Score:0

Running firewalld on fresh AlmaLinux 9 CHAIN_USER_DEL CHAIN_ADD failed

IMB

I am trying to run firewalld on a fresh AlmaLinux 9 VPS (OpenVZ). I have only done the following so far:

dnf upgrade
systemctl start firewalld
systemctl enable firewalld
systemctl status firewalld

I am immediately greeted with these errors:

Oct 26 06:58:14 myserver firewalld[1097]: ERROR: '/usr/sbin/iptables -w10 -t mangle -X' failed: iptables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain POSTROUTING_direct
Oct 26 06:58:15 myserver firewalld[793]: ERROR: '/usr/sbin/iptables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: iptables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
Oct 26 06:58:16 myserver firewalld[793]: ERROR: '/usr/sbin/iptables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: iptables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
Oct 26 06:58:17 myserver firewalld[1097]: ERROR: '/usr/sbin/ip6tables -w10 -t raw -X' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain PREROUTING_direct
Oct 26 06:58:17 myserver firewalld[1097]: ERROR: '/usr/sbin/ip6tables -w10 -t raw -X' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain PREROUTING_direct
Oct 26 06:58:18 myserver firewalld[793]: ERROR: '/usr/sbin/ip6tables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
Oct 26 06:58:20 myserver firewalld[793]: ERROR: '/usr/sbin/ip6tables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING
Oct 26 06:58:20 myserver firewalld[1097]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t mangle -X' failed: iptables v1.8.7 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain POSTROUTING_direct
Oct 26 06:58:23 myserver firewalld[793]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -t nat -A PREROUTING -j PREROUTING_direct' failed: ip6tables v1.8.7 (nf_tables):  CHAIN_ADD failed (No such file or directory): chain PREROUTING

Any ideas?

larsks
Please don't post images of text. Put the text of the errors in your question, formatted as a code sample.
IMB
@larsks done thanks.
larsks
I believe that OpenVZ is a "container" type solution, which means all VPS instances are using the host kernel. It looks like your host kernel doesn't have the necessary support for `nf_tables` that is required by modern versions of `firewalld` and `iptables`. That's not something you can fix.
IMB
@larsks I see, do you think this is also an issue with KVM?
larsks
KVM is a real hypervisor where your virtual hosts run their own kernel, so you should not experience the same issue using a KVM-based VPS.
IMB
@larsks Thanks, you can "officially" answer if you want, I'll accept it.
Score:1
larsks

OpenVZ is a container-based solution; from their features page:

The architecture of OpenVZ is different from the traditional virtual machines architecture because it always runs the same OS kernel as the host system (while still allowing multiple Linux distributions in individual containers). This single-kernel implementation technology enables running containers with a near-zero overhead. Thus, OpenVZ offers an order of magnitude higher efficiency and manageability than traditional virtualization technologies.

This makes OpenVZ much more similar to Docker than it is to virtualization solutions like KVM, VMware, VirtualBox, etc. In particular, it means that all containers on the physical server are using the same host kernel.

If in your VPS you attempt to run commands that require specific kernel features not available in the host kernel, that's not something you can resolve within your VPS.

In your case, it appears that firewalld is looking for nftables support, and that support appears to be missing.


Finding a VPS solution that uses a real hypervisor, in which each VPS runs its own kernel, would avoid this problem.
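As an added diagnostic (not part of the original question or answer), the script below lets you confirm from inside the VPS what the answer describes: it reports which backend the installed iptables uses, tries to talk to nf_tables with nft, and repeats the exact operation firewalld failed on in the log (touching the nat PREROUTING base chain for IPv4 and IPv6). It assumes only the iptables, ip6tables and nft binaries that AlmaLinux 9 ships (iptables-nft and nftables packages); the function names and the PASS/FAIL output format are this example's own. The two pure helper functions classify strings, so they can be exercised without root; the live checks run only when the script is executed as root.

```shell
#!/bin/sh
# Added example for the firewalld-on-OpenVZ thread above; not code from the
# thread. Assumes AlmaLinux 9's iptables-nft and nftables packages.

# Backend name from an "iptables -V" string such as
# "iptables v1.8.7 (nf_tables)". Takes the string as an argument so it can
# be tested without root. Prints nf_tables, legacy or unknown.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) printf '%s\n' nf_tables ;;
        *"(legacy)"*)    printf '%s\n' legacy ;;
        *)               printf '%s\n' unknown ;;
    esac
}

# Classify one firewalld journal line into the two failure kinds the
# question shows:
#   missing-base-chain : "CHAIN_ADD failed (No such file or directory)"
#                        -> the built-in chain (here nat/PREROUTING) could not
#                           be created, i.e. the kernel cannot provide that
#                           table/chain through nf_tables
#   busy-chain         : "CHAIN_USER_DEL failed (Device or resource busy)"
#                        -> a *_direct chain could not be deleted because
#                           something still references it
classify_error() {
    case "$1" in
        *"CHAIN_ADD failed (No such file or directory)"*)    printf '%s\n' missing-base-chain ;;
        *"CHAIN_USER_DEL failed (Device or resource busy)"*) printf '%s\n' busy-chain ;;
        *)                                                   printf '%s\n' other ;;
    esac
}

# Live checks; need root. Each prints PASS/FAIL and never aborts the script,
# so the summary at the end is always reached.
live_checks() {
    fails=0
    if command -v iptables >/dev/null 2>&1; then
        echo "iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
    else
        echo "FAIL: iptables not installed"; fails=$((fails + 1))
    fi
    # Can nft reach the kernel's nf_tables subsystem at all?
    if command -v nft >/dev/null 2>&1 && nft list tables >/dev/null 2>&1; then
        echo "PASS: nft list tables"
    else
        echo "FAIL: nft list tables (kernel without usable nf_tables support?)"
        fails=$((fails + 1))
    fi
    # Repeat the operation firewalld failed on. iptables-nft creates the nat
    # table and its base chains on first use, so a failure here means the
    # kernel cannot provide them.
    for cmd in iptables ip6tables; do
        if command -v "$cmd" >/dev/null 2>&1 && "$cmd" -w10 -t nat -L PREROUTING -n >/dev/null 2>&1; then
            echo "PASS: $cmd -t nat -L PREROUTING"
        else
            echo "FAIL: $cmd -t nat -L PREROUTING"; fails=$((fails + 1))
        fi
    done
    if [ "$fails" -eq 0 ]; then
        echo "kernel looks usable for firewalld's nf_tables backend"
    else
        echo "$fails check(s) failed: on a shared-kernel VPS (OpenVZ) this cannot be fixed from inside the container"
    fi
    return 0
}

# Only run the live checks when executed as root; otherwise just define the
# helpers (e.g. when the file is sourced for testing).
if [ "$(id -u 2>/dev/null)" = 0 ]; then
    live_checks
fi
```

Run it as root on the affected VPS; if `nft list tables` and the nat PREROUTING checks fail while `iptables -V` reports `nf_tables`, the userspace tools are fine and it is the host kernel that is lacking, which is exactly the situation the answer describes. The same script run on a KVM guest with a stock AlmaLinux 9 kernel should print only PASS lines.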
