[Pkg-utopia-maintainers] Bug#1087387: Bug#1087387: firewalld not working on arm64, Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0:

Michael Biebl biebl at debian.org
Tue Nov 12 18:23:41 GMT 2024


Am 10.10.24 um 19:50 schrieb fs3000:
> Package: firewalld
> Version: 1.3.3-1~deb12u1
> Severity: important
> X-Debbugs-Cc: fs3000 at proton.me
> 
> Dear Maintainer,
> 
> On a fresh install of Debian 12 on a arm64 router using an image create with this repo https://github.com/frank-w/BPI-Router-Images and using original packages, firewalld is not working properly.
> 
> While doing "firewall-cmd --add-interface=eth1 --zone=internal", it fails with this error:
> 
> root at bpi-r4 /root $ firewall-cmd --add-interface=eth1 --zone=internal
> Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
> 
> internal:0:0-0: Error: Could not process rule: No such file or directory
> 
> 
> JSON blob:
> {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_internal_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_INPUT_POLICIES_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_IN_internal_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_IN_internal_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_IN_internal_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_IN_internal_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_IN_internal_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"jump": {"target": "filter_INPUT_POLICIES_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip", "field": "daddr"}}, "op": "==", "right": "224.0.0.251"}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 5353}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": "ff02::fb"}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 5353}}, {"accept": null}]}}}, {"add": {"ct helper": {"family": "inet", "table": "firewalld", "name": "helper-netbios-ns-udp", "type": "netbios-ns", "protocol": "udp"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 137}}, {"ct helper": "helper-netbios-ns-udp"}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 137}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 138}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal_allow", "expr": [{"match": {"left": {"payload": {"protocol": "ip6", "field": "daddr"}}, "op": "==", "right": {"prefix": {"addr": "fe80::", "len": 64}}}}, {"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 546}}, {"accept": null}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_POST_internal_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POSTROUTING_POLICIES_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POST_internal_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POST_internal_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POST_internal_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POST_internal_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POST_internal_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POST_internal", "expr": [{"jump": {"target": "nat_POSTROUTING_POLICIES_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWD_internal_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FORWARD_POLICIES_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FWD_internal_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FWD_internal_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FWD_internal_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FWD_internal_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FWD_internal_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"jump": {"target": "filter_FORWARD_POLICIES_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal", "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "nat_PRE_internal_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PREROUTING_POLICIES_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PRE_internal_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PRE_internal_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PRE_internal_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PRE_internal_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PRE_internal_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PRE_internal", "expr": [{"jump": {"target": "nat_PREROUTING_POLICIES_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_internal_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PREROUTING_POLICIES_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PRE_internal_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PRE_internal_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PRE_internal_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PRE_internal_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PRE_internal_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_internal", "expr": [{"jump": {"target": "mangle_PREROUTING_POLICIES_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_internal", "index": 