Doing my homework, I found that this Server Fault question speaks to an identical error message, and it might have the same cause, but how I got there is likely different and may provide clues.
In my case the system in trouble is one of a small number of otherwise identical servers that do firewall / gateway services, and they were configured and working fine. Unfortunately our immortal power supply failed recently and was not yet replaced when we just had a nasty power hit. (Tip: NEVER let your bean-counters convince you you can run temporarily without power supply protection on your servers!)
All the systems came back except one of the firewall / gateway boxes. It rebooted fine but the firewall was not behaving as configured, so I went to investigate.
I didn't recall what the zone names were on the box so the first thing I noticed was that this command returned NOTHING:
# firewall-cmd --get-active-zones
Hmmm. That's odd? So, I grabbed the script hidden away in the root's home directory that configures the net for this system (to make it easy to clone), and it seems to run all the various firewall-cmd commands EXCEPT these:
# firewall-cmd --add-interface=enp2s0 --zone=public
# firewall-cmd --add-interface=enp3s0 --zone=internal
Instead, it spits out two nearly identical instances of this noise:
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_public", "index": 4, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "raw_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "raw_PRE_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "mangle_PRE_public"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": 
[{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "filter_IN_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "filter_FWDI_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "filter_FWDO_public"}}]}}}]}
I'm not particularly skilled with python, but it seems to have lost track of some configuration information. If it told me what file(s) were missing, I might be able to recover from one of its siblings, or maybe there's another way.
An additional clue might be that even though all the other configuration commands worked fine, and even though I could see the changes, and even though I used --runtime-to-permanent, following reboot the results of these commands were lost AND the system refused to honor its newly configured IP address (basically to take it out of service while it's being fixed) and persistently demanded that it was its old public IP. NOT OK! So, I merely unplugged the cable. Thankfully, the private interface did reconfigure properly so we can still get to it without having to be at the console.
Ideas?
I'm pondering removing the related packages and reinstalling / reconfiguring them. These are:
firewalld-filesystem-0.8.3-1.fc32.noarch
python3-firewall-0.8.3-1.fc32.noarch
firewalld-0.8.3-1.fc32.noarch
But I don't have a good understanding yet if there are dependencies I haven't considered or whatnot. ... Does "refresh" of these packages hold a chance? I suppose that's my first thing to try after posting this question!
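Added example, not part of the original post: a diagnostic sketch that lists every table/chain the failed batch refers to and reports the ones absent from the live ruleset. It assumes the "No such file or directory" refers to an nftables object named in the batch rather than a file on disk; `missing_chains` and both sample inputs are constructed here, with the batch excerpt taken from the blob in the post.

```python
import json

# Constructed excerpt: three commands copied from the JSON blob in the post.
FAILED_BATCH = json.loads("""
{"nftables": [
 {"metainfo": {"json_schema_version": 1}},
 {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public", "index": 4,
   "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}},
 {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES",
   "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "filter_IN_public"}}]}}},
 {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES",
   "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "enp2s0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}
]}""")

# Constructed stand-in for `nft -j list ruleset` output on a box whose per-zone chains are absent.
LIVE_RULESET = {"nftables": [
    {"table": {"family": "inet", "name": "firewalld"}},
    {"chain": {"family": "inet", "table": "firewalld", "name": "filter_INPUT_ZONES"}},
    {"table": {"family": "ip", "name": "firewalld"}},
    {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PREROUTING_ZONES"}},
]}

def referenced_chains(batch):
    """Every (family, table, chain) the batch touches: rule owners and goto/jump targets."""
    refs = set()
    for cmd in batch.get("nftables", []):
        for verb in ("add", "insert"):
            rule = cmd.get(verb, {}).get("rule")
            if not rule:
                continue
            fam, table = rule["family"], rule["table"]
            refs.add((fam, table, rule["chain"]))
            for stmt in rule.get("expr", []):
                for kind in ("goto", "jump"):
                    if isinstance(stmt.get(kind), dict):
                        refs.add((fam, table, stmt[kind]["target"]))
    return refs

def missing_chains(batch, ruleset):
    """Chains the batch needs that the live ruleset does not define, sorted."""
    present = set()
    for item in ruleset.get("nftables", []):
        chain = item.get("chain")
        if chain:
            present.add((chain["family"], chain["table"], chain["name"]))
    return sorted(referenced_chains(batch) - present)

if __name__ == "__main__":
    for fam, table, chain in missing_chains(FAILED_BATCH, LIVE_RULESET):
        print(f"missing: {fam} {table} {chain}")
```

On a real host, replace the two samples with the full blob from the error and the saved output of `nft -j list ruleset`.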