Bug 1516881

Summary: firewalld modprobe hook breaks iptables rules that automatically load nf_conntrack
Product: Red Hat Enterprise Linux 7
Reporter: Tomas Dolezal <todoleza>
Component: firewalld
Assignee: Eric Garver <egarver>
Status: CLOSED ERRATA
QA Contact: Tomas Dolezal <todoleza>
Severity: high
Docs Contact:
Priority: high
Version: 7.5-Alt
CC: atragler, egarver, network-qe, psutter, rkhan, shuali, todoleza
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: firewalld-0.4.4.4-13.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 10:32:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Comment 3 Phil Sutter 2017-11-28 12:06:26 UTC
That call to iptables succeeds on second try. The point is whether nf_conntrack.ko is loaded or not:

# lsmod | grep '\(nf_\|xt_\|iptable\|ip_tables\)'
# iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes
iptables: No chain/target/match by that name.
# lsmod | grep '\(nf_\|xt_\|iptable\|ip_tables\)'
nf_conntrack          262144  0 
iptable_filter        262144  0 
ip_tables             262144  1 iptable_filter
libcrc32c             262144  2 nf_conntrack,xfs
# iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes
# lsmod | grep '\(nf_\|xt_\|iptable\|ip_tables\)'
nf_conntrack_ipv4     262144  1 
nf_defrag_ipv4        262144  1 nf_conntrack_ipv4
xt_connbytes          262144  1 
nf_conntrack          262144  2 nf_conntrack_ipv4,xt_connbytes
iptable_filter        262144  1 
ip_tables             262144  1 iptable_filter
libcrc32c             262144  2 nf_conntrack,xfs
# iptables -F INPUT
# rmmod nf_conntrack_ipv4 xt_connbytes nf_conntrack
# iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes
iptables: No chain/target/match by that name.

Comment 4 Phil Sutter 2017-11-28 19:39:29 UTC
The problem here is caused by /etc/modprobe.d/firewalld-sysctls.conf: If I remove the file, module auto-loading proceeds as expected. The problematic file's content is as such:

| install nf_conntrack /usr/sbin/modprobe --ignore-install nf_conntrack && /usr/sbin/sysctl --pattern 'net[.]netfilter[.]nf_conntrack.*' --system

This causes a call to sysctl after nf_conntrack has been loaded (either automatically by the kernel or on command line using 'modprobe').

It seems that printing to stdout by sysctl upsets module auto-loading somehow. Adding '--quiet' to the sysctl call fixes the issue.

Note that while being at it, one should also add $CMDLINE_OPTS as last parameter to the modprobe call as explained in modprobe.conf(5) to allow passing module parameters via 'modprobe'.
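
As an added check, not part of the bug report or of firewalld's own code: a small POSIX sh audit that flags modprobe.d install hooks with the two defects comment 4 describes (a sysctl call that is not --quiet, and a modprobe --ignore-install call without $CMDLINE_OPTS). The two sample hook lines are constructed from the file quoted above and the fix the comment recommends.

```shell
#!/bin/sh
# Added example (not from the bug report or firewalld): audit modprobe.d
# "install" hooks for the two defects discussed in comment 4:
#   1. a sysctl call without --quiet (its stdout breaks module auto-loading)
#   2. "modprobe --ignore-install" without $CMDLINE_OPTS, so parameters given
#      on the modprobe command line are dropped (see modprobe.conf(5))

# Constructed samples: the hook quoted in comment 4 and the corrected form.
BAD_HOOK="install nf_conntrack /usr/sbin/modprobe --ignore-install nf_conntrack && /usr/sbin/sysctl --pattern 'net[.]netfilter[.]nf_conntrack.*' --system"
FIXED_HOOK="install nf_conntrack /usr/sbin/modprobe --ignore-install nf_conntrack \$CMDLINE_OPTS && /usr/sbin/sysctl --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --system"

# check_install_line LINE: print one finding per defect; return 1 if any found.
check_install_line() {
    line=$1
    rc=0
    mod=$(printf '%s\n' "$line" | awk '{print $2}')
    case $line in
        *sysctl*)
            case $line in
                *--quiet*|*" -q "*) ;;
                *) echo "$mod: sysctl in install hook writes to stdout (add --quiet)"; rc=1 ;;
            esac ;;
    esac
    case $line in
        *modprobe*--ignore-install*)
            case $line in
                *'$CMDLINE_OPTS'*) ;;
                *) echo "$mod: modprobe --ignore-install lacks \$CMDLINE_OPTS"; rc=1 ;;
            esac ;;
    esac
    return $rc
}

# check_modprobe_dir DIR: run the check over every "install" line in DIR/*.conf
# (comment lines are skipped by the grep); return 1 if any file has a finding.
check_modprobe_dir() {
    rc=0
    for f in "$1"/*.conf; do
        [ -r "$f" ] || continue
        grep -E '^[[:space:]]*install[[:space:]]' "$f" |
            { st=0; while IFS= read -r l; do check_install_line "$l" || st=1; done; exit $st; } ||
            rc=1
    done
    return $rc
}

# Stand-alone demonstration on the constructed samples (e.g. run against
# /etc/modprobe.d with: check_modprobe_dir /etc/modprobe.d).
check_install_line "$BAD_HOOK" || echo "bad hook: exit status $?"
check_install_line "$FIXED_HOOK" && echo "fixed hook: no findings"
```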

Comment 5 Phil Sutter 2017-11-28 20:10:38 UTC
A commit with above mentioned changes is available in my recent pull request upstream: https://github.com/firewalld/firewalld/pull/265

Comment 11 Eric Garver 2017-12-04 14:25:43 UTC
(In reply to Phil Sutter from comment #5)
> A commit with above mentioned changes is available in my recent pull request
> upstream: https://github.com/firewalld/firewalld/pull/265

Merged upstream, 8a8d61822d.

Comment 13 Eric Garver 2017-12-05 15:39:46 UTC
*** Bug 1519638 has been marked as a duplicate of this bug. ***

Comment 21 errata-xmlrpc 2018-04-10 10:32:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0702