6, "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": {"set": ["icmp", "icmpv6"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "filter_IN_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "nat_POST_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "filter_FWD_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "nat_PRE_internal"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth1"}}, {"goto": {"target": "mangle_PRE_internal"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWD_internal_allow", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth1"}}, {"accept": null}]}}}]}
> 
> 
> ########### /etc/nftables.conf
> #!/usr/sbin/nft -f
> 
> flush ruleset
> 
> table inet filter {
>          chain input {
>                  type filter hook input priority filter;
>          }
>          chain forward {
>                  type filter hook forward priority filter;
>          }
>          chain output {
>                  type filter hook output priority filter;
>          }
> }
> 
> 
> ####################### nft list ruleset
> root at bpi-r4 /root $  nft list ruleset
> table inet firewalld {
>          chain mangle_PREROUTING {
>                  type filter hook prerouting priority mangle + 10; policy accept;
>                  jump mangle_PREROUTING_ZONES
>          }
> 
>          chain mangle_PREROUTING_POLICIES_pre {
>                  jump mangle_PRE_policy_allow-host-ipv6
>          }
> 
>          chain mangle_PREROUTING_ZONES {
>                  goto mangle_PRE_public
>          }
> 
>          chain mangle_PREROUTING_POLICIES_post {
>          }
> 
>          chain nat_PREROUTING {
>                  type nat hook prerouting priority dstnat + 10; policy accept;
>                  jump nat_PREROUTING_ZONES
>          }
> 
>          chain nat_PREROUTING_POLICIES_pre {
>                  jump nat_PRE_policy_allow-host-ipv6
>          }
> 
>          chain nat_PREROUTING_ZONES {
>                  goto nat_PRE_public
>          }
> 
>          chain nat_PREROUTING_POLICIES_post {
>          }
> 
>          chain nat_POSTROUTING {
>                  type nat hook postrouting priority srcnat + 10; policy accept;
>                  jump nat_POSTROUTING_ZONES
>          }
> 
>          chain nat_POSTROUTING_POLICIES_pre {
>          }
> 
>          chain nat_POSTROUTING_ZONES {
>                  goto nat_POST_public
>          }
> 
>          chain nat_POSTROUTING_POLICIES_post {
>          }
> 
>          chain nat_OUTPUT {
>                  type nat hook output priority -90; policy accept;
>                  jump nat_OUTPUT_POLICIES_pre
>                  jump nat_OUTPUT_POLICIES_post
>          }
> 
>          chain nat_OUTPUT_POLICIES_pre {
>          }
> 
>          chain nat_OUTPUT_POLICIES_post {
>          }
> 
>          chain filter_PREROUTING {
>                  type filter hook prerouting priority filter + 10; policy accept;
>                  icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
>                  meta nfproto ipv6 fib saddr . mark . iif oif missing drop
>          }
> 
>          chain filter_INPUT {
>                  type filter hook input priority filter + 10; policy accept;
>                  ct state { established, related } accept
>                  ct status dnat accept
>                  iifname "lo" accept
>                  ct state invalid drop
>                  jump filter_INPUT_ZONES
>                  reject with icmpx admin-prohibited
>          }
> 
>          chain filter_FORWARD {
>                  type filter hook forward priority filter + 10; policy accept;
>                  ct state { established, related } accept
>                  ct status dnat accept
>                  iifname "lo" accept
>                  ct state invalid drop
>                  ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
>                  jump filter_FORWARD_ZONES
>                  reject with icmpx admin-prohibited
>          }
> 
>          chain filter_OUTPUT {
>                  type filter hook output priority filter + 10; policy accept;
>                  ct state { established, related } accept
>                  oifname "lo" accept
>                  ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
>                  jump filter_OUTPUT_POLICIES_pre
>                  jump filter_OUTPUT_POLICIES_post
>          }
> 
>          chain filter_INPUT_POLICIES_pre {
>                  jump filter_IN_policy_allow-host-ipv6
>          }
> 
>          chain filter_INPUT_ZONES {
>                  goto filter_IN_public
>          }
> 
>          chain filter_INPUT_POLICIES_post {
