`firewall-applet` constantly crashes

For some weeks now, firewall-applet constantly crashes whether it gets initiated by auto-run or launched from the CLI.

This is the error I get in the pop-up window (nothing in the console though):

Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/firewall/client.py", line 3488, in _signal_receiver
    cb(*cb_args)
  File "/usr/bin/firewall-applet", line 1018, in connection_established
    self.update_active_zones()
  File "/usr/bin/firewall-applet", line 741, in update_active_zones
    escape(binding.format(zone=zone, entry=connection_name)), self
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
KeyError: 'vnos'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/firewall/client.py", line 46, in _impl
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/firewall/client.py", line 3490, in _signal_receiver
    if firewall.functions.wrong_args_for_callable(cb, *cb_args):
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/firewall/functions.py", line 669, in wrong_args_for_callable
    inspect.bind(fcn, *a, **kw)
    ^^^^^^^^^^^^
AttributeError: module 'inspect' has no attribute 'bind'

Have you tried re-installing python?

sudo pacman -S python

Is python-pyqt5 installed?

sudo pacman -S python-pyqt5

Then:

sudo systemctl enable --now firewalld

1 Like

could also be a partial update situation. The applet works fine here.

Regenerate your mirror list
do a full update with sudo pacman -Syu
Make sure you have no packges in IgnorePkg/IgnoreGroup in your /etc/pacman.conf - if you have, remove that entry and do a full update again.

1 Like

OK, so now I did:

eos-rankmirrors
sudo pacman --sync --refresh --sysupgrade
yay python
yay python-qt5
yay python-pyqt5
yay firewalld
systemctl restart firewalld.service
firewall-applet

…and I get the exact same error.

you only refreshed your EndeavourOS mirror list.
You need to refresh your Arch mirror list, basically all packages come from there.
Use the welcome app if you are unsure how to do.

1 Like

Got it. Did that now (through the app) and repeated the same commands as above (minus the eos-rankmirrors)

…again exactly the same result.


P.S. Thanks to both of you for trying to help me here.

Other firewalld dependencies (requirements) you could check:

dbus-python
python-capng
python-gobject
nftables
glib2
hicolor-icon-theme

Maybe someone more knowledgeable has an answer.

1 Like

As far as I can tell from reading the applet’s source code from github, this is most likely a bug in firewalld’s error-handling code.

TLDR
Solution: Downgrade firewalld to version 2.0

$ sudo downgrade firewalld

Explanation: The crash is caused by the addition of a poorly-written function called wrong_args_for_callable() inside functions.py That function was only added recently into version 2.1; therefore, downgrading to 2.0 should make the problem go away.

Alternative Solution: Just don’t use the applet to begin with. You can do this by preventing it from autostarting. You can do most of the firewall-configuration work from the command line.

The nitty-gritty
The crash is first triggered by this block inside client.py:

try:
        cb(*cb_args)
except Exception:
        if firewall.functions.wrong_args_for_callable(cb, *cb_args):
             # Unexpected function signature. The D-Bus arguments (*cb_args) are
             # not as expected. This either means we wrongly implement the D-Bus API
             # or the D-Bus API changed.
             # Both cases might be interesting to know (logging!), but we also
             # should treat D-Bus as untrusted and don't barf on unexpected
             # data from D-Bus. Like above, silently ignore.
             return

         raise

The callback function cb(*cb_args) is expected to raise an exception in certain situations depending on the DBus arguments received. When an exception is caught, the code is supposed to handle it gracefully by first checking whether the exception is caused by a signature mismatch in the function call. The wrong_args_for_callable() function is supposed to perform this check.

However, if we look at the contents of wrong_args_for_callable():

def wrong_args_for_callable(fcn, *a, **kw):
    import inspect

    # Check whether fcn(*a, **kw) will fail due to invalid
    # arguments.

    try:
        inspect.bind(fcn, *a, **kw)
    except TypeError:
        return False
    return True

It is plain-as-day why this function will fail. According to the python documentation for the inspect module, bind() is not a top-level function but a method for the Signature type. The call inspect.bind() will fail with an AttributeError because the inspect module object does not have an attribute called bind.

On that note, how much are you willing to bet that the person who wrote that function is also a Javascript developer? Because the bind() function is used in this exact way in Javascript. Either the author of the function didn’t bother to RTFM, or he thought he was writing in Javascript not python.

3 Likes

Thanks, this fixed it!

I got that far, but am not experienced enough with Python (or coding at all) to make that

So I identified the commit that introduced this (and the committer does seem to typically commit to C and Python repos):

@anthony93 , would you be willing to open a bug report upstream or should I (and if so, may I quote you)?

1 Like

Based on the source code, that had to be the case. I’d be quite surprised if the applet didn’t work properly after the downgrade.

You can report upstream; hopefully they will roll out a quick fix. Whether or not to quote me is entirely up to you.

Regardless, I’m glad that you managed to resolve this issue. You mentioned that this issue had bothered you for weeks, which makes logical sense because guess how long ago version 2.1 of firewalld was released? 3 weeks ago.

1 Like

Sounds about right, yes.

I didn’t whine about it before, because I assumed it would get fixed soon enough either upstream or in Arch/EndeavourOS. After a while it got a bit annoying.

Have done so now:

Thanks again to all for helping me with this :slight_smile:

1 Like

You’re welcome.

1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.