Bug 1594657

Summary: Docker with firewalld produces WARNING messages
Product: Red Hat Enterprise Linux 7 Reporter: Takayoshi Kimura <tkimura>
Component: firewalldAssignee: Eric Garver <egarver>
Status: CLOSED ERRATA QA Contact: Tomas Dolezal <todoleza>
Severity: low Docs Contact:
Priority: low    
Version: 7.5CC: dapark, egarver, hasuzuki, jmaxwell, sbrivio, todoleza
Target Milestone: rcKeywords: TestOnly
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: firewalld-0.6.3-1.el7 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-31 20:00:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1637204    
Bug Blocks: 1723958    

Description Takayoshi Kimura 2018-06-25 06:51:49 UTC 
Description of problem:

Docker with firewalld produces the following WARNINGs:

Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER' failed: iptables: Too many links.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION' failed: iptables: Too many links.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -n -L DOCKER' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed: iptables: No chain/target/match by that name.

Looks like docker is checking if the chain exists using -C option, this is normal operation and expected behavior.

firewalld WARNINGs for normal operation is not reasonable.

At this point it's not clear if these messages are harmless, or if it causes some issues.


Version-Release number of selected component (if applicable):

$ rpm -q docker firewalld
docker-1.13.1-63.git94f4240.el7.x86_64
firewalld-0.4.4.4-14.el7.noarch


How reproducible:

Always


Steps to Reproduce:
1. Start docker and firewalld
2.
3.

Actual results:

firewalld WARNINGs in journal logs, users need to extra effort to research if they indicate an issue or not.


Expected results:

No WARNINGs if there's nothing wrong.


Additional info:
Comment 2 Eric Garver 2018-07-25 21:16:46 UTC 
(In reply to Takayoshi Kimura from comment #0)
[..]
> Looks like docker is checking if the chain exists using -C option, this is
> normal operation and expected behavior.

The initial failures are docker attempting to delete rules that don't exist. It looks like docker is attempting to delete rules even before it does a probe (-C) to see if they exist.

> firewalld WARNINGs for normal operation is not reasonable.

How is firewalld to determine if this is normal? The requests are coming from docker.

At best firewalld could check if "-C" or "-L" options are in the direct rule and squelch the log, but this won't address the other failed commands that are coming from docker. Those need to be addressed on the docker side.
Comment 3 Takayoshi Kimura 2018-07-26 00:24:26 UTC 
> The initial failures are docker attempting to delete rules that don't exist. It looks like docker is attempting to delete rules even before it does a probe (-C) to see if they exist.

I agree that this is docker side issue. It needs to check the existing rules first.

> At best firewalld could check if "-C" or "-L" options are in the direct rule and squelch the log

I think this is reasonable, iptables -C could return -1 and it's not good condition for warnings.
Comment 4 Eric Garver 2018-07-31 18:56:54 UTC 
I pushed two commits upstream to avoid the log if "-C" or "-L" are used. For the other issues you'll have to create a BZ against docker.

   8c1c0d047b2e ("test/regression: new test for untracked passthrough logging")
   7662061f1640 ("fw_direct: avoid log for untracked passthrough queries")
Comment 5 Eric Garver 2018-11-15 16:58:15 UTC 
The log no longer occurs for "-C" and "-L" as of firewalld-0.6.3-1.el7, for the other log reports you'll have to file a bug with Docker as per comment 2.
Comment 15 errata-xmlrpc 2020-03-31 20:00:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1109