[Pkg-utopia-maintainers] Bug#983203: [firewalld] error - invalid ipset sshguard4

Lyndon Brown jnqnfe at gmail.com
Sun Feb 21 02:14:20 GMT 2021 

Package: firewalld
Version: 0.9.3-2
Severity: important

I'm experiencing problems on a Sid system with firewalld and sshguard - firewalld does
not seem happy with the sshguard config for some reason.

I set things up for sshguard a while ago and today happened to notice a problem when trying to
add a temporary firewall rule while playing around with DLNA which resulted in an error...

`firewall-cmd --add-port=1900/udp` gave:
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory


JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_public_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 1900}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}]}

Checking `systemctl status firewalld` led to the discovery that firewalld did not seem
happy with the existing permanent sshguard config, which had been added with the following
commands (per sshguard setup instructions):
1. firewall-cmd --permanent --zone=public --add-rich-rule="rule source ipset=sshguard4 drop"
2. firewall-cmd --permanent --zone=public --add-rich-rule="rule source ipset=sshguard6 drop"

`firewall-cmd --info-ipset=sshguard4` gives:
Error: INVALID_IPSET: sshguard4

`firewall-cmd --state` gives:
failed

`systemctl status firewalld` gives:
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2021-02-21 00:44:38 GMT; 34min ago
       Docs: man:firewalld(1)
   Main PID: 1973 (firewalld)
      Tasks: 2 (limit: 4636)
     Memory: 25.1M
        CPU: 1.328s
     CGroup: /system.slice/firewalld.service
             └─1973 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Feb 21 00:44:37 debian systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 21 00:44:38 debian systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 21 00:44:38 debian firewalld[1973]: ERROR: INVALID_IPSET: sshguard4
Feb 21 00:44:38 debian firewalld[1973]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        
                                        JSON blob:
                                        {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [>
Feb 21 00:44:38 debian firewalld[1973]: ERROR: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        internal:0:0-0: Error: Could not process rule: No such file or directory
                                        
                                        
                                        JSON blob:
                                        {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [>



If I remove the sshguard4 & sshguard6 rich rules and reload firewalld, then it's happy. The
errors just reported in the status output all disappear; the state switches to running; the
temporary DLNA rule gets successfully added. Re-adding the sshguard rules causes the problems
to reappear.

More information about the Pkg-utopia-maintainers mailing list