Arch Linux

ttoirrah

Member

Registered: 2015-01-29

Posts: 52

[SOLVED] ebtables* missing, ipset not usable

I've got one mature Arch install, which I use as my main desktop machine. Firewalld seems to be doing its job:

$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2020-11-11 01:05:00 CET; 17h ago
       Docs: man:firewalld(1)
   Main PID: 346 (firewalld)
      Tasks: 2 (limit: 2308)
     Memory: 1.2M
     CGroup: /system.slice/firewalld.service
             └─346 /usr/bin/python /usr/bin/firewalld --nofork --nopid

Warning: some journal files were not opened due to insufficient permissions.

- which seems okay, though I don't understand the implications of that last line.

I've been building up a second Arch install on another faster machine, which I'm intending to move to. The only significant difference is that I installed dkms (I've explained in a note below why). Here Firewalld seems to behave differently:

$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
     Active: active (running) since Tue 2020-11-10 08:33:31 CET; 3min 54s ago
       Docs: man:firewalld(1)
   Main PID: 420 (firewalld)
      Tasks: 2 (limit: 9479)
     Memory: 41.7M
     CGroup: /system.slice/firewalld.service
             └─420 /usr/bin/python /usr/bin/firewalld --nofork --nopid

Nov 10 08:33:30 sbMb systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 10 08:33:31 sbMb systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 10 08:33:31 sbMb firewalld[420]: WARNING: ipset not usable, disabling ipset usage in firewall.
Nov 10 08:33:31 sbMb firewalld[420]: WARNING: ebtables-restore and ebtables are missing, disabling bridge firewall.

Those two warnings are highlighted in yellow in my terminal.

• Any ideas why they appear only on my new machine and not on my old?

• Is this a security concern for me?

Neither machine has ebtables (which provides ebtables-restore) or ipset installed.
The lone post I can find online about this is for Linux Mint, firewalld Warnings - ipset not usable, ebtables are missing.

Note: why I have dkms on my new Arch install.
I installed dkms to allow subsequent installation of AUR 8192eu-dkms to get networking through my TL-WN821N USB WiFi key. That worked, but at the cost of occasional system seizures, so I removed 8192eu-dkms, but then removing dkms caused $userresources in ~/.xinitrc to not be respected, for reasons beyond me, so I re-installed dkms, though I have no positive reason for it.

Last edited by ttoirrah (2020-11-12 07:32:31)

V1del

Forum Moderator

Registered: 2012-10-16

Posts: 21,668

Re: [SOLVED] ebtables* missing, ipset not usable

I'd assume you'd see the same warning if you were to run the status command on your first system as root .

The implications of the warnings seem also to not be an issue, there are multiple firewall backends for firewalld. If you have rules that need the old backends you might have to install them, they are declared as optional dependencies for firewalld. If you don't there doesn't appear to be a need to.
As for why your normal user does or doesn't see the warnings without elevation depends on the groups. By default "wheel" group users are considered admins and have full access to the journal. If your user on the old system is not part of the wheel group you need to elevate the permissions to see system level journal entries.

I highly doubt dkms has any relevance on this.

ttoirrah

Member

Registered: 2015-01-29

Posts: 52

Re: [SOLVED] ebtables* missing, ipset not usable

Thanks for the reassurance, and yes, I see the same yellow warnings as root on the old machine, and groups jo shows me that I'm in wheel only on the new machine.