Bug 1395909

Summary: firewalld not properly supporting samba & ftp from ver 0.4.4.1-1.fc24
Product: [Fedora] Fedora
Component: firewalld
Version: 24
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: medium
Priority: unspecified
Type: Bug
Reporter: dan
Assignee: Thomas Woerner <twoerner>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dan, Jeroen.Huisman, joe, johncwoods, michael.finn.jorgensen, phceac, twoerner
Last Closed: 2016-11-22 11:40:29 UTC

Description dan 2016-11-16 22:55:02 UTC
Description of problem:

When using the firewalld GUI and the Fedora Workstation profile I am unable to successfully add samba to the policy.  Checking the smb box produces an error as follows:  INVALID_HELPER: nf_conntrack_netbios_ns not available in kernel.

However, as a workaround, I switched to the Fedora Server profile and was able to successfully add samba.

Comment 1 dan 2016-11-17 00:32:27 UTC
On further check, the situation seems to be more serious.  Samba cannot be accessed from the network when firewalld is running, disabling firewalld allows access.  Will see if I can gather some additional info.

Comment 2 dan 2016-11-17 00:58:29 UTC
Iptables output does not show that firewalld has inserted a rule for samba, i.e. ports 139/tcp, 445/tcp, etc.  Now I also see that trying to uncheck samba from the FedoraServer policy also triggers the error as above.

I next used firewalld to create a samba-workaround object with the proper ports, then reloaded firewalld.

Reload of firewalld also shows:

Nov 16 19:53:13 ears.private firewalld[3934]: WARNING: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel

I next selected samba-workaround in the FedoraServer policy and it created the rules in iptables.

Issue worked around but obviously a serious problem for anyone running firewalld and samba.  


The issue began today after a dnf upgrade:

Nov 16 12:32:52 DEBUG ---> Package firewalld.noarch 0.4.3.3-1.fc24 will be upgraded
Nov 16 12:32:52 DEBUG ---> Package firewalld.noarch 0.4.4.1-1.fc24 will be an upgrade
Nov 16 12:32:52 DEBUG ---> Package firewalld-filesystem.noarch 0.4.3.3-1.fc24 will be upgraded
Nov 16 12:32:52 DEBUG ---> Package firewalld-filesystem.noarch 0.4.4.1-1.fc24 will be an upgrade

Comment 3 dan 2016-11-17 13:23:56 UTC
ftp also affected with similar error, unable to load nf_conntrack_ftp, not in kernel.

Comment 4 dan 2016-11-18 04:41:05 UTC
Modprobe of modules prior to starting firewalld does not help.

Comment 5 John 2016-11-20 05:36:21 UTC
Added info:

A "systemctl status firewalld" results in:

Nov 17 11:21:55 bilbo systemd[1]: Starting firewalld - dynamic firewall daemon...
Nov 17 11:22:01 bilbo systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 17 11:22:15 bilbo firewalld[724]: WARNING: INVALID_HELPER: 'nf_conntrack_ftp' not available in kernel
Nov 17 11:22:17 bilbo firewalld[724]: WARNING: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel
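
Added example, not part of any comment in this report: a check that correlates the INVALID_HELPER warnings quoted above with the port rules actually present in the iptables ruleset, so a service that firewalld accepted in the zone but never opened is flagged. The sample journal and ruleset text are constructed, the function names are hypothetical, and the helper-to-service mapping (including 21/tcp for ftp) is an assumption based on the services named in this report.

```python
import re

# Constructed journal excerpt, modelled on the warnings quoted in this report.
JOURNAL = """\
Nov 17 11:22:01 host systemd[1]: Started firewalld - dynamic firewall daemon.
Nov 17 11:22:15 host firewalld[724]: WARNING: INVALID_HELPER: 'nf_conntrack_ftp' not available in kernel
Nov 17 11:22:17 host firewalld[724]: WARNING: INVALID_HELPER: 'nf_conntrack_netbios_ns' not available in kernel
"""
# Constructed iptables-save excerpt: ssh plus the workaround ports for samba, nothing for ftp.
RULESET = """\
-A IN_FedoraServer_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraServer_allow -p tcp -m tcp --dport 139 -m conntrack --ctstate NEW -j ACCEPT
-A IN_FedoraServer_allow -p tcp -m tcp --dport 445 -m conntrack --ctstate NEW -j ACCEPT
"""
# Assumed mapping: conntrack helper -> (service, ports that should be accepted).
HELPER_SERVICES = {
    "nf_conntrack_netbios_ns": ("samba", {("tcp", 139), ("tcp", 445)}),
    "nf_conntrack_ftp": ("ftp", {("tcp", 21)}),
}
HELPER_RE = re.compile(r"firewalld\[\d+\]: WARNING: INVALID_HELPER: '?([\w-]+)'? not available in kernel")
ACCEPT_RE = re.compile(r"-p (tcp|udp)\b.*--dport (\d+)(?::(\d+))?\b.*-j ACCEPT")

def failed_helpers(journal):
    """Return the helper names firewalld reported as unavailable."""
    return sorted(set(HELPER_RE.findall(journal)))

def accepted_ports(ruleset):
    """Return the set of (protocol, port) pairs with an ACCEPT rule."""
    ports = set()
    for line in ruleset.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            low = int(m.group(2))
            high = int(m.group(3) or low)  # handle --dport low:high ranges
            ports.update((m.group(1), p) for p in range(low, high + 1))
    return ports

def audit(journal, ruleset):
    """Map each affected service to the expected ports missing from the ruleset."""
    open_ports = accepted_ports(ruleset)
    report = {}
    for helper in failed_helpers(journal):
        service, expected = HELPER_SERVICES.get(helper, (helper, set()))
        report[service] = sorted(expected - open_ports)
    return report

if __name__ == "__main__":
    for service, missing in audit(JOURNAL, RULESET).items():
        print(service, "missing:", missing or "none")
```
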

Comment 6 Jeroen Huisman 2016-11-21 16:16:18 UTC
Identical issue on Fedora 24 kernel 4.8.8-200.fc24.armv7hl

Upgraded:
Nov 21 10:21:22 DEBUG ---> Package firewall-config.noarch 0.4.3.3-1.fc24 will be upgraded
Nov 21 10:21:22 DEBUG ---> Package firewall-config.noarch 0.4.4.1-1.fc24 will be an upgrade
Nov 21 10:21:22 DEBUG ---> Package firewalld.noarch 0.4.3.3-1.fc24 will be upgraded
Nov 21 10:21:22 DEBUG ---> Package firewalld.noarch 0.4.4.1-1.fc24 will be an upgrade
Nov 21 10:21:22 DEBUG ---> Package firewalld-filesystem.noarch 0.4.3.3-1.fc24 will be upgraded
Nov 21 10:21:22 DEBUG ---> Package firewalld-filesystem.noarch 0.4.4.1-1.fc24 will be an upgrade

Comment 7 Igor Gnatenko 2016-11-22 11:40:29 UTC

*** This bug has been marked as a duplicate of bug 1394597 ***