Issue with firewalld after upgrading from 15.2 to 15.3

Hello, I finally got around to upgrading to 15.3 and now I’m seeing issues with my firewalld.
This is my version.
/var/log # firewall-cmd --version
0.9.3

The firewall service is running but it’s not pulling tables correctly or showing my info via>
iptables -L

Someone on linuxquestions mentioned they downgraded and it worked for a while but I don’t think that sounds like a good solution.

Here’s what it shows for the service.


 firewalld.service - firewalld - dynamic firewall daemon 
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled) 
     Active: active (running) since Sun 2022-05-01 17:23:09 MDT; 41min ago
       Docs: man:firewalld(1) 
   Main PID: 9170 (firewalld) 
      Tasks: 2 (limit: 4545) 
     CGroup: /system.slice/firewalld.service 
             └─9170 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid 

May 01 17:23:08 asus2 systemd[1]: Starting firewalld - dynamic firewall daemon... 
May 01 17:23:09 asus2 systemd[1]: Started firewalld - dynamic firewall daemon. 
May 01 17:23:09 asus2 firewalld[9170]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.F>
May 01 17:23:09 asus2 firewalld[9170]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.F>
May 01 17:23:10 asus2 firewalld[9170]: ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.F>

And here’s some additional errors I noticed in /var/log/firewalld


2022-05-01 17:23:09 ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'INIT', False, '', {}, ], True, True, True, False, 'off')>(()) failed: check_config_dict() takes 2 positional arguments but 3 were given
2022-05-01 17:23:09 ERROR: Calling pre func <bound method Firewall.full_check_config of <class 'firewall.core.fw.Firewall'>(True, True, True, 'RUNNING', False, 'public', {}, ], True, True, True, False, 'off')>(()) failed: check_config_dict() takes 2 positional arguments but 3 were given

Is this a known issue? I was thinking of removing it and re-installing but then I would likely need to recreate my rules.

Thanks for any ideas or help.

In Leap 15.3 firewalld defaults to nftables backend, not to iptables.

https://bugzilla.opensuse.org/show_bug.cgi?id=1198214

Remove and lock patch mentioned in this thread and revert to previous firewalld version before patch.

Thanks for this info arvidjaar. It looks like I will need to install nftables since I don’t currently have it installed.
Also, my issue seems slightly different than this bug report post since mine actually starts up fine. I’ll probably look into trying to revert to the previous firewalld version for now to see if that works out for me.

Hello, they are claiming this is now fixed in this bug report

https://bugzilla.suse.com/show_bug.cgi?id=1197911

Any ideas how I’m supposed to apply said “fix”?

Thanks

Update your system.

Oh, update to 15.4? It seems like I just finally got around to upgrading to 15.3, but if firewalld works again in 15.4 I’ll get the upgrade done before 15.3 goes EOL, whenever that is.

I said “update your system” which means running “zypper up”, “zypper patch” or some GUI to do the same.

I did not say “upgrade to the next release”.

Good info. I just finally got back around to messing with my 15.3 again. I didn’t check before running this zypper update but afterwards I noticed firewalld is no longer showing the error output I mentioned previously!

zypper refresh
This updated some of my 15.3 repos and then ended with>
All repositories have been refreshed.

After that I noticed iptables -L still didn’t show any rules but as you mentioned previously per firewalld.conf the rules are now managed by nftables.

# FirewallBackend 
# Selects the firewall backend implementation. 
# Choices are: 
#       - nftables (default) 
#       - iptables (iptables, ip6tables, ebtables and ipset) 
FirewallBackend=nftables

So, now that I have a functioning firewall again (w00h00) I get to learn about nftables and helping keep my SUSE load secure.
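
An added example, not part of any post in this thread: a small shell check for the two things the thread turns on, namely which backend firewalld.conf selects (and therefore which tool shows the live rules, since `iptables -L` can be empty while the nftables backend is active) and whether the `check_config_dict()` error is still being logged. The function names are hypothetical, the sample config and log lines are constructed, and `/etc/firewalld/firewalld.conf` is assumed as the config path.

```shell
#!/bin/sh
# Added example (not from the thread): which backend is firewalld set to,
# which command shows its rules, and is the startup error still being logged?

# Effective FirewallBackend from a firewalld.conf-style file. Comment lines
# are skipped, the last assignment wins, and a missing key means nftables
# (the default named in the config comments quoted above).
firewalld_backend() {
    conf=${1:-/etc/firewalld/firewalld.conf}   # assumed default path
    backend=""
    if [ -r "$conf" ]; then
        backend=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*\([A-Za-z0-9_]*\).*$/\1/p' "$conf" | tail -n 1)
    fi
    printf '%s\n' "${backend:-nftables}"
}

# Command that lists the live rules for a given backend.
ruleset_command() {
    case "$1" in
        nftables) echo "nft list ruleset" ;;
        iptables) echo "iptables -L -n -v" ;;
        *) echo "unknown backend: $1" >&2; return 1 ;;
    esac
}

# Number of log lines carrying the check_config_dict() startup error.
count_check_config_errors() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'check_config_dict() takes 2 positional arguments' "$1" || true
}

# Demo on constructed sample files, so it runs without touching the system.
demo() {
    tmp=$(mktemp -d)
    printf '# FirewallBackend\n#  - nftables (default)\nFirewallBackend=nftables\n' > "$tmp/firewalld.conf"
    printf '%s\n' \
      "2022-05-01 17:23:09 ERROR: ... failed: check_config_dict() takes 2 positional arguments but 3 were given" \
      "2022-05-01 17:23:10 INFO: constructed line without the error" > "$tmp/firewalld.log"
    b=$(firewalld_backend "$tmp/firewalld.conf")
    echo "backend=$b inspect_with='$(ruleset_command "$b")' errors=$(count_check_config_errors "$tmp/firewalld.log")"
    rm -rf "$tmp"
}
demo
```

On a real system, call `firewalld_backend` with no argument and `count_check_config_errors /var/log/firewalld`; the listing commands it names need root.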

I do not think that the advice anywhere mentioned zypper refresh. It mentioned zypper up, zypper patch or similar using YaST > Software Management.

Please, you are free to follow advice or not. But when you decide not to follow advice, then do not complain.

Back in April this year, I reported this openSUSE Leap 15.3 Bug – <https://bugzilla.opensuse.org/show_bug.cgi?id=1197911>