ERROR: COMMAND_FAILED: 'handle' #549

Closed
desolatorxxl opened this issue Nov 29, 2019 · 5 comments
Labels
duplicate Duplicate bug report.

Comments

@desolatorxxl

I'm running firewalld 0.8.0-1 on Arch Linux 5.3.13-arch1-1 via systemd.
When starting firewalld with systemctl start firewalld I get the following errors in the journal logs:

journalctl -xe -u firewalld
Nov 29 12:55:19 kneterkasten firewalld[759]: ERROR: 'handle'
Nov 29 12:55:19 kneterkasten firewalld[759]: ERROR: COMMAND_FAILED: 'handle'

Running it with debug enabled returns the following output:

/usr/bin/python /usr/bin/firewalld --nofork --nopid --debug=1
...
2019-11-29 13:10:42 DEBUG1: Applying zone 'public'
2019-11-29 13:10:42 DEBUG1: Applying zone 'trusted'
2019-11-29 13:10:42 DEBUG1: Applying zone 'work'
2019-11-29 13:10:42 DEBUG1: Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/firewall/core/fw_transaction.py", line 128, in execute
    self.fw.rules(backend_name, rules[backend_name])
  File "/usr/lib/python3.8/site-packages/firewall/core/fw.py", line 858, in rules
    backend.set_rules(_rules, self._log_denied)
  File "/usr/lib/python3.8/site-packages/firewall/core/nftables.py", line 381, in set_rules
    self.rule_to_handle[rule_key] = output["nftables"][index][verb]["rule"]["handle"]
KeyError: 'handle'

2019-11-29 13:10:42 ERROR: 'handle'
2019-11-29 13:10:42 DEBUG1: Setting policy to 'ACCEPT'
2019-11-29 13:10:42 DEBUG1: Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/firewall/server/decorators.py", line 53, in handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/firewall/server/firewalld.py", line 94, in start
    return self.fw.start()
  File "/usr/lib/python3.8/site-packages/firewall/core/fw.py", line 464, in start
    self._start()
  File "/usr/lib/python3.8/site-packages/firewall/core/fw.py", line 435, in _start
    transaction.execute(True)
  File "/usr/lib/python3.8/site-packages/firewall/core/fw_transaction.py", line 173, in execute
    raise FirewallError(errors.COMMAND_FAILED, errorMsg)
firewall.errors.FirewallError: COMMAND_FAILED: 'handle'

2019-11-29 13:10:42 ERROR: COMMAND_FAILED: 'handle'
2019-11-29 13:10:42 DEBUG1: GetAll('org.fedoraproject.FirewallD1')
...

Afterwards any firewall-cmd output is kind of empty; there should be at least some services and ports in my case:

firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

But firewalld seems to work as expected, e.g. not specified ports and services are blocked.

A reload brings back the expected output results:

firewall-cmd --reload
success
firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client openvpn ssh
  ports: 3389/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I have no clue what's going wrong as the error is rather non-descriptive for me.
I appreciate any help / guidance.
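The symptom described in the report above, an empty `firewall-cmd --list-all` after the failed start that a reload restores, can be checked for mechanically. The following is an added example, not part of the thread and not firewalld code: the function names are hypothetical, and the post-reload listing from the report stands in for the output of `firewall-cmd --permanent --list-all`.

```python
# Added example, not firewalld code: compare a runtime zone listing with the
# expected one and report configured entries that the runtime listing lacks.
# Both listings are constructed from the output quoted in the report above.
TEMPLATE = """public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:{services}
  ports:{ports}
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""
RUNTIME_AFTER_FAILED_START = TEMPLATE.format(services="", ports="")
EXPECTED = TEMPLATE.format(services=" dhcpv6-client openvpn ssh", ports=" 3389/tcp")

# Fields compared (assumption: single-line, space-separated values as shown above).
COMPARED = ("services", "ports", "protocols", "source-ports")

def parse_zone(text):
    """Parse one zone block into (zone_name, {field: set_of_values})."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty listing")
    name = lines[0].split()[0]  # handles "public" and "public (active)"
    fields = {}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        if key in COMPARED:  # ignore other fields and continuation lines
            fields[key] = set(value.split())
    return name, fields

def missing_at_runtime(runtime_text, expected_text):
    """Return {field: sorted values in the expected listing but not at runtime}."""
    _, runtime = parse_zone(runtime_text)
    _, expected = parse_zone(expected_text)
    gaps = {}
    for key in COMPARED:
        lost = expected.get(key, set()) - runtime.get(key, set())
        if lost:
            gaps[key] = sorted(lost)
    return gaps

if __name__ == "__main__":
    for key, lost in missing_at_runtime(RUNTIME_AFTER_FAILED_START, EXPECTED).items():
        print(f"runtime listing lacks {key}: {' '.join(lost)}")
```

A non-empty result only says the listing and the configuration disagree; it does not show which rules are actually loaded in the kernel.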

@djlucas

djlucas commented Nov 29, 2019

That looks familiar. I'm not positive, but this is probably #540 and Arch is still using the released tarball for nftables-0.9.2.

@igo95862

igo95862 commented Dec 2, 2019

I wonder if forcing iptables instead of nftables serves as a good workaround...

@erig0
Collaborator

erig0 commented Dec 2, 2019

> I wonder if forcing iptables instead of nftables serves as a good workaround...

Yes. That should work. You can switch back once Arch updates their nftables package.

@erig0
Collaborator

erig0 commented Dec 2, 2019

Duplicate of #540.

@erig0 erig0 closed this as completed Dec 2, 2019
@erig0 erig0 added the duplicate Duplicate bug report. label Dec 2, 2019
@desolatorxxl
Author

Arch upgraded nftables to 0.9.3, the issue is fixed now.
