I’ve just upgraded a fully-working Leap 15.2 installation to 15.3 - all has gone well (yes, I took backups first! :)) except that firewalld won’t start because python-nftables fails when trying to convert the existing firewalld configuration to JSON… the error is:
ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: You must add 'flags interval' to your set declaration if you want to add prefix elements
I understand completely what the problem is: when some of the ipset files are being converted by python-nftables into set declarations, they need the addition of “flags interval” to make them valid firewall rules acceptable for use by nft. Investigation shows that three sets are correctly being converted before the failure.
In theory I could start the firewall specification from scratch using line-by-line nft commands then export the full configuration back into an XML or JSON file, but (1) that doesn’t help anyone else with a similar issue, and (2) I’m slightly too lazy to do so right now!
Seriously, though, all is still OK with my public.xml zone file and the various ipset files as I’ve been checking them with the firewall-config visual editor, I just can’t get firewalld to start. Any ideas, or suggestions as to how I can automate the correct inclusion of the “interval” flag in the relevant configuration sets?
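As an added illustration of the mechanism described above (example code, not firewalld's or python-nftables' own), the script below parses a firewalld-style ipset XML file, checks whether any entry is a prefix rather than a single host address, and renders the nft set declaration with “flags interval” added only when such prefix elements are present. The sample XML, the set name and the table/family names are constructed assumptions for the demo.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample laid out like a firewalld ipset file (/etc/firewalld/ipsets/NAME.xml);
# it is not the poster's real configuration.
SAMPLE_IPSET_XML = """<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <short>blocklist</short>
  <entry>203.0.113.7</entry>
  <entry>198.51.100.0/24</entry>
  <entry>192.0.2.0/25</entry>
</ipset>
"""

def parse_ipset(xml_text):
    """Return (ipset type, list of entry strings) from firewalld ipset XML."""
    root = ET.fromstring(xml_text)
    entries = [e.text.strip() for e in root.findall("entry") if e.text]
    return root.get("type", ""), entries

def needs_interval_flag(entries):
    """True if any entry is a prefix (CIDR): nft only accepts prefix elements in a
    set declared with 'flags interval'; plain host addresses do not need it."""
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.prefixlen != net.max_prefixlen:
            return True
    return False

def nft_set_declaration(name, entries, family="inet", table="firewalld"):
    """Render an nft set declaration, adding 'flags interval' only when required.
    The table/family names are assumptions for this example, not firewalld's."""
    if not entries:
        raise ValueError("refusing to render an empty set")
    version = ipaddress.ip_network(entries[0], strict=False).version
    addr_type = "ipv6_addr" if version == 6 else "ipv4_addr"
    lines = [f"table {family} {table} {{", f"    set {name} {{", f"        type {addr_type}"]
    if needs_interval_flag(entries):
        lines.append("        flags interval")
    lines.append("        elements = { " + ", ".join(entries) + " }")
    lines += ["    }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    set_type, elems = parse_ipset(SAMPLE_IPSET_XML)
    print(f"# firewalld ipset type: {set_type}")
    print(nft_set_declaration("blocklist", elems))
```

Running it over the real files in /etc/firewalld/ipsets/ would show which sets contain prefix entries and therefore trigger the quoted error when converted without the flag.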
Yes, I’ve done exactly that so as to keep things ticking over, and everything works as it did before the upgrade to 15.3… the issue seems to be the way python-nftables uses the firewalld configuration to set up the “new” back-end. In fairness, it fails gracefully with the error message shown in my post but clearly it shouldn’t.
If the same firewalld configuration works with iptables, but fails with nftables, it is firewalld bug that should be reported. Whether it should be reported to openSUSE or upstream depends on whether you can reproduce it using current upstream version. If you posted your ipset definition, someone could test it.
Given that the fault appears to be in python-nftables, i.e. nftables would presumably work if the “flags interval” were added to the relevant nft set declarations, isn’t that where the problem lies? As stated, the failure is “graceful” and the error message offers what (from the perspective of nftables) is the solution. Or is the python-nftables Python script maintained by the same group?
Thanks for replying promptly, but now we’re going round in circles. The firewalld configuration managed by firewall-config consists of properly-structured zone files and ipsets that work when iptables is used as the back end for the firewall, and have never been problematic: python-nftables generates the JSON to set up the nftables firewall configuration from those same zone files and ipsets when nftables is used as the back end, but that configuration isn’t generated to successful completion because python-nftables fails with the quoted error message after processing three of the ipsets, and firewalld cannot therefore be started. It’s therefore hard to understand what data you are referring to, or why you believe that the issue lies within firewalld and not python-nftables, unless it’s because you’re just having a bad day.
However, I now have a working firewall with iptables and know with certainty that nftables cannot be used with my working configuration due to the absence of “flags interval” from at least one of the nft set declarations generated by python-nftables. Having flagged up the post-upgrade problem via this post, and having no present need to migrate to nft, I will leave the resolution to those with a vested interest in finding a fix.