9:29 a.m.
Hello,
I'm trying to get firewalld going on Debian 12 a vps. I've asked on
the debian users list who refered me here with a way to get more
verbose error messages, see below. Unfortunately I'm clueless as to
what this could be. It from what I can see looks like it's trying to
delete a chain and failing which causes firewalld to fail, though I
could be wrong, python and myself are not friends.
Any help appreciated.
Thanks.
Dave.
root@hostname:~#systemctl --full --no-pager status firewalld
? firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled;
preset: enabled)
Active: inactive (dead) since Sat 2023-07-08 02:06:48 EDT; 7h ago
Duration: 2.316s
Docs: man:firewalld(1)
Process: 77366 ExecStart=/usr/sbin/firewalld --nofork --nopid
(code=exited, status=0/SUCCESS)
Main PID: 77366 (code=exited, status=0/SUCCESS)
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
'/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
(nf_tables):
line 3:
CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
'python-nftables' failed: internal:0:0-0: Error: Could not process
rule: No such file or directory
JSON blob:
{"nftables":
[{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
{"family": "inet", "name": "firewalld"}}},
{"add": {"table":
{"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed:
ebtables-restore v1.8.9 (nf_tables):
line 3:
CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: Traceback (most
recent call last):
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 633, in
start
self._start()
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 597, in
_start
self._start_apply_objects(reload=reload,
complete_reload=complete_reload)
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in
_start_apply_objects
transaction.execute(True)
File
"/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
161, in execute
raise
FirewallError(errors.COMMAND_FAILED, errorMsg)
firewall.errors.FirewallError: COMMAND_FAILED:
'/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
(nf_tables):
line 3:
CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
During
handling of the above exception, another exception occurred:
Traceback
(most recent call last):
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 638, in
start
self._start_failsafe()
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 629, in
_start_failsafe
self._start_apply_objects(reload=reload,
complete_reload=complete_reload)
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in
_start_apply_objects
transaction.execute(True)
File
"/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
161, in execute
raise
FirewallError(errors.COMMAND_FAILED, errorMsg)
firewall.errors.FirewallError: COMMAND_FAILED: 'python-nftables'
failed: internal:0:0-0: Error: Could not process rule: No such file or
directory
JSON blob:
{"nftables":
[{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
{"family": "inet", "name": "firewalld"}}},
{"add": {"table":
{"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could
not process rule: No such file or directory
JSON blob:
{"nftables":
[{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
{"family": "inet", "name": "firewalld"}}},
{"add": {"table":
{"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Failed
to load full stock configuration. This likely indicates a system level
issue, e.g. the firewall backend (nftables, iptables) is broken. All
hope is lost. Exiting.
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
'/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
(nf_tables):
line 3:
CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
'python-nftables' failed: internal:0:0-0: Error: Could not process
rule: No such file or directory
JSON blob:
{"nftables":
[{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
{"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Raising
SystemExit in run_server
Jul 08 02:06:48 hostname.example.com systemd[1]: firewalld.service:
Deactivated successfully.
5:19 p.m.
Hello,
Adding to my previous message I do have a kludge/fix that does make
firewalld work, though with an error. The fix is to change the backend
option from nftables to iptables in /etc/firewalld/firewalld.conf. I
then can add my rules and all is good. I do see the below message:
#firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed:
ebtables-restore v1.8.9 (nf_tables):
line 3: CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3: CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
It does work but I'd love to know why the newer nftables backend keeps
failing and this error meaning?
Thank you.
Dave.
On 7/8/23, David Mehler <dave.mehler(a)gmail.com> wrote:
> Hello,
>
> I'm trying to get firewalld going on Debian 12 a vps. I've asked on
> the debian users list who refered me here with a way to get more
> verbose error messages, see below. Unfortunately I'm clueless as to
> what this could be. It from what I can see looks like it's trying to
> delete a chain and failing which causes firewalld to fail, though I
> could be wrong, python and myself are not friends.
>
> Any help appreciated.
> Thanks.
> Dave.
>
> root@hostname:~#systemctl --full --no-pager status firewalld
> ? firewalld.service - firewalld - dynamic firewall daemon
> Loaded: loaded (/lib/systemd/system/firewalld.service; enabled;
> preset: enabled)
> Active: inactive (dead) since Sat 2023-07-08 02:06:48 EDT; 7h ago
> Duration: 2.316s
> Docs: man:firewalld(1)
> Process: 77366 ExecStart=/usr/sbin/firewalld --nofork --nopid
> (code=exited, status=0/SUCCESS)
> Main PID: 77366 (code=exited, status=0/SUCCESS)
>
> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
> (nf_tables):
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
> 'python-nftables' failed: internal:0:0-0: Error: Could not process
> rule: No such file or directory
>
>
> JSON blob:
> {"nftables":
> [{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
> {"family": "inet", "name": "firewalld"}}},
{"add": {"table":
> {"family": "inet", "name": "firewalld"}}}]}
> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
> COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed:
> ebtables-restore v1.8.9 (nf_tables):
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
> Jul 08 02:06:48 hostname.example.com firewalld[77366]: Traceback (most
> recent call last):
> File
> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 633, in
> start
> self._start()
> File
> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 597, in
> _start
>
> self._start_apply_objects(reload=reload,
> complete_reload=complete_reload)
> File
> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in
> _start_apply_objects
>
> transaction.execute(True)
> File
> "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
> 161, in execute
> raise
> FirewallError(errors.COMMAND_FAILED, errorMsg)
>
> firewall.errors.FirewallError: COMMAND_FAILED:
> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
> (nf_tables):
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>
>
> During
> handling of the above exception, another exception occurred:
>
> Traceback
> (most recent call last):
> File
> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 638, in
> start
>
> self._start_failsafe()
> File
> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 629, in
> _start_failsafe
>
> self._start_apply_objects(reload=reload,
> complete_reload=complete_reload)
> File
> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in
> _start_apply_objects
>
> transaction.execute(True)
> File
> "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
> 161, in execute
> raise
> FirewallError(errors.COMMAND_FAILED, errorMsg)
>
> firewall.errors.FirewallError: COMMAND_FAILED: 'python-nftables'
> failed: internal:0:0-0: Error: Could not process rule: No such file or
> directory
>
>
> JSON blob:
> {"nftables":
> [{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
> {"family": "inet", "name": "firewalld"}}},
{"add": {"table":
> {"family": "inet", "name": "firewalld"}}}]}
> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
> COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could
> not process rule: No such file or directory
>
>
> JSON blob:
> {"nftables":
> [{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
> {"family": "inet", "name": "firewalld"}}},
{"add": {"table":
> {"family": "inet", "name": "firewalld"}}}]}
> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Failed
> to load full stock configuration. This likely indicates a system level
> issue, e.g. the firewall backend (nftables, iptables) is broken. All
> hope is lost. Exiting.
> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
> (nf_tables):
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
> line 3:
> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
> 'python-nftables' failed: internal:0:0-0: Error: Could not process
> rule: No such file or directory
>
>
> JSON blob:
> {"nftables":
> [{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
> {"family": "inet", "name": "firewalld"}}}]}
> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Raising
> SystemExit in run_server
> Jul 08 02:06:48 hostname.example.com systemd[1]: firewalld.service:
> Deactivated successfully.
>
7:23 a.m.
This looks like the firewalld backends are broken, e.g. nftables,
ebtables.
Are you using a Debian provided kernel? Or is this a custom kernel for
the VPS?
On Sat, Jul 08, 2023 at 10:29:45AM -0400, David Mehler wrote:
Hello,
I'm trying to get firewalld going on Debian 12 a vps. I've asked on
the debian users list who refered me here with a way to get more
verbose error messages, see below. Unfortunately I'm clueless as to
what this could be. It from what I can see looks like it's trying to
delete a chain and failing which causes firewalld to fail, though I
could be wrong, python and myself are not friends.
Any help appreciated.
Thanks.
