Bug 2159838 - Firewalld in BedRock with nftables and iptables (Ubuntu 22.04 LTS, Debian 11 and Fedora 37) Broken.
Summary: Firewalld in BedRock with nftables and iptables (Ubuntu 22.04 LTS, Debian 11 ...
Keywords:
Status: CLOSED DUPLICATE of bug 1502646
Alias: None
Product: Fedora
Classification: Fedora
Component: tcpcrypt
Version: 37
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Paul Wouters
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 2172584
Depends On:
Blocks:
Reported: 2023-01-10 22:23 UTC by Hugo Leonardo R. D. Lopes
Modified: 2023-07-14 17:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-07-14 17:21:05 UTC
Type: Bug
Embargoed:



Description Hugo Leonardo R. D. Lopes 2023-01-10 22:23:10 UTC
Good evening Linux community,

I don't know if this is the best place to post this problem, because it's BedRock Linux.

I'll explain and you tell me if you can help me... If not, tell me which forum I can ask for help.

I've noticed this is happening a few times and I haven't been able to resolve the issue.
First installation:
1. Ubuntu 22.04 LTS
2. BedRock Linux
3. Fedora 36
Second installation:
1. Ubuntu 22.04 LTS
2. BedRock Linux
3. Fedora 37
Third installation:
1. Debian 11
2. BedRock Linux
3. Fedora 37
All installations were x86_64.
Many packages were installed 1 and 3 (various types).
Graphic environments were installed 1 and 3 (more than 4).

On Ubuntu and Debian Firewalld works great, with all settings.
When I choose in BedRock to use Fedora... Firewalld and Firewall-applet crash.

Here is the log:

bash-5.2# cat /var/log/firewalld 
2023-01-08 21:37:38 ERROR: Failed to load user configuration. Falling back to full stock configuration.
2023-01-08 21:37:38 ERROR: PARSE_ERROR: Unexpected element direct
2023-01-08 21:37:38 Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 629, in start
    self._start()
  File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 579, in _start
    self._start_load_stock_config()
  File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 396, in _start_load_stock_config
    self._loader_services(config.FIREWALLD_SERVICES)
  File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 670, in _loader_services
    obj = service_reader(filename, path)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/firewall/core/io/service.py", line 237, in service_reader
    parser.parse(source)
  File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 111, in parse
    xmlreader.IncrementalParser.parse(self, source)
  File "/usr/lib64/python3.11/xml/sax/xmlreader.py", line 125, in parse
    self.feed(buffer)
  File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 217, in feed
    self._parser.Parse(data, isFinal)
  File "/builddir/build/BUILD/Python-3.11.1/Modules/pyexpat.c", line 416, in StartElement
  File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 333, in start_element
    self._cont_handler.startElement(name, AttributesImpl(attrs))
  File "/usr/lib/python3.11/site-packages/firewall/core/io/service.py", line 140, in startElement
    self.item.parser_check_element_attrs(name, attrs)
  File "/usr/lib/python3.11/site-packages/firewall/core/io/io_object.py", line 183, in parser_check_element_attrs
    raise FirewallError(errors.PARSE_ERROR,
firewall.errors.FirewallError: PARSE_ERROR: Unexpected element direct

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 634, in start
    self._start_failsafe()
  File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 618, in _start_failsafe
    self._start_load_stock_config()
  File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 396, in _start_load_stock_config
    self._loader_services(config.FIREWALLD_SERVICES)
  File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 670, in _loader_services
    obj = service_reader(filename, path)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/firewall/core/io/service.py", line 237, in service_reader
    parser.parse(source)
  File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 111, in parse
    xmlreader.IncrementalParser.parse(self, source)
  File "/usr/lib64/python3.11/xml/sax/xmlreader.py", line 125, in parse
    self.feed(buffer)
  File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 217, in feed
    self._parser.Parse(data, isFinal)
  File "/builddir/build/BUILD/Python-3.11.1/Modules/pyexpat.c", line 416, in StartElement
  File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 333, in start_element
    self._cont_handler.startElement(name, AttributesImpl(attrs))
  File "/usr/lib/python3.11/site-packages/firewall/core/io/service.py", line 140, in startElement
    self.item.parser_check_element_attrs(name, attrs)
  File "/usr/lib/python3.11/site-packages/firewall/core/io/io_object.py", line 183, in parser_check_element_attrs
    raise FirewallError(errors.PARSE_ERROR,
firewall.errors.FirewallError: PARSE_ERROR: Unexpected element direct

2023-01-08 21:37:38 ERROR: PARSE_ERROR: Unexpected element direct
2023-01-08 21:37:38 ERROR: Failed to load full stock configuration. This likely indicates a system level issue, e.g. the firewall backend (nftables, iptables) is broken. All hope is lost. Exiting.
2023-01-08 21:37:38 ERROR: Raising SystemExit in run_server
2023-01-10 19:28:06 ERROR: Failed to load user configuration. Falling back to full stock configuration.
2023-01-10 19:28:06 ERROR: PARSE_ERROR: Unexpected element direct
2023-01-10 19:28:06 [traceback identical to the one above, omitted]
2023-01-10 19:28:06 ERROR: PARSE_ERROR: Unexpected element direct
2023-01-10 19:28:06 ERROR: Failed to load full stock configuration. This likely indicates a system level issue, e.g. the firewall backend (nftables, iptables) is broken. All hope is lost. Exiting.
2023-01-10 19:28:06 ERROR: Raising SystemExit in run_server
2023-01-10 19:42:29 ERROR: Failed to load user configuration. Falling back to full stock configuration.
2023-01-10 19:42:29 ERROR: PARSE_ERROR: Unexpected element direct
2023-01-10 19:42:29 [traceback identical to the one above, omitted]
2023-01-10 19:42:29 ERROR: PARSE_ERROR: Unexpected element direct
2023-01-10 19:42:29 ERROR: Failed to load full stock configuration. This likely indicates a system level issue, e.g. the firewall backend (nftables, iptables) is broken. All hope is lost. Exiting.
2023-01-10 19:42:29 ERROR: Raising SystemExit in run_server
2023-01-10 20:34:37 ERROR: Failed to load user configuration. Falling back to full stock configuration.
2023-01-10 20:34:37 ERROR: PARSE_ERROR: Unexpected element direct
2023-01-10 20:34:37 [traceback identical to the one above, omitted]
2023-01-10 20:34:37 ERROR: PARSE_ERROR: Unexpected element direct
2023-01-10 20:34:37 ERROR: Failed to load full stock configuration. This likely indicates a system level issue, e.g. the firewall backend (nftables, iptables) is broken. All hope is lost. Exiting.
2023-01-10 20:34:37 ERROR: Raising SystemExit in run_server
bash-5.2#
 
Unfortunately, I can't solve this problem.
If you want other configuration files or need anything else, just ask! And if you need to use a command, write everything here in detail and I'll post the result later.

Thanks! see you soon.
Follow the Light, and God bless you all!
Hugo Lopes

Comment 1 Eric Garver 2023-01-10 23:05:00 UTC
This looks like there is a broken configuration in /usr/lib/firewalld/services/. The XML parser is complaining about the existence of a "direct" element, which is _invalid_ in service definitions.

This command may show the offending file:

  # grep "direct" /usr/lib/firewalld/services/*

Comment 2 Hugo Leonardo R. D. Lopes 2023-01-17 13:18:22 UTC
Hello Eric Garver!

I am sending two outputs from the command:

bash-5.2# grep "direct" /bedrock/strata/fedora/usr/lib/firewalld/services/*
/bedrock/strata/fedora/usr/lib/firewalld/services/pmcd.xml:  <description>This option allows PCP (Performance Co-Pilot) monitoring. If you need to allow remote hosts to connect directly to your machine to monitor aspects of its performance, enable this option. You need the pcp package installed for this option to be useful.</description>
/bedrock/strata/fedora/usr/lib/firewalld/services/pmproxy.xml:  <description>This option allows indirect PCP (Performance Co-Pilot) monitoring via a proxy. If you need to allow remote hosts to connect through your machine to monitor aspects of performance of one or more proxied hosts, enable this option. You need the pcp package installed for this option to be useful.</description>
/bedrock/strata/fedora/usr/lib/firewalld/services/proxy-dhcp.xml:  <description>PXE redirection service (Proxy DHCP) responds to PXE clients and provides redirection to PXE boot servers.</description>
/bedrock/strata/fedora/usr/lib/firewalld/services/smtps.xml:  <description>This option allows incoming SMTPs mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail in a secure way, enable this option. You do not need to enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.</description>
/bedrock/strata/fedora/usr/lib/firewalld/services/smtp.xml:  <description>This option allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.</description>
/bedrock/strata/fedora/usr/lib/firewalld/services/synergy.xml:  <description>Synergy lets you easily share your mouse and keyboard between multiple computers, where each computer has its own display. No special hardware is required, all you need is a local area network. Synergy is supported on Windows, Mac OS X and Linux. Redirecting the mouse and keyboard is as simple as moving the mouse off the edge of your screen.</description>
/bedrock/strata/fedora/usr/lib/firewalld/services/tcpcryptd.xml:<direct>
/bedrock/strata/fedora/usr/lib/firewalld/services/tcpcryptd.xml:</direct>
/bedrock/strata/fedora/usr/lib/firewalld/services/tor-socks.xml:  <description>Tor enables online anonymity and censorship resistance by directing Internet traffic through a network of relays. It conceals user's location from anyone conducting network surveillance and traffic analysis. A user wishing to use Tor for anonymity can configure a program such as a web browser to direct traffic to a Tor client using its SOCKS proxy port. Enable this if you run Tor and would like to configure your web browser or other programs to channel their traffic through the Tor SOCKS proxy port. It is recommended that you make this service available only for your computer or your internal networks.</description>
/bedrock/strata/fedora/usr/lib/firewalld/services/vnc-server.xml:  <description>A VNC server provides an external accessible X session. Enable this option if you plan to provide a VNC server with direct access. The access will be possible for displays :0 to :3. If you plan to provide access with SSH, do not open this option and use the via option of the VNC viewer.</description>
/bedrock/strata/fedora/usr/lib/firewalld/services/xmpp-bosh.xml:  <description>Extensible Messaging and Presence Protocol (XMPP) web client protocol allows web based chat clients such as JWChat to connect to the XMPP (Jabber) server. This is also known as the Bidirectional-streams Over Synchronous HTTP (BOSH) protocol. Enable this if you run an XMPP (Jabber) server and you wish web clients to connect to your server.</description>


--------------------------------------------------------------------------------

bash-5.2# grep "direct" /usr/lib/firewalld/services/*
/usr/lib/firewalld/services/pmcd.xml:  <description>This option allows PCP (Performance Co-Pilot) monitoring. If you need to allow remote hosts to connect directly to your machine to monitor aspects of its performance, enable this option. You need the pcp package installed for this option to be useful.</description>
/usr/lib/firewalld/services/pmproxy.xml:  <description>This option allows indirect PCP (Performance Co-Pilot) monitoring via a proxy. If you need to allow remote hosts to connect through your machine to monitor aspects of performance of one or more proxied hosts, enable this option. You need the pcp package installed for this option to be useful.</description>
/usr/lib/firewalld/services/proxy-dhcp.xml:  <description>PXE redirection service (Proxy DHCP) responds to PXE clients and provides redirection to PXE boot servers.</description>
/usr/lib/firewalld/services/smtps.xml:  <description>This option allows incoming SMTPs mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail in a secure way, enable this option. You do not need to enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.</description>
/usr/lib/firewalld/services/smtp.xml:  <description>This option allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.</description>
/usr/lib/firewalld/services/synergy.xml:  <description>Synergy lets you easily share your mouse and keyboard between multiple computers, where each computer has its own display. No special hardware is required, all you need is a local area network. Synergy is supported on Windows, Mac OS X and Linux. Redirecting the mouse and keyboard is as simple as moving the mouse off the edge of your screen.</description>
/usr/lib/firewalld/services/tcpcryptd.xml:<direct>
/usr/lib/firewalld/services/tcpcryptd.xml:</direct>
/usr/lib/firewalld/services/tor-socks.xml:  <description>Tor enables online anonymity and censorship resistance by directing Internet traffic through a network of relays. It conceals user's location from anyone conducting network surveillance and traffic analysis. A user wishing to use Tor for anonymity can configure a program such as a web browser to direct traffic to a Tor client using its SOCKS proxy port. Enable this if you run Tor and would like to configure your web browser or other programs to channel their traffic through the Tor SOCKS proxy port. It is recommended that you make this service available only for your computer or your internal networks.</description>
/usr/lib/firewalld/services/vnc-server.xml:  <description>A VNC server provides an external accessible X session. Enable this option if you plan to provide a VNC server with direct access. The access will be possible for displays :0 to :3. If you plan to provide access with SSH, do not open this option and use the via option of the VNC viewer.</description>
/usr/lib/firewalld/services/xmpp-bosh.xml:  <description>Extensible Messaging and Presence Protocol (XMPP) web client protocol allows web based chat clients such as JWChat to connect to the XMPP (Jabber) server. This is also known as the Bidirectional-streams Over Synchronous HTTP (BOSH) protocol. Enable this if you run an XMPP (Jabber) server and you wish web clients to connect to your server.</description>
bash-5.2# 


Unfortunately, I can't solve this problem.
I need help!
Thanks!
Hugo Lopes

Comment 3 Eric Garver 2023-01-23 16:09:50 UTC
/usr/lib/firewalld/services/tcpcryptd.xml:<direct>
/usr/lib/firewalld/services/tcpcryptd.xml:</direct>

"tcpcrypt" is installing this file. It is invalid. This must be fixed in tcpcrypt package.

https://src.fedoraproject.org/rpms/tcpcrypt/blob/rawhide/f/tcpcrypt.spec#_66

Comment 4 Eric Garver 2023-01-23 16:17:44 UTC
More context..

I'm not sure this service ever worked. "direct" rules have never been allowed in service definitions. See man firewalld.service(5).

https://src.fedoraproject.org/rpms/tcpcrypt/blob/rawhide/f/tcpcrypt-firewalld.xml
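
A pre-flight check for the problem described in comments 1 and 4 (an element such as <direct> that firewalld.service(5) does not permit in a service definition), so a broken file can be found before firewalld refuses to start. This is an added example, not firewalld's or tcpcrypt's own code; it uses only the Python standard library, and the two sample XML strings are constructed for the demonstration.

```python
"""Pre-flight checker for firewalld service definitions.

Added example (not firewalld's or tcpcrypt's own code).  firewalld aborts at
start-up if any file in its services directories contains an element that
firewalld.service(5) does not allow; in this bug the culprit is a <direct>
element shipped in tcpcryptd.xml.  This script applies the same element check
to every file and reports all offenders, rather than exiting on the first one
as the daemon does, so it can be run before restarting firewalld.
"""
import os
import sys
import xml.etree.ElementTree as ET

# Child elements of <service> allowed by firewalld.service(5).  All of them
# are leaf elements, so anything nested below them is unexpected as well.
ALLOWED_SERVICE_CHILDREN = {
    "short", "description", "port", "protocol", "source-port",
    "module", "destination", "include", "helper",
}


def check_service_xml(xml_text):
    """Return the problems found in one service definition.

    Each problem is a (path, reason) tuple, e.g. ("service/direct",
    "Unexpected element direct").  An empty list means the file passes the
    element check that firewalld performs while loading it.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("", "not well-formed XML: %s" % exc)]
    if root.tag != "service":
        return [(root.tag, "root element must be <service>, not <%s>" % root.tag)]
    problems = []
    for child in root:
        path = "service/" + child.tag
        if child.tag not in ALLOWED_SERVICE_CHILDREN:
            problems.append((path, "Unexpected element " + child.tag))
            continue  # do not descend into an element that is already rejected
        for grandchild in child:
            problems.append((path + "/" + grandchild.tag,
                             "Unexpected element " + grandchild.tag))
    return problems


def scan_service_texts(named_texts):
    """Check a {file name: xml text} mapping; return {name: problems} for bad files."""
    findings = {}
    for name in sorted(named_texts):
        problems = check_service_xml(named_texts[name])
        if problems:
            findings[name] = problems
    return findings


def scan_services_dir(directory):
    """Read every *.xml file in a firewalld services directory and check it."""
    texts = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".xml"):
            with open(os.path.join(directory, name), encoding="utf-8") as fh:
                texts[name] = fh.read()
    return scan_service_texts(texts)


# Constructed sample modelled on the grep hits in the bug report: only the
# <direct> tags are known from the page, the other lines are made up.
BROKEN_SERVICE = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>tcpcryptd</short>
  <description>constructed sample</description>
  <direct>
    <!-- constructed placeholder; real rule content omitted -->
  </direct>
</service>
"""

# Constructed sample that uses only elements allowed by firewalld.service(5).
VALID_SERVICE = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>example</short>
  <description>constructed sample</description>
  <port protocol="tcp" port="2222"/>
  <protocol value="sctp"/>
</service>
"""


def main(argv):
    # Default to the stock and user directories; on BedRock pass the stratum
    # path instead, e.g. /bedrock/strata/fedora/usr/lib/firewalld/services.
    dirs = argv[1:] or ["/usr/lib/firewalld/services", "/etc/firewalld/services"]
    bad = 0
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name, problems in scan_services_dir(directory).items():
            bad += 1
            for path, reason in problems:
                print("%s: %s: %s" % (os.path.join(directory, name), path, reason))
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one file would make firewalld fall through to the "Failed to load full stock configuration" path seen in the log above.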

Comment 5 Eric Garver 2023-02-23 12:58:31 UTC
*** Bug 2172584 has been marked as a duplicate of this bug. ***

Comment 6 Eric Garver 2023-02-23 13:00:04 UTC
This seems to affect many users. Also see f36 bug 2095227.

I'll try to work on a PR for tcpcrypt that simply removes the service definition. As I said in comment 4, I don't think it ever worked.

Comment 7 Eric Garver 2023-02-23 14:42:37 UTC
I created a pull request against rawhide (f39). Once approved this could be cherry-picked to other releases.

https://src.fedoraproject.org/rpms/tcpcrypt/pull-request/1

Comment 8 Hugo Leonardo R. D. Lopes 2023-02-23 17:38:53 UTC
(In reply to Eric Garver from comment #7)
> I created a pull request against rawhide (f39). Once approved this could be
> cherry-picked to other releases.
> 
> https://src.fedoraproject.org/rpms/tcpcrypt/pull-request/1

Hello Eric, Good afternoon!

Sorry for only replying today. I should have responded sooner and said I was running some tests on this issue.

I was able to see the links you posted and I didn't find anything divergent.
1. I removed Firewalld, Firewall-applet and tcpcryptd with all settings and tried to do a fresh install.

1A. I reinstalled Firewalld and Firewall-applet, and after a new installation of the Fedora kernel inside Bedrock with the Debian 11 distro, the problem happened again (only when Fedora is selected, regardless of the kernel used, whether Fedora's or Debian's).

1B. I noticed that the same also happens when we have a primary installation on the Ubuntu computer and also on Deepin (20.8) with Bedrock Fedora as strata.

1C. Firewalld and Firewall-applet work without problems, can start and are available for configuration on Debian 11, Ubuntu 22.04 and Deepin 20.8 machines, independent of the kernel used. When we select the BedRock Fedora stratum at boot, regardless of the kernel (RPM or DEB), Firewalld and Firewall-applet do not start and it is not possible to configure them, even if we try to start them from a "$" or "#" terminal.

2. After that I tried to install tcpcrypt again through the terminal:
dnf install tcpcrypt
The installation was successful and in the terminal I was able to run the program with "systemctl start tcpcrypt".
Between September 2022 and December 2022 I noticed this error happening, with Debian 11 and Ubuntu 18.04 with Strata Bedrock Fedora 36.

3. Between September 2022 and the present date (23-02-2023), as mentioned, the problem persists.
I also noticed that tcpcrypt is no longer starting at boot, causing several problems. Before September 2022, I used the "systemctl enable tcpcryptd" command, and it started at boot without a problem.

The tests I did were just visual, based on the experience of the graphical interface. I consulted some logs, but I didn't modify any configuration file after installing the programs I mentioned.

I am currently using Debian 11 with the Bedrock Fedora 37 stratum, and Ubuntu 22.04 imported ("brl import") from a VMDK (VirtualBox) due to an installation error with the command "brl fetch Ubuntu --release 22.04", which presented a duality-of-systems error.
The firewall problem persists in the Fedora stratum, regardless of kernel. Likewise, tcpcrypt also no longer starts at boot (I abandoned this configuration and start it every time I browse).

Thanks for the help Eric and I hope I've given you some useful information that will help you and the Linux community.
I await news.
Hugo Leonardo R.D. Lopes


Comment 9 Eric Garver 2023-02-23 18:28:19 UTC
I am not familiar with BedRock.

For Fedora you can try the scratch builds created from my pull request.

  https://koji.fedoraproject.org/koji/taskinfo?taskID=97901042

Comment 10 Eric Garver 2023-03-02 19:25:07 UTC
Verified official rawhide build. I'll open PRs for stable releases.

--->8---

# systemctl restart firewalld
# firewall-cmd --state
not running
# systemctl status firewalld |grep ERROR | head -n1
Mar 02 14:19:19 vm-local-fedora-1 firewalld[18017]: ERROR: Failed to load user configuration. Falling back to full stock configuration.

# dnf -y install https://kojipkgs.fedoraproject.org//work/tasks/2816/98202816/tcpcrypt-0.5-12.fc39.x86_64.rpm https://kojipkgs.fedoraproject.org//work/tasks/2816/98202816/tcpcrypt-libs-0.5-12.fc39.x86_64.rpm
[..]

# systemctl restart firewalld
# firewall-cmd --state
running
# systemctl status firewalld |grep ERROR | head -n1

Comment 11 Eric Garver 2023-03-02 19:48:48 UTC
f37 PR: https://src.fedoraproject.org/rpms/tcpcrypt/pull-request/3

Comment 12 Adam Williamson 2023-07-14 17:21:05 UTC
Marking as a dupe of the ur-report of this. I'm sending the fixes to F37 and F38 currently.

*** This bug has been marked as a duplicate of bug 1502646 ***

