Question
After upgrading from Ubuntu 20.04 to 20.10 I want to finally get started with firewalld instead of the old manual iptables approach, but all I get from the service is the following, which also breaks any network integration with Docker:
Feb 13 13:28:20 myhost firewalld[36390]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
That error message is not really helpful, since it doesn't say "what" can not be found.
I also tried to execute the JSON blob (from journalctl --unit firewalld --no-pager) using the nft command directly, but that just gives the same error message, actually multiple times. So the error message is the one coming from libnftables1.
Answer
After reviewing a bit of Python code here and here it became clear that I need to disassemble the big JSON blob and see which instructions exactly fail, which led me to the following (after storing the JSON blob into ~/nftables.json):
jq '.nftables | length' ~/nftables.json
...to get the number of entries (225 in my case) and then:
for i in $(seq 1 224); do \
jq --argjson index "$i" '{"nftables": [.nftables[0], .nftables[$index]]}' ~/nftables.json | tee nft.json; \
sudo nft --json --file nft.json || break; \
done
...which failed just for the first entry:
{
  "nftables": [
    {
      "metainfo": {
        "json_schema_version": 1
      }
    },
    {
      "add": {
        "chain": {
          "family": "inet",
          "table": "firewalld",
          "name": "raw_PREROUTING",
          "type": "filter",
          "hook": "prerouting",
          "prio": -290
        }
      }
    }
  ]
}
internal:0:0-0: Error: No such file or directory
As this was just adding a chain, the only thing that could be wrong here is a missing table, which was confirmed by:
$ sudo nft list tables
table bridge filter
table bridge nat
...so we need to add it:
sudo nft add table inet firewalld
After some more similar failures, I ended up with just the following tables being added manually:
table inet firewalld
table ip firewalld
table ip6 firewalld
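As an added example (not the answer's own code), the following Python script automates the procedure above: it splits the firewalld JSON blob into one document per command the way the jq loop does, parses the output of nft list tables, and reports which (family, table) pairs the commands refer to that do not exist yet. The sample blob and table listing are constructed; apply_one_by_one assumes an nft binary that accepts --file - for stdin.

```python
import json
import re
import subprocess

# Constructed sample in the shape firewalld hands to python-nftables:
# a metainfo header followed by one command object per entry.
SAMPLE_BLOB = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "raw_PREROUTING",
                       "type": "filter", "hook": "prerouting", "prio": -290}}},
    {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "raw_PREROUTING", "expr": []}}},
    {"add": {"table": {"family": "ip6", "name": "firewalld"}}},
]})

# Constructed output of `sudo nft list tables` on a host with only the bridge tables.
SAMPLE_LIST_TABLES = "table bridge filter\ntable bridge nat\n"


def split_commands(blob):
    """Return (metainfo, [command, ...]) from an nftables JSON blob."""
    entries = json.loads(blob)["nftables"]
    return entries[0], entries[1:]


def single_command_doc(metainfo, command):
    """The per-entry document the jq loop built: header plus exactly one command."""
    return {"nftables": [metainfo, command]}


def referenced_table(command):
    """(family, table) a command needs to exist already, or None if it creates/drops a table."""
    for verb in ("add", "insert", "delete", "flush"):
        obj = command.get(verb, {})
        if "table" in obj:
            return None
        for kind in ("chain", "rule", "set", "map"):
            if kind in obj:
                return obj[kind]["family"], obj[kind]["table"]
    return None


def existing_tables(list_tables_output):
    """Parse `nft list tables` output into a set of (family, table)."""
    return set(re.findall(r"^table (\S+) (\S+)$", list_tables_output, re.M))


def missing_tables(blob, list_tables_output):
    """Tables the blob references that the kernel does not have yet (sorted)."""
    needed = {t for t in map(referenced_table, split_commands(blob)[1]) if t}
    return sorted(needed - existing_tables(list_tables_output))


def apply_one_by_one(blob):
    """Live check (needs nft + privileges): feed each command separately, stop at first failure."""
    metainfo, commands = split_commands(blob)
    for i, command in enumerate(commands, start=1):
        doc = json.dumps(single_command_doc(metainfo, command))
        r = subprocess.run(["nft", "--json", "--file", "-"], input=doc, text=True, capture_output=True)
        if r.returncode != 0:
            return i, command, r.stderr.strip()
    return None
```

Run missing_tables first against a saved blob and the real nft list tables output; each returned pair maps to one nft add table FAMILY NAME, as in the answer.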
Original: iptables - firewalld - No such file or directory - Ask Ubuntu