Firewall-cmd failed python-nftables No such file or directory

I can’t seem to get firewalld running properly again. I’m not sure what broke it or when. This was a centos8 host that I migrated to Rocky a few weeks or so ago. I suspect I hosed it up when improperly installing crowdsec a couple of days ago. I had installed crowdsec-firewall-bouncer-iptables; I’m using nftables, the default for centos8, so I should have installed crowdsec-firewall-bouncer-nftables. While working this problem I’ve removed crowdsec, but not the repositories.

FWIW I’ve apparently succeeded in migrating centos8 → rocky and installed and verified blocking ip with crowdsec on another vps provider.

Back to the host in question.

myhost ~ # dnf list installed | grep crowd
myhost ~ #

About this time, I also renamed the host, which was somewhat problematic with log files until I discovered sysctl -w kernel.hostname=redacted.tld

The problem is ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2021-12-30 10:06:56 MST; 22min ago
     Docs: man:firewalld(1)
 Main PID: 4439 (firewalld)
    Tasks: 2 (limit: 3276)
   Memory: 31.4M
   CGroup: /system.slice/firewalld.service
           └─4439 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Dec 30 10:06:55 redacted0.domain.tld systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 30 10:06:56 redacted0.domain.tld systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 30 10:06:57 redacted0.domain.tld firewalld[4439]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.
Dec 30 10:07:11 redacted0.domain.tld firewalld[4439]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory

                                                      internal:0:0-0: Error: Could not process rule: Numerical result out of range

                                                      internal:0:0-0: Error: Could not process rule: Numerical result out of range

                                                      internal:0:0-0: Error: Could not process rule: Numerical result out of range
myhost ~ # uname -r
4.18.0
myhost ~ #

FWIW the systemctl status firewalld doesn’t show the errors until I issue the firewall-cmd --state

I’ve tried reinstalling firewalld and what I hope are all related packages.

myhost ~ # history | grep reinstall | cut -c 8- | sort | uniq
dnf reinstall firewalld-filesystem.noarch
dnf reinstall firewalld.noarch
dnf reinstall firewalld.noarch firewalld-filesystem.noarch python3-firewall.noarch
dnf reinstall ipset.x86_64 ipset-libs.x86_64
dnf reinstall nftables.x86_64
dnf reinstall python3-firewall.noarch
history | grep reinstall | cut -c 8- | sort | uniq
myhost ~ #

I found some bug reports that contained the error string.

They didn’t lead me to an easily implemented fix, if at all.

First, there is command hostnamectl for checking and changing hostname (static, pretty, etc).

Second, the default firewalld config (from packages) is in /usr/lib/firewalld and local customizations are in /etc/firewalld. Removing content from the latter should return you to the default config. (Obviously a “move out” is probably better, so you can still peek at what you had.) When you get a functional firewall, reintroduce the desired changes until all are in or you find a change that crashes your config.

I wiped those two directories and reinstalled firewalld.

myhost ~ # restic backup /etc/firewalld /usr/lib/firewalld
myhost ~ # rm -rf /etc/firewalld
myhost ~ # rm -rf /usr/lib/firewalld
myhost ~ # dnf reinstall firewalld

Still errors on firewall-cmd --state; the first run after the wipe and reinstall is more verbose than the second run.

[root@myhost ~]# firewall-cmd --state
ERROR:dbus.proxies:Introspect error on :1.54:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
failed
[root@myhost ~]#

myhost ~ # firewall-cmd --state
failed
myhost ~ #

My /var/log/messages is getting huge. Sometimes, actually often, the dates seem confused when I tail and/or less it, like entries from Oct. Weird. I don’t know if it’s related; it seemed to crop up after the hostname change yesterday, then again when I ran hostnamectl set-hostname redacted today. I’m pretty sure I ran it yesterday, as is my habit, but just to be sure.

myhost ~ # ll -h  /var/log/messages*
-rw------- 1 root root  10M Dec 30 20:34 /var/log/messages
-rw------- 1 root root 274K Dec  5 02:24 /var/log/messages-20211205
-rw------- 1 root root 315K Dec 12 02:24 /var/log/messages-20211212
-rw------- 1 root root 252K Dec 19 02:24 /var/log/messages-20211219
-rw------- 1 root root 2.1M Dec 26 02:24 /var/log/messages-20211226
myhost ~ #

Anyway, I noticed Dec 30 18:54:06 redacted.new dbus-daemon[122]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.40" (uid=0 pid=822 comm="/usr/libexec/platform-python -s /usr/sbin/firewall") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.E
Lots more ‘slice’ errors…

I installed polkit and rebooted. I have another Rocky instance on another VPS provider where firewalld and crowdsec are working, which I am using for some comparisons. The working vm had polkit installed…

myhost ~ # cat /var/log/messages | grep 'Dec 30' | grep sbin
Dec 30 18:54:06 new.redacted.hostname dbus-daemon[122]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.40" (uid=0 pid=822 comm="/usr/libexec/platform-python -s /usr/sbin/firewall") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.51" (uid=0 pid=968 comm="/usr/libexec/platform-python -s /usr/bin/firewall-")

Dec 30 18:54:06 new.redacted.hostname dbus-daemon[122]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.40" (uid=0 pid=822 comm="/usr/libexec/platform-python -s /usr/sbin/firewall") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.51" (uid=0 pid=968 comm="/usr/libexec/platform-python -s /usr/bin/firewall-")

Dec 30 19:05:42 new.redacted.hostname dbus-daemon[122]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service' requested by ':1.59' (uid=0 pid=1644 comm="/usr/libexec/platform-python -s /usr/sbin/firewall")

Dec 30 19:08:25 new.redacted.hostname dbus-daemon[127]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service' requested by ':1.2' (uid=0 pid=129 comm="/usr/libexec/platform-python -s /usr/sbin/firewall")

Dec 30 19:16:24 new.redacted.hostname dbus-daemon[119]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service' requested by ':1.2' (uid=0 pid=120 comm="/usr/libexec/platform-python -s /usr/sbin/firewall")

myhost ~ #

An example of weird dates. I’m thinking of forcing a logrotate.

myhost ~ # systemctl status  user@1000
● user@1000.service - User Manager for UID 1000
   Loaded: loaded (/usr/lib/systemd/system/user@.service; static; vendor preset: disabled)
   Active: failed (Result: protocol) since Thu 2021-12-30 20:54:50 MST; 1min 25s ago
  Process: 2372 ExecStart=/usr/lib/systemd/systemd --user (code=exited, status=1/FAILURE)
 Main PID: 2372 (code=exited, status=1/FAILURE)

Dec 30 20:54:50 new.redacted.hostname systemd[1]: Starting User Manager for UID 1000...
Dec 30 20:54:50 new.redacted.hostname systemd[2372]: pam_unix(systemd-user:session): session opened for user jeffa by (uid=0)
Dec 30 20:54:50 new.redacted.hostname systemd[1]: user@1000.service: Failed with result 'protocol'.
Dec 30 20:54:50 new.redacted.hostname systemd[1]: Failed to start User Manager for UID 1000.
Oct 15 04:12:20 old.redacted.hostname systemd[14224]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
Oct 15 04:12:20 old.redacted.hostname systemd[14224]: Failed to allocate manager object: Permission denied
Aug 20 23:25:02 old.redacted.hostname systemd[194600]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
Aug 20 23:25:02 old.redacted.hostname systemd[194600]: Failed to allocate manager object: Permission denied
Aug 20 23:25:02 old.redacted.hostname systemd[194601]: pam_unix(systemd-user:session): session closed for user jeffa
Dec 24 09:39:51 old.redacted.hostname systemd[142358]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
Dec 24 09:39:51 old.redacted.hostname systemd[142358]: Failed to allocate manager object: Permission denied
Dec 26 14:02:20 old.redacted.hostname systemd[236186]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
Dec 26 14:02:20 old.redacted.hostname systemd[236186]: Failed to allocate manager object: Permission denied
Dec 26 14:05:38 old.redacted.hostname systemd[236257]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
Dec 26 14:05:38 old.redacted.hostname systemd[236257]: Failed to allocate manager object: Permission denied
Dec 27 08:55:23 old.redacted.hostname systemd[268377]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
Dec 27 08:55:23 old.redacted.hostname systemd[268377]: Failed to allocate manager object: Permission denied
Dec 27 20:06:23 old.redacted.hostname systemd[280499]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
Dec 27 20:06:23 old.redacted.hostname systemd[280499]: Failed to allocate manager object: Permission denied
Dec 27 20:06:23 old.redacted.hostname systemd[280500]: pam_unix(systemd-user:session): session closed for user jeffa
Dec 30 20:54:50 new.redacted.hostname systemd[2372]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
Dec 30 20:54:50 new.redacted.hostname systemd[2372]: Failed to allocate manager object: Permission denied
myhost ~ #

I feel I should perhaps fix this, as I’ve seen some indication that the sbin/firewall command is failing related to the user@1000 problems… Perhaps I should start a new thread for that.
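To sort through /var/log/messages output like the above, here is a small added script (not from the thread or from any poster) that parses syslog-format lines, pulls out the dbus-daemon "Rejected send message" events with the sending and receiving commands and the D-Bus error name, counts the user-manager cgroup "Permission denied" failures, and flags entries whose stamp is older than the newest one already seen, i.e. the out-of-order "Oct" lines. The sample lines are constructed from the redacted entries quoted in the thread, and the year is assumed to be 2021 because syslog stamps carry none.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the redacted /var/log/messages entries quoted in this thread.
SAMPLE = """\
Dec 30 18:54:06 new.redacted.hostname dbus-daemon[122]: [system] Rejected send message, 0 matched rules; type="error", sender=":1.40" (uid=0 pid=822 comm="/usr/libexec/platform-python -s /usr/sbin/firewall") interface="(unset)" member="(unset)" error name="org.freedesktop.DBus.Error.ServiceUnknown" requested_reply="0" destination=":1.51" (uid=0 pid=968 comm="/usr/libexec/platform-python -s /usr/bin/firewall-")
Dec 30 19:05:42 new.redacted.hostname dbus-daemon[122]: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkit.service' requested by ':1.59' (uid=0 pid=1644 comm="/usr/libexec/platform-python -s /usr/sbin/firewall")
Dec 30 20:54:50 new.redacted.hostname systemd[1]: user@1000.service: Failed with result 'protocol'.
Oct 15 04:12:20 old.redacted.hostname systemd[14224]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
Dec 30 20:54:50 new.redacted.hostname systemd[2372]: Failed to create /user.slice/user-1000.slice/user@1000.service/init.scope control group: Permission denied
"""

# syslog header: "Mon DD HH:MM:SS host prog[pid]: message" (the stamp carries no year)
HEADER = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# dbus-daemon policy rejection: who sent it, which error, and who was meant to receive it
REJECT = re.compile(r'Rejected send message.*?sender="(?P<sender>[^"]+)" \([^)]*?comm="(?P<scomm>[^"]*)"\)'
                    r'.*?error name="(?P<err>[^"]+)".*?destination="(?P<dest>[^"]+)" \([^)]*?comm="(?P<dcomm>[^"]*)"\)')
CGROUP_DENIED = re.compile(r"Failed to create \S+ control group: Permission denied")


def analyse(text, year=2021):
    """Return a summary dict: dbus rejections, cgroup denials, stale (out-of-order) lines, hosts seen."""
    rejections, stale, hosts = [], [], set()
    cgroup_denied, newest = 0, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # continuation line or unparsable junk
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # assumed year
        hosts.add(m["host"])
        # a stamp older than the newest one already seen is out of order
        if newest is not None and ts < newest:
            stale.append(f'{m["ts"]} {m["host"]}')
        newest = ts if newest is None else max(newest, ts)
        r = REJECT.search(m["msg"])
        if r:  # keep only the executable names, the last token of each comm= string
            rejections.append({"error": r["err"], "from": r["scomm"].split()[-1],
                               "to": r["dcomm"].split()[-1]})
        if CGROUP_DENIED.search(m["msg"]):
            cgroup_denied += 1
    return {"rejections": rejections, "cgroup_denied": cgroup_denied,
            "stale": stale, "hosts": sorted(hosts)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print(f"{key}: {value}")
```

Feeding it the real file (`analyse(open("/var/log/messages").read())`) lists every stamp that jumped backwards together with the hostname it was logged under, which separates pre-rename entries from post-rename ones at a glance.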