
Thread: firewalld won't run on Tumbleweed: Failed to load nf_conntrack module

  1. #1

    I'm having trouble getting firewalld to load on a current Tumbleweed system. The service status error is below. There's no output of firewalld or nf_conntrack in dmesg. I don't know what nf_conntrack is. This is a system that was upgraded from LEAP to Tumbleweed. I'm happy to reset all firewall configs/rules to default if that would help but I can't figure out how to do that either. Suggestions?


    localhost:~ # rcfirewalld status
    * firewalld.service - firewalld - dynamic firewall daemon
    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
    Active: inactive (dead) since Fri 2019-07-26 12:57:53 UTC; 3s ago
    Docs: man:firewalld(1)
    Process: 2372 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
    Main PID: 2372 (code=exited, status=0/SUCCESS)

    Jul 26 12:57:53 localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
    Jul 26 12:57:53 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
    Jul 26 12:57:53 localhost firewalld[2372]: ERROR: Failed to load nf_conntrack module: modprobe: ERROR: could not find module by name='nf_conntrack'
    modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (see dmesg)
    modprobe: ERROR: Error running install command for nf_conntrack
    modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
    Jul 26 12:57:53 localhost firewalld[2372]: ERROR: Raising SystemExit in run_server
    Jul 26 12:57:53 localhost systemd[1]: firewalld.service: Succeeded.


  2. #2

    Your posted log entries end with a SUCCESS.
    Does your firewall work?
    Is your machine set up as a Server or client, and can you test whether your connections work? conn-track in general supports long running sessions connecting to your service.

    Bottom line,
    I'm unsure if your error is non-critical, whether the module couldn't be loaded only initially or is still not loaded even later.

    TSU

  3. #3

    A quick search shows that similar firewalld regressions have been reported elsewhere, including RH and github...
    https://bugzilla.redhat.com/show_bug.cgi?id=1686654
    https://github.com/firewalld/firewalld/issues/353

    I'm not running TW, so not sure which firewalld version is in use, but seems to be related to the above?
    openSUSE Leap 15.0; KDE Plasma 5

  4. #4

    Quote Originally Posted by deano_ferrari View Post
    I'm not running TW, so not sure which firewalld version is in use...
    Tumbleweed 20190724

    Code:
    > firewall-cmd -V
    0.6.3

  5. #5

    Quote Originally Posted by tsu2 View Post
    Your posted log entries end with a SUCCESS.
    Does your firewall work?
    Is your machine set up as a Server or client, and can you test whether your connections work? conn-track in general supports long running sessions connecting to your service.

    Bottom line,
    I'm unsure if your error is non-critical, whether the module couldn't be loaded only initially or is still not loaded even later.

    TSU
    My machine is a server, but I'm not sure what you mean by "set up"; is there a configuration option for that somewhere?

    The firewall is not working. Services that do not have an open port configured are reachable externally.
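
Added example, not part of any post in this thread: a shell check for the state shown in the first post, where systemd reports `status=0/SUCCESS` and "Succeeded" although firewalld logged ERROR lines and exited, so nothing is being filtered. The function name and verdict strings are illustrative assumptions; the sample text is abridged from the status output quoted in the thread.

```shell
#!/bin/sh
# Added example: classify the text of `rcfirewalld status` / `systemctl status firewalld`.
# Verdicts (illustrative names): RUNNING (rc 0), NOT_RUNNING (rc 1),
# DEAD_BUT_REPORTED_SUCCESS (rc 2: daemon logged ERROR, yet exited with status 0).

classify_firewalld_status() {
    status_text=$1
    # First "Active:" line of the unit status; empty if absent.
    active_line=$(printf '%s\n' "$status_text" | grep -m1 'Active:' || true)
    # Number of ERROR lines logged by the firewalld process itself.
    errors=$(printf '%s\n' "$status_text" | grep -c 'firewalld\[[0-9]*]: ERROR:' || true)

    case $active_line in
        *'active (running)'*) echo RUNNING; return 0 ;;
    esac

    # The unit is not running. A clean exit code says nothing about rules being
    # loaded: firewalld raised SystemExit after the module load failed.
    if [ "$errors" -gt 0 ] &&
       printf '%s\n' "$status_text" | grep -q 'status=0/SUCCESS'; then
        echo DEAD_BUT_REPORTED_SUCCESS
        return 2
    fi
    echo NOT_RUNNING
    return 1
}

# Sample input, abridged from the failing status output quoted in the thread.
SAMPLE_DEAD='   Active: inactive (dead) since Mon 2019-08-05 00:29:32 UTC; 4min 56s ago
  Process: 30569 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Aug 05 00:29:32 localhost firewalld[30569]: ERROR: Failed to load nf_conntrack module
Aug 05 00:29:32 localhost firewalld[30569]: ERROR: Raising SystemExit in run_server
Aug 05 00:29:32 localhost systemd[1]: firewalld.service: Succeeded.'

# Sample input, abridged from the working status output quoted in the thread.
SAMPLE_RUNNING='   Active: active (running) since Sun 2019-08-04 09:40:52 CDT; 34min ago
 Main PID: 12502 (firewalld)'

# Constructed sample: unit stopped with no daemon errors logged.
SAMPLE_STOPPED='   Active: inactive (dead)'

for sample in "$SAMPLE_DEAD" "$SAMPLE_RUNNING" "$SAMPLE_STOPPED"; do
    classify_firewalld_status "$sample" || true
done
```

On a live host the same function can be fed `"$(systemctl status firewalld --no-pager 2>&1)"`; any verdict other than RUNNING means the packet filter should be treated as absent until proven otherwise.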

  6. #6

    Quote Originally Posted by deano_ferrari View Post
    A quick search shows that similar firewalld regressions have been reported elsewhere, including RH and github...
    https://bugzilla.redhat.com/show_bug.cgi?id=1686654
    https://github.com/firewalld/firewalld/issues/353

    I'm not running TW, so not sure which firewalld version is in use, but seems to be related to the above?
    Those threads look similar but I got lost while reading them. The only thing I saw that made sense was to try to modprobe nf_conntrack; this is what I get:

    Code:
    a@localhost:~> sudo modprobe nf_conntrack
    modprobe: ERROR: could not find module by name='nf_conntrack'
    modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (see dmesg)
    modprobe: ERROR: Error running install command for nf_conntrack
    modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
    a@localhost:~> sudo dmesg | grep conntrack
    [ 2207.008696] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
    amb@localhost:~>
    I tried searching for that error but it seems a bit common for a lot of different reasons. I don't understand what a CT-based firewall rule means. I'm just using the YaST menu and haven't modified any other files.

    Is there some way I can just reset the firewall rules to default to try to fix this?

  7. #7

    I should add that my system is very basic, it's just a single interface and the only firewall rules I need are to open tcp 22 and 80 and deny everything else. Thus my confusion why this is broken.

  8. #8

    Quote Originally Posted by jrivard View Post
    I should add that my system is very basic, it's just a single interface and the only firewall rules I need are to open tcp 22 and 80 and deny everything else. Thus my confusion why this is broken.
    Hi
    From your initial output it would seem the system is not up to date... your systemd service output does not match what I see...

    Has the system been updated via zypper dup?

    Code:
    rcfirewalld status
    
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
       Active: active (running) since Sun 2019-08-04 09:40:52 CDT; 34min ago
         Docs: man:firewalld(1)
     Main PID: 12502 (firewalld)
        Tasks: 2 (limit: 4915)
       Memory: 22.8M
       CGroup: /system.slice/firewalld.service
               └─12502 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  9. #9

    Yup, zypper dup shows current:

    Code:
    #sudo zypper dup
    Loading repository data...
    Reading installed packages...
    Warning: You are about to do a distribution upgrade with all enabled repositories. Make sure these repositories are compatible before you continue. See 'man zypper' for more information about this command.
    Computing distribution upgrade...
    
    Nothing to do.
    
    And I'm pointed at tumbleweed repos:

    Code:
    #sudo zypper lr -u
    Repository priorities are without effect. All enabled repositories share the same priority.
    
    # | Alias        | Name         | Enabled | GPG Check | Refresh | URI                                                  
    --+--------------+--------------+---------+-----------+---------+-----------------------------------------------------
    1 | repo-debug   | repo-debug   | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/tumbleweed/repo/debug   
    2 | repo-non-oss | repo-non-oss | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/tumbleweed/repo/non-oss
    3 | repo-oss     | repo-oss     | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/tumbleweed/repo/oss     
    4 | repo-update  | repo-update  | Yes     | (r ) Yes  | Yes     | http://download.opensuse.org/update/tumbleweed/ 
    
    And my current rcfirewalld status:

    Code:
    #sudo rcfirewalld status
    * firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
       Active: inactive (dead) since Mon 2019-08-05 00:29:32 UTC; 4min 56s ago
         Docs: man:firewalld(1)
      Process: 30569 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
     Main PID: 30569 (code=exited, status=0/SUCCESS)
    
    Aug 05 00:29:31 localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
    Aug 05 00:29:32 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
    Aug 05 00:29:32 localhost firewalld[30569]: ERROR: Failed to load nf_conntrack module: modprobe: ERROR: could not find module by name='nf_connt>
                                                modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (s>
                                                modprobe: ERROR: Error running install command for nf_conntrack
                                                modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
    Aug 05 00:29:32 localhost firewalld[30569]: ERROR: Raising SystemExit in run_server
    Aug 05 00:29:32 localhost systemd[1]: firewalld.service: Succeeded.
    
    
    This is what happens when I try to load conntrack module:

    Code:
    #sudo modprobe nf_conntrack
    modprobe: ERROR: could not find module by name='nf_conntrack'
    modprobe: ERROR: could not insert 'nf_conntrack': Unknown symbol in module, or unknown parameter (see dmesg)
    modprobe: ERROR: Error running install command for nf_conntrack
    modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
    #sudo dmesg | grep conntrack
    [ 2207.008696] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.
    
    I can definitely connect to a service running on the box that the firewall should be blocking (port 8080/tomcat) so I know the firewall isn't working.

    Any other ideas? At this point I don't know what else to do but re-install the OS and rebuild the server from scratch

  10. #10

    Hi
    Can you post the output from;

    Code:
    cat /etc/os-release
    uname -a
    /sbin/modinfo nf_conntrack | head -1
    If you're already root user, no need for sudo? When you switched to root user did you use su - not just su?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
