Using firewalld with the nftables backend does not work at all.

Reproducible: Always

Steps to Reproduce:
1. emerge net-firewall/firewalld
2. systemctl start firewalld.service

Actual Results:
The nftables ruleset is completely empty:

$ nft list ruleset
table inet firewalld {
}

The systemd service status is full of errors. See attached file.

Expected Results:
firewalld should create rules without errors.

This has been happening for a while now in different versions of firewalld. I usually resort to using the iptables backend, as I use firewalld in combination with NetworkManager to filter traffic on untrusted WiFi networks. Non-working firewalld is a security hazard. Suggestions to use nft directly, or to use ufw, are pretty much useless. The firewalld package is provided, so it is supposed to work. Given that the iptables backend is now deprecated, there is no excuse for not fixing the nftables backend. I have been trying to figure things out myself, but so far I'm not getting anywhere, and would appreciate any help or insight.
Created attachment 760601: output of systemctl status firewalld.service
egrep 'CONFIG_N(F|FT)_' /etc/kernels/kernel-config-5.15.0-gentoo-x86_64
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_SYSLOG=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_ZONES=y
# CONFIG_NF_CONNTRACK_PROCFS is not set
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_GRE=y
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_NETLINK_TIMEOUT=m
CONFIG_NF_CT_NETLINK_HELPER=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_CT=m
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_CONNLIMIT=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_TUNNEL=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_FIB=m
# CONFIG_NFT_FIB_INET is not set
CONFIG_NFT_XFRM=m
CONFIG_NFT_SOCKET=m
CONFIG_NFT_OSF=m
CONFIG_NFT_TPROXY=m
CONFIG_NFT_SYNPROXY=m
CONFIG_NF_DUP_NETDEV=m
CONFIG_NFT_DUP_NETDEV=m
CONFIG_NFT_FWD_NETDEV=m
CONFIG_NFT_FIB_NETDEV=m
CONFIG_NFT_REJECT_NETDEV=m
CONFIG_NF_FLOW_TABLE_INET=m
CONFIG_NF_FLOW_TABLE=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_SOCKET_IPV4=m
CONFIG_NF_TPROXY_IPV4=m
CONFIG_NF_TABLES_IPV4=y
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_DUP_IPV4=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_FLOW_TABLE_IPV4=m
CONFIG_NF_DUP_IPV4=m
CONFIG_NF_LOG_ARP=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NF_FLOW_TABLE_IPV6=m
CONFIG_NF_DUP_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_TABLES_BRIDGE=m
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
CONFIG_NF_CONNTRACK_BRIDGE=m
People in #gentoo report it working for them, so it's probably going to be a (kernel) config issue. I did wipe /etc/firewalld and retested before opening this report. I'm now rebuilding with

CONFIG_NFT_FIB_INET
CONFIG_NF_CONNTRACK_PROCFS
CONFIG_NETFILTER_XT_MATCH_IPVS

enabled to see if that changes anything.
After enabling the kernel config options from the previous comment, it's working. A rule requiring the fib module is created:

# nft list ruleset | grep fib
meta nfproto ipv6 fib saddr . mark . iif oif missing drop

So we need to add at least CONFIG_NFT_FIB_INET as a requirement in the firewalld ebuild. Probably way more.
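As an added example (not part of this report or of the firewalld ebuild), a POSIX sh check that reads a kernel .config and reports which options the nftables backend needs are neither built-in nor modular, so the empty "table inet firewalld" above can be caught before the service starts. The option list is an assumption limited to the three the reporter enabled plus the nf_tables base options; write_sample_config builds a constructed config mirroring the one posted above.

```shell
# Options to check: the three the reporter had to enable plus the nf_tables
# base options. Assumed minimal list; the ebuild carries the full one.
required_opts() {
  printf '%s\n' CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NF_CONNTRACK \
    CONFIG_NFT_FIB_INET CONFIG_NF_CONNTRACK_PROCFS CONFIG_NETFILTER_XT_MATCH_IPVS
}

# Value (y/m/n) of one option in a config file. A "# CONFIG_X is not set"
# line and a missing line both report n.
kconfig_value() {
  if grep -q "^$1=" "$2"; then
    sed -n "s/^$1=//p" "$2" | head -n 1
  else
    echo n
  fi
}

# Required options that are neither built-in (y) nor modular (m).
missing_opts() {
  required_opts | while read -r opt; do
    case "$(kconfig_value "$opt" "$1")" in
      y|m) ;;
      *) echo "$opt" ;;
    esac
  done
}

# Check a live config: /proc/config.gz (when exposed) or a saved copy such as
# /etc/kernels/kernel-config-5.15.0-gentoo-x86_64. Returns 1 on any gap.
check_config() {
  cfg=$1
  case "$cfg" in *.gz) cfg=$(mktemp); zcat "$1" > "$cfg" ;; esac
  missing=$(missing_opts "$cfg")
  [ -z "$missing" ] && { echo "all required nftables options present"; return 0; }
  printf 'firewalld nftables backend will fail, missing:\n%s\n' "$missing"
  return 1
}

# Constructed sample mirroring the reporter's config: FIB_INET and
# CONNTRACK_PROCFS unset, XT_MATCH_IPVS absent entirely.
write_sample_config() {
  cat > "$1" <<'EOF'
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CONNTRACK_PROCFS is not set
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NFT_FIB=m
# CONFIG_NFT_FIB_INET is not set
EOF
}
```

Running `check_config /proc/config.gz` (or against the saved config under /etc/kernels) before starting firewalld.service turns the silent empty ruleset into a non-zero exit with the missing options named.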
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1630545b0a0b1d71775a2c7ec89025be32c3f49

commit b1630545b0a0b1d71775a2c7ec89025be32c3f49
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-28 01:50:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-28 01:50:28 +0000

    net-firewall/firewalld: update needed kernel options/modules

    See: https://zigford.org/firewalld-kernel-requirements.html
    Thanks-to: Jessie Harris <jesse@zigford.org>
    Thanks-to: Stijn Tintel <stijn+gentoo@linux-ipv6.be>
    Thanks-to: genr8eofl_
    Closes: https://bugs.gentoo.org/830132
    Closes: https://bugs.gentoo.org/703322
    Signed-off-by: Sam James <sam@gentoo.org>

 net-firewall/firewalld/firewalld-1.0.2.ebuild | 89 ++++++++++++++++++++++++++-
 1 file changed, 86 insertions(+), 3 deletions(-)