Summary: | net-firewall/firewalld does not work at all with nftables backend | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Stijn Tintel <stijn+gentoo>
Component: | Current packages | Assignee: | Virtualization Team <virtualization>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | sam
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=703322 | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Attachments: | output of systemctl status firewalld.service | |
Description

Stijn Tintel, 2021-12-27 23:34:30 UTC

Created attachment 760601: output of systemctl status firewalld.service
```
egrep 'CONFIG_N(F|FT)_' /etc/kernels/kernel-config-5.15.0-gentoo-x86_64
CONFIG_NF_CONNTRACK=m
CONFIG_NF_LOG_SYSLOG=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_ZONES=y
# CONFIG_NF_CONNTRACK_PROCFS is not set
CONFIG_NF_CONNTRACK_EVENTS=y
CONFIG_NF_CONNTRACK_TIMEOUT=y
CONFIG_NF_CONNTRACK_TIMESTAMP=y
CONFIG_NF_CONNTRACK_LABELS=y
CONFIG_NF_CT_PROTO_DCCP=y
CONFIG_NF_CT_PROTO_GRE=y
CONFIG_NF_CT_PROTO_SCTP=y
CONFIG_NF_CT_PROTO_UDPLITE=y
CONFIG_NF_CONNTRACK_AMANDA=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_H323=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_BROADCAST=m
CONFIG_NF_CONNTRACK_NETBIOS_NS=m
CONFIG_NF_CONNTRACK_SNMP=m
CONFIG_NF_CONNTRACK_PPTP=m
CONFIG_NF_CONNTRACK_SANE=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CONNTRACK_TFTP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NF_CT_NETLINK_TIMEOUT=m
CONFIG_NF_CT_NETLINK_HELPER=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_AMANDA=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_NF_NAT_TFTP=m
CONFIG_NF_NAT_REDIRECT=y
CONFIG_NF_NAT_MASQUERADE=y
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_TABLES_NETDEV=y
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_CT=m
CONFIG_NFT_FLOW_OFFLOAD=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_CONNLIMIT=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_TUNNEL=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_FIB=m
# CONFIG_NFT_FIB_INET is not set
CONFIG_NFT_XFRM=m
CONFIG_NFT_SOCKET=m
CONFIG_NFT_OSF=m
CONFIG_NFT_TPROXY=m
CONFIG_NFT_SYNPROXY=m
CONFIG_NF_DUP_NETDEV=m
CONFIG_NFT_DUP_NETDEV=m
CONFIG_NFT_FWD_NETDEV=m
CONFIG_NFT_FIB_NETDEV=m
CONFIG_NFT_REJECT_NETDEV=m
CONFIG_NF_FLOW_TABLE_INET=m
CONFIG_NF_FLOW_TABLE=m
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_SOCKET_IPV4=m
CONFIG_NF_TPROXY_IPV4=m
CONFIG_NF_TABLES_IPV4=y
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_DUP_IPV4=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NF_TABLES_ARP=y
CONFIG_NF_FLOW_TABLE_IPV4=m
CONFIG_NF_DUP_IPV4=m
CONFIG_NF_LOG_ARP=m
CONFIG_NF_LOG_IPV4=m
CONFIG_NF_REJECT_IPV4=m
CONFIG_NF_NAT_SNMP_BASIC=m
CONFIG_NF_NAT_PPTP=m
CONFIG_NF_NAT_H323=m
CONFIG_NF_SOCKET_IPV6=m
CONFIG_NF_TPROXY_IPV6=m
CONFIG_NF_TABLES_IPV6=y
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NF_FLOW_TABLE_IPV6=m
CONFIG_NF_DUP_IPV6=m
CONFIG_NF_REJECT_IPV6=m
CONFIG_NF_LOG_IPV6=m
CONFIG_NF_DEFRAG_IPV6=m
CONFIG_NF_TABLES_BRIDGE=m
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
CONFIG_NF_CONNTRACK_BRIDGE=m
```

People in #gentoo report it working for them, so it's probably going to be a (kernel) config issue. I did wipe /etc/firewalld and retested before opening this report.

I'm now rebuilding with CONFIG_NFT_FIB_INET, CONFIG_NF_CONNTRACK_PROCFS and CONFIG_NETFILTER_XT_MATCH_IPVS enabled to see if that changes anything.

After enabling the kernel config options from the previous comment, it's working. A rule requiring the fib module is created:

```
# nft list ruleset | grep fib
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
```

So we need to add at least CONFIG_NFT_FIB_INET as a requirement in the firewalld ebuild. Probably way more.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b1630545b0a0b1d71775a2c7ec89025be32c3f49

```
commit b1630545b0a0b1d71775a2c7ec89025be32c3f49
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-28 01:50:24 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-28 01:50:28 +0000

    net-firewall/firewalld: update needed kernel options/modules

    See: https://zigford.org/firewalld-kernel-requirements.html
    Thanks-to: Jessie Harris <jesse@zigford.org>
    Thanks-to: Stijn Tintel <stijn+gentoo@linux-ipv6.be>
    Thanks-to: genr8eofl_
    Closes: https://bugs.gentoo.org/830132
    Closes: https://bugs.gentoo.org/703322
    Signed-off-by: Sam James <sam@gentoo.org>

 net-firewall/firewalld/firewalld-1.0.2.ebuild | 89 ++++++++++++++++++++++++++-
 1 file changed, 86 insertions(+), 3 deletions(-)
```
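A pre-flight check of the kind this bug ends up asking for, added here as an example (it is neither the reporter's commands nor the ebuild's own CONFIG_CHECK): it reads a kernel config file the way the egrep above does and reports options that are absent or explicitly "is not set", treating both =y and =m as satisfied. The option list is only what this report names; the constructed sample config reproduces the reporter's failing state.

```shell
#!/bin/sh
# Options named in this bug report (the ebuild's CONFIG_CHECK covers more).
REQUIRED_OPTS="CONFIG_NF_TABLES CONFIG_NFT_FIB CONFIG_NFT_FIB_INET \
CONFIG_NF_CONNTRACK_PROCFS CONFIG_NETFILTER_XT_MATCH_IPVS"

# kernel_opt_state FILE OPT: prints y, m, unset (explicit "is not set"),
# missing (no line at all) or any other literal value the config carries.
kernel_opt_state() {
    file=$1; opt=$2
    if grep -q "^# ${opt} is not set\$" "$file"; then
        echo unset
        return 0
    fi
    val=$(sed -n "s/^${opt}=//p" "$file" | head -n 1)
    case $val in
        '') echo missing ;;
        *)  echo "$val" ;;
    esac
}

# check_kernel_opts FILE [OPT...]: prints every option that is neither
# built-in (y) nor a module (m); returns how many such options there are.
check_kernel_opts() {
    file=$1; shift
    if [ $# -eq 0 ]; then set -- $REQUIRED_OPTS; fi
    bad=0
    for opt in "$@"; do
        state=$(kernel_opt_state "$file" "$opt")
        case $state in
            y|m) ;;
            *)   echo "$opt: $state"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

# Constructed sample reproducing the reporter's failing state: nf_tables and
# nft_fib are modular, nft_fib_inet is unset (the option this bug traced the
# failure to) and the procfs/ipvs options are absent from the file entirely.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NFT_FIB=m
# CONFIG_NFT_FIB_INET is not set
EOF
check_kernel_opts "$SAMPLE_CONFIG" || echo "$? required option(s) unsatisfied"
rm -f "$SAMPLE_CONFIG"
```

Against a real system, point check_kernel_opts at the saved config (such as the /etc/kernels/ file above) or at a copy produced by `zcat /proc/config.gz`.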