Firewalld from 0.6.x supports nftables, but building net-firewall/iptables with the nftables USE flag blocks ebtables that the firewalld-0.6.3.ebuild has a hard dependency on, when it probably should be conditional. It _might_ be logical to add a nftables USE flag for net-firewall/firewalld-0.6.3 that requires iptables[nftables] and does NOT require ebtables (given the USE flag is set).
Did this problem show up in this release? I've been trying to figure out why my firewall is all screwed up, and the firewalld service complains. By the way, the latest release upstream is 0.6.4; https://firewalld.org/2019/05/firewalld-0-6-4-release
May 25 10:42:33 riparch.vidi.lan firewalld[8530]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
May 25 10:42:33 riparch.vidi.lan firewalld[8530]: ERROR: '/sbin/nft add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }' failed: Error: Could not process rule: No such file or directory
add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
May 25 10:42:33 riparch.vidi.lan firewalld[8530]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
May 25 10:42:33 riparch.vidi.lan firewalld[8530]: ERROR: '/sbin/nft insert rule inet firewalld raw_PREROUTING meta nfproto ipv6 fib saddr . iif oif missing drop' failed: Error: Could not process rule: No such file or directory
insert rule inet firewalld raw_PREROUTING meta nfproto ipv6 fib saddr . iif oif missing drop
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
May 25 10:42:34 riparch.vidi.lan firewalld[8530]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
May 25 10:42:34 riparch.vidi.lan firewalld[8530]: ERROR: '/sbin/nft add rule inet firewalld raw_PRE_internal_allow udp dport 137 ct helper netbios-ns' failed: nft: gmputil.c:67: mpz_get_uint32: Assertion `cnt <= 1' failed.
The cause for this issue is net-firewall/nftables-0.8-r3. Upgrading to net-firewall/nftables-0.8.5 fixes this for me. Almost any /sbin/nft rule action causes "mpz_get_uint32: Assertion `cnt <= 1' failed" in version 0.8-r3.
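Editor's added example, not code from firewalld, nftables or anyone in this bug: the log above mixes two different failures, nft aborting on an internal assertion (the nftables-0.8-r3 symptom) and the kernel refusing a batch with "Could not process rule". The script below replays the logged nft statements against a scratch table in nft's check mode so the two can be told apart without touching firewalld's own ruleset. It assumes an nft that understands -c/--check and -f, that it is run as root (the batch is still submitted to the kernel, just not committed), and the made-up table name fwd_replay; the verdict strings and function names are the example's own.

```shell
#!/bin/sh
# Added example for this thread (not code from firewalld, nftables or the
# Gentoo bug): replay the nft commands firewalld logged against a scratch
# table in nft's check mode, so that a broken nft binary (the
# "mpz_get_uint32: Assertion `cnt <= 1' failed" symptom of nftables-0.8-r3)
# can be told apart from a ruleset the kernel refuses ("Could not process
# rule"). Assumptions: nft supports -c/--check and -f, and the check is run
# as root. The table name fwd_replay is made up here.

# The nft statements from the firewalld log, verbatim apart from the table
# name, plus the table and chain definitions they need so the batch is
# self-contained.
fwd_replay_ruleset() {
    cat <<'EOF'
add table inet fwd_replay
add chain inet fwd_replay raw_PREROUTING { type filter hook prerouting priority -290 ; }
insert rule inet fwd_replay raw_PREROUTING meta nfproto ipv6 fib saddr . iif oif missing drop
add chain inet fwd_replay raw_PRE_internal_allow
add rule inet fwd_replay raw_PRE_internal_allow udp dport 137 ct helper netbios-ns
EOF
}

# Map nft's stderr onto a one-word verdict:
#   assertion  nft aborted inside itself: the userspace tool is broken,
#              whatever the kernel supports
#   kernel     nft parsed the batch but the kernel rejected it (ENOENT in
#              the log above; typically a missing nf_tables feature)
#   ok         nothing on stderr
#   other      anything else (syntax error, permission denied, ...)
fwd_classify() {
    case "$1" in
        "")                         echo ok ;;
        *"Assertion"*)              echo assertion ;;
        *"Could not process rule"*) echo kernel ;;
        *)                          echo other ;;
    esac
}

# Run the replay: verdict on stdout, nft's own output on stderr, and nft's
# exit status as the return value (2 if nft is not installed).
fwd_replay_check() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 2; }
    tmp=$(mktemp) || return 3
    fwd_replay_ruleset >"$tmp"
    # -c validates the whole file as one batch without committing it, so the
    # rules can refer to the chains created earlier in the same file.
    err=$(nft -c -f "$tmp" 2>&1)
    rc=$?
    rm -f "$tmp"
    [ -n "$err" ] && printf '%s\n' "$err" >&2
    fwd_classify "$err"
    return "$rc"
}

# Only act when invoked explicitly, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    fwd_replay_check
fi
```

Invoke it as `sh replay.sh --run` on the affected box: a verdict of `assertion` points at the nft package (the upgrade to 0.8.5 described above), while `kernel` means the binary is fine and the running kernel lacks something the rules need, which no nftables upgrade will fix.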
That's what I had suspected as well, among many other things :p . Thank you for testing this and confirming.
Actually, building iptables[nftables] along with firewalld still fails due to ebtables blocking it, even with nftables-0.8.5; just as the initial comment here describes.
The latest version of iptables resolves this issue for me; =net-firewall/iptables-1.8.3-r1[nftables] works fine even if/when ebtables is installed.
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d8a9c901755ad38c1fdd98116a9104fdfc15d78

commit 6d8a9c901755ad38c1fdd98116a9104fdfc15d78
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2019-07-28 19:16:20 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2019-07-28 19:37:57 +0000

    net-firewall/firewalld: fix dependency deadlock

    Let's relax the dependency on ebtables a bit

    Closes: https://bugs.gentoo.org/679760
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 net-firewall/firewalld/firewalld-0.6.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)