>          }
> 
>          chain filter_FORWARD_POLICIES_pre {
>          }
> 
>          chain filter_FORWARD_ZONES {
>                  goto filter_FWD_public
>          }
> 
>          chain filter_FORWARD_POLICIES_post {
>          }
> 
>          chain filter_OUTPUT_POLICIES_pre {
>          }
> 
>          chain filter_OUTPUT_POLICIES_post {
>          }
> 
>          chain filter_IN_public {
>                  jump filter_INPUT_POLICIES_pre
>                  jump filter_IN_public_pre
>                  jump filter_IN_public_log
>                  jump filter_IN_public_deny
>                  jump filter_IN_public_allow
>                  jump filter_IN_public_post
>                  jump filter_INPUT_POLICIES_post
>                  meta l4proto { icmp, ipv6-icmp } accept
>                  reject with icmpx admin-prohibited
>          }
> 
>          chain filter_IN_public_pre {
>          }
> 
>          chain filter_IN_public_log {
>          }
> 
>          chain filter_IN_public_deny {
>          }
> 
>          chain filter_IN_public_allow {
>                  tcp dport 22 accept
>                  ip6 daddr fe80::/64 udp dport 546 accept
>          }
> 
>          chain filter_IN_public_post {
>          }
> 
>          chain nat_POST_public {
>                  jump nat_POSTROUTING_POLICIES_pre
>                  jump nat_POST_public_pre
>                  jump nat_POST_public_log
>                  jump nat_POST_public_deny
>                  jump nat_POST_public_allow
>                  jump nat_POST_public_post
>                  jump nat_POSTROUTING_POLICIES_post
>          }
> 
>          chain nat_POST_public_pre {
>          }
> 
>          chain nat_POST_public_log {
>          }
> 
>          chain nat_POST_public_deny {
>          }
> 
>          chain nat_POST_public_allow {
>          }
> 
>          chain nat_POST_public_post {
>          }
> 
>          chain filter_FWD_public {
>                  jump filter_FORWARD_POLICIES_pre
>                  jump filter_FWD_public_pre
>                  jump filter_FWD_public_log
>                  jump filter_FWD_public_deny
>                  jump filter_FWD_public_allow
>                  jump filter_FWD_public_post
>                  jump filter_FORWARD_POLICIES_post
>                  reject with icmpx admin-prohibited
>          }
> 
>          chain filter_FWD_public_pre {
>          }
> 
>          chain filter_FWD_public_log {
>          }
> 
>          chain filter_FWD_public_deny {
>          }
> 
>          chain filter_FWD_public_allow {
>          }
> 
>          chain filter_FWD_public_post {
>          }
> 
>          chain nat_PRE_public {
>                  jump nat_PREROUTING_POLICIES_pre
>                  jump nat_PRE_public_pre
>                  jump nat_PRE_public_log
>                  jump nat_PRE_public_deny
>                  jump nat_PRE_public_allow
>                  jump nat_PRE_public_post
>                  jump nat_PREROUTING_POLICIES_post
>          }
> 
>          chain nat_PRE_public_pre {
>          }
> 
>          chain nat_PRE_public_log {
>          }
> 
>          chain nat_PRE_public_deny {
>          }
> 
>          chain nat_PRE_public_allow {
>          }
> 
>          chain nat_PRE_public_post {
>          }
> 
>          chain mangle_PRE_public {
>                  jump mangle_PREROUTING_POLICIES_pre
>                  jump mangle_PRE_public_pre
>                  jump mangle_PRE_public_log
>                  jump mangle_PRE_public_deny
>                  jump mangle_PRE_public_allow
>                  jump mangle_PRE_public_post
>                  jump mangle_PREROUTING_POLICIES_post
>          }
> 
>          chain mangle_PRE_public_pre {
>          }
> 
>          chain mangle_PRE_public_log {
>          }
> 
>          chain mangle_PRE_public_deny {
>          }
> 
>          chain mangle_PRE_public_allow {
>          }
> 
>          chain mangle_PRE_public_post {
>          }
> 
>          chain filter_IN_policy_allow-host-ipv6 {
>                  jump filter_IN_policy_allow-host-ipv6_pre
>                  jump filter_IN_policy_allow-host-ipv6_log
>                  jump filter_IN_policy_allow-host-ipv6_deny
>                  jump filter_IN_policy_allow-host-ipv6_allow
>                  jump filter_IN_policy_allow-host-ipv6_post
>          }
> 
>          chain filter_IN_policy_allow-host-ipv6_pre {
>          }
> 
>          chain filter_IN_policy_allow-host-ipv6_log {
>          }
> 
>          chain filter_IN_policy_allow-host-ipv6_deny {
>          }
> 
>          chain filter_IN_policy_allow-host-ipv6_allow {
>                  icmpv6 type nd-neighbor-advert accept
>                  icmpv6 type nd-neighbor-solicit accept
>                  icmpv6 type nd-router-advert accept
