when I try to reload firewalld, it tells me
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Numerical result out of range
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_policy_allow-host-ipv6"}}}]}
I don’t know why this is; after Googling, it still hasn’t been resolved.
2 Answers
I had the same error message. I enabled verbose debugs on firewalld and tailed the logs to file for a deeper dive. In my case the exception was originally happening in "nftables.py" on line "361".
Exception:
Line 361 in "nftables.py":
Why this is a problem:
Basically nftables is a backend service and firewalld is a frontend service. They are dependent on each other to function. Each time you restart firewalld it has to reconcile the backend, in this case nftables. At some point during the reconciliation a conflict is occurring in the python code. That is unfortunate as the only real solution will likely have to come from code improvements from nftables in how it is able to populate policies into chains and tables.
A work-around:
The good news is, if you are like me, you don’t use ipv6, in which case we simply disable the policy rather than solve for the issue. I’ll put the work-around steps below.
Work-around Steps:
The proper way to remove the policy is to use the command "firewall-cmd --delete-policy=allow-host-ipv6 --permanent" but I encountered other errors and exceptions in python when attempting to do that. Since I don’t care about ipv6 I manually deleted the XML from configuration and restarted the firewalld service.
Side Note:
Once I fixed this conflict, I also had some additional conflicts between nftables/iptables/fail2ban that had to be cleared up. For that I just used the command "fail2ban-client unban --all" to make fail2ban wipe clean all of the chains it added to iptables.
In my case, I didn’t really care about using nftables, so on my CentOS 8 installation, I went to /etc/firewalld/firewalld.conf and changed the backend for firewalld from nftables to iptables. To do this, you will find the line:
Change it to:
Then save and restart firewalld using:
Now check the status:
And everything should be fine.
Thanks for reading
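A scripted version of the backend switch from the answer above, added here as an example and not part of the original answer. It assumes the configuration key is named FirewallBackend (firewalld's own key, not quoted on this page) and works on a constructed copy of the file, so nothing under /etc is touched.

```shell
#!/bin/sh
# Change the FirewallBackend key in a firewalld.conf-style file, keeping a backup.
# Assumption: the key name is FirewallBackend (firewalld's documented key).
set -eu

# set_firewall_backend FILE BACKEND
# Rewrites "FirewallBackend=<old>" to "FirewallBackend=<new>" after saving FILE.bak.
# Only the two backends firewalld supports are accepted.
set_firewall_backend() {
    file=$1
    backend=$2
    case "$backend" in
        nftables|iptables) ;;
        *) echo "unsupported backend: $backend" >&2; return 2 ;;
    esac
    # Refuse to edit a file that has no FirewallBackend key (e.g. an old firewalld release).
    grep -q '^FirewallBackend=' "$file" || { echo "no FirewallBackend key in $file" >&2; return 1; }
    cp -p "$file" "$file.bak"
    sed "s/^FirewallBackend=.*/FirewallBackend=$backend/" "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# get_firewall_backend FILE: prints the backend currently configured in FILE.
get_firewall_backend() {
    sed -n 's/^FirewallBackend=//p' "$1"
}

# Demo on a constructed sample file, not a real firewalld.conf.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample
DefaultZone=public
FirewallBackend=nftables
EOF
set_firewall_backend "$demo_file" iptables
echo "backend is now: $(get_firewall_backend "$demo_file")"   # backend is now: iptables
rm -f "$demo_file" "$demo_file.bak"
```

Switching the backend only sidesteps the failing nftables rule load; after `systemctl restart firewalld`, confirm with `firewall-cmd --state` and keep the .bak copy so the change can be reverted.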