debian firewalld reload issue

nooobeee · 12-19-2020, 09:12 PM

I have a vanilla debian 10 setup with nginx. I installed firewalld which went fine. I added the HTTP and HTTPS rules using:

Code:

firewall-cmd --add-service={http,https} --permanent --zone=public

However when I attempt to reload, I run into an error:

Code:

sudo firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT

Doing some digging, it seems there may be a bug.
https://bugs.debian.org/cgi-bin/bugr...cgi?bug=914694

Most of this is, honestly, above my head. But I found a nugget in there so I tried the IndividualCalls=yes attribute and restarting the service because it seemed this may have been a workaround but that didn't seem to work for me:

Code:

> > Setting InvividualCalls=yes in /etc/firewalld/firewalld.conf will be
> > more verbose and help in debugging the cause.
> 
> Fun, this actually *fixes* the problem:

That makes it smell like an iptables-restore issue in the nftables
backed version of iptables. It would be great if we could reproduce
without firewalld using iptables-restore.

apt indicates my firewalld is currently 1.8.2-4.

Has anyone else run into this? Any suggestions or thoughts would be appreciated.

nooobeee · 12-19-2020, 09:19 PM

NVM, I think I was wrong about what they indicted "fixes" the problem in that workaround. Turns out rebooting the server applies the new services without issue. I don't think I'll be modifying the firewall much so it shouldn't be too much of an issue. I guess we may just have to wait until Debian merges the newer versions of iptables into their stable repos.