Dave.
root@hostname:~#systemctl --full --no-pager status firewalld
? firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/lib/systemd/system/firewalld.service; enabled;
preset: enabled)
Active: inactive (dead) since Sat 2023-07-08 02:06:48 EDT; 7h ago
Duration: 2.316s
Docs: man:firewalld(1)
Process: 77366 ExecStart=/usr/sbin/firewalld --nofork --nopid
(code=exited, status=0/SUCCESS)
Main PID: 77366 (code=exited, status=0/SUCCESS)
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
'/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
(nf_tables):
line 3:
CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
'python-nftables' failed: internal:0:0-0: Error: Could not process
rule: No such file or directory
JSON blob:
{"nftables":
[{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
{"family": "inet", "name": "firewalld"}}},
{"add": {"table":
{"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed:
ebtables-restore v1.8.9 (nf_tables):
line 3:
CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: Traceback (most
recent call last):
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 633, in
start
self._start()
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 597, in
_start
self._start_apply_objects(reload=reload,
complete_reload=complete_reload)
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in
_start_apply_objects
transaction.execute(True)
File
"/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
161, in execute
raise
FirewallError(errors.COMMAND_FAILED, errorMsg)
firewall.errors.FirewallError: COMMAND_FAILED:
'/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
(nf_tables):
line 3:
CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
During
handling of the above exception, another exception occurred:
Traceback
(most recent call last):
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 638, in
start
self._start_failsafe()
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 629, in
_start_failsafe
self._start_apply_objects(reload=reload,
complete_reload=complete_reload)
File
"/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in
_start_apply_objects
transaction.execute(True)
File
"/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
161, in execute
raise
FirewallError(errors.COMMAND_FAILED, errorMsg)
firewall.errors.FirewallError: COMMAND_FAILED: 'python-nftables'
failed: internal:0:0-0: Error: Could not process rule: No such file or
directory
JSON blob:
{"nftables":
[{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
{"family": "inet", "name": "firewalld"}}},
{"add": {"table":
{"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could
not process rule: No such file or directory
JSON blob:
{"nftables":
[{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
{"family": "inet", "name": "firewalld"}}},
{"add": {"table":
{"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Failed
to load full stock configuration. This likely indicates a system level
issue, e.g. the firewall backend (nftables, iptables) is broken. All
hope is lost. Exiting.
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
'/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
(nf_tables):
line 3:
CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
line 3:
CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
'python-nftables' failed: internal:0:0-0: Error: Could not process
rule: No such file or directory
JSON blob:
{"nftables":
[{"metainfo": {"json_schema_version": 1}}, {"delete":
{"table":
{"family": "inet", "name": "firewalld"}}}]}
Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Raising
SystemExit in run_server
Jul 08 02:06:48 hostname.example.com systemd[1]: firewalld.service:
Deactivated successfully.
_______________________________________________
firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
10:47 a.m.
Hello,
I'm not sure. The Debian vps is running on OpenVZ if that helps.
Why would this only effect nftables and not the iptables backend?
Thanks.
Dave.
On 7/10/23, Eric Garver <egarver(a)redhat.com> wrote:
> This looks like the firewalld backends are broken, e.g. nftables,
> ebtables.
>
> Are you using a Debian provided kernel? Or is this a custom kernel for
> the VPS?
>
> On Sat, Jul 08, 2023 at 10:29:45AM -0400, David Mehler wrote:
>> Hello,
>>
>> I'm trying to get firewalld going on Debian 12 a vps. I've asked on
>> the debian users list who refered me here with a way to get more
>> verbose error messages, see below. Unfortunately I'm clueless as to
>> what this could be. It from what I can see looks like it's trying to
>> delete a chain and failing which causes firewalld to fail, though I
>> could be wrong, python and myself are not friends.
>>
>> Any help appreciated.
>> Thanks.
>> Dave.
>>
>> root@hostname:~#systemctl --full --no-pager status firewalld
>> ? firewalld.service - firewalld - dynamic firewall daemon
>> Loaded: loaded (/lib/systemd/system/firewalld.service; enabled;
>> preset: enabled)
>> Active: inactive (dead) since Sat 2023-07-08 02:06:48 EDT; 7h ago
>> Duration: 2.316s
>> Docs: man:firewalld(1)
>> Process: 77366 ExecStart=/usr/sbin/firewalld --nofork --nopid
>> (code=exited, status=0/SUCCESS)
>> Main PID: 77366 (code=exited, status=0/SUCCESS)
>>
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
>> (nf_tables):
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> 'python-nftables' failed: internal:0:0-0: Error: Could not process
>> rule: No such file or directory
>>
>>
>> JSON blob:
>> {"nftables":
>> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> {"family": "inet", "name":
"firewalld"}}}]}
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed:
>> ebtables-restore v1.8.9 (nf_tables):
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: Traceback (most
>> recent call last):
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 633, in
>> start
>>
>> self._start()
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 597, in
>> _start
>>
>> self._start_apply_objects(reload=reload,
>> complete_reload=complete_reload)
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in
>> _start_apply_objects
>>
>> transaction.execute(True)
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
>> 161, in execute
>> raise
>> FirewallError(errors.COMMAND_FAILED, errorMsg)
>>
>> firewall.errors.FirewallError: COMMAND_FAILED:
>> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
>> (nf_tables):
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>>
>>
>> During
>> handling of the above exception, another exception occurred:
>>
>> Traceback
>> (most recent call last):
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 638, in
>> start
>>
>> self._start_failsafe()
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 629, in
>> _start_failsafe
>>
>> self._start_apply_objects(reload=reload,
>> complete_reload=complete_reload)
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in
>> _start_apply_objects
>>
>> transaction.execute(True)
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
>> 161, in execute
>> raise
>> FirewallError(errors.COMMAND_FAILED, errorMsg)
>>
>> firewall.errors.FirewallError: COMMAND_FAILED: 'python-nftables'
>> failed: internal:0:0-0: Error: Could not process rule: No such file or
>> directory
>>
>>
>> JSON blob:
>> {"nftables":
>> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> {"family": "inet", "name":
"firewalld"}}}]}
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could
>> not process rule: No such file or directory
>>
>>
>> JSON blob:
>> {"nftables":
>> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> {"family": "inet", "name":
"firewalld"}}}]}
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Failed
>> to load full stock configuration. This likely indicates a system level
>> issue, e.g. the firewall backend (nftables, iptables) is broken. All
>> hope is lost. Exiting.
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
>> (nf_tables):
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> 'python-nftables' failed: internal:0:0-0: Error: Could not process
>> rule: No such file or directory
>>
>>
>> JSON blob:
>> {"nftables":
>> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> {"family": "inet", "name":
"firewalld"}}}]}
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Raising
>> SystemExit in run_server
>> Jul 08 02:06:48 hostname.example.com systemd[1]: firewalld.service:
>> Deactivated successfully.
>> _______________________________________________
>> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> firewalld-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>
>
12:18 p.m.
On Mon, Jul 10, 2023 at 11:47:50AM -0400, David Mehler wrote:
Hello,
I'm not sure. The Debian vps is running on OpenVZ if that helps.
Why would this only effect nftables and not the iptables backend?
It's possible that nftables is not usable inside OpenVZ. You can could
verify by trying to manipulate nftables manually.
e.g.
# nft list ruleset
# nft add table inet testing
If those commands don't work, then nftables in not functional inside the
OpenVZ environment.
Thanks.
Dave.
On 7/10/23, Eric Garver <egarver(a)redhat.com> wrote:
> This looks like the firewalld backends are broken, e.g. nftables,
> ebtables.
>
> Are you using a Debian provided kernel? Or is this a custom kernel for
> the VPS?
>
> On Sat, Jul 08, 2023 at 10:29:45AM -0400, David Mehler wrote:
>> Hello,
>>
>> I'm trying to get firewalld going on Debian 12 a vps. I've asked on
>> the debian users list who refered me here with a way to get more
>> verbose error messages, see below. Unfortunately I'm clueless as to
>> what this could be. It from what I can see looks like it's trying to
>> delete a chain and failing which causes firewalld to fail, though I
>> could be wrong, python and myself are not friends.
>>
>> Any help appreciated.
>> Thanks.
>> Dave.
>>
>> root@hostname:~#systemctl --full --no-pager status firewalld
>> ? firewalld.service - firewalld - dynamic firewall daemon
>> Loaded: loaded (/lib/systemd/system/firewalld.service; enabled;
>> preset: enabled)
>> Active: inactive (dead) since Sat 2023-07-08 02:06:48 EDT; 7h ago
>> Duration: 2.316s
>> Docs: man:firewalld(1)
>> Process: 77366 ExecStart=/usr/sbin/firewalld --nofork --nopid
>> (code=exited, status=0/SUCCESS)
>> Main PID: 77366 (code=exited, status=0/SUCCESS)
>>
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
>> (nf_tables):
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> 'python-nftables' failed: internal:0:0-0: Error: Could not process
>> rule: No such file or directory
>>
>>
>> JSON blob:
>> {"nftables":
>> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> {"family": "inet", "name":
"firewalld"}}}]}
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed:
>> ebtables-restore v1.8.9 (nf_tables):
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: Traceback (most
>> recent call last):
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 633, in
>> start
>>
>> self._start()
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 597, in
>> _start
>>
>> self._start_apply_objects(reload=reload,
>> complete_reload=complete_reload)
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in
>> _start_apply_objects
>>
>> transaction.execute(True)
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py",
line
>> 161, in execute
>> raise
>> FirewallError(errors.COMMAND_FAILED, errorMsg)
>>
>> firewall.errors.FirewallError: COMMAND_FAILED:
>> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
>> (nf_tables):
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>>
>>
>> During
>> handling of the above exception, another exception occurred:
>>
>> Traceback
>> (most recent call last):
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 638, in
>> start
>>
>> self._start_failsafe()
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 629, in
>> _start_failsafe
>>
>> self._start_apply_objects(reload=reload,
>> complete_reload=complete_reload)
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 495, in
>> _start_apply_objects
>>
>> transaction.execute(True)
>> File
>> "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py",
line
>> 161, in execute
>> raise
>> FirewallError(errors.COMMAND_FAILED, errorMsg)
>>
>> firewall.errors.FirewallError: COMMAND_FAILED: 'python-nftables'
>> failed: internal:0:0-0: Error: Could not process rule: No such file or
>> directory
>>
>>
>> JSON blob:
>> {"nftables":
>> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> {"family": "inet", "name":
"firewalld"}}}]}
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could
>> not process rule: No such file or directory
>>
>>
>> JSON blob:
>> {"nftables":
>> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> {"family": "inet", "name":
"firewalld"}}}]}
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Failed
>> to load full stock configuration. This likely indicates a system level
>> issue, e.g. the firewall backend (nftables, iptables) is broken. All
>> hope is lost. Exiting.
