Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 679760 - net-firewall/firewalld-0.6.3: Missing support for net-firewall/iptables[nftables]
Summary: net-firewall/firewalld-0.6.3: Missing support for net-firewall/iptables[nftab...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Virtualization Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-03-08 11:41 UTC by Steffen Rytter Postas
Modified: 2019-07-28 19:38 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Steffen Rytter Postas 2019-03-08 11:41:33 UTC
Firewalld from 0.6.x supports nftables, but building net-firewall/iptables with the nftables USE flag blocks ebtables that the firewalld-0.6.3.ebuild has a hard dependency on, when it probably should be conditional.

It _might_ be logical to add a nftables USE flag for net-firewall/firewalld-0.6.3 that requires iptables[nftables] and does NOT require ebtables (given the USE flag is set).
Comment 1 Amel Hodzic 2019-05-27 05:48:35 UTC
Did this problem show up in this release?

I've been trying to figure out why my firewall is all screwed up, and the firewalld service complains.  By the way, the latest release upstream is 0.6.4; https://firewalld.org/2019/05/firewalld-0-6-4-release
Comment 2 Amel Hodzic 2019-05-27 05:51:51 UTC
May 25 10:42:33 riparch.vidi.lan firewalld[8530]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
May 25 10:42:33 riparch.vidi.lan firewalld[8530]: ERROR: '/sbin/nft add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }' failed: Error: Could not process rule: No such file or directory
                                                  add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
May 25 10:42:33 riparch.vidi.lan firewalld[8530]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
May 25 10:42:33 riparch.vidi.lan firewalld[8530]: ERROR: '/sbin/nft insert rule inet firewalld raw_PREROUTING meta nfproto ipv6 fib saddr . iif oif missing drop' failed: Error: Could not process rule: No such file or directory
                                                  insert rule inet firewalld raw_PREROUTING meta nfproto ipv6 fib saddr . iif oif missing drop
                                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
May 25 10:42:34 riparch.vidi.lan firewalld[8530]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
May 25 10:42:34 riparch.vidi.lan firewalld[8530]: ERROR: '/sbin/nft add rule inet firewalld raw_PRE_internal_allow udp dport 137 ct helper netbios-ns' failed: nft: gmputil.c:67: mpz_get_uint32: Assertion `cnt <= 1' failed.
Comment 3 nE0sIghT 2019-05-27 14:23:30 UTC
The cause for this issue is net-firewall/nftables-0.8-r3.
Upgrading to net-firewall/nftables-0.8.5 fixes this for me.

Almost any /sbin/nft rule action causing "mpz_get_uint32: Assertion `cnt <= 1' failed" in version 0.8-r3.
Comment 4 Amel Hodzic 2019-06-12 02:16:21 UTC
That's what I had suspected as well, among many other things :p .  Thank you for testing this and confirming.
Comment 5 Amel Hodzic 2019-06-12 03:41:15 UTC
Actually, building iptables[nftables] along with firewalld still fails due to ebtables blocking it, even with nftables-0.8.5; just as the initial comment here describes.
Comment 6 Amel Hodzic 2019-06-12 04:57:26 UTC
The latest version of iptables resolves this issue for me; =net-firewall/iptables-1.8.3-r1[nftables] works fine even if/when ebtables is installed.
Comment 7 Larry the Git Cow gentoo-dev 2019-07-28 19:38:52 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d8a9c901755ad38c1fdd98116a9104fdfc15d78

commit 6d8a9c901755ad38c1fdd98116a9104fdfc15d78
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2019-07-28 19:16:20 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2019-07-28 19:37:57 +0000

    net-firewall/firewalld: fix dependency deadlock
    
    Let's relax the dependency on ebtables a bit
    
    Closes: https://bugs.gentoo.org/679760
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 net-firewall/firewalld/firewalld-0.6.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)