Firewalld issues with armbian kernel

While installing cri-o on the Armbian bullseye image I get an error when adding firewalld. I’m not sure if the kernel is missing iptables support or the package is broken.

Looking for suggestions. I’m about to work on recompiling the kernel to see if that’s the issue. Wish this was baked into the kernel.

root@rock-5b-alpha:~# firewall-cmd --state
failed
root@rock-5b-alpha:~# systemctl restart firewalld
root@rock-5b-alpha:~# systemctl status firewalld --no-pager -l
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2022-12-30 00:53:13 MST; 19s ago
       Docs: man:firewalld(1)
   Main PID: 7303 (firewalld)
      Tasks: 2 (limit: 18534)
     Memory: 21.5M
        CPU: 821ms
     CGroup: /system.slice/firewalld.service
             └─7303 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Dec 30 00:53:12 rock-5b-alpha systemd[1]: Starting firewalld - dynamic firewall daemon...
Dec 30 00:53:13 rock-5b-alpha systemd[1]: Started firewalld - dynamic firewall daemon.
Dec 30 00:53:13 rock-5b-alpha firewalld[7303]: ERROR: 'python-nftables' failed:
                                               JSON blob:
                                               {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "ip", "name": "firewalld"}}}, {"add": {"table": {"family": "ip6", "name": "firewalld"}}}]}
Dec 30 00:53:13 rock-5b-alpha firewalld[7303]: ERROR: COMMAND_FAILED: 'python-nftables' failed:
                                               JSON blob:
                                               {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}, {"add": {"table": {"family": "ip", "name": "firewalld"}}}, {"add": {"table": {"family": "ip6", "name": "firewalld"}}}]}

I worked around the issue by reverting firewalld back to iptables.

Install Firewalld
apt install firewalld arptables ebtables iptables conmon conntrack conntrackd ipset python-is-python3

Revert firewalld back to iptables
If for some reason you need to revert to the old iptables backend, you can easily do so by setting FirewallBackend in /etc/firewalld/firewalld.conf to iptables, then restart firewalld.

Switching to the legacy tables:

update-alternatives --set iptables /usr/sbin/iptables-legacy

update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

update-alternatives --set arptables /usr/sbin/arptables-legacy

update-alternatives --set ebtables /usr/sbin/ebtables-legacy

systemctl restart firewalld

Now the firewalld logs are clean and I can run iptables -L with successful output. Also try firewall-cmd --state.