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore v1.8.9
>> (nf_tables):
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> line 3:
>> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> 'python-nftables' failed: internal:0:0-0: Error: Could not process
>> rule: No such file or directory
>>
>>
>> JSON blob:
>> {"nftables":
>> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> {"family": "inet", "name":
"firewalld"}}}]}
>> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Raising
>> SystemExit in run_server
>> Jul 08 02:06:48 hostname.example.com systemd[1]: firewalld.service:
>> Deactivated successfully.
>> _______________________________________________
>> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to
>> firewalld-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>>
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
>
>
5:41 p.m.
Hello,
Thanks. The nft does work.
Thanks.
Dave.
#nft list ruleset
table ip security {
chain INPUT_direct {
}
chain INPUT {
type filter hook input priority 150; policy accept;
counter packets 56202 bytes 9139773 jump INPUT_direct
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority 150; policy accept;
counter packets 60753 bytes 9859487 jump OUTPUT_direct
}
chain FORWARD_direct {
}
chain FORWARD {
type filter hook forward priority 150; policy accept;
counter packets 0 bytes 0 jump FORWARD_direct
}
}
table ip raw {
chain PREROUTING_direct {
}
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 65225 bytes 9686211 jump PREROUTING_direct
counter packets 65225 bytes 9686211 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
ip saddr 104.13.105.101 counter packets 4150 bytes 337011 goto PRE_public
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 61075 bytes 9349200 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
counter packets 60753 bytes 9859487 jump OUTPUT_direct
}
chain PRE_public {
counter packets 65225 bytes 9686211 jump PREROUTING_POLICIES_pre
counter packets 65225 bytes 9686211 jump PRE_public_pre
counter packets 65225 bytes 9686211 jump PRE_public_log
counter packets 65225 bytes 9686211 jump PRE_public_deny
counter packets 65225 bytes 9686211 jump PRE_public_allow
counter packets 65225 bytes 9686211 jump PRE_public_post
counter packets 65225 bytes 9686211 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_pre
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_log
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_deny
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_allow
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
table ip mangle {
chain PREROUTING_direct {
}
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
counter packets 65225 bytes 9686211 jump PREROUTING_direct
counter packets 65225 bytes 9686211 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
ip saddr 104.13.105.101 counter packets 4150 bytes 337011 goto PRE_public
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 61075 bytes 9349200 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain POSTROUTING_direct {
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
counter packets 60753 bytes 9859487 jump POSTROUTING_direct
}
chain INPUT_direct {
}
chain INPUT {
type filter hook input priority mangle; policy accept;
counter packets 65225 bytes 9686211 jump INPUT_direct
}
chain OUTPUT_direct {
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
counter packets 60753 bytes 9859487 jump OUTPUT_direct
}
chain FORWARD_direct {
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
counter packets 0 bytes 0 jump FORWARD_direct
}
chain PRE_public {
counter packets 65225 bytes 9686211 jump PREROUTING_POLICIES_pre
counter packets 65225 bytes 9686211 jump PRE_public_pre
counter packets 65225 bytes 9686211 jump PRE_public_log
counter packets 65225 bytes 9686211 jump PRE_public_deny
counter packets 65225 bytes 9686211 jump PRE_public_allow
counter packets 65225 bytes 9686211 jump PRE_public_post
counter packets 65225 bytes 9686211 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_pre
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_log
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_deny
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_allow
counter packets 65225 bytes 9686211 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
table ip nat {
chain PREROUTING_direct {
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 14049 bytes 730383 jump PREROUTING_direct
counter packets 14049 bytes 730383 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
ip saddr 104.13.105.101 counter packets 54 bytes 2816 goto PRE_public
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 13995 bytes 727567 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain POSTROUTING_direct {
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 59 bytes 3899 jump POSTROUTING_direct
counter packets 59 bytes 3899 jump POSTROUTING_ZONES
}
chain POSTROUTING_POLICIES_pre {
}
chain POSTROUTING_ZONES {
ip daddr 104.13.105.101 counter packets 0 bytes 0 goto POST_public
oifname "venet0:0" counter packets 0 bytes 0 goto POST_public
counter packets 59 bytes 3899 goto POST_public
}
chain POSTROUTING_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
counter packets 59 bytes 3899 jump OUTPUT_direct
counter packets 59 bytes 3899 jump OUTPUT_POLICIES_pre
counter packets 59 bytes 3899 jump OUTPUT_POLICIES_post
}
chain OUTPUT_POLICIES_pre {
}
chain OUTPUT_POLICIES_post {
}
chain POST_public {
counter packets 59 bytes 3899 jump POSTROUTING_POLICIES_pre
counter packets 59 bytes 3899 jump POST_public_pre
counter packets 59 bytes 3899 jump POST_public_log
counter packets 59 bytes 3899 jump POST_public_deny
counter packets 59 bytes 3899 jump POST_public_allow
counter packets 59 bytes 3899 jump POST_public_post
counter packets 59 bytes 3899 jump POSTROUTING_POLICIES_post
}
chain POST_public_pre {
}
chain POST_public_log {
}
chain POST_public_deny {
}
chain POST_public_allow {
}
chain POST_public_post {
}
chain PRE_public {
counter packets 14049 bytes 730383 jump PREROUTING_POLICIES_pre
counter packets 14049 bytes 730383 jump PRE_public_pre
counter packets 14049 bytes 730383 jump PRE_public_log
counter packets 14049 bytes 730383 jump PRE_public_deny
counter packets 14049 bytes 730383 jump PRE_public_allow
counter packets 14049 bytes 730383 jump PRE_public_post
counter packets 14049 bytes 730383 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6_pre
counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6_log
counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6_deny
counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6_allow
counter packets 14049 bytes 730383 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
ct status dnat counter packets 50758 bytes 8823750 accept
iifname "lo" counter packets 0 bytes 0 accept
ct state invalid counter packets 418 bytes 132078 drop
counter packets 14049 bytes 730383 jump INPUT_direct
counter packets 14049 bytes 730383 jump INPUT_ZONES
counter packets 0 bytes 0 reject with icmp type host-prohibited
}
chain INPUT_direct {
}
chain INPUT_POLICIES_pre {
counter packets 13953 bytes 725755 jump IN_allow-host-ipv6
}
chain INPUT_ZONES {
ip saddr 104.13.105.101 counter packets 54 bytes 2816 goto IN_public
iifname "venet0:0" counter packets 0 bytes 0 goto IN_public
counter packets 13995 bytes 727567 goto IN_public
}
chain INPUT_POLICIES_post {
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
ct status dnat counter packets 0 bytes 0 accept
iifname "lo" counter packets 0 bytes 0 accept
ct state invalid counter packets 0 bytes 0 drop
counter packets 0 bytes 0 jump FORWARD_direct
counter packets 0 bytes 0 jump FORWARD_ZONES
counter packets 0 bytes 0 reject with icmp type host-prohibited
}
chain FORWARD_direct {
}
chain FORWARD_POLICIES_pre {
}
chain FORWARD_ZONES {
ip saddr 104.13.105.101 counter packets 0 bytes 0 goto FWD_public
iifname "venet0:0" counter packets 0 bytes 0 goto FWD_public
counter packets 0 bytes 0 goto FWD_public
}
chain FORWARD_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
ct state related,established counter packets 60656 bytes 9851636 accept
oifname "lo" counter packets 0 bytes 0 accept
counter packets 97 bytes 7851 jump OUTPUT_direct
counter packets 97 bytes 7851 jump OUTPUT_POLICIES_pre
counter packets 97 bytes 7851 jump OUTPUT_POLICIES_post
}
chain OUTPUT_POLICIES_pre {
}
chain OUTPUT_POLICIES_post {
}
chain IN_public {
meta l4proto icmp counter packets 96 bytes 4628 accept
counter packets 13953 bytes 725755 jump INPUT_POLICIES_pre
counter packets 13953 bytes 725755 jump IN_public_pre
counter packets 13953 bytes 725755 jump IN_public_log
counter packets 13953 bytes 725755 jump IN_public_deny
counter packets 13953 bytes 725755 jump IN_public_allow
counter packets 8605 bytes 414360 jump IN_public_post
counter packets 8605 bytes 414360 jump INPUT_POLICIES_post
counter packets 8605 bytes 414360 reject
}
chain IN_public_pre {
}
chain IN_public_log {
}
