Description of problem:
Currently I cannot start any VMs on my Rawhide box. The problem is the "default" libvirt network is missing. I cannot start the default network because it fails with:

$ sudo virsh net-list --all
 Name      State      Autostart   Persistent
----------------------------------------------
 default   inactive   yes         yes

$ sudo virsh net-start default
error: Failed to start network default
error: error from service: GDBus.Error:org.fedoraproject.FirewallD1.Exception: COMMAND_FAILED: 'python-nftables' failed: JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_IN_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_FWDO_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_POST_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "=="

Version-Release number of selected component (if applicable):
libvirt-daemon-6.10.0-2.fc34.1.x86_64
firewalld-0.9.2-2.fc34.noarch

How reproducible:
100%

Steps to Reproduce:
1. See above.
Created attachment 1746284 /var/log/firewalld (compressed)
It says ERROR: COMMAND_FAILED: 'python-nftables' failed, but is "python-nftables" an actual command? I can't see any file with that name.
Your log shows various ERRORS. I expect firewalld is operating in a `failed` state. Check:

# firewall-cmd --state

I expect the errors you're seeing are actually secondary errors, the original cause being the configuration ERRORs.
From your logs:

2021-01-09 20:25:43 ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml'
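The triage suggested in the two comments above (find the configuration error first, then read the 'python-nftables' failures as follow-on errors), as an added example that is not part of the original report and not firewalld code. The sample log is constructed in the shape of the /var/log/firewalld line quoted above; the function names, the "Failed to load" prefix match and the blob summary are assumptions of this example.

```python
import json
import re
from collections import Counter

# Line shape copied from the /var/log/firewalld line quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z0-9]+): (?P<msg>.*)$"
)
BLOB_MARKER = "JSON blob:"


def summarize_blob(msg):
    """Condense the nftables JSON carried by a 'python-nftables' failure.

    Returns (tables, ops): the nftables tables touched and a Counter of
    'verb object' pairs such as 'add chain'. Returns None when the blob is
    cut off (as in the virsh error in the report) and cannot be parsed.
    """
    _, _, blob = msg.partition(BLOB_MARKER)
    try:
        doc = json.loads(blob)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    tables, ops = set(), Counter()
    for cmd in doc.get("nftables", []):
        for verb, body in cmd.items():
            if verb == "metainfo" or not isinstance(body, dict):
                continue
            for obj, attrs in body.items():
                if not isinstance(attrs, dict):
                    continue
                ops[f"{verb} {obj}"] += 1
                # A table object carries its own name; other objects name their table.
                tables.add(attrs.get("name") if obj == "table" else attrs.get("table"))
    return sorted(t for t in tables if t), ops


def triage(log_text):
    """Split ERROR lines into configuration errors and backend failures."""
    config_errors, backend_failures = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["level"] != "ERROR":
            continue
        msg = m["msg"]
        if "'python-nftables' failed" in msg:
            # The status output in the thread shows each failure twice, bare and
            # with a COMMAND_FAILED prefix; count the transaction once.
            if msg.startswith("COMMAND_FAILED"):
                continue
            backend_failures.append((m["ts"], summarize_blob(msg)))
        elif msg.startswith("Failed to load"):  # assumed prefix for config errors
            config_errors.append((m["ts"], msg))
    root = config_errors[0] if config_errors else None
    # Same-format timestamps sort lexicographically, so >= means "not earlier".
    after = sum(1 for ts, _ in backend_failures if root and ts >= root[0])
    return {
        "root_cause": root,
        "config_errors": config_errors,
        "backend_failures": backend_failures,
        "failures_after_root_cause": after,
    }


# Constructed sample input: short blobs modelled on the ones in the thread.
DROP_BLOB = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"add": {"table": {"family": "inet", "name": "firewalld_policy_drop"}}},
    {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop",
                       "name": "filter_input"}}},
]})
LIBVIRT_BLOB = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"add": {"chain": {"family": "inet", "table": "firewalld",
                       "name": "filter_IN_libvirt"}}},
    {"insert": {"rule": {"family": "inet", "table": "firewalld",
                         "chain": "filter_INPUT_ZONES",
                         "expr": [{"goto": {"target": "filter_IN_libvirt"}}]}}},
]})
SAMPLE_LOG = "\n".join([
    "2021-01-09 20:25:43 ERROR: Failed to load zone file "
    "'/etc/firewalld/zones/FedoraWorkstation.xml'",
    "2021-01-09 20:25:47 ERROR: 'python-nftables' failed: JSON blob: " + DROP_BLOB,
    "2021-01-09 20:25:47 ERROR: COMMAND_FAILED: 'python-nftables' failed: JSON blob: " + DROP_BLOB,
    "2021-01-11 14:11:57 ERROR: 'python-nftables' failed: JSON blob: " + LIBVIRT_BLOB,
    # Truncated blob, like the one pasted in the bug description.
    "2021-01-11 14:12:03 ERROR: 'python-nftables' failed: JSON blob: " + LIBVIRT_BLOB[:80],
])

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("root cause candidate:", report["root_cause"])
    for ts, summary in report["backend_failures"]:
        if summary is None:
            print(ts, "nftables transaction failed (blob truncated)")
        else:
            tables, ops = summary
            print(ts, "nftables transaction failed:", dict(ops), "in", tables)
```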
$ sudo firewall-cmd --state
failed
systemctl shows it's running but there are a bunch of errors.

● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2021-01-09 20:25:43 GMT; 1 day 18h ago
       Docs: man:firewalld(1)
   Main PID: 2664998 (firewalld)
      Tasks: 2 (limit: 38374)
     Memory: 35.2M
        CPU: 572ms
     CGroup: /system.slice/firewalld.service
             └─2664998 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid

Jan 09 20:25:47 pick firewalld[2664998]: ERROR: 'python-nftables' failed: JSON blob:
Jan 09 20:25:47 pick firewalld[2664998]: ERROR: COMMAND_FAILED: 'python-nftables' failed: JSON blob:
Jan 11 14:11:57 pick firewalld[2664998]: ERROR: 'python-nftables' failed: JSON blob:
Jan 11 14:11:57 pick firewalld[2664998]: ERROR: COMMAND_FAILED: 'python-nftables' failed: JSON blob:
"chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_POST_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_FWDI_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_PRE_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_PRE_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "mangle_PRE_libvirt"}}]}}}]} Jan 11 14:12:22 pick firewalld[2664998]: ERROR: 'python-nftables' failed: JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld_policy_drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_input", "type": "filter", "hook": "input", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_forward", "type": "filter", "hook": "forward", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_output", "type": "filter", "hook": "output", "prio": 9, "policy": "drop"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_input", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": 
["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_forward", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_output", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}]} Jan 11 14:12:22 pick firewalld[2664998]: ERROR: COMMAND_FAILED: 'python-nftables' failed: JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld_policy_drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_input", "type": "filter", "hook": "input", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_forward", "type": "filter", "hook": "forward", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_output", "type": "filter", "hook": "output", "prio": 9, "policy": "drop"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_input", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_forward", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_output", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}]} Jan 11 14:12:22 pick firewalld[2664998]: ERROR: 
'python-nftables' failed: JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld_policy_drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_input", "type": "filter", "hook": "input", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_forward", "type": "filter", "hook": "forward", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_output", "type": "filter", "hook": "output", "prio": 9, "policy": "drop"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_input", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_forward", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_output", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}]} Jan 11 14:12:22 pick firewalld[2664998]: ERROR: COMMAND_FAILED: 'python-nftables' failed: JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld_policy_drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_input", "type": "filter", "hook": "input", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_forward", "type": "filter", "hook": "forward", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": 
"filter_output", "type": "filter", "hook": "output", "prio": 9, "policy": "drop"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_input", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_forward", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_output", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}]} Jan 11 14:12:41 pick firewalld[2664998]: ERROR: 'python-nftables' failed: JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_IN_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_FWDO_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_POST_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_POST_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": 
"iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_FWDI_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_PRE_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_PRE_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "mangle_PRE_libvirt"}}]}}}]} Jan 11 14:12:41 pick firewalld[2664998]: ERROR: COMMAND_FAILED: 'python-nftables' failed: JSON blob: {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_IN_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_FWDO_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_POST_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_POST_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": 
{"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_FWDI_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_PRE_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_PRE_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "mangle_PRE_libvirt"}}]}}}]}
There is no such file called FedoraWorkstation.xml

$ sudo ls -l /etc/firewalld/zones
total 12
-rw-r--r--. 1 root root 591 Jan 12 2019 FedoraServer.xml
-rw-r--r--. 1 root root 469 Jan 12 2019 FedoraServer.xml~
-rw-r--r--. 1 root root 422 Dec 14 2018 FedoraServer.xml.old
/etc/firewalld/firewalld.conf is a symlink to firewalld-server.conf

There is a file /etc/firewalld/firewalld-workstation.conf which is the only one that appears to mention DefaultZone=FedoraWorkstation but afaik this config file should not be used.
(In reply to Richard W.M. Jones from comment #8)
> /etc/firewalld/firewalld.conf is a symlink to firewalld-server.conf
>
> There is a file /etc/firewalld/firewalld-workstation.conf which is
> the only one that appears to mention DefaultZone=FedoraWorkstation
> but afaik this config file should not be used.

I don't know. At one point it attempted to load /etc/firewalld/zones/FedoraWorkstation.xml. It appears to have existed at some point.

FWIW, the default exists as /usr/lib/firewalld/zones/FedoraWorkstation.xml. It gets copied to /etc/firewalld when the user makes changes.

Have you only issued a --reload? Or have you done a full `systemctl restart firewalld`?
After restarting firewalld it's still in the failed state.

# systemctl restart firewalld
# firewall-cmd --state
failed

Although systemd still thinks it's active and running. The journal errors start off with:

Jan 11 15:30:37 pick systemd[1]: Started firewalld - dynamic firewall daemon.
Jan 11 15:30:37 pick firewalld[2884485]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '10809:tcp' already in 'FedoraWorkstation'
Jan 11 15:30:37 pick firewalld[2884485]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
JSON blob: [...]

No clue why it's trying to load FedoraWorkstation.xml still.
Anyway, I got rid of firewalld-workstation.conf ... and now it works. Which is very peculiar.
I'm closing this as it's working now, but I don't really understand what went wrong.
(In reply to Richard W.M. Jones from comment #10)
> After restarting firewalld it's still in the failed state.
>
> # systemctl restart firewalld
> # firewall-cmd --state
> failed
>
> Although systemd still thinks it's active and running.
Unfortunately firewalld still needs to start fully even with configuration errors. Otherwise the UIs (firewall-cmd, firewall-config) can't make configuration requests to the daemon over dbus. Many users aren't even aware of firewall-offline-cmd. :(
Re-opening because this issue is still present after upgrading to Fedora 34 which broke all my libvirt environment. I didn't change anything and just made an upgrade from 33 to 34 where what was previously working, now is unusable and I get the same errors every time I try to start a virtual network.
Andre - The root cause of your failure can be determined by looking in journalctl for errors when firewalld.service is starting. It could be any number of problems in your firewalld config. Another example is chronicled in Bug 1958246 (overlapping port ranges in a zone file). Eric - Would it be possible to change this error message ("ERROR: COMMAND_FAILED: 'python-nftables' failed") to be less cryptic? If it is always caused by a pre-existing firewalld configuration problem, it would be useful if the error message could say something like "pre-existing configuration error in firewalld" or something like that (which would prevent the re-opening of Bug 1958246, for example). Of course if the message might be caused by something else, then such a change could be just as misleading in some other circumstances...
(In reply to Laine Stump from comment #15)
> Eric - Would it be possible to change this error message ("ERROR:
> COMMAND_FAILED: 'python-nftables' failed") to be less cryptic?
Unfortunately not. It's saying nftables returned a failed error code. We print the error string returned from nftables, but it doesn't always give one.
e.g.
firewalld[2884485]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory
                                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                     verbatim string from nftables
> If it is
> always caused by a pre-existing firewalld configuration problem,
It's not. All we know is that nftables rejected the rule update.
> it would be
> useful if the error message could say something like "pre-existing
> configuration error in firewalld" or something like that (which would
> prevent the re-opening of Bug 1958246, for example).
Programmatically we don't know why nftables is rejecting the rules. There are upstream plans to handle the failure of zone loading better, but it hasn't been worked on yet.
> Of course if the
> message might be caused by something else, then such a change could be just
> as misleading in some other circumstances...
(In reply to Eric Garver from comment #16)
> (In reply to Laine Stump from comment #15)
> > Eric - Would it be possible to change this error message ("ERROR:
> > COMMAND_FAILED: 'python-nftables' failed") to be less cryptic?
>
> Unfortunately not. It's saying nftables returned a failed error code. We
> print the error string returned from nftables, but it doesn't always give
> one.
>
> e.g.
>
> firewalld[2884485]: ERROR: 'python-nftables' failed: internal:0:0-0:
> Error: No such file or directory
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> verbatim string from
> nftables
psutter tried to improve jansson [1] to allow pointing at the actual bit of JSON that triggered the error, but the patch was rejected by upstream.
[1]: https://github.com/akheron/jansson/pull/461
Just experienced the same issue as Richard and Andre on F34. I had to delete /etc/firewalld/zones/FedoraWorkstation.xml. The file did not belong to any RPM package and I'm pretty sure I did not create it. This machine was upgraded from previous Fedora releases multiple times so I guess this file was a left-over from a previous Fedora release.
ls -l /etc/firewalld/zones/
-rw-rw-r--. 1 root root 587 4. Nov 2019 FedoraWorkstation.xml
-rw-rw-r--. 1 root root 550 12. Dez 2018 FedoraWorkstation.xml.old
sudo journalctl -u firewalld -x
...
firewalld[1286]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '7500:tcp' already in 'FedoraWorkstation'
firewalld[1286]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Datei oder Verzeichnis nicht gefunden ("file or directory not found")
Is it possible there may have been a change in behavior in firewalld blocking duplicate entries while previously it allowed them?
Problematic zone file.
$ sudo cat /etc/firewalld/zones/FedoraWorkstation.xml
---
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <service name="mdns"/>
  <service name="http"/>
  <service name="https"/>
  <port port="1025-65535" protocol="udp"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="9000" protocol="tcp"/>
  <port port="22623" protocol="tcp"/>
  <port port="6443" protocol="tcp"/>
  <port port="8001" protocol="tcp"/>
</zone>
---
Editing out the values one by one that were also covered by the range <port port="1025-65535" protocol="tcp"/> and then restarting with "$ sudo systemctl restart firewalld" after each edit seems to indicate where it was getting stuck. Also the first occurrence correlates with the F34 upgrade on May 10.
$ sudo journalctl -u firewalld | grep FedoraWorkstation.xml
---
May 10 00:17:57 t580 firewalld[1512]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '9000:tcp' already in 'FedoraWorkstation'
May 23 22:58:18 t580 firewalld[1665]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '9000:tcp' already in 'FedoraWorkstation'
May 24 08:03:15 t580 firewalld[1423]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '9000:tcp' already in 'FedoraWorkstation'
May 24 21:27:14 t580 firewalld[1560]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '9000:tcp' already in 'FedoraWorkstation'
May 24 21:33:13 t580 firewalld[1451]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '9000:tcp' already in 'FedoraWorkstation'
May 24 21:38:55 t580 firewalld[1949]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '9000:tcp' already in 'FedoraWorkstation'
May 25 07:54:45 t580 firewalld[1407]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '9000:tcp' already in 'FedoraWorkstation'
May 25 21:25:37 t580 firewalld[1468]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '9000:tcp' already in 'FedoraWorkstation'
May 27 07:34:45 t580 firewalld[1455]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '9000:tcp' already in 'FedoraWorkstation'
May 27 15:16:36 t580 firewalld[15039]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '22623:tcp' already in 'FedoraWorkstation'
May 27 15:17:26 t580 firewalld[15210]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '6443:tcp' already in 'FedoraWorkstation'
May 27 15:18:15 t580 firewalld[15411]: ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '8001:tcp' already in 'FedoraWorkstation'
---
Timestamp of last update to /etc/firewalld/zones/FedoraWorkstation.xml
$ sudo ls -l /etc/firewalld/zones
---
total 24
-rw-r--r--. 1 root root 329 Jul 18 2019 external.xml
-rw-r--r--. 1 root root 410 Jul 18 2019 external.xml.old
-rw-rw-r--. 1 root root 750 Jan 13 2020 FedoraWorkstation.xml
-rw-rw-r--. 1 root root 713 Jul 18 2019 FedoraWorkstation.xml.old
-rw-r--r--. 1 root root 913 Jan 15 2020 libvirt.xml
-rw-r--r--. 1 root root 870 Jan 15 2020 libvirt.xml.old
---
Presumably my current F34 machine started with F30 based on number and frequency of "system-upgrade upgrade" runs, if it's any help on correlating anything.
$ sudo dnf history list | grep "system-upgrade upgrade"
---
153 | system-upgrade upgrade | 2021-05-10 00:00 | ?, D, E, I, O, | 2237 EE
140 | system-upgrade upgrade | 2021-03-15 10:51 | D, E, I, O, U | 2136 EE
114 | system-upgrade upgrade | 2020-06-24 11:10 | D, E, I, O, U | 2003 EE
79 | system-upgrade upgrade | 2019-10-30 09:31 | D, E, I, O, U | 1982 EE
---
Package versions
$ rpm -qa | grep firewalld
---
firewalld-filesystem-0.9.3-2.fc34.noarch
firewalld-0.9.3-2.fc34.noarch
---
My opinion is that overlapping rules shouldn't be considered an error as long as they don't demand conflicting actions (which isn't even possible in this case, since all the rules have the implied action of "accept"). But that's not for me to decide - just making my vote heard :-)
It's a combination of things that caused this. Below is mostly notes for myself.
1. port coalescing and breaking (v0.9.0+)
   - a5291bcee84b ("improvement: port: allow coalescing and breaking of ranges")
   - prior to this overlapping ports were not detected at all
   - if your zone already had ports "1024-65535" and you tried to add "1234" it would NOT be detected as already enabled. It will get added to the permanent config.
   - with this change it WILL be detected and rejected. It won't be added to the permanent config.
2. Overlapping ranges detected at startup (v0.9.0+)
   - the check for overlapping ports previously (< v0.9.0) did not occur during startup
   - this detection occurs now due to refactoring done for policy objects
So here's what happened:
1. prior configuration of firewalld (< v0.9.0) allowed the overlapping port ranges to exist in the permanent config (#1 above)
2. update to v0.9.0 or later
3. startup fails (#2 above)
4. due to startup failure (#3), further actions fail
   - e.g. adding an interface to a zone.
   - the zone was not fully loaded due to the error so chains were missing
Workaround:
- remove the overlapping port ranges
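A check for the condition described in the comment above, as an added example that is not part of the original comment or of firewalld's own code: it scans the `<port>` entries of a zone file for ranges that overlap within one protocol. The names `parse_port` and `find_overlaps` are hypothetical, the sample zone is constructed from the file quoted in this report, and only top-level `<port>` elements are examined (an assumption; ports opened through services are ignored).

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the zone file quoted in this report, trimmed to the
# entries that matter for the overlap check.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <service name="ssh"/>
  <port port="1025-65535" protocol="udp"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="9000" protocol="tcp"/>
  <port port="22623" protocol="tcp"/>
  <port port="6443" protocol="tcp"/>
  <port port="8001" protocol="tcp"/>
</zone>
"""


def parse_port(spec):
    """Turn '9000' or '1025-65535' into an inclusive (low, high) tuple."""
    low, _, high = spec.strip().partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return low, high


def find_overlaps(zone_xml):
    """Return (earlier, later, protocol) for every <port> that overlaps an
    earlier <port> of the same protocol in the zone."""
    seen = {}       # protocol -> [(low, high, original spec), ...]
    overlaps = []
    for elem in ET.fromstring(zone_xml).findall("port"):
        spec, proto = elem.get("port", ""), elem.get("protocol", "")
        low, high = parse_port(spec)
        for prev_low, prev_high, prev_spec in seen.get(proto, []):
            if low <= prev_high and prev_low <= high:   # ranges intersect
                overlaps.append((prev_spec, spec, proto))
        seen.setdefault(proto, []).append((low, high, spec))
    return overlaps


if __name__ == "__main__":
    # With no arguments, check the constructed sample; otherwise check files.
    docs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for name, xml_doc in docs or [("<sample>", SAMPLE_ZONE)]:
        for earlier, later, proto in find_overlaps(xml_doc):
            print(f"{name}: {later}/{proto} overlaps {earlier}/{proto}")
```

Passing the files under /etc/firewalld/zones/ as arguments lists each entry that the workaround above would remove.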
Upstream PR: https://github.com/firewalld/firewalld/pull/807 The above is intended as a quick fix, but is suitable for the stable branches. There are plans for an overhaul of the config checks, but those will be firewalld v1.0.0 or later depending on upstream developer bandwidth.
Upstream commits:
012a87a34367 ("test(zone): verify overlapping ports don't halt zone loading")
b71e532bc21f ("fix(policy): warn instead of error for overlapping ports")
23dc028083db ("test(functions): improve checking firewalld.log for errors")
748bcaee9a1d ("test(functions): FWD_GREP_LOG: allow checking error code")
FEDORA-2021-a091f2e696 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a091f2e696
FEDORA-2021-a091f2e696 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a091f2e696` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a091f2e696 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-a091f2e696 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days