nftables, netlink broken on linux-pinephone
I was trying to use `firewalld` (having a firewall on a mobile device might be a good idea) but couldn't start it.
`systemctl status firewalld` output:
Nov 24 18:37:31 plasma-mobile firewalld[8839]: ERROR: Failed to load user configuration. Falling back to full stock configuration.
Nov 24 18:37:32 plasma-mobile firewalld[8839]: ERROR: 'python-nftables' failed: netlink: Error: cache initialization failed: Invalid argument
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}, {>
Nov 24 18:37:32 plasma-mobile firewalld[8839]: ERROR: COMMAND_FAILED: 'python-nftables' failed: netlink: Error: cache initialization failed: Invalid argument
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}]}
Nov 24 18:37:32 plasma-mobile firewalld[8839]: Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 629, in start
self._start()
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 593, in _start
self._start_apply_objects(reload=reload, complete_reload=complete_reload)
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 491, in _start_apply_objects
transaction.execute(True)
File "/usr/lib/python3.10/site-packages/firewall/core/fw_transaction.py", line 161, in execute
raise FirewallError(errors.COMMAND_FAILED, errorMsg)
firewall.errors.FirewallError: COMMAND_FAILED: 'python-nftables' failed: netlink: Error: cache initialization failed: Inv>
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld"}}}]}
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 634, in start
self._start_failsafe()
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 625, in _start_failsafe
self._start_apply_objects(reload=reload, complete_reload=complete_reload)
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 491, in _start_apply_objects
transaction.execute(True)
File "/usr/lib/python3.10/site-packages/firewall/core/fw_transaction.py", line 161, in execute
raise FirewallError(errors.COMMAND_FAILED, errorMsg)
firewall.errors.FirewallError: COMMAND_FAILED: 'python-nftables' failed: netlink: Error: cache initialization failed: Inv>
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"delete": {"table": {"family": "inet", "name": "firewalld"}}}, {>
Testing nftables itself, it turns out this isn't working at all: a simple `nft list tables` or `nft list ruleset` both result in "netlink: Error: cache initialization failed: Invalid argument". Searching for this exact message on DuckDuckGo (Google gave the same result) returned exactly one hit with no useful info.
Both are clean firewalld/nftables installs, as far as I'm aware; I also tried removing both packages, wiping all traces of them from /etc (checked /var as well but found nothing relevant) and reinstalling them, to no avail.
On my pinebook pro, both `firewalld` and `nftables` are working fine, so it doesn't seem to be a generic issue with Manjaro Arm. Both pinephone and pinebook pro are running latest Manjaro Arm stable.
#19 reports at least having `firewalld` with `nftables` running, 5 months ago. I did an earlier attempt to get this working, about 8-10 months ago, and as far as I remember I was hitting the exact same issues as I am now (at least the `systemctl status firewalld` one; I didn't dig too deep into it back then).
The only other thing I could think of, combined with some other related searching, is that this may be related to the kernel config. Comparing the `linux-pinephone` config to the regular `linux` config (running on the pinebook pro), the former has quite a few `CONFIG_NF_*` options disabled whereas the latter only has `CONFIG_NF_FLOW_TABLE_PROCFS` disabled; and the former has some `*NETLINK*` options disabled, whereas the latter only has `CONFIG_NETFILTER_NETLINK_HOOK` disabled. Installing the regular `linux` kernel on my pinephone makes `nft list ruleset` work and `firewalld` start successfully. Switching back to `linux-pinephone` breaks both again.
Also, `nft --debug all ...` gives no useful info at all:
nft --debug all list ruleset
Entering state 0
Stack now 0
Reducing stack by rule 1 (line 914):
-> $$ = nterm input (: )
Entering state 1
Stack now 0 1
Reading a token
--accepting rule at line 353 ("list")
Next token is token "list" (: )
Shifting token "list" (: )
Entering state 26
Stack now 0 1 26
Reading a token
--accepting rule at line 859 (" ")
--accepting rule at line 324 ("ruleset")
Next token is token "ruleset" (: )
Shifting token "ruleset" (: )
Entering state 115
Stack now 0 1 26 115
Reading a token
--accepting rule at line 853 ("
")
Next token is token "newline" (: )
Reducing stack by rule 424 (line 2777):
-> $$ = nterm ruleset_spec (: )
Entering state 455
Stack now 0 1 26 115 455
Reducing stack by rule 170 (line 1473):
$1 = token "ruleset" (: )
$2 = nterm ruleset_spec (: )
-> $$ = nterm list_cmd (: )
Entering state 130
Stack now 0 1 26 130
Reducing stack by rule 31 (line 956):
-> $$ = nterm close_scope_list (: )
Entering state 480
Stack now 0 1 26 130 480
Reducing stack by rule 73 (line 1064):
$1 = token "list" (: )
$2 = nterm list_cmd (: )
$3 = nterm close_scope_list (: )
-> $$ = nterm base_cmd (: )
Entering state 46
Stack now 0 1 46
Next token is token "newline" (: )
Shifting token "newline" (: )
Entering state 4
Stack now 0 1 46 4
Reducing stack by rule 3 (line 924):
$1 = token "newline" (: )
-> $$ = nterm stmt_separator (: )
Entering state 279
Stack now 0 1 46 279
Reducing stack by rule 64 (line 1036):
$1 = nterm base_cmd (: )
$2 = nterm stmt_separator (: )
-> $$ = nterm line (: )
Entering state 45
Stack now 0 1 45
Reducing stack by rule 2 (line 915):
$1 = nterm input (: )
$2 = nterm line (: )
-> $$ = nterm input (: )
Entering state 1
Stack now 0 1
Reading a token
--(end of buffer or a NUL)
--EOF (start condition 0)
Now at end of input.
Shifting token "end of file" (: )
Entering state 2
Stack now 0 1 2
Stack now 0 1 2
Cleanup: popping token "end of file" (: )
Cleanup: popping nterm input (: )
---------------- ------------------
| 0000000020 | | message length |
| 02576 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 00 | | extra header |
---------------- ------------------
---------------- ------------------
| 0000000020 | | message length |
| 02561 | R--- | | type | flags |
| 0000000000 | | sequence number|
| 0000000000 | | port ID |
---------------- ------------------
| 00 00 00 00 | | extra header |
---------------- ------------------
netlink: Error: cache initialization failed: Invalid argument
Segmentation fault (core dumped)
Version info:
- linux-pinephone: 6.0.3-1
- nftables: 1:1.0.5-1
- python: 3.10.8-2
- iptables: 1:1.8.8-2
- firewalld: 1.2.1-1
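Added example, not from the original post and not code from the nftables, firewalld or Manjaro projects: a POSIX shell script that checks a kernel config for the nf_tables and netfilter-netlink options `nft` needs, and lists the `CONFIG_NF_*` / `*NETLINK*` options enabled in one config but not in another, which is the comparison the post does by hand between `linux-pinephone` and `linux`. The list of required options (`NFT_REQUIRED`) is my own baseline for a working `nft` plus firewalld `inet` table, and the two sample configs are constructed here; neither is taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): check a kernel config for the
# netfilter/nftables options that nft and firewalld's "inet" table depend on,
# and diff the CONFIG_NF_*/NETLINK options of two configs.
# Real input: zcat /proc/config.gz > /tmp/running.cfg, or /boot/config-$(uname -r).

# Baseline options (assumption: my own minimal list, not taken from the post).
NFT_REQUIRED="CONFIG_NETFILTER CONFIG_NETFILTER_NETLINK CONFIG_NF_TABLES
CONFIG_NF_TABLES_INET CONFIG_NF_CONNTRACK CONFIG_NFT_CT CONFIG_NFT_REJECT"

# check_config FILE: print each required option that is neither =y nor =m in
# FILE; return 1 if anything is missing, 0 if all are present.
check_config() {
    _rc=0
    for _opt in $NFT_REQUIRED; do
        if ! grep -Eq "^${_opt}=(y|m)\$" "$1"; then
            printf '%s: %s is missing or disabled\n' "$1" "$_opt"
            _rc=1
        fi
    done
    return $_rc
}

# enabled_nf FILE: sorted names of netfilter/netlink options set to y or m.
# "# CONFIG_X is not set" lines do not start with CONFIG_ and are skipped.
enabled_nf() {
    grep -E '^CONFIG_(NF_|NFT_|NETFILTER|[A-Z0-9_]*NETLINK)[A-Z0-9_]*=(y|m)$' "$1" \
        | sed 's/=.*//' | LC_ALL=C sort
}

# nf_diff A B: options enabled in B but not in A, one per line
# (e.g. A = linux-pinephone config, B = regular linux config).
nf_diff() {
    _a=$(mktemp); _b=$(mktemp)
    enabled_nf "$1" > "$_a"
    enabled_nf "$2" > "$_b"
    LC_ALL=C comm -13 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# Two constructed sample configs (not real kernel configs): one with
# nf_tables built, one with it switched off.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_NETLINK=m
# CONFIG_NETFILTER_NETLINK_HOOK is not set
CONFIG_NF_CONNTRACK=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NFT_CT=m
CONFIG_NFT_REJECT=m
# CONFIG_NF_FLOW_TABLE_PROCFS is not set
EOF

BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NETFILTER_NETLINK=m
# CONFIG_NETFILTER_NETLINK_HOOK is not set
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_TABLES is not set
EOF

echo "== required options missing in the constructed 'bad' config =="
check_config "$BAD_CFG" || true
echo "== enabled in 'good' but not in 'bad' =="
nf_diff "$BAD_CFG" "$GOOD_CFG"
```

To use it on a real system, save the running kernel's config with `zcat /proc/config.gz > running.cfg` and call `check_config running.cfg`; to reproduce the post's comparison, `nf_diff pinephone.cfg linux.cfg` prints what the regular kernel has that `linux-pinephone` lacks. `nft list ruleset` failing at cache initialization before any rule is parsed is consistent with the nf_tables netlink family being absent from the kernel rather than with a ruleset problem, which is what this check is meant to surface quickly.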