chain IN_public_deny {
}
chain IN_public_allow {
tcp dport 22 counter packets 3741 bytes 224312 accept
tcp dport 80 counter packets 898 bytes 47735 accept
tcp dport 443 counter packets 228 bytes 11876 accept
tcp dport 25 counter packets 447 bytes 25664 accept
tcp dport 587 counter packets 24 bytes 1300 accept
tcp dport 143 counter packets 10 bytes 508 accept
}
chain IN_public_post {
}
chain FWD_public {
counter packets 0 bytes 0 jump FORWARD_POLICIES_pre
counter packets 0 bytes 0 jump FWD_public_pre
counter packets 0 bytes 0 jump FWD_public_log
counter packets 0 bytes 0 jump FWD_public_deny
counter packets 0 bytes 0 jump FWD_public_allow
counter packets 0 bytes 0 jump FWD_public_post
counter packets 0 bytes 0 jump FORWARD_POLICIES_post
counter packets 0 bytes 0 reject
}
chain FWD_public_pre {
}
chain FWD_public_log {
}
chain FWD_public_deny {
}
chain FWD_public_allow {
oifname "venet0:0" counter packets 0 bytes 0 accept
ip daddr 104.13.105.101 counter packets 0 bytes 0 accept
}
chain FWD_public_post {
}
chain IN_allow-host-ipv6 {
counter packets 13953 bytes 725755 jump IN_allow-host-ipv6_pre
counter packets 13953 bytes 725755 jump IN_allow-host-ipv6_log
counter packets 13953 bytes 725755 jump IN_allow-host-ipv6_deny
counter packets 13953 bytes 725755 jump IN_allow-host-ipv6_allow
counter packets 13953 bytes 725755 jump IN_allow-host-ipv6_post
}
chain IN_allow-host-ipv6_pre {
}
chain IN_allow-host-ipv6_log {
}
chain IN_allow-host-ipv6_deny {
}
chain IN_allow-host-ipv6_allow {
}
chain IN_allow-host-ipv6_post {
}
}
table ip6 security {
chain INPUT_direct {
}
chain INPUT {
type filter hook input priority 150; policy accept;
counter packets 0 bytes 0 jump INPUT_direct
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority 150; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
}
chain FORWARD_direct {
}
chain FORWARD {
type filter hook forward priority 150; policy accept;
counter packets 0 bytes 0 jump FORWARD_direct
}
}
table ip6 raw {
chain PREROUTING_direct {
}
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 0 bytes 0 jump PREROUTING_direct
counter packets 0 bytes 0 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 0 bytes 0 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
}
chain PRE_public {
counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre
counter packets 0 bytes 0 jump PRE_public_pre
counter packets 0 bytes 0 jump PRE_public_log
counter packets 0 bytes 0 jump PRE_public_deny
counter packets 0 bytes 0 jump PRE_public_allow
counter packets 0 bytes 0 jump PRE_public_post
counter packets 0 bytes 0 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
table ip6 mangle {
chain PREROUTING_direct {
}
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
counter packets 0 bytes 0 jump PREROUTING_direct
counter packets 0 bytes 0 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 0 bytes 0 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain POSTROUTING_direct {
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
counter packets 0 bytes 0 jump POSTROUTING_direct
}
chain INPUT_direct {
}
chain INPUT {
type filter hook input priority mangle; policy accept;
counter packets 0 bytes 0 jump INPUT_direct
}
chain OUTPUT_direct {
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
}
chain FORWARD_direct {
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
counter packets 0 bytes 0 jump FORWARD_direct
}
chain PRE_public {
counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre
counter packets 0 bytes 0 jump PRE_public_pre
counter packets 0 bytes 0 jump PRE_public_log
counter packets 0 bytes 0 jump PRE_public_deny
counter packets 0 bytes 0 jump PRE_public_allow
counter packets 0 bytes 0 jump PRE_public_post
counter packets 0 bytes 0 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
table ip6 nat {
chain PREROUTING_direct {
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 0 bytes 0 jump PREROUTING_direct
counter packets 0 bytes 0 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 0 bytes 0 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain POSTROUTING_direct {
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 0 bytes 0 jump POSTROUTING_direct
counter packets 0 bytes 0 jump POSTROUTING_ZONES
}
chain POSTROUTING_POLICIES_pre {
}
chain POSTROUTING_ZONES {
oifname "venet0:0" counter packets 0 bytes 0 goto POST_public
counter packets 0 bytes 0 goto POST_public
}
chain POSTROUTING_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
counter packets 0 bytes 0 jump OUTPUT_POLICIES_pre
counter packets 0 bytes 0 jump OUTPUT_POLICIES_post
}
chain OUTPUT_POLICIES_pre {
}
chain OUTPUT_POLICIES_post {
}
chain POST_public {
counter packets 0 bytes 0 jump POSTROUTING_POLICIES_pre
counter packets 0 bytes 0 jump POST_public_pre
counter packets 0 bytes 0 jump POST_public_log
counter packets 0 bytes 0 jump POST_public_deny
counter packets 0 bytes 0 jump POST_public_allow
counter packets 0 bytes 0 jump POST_public_post
counter packets 0 bytes 0 jump POSTROUTING_POLICIES_post
}
chain POST_public_pre {
}
chain POST_public_log {
}
chain POST_public_deny {
}
chain POST_public_allow {
}
chain POST_public_post {
}
chain PRE_public {
counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre
counter packets 0 bytes 0 jump PRE_public_pre
counter packets 0 bytes 0 jump PRE_public_log
counter packets 0 bytes 0 jump PRE_public_deny
counter packets 0 bytes 0 jump PRE_public_allow
counter packets 0 bytes 0 jump PRE_public_post
counter packets 0 bytes 0 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
chain INPUT {
type filter hook input priority filter; policy accept;
ct status dnat counter packets 0 bytes 0 accept
iifname "lo" counter packets 0 bytes 0 accept
ct state invalid counter packets 0 bytes 0 drop
counter packets 0 bytes 0 jump INPUT_direct
counter packets 0 bytes 0 jump INPUT_ZONES
counter packets 0 bytes 0 reject with icmpv6 type admin-prohibited
}
chain INPUT_direct {
}
chain INPUT_POLICIES_pre {
counter packets 0 bytes 0 jump IN_allow-host-ipv6
}
chain INPUT_ZONES {
iifname "venet0:0" counter packets 0 bytes 0 goto IN_public
counter packets 0 bytes 0 goto IN_public
}
chain INPUT_POLICIES_post {
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump RFC3964_IPv4
ct status dnat counter packets 0 bytes 0 accept
iifname "lo" counter packets 0 bytes 0 accept
ct state invalid counter packets 0 bytes 0 drop
counter packets 0 bytes 0 jump FORWARD_direct
counter packets 0 bytes 0 jump FORWARD_ZONES
counter packets 0 bytes 0 reject with icmpv6 type admin-prohibited
}
chain FORWARD_direct {
}
chain FORWARD_POLICIES_pre {
}
chain FORWARD_ZONES {
iifname "venet0:0" counter packets 0 bytes 0 goto FWD_public
counter packets 0 bytes 0 goto FWD_public
}
chain FORWARD_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 0 bytes 0 jump RFC3964_IPv4
ct state related,established counter packets 0 bytes 0 accept
oifname "lo" counter packets 0 bytes 0 accept
counter packets 0 bytes 0 jump OUTPUT_direct
counter packets 0 bytes 0 jump OUTPUT_POLICIES_pre
counter packets 0 bytes 0 jump OUTPUT_POLICIES_post
}
chain OUTPUT_POLICIES_pre {
}
chain OUTPUT_POLICIES_post {
}
chain RFC3964_IPv4 {
ip6 daddr 2002:e000::/19 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr 2002:a9fe::/32 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr 2002:c0a8::/32 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr 2002:ac10::/28 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr 2002:7f00::/24 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr 2002:a00::/24 counter packets 0 bytes 0 reject with icmpv6
type addr-unreachable
ip6 daddr 2002::/24 counter packets 0 bytes 0 reject with icmpv6
type addr-unreachable
ip6 daddr ::ffff:0.0.0.0/96 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr ::/96 counter packets 0 bytes 0 reject with icmpv6 type
addr-unreachable
}
chain IN_public {
meta l4proto ipv6-icmp counter packets 0 bytes 0 accept
counter packets 0 bytes 0 jump INPUT_POLICIES_pre
counter packets 0 bytes 0 jump IN_public_pre
counter packets 0 bytes 0 jump IN_public_log
counter packets 0 bytes 0 jump IN_public_deny
counter packets 0 bytes 0 jump IN_public_allow
counter packets 0 bytes 0 jump IN_public_post
counter packets 0 bytes 0 jump INPUT_POLICIES_post
counter packets 0 bytes 0 reject
}
chain IN_public_pre {
}
chain IN_public_log {
}
chain IN_public_deny {
}
chain IN_public_allow {
tcp dport 22 counter packets 0 bytes 0 accept
ip6 daddr fe80::/64 udp dport 546 counter packets 0 bytes 0 accept
tcp dport 80 counter packets 0 bytes 0 accept
tcp dport 443 counter packets 0 bytes 0 accept
tcp dport 25 counter packets 0 bytes 0 accept
tcp dport 587 counter packets 0 bytes 0 accept
tcp dport 143 counter packets 0 bytes 0 accept
}
chain IN_public_post {
}
chain FWD_public {
counter packets 0 bytes 0 jump FORWARD_POLICIES_pre
counter packets 0 bytes 0 jump FWD_public_pre
counter packets 0 bytes 0 jump FWD_public_log
counter packets 0 bytes 0 jump FWD_public_deny
