6 security { chain INPUT_direct { }
chain INPUT { type filter hook input priority 150; policy accept; counter packets 0 bytes 0 jump INPUT_direct }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority 150; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct }
chain FORWARD_direct { }
chain FORWARD { type filter hook forward priority 150; policy accept; counter packets 0 bytes 0 jump FORWARD_direct } } table ip6 raw { chain PREROUTING_direct { }
chain PREROUTING { type filter hook prerouting priority raw; policy accept; counter packets 0 bytes 0 jump PREROUTING_direct counter packets 0 bytes 0 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 0 bytes 0 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 0 bytes 0 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority raw; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct }
chain PRE_public { counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre counter packets 0 bytes 0 jump PRE_public_pre counter packets 0 bytes 0 jump PRE_public_log counter packets 0 bytes 0 jump PRE_public_deny counter packets 0 bytes 0 jump PRE_public_allow counter packets 0 bytes 0 jump PRE_public_post counter packets 0 bytes 0 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { } } table ip6 mangle { chain PREROUTING_direct { }
chain PREROUTING { type filter hook prerouting priority mangle; policy accept; counter packets 0 bytes 0 jump PREROUTING_direct counter packets 0 bytes 0 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 0 bytes 0 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 0 bytes 0 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain POSTROUTING_direct { }
chain POSTROUTING { type filter hook postrouting priority mangle; policy accept; counter packets 0 bytes 0 jump POSTROUTING_direct }
chain INPUT_direct { }
chain INPUT { type filter hook input priority mangle; policy accept; counter packets 0 bytes 0 jump INPUT_direct }
chain OUTPUT_direct { }
chain OUTPUT { type route hook output priority mangle; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct }
chain FORWARD_direct { }
chain FORWARD { type filter hook forward priority mangle; policy accept; counter packets 0 bytes 0 jump FORWARD_direct }
chain PRE_public { counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre counter packets 0 bytes 0 jump PRE_public_pre counter packets 0 bytes 0 jump PRE_public_log counter packets 0 bytes 0 jump PRE_public_deny counter packets 0 bytes 0 jump PRE_public_allow counter packets 0 bytes 0 jump PRE_public_post counter packets 0 bytes 0 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { } } table ip6 nat { chain PREROUTING_direct { }
chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; counter packets 0 bytes 0 jump PREROUTING_direct counter packets 0 bytes 0 jump PREROUTING_ZONES }
chain PREROUTING_POLICIES_pre { counter packets 0 bytes 0 jump PRE_allow-host-ipv6 }
chain PREROUTING_ZONES { iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public counter packets 0 bytes 0 goto PRE_public }
chain PREROUTING_POLICIES_post { }
chain POSTROUTING_direct { }
chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; counter packets 0 bytes 0 jump POSTROUTING_direct counter packets 0 bytes 0 jump POSTROUTING_ZONES }
chain POSTROUTING_POLICIES_pre { }
chain POSTROUTING_ZONES { oifname "venet0:0" counter packets 0 bytes 0 goto POST_public counter packets 0 bytes 0 goto POST_public }
chain POSTROUTING_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type nat hook output priority -100; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct counter packets 0 bytes 0 jump OUTPUT_POLICIES_pre counter packets 0 bytes 0 jump OUTPUT_POLICIES_post }
chain OUTPUT_POLICIES_pre { }
chain OUTPUT_POLICIES_post { }
chain POST_public { counter packets 0 bytes 0 jump POSTROUTING_POLICIES_pre counter packets 0 bytes 0 jump POST_public_pre counter packets 0 bytes 0 jump POST_public_log counter packets 0 bytes 0 jump POST_public_deny counter packets 0 bytes 0 jump POST_public_allow counter packets 0 bytes 0 jump POST_public_post counter packets 0 bytes 0 jump POSTROUTING_POLICIES_post }
chain POST_public_pre { }
chain POST_public_log { }
chain POST_public_deny { }
chain POST_public_allow { }
chain POST_public_post { }
chain PRE_public { counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre counter packets 0 bytes 0 jump PRE_public_pre counter packets 0 bytes 0 jump PRE_public_log counter packets 0 bytes 0 jump PRE_public_deny counter packets 0 bytes 0 jump PRE_public_allow counter packets 0 bytes 0 jump PRE_public_post counter packets 0 bytes 0 jump PREROUTING_POLICIES_post }
chain PRE_public_pre { }
chain PRE_public_log { }
chain PRE_public_deny { }
chain PRE_public_allow { }
chain PRE_public_post { }
chain PRE_allow-host-ipv6 { counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post }
chain PRE_allow-host-ipv6_pre { }
chain PRE_allow-host-ipv6_log { }
chain PRE_allow-host-ipv6_deny { }
chain PRE_allow-host-ipv6_allow { }
chain PRE_allow-host-ipv6_post { } } # Warning: table ip6 filter is managed by iptables-nft, do not touch! table ip6 filter { chain INPUT { type filter hook input priority filter; policy accept; ct status dnat counter packets 0 bytes 0 accept iifname "lo" counter packets 0 bytes 0 accept ct state invalid counter packets 0 bytes 0 drop counter packets 0 bytes 0 jump INPUT_direct counter packets 0 bytes 0 jump INPUT_ZONES counter packets 0 bytes 0 reject with icmpv6 type admin-prohibited }
chain INPUT_direct { }
chain INPUT_POLICIES_pre { counter packets 0 bytes 0 jump IN_allow-host-ipv6 }
chain INPUT_ZONES { iifname "venet0:0" counter packets 0 bytes 0 goto IN_public counter packets 0 bytes 0 goto IN_public }
chain INPUT_POLICIES_post { }
chain FORWARD { type filter hook forward priority filter; policy accept; counter packets 0 bytes 0 jump RFC3964_IPv4 ct status dnat counter packets 0 bytes 0 accept iifname "lo" counter packets 0 bytes 0 accept ct state invalid counter packets 0 bytes 0 drop counter packets 0 bytes 0 jump FORWARD_direct counter packets 0 bytes 0 jump FORWARD_ZONES counter packets 0 bytes 0 reject with icmpv6 type admin-prohibited }
chain FORWARD_direct { }
chain FORWARD_POLICIES_pre { }
chain FORWARD_ZONES { iifname "venet0:0" counter packets 0 bytes 0 goto FWD_public counter packets 0 bytes 0 goto FWD_public }
chain FORWARD_POLICIES_post { }
chain OUTPUT_direct { }
chain OUTPUT { type filter hook output priority filter; policy accept; counter packets 0 bytes 0 jump RFC3964_IPv4 ct state related,established counter packets 0 bytes 0 accept oifname "lo" counter packets 0 bytes 0 accept counter packets 0 bytes 0 jump OUTPUT_direct counter packets 0 bytes 0 jump OUTPUT_POLICIES_pre counter packets 0 bytes 0 jump OUTPUT_POLICIES_post }
chain OUTPUT_POLICIES_pre { }
chain OUTPUT_POLICIES_post { }
chain RFC3964_IPv4 { ip6 daddr 2002:e000::/19 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002:a9fe::/32 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002:c0a8::/32 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002:ac10::/28 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002:7f00::/24 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002:a00::/24 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr 2002::/24 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr ::ffff:0.0.0.0/96 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable ip6 daddr ::/96 counter packets 0 bytes 0 reject with icmpv6 type addr-unreachable }
chain IN_public { meta l4proto ipv6-icmp counter packets 0 bytes 0 accept counter packets 0 bytes 0 jump INPUT_POLICIES_pre counter packets 0 bytes 0 jump IN_public_pre counter packets 0 bytes 0 jump IN_public_log counter packets 0 bytes 0 jump IN_public_deny counter packets 0 bytes 0 jump IN_public_allow counter packets 0 bytes 0 jump IN_public_post counter packets 0 bytes 0 jump INPUT_POLICIES_post counter packets 0 bytes 0 reject }
chain IN_public_pre { }
chain IN_public_log { }
chain IN_public_deny { }
chain IN_public_allow { tcp dport 22 counter packets 0 bytes 0 accept ip6 daddr fe80::/64 udp dport 546 counter packets 0 bytes 0 accept tcp dport 80 counter packets 0 bytes 0 accept tcp dport 443 counter packets 0 bytes 0 accept tcp dport 25 counter packets 0 bytes 0 accept tcp dport 587 counter packets 0 bytes 0 accept tcp dport 143 counter packets 0 bytes 0 accept }
chain IN_public_post { }
chain FWD_public { counter packets 0 bytes 0 jump FORWARD_POLICIES_pre counter packets 0 bytes 0 jump FWD_public_pre counter packets 0 bytes 0 jump FWD_public_log counter packets 0 bytes 0 jump FWD_public_deny counter packets 0 bytes 0 jump FWD_public_allow counter packets 0 bytes 0 jump FWD_public_post counter packets 0 bytes 0 jump FORWARD_POLICIES_post counter packets 0 bytes 0 reject }
chain FWD_public_pre { }
chain FWD_public_log { }
chain FWD_public_deny { }
chain FWD_public_allow { oifname "venet0:0" counter packets 0 bytes 0 accept }
chain FWD_public_post { }
chain IN_allow-host-ipv6 { counter packets 0 bytes 0 jump IN_allow-host-ipv6_pre counter packets 0 bytes 0 jump IN_allow-host-ipv6_log counter packets 0 bytes 0 jump IN_allow-host-ipv6_deny counter packets 0 bytes 0 jump IN_allow-host-ipv6_allow counter packets 0 bytes 0 jump IN_allow-host-ipv6_post }
chain IN_allow-host-ipv6_pre { }
chain IN_allow-host-ipv6_log { }
chain IN_allow-host-ipv6_deny { }
chain IN_allow-host-ipv6_allow { meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert counter packets 0 bytes 0 accept meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit counter packets 0 bytes 0 accept meta l4proto ipv6-icmp icmpv6 type nd-router-advert counter packets 0 bytes 0 accept meta l4proto ipv6-icmp icmpv6 type nd-redirect counter packets 0 bytes 0 accept }
chain IN_allow-host-ipv6_post { } } table inet testing { } table bridge nat { chain PREROUTING_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain PREROUTING { type filter hook prerouting priority dstnat; policy accept; counter packets 0 bytes 0 jump PREROUTING_direct }
chain POSTROUTING_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain POSTROUTING { type filter hook postrouting priority srcnat; policy accept; counter packets 0 bytes 0 jump POSTROUTING_direct }
chain OUTPUT_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain OUTPUT { type filter hook output priority out; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct } } table bridge filter { chain INPUT_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain INPUT { type filter hook input priority filter; policy accept; counter packets 0 bytes 0 jump INPUT_direct }
chain OUTPUT_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain OUTPUT { type filter hook output priority filter; policy accept; counter packets 0 bytes 0 jump OUTPUT_direct }
chain FORWARD_direct { counter packets 0 bytes 0 return counter packets 0 bytes 0 accept }
chain FORWARD { type filter hook forward priority filter; policy accept; counter packets 0 bytes 0 jump FORWARD_direct } }
On 7/10/23, Eric Garver egarver@redhat.com wrote:
On Mon, Jul 10, 2023 at 11:47:50AM -0400, David Mehler wrote:
Hello,
I'm not sure. The Debian VPS is running on OpenVZ if that helps.
Why would this only affect nftables and not the iptables backend?
It's possible that nftables is not usable inside OpenVZ. You could verify by trying to manipulate nftables manually.
e.g.
# nft list ruleset
# nft add table inet testing
If those commands don't work, then nftables is not functional inside the OpenVZ environment.
Thanks. Dave.
On 7/10/23, Eric Garver egarver@redhat.com wrote:
This looks like the firewalld backends are broken, e.g. nftables, ebtables.
Are you using a Debian provided kernel? Or is this a custom kernel for the VPS?
On Sat, Jul 08, 2023 at 10:29:45AM -0400, David Mehler wrote:
Hello,
I'm trying to get firewalld going on a Debian 12 VPS. I've asked on the debian users list, who referred me here with a way to get more verbose error messages, see below. Unfortunately I'm clueless as to what this could be. From what I can see, it looks like it's trying to delete a chain and failing, which causes firewalld to fail, though I could be wrong; python and myself are not friends.
Any help appreciated. Thanks. Dave.
root@hostname:~# systemctl --full --no-pager status firewalld
? firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; preset: enabled)
     Active: inactive (dead) since Sat 2023-07-08 02:06:48 EDT; 7h ago
   Duration: 2.316s
       Docs: man:firewalld(1)
    Process: 77366 ExecStart=/usr/sbin/firewalld --nofork --nopid (code=exited, status=0/SUCCESS)
   Main PID: 77366 (code=exited, status=0/SUCCESS)

Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9 (nf_tables): line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9 (nf_tables): line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 633, in start
    self._start()
  File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 597, in _start
    self._start_apply_objects(reload=reload, complete_reload=complete_reload)
  File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in _start_apply_objects
    transaction.execute(True)
  File "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line 161, in execute
    raise FirewallError(errors.COMMAND_FAILED, errorMsg)
firewall.errors.FirewallError: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9 (nf_tables): line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 638, in start
    self._start_failsafe()
  File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 629, in _start_failsafe
    self._start_apply_objects(reload=reload, complete_reload=complete_reload)
  File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in _start_apply_objects
    transaction.execute(True)
  File "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line 161, in execute
    raise FirewallError(errors.COMMAND_FAILED, errorMsg)
firewall.errors.FirewallError: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Failed to load full stock configuration. This likely indicates a system level issue, e.g. the firewall backend (nftables, iptables) is broken. All hope is lost. Exiting.
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9 (nf_tables): line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Raising SystemExit in run_server
Jul 08 02:06:48 hostname.example.com systemd[1]: firewalld.service: Deactivated successfully.
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Mon, Jul 10, 2023 at 06:41:20PM -0400, David Mehler wrote:
Hello,
Thanks. The nft does work.
That's good news.
You can get better debug output by setting IndividualCalls=yes in /etc/firewalld/firewalld.conf.
Also enable debug logging by passing --debug=9 to the daemon. This should be done in /etc/sysconfig/firewalld.
[..]
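The two checks Eric suggests in this thread (probe nftables by listing the ruleset and adding a scratch table, then turn on IndividualCalls and --debug=9) collected into one POSIX shell script. This is an added example written for this thread, not code from the firewalld project or from either poster. It assumes nft is on PATH, that firewalld.conf is plain key=value lines, and that the daemon's environment file carries a FIREWALLD_ARGS variable; the environment file path below is the one quoted in the thread, so confirm it against the EnvironmentFile= line of your firewalld.service before relying on it. Unlike the manual probe in the thread, the script also deletes the scratch table afterwards, since the ruleset dump above still carries a leftover "table inet testing".

```shell
#!/bin/sh
# Added example for the firewalld-users thread above; not project code.
# Assumptions: nft on PATH; firewalld.conf is key=value; the daemon reads
# FIREWALLD_ARGS from the environment file named in its unit (the path used
# below is the one quoted in the thread; verify against EnvironmentFile=).
set -eu

# Probe whether the nftables backend is usable at all (OpenVZ guests may
# lack it). Mirrors the two manual commands from the thread, then removes
# the scratch table so it does not linger in the ruleset.
# Returns 0 when nftables works, 1 with a one-line reason otherwise.
nft_probe() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed"; return 1; }
    nft list ruleset >/dev/null 2>&1 || { echo "nft list ruleset failed"; return 1; }
    nft add table inet testing 2>/dev/null || { echo "nft add table failed"; return 1; }
    nft delete table inet testing 2>/dev/null || { echo "nft delete table failed"; return 1; }
    echo "nftables is functional"
}

# Set KEY=VALUE in an ini-style file: replace an existing KEY= line or
# append one. Goes through a temp file so a failed sed leaves the original
# untouched; creates the file if it does not exist yet.
set_conf_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Read back the value for KEY from FILE (empty string if absent).
get_conf_key() {
    sed -n "s|^$2=||p" "$1" | head -n 1
}

# Apply both debugging settings from the thread. Arguments override the
# default file paths, which is also what makes the functions testable on a
# scratch copy instead of the live configuration. Note that this replaces
# any existing FIREWALLD_ARGS value rather than appending to it.
enable_firewalld_debug() {
    conf=${1:-/etc/firewalld/firewalld.conf}
    envfile=${2:-/etc/sysconfig/firewalld}
    set_conf_key "$conf" IndividualCalls yes
    set_conf_key "$envfile" FIREWALLD_ARGS --debug=9
}

# Run the probe and the config changes only when explicitly asked to, so
# sourcing this file merely defines the functions.
if [ "${FIREWALLD_DEBUG_RUN:-}" = "1" ]; then
    nft_probe
    enable_firewalld_debug
fi
```

Run it as root with FIREWALLD_DEBUG_RUN=1 after a failed start, then restart firewalld and read the journal again; with IndividualCalls=yes each nft and ebtables call is logged on its own, so the first failing CHAIN_DEL shows up with the exact command that issued it.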