Bug 1151067

Summary: firewalld is running, but firewall-cmd reports that daemon process is not running
Product: Red Hat Enterprise Linux 7
Reporter: Michal Sekletar <msekleta>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: jpopelka, ngalvin
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-11-14 12:43:28 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1156411
Attachments: firewalld debug log (flags: none)

Description Michal Sekletar 2014-10-09 14:22:24 UTC
Description of problem:
$subject

Version-Release number of selected component (if applicable):
firewalld-0.3.9-7.el7.noarch

How reproducible:
sometimes

Steps to Reproduce:
Not really sure though. I had firewalld disabled because I was doing some debugging, hence didn't want firewalld interfering. After reboot 'firewall-cmd --state' prints out that firewalld is not running, but after consulting output of systemctl I can see firewalld daemon process is running.

Actual results:
firewalld is running as per output of 'systemctl status firewalld.service' but 'firewall-cmd --state' reports "not-running".

Expected results:
firewalld is running as per output of 'systemctl status firewalld.service' and 'firewall-cmd --state' reports "running".

Additional info:
/var/log/firewalld attached

Comment 1 Michal Sekletar 2014-10-09 14:23:33 UTC
Created attachment 945329 [details]
firewalld debug log

Comment 3 Jiri Popelka 2014-10-09 14:42:15 UTC
Something seems to be using iptables command at the same moment as firewalld.

I tried:

while true;
do
  # -U lists Unix-domain sockets; iptables holds its "xtables" lock as an
  # abstract Unix socket, so any holder other than firewalld shows up here
  lsof -U | grep xtables
done

to catch the culprit with no luck (but I guess it's libvirtd).

We might use a patch [1] for iptables and then add for example -w2 to each iptables call in firewalld. I tried that some time ago and it worked nicely (I actually created that patch for this reason).

[1] https://git.netfilter.org/iptables/commit/?id=aaa4ace72ba1d195bbf436134a336816c33f7bd0
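The mitigation sketched in this comment (ask iptables to wait for the xtables lock instead of failing, and bound how long a caller tolerates contention) as an added shell example; this is illustrative code, not firewalld's or the iptables project's own. It assumes the `-w SECONDS` form of the wait option from patch [1] and that iptables exits with status 4 (RESOURCE_PROBLEM) when it cannot take the lock; the command name is a parameter so the wrapper can be exercised with a stub instead of a real iptables binary.

```shell
#!/bin/sh
# Added example, not code from the bug report.
# Runs an iptables-style command with "-w WAIT_SECONDS" appended (the wait
# option this comment proposes adding to each firewalld call) and retries a
# bounded number of times while the command keeps reporting lock contention.
#
# Assumption: exit status 4 is what iptables returns when another process
# holds the xtables lock; any other status is passed straight through.
LOCK_BUSY_STATUS=4

# iptables_locked_retry WAIT_SECONDS MAX_TRIES CMD [ARGS...]
# Returns the exit status of the last attempt.
iptables_locked_retry() {
    wait_s=$1
    max_tries=$2
    shift 2
    try=0
    while :; do
        try=$((try + 1))
        rc=0
        # "|| rc=$?" keeps this safe under "set -e"
        "$@" -w "$wait_s" || rc=$?
        # Success, or a failure that is not lock contention: stop here.
        if [ "$rc" -ne "$LOCK_BUSY_STATUS" ]; then
            return "$rc"
        fi
        # Still busy after the last allowed attempt: give up with status 4.
        if [ "$try" -ge "$max_tries" ]; then
            return "$rc"
        fi
        echo "xtables lock busy (attempt $try/$max_tries), retrying" >&2
    done
}

# Usage on a real host (only runs when iptables exists and we are root):
# check whether the INPUT chain already has a catch-all ACCEPT rule,
# waiting up to 2 s for the lock on each of at most 3 attempts.
if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    rc=0
    iptables_locked_retry 2 3 iptables -C INPUT -j ACCEPT || rc=$?
    echo "iptables -C INPUT -j ACCEPT exited with status $rc"
fi
```

The wrapper never hides a real error: only the lock-busy status is retried, so a malformed rule or a missing chain fails on the first attempt exactly as it would without the wrapper. A caller such as a service health check can therefore distinguish "firewall unreachable because something else is holding the lock" from "rule missing".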

Comment 4 Jiri Popelka 2014-10-09 14:43:10 UTC
(In reply to Jiri Popelka from comment #3)
> I tried:

Some time ago when I was also seeing this.

Comment 5 Jiri Popelka 2014-10-27 17:01:18 UTC
(In reply to Jiri Popelka from comment #3)
> ... add for example -w2 to each
> iptables call in firewalld. I tried that some time ago and it worked nicely

Upstream commit:
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=b3b451d6f8946986b8f50c8bcddeef50ed7a5f8f

Comment 6 Jiri Popelka 2014-11-14 12:43:28 UTC

*** This bug has been marked as a duplicate of bug 1161745 ***