counter packets 0 bytes 0 jump FWD_public_allow
counter packets 0 bytes 0 jump FWD_public_post
counter packets 0 bytes 0 jump FORWARD_POLICIES_post
counter packets 0 bytes 0 reject
}
chain FWD_public_pre {
}
chain FWD_public_log {
}
chain FWD_public_deny {
}
chain FWD_public_allow {
oifname "venet0:0" counter packets 0 bytes 0 accept
}
chain FWD_public_post {
}
chain IN_allow-host-ipv6 {
counter packets 0 bytes 0 jump IN_allow-host-ipv6_pre
counter packets 0 bytes 0 jump IN_allow-host-ipv6_log
counter packets 0 bytes 0 jump IN_allow-host-ipv6_deny
counter packets 0 bytes 0 jump IN_allow-host-ipv6_allow
counter packets 0 bytes 0 jump IN_allow-host-ipv6_post
}
chain IN_allow-host-ipv6_pre {
}
chain IN_allow-host-ipv6_log {
}
chain IN_allow-host-ipv6_deny {
}
chain IN_allow-host-ipv6_allow {
meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert counter
packets 0 bytes 0 accept
meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit counter
packets 0 bytes 0 accept
meta l4proto ipv6-icmp icmpv6 type nd-router-advert counter packets
0 bytes 0 accept
meta l4proto ipv6-icmp icmpv6 type nd-redirect counter packets 0
bytes 0 accept
}
chain IN_allow-host-ipv6_post {
}
}
table inet testing {
}
table bridge nat {
chain PREROUTING_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain PREROUTING {
type filter hook prerouting priority dstnat; policy accept;
counter packets 0 bytes 0 jump PREROUTING_direct
}
chain POSTROUTING_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain POSTROUTING {
type filter hook postrouting priority srcnat; policy accept;
counter packets 0 bytes 0 jump POSTROUTING_direct
}
chain OUTPUT_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority out; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
}
}
table bridge filter {
chain INPUT_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 0 bytes 0 jump INPUT_direct
}
chain OUTPUT_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
}
chain FORWARD_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump FORWARD_direct
}
}
#nft add table inet testing
#nft add table inet testinglist ruleset
table ip security {
chain INPUT_direct {
}
chain INPUT {
type filter hook input priority 150; policy accept;
counter packets 56231 bytes 9141307 jump INPUT_direct
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority 150; policy accept;
counter packets 60787 bytes 9898317 jump OUTPUT_direct
}
chain FORWARD_direct {
}
chain FORWARD {
type filter hook forward priority 150; policy accept;
counter packets 0 bytes 0 jump FORWARD_direct
}
}
table ip raw {
chain PREROUTING_direct {
}
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 65257 bytes 9687865 jump PREROUTING_direct
counter packets 65257 bytes 9687865 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
ip saddr 104.13.105.101 counter packets 4178 bytes 338511 goto PRE_public
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 61079 bytes 9349354 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
counter packets 60787 bytes 9898317 jump OUTPUT_direct
}
chain PRE_public {
counter packets 65257 bytes 9687865 jump PREROUTING_POLICIES_pre
counter packets 65257 bytes 9687865 jump PRE_public_pre
counter packets 65257 bytes 9687865 jump PRE_public_log
counter packets 65257 bytes 9687865 jump PRE_public_deny
counter packets 65257 bytes 9687865 jump PRE_public_allow
counter packets 65257 bytes 9687865 jump PRE_public_post
counter packets 65257 bytes 9687865 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_pre
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_log
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_deny
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_allow
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
table ip mangle {
chain PREROUTING_direct {
}
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
counter packets 65257 bytes 9687865 jump PREROUTING_direct
counter packets 65257 bytes 9687865 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
ip saddr 104.13.105.101 counter packets 4178 bytes 338511 goto PRE_public
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 61079 bytes 9349354 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain POSTROUTING_direct {
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
counter packets 60787 bytes 9898317 jump POSTROUTING_direct
}
chain INPUT_direct {
}
chain INPUT {
type filter hook input priority mangle; policy accept;
counter packets 65257 bytes 9687865 jump INPUT_direct
}
chain OUTPUT_direct {
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
counter packets 60787 bytes 9898317 jump OUTPUT_direct
}
chain FORWARD_direct {
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
counter packets 0 bytes 0 jump FORWARD_direct
}
chain PRE_public {
counter packets 65257 bytes 9687865 jump PREROUTING_POLICIES_pre
counter packets 65257 bytes 9687865 jump PRE_public_pre
counter packets 65257 bytes 9687865 jump PRE_public_log
counter packets 65257 bytes 9687865 jump PRE_public_deny
counter packets 65257 bytes 9687865 jump PRE_public_allow
counter packets 65257 bytes 9687865 jump PRE_public_post
counter packets 65257 bytes 9687865 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_pre
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_log
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_deny
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_allow
counter packets 65257 bytes 9687865 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
table ip nat {
chain PREROUTING_direct {
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 14053 bytes 730537 jump PREROUTING_direct
counter packets 14053 bytes 730537 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
ip saddr 104.13.105.101 counter packets 54 bytes 2816 goto PRE_public
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 13999 bytes 727721 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain POSTROUTING_direct {
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 59 bytes 3899 jump POSTROUTING_direct
counter packets 59 bytes 3899 jump POSTROUTING_ZONES
}
chain POSTROUTING_POLICIES_pre {
}
chain POSTROUTING_ZONES {
ip daddr 104.13.105.101 counter packets 0 bytes 0 goto POST_public
oifname "venet0:0" counter packets 0 bytes 0 goto POST_public
counter packets 59 bytes 3899 goto POST_public
}
chain POSTROUTING_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
counter packets 59 bytes 3899 jump OUTPUT_direct
counter packets 59 bytes 3899 jump OUTPUT_POLICIES_pre
counter packets 59 bytes 3899 jump OUTPUT_POLICIES_post
}
chain OUTPUT_POLICIES_pre {
}
chain OUTPUT_POLICIES_post {
}
chain POST_public {
counter packets 59 bytes 3899 jump POSTROUTING_POLICIES_pre
counter packets 59 bytes 3899 jump POST_public_pre
counter packets 59 bytes 3899 jump POST_public_log
counter packets 59 bytes 3899 jump POST_public_deny
counter packets 59 bytes 3899 jump POST_public_allow
counter packets 59 bytes 3899 jump POST_public_post
counter packets 59 bytes 3899 jump POSTROUTING_POLICIES_post
}
chain POST_public_pre {
}
chain POST_public_log {
}
chain POST_public_deny {
}
chain POST_public_allow {
}
chain POST_public_post {
}
chain PRE_public {
counter packets 14053 bytes 730537 jump PREROUTING_POLICIES_pre
counter packets 14053 bytes 730537 jump PRE_public_pre
counter packets 14053 bytes 730537 jump PRE_public_log
counter packets 14053 bytes 730537 jump PRE_public_deny
counter packets 14053 bytes 730537 jump PRE_public_allow
counter packets 14053 bytes 730537 jump PRE_public_post
counter packets 14053 bytes 730537 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6_pre
counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6_log
counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6_deny
counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6_allow
counter packets 14053 bytes 730537 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
ct status dnat counter packets 50786 bytes 8825250 accept
iifname "lo" counter packets 0 bytes 0 accept
ct state invalid counter packets 418 bytes 132078 drop
counter packets 14053 bytes 730537 jump INPUT_direct
counter packets 14053 bytes 730537 jump INPUT_ZONES
counter packets 0 bytes 0 reject with icmp type host-prohibited
}
chain INPUT_direct {
}
chain INPUT_POLICIES_pre {
counter packets 13956 bytes 725875 jump IN_allow-host-ipv6
}
chain INPUT_ZONES {
ip saddr 104.13.105.101 counter packets 54 bytes 2816 goto IN_public
iifname "venet0:0" counter packets 0 bytes 0 goto IN_public
counter packets 13999 bytes 727721 goto IN_public
}
chain INPUT_POLICIES_post {
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
ct status dnat counter packets 0 bytes 0 accept
iifname "lo" counter packets 0 bytes 0 accept
ct state invalid counter packets 0 bytes 0 drop
counter packets 0 bytes 0 jump FORWARD_direct
counter packets 0 bytes 0 jump FORWARD_ZONES
counter packets 0 bytes 0 reject with icmp type host-prohibited
}
chain FORWARD_direct {
}
