Since its recent installation (AFAICT), net-firewall/nftables-0.9.0-r2 fails to start:

jan 11 17:04:41 sysoppad systemd[1]: Starting Store and restore nftables firewall rules...
-- Subject: Unit nftables-restore.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nftables-restore.service has begun starting up.
jan 11 17:04:41 sysoppad nftables.sh[28843]: /dev/stdin:458:65-65: Error: syntax error, unexpected newline
jan 11 17:04:41 sysoppad systemd[1]: nftables-restore.service: Main process exited, code=exited, status=1/FAILURE
jan 11 17:04:41 sysoppad systemd[1]: nftables-restore.service: Failed with result 'exit-code'.
jan 11 17:04:41 sysoppad systemd[1]: Failed to start Store and restore nftables firewall rules.
-- Subject: Unit nftables-restore.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit nftables-restore.service has failed.
--
-- The result is RESULT.

Is this a bug, or could it be a configuration issue?
Hi Erik! I suspect there is a bashism inside the shell nftables.sh script which I missed. Can you tell me where is your /bin/sh pointing to?
(In reply to Francisco Blas Izquierdo Riera from comment #1)
> Can you tell me where is your /bin/sh pointing to?

lrwxrwxrwx 1 root root 4 3 jan 2018 /bin/sh -> bash
Okay can you also tell me what the output of /bin/sh --version is?
(In reply to Francisco Blas Izquierdo Riera from comment #3)
> Okay can you also tell me what the output of /bin/sh --version is?

GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Okay, that's really weird. I have the same version of bash and the same /bin/sh link, and the script works flawlessly on my system. I suspect this may be related to systemd.

Just to be on the safe side, can you show me the output of /bin/sh /usr/libexec/nftables/nftables.sh

I'm not interested in the ruleset, only in whether it gives you any errors.
(In reply to Francisco Blas Izquierdo Riera from comment #5)
> Just to be on the safe side can you show me the output of /bin/sh
> /usr/libexec/nftables/nftables.sh
>
> I'm not interested in the ruleset, only on whether it gives you any errors.

There is no output whatsoever when I run that command.
Okay, just some last tests to make sure this is an issue with systemd:

Copy your current ruleset from /var/lib/nftables/rules-save to /var/lib/nftables/rules-save.bkp (or something similar).
Run "/usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save" to load the ruleset, check for any errors.
Run "/usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save" to save your ruleset, check for any errors.
Create an empty /var/lib/nftables/rules-save and run again the load and save commands and check for any errors.
Finally restore your ruleset from the backup you made before.

Be careful not to name your backup /var/lib/nftables/rules-save.tmp or you will lose your ruleset.
(In reply to Francisco Blas Izquierdo Riera from comment #7)
> Okay just some last tests to make sure this is an issue with systemd:

sysoppad /var/lib/nftables # cp rules-save rules-save.bkp
sysoppad /var/lib/nftables # /usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
/dev/stdin:458:65-65: Error: syntax error, unexpected newline
sysoppad /var/lib/nftables # /usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
sysoppad /var/lib/nftables # echo "" > rules-save
sysoppad /var/lib/nftables # /usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
sysoppad /var/lib/nftables # /usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
sysoppad /var/lib/nftables # mv rules-save.bkp rules-save
Thanks Erik! The output you are sending shows that the problem seems to be in your ruleset. Can you please send me a copy of your /var/lib/nftables/rules-save file? If you want to keep it private instead of posting it here, you can send it to my mail address using GPG key: 0x5608AEA28AAFC0EC (fingerprint 27BA AD13 B77D 1643 44FE 787F 5608 AEA2 8AAF C0EC). Just post a comment here when you have sent it so I can check it up. It would also help if you can share the output of uname -a so I can try to reproduce your issue.
Created attachment 560912 [details]
rules-save that seems to be problematic

This file is generated by firewalld. So this bug may end up having to be reassigned to its maintainers or even moved upstream.
(In reply to Francisco Blas Izquierdo Riera from comment #9)
> It would also help if you can share the output of uname -a so I can try to
> reproduce your issue.

Linux sysoppad 4.14.83-gentoo #2 SMP Sat Nov 24 21:29:21 CET 2018 x86_64 Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz GenuineIntel GNU/Linux
I have reproduced it; it seems the problem is caused by nftables being unable to parse long rulesets. I'll prepare a patch so that the ruleset is included instead.
@prometheanfire can you please review and merge the changes on https://github.com/gentoo/gentoo/pull/10842 The ebuild is exactly the same (I just pushed the r version to ensure the fixed libexec is used). The only shortcoming is when the user has special characters on the path to the ruleset like newlines, double quotes or some wildcards but this is more unlikely than a long ruleset. I could make this a bit more simple by just including the file but that requires setting up more complex logic to check the flush ruleset line is included (which isn't in old saved rulesets).
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5340dc96865d410a32ab4cb9f900bcb88e035600

commit 5340dc96865d410a32ab4cb9f900bcb88e035600
Author:     Francisco Blas (klondike) Izquierdo Riera <klondike@gentoo.org>
AuthorDate: 2019-01-15 23:13:18 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2019-01-15 23:20:42 +0000

    net-firewall/nftables: Minor fixes on the script

    closes #675188

    * Use printf instead of echo for better shell compatibility.
    * Use an include instead of concatenating the ruleset. (Note that this is
      likely to fail if the ruleset path contains special characters).
    * Empty the table first when executing panic actions.

    Fixes: https://bugs.gentoo.org/675188
    Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 net-firewall/nftables/files/libexec/nftables-mk.sh                      | 7 ++++---
 .../{nftables-0.9.0-r2.ebuild => nftables-0.9.0-r3.ebuild}               | 0
 2 files changed, 4 insertions(+), 3 deletions(-)
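A defensive sketch of the load path that comment #13 and the closing commit converge on, added here as an illustration and not the Gentoo nftables.sh script: it builds an include-based nft script instead of piping the whole ruleset through stdin, refuses ruleset paths containing the characters klondike warns about (newlines, double quotes, wildcards), and dry-runs with nft -c before anything is flushed. The function names nft_path_is_safe, nft_load_script and nft_load_ruleset and the NFT override variable are all invented for this example.

```shell
#!/bin/sh
# Added illustration, not the Gentoo nftables.sh script: load a saved ruleset
# through an nft "include" rather than feeding the whole file into nft's stdin.

# Return 0 when $1 can be embedded inside include "..." as-is. Assumption: an empty
# path, double quotes, backslashes, newlines and the glob characters nft expands in
# include paths (* ? [) are the cases the bug thread warns about, so they are refused.
nft_path_is_safe() {
    nl=$(printf '\nx'); nl=${nl%x}   # a literal newline, used in the pattern below
    case "$1" in
        ''|*"$nl"*|*'"'*|*'\'*|*'*'*|*'?'*|*'['*) return 1 ;;
    esac
    return 0
}

# Print the nft script for the ruleset at $1. Old saved rulesets may lack a
# "flush ruleset" line, so it is emitted explicitly before the include.
nft_load_script() {
    nft_path_is_safe "$1" || { printf 'refusing unsafe ruleset path\n' >&2; return 1; }
    printf 'flush ruleset\ninclude "%s"\n' "$1"
}

# Apply the script with nft: a dry run first (nft -c) so that a saved file which does
# not parse never gets as far as flushing the live firewall. NFT may be pointed at a
# stand-in binary for testing (hypothetical knob, not an nftables option).
nft_load_ruleset() {
    script=$(nft_load_script "$1") || return 1
    printf '%s\n' "$script" | "${NFT:-nft}" -c -f /dev/stdin || return 1
    printf '%s\n' "$script" | "${NFT:-nft}" -f /dev/stdin
}
```

Run as root, `nft_load_ruleset /var/lib/nftables/rules-save` replaces the whole ruleset with the saved one; a parse error in the file leaves the running firewall untouched.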