Error response from daemon: Failed to program NAT chain: COMMAND_FAILED: 'python-nftables' failed

godeke22397 · February 20, 2024, 6:01am

Hi,

I am using docker compose on debian 11. The docker daemon is up and running, however something seems to be wrong with the firewall as the containers will not start and come up with an error.

Here is the output of systemctl status docker.service:

 docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
    Drop-In: /etc/systemd/system/docker.service.d
             └─waitAllMounts.conf
     Active: active (running) since Mon 2024-02-19 18:19:04 CET; 12h ago
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
   Main PID: 7294 (dockerd)
      Tasks: 12
     Memory: 29.3M
     CGroup: /system.slice/docker.service
             └─7294 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Feb 19 18:19:04 wdmch systemd[1]: Started Docker Application Container Engine.
Feb 19 18:19:48 wdmch dockerd[7294]: time="2024-02-19T18:19:48.500212402+01:00" level=info msg="Firewalld: interface docker0 already part of docker zone, returning"

and here for your reference the output of systemctl status firewalld.service:

● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2024-02-19 18:27:35 CET; 12h ago
       Docs: man:firewalld(1)
   Main PID: 8554 (firewalld)
      Tasks: 2 (limit: 1099)
     Memory: 24.9M
     CGroup: /system.slice/firewalld.service
             └─8554 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Feb 19 18:27:32 wdmch systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 19 18:27:35 wdmch systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 19 18:27:35 wdmch firewalld[8554]: WARNING: ipset not usable, disabling ipset usage in firewall.
Feb 19 18:27:36 wdmch firewalld[8554]: ERROR: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory internal:0:0-0: Error: Could not process rule: Numerical result out of range

Finally when I start the container I get the error:

Error response from daemon: Failed to program NAT chain: COMMAND_FAILED: 'python-nftables' failed

any ideas how this can be solved?

rimelek · February 20, 2024, 7:39am

Is this your topic too?

It would mean you are using OpenMediaVault which you forgot to mention and could be important.

godeke22397 · February 20, 2024, 11:28am

Hi Rimelek, yes, indeed system is OMV6.

Topic		Replies	Views
Failing to start dockerd: failed to create NAT chain DOCKER General	8	105457	September 20, 2022
About correct starting order for docker daemon and firewalld daemon Docker Hub docker	1	2870	May 27, 2021
Unable to enable nat rule during docker compose Compose docker	0	1126	December 20, 2017
Docker tries to create a chain on table nat with ip6tables (but there's no nat table on ipv6) [SOLVED] General docker-compose , networking , linux	6	1438	February 8, 2025
Issue with Docker 1.12.1 and Firewalld on RHEL 7 General	1	5512	November 16, 2016

Error response from daemon: Failed to program NAT chain: COMMAND_FAILED: 'python-nftables' failed

Related topics