chain FORWARD_POLICIES_pre {
}
chain FORWARD_ZONES {
ip saddr 104.13.105.101 counter packets 0 bytes 0 goto FWD_public
iifname "venet0:0" counter packets 0 bytes 0 goto FWD_public
counter packets 0 bytes 0 goto FWD_public
}
chain FORWARD_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
ct state related,established counter packets 60690 bytes 9890466 accept
oifname "lo" counter packets 0 bytes 0 accept
counter packets 97 bytes 7851 jump OUTPUT_direct
counter packets 97 bytes 7851 jump OUTPUT_POLICIES_pre
counter packets 97 bytes 7851 jump OUTPUT_POLICIES_post
}
chain OUTPUT_POLICIES_pre {
}
chain OUTPUT_POLICIES_post {
}
chain IN_public {
meta l4proto icmp counter packets 97 bytes 4662 accept
counter packets 13956 bytes 725875 jump INPUT_POLICIES_pre
counter packets 13956 bytes 725875 jump IN_public_pre
counter packets 13956 bytes 725875 jump IN_public_log
counter packets 13956 bytes 725875 jump IN_public_deny
counter packets 13956 bytes 725875 jump IN_public_allow
counter packets 8608 bytes 414480 jump IN_public_post
counter packets 8608 bytes 414480 jump INPUT_POLICIES_post
counter packets 8608 bytes 414480 reject
}
chain IN_public_pre {
}
chain IN_public_log {
}
chain IN_public_deny {
}
chain IN_public_allow {
tcp dport 22 counter packets 3741 bytes 224312 accept
tcp dport 80 counter packets 898 bytes 47735 accept
tcp dport 443 counter packets 228 bytes 11876 accept
tcp dport 25 counter packets 447 bytes 25664 accept
tcp dport 587 counter packets 24 bytes 1300 accept
tcp dport 143 counter packets 10 bytes 508 accept
}
chain IN_public_post {
}
chain FWD_public {
counter packets 0 bytes 0 jump FORWARD_POLICIES_pre
counter packets 0 bytes 0 jump FWD_public_pre
counter packets 0 bytes 0 jump FWD_public_log
counter packets 0 bytes 0 jump FWD_public_deny
counter packets 0 bytes 0 jump FWD_public_allow
counter packets 0 bytes 0 jump FWD_public_post
counter packets 0 bytes 0 jump FORWARD_POLICIES_post
counter packets 0 bytes 0 reject
}
chain FWD_public_pre {
}
chain FWD_public_log {
}
chain FWD_public_deny {
}
chain FWD_public_allow {
oifname "venet0:0" counter packets 0 bytes 0 accept
ip daddr 104.13.105.101 counter packets 0 bytes 0 accept
}
chain FWD_public_post {
}
chain IN_allow-host-ipv6 {
counter packets 13956 bytes 725875 jump IN_allow-host-ipv6_pre
counter packets 13956 bytes 725875 jump IN_allow-host-ipv6_log
counter packets 13956 bytes 725875 jump IN_allow-host-ipv6_deny
counter packets 13956 bytes 725875 jump IN_allow-host-ipv6_allow
counter packets 13956 bytes 725875 jump IN_allow-host-ipv6_post
}
chain IN_allow-host-ipv6_pre {
}
chain IN_allow-host-ipv6_log {
}
chain IN_allow-host-ipv6_deny {
}
chain IN_allow-host-ipv6_allow {
}
chain IN_allow-host-ipv6_post {
}
}
table ip6 security {
chain INPUT_direct {
}
chain INPUT {
type filter hook input priority 150; policy accept;
counter packets 0 bytes 0 jump INPUT_direct
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority 150; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
}
chain FORWARD_direct {
}
chain FORWARD {
type filter hook forward priority 150; policy accept;
counter packets 0 bytes 0 jump FORWARD_direct
}
}
table ip6 raw {
chain PREROUTING_direct {
}
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 0 bytes 0 jump PREROUTING_direct
counter packets 0 bytes 0 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 0 bytes 0 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
}
chain PRE_public {
counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre
counter packets 0 bytes 0 jump PRE_public_pre
counter packets 0 bytes 0 jump PRE_public_log
counter packets 0 bytes 0 jump PRE_public_deny
counter packets 0 bytes 0 jump PRE_public_allow
counter packets 0 bytes 0 jump PRE_public_post
counter packets 0 bytes 0 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
table ip6 mangle {
chain PREROUTING_direct {
}
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
counter packets 0 bytes 0 jump PREROUTING_direct
counter packets 0 bytes 0 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 0 bytes 0 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain POSTROUTING_direct {
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
counter packets 0 bytes 0 jump POSTROUTING_direct
}
chain INPUT_direct {
}
chain INPUT {
type filter hook input priority mangle; policy accept;
counter packets 0 bytes 0 jump INPUT_direct
}
chain OUTPUT_direct {
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
}
chain FORWARD_direct {
}
chain FORWARD {
type filter hook forward priority mangle; policy accept;
counter packets 0 bytes 0 jump FORWARD_direct
}
chain PRE_public {
counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre
counter packets 0 bytes 0 jump PRE_public_pre
counter packets 0 bytes 0 jump PRE_public_log
counter packets 0 bytes 0 jump PRE_public_deny
counter packets 0 bytes 0 jump PRE_public_allow
counter packets 0 bytes 0 jump PRE_public_post
counter packets 0 bytes 0 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
table ip6 nat {
chain PREROUTING_direct {
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 0 bytes 0 jump PREROUTING_direct
counter packets 0 bytes 0 jump PREROUTING_ZONES
}
chain PREROUTING_POLICIES_pre {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6
}
chain PREROUTING_ZONES {
iifname "venet0:0" counter packets 0 bytes 0 goto PRE_public
counter packets 0 bytes 0 goto PRE_public
}
chain PREROUTING_POLICIES_post {
}
chain POSTROUTING_direct {
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 0 bytes 0 jump POSTROUTING_direct
counter packets 0 bytes 0 jump POSTROUTING_ZONES
}
chain POSTROUTING_POLICIES_pre {
}
chain POSTROUTING_ZONES {
oifname "venet0:0" counter packets 0 bytes 0 goto POST_public
counter packets 0 bytes 0 goto POST_public
}
chain POSTROUTING_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
counter packets 0 bytes 0 jump OUTPUT_POLICIES_pre
counter packets 0 bytes 0 jump OUTPUT_POLICIES_post
}
chain OUTPUT_POLICIES_pre {
}
chain OUTPUT_POLICIES_post {
}
chain POST_public {
counter packets 0 bytes 0 jump POSTROUTING_POLICIES_pre
counter packets 0 bytes 0 jump POST_public_pre
counter packets 0 bytes 0 jump POST_public_log
counter packets 0 bytes 0 jump POST_public_deny
counter packets 0 bytes 0 jump POST_public_allow
counter packets 0 bytes 0 jump POST_public_post
counter packets 0 bytes 0 jump POSTROUTING_POLICIES_post
}
chain POST_public_pre {
}
chain POST_public_log {
}
chain POST_public_deny {
}
chain POST_public_allow {
}
chain POST_public_post {
}
chain PRE_public {
counter packets 0 bytes 0 jump PREROUTING_POLICIES_pre
counter packets 0 bytes 0 jump PRE_public_pre
counter packets 0 bytes 0 jump PRE_public_log
counter packets 0 bytes 0 jump PRE_public_deny
counter packets 0 bytes 0 jump PRE_public_allow
counter packets 0 bytes 0 jump PRE_public_post
counter packets 0 bytes 0 jump PREROUTING_POLICIES_post
}
chain PRE_public_pre {
}
chain PRE_public_log {
}
chain PRE_public_deny {
}
chain PRE_public_allow {
}
chain PRE_public_post {
}
chain PRE_allow-host-ipv6 {
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_pre
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_log
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_deny
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_allow
counter packets 0 bytes 0 jump PRE_allow-host-ipv6_post
}
chain PRE_allow-host-ipv6_pre {
}
chain PRE_allow-host-ipv6_log {
}
chain PRE_allow-host-ipv6_deny {
}
chain PRE_allow-host-ipv6_allow {
}
chain PRE_allow-host-ipv6_post {
}
}
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
table ip6 filter {
chain INPUT {
type filter hook input priority filter; policy accept;
ct status dnat counter packets 0 bytes 0 accept
iifname "lo" counter packets 0 bytes 0 accept
ct state invalid counter packets 0 bytes 0 drop
counter packets 0 bytes 0 jump INPUT_direct
counter packets 0 bytes 0 jump INPUT_ZONES
counter packets 0 bytes 0 reject with icmpv6 type admin-prohibited
}
chain INPUT_direct {
}
chain INPUT_POLICIES_pre {
counter packets 0 bytes 0 jump IN_allow-host-ipv6
}
chain INPUT_ZONES {
iifname "venet0:0" counter packets 0 bytes 0 goto IN_public
counter packets 0 bytes 0 goto IN_public
}
chain INPUT_POLICIES_post {
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump RFC3964_IPv4
ct status dnat counter packets 0 bytes 0 accept
iifname "lo" counter packets 0 bytes 0 accept
ct state invalid counter packets 0 bytes 0 drop
counter packets 0 bytes 0 jump FORWARD_direct
counter packets 0 bytes 0 jump FORWARD_ZONES
counter packets 0 bytes 0 reject with icmpv6 type admin-prohibited
}
chain FORWARD_direct {
}
chain FORWARD_POLICIES_pre {
}
chain FORWARD_ZONES {
iifname "venet0:0" counter packets 0 bytes 0 goto FWD_public
counter packets 0 bytes 0 goto FWD_public
}
chain FORWARD_POLICIES_post {
}
chain OUTPUT_direct {
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 0 bytes 0 jump RFC3964_IPv4
ct state related,established counter packets 0 bytes 0 accept
