Overview


Firewalld stopped working after upgrading to CentOS 7.7.

It looks like a bug in firewalld, so I downgraded firewalld and it recovered.

I'm writing this note so that I don't forget.

Check the current status

# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead) since 月 2019-11-18 21:02:00 JST; 1 day 23h ago
     Docs: man:firewalld(1)
  Process: 9341 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 9341 (code=exited, status=0/SUCCESS)

11月 18 21:02:00 xxx.net systemd[1]: Starting firewalld - dynamic firewall daemon...
11月 18 21:02:00 xxx.net systemd[1]: Started firewalld - dynamic firewall daemon.
11月 18 21:02:00 xxx.net firewalld[9341]: WARNING: ipset not usable, disabling ipset usage in firewall.
11月 18 21:02:00 xxx.net firewalld[9341]: ERROR: Failed to load nf_conntrack module: modprobe: FATAL: Module nf_conntrack not found.
11月 18 21:02:00 xxx.net firewalld[9341]: ERROR: Raising SystemExit in run_server
#

firewalld is stopped. This is not good.

I will start firewalld right away.

# systemctl start firewalld.service

I checked the journal log and found these errors:

ERROR: Failed to load nf_conntrack module: modprobe: ERROR: could not find module by name='nf_conntrack'
modprobe: ERROR: could not insert 'nf_conntrack': Function not implemented
modprobe: ERROR: Error running install command for nf_conntrack
modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
ERROR: Raising SystemExit in run_server

Oh no!

I was angry that the nf_conntrack module was missing.

iptables is also stopped, which is not good.

# /sbin/iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
#

Since firewalld has stopped, start iptables instead.

# systemctl start iptables.service

Check that the rules have been applied.

# /sbin/iptables -nL

I confirmed that the iptables filter rules are displayed.

Confirm with another command

# modprobe nf_conntrack
modprobe: ERROR: could not find module by name='nf_conntrack'
modprobe: ERROR: could not insert 'nf_conntrack': Function not implemented
modprobe: ERROR: Error running install command for nf_conntrack
modprobe: ERROR: could not insert 'nf_conntrack': Operation not permitted
#

Downgrade firewalld

Obtain the packages required for the downgrade from the following site.

http://vault.centos.org/7.6.1810/os/x86_64/Packages/

Get the firewalld and firewalld-filesystem packages, plus the python-firewall package, with the wget command.

# wget http://vault.centos.org/7.6.1810/os/x86_64/Packages/firewalld-0.5.3-5.el7.noarch.rpm

# wget http://vault.centos.org/7.6.1810/os/x86_64/Packages/firewalld-filesystem-0.5.3-5.el7.noarch.rpm

# wget http://vault.centos.org/7.6.1810/os/x86_64/Packages/python-firewall-0.5.3-5.el7.noarch.rpm

Run the firewalld downgrade

# yum downgrade firewalld-0.5.3-5.el7.noarch.rpm firewalld-filesystem-0.5.3-5.el7.noarch.rpm python-firewall-0.5.3-5.el7.noarch.rpm

Start firewalld.

# systemctl restart firewalld.service

Check that it started cleanly.

# systemctl status firewalld.service

It started fine.

Also check iptables.

# /sbin/iptables -nL

Ok! Good.
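The checks above (systemctl status, the nf_conntrack error in the journal, and an empty iptables listing) and the verification after the downgrade are the same three questions: is firewalld running, is nf_conntrack loaded, and are there any filter rules at all? Below is an added example, not part of the original post, that turns them into a small health check script. Each check takes command output as a string, so it can be run against the sample text embedded in the script (constructed from the output shown above, with hostnames and timestamps made up) without root or a CentOS box; with --live it runs the same checks against the real host. The function names and samples are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): a small firewall health check for
# the situation described above. Each check is a function that takes command
# output as a string, so it can be run against the constructed samples below
# without root; pass --live to run it against the real host instead.

# Return 0 when a `systemctl status` dump shows the unit active and running.
unit_is_active() {
    printf '%s\n' "$1" | grep -q '^ *Active: active (running)'
}

# Return 0 when the dump contains the nf_conntrack load failure seen in the post.
has_conntrack_error() {
    printf '%s\n' "$1" | grep -q 'Failed to load nf_conntrack module'
}

# Print one word for a firewalld status dump: running, conntrack-error, or down.
classify_firewalld() {
    if unit_is_active "$1"; then
        echo running
    elif has_conntrack_error "$1"; then
        echo conntrack-error
    else
        echo down
    fi
}

# Return 0 when module $1 appears in the `lsmod` output given as $2.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# Count rule lines in `iptables -nL` output (chain headers, column headers and
# blank lines are skipped). A count of 0 with ACCEPT policies means the host
# is wide open, which is the state the post found.
count_iptables_rules() {
    printf '%s\n' "$1" | grep -v -e '^Chain ' -e '^target ' -e '^ *$' | wc -l | tr -d ' '
}

# --- Constructed samples (trimmed from the output shown in the post; host and
# --- timestamps are made up) ---
SAMPLE_STATUS_DEAD='firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2019-11-18 21:02:00 JST; 1 day 23h ago
Nov 18 21:02:00 host systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 18 21:02:00 host firewalld[9341]: ERROR: Failed to load nf_conntrack module: modprobe: FATAL: Module nf_conntrack not found.
Nov 18 21:02:00 host firewalld[9341]: ERROR: Raising SystemExit in run_server'

SAMPLE_STATUS_OK='firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2019-11-20 20:05:00 JST; 2min ago'

SAMPLE_LSMOD_NO_CONNTRACK='Module                  Size  Used by
ip_tables              27126  1 iptable_filter'

SAMPLE_LSMOD_OK='Module                  Size  Used by
nf_conntrack          139224  2 nf_nat,nf_conntrack_ipv4
ip_tables              27126  1 iptable_filter'

SAMPLE_IPTABLES_EMPTY='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

SAMPLE_IPTABLES_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Run the same checks against the live host (iptables needs root).
live_check() {
    status=$(systemctl status firewalld.service 2>&1 || true)
    echo "firewalld: $(classify_firewalld "$status")"
    if module_loaded nf_conntrack "$(lsmod)"; then
        echo "nf_conntrack: loaded"
    else
        echo "nf_conntrack: NOT loaded"
    fi
    echo "iptables rules: $(count_iptables_rules "$(iptables -nL 2>/dev/null)")"
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run it as `sh firewall_check.sh --live` (or whatever you name the file) before and after an upgrade or downgrade; a result of `conntrack-error` together with `iptables rules: 0` is exactly the open-host state the post describes, and the rule count is the quickest confirmation that the fallback `systemctl start iptables.service` actually loaded a ruleset.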