>                  icmpv6 type nd-redirect accept
>          }
> 
>          chain filter_IN_policy_allow-host-ipv6_post {
>          }
> 
>          chain nat_PRE_policy_allow-host-ipv6 {
>                  jump nat_PRE_policy_allow-host-ipv6_pre
>                  jump nat_PRE_policy_allow-host-ipv6_log
>                  jump nat_PRE_policy_allow-host-ipv6_deny
>                  jump nat_PRE_policy_allow-host-ipv6_allow
>                  jump nat_PRE_policy_allow-host-ipv6_post
>          }
> 
>          chain nat_PRE_policy_allow-host-ipv6_pre {
>          }
> 
>          chain nat_PRE_policy_allow-host-ipv6_log {
>          }
> 
>          chain nat_PRE_policy_allow-host-ipv6_deny {
>          }
> 
>          chain nat_PRE_policy_allow-host-ipv6_allow {
>          }
> 
>          chain nat_PRE_policy_allow-host-ipv6_post {
>          }
> 
>          chain mangle_PRE_policy_allow-host-ipv6 {
>                  jump mangle_PRE_policy_allow-host-ipv6_pre
>                  jump mangle_PRE_policy_allow-host-ipv6_log
>                  jump mangle_PRE_policy_allow-host-ipv6_deny
>                  jump mangle_PRE_policy_allow-host-ipv6_allow
>                  jump mangle_PRE_policy_allow-host-ipv6_post
>          }
> 
>          chain mangle_PRE_policy_allow-host-ipv6_pre {
>          }
> 
>          chain mangle_PRE_policy_allow-host-ipv6_log {
>          }
> 
>          chain mangle_PRE_policy_allow-host-ipv6_deny {
>          }
> 
>          chain mangle_PRE_policy_allow-host-ipv6_allow {
>          }
> 
>          chain mangle_PRE_policy_allow-host-ipv6_post {
>          }
> }
> 
> 
> 
> ############################ lsmod
> root at bpi-r4 /root $ lsmod
> Module                  Size  Used by
> nft_fib_inet           12288  1
> nft_fib_ipv4           12288  1 nft_fib_inet
> nft_fib_ipv6           12288  1 nft_fib_inet
> nft_fib                12288  3 nft_fib_ipv6,nft_fib_ipv4,nft_fib_inet
> nft_reject_inet        12288  6
> nf_reject_ipv4         12288  1 nft_reject_inet
> nf_reject_ipv6         20480  1 nft_reject_inet
> nft_reject             12288  1 nft_reject_inet
> nft_ct                 16384  7
> nft_chain_nat          12288  3
> nf_nat                 45056  1 nft_chain_nat
> nf_conntrack          106496  2 nf_nat,nft_ct
> nf_defrag_ipv6         20480  1 nf_conntrack
> nf_defrag_ipv4         12288  1 nf_conntrack
> ip_set                 49152  0
> nf_tables             225280  166 nft_ct,nft_reject_inet,nft_fib_ipv6,nft_fib_ipv4,nft_chain_nat,nft_reject,nft_fib,nft_fib_inet
> libcrc32c              12288  3 nf_conntrack,nf_nat,nf_tables
> nfnetlink              16384  3 nf_tables,ip_set
> mt7925e                16384  0
> mt7925_common          86016  1 mt7925e
> mt792x_lib             40960  2 mt7925e,mt7925_common
> mt76_connac_lib        53248  3 mt792x_lib,mt7925e,mt7925_common
> mt76                   86016  4 mt792x_lib,mt7925e,mt76_connac_lib,mt7925_common
> mac80211              823296  4 mt792x_lib,mt76,mt76_connac_lib,mt7925_common
> libarc4                12288  1 mac80211
> cfg80211              811008  4 mt76,mac80211,mt76_connac_lib,mt7925_common
> fuse                  151552  1
> ip_tables              28672  0
> x_tables               36864  1 ip_tables
> 
> 
> ########################## packages
> root at bpi-r4 /root $ dpkg -l |grep "fire\|nft"
> ii  firewalld                     1.3.3-1~deb12u1                      all          dynamically managed firewall with support for network zones
> ii  libnftables1:arm64            1.0.6-2+deb12u2                      arm64        Netfilter nftables high level userspace API library
> ii  libnftnl11:arm64              1.2.4-2                              arm64        Netfilter nftables userspace API library
> ii  nftables                      1.0.6-2+deb12u2                      arm64        Program to control packet filtering rules by Netfilter project
> ii  python3-firewall              1.3.3-1~deb12u1                      all          Python3 bindings for firewalld
> ii  python3-nftables              1.0.6-2+deb12u2                      arm64        nftables/libnftables python3 module
> root at bpi-r4 /root $
> 
> 
> 
> 
> 
> -- System Information:
> Debian Release: 12.8
>    APT prefers stable-updates
>    APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
> Architecture: arm64 (aarch64)
> 
> Kernel: Linux 6.12.0-rc1-bpi-r4 (SMP w/4 CPU threads)

This is not a Debian provided kernel afaics, so you might be missing 
certain kernel features required by firewalld. In general, we don't 
provide support for non-Debian spin-offs.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20241112/05c5528a/attachment-0001.sig>


More information about the Pkg-utopia-maintainers mailing list