oifname "lo" counter packets 0 bytes 0 accept
counter packets 0 bytes 0 jump OUTPUT_direct
counter packets 0 bytes 0 jump OUTPUT_POLICIES_pre
counter packets 0 bytes 0 jump OUTPUT_POLICIES_post
}
chain OUTPUT_POLICIES_pre {
}
chain OUTPUT_POLICIES_post {
}
chain RFC3964_IPv4 {
ip6 daddr 2002:e000::/19 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr 2002:a9fe::/32 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr 2002:c0a8::/32 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr 2002:ac10::/28 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr 2002:7f00::/24 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr 2002:a00::/24 counter packets 0 bytes 0 reject with icmpv6
type addr-unreachable
ip6 daddr 2002::/24 counter packets 0 bytes 0 reject with icmpv6
type addr-unreachable
ip6 daddr ::ffff:0.0.0.0/96 counter packets 0 bytes 0 reject with
icmpv6 type addr-unreachable
ip6 daddr ::/96 counter packets 0 bytes 0 reject with icmpv6 type
addr-unreachable
}
chain IN_public {
meta l4proto ipv6-icmp counter packets 0 bytes 0 accept
counter packets 0 bytes 0 jump INPUT_POLICIES_pre
counter packets 0 bytes 0 jump IN_public_pre
counter packets 0 bytes 0 jump IN_public_log
counter packets 0 bytes 0 jump IN_public_deny
counter packets 0 bytes 0 jump IN_public_allow
counter packets 0 bytes 0 jump IN_public_post
counter packets 0 bytes 0 jump INPUT_POLICIES_post
counter packets 0 bytes 0 reject
}
chain IN_public_pre {
}
chain IN_public_log {
}
chain IN_public_deny {
}
chain IN_public_allow {
tcp dport 22 counter packets 0 bytes 0 accept
ip6 daddr fe80::/64 udp dport 546 counter packets 0 bytes 0 accept
tcp dport 80 counter packets 0 bytes 0 accept
tcp dport 443 counter packets 0 bytes 0 accept
tcp dport 25 counter packets 0 bytes 0 accept
tcp dport 587 counter packets 0 bytes 0 accept
tcp dport 143 counter packets 0 bytes 0 accept
}
chain IN_public_post {
}
chain FWD_public {
counter packets 0 bytes 0 jump FORWARD_POLICIES_pre
counter packets 0 bytes 0 jump FWD_public_pre
counter packets 0 bytes 0 jump FWD_public_log
counter packets 0 bytes 0 jump FWD_public_deny
counter packets 0 bytes 0 jump FWD_public_allow
counter packets 0 bytes 0 jump FWD_public_post
counter packets 0 bytes 0 jump FORWARD_POLICIES_post
counter packets 0 bytes 0 reject
}
chain FWD_public_pre {
}
chain FWD_public_log {
}
chain FWD_public_deny {
}
chain FWD_public_allow {
oifname "venet0:0" counter packets 0 bytes 0 accept
}
chain FWD_public_post {
}
chain IN_allow-host-ipv6 {
counter packets 0 bytes 0 jump IN_allow-host-ipv6_pre
counter packets 0 bytes 0 jump IN_allow-host-ipv6_log
counter packets 0 bytes 0 jump IN_allow-host-ipv6_deny
counter packets 0 bytes 0 jump IN_allow-host-ipv6_allow
counter packets 0 bytes 0 jump IN_allow-host-ipv6_post
}
chain IN_allow-host-ipv6_pre {
}
chain IN_allow-host-ipv6_log {
}
chain IN_allow-host-ipv6_deny {
}
chain IN_allow-host-ipv6_allow {
meta l4proto ipv6-icmp icmpv6 type nd-neighbor-advert counter
packets 0 bytes 0 accept
meta l4proto ipv6-icmp icmpv6 type nd-neighbor-solicit counter
packets 0 bytes 0 accept
meta l4proto ipv6-icmp icmpv6 type nd-router-advert counter packets
0 bytes 0 accept
meta l4proto ipv6-icmp icmpv6 type nd-redirect counter packets 0
bytes 0 accept
}
chain IN_allow-host-ipv6_post {
}
}
table inet testing {
}
table bridge nat {
chain PREROUTING_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain PREROUTING {
type filter hook prerouting priority dstnat; policy accept;
counter packets 0 bytes 0 jump PREROUTING_direct
}
chain POSTROUTING_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain POSTROUTING {
type filter hook postrouting priority srcnat; policy accept;
counter packets 0 bytes 0 jump POSTROUTING_direct
}
chain OUTPUT_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority out; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
}
}
table bridge filter {
chain INPUT_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 0 bytes 0 jump INPUT_direct
}
chain OUTPUT_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 0 bytes 0 jump OUTPUT_direct
}
chain FORWARD_direct {
counter packets 0 bytes 0 return
counter packets 0 bytes 0 accept
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump FORWARD_direct
}
}
On 7/10/23, Eric Garver <egarver(a)redhat.com> wrote:
> On Mon, Jul 10, 2023 at 11:47:50AM -0400, David Mehler wrote:
>> Hello,
>>
>> I'm not sure. The Debian vps is running on OpenVZ if that helps.
>>
>> Why would this only effect nftables and not the iptables backend?
>
> It's possible that nftables is not usable inside OpenVZ. You can could
> verify by trying to manipulate nftables manually.
>
> e.g.
>
> # nft list ruleset
>
> # nft add table inet testing
>
> If those commands don't work, then nftables in not functional inside the
> OpenVZ environment.
>
>> Thanks.
>> Dave.
>>
>>
>> On 7/10/23, Eric Garver <egarver(a)redhat.com> wrote:
>> > This looks like the firewalld backends are broken, e.g. nftables,
>> > ebtables.
>> >
>> > Are you using a Debian provided kernel? Or is this a custom kernel for
>> > the VPS?
>> >
>> > On Sat, Jul 08, 2023 at 10:29:45AM -0400, David Mehler wrote:
>> >> Hello,
>> >>
>> >> I'm trying to get firewalld going on Debian 12 a vps. I've asked
on
>> >> the debian users list who refered me here with a way to get more
>> >> verbose error messages, see below. Unfortunately I'm clueless as to
>> >> what this could be. It from what I can see looks like it's trying
to
>> >> delete a chain and failing which causes firewalld to fail, though I
>> >> could be wrong, python and myself are not friends.
>> >>
>> >> Any help appreciated.
>> >> Thanks.
>> >> Dave.
>> >>
>> >> root@hostname:~#systemctl --full --no-pager status firewalld
>> >> ? firewalld.service - firewalld - dynamic firewall daemon
>> >> Loaded: loaded (/lib/systemd/system/firewalld.service; enabled;
>> >> preset: enabled)
>> >> Active: inactive (dead) since Sat 2023-07-08 02:06:48 EDT; 7h ago
>> >> Duration: 2.316s
>> >> Docs: man:firewalld(1)
>> >> Process: 77366 ExecStart=/usr/sbin/firewalld --nofork --nopid
>> >> (code=exited, status=0/SUCCESS)
>> >> Main PID: 77366 (code=exited, status=0/SUCCESS)
>> >>
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore
v1.8.9
>> >> (nf_tables):
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> 'python-nftables' failed: internal:0:0-0: Error: Could not
process
>> >> rule: No such file or directory
>> >>
>> >>
>> >> JSON blob:
>> >>
{"nftables":
>> >> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}]}
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed:
>> >> ebtables-restore v1.8.9 (nf_tables):
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: Traceback (most
>> >> recent call last):
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
633, in
>> >> start
>> >>
>> >> self._start()
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
597, in
>> >> _start
>> >>
>> >> self._start_apply_objects(reload=reload,
>> >> complete_reload=complete_reload)
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
495, in
>> >> _start_apply_objects
>> >>
>> >> transaction.execute(True)
>> >> File
>> >>
"/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
>> >> 161, in execute
>> >> raise
>> >> FirewallError(errors.COMMAND_FAILED, errorMsg)
>> >>
>> >> firewall.errors.FirewallError: COMMAND_FAILED:
>> >> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore
v1.8.9
>> >> (nf_tables):
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> >>
>> >>
>> >> During
>> >> handling of the above exception, another exception occurred:
>> >>
>> >> Traceback
>> >> (most recent call last):
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
638, in
>> >> start
>> >>
>> >> self._start_failsafe()
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
629, in
>> >> _start_failsafe
>> >>
>> >> self._start_apply_objects(reload=reload,
>> >> complete_reload=complete_reload)
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
495, in
>> >> _start_apply_objects
>> >>
>> >> transaction.execute(True)
>> >> File
>> >>
"/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
>> >> 161, in execute
>> >> raise
>> >> FirewallError(errors.COMMAND_FAILED, errorMsg)
>> >>
>> >> firewall.errors.FirewallError: COMMAND_FAILED:
'python-nftables'
>> >> failed: internal:0:0-0: Error: Could not process rule: No such file or
>> >> directory
>> >>
>> >>
>> >> JSON blob:
>> >>
{"nftables":
>> >> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}]}
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error:
Could
>> >> not process rule: No such file or directory
>> >>
>> >>
>> >> JSON blob:
>> >>
{"nftables":
>> >> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}]}
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Failed
>> >> to load full stock configuration. This likely indicates a system level
>> >> issue, e.g. the firewall backend (nftables, iptables) is broken. All
>> >> hope is lost. Exiting.
