Bug 1688185
| Summary: | iptables related errors in journald | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Lukas Slebodnik <lslebodn> |
| Component: | firewalld | Assignee: | Eric Garver <egarver> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | rawhide | CC: | bgalvani, dcbw, egarver, fgiudici, gnome-sig, john.j5live, jpopelka, lkundrak, mclasen, rhughes, rstrode, sandmann, twoerner |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-03-13 16:29:54 UTC | Type: | Bug |
Errors come from firewalld, reassigning...

There is currently a rawhide selinux-policy bug, bug 1686660, that prevents firewalld from functioning. This is probably a duplicate of that.

Lukas, can you verify?

(In reply to Eric Garver from comment #2)
> There is currently a rawhide selinux-policy bug, bug 1686660, that prevents
> firewalld from functioning. This is probably a duplicate of that.
>
> Lukas, can you verify?

I can see error even in permissive mode.

(In reply to Lukas Slebodnik from comment #3)
> (In reply to Eric Garver from comment #2)
> > There is currently a rawhide selinux-policy bug, bug 1686660, that prevents
> > firewalld from functioning. This is probably a duplicate of that.
> >
> > Lukas, can you verify?
>
> I can see error even in permissive mode.

Please check the firewalld logs.

# systemctl status firewalld

You can also attach /var/log/firewalld.

Please double check you're not looking at the old instances of the errors in journalctl.

[root@host ~]# systemctl status firewalld | cat | sed -e 's/graviton.brq.redhat.com/host.example.com/'
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2019-03-13 09:49:06 CET; 5h 41min ago
Docs: man:firewalld(1)
Main PID: 4623 (firewalld)
Tasks: 2 (limit: 4915)
Memory: 25.1M
CGroup: /system.slice/firewalld.service
└─4623 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
Mar 13 11:43:57 host.example.com firewalld[4623]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:44:42 host.example.com firewalld[4623]: ERROR: UNKNOWN_INTERFACE: 'veth744c327' is not in any zone
Mar 13 11:44:42 host.example.com firewalld[4623]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:44:42 host.example.com firewalld[4623]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

sh# tail /var/log/firewalld
2019-03-13 11:44:42 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 11:45:18 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 11:45:18 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 14:51:51 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 14:51:51 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 14:52:37 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 14:52:37 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

sh# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER-ISOLATION all -- anywhere anywhere
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (1 references)
target prot opt source destination

Chain DOCKER-ISOLATION (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

comment 6 is not enough of the log to indicate the issue.

Please do the following

# setenforce 0
# systemctl restart firewalld
# firewall-cmd --state

Then attach the full log (/var/log/firewalld).

(In reply to Eric Garver from comment #7)
> comment 6 is not enough of the log to indicate the issue.
>
> Please do the following
>
> # setenforce 0
> # systemctl restart firewalld
> # firewall-cmd --state
>
> Then attach the full log (/var/log/firewalld).

Restarting firewalld helped. Previously, I restarted just NM.

[root@host ~]# > /var/log/firewalld
[root@host ~]# setenforce 0
[root@host ~]# systemctl restart firewalld
[root@host ~]# firewall-cmd --state
running
[root@host ~]# setenforce 1
[root@host ~]# cat /var/log/firewalld
2019-03-13 16:40:48 ERROR: Failed to load zone file '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected attribute priority
2019-03-13 16:40:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

(In reply to Lukas Slebodnik from comment #8)
> (In reply to Eric Garver from comment #7)
> > comment 6 is not enough of the log to indicate the issue.
> >
> > Please do the following
> >
> > # setenforce 0
> > # systemctl restart firewalld
> > # firewall-cmd --state
> >
> > Then attach the full log (/var/log/firewalld).
>
> Restarting firewalld helped. Previously, I restarted just NM.
>
> [root@host ~]# > /var/log/firewalld
> [root@host ~]# setenforce 0
> [root@host ~]# systemctl restart firewalld
>
> [root@host ~]# firewall-cmd --state
> running

Marking this as a duplicate of the policy issue.

> [root@host ~]# setenforce 1
> [root@host ~]# cat /var/log/firewalld
> 2019-03-13 16:40:48 ERROR: Failed to load zone file
> '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected
> attribute priority
> 2019-03-13 16:40:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D
> FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a
> matching rule exist in that chain?).

This is a separate issue. libvirt is attempting to use firewalld's rich rule priority support, which is not yet in Fedora nor an upstream release. Please file a ticket against libvirt for this.

*** This bug has been marked as a duplicate of bug 1686660 ***

Description of problem:
I did debugging of unrelated issue and found errors in journald

Version-Release number of selected component (if applicable):
sh$ rpm -q NetworkManager firewalld
NetworkManager-1.16.0-0.3.fc31.x86_64
firewalld-0.6.3-2.fc30.noarch

How reproducible:
Deterministic on my laptop

Steps to Reproduce:
1. systemctl restart NetworkManager

Actual results:
Mar 13 11:45:17 host.example.com nm-dispatcher[22358]: req:2 'connectivity-change': start running ordered scripts...
Mar 13 11:45:18 host.example.com kernel: IPv6: ADDRCONF(NETDEV_UP): wlp3s0: link is not ready
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1746] device (enp0s25): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'assume')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1750] supplicant: wpa_supplicant running
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1751] device (wlp3s0): supplicant interface state: init -> starting
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1752] device (enp0s25): state change: prepare -> config (reason 'none', sys-iface-state: 'assume')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1956] sup-iface[0x55e5303850e0,wlp3s0]: supports 5 scan SSIDs
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1960] device (wlp3s0): supplicant interface state: starting -> ready
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1960] Wi-Fi P2P device controlled by interface wlp3s0 created
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1962] manager: (p2p-dev-wlp3s0): new 802.11 Wi-Fi P2P device (/org/freedesktop/NetworkManager/Devices/5)
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1965] device (p2p-dev-wlp3s0): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <warn> [1552473918.1971] sup-iface: failed to cancel p2p connect: P2P cancel failed
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1972] device (p2p-dev-wlp3s0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'managed')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1976] device (wlp3s0): state change: unavailable -> disconnected (reason 'supplicant-available', sys-iface-state: 'managed')
Mar 13 11:45:18 host.example.com kernel: IPv6: ADDRCONF(NETDEV_UP): wlp3s0: link is not ready
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1986] agent-manager: req[0x55e53045ced0, :1.1642/org.freedesktop.nm-applet/1000]: agent registered
Mar 13 11:45:18 host.example.com firewalld[4623]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:45:18 host.example.com firewalld[4623]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <warn> [1552473918.2039] firewall: [0x7f3754005940,change:"enp0s25"]: complete: request failed (COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
)
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.2040] device (enp0s25): state change: config -> ip-config (reason 'none', sys-iface-state: 'assume')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.2047] dhcp4 (enp0s25): activation: beginning transaction (timeout in 45 seconds)
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.2063] dhcp4 (enp0s25): dhclient started with pid 22380

Expected results:
No errors in journald

Additional info: