Error: syntax error, unexpected junk add rule inet firewalld filter_IN_block %%reject%%

Hi,

I am getting this in journalctl on each and every boot:

Aug 27 16:24:48 pc firewalld[1006]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Aug 27 16:24:48 pc firewalld[1006]: ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_block %%reject%%' failed: Error: syntax error, unexpected junk
                                      add rule inet firewalld filter_IN_block %%reject%%
                                                                              ^

I checked:

# grep -ri "%%reject%%" *
zones/block.xml:<zone target="%%REJECT%%">
zones/block.xml.old:<zone target="%%REJECT%%">

How do I fix this? I am new to firewalld and nft.

From what you’ve described,
You <might> be affected by this recent TW announcement describing fixes in the latest snapshots…
https://forums.opensuse.org/showthread.php/532766-Tumbleweed-Snapshots-Bring-Changes-for-KVM-QEMU-Xen?p=2878114#post2878114

In other words,

zypper dup

Your problems <might> be fixed.

Good Luck,
TSU

Before starting the thread I was running 20180815. After reading your post I updated the system and now it is 20180820. Nothing changed in regards to the message though - it still shows up.

I ran into a similar issue with docker recently and the fix I found may help. The firewalld.conf file has a new section in it and defaults to nftables; for docker I needed iptables. In my case I found it in firewalld.conf.rpmnew.

It is the last section; I copied and pasted it into my firewalld.conf file and the problem went away. The section is:

# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
#    - nftables (default)
#    - iptables (iptables, ip6tables, ebtables and ipset)
FirewallBackend=nftables
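
A small script that does what this thread ends up doing by hand, added here as an example (not from the thread or the firewalld project): it reports the effective FirewallBackend of a firewalld.conf, treating a missing key as the nftables default that applied when the new section only lived in firewalld.conf.rpmnew, switches the backend without sed -i, and lists zone files that use the %%REJECT%% target from the error above. All paths are passed in as arguments; nothing about /etc/firewalld is assumed.

```shell
#!/bin/sh
# Added example: manage FirewallBackend in a firewalld.conf (assumed paths).

# Print the effective backend for the given firewalld.conf.
# A missing or commented-out key means the built-in default, nftables.
firewalld_backend() {
    conf="$1"
    # Last uncommented FirewallBackend= line wins; surrounding whitespace is ignored.
    val=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z0-9]*\).*/\1/p' "$conf" | tail -n 1)
    if [ -z "$val" ]; then
        echo "nftables"
    else
        echo "$val"
    fi
}

# Rewrite the given firewalld.conf so FirewallBackend equals $2.
# Replaces the existing line if present, otherwise appends the section
# (the situation in the thread: an older conf without the key at all).
set_firewalld_backend() {
    conf="$1"; want="$2"
    case "$want" in
        nftables|iptables) ;;
        *) echo "unknown backend: $want" >&2; return 1 ;;
    esac
    tmp="$conf.tmp.$$"
    if grep -q '^[[:space:]]*FirewallBackend[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*FirewallBackend[[:space:]]*=.*/FirewallBackend=$want/" "$conf" > "$tmp"
    else
        cp "$conf" "$tmp"
        printf '\n# FirewallBackend\n# Selects the firewall backend implementation.\nFirewallBackend=%s\n' "$want" >> "$tmp"
    fi
    mv "$tmp" "$conf"
}

# List zone files in directory $1 whose target is the %%REJECT%% placeholder,
# i.e. the zones that produced the "unexpected junk" nft error in the thread.
reject_target_zones() {
    grep -l 'target="%%REJECT%%"' "$1"/*.xml 2>/dev/null || :
}
```

Run it against copies of your files first, e.g. firewalld_backend ./firewalld.conf and reject_target_zones ./zones, then reload firewalld after changing the backend.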


Changing that to iptables worked. Thank you!

But is it normal to happen at all? Isn’t it supposed to work in sync with its own rules/configs?

Reasoning for the change is given here:

https://firewalld.org/2018/07/nftables-backend

In my opinion the default backend should have been iptables to accommodate existing configs and then they could have specified nftables for new installs.

Note that this is not a TW issue.

doscott,

Thank you for this info! Very interesting.

I will definitely learn about firewalld and nftables.

Today’s update (0828) has switched to iptables for the default:

# FirewallBackend
# Selects the firewall backend implementation.
# Choices are:
#    - nftables
#    - iptables (default)
FirewallBackend=iptables

Thanks for the update. That’s interesting: they make the default contrary to firewalld’s default. Wouldn’t it be more appropriate to fix the block.xml? If I knew how I would do it, but I don’t (still need to learn).