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore
v1.8.9
>> >> (nf_tables):
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> 'python-nftables' failed: internal:0:0-0: Error: Could not
process
>> >> rule: No such file or directory
>> >>
>> >>
>> >> JSON blob:
>> >>
{"nftables":
>> >> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}]}
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Raising
>> >> SystemExit in run_server
>> >> Jul 08 02:06:48 hostname.example.com systemd[1]: firewalld.service:
>> >> Deactivated successfully.
>> >> _______________________________________________
>> >> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
>> >> To unsubscribe send an email to
>> >> firewalld-users-leave(a)lists.fedorahosted.org
>> >> Fedora Code of Conduct:
>> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> >> List Guidelines:
>> >> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> >> List Archives:
>> >>
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>> >> Do not reply to spam, report it:
>> >> https://pagure.io/fedora-infrastructure/new_issue
>> >
>> >
>>
>
>
8:35 a.m.
On Mon, Jul 10, 2023 at 06:41:20PM -0400, David Mehler wrote:
Hello,
Thanks. The nft does work.
That's good news.
You can get better debug output by setting IndividualCalls=yes in
/etc/firewalld/fireawalld.conf.
Also enable debug logging by passing --debug=9 to the daemon. This
should be done in /etc/sysconfig/firewalld.
[..]
On 7/10/23, Eric Garver <egarver(a)redhat.com> wrote:
> On Mon, Jul 10, 2023 at 11:47:50AM -0400, David Mehler wrote:
>> Hello,
>>
>> I'm not sure. The Debian vps is running on OpenVZ if that helps.
>>
>> Why would this only effect nftables and not the iptables backend?
>
> It's possible that nftables is not usable inside OpenVZ. You can could
> verify by trying to manipulate nftables manually.
>
> e.g.
>
> # nft list ruleset
>
> # nft add table inet testing
>
> If those commands don't work, then nftables in not functional inside the
> OpenVZ environment.
>
>> Thanks.
>> Dave.
>>
>>
>> On 7/10/23, Eric Garver <egarver(a)redhat.com> wrote:
>> > This looks like the firewalld backends are broken, e.g. nftables,
>> > ebtables.
>> >
>> > Are you using a Debian provided kernel? Or is this a custom kernel for
>> > the VPS?
>> >
>> > On Sat, Jul 08, 2023 at 10:29:45AM -0400, David Mehler wrote:
>> >> Hello,
>> >>
>> >> I'm trying to get firewalld going on Debian 12 a vps. I've
asked on
>> >> the debian users list who refered me here with a way to get more
>> >> verbose error messages, see below. Unfortunately I'm clueless as
to
>> >> what this could be. It from what I can see looks like it's trying
to
>> >> delete a chain and failing which causes firewalld to fail, though I
>> >> could be wrong, python and myself are not friends.
>> >>
>> >> Any help appreciated.
>> >> Thanks.
>> >> Dave.
>> >>
>> >> root@hostname:~#systemctl --full --no-pager status firewalld
>> >> ? firewalld.service - firewalld - dynamic firewall daemon
>> >> Loaded: loaded (/lib/systemd/system/firewalld.service; enabled;
>> >> preset: enabled)
>> >> Active: inactive (dead) since Sat 2023-07-08 02:06:48 EDT; 7h ago
>> >> Duration: 2.316s
>> >> Docs: man:firewalld(1)
>> >> Process: 77366 ExecStart=/usr/sbin/firewalld --nofork --nopid
>> >> (code=exited, status=0/SUCCESS)
>> >> Main PID: 77366 (code=exited, status=0/SUCCESS)
>> >>
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore
v1.8.9
>> >> (nf_tables):
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> 'python-nftables' failed: internal:0:0-0: Error: Could not
process
>> >> rule: No such file or directory
>> >>
>> >>
>> >> JSON blob:
>> >>
{"nftables":
>> >> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}]}
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> COMMAND_FAILED: '/usr/sbin/ebtables-restore --noflush' failed:
>> >> ebtables-restore v1.8.9 (nf_tables):
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: Traceback (most
>> >> recent call last):
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
633, in
>> >> start
>> >>
>> >> self._start()
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
597, in
>> >> _start
>> >>
>> >> self._start_apply_objects(reload=reload,
>> >> complete_reload=complete_reload)
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
495, in
>> >> _start_apply_objects
>> >>
>> >> transaction.execute(True)
>> >> File
>> >>
"/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
>> >> 161, in execute
>> >> raise
>> >> FirewallError(errors.COMMAND_FAILED, errorMsg)
>> >>
>> >> firewall.errors.FirewallError: COMMAND_FAILED:
>> >> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore
v1.8.9
>> >> (nf_tables):
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> >>
>> >>
>> >> During
>> >> handling of the above exception, another exception occurred:
>> >>
>> >> Traceback
>> >> (most recent call last):
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
638, in
>> >> start
>> >>
>> >> self._start_failsafe()
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
629, in
>> >> _start_failsafe
>> >>
>> >> self._start_apply_objects(reload=reload,
>> >> complete_reload=complete_reload)
>> >> File
>> >> "/usr/lib/python3/dist-packages/firewall/core/fw.py", line
495, in
>> >> _start_apply_objects
>> >>
>> >> transaction.execute(True)
>> >> File
>> >>
"/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line
>> >> 161, in execute
>> >> raise
>> >> FirewallError(errors.COMMAND_FAILED, errorMsg)
>> >>
>> >> firewall.errors.FirewallError: COMMAND_FAILED:
'python-nftables'
>> >> failed: internal:0:0-0: Error: Could not process rule: No such file or
>> >> directory
>> >>
>> >>
>> >> JSON blob:
>> >>
{"nftables":
>> >> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}]}
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0:
Error: Could
>> >> not process rule: No such file or directory
>> >>
>> >>
>> >> JSON blob:
>> >>
{"nftables":
>> >> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}, {"add": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}]}
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Failed
>> >> to load full stock configuration. This likely indicates a system level
>> >> issue, e.g. the firewall backend (nftables, iptables) is broken. All
>> >> hope is lost. Exiting.
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> '/usr/sbin/ebtables-restore --noflush' failed: ebtables-restore
v1.8.9
>> >> (nf_tables):
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain PREROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain POSTROUTING_direct
>> >> line 3:
>> >> CHAIN_DEL failed (Device or resource busy): chain OUTPUT_direct
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR:
>> >> 'python-nftables' failed: internal:0:0-0: Error: Could not
process
>> >> rule: No such file or directory
>> >>
>> >>
>> >> JSON blob:
>> >>
{"nftables":
>> >> [{"metainfo": {"json_schema_version": 1}},
{"delete": {"table":
>> >> {"family": "inet", "name":
"firewalld"}}}]}
>> >> Jul 08 02:06:48 hostname.example.com firewalld[77366]: ERROR: Raising
>> >> SystemExit in run_server
>> >> Jul 08 02:06:48 hostname.example.com systemd[1]: firewalld.service:
>> >> Deactivated successfully.
>> >> _______________________________________________
>> >> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
>> >> To unsubscribe send an email to
>> >> firewalld-users-leave(a)lists.fedorahosted.org
>> >> Fedora Code of Conduct:
>> >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> >> List Guidelines:
>> >> https://fedoraproject.org/wiki/Mailing_list_guidelines
>> >> List Archives:
>> >>
https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
>> >> Do not reply to spam, report it:
>> >> https://pagure.io/fedora-infrastructure/new_issue
>> >
>> >
>>
>
>
303
days inactive
306
days old
firewalld-users@lists.fedorahosted.org
6 comments
2 participants
participants (2)
-
David Mehler -
Eric Garver