
When I try to reload firewalld, it tells me

Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Numerical result out of range


JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_policy_allow-host-ipv6"}}}]}

I don’t know why this is; after Googling, it still hasn’t been resolved.

2

Answers


  1. I had the same error message. I enabled verbose debugs on firewalld and tailed the logs to file for a deeper dive. In my case the exception was originally happening in "nftables.py" on line "361".

    Exception:

    2022-01-23 14:00:23 DEBUG3: <class 'firewall.core.nftables.nftables'>: calling python-nftables with JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_policy_allow-host-ipv6"}}}]}
    2022-01-23 14:00:23 DEBUG1: Traceback (most recent call last):
    File "/usr/lib/python3.6/site-packages/firewall/core/fw.py", line 888, in rules
    backend.set_rule(rule, self._log_denied)
    File "/usr/lib/python3.6/site-packages/firewall/core/nftables.py", line 390, in set_rule
    self.set_rules([rule], log_denied)
    File "/usr/lib/python3.6/site-packages/firewall/core/nftables.py", line 361, in set_rules
    raise ValueError("'%s' failed: %s\nJSON blob:\n%s" % ("python-nftables", error, json.dumps(json_blob)))
    ValueError: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: Numerical result out of range

    Line 361 in "nftables.py":

    self._loader(config.FIREWALLD_POLICIES, "policy")

    Why this is a problem:
    Basically nftables is a backend service and firewalld is a frontend service. They are dependent on each other to function. Each time you restart firewalld it has to reconcile the backend, in this case nftables. At some point during the reconciliation a conflict is occurring in the python code. That is unfortunate as the only real solution will likely have to come from code improvements from nftables in how it is able to populate policies into chains and tables.

    A work-around:
    The good news is, if you are like me, you don’t use ipv6, in which case we simply disable the policy rather than solve for the issue. I’ll put the work-around steps below.

    Work-around Steps:
    The proper way to remove the policy is to use the command "firewall-cmd --delete-policy=allow-host-ipv6 --permanent", but I encountered other errors and exceptions in Python when attempting to do that. Since I don’t care about IPv6, I manually deleted the XML from the configuration and restarted the firewalld service.

    rm /usr/lib/firewalld/policies/allow-host-ipv6.xml

    rm /etc/firewalld/policies/allow-host-ipv6.xml

    systemctl restart firewalld

    Side Note:
    Once I fixed this conflict, I also had some additional conflicts between nftables/iptables/fail2ban that had to be cleared up. For that I just used the command "fail2ban-client unban --all" to make fail2ban wipe clean all of the chains it added to iptables.

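The work-around in answer 1 deletes two configuration files outright. As an added example (not code from the answer or from the firewalld project), the script below performs the same step but moves the files aside into a backup tree and can put them back, so the change is reversible if IPv6 connectivity turns out to matter after all. The two directories default to the paths the answer names; the backup location under /root and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer above: disables the firewalld
# "allow-host-ipv6" policy by moving its XML files aside instead of deleting
# them, so the change can be reversed. The default directories are the two
# paths the answer names; the backup location is an assumption.
set -eu

POLICY_NAME="allow-host-ipv6"
DIST_DIR_DEFAULT="/usr/lib/firewalld/policies"   # distribution copy
ETC_DIR_DEFAULT="/etc/firewalld/policies"        # local override copy

# disable_policy DIST_DIR ETC_DIR BACKUP_DIR
# Moves $POLICY_NAME.xml out of each directory that has one into BACKUP_DIR,
# mirroring the original path underneath it. Prints the number of files
# moved; returns 1 when neither directory had the policy (nothing to do).
disable_policy() {
    dist_dir=$1; etc_dir=$2; backup_dir=$3
    moved=0
    for dir in "$dist_dir" "$etc_dir"; do
        src="$dir/$POLICY_NAME.xml"
        [ -f "$src" ] || continue
        dest="$backup_dir$src"
        mkdir -p "$(dirname "$dest")"
        mv "$src" "$dest"
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ] || return 1
    echo "$moved"
}

# restore_policy DIST_DIR ETC_DIR BACKUP_DIR
# Puts back whatever disable_policy moved. Prints the number of files restored.
restore_policy() {
    dist_dir=$1; etc_dir=$2; backup_dir=$3
    restored=0
    for dir in "$dist_dir" "$etc_dir"; do
        orig="$dir/$POLICY_NAME.xml"
        saved="$backup_dir$orig"
        [ -f "$saved" ] || continue
        mkdir -p "$dir"
        mv "$saved" "$orig"
        restored=$((restored + 1))
    done
    echo "$restored"
}

# Apply against the real paths only when explicitly asked:
#   sh disable_ipv6_policy.sh apply      (hypothetical file name)
if [ "${1:-}" = "apply" ]; then
    backup="/root/firewalld-policy-backup-$(date +%Y%m%d%H%M%S)"   # assumed location
    disable_policy "$DIST_DIR_DEFAULT" "$ETC_DIR_DEFAULT" "$backup"
    systemctl restart firewalld
    firewall-cmd --state          # expect "running"
    firewall-cmd --get-policies   # allow-host-ipv6 should no longer be listed
fi
```

Reverting is `restore_policy` with the same three arguments followed by another `systemctl restart firewalld`. Note that a later package update may reinstall the copy under /usr/lib/firewalld/policies; the copy under /etc/firewalld/policies is the one that counts as the local override, so check both if the error reappears.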
  2. In my case, I didn’t really care about using nftables, so on my CentOS 8 installation, I went to /etc/firewalld/firewalld.conf, e.g.

    vi /etc/firewalld/firewalld.conf
    

    and changed the backend for firewalld from nftables to iptables.

    To do this, you will find the line:

    FirewallBackend=nftables
    

    Change it to:

    FirewallBackend=iptables
    

    Then save and restart firewalld using:

    systemctl restart firewalld
    

    Now check the status:

    systemctl status firewalld
    

    And everything should be fine.

    Thanks for reading

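Answer 2 edits firewalld.conf by hand. As an added example (not code from the answer or from firewalld itself), the functions below make the same FirewallBackend change scriptable: the new value is checked against the two backends firewalld.conf accepts, the untouched file is kept as a .bak copy, and a read-back function lets you confirm what the file now says before restarting. The config path is a parameter so it can be exercised on a copy; the script file name is an assumption.

```shell
#!/bin/sh
# Added example, not code from the answer above: switches FirewallBackend in
# firewalld.conf the way the answer describes, but with validation, a backup
# copy and a read-back so the result can be checked. The file path is a
# parameter; the real one is /etc/firewalld/firewalld.conf.
set -eu

# get_firewall_backend CONF
# Prints the value of the last FirewallBackend= line, or "unset" if there is none.
get_firewall_backend() {
    conf=$1
    val=$(sed -n 's/^FirewallBackend=//p' "$conf" | tail -n 1)
    if [ -n "$val" ]; then echo "$val"; else echo "unset"; fi
}

# set_firewall_backend CONF BACKEND
# Rewrites (or appends) the FirewallBackend= line. Only the two values
# firewalld.conf documents are accepted; the untouched file is kept at CONF.bak.
set_firewall_backend() {
    conf=$1; backend=$2
    case "$backend" in
        nftables|iptables) ;;
        *) echo "unsupported backend: $backend" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "missing config file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak"
    if grep -q '^FirewallBackend=' "$conf"; then
        # rewrite in place via a temp file (portable across sed variants)
        sed "s/^FirewallBackend=.*/FirewallBackend=$backend/" "$conf" > "$conf.tmp"
    else
        cp "$conf" "$conf.tmp"
        printf 'FirewallBackend=%s\n' "$backend" >> "$conf.tmp"
    fi
    mv "$conf.tmp" "$conf"
}

# Apply to the live system only when asked:
#   sh set_backend.sh iptables      (hypothetical file name)
if [ $# -eq 1 ]; then
    set_firewall_backend /etc/firewalld/firewalld.conf "$1"
    systemctl restart firewalld
    echo "backend now: $(get_firewall_backend /etc/firewalld/firewalld.conf)"
    firewall-cmd --state    # expect "running"
fi
```

After the switch, firewalld's rules are installed through iptables/ip6tables rather than nft, so `nft list ruleset` will no longer show them; use `firewall-cmd --list-all` or `iptables -L` to verify. Going back is either `set_firewall_backend /etc/firewalld/firewalld.conf nftables` or copying the .bak file over the original, followed by another restart.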