
Trying to run firewalld on a fresh AlmaLinux 9 VPS (OpenVZ). Only did the following so far:

dnf upgrade
systemctl start firewalld
systemctl enable firewalld
systemctl status firewalld

I am immediately greeted with these errors:

Oct 26 06:58:14 myserver firewalld[1097]: ERROR: '/usr/sbin/iptables -w10 -t mangle -X' failed: iptables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain POSTROUTING_direct
Oct 26 06:58:15 myserver firewalld[793]: ERROR: '/usr/sbin/iptables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: iptables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
Oct 26 06:58:16 myserver firewalld[793]: ERROR: '/usr/sbin/iptables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: iptables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
Oct 26 06:58:17 myserver firewalld[1097]: ERROR: '/usr/sbin/ip6tables -w10 -t raw -X' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain PREROUTING_direct
Oct 26 06:58:17 myserver firewalld[1097]: ERROR: '/usr/sbin/ip6tables -w10 -t raw -X' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain PREROUTING_direct
Oct 26 06:58:18 myserver firewalld[793]: ERROR: '/usr/sbin/ip6tables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
Oct 26 06:58:20 myserver firewalld[793]: ERROR: '/usr/sbin/ip6tables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
Oct 26 06:58:20 myserver firewalld[1097]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t mangle -X' failed: iptables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain POSTROUTING_direct
Oct 26 06:58:23 myserver firewalld[793]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING

Any ideas?

IMB
  • Please don't post images of text. Put the text of the errors in your question, formatted as a code sample. – larsks Oct 26 '22 at 12:36
  • @larsks done thanks. – IMB Oct 26 '22 at 14:23
  • I believe that OpenVZ is a "container" type solution, which means all VPS instances are using the host kernel. It looks like your host kernel doesn't have the necessary support for `nf_tables` that is required by modern versions of `firewalld` and `iptables`. That's not something you can fix. – larsks Oct 26 '22 at 14:28
  • @larsks I see, do you think this is also an issue with KVM? – IMB Oct 26 '22 at 15:13
  • KVM is a real hypervisor where your virtual hosts run their own kernel, so you should not experience the same issue using a KVM-based VPS. – larsks Oct 26 '22 at 15:21
  • @larsks Thanks, you can "officially" answer if you want, I'll accept it. – IMB Oct 26 '22 at 15:30

1 Answer

OpenVZ is a container-based solution; from their features page:

The architecture of OpenVZ is different from the traditional virtual machines architecture because it always runs the same OS kernel as the host system (while still allowing multiple Linux distributions in individual containers). This single-kernel implementation technology enables running containers with a near-zero overhead. Thus, OpenVZ offers an order of magnitude higher efficiency and manageability than traditional virtualization technologies.

This makes OpenVZ much more similar to Docker than it is to virtualization solutions like KVM, VMware, VirtualBox, etc. In particular, it means that all containers on the physical server are using the same host kernel.

If in your VPS you attempt to run commands that require specific kernel features not available in the host kernel, that's not something you can resolve within your VPS.

In your case, it appears that firewalld is looking for nftables support, and that support appears to be missing.

Finding a VPS solution that uses a real hypervisor, in which each VPS runs its own kernel, would avoid this problem.

larsks
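As an added example (not part of the question or the answer), a small Python parser for the firewalld journal lines quoted in the question: it pulls out the tool, table, operation and errno from each `ERROR:` line and flags the pattern the answer describes, an iptables built on the nf_tables backend whose kernel reports builtin chains such as nat/PREROUTING as missing. The field names, the sample journal text and the heuristic flag are mine.

```python
import re
from collections import Counter

# Constructed sample: firewalld lines as quoted in the question, plus one
# unrelated systemd line to show that non-matching lines are skipped.
SAMPLE_JOURNAL = """\
Oct 26 06:58:14 myserver firewalld[1097]: ERROR: '/usr/sbin/iptables -w10 -t mangle -X' failed: iptables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain POSTROUTING_direct
Oct 26 06:58:15 myserver firewalld[793]: ERROR: '/usr/sbin/iptables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: iptables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
Oct 26 06:58:17 myserver firewalld[1097]: ERROR: '/usr/sbin/ip6tables -w10 -t raw -X' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain PREROUTING_direct
Oct 26 06:58:23 myserver firewalld[793]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
Oct 26 06:58:30 myserver systemd[1]: Started firewalld - dynamic firewall daemon.
"""

# Shape of a firewalld backend error: the failed iptables/ip6tables command,
# the tool's reported backend (nf_tables or legacy), the netlink op and errno.
LINE_RE = re.compile(
    r"firewalld\[(?P<pid>\d+)\]: ERROR: (?:COMMAND_FAILED: )?"
    r"'(?P<binary>\S+) -w\d+ -t (?P<table>\w+) (?P<args>[^']*)' failed: "
    r"(?P<tool>\w+) v(?P<version>[\d.]+) \((?P<backend>\w+)\):\s+"
    r"(?P<op>\w+) failed \((?P<errno>[^)]+)\): chain (?P<chain>\w+)"
)


def parse_firewalld_errors(journal_text):
    """Return one dict per firewalld backend error line; other lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.search, journal_text.splitlines()) if m]


def diagnose(events):
    """Summarise the failures per table and flag the shared-kernel pattern from the
    answer: every tool runs on the nf_tables backend, yet the kernel says a builtin
    chain does not exist. That combination is a heuristic, not a proof, and points
    at the host kernel rather than at anything fixable inside the container."""
    backends = {e["backend"] for e in events}
    missing_builtin = sorted({(e["table"], e["chain"]) for e in events
                              if e["op"] == "CHAIN_ADD"
                              and e["errno"] == "No such file or directory"})
    busy_user = sorted({(e["table"], e["chain"]) for e in events
                        if e["op"] == "CHAIN_USER_DEL"
                        and e["errno"] == "Device or resource busy"})
    return {
        "backends": sorted(backends),
        "families": sorted({e["tool"] for e in events}),
        "tables": dict(Counter(e["table"] for e in events)),
        "missing_builtin_chains": missing_builtin,
        "busy_user_chains": busy_user,
        "suspect_missing_nf_tables_support": backends == {"nf_tables"} and bool(missing_builtin),
    }


if __name__ == "__main__":
    print(diagnose(parse_firewalld_errors(SAMPLE_JOURNAL)))
```

Feed it `journalctl -u firewalld --no-pager` output instead of the sample to check a real host; a true flag is the cue to ask the provider about nf_tables support or move to a VPS running its own kernel, as the answer suggests.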