Bug 1790681

Summary: Firewall configuration stopped working after upgrade

| Field | Value |
|---|---|
| Product: | Red Hat Enterprise Linux 8 |
| Reporter: | Orion Poplawski <orion> |
| Component: | firewalld |
| Assignee: | Eric Garver <egarver> |
| Status: | CLOSED DUPLICATE |
| QA Contact: | qe-baseos-daemons |
| Severity: | medium |
| Docs Contact: | |
| Priority: | unspecified |
| Version: | 8.1 |
| CC: | todoleza, toracat |
| Target Milestone: | rc |
| Target Release: | 8.0 |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Whiteboard: | |
| Fixed In Version: | |
| Doc Type: | If docs needed, set a value |
| Doc Text: | |
| Story Points: | --- |
| Clone Of: | |
| Environment: | |
| Last Closed: | 2020-01-14 00:11:46 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Attachments: | 1652008: Output of "nft list table inet firewalld" from firewalld 0.7.0 |
Description of problem:

Created attachment 1652008
Output of "nft list table inet firewalld" from firewalld 0.7.0

System configured with firewalld-0.6.3-7.el8.noarch (8.0) was working fine. After upgrade to firewalld-0.7.0-5.el8.noarch (8.1) it does not. I have two zones:

```
# firewall-cmd --get-active-zones
internal
  sources: 10.0.0.0/8
public
  interfaces: eth0

# firewall-cmd --list-all --zone internal
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 10.0.0.0/8
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.0.1.39" port port="10050" protocol="tcp" accept

# firewall-cmd --list-all --zone public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client dns http https kerberos kpasswd ldap ldaps mdns ntp ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

Services in the "internal" zone are allowed. Services in the "public" zone are not. There is only the one interface (eth0).

"nft list table inet firewalld" output is changed (new output attached), but I can't see anything obvious - but I'm not at all familiar with nftables yet.

With logging on I see:

```
kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:7e:62:ab:52:54:00:37:3c:2d:08:00 SRC=10.0.1.74 DST=10.0.1.72 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30951 DF PROTO=TCP SPT=48768 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
kernel: FINAL_REJECT: IN=eth0 OUT= MAC=00:16:3e:7e:62:ab:b8:ae:ed:7b:6e:a1:08:00 SRC=10.0.0.99 DST=10.0.1.72 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=23141 DF PROTO=UDP SPT=123 DPT=123 LEN=56
```

which both should have been allowed by the public rules.

Comments:

Switching FirewallBackend to iptables does not help.

Hmm, appears that this is expected behavior - though I swear it changed. https://access.redhat.com/solutions/1376003

Is it related to this by any chance? https://access.redhat.com/solutions/4586771

No, firewalld is starting fine. But on closer reading of https://access.redhat.com/solutions/1376003, I think this really is a regression as we should fall down to the interface zone. I think this is the relevant change:

```diff
--- EL8.0/0.6.3
+++ EL8.1/0.7.0
chain raw_PREROUTING {
type filter hook prerouting priority -290; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . iif oif missing drop
- jump raw_PREROUTING_ZONES_SOURCE
jump raw_PREROUTING_ZONES
}
- chain raw_PREROUTING_ZONES_SOURCE {
- ip saddr 10.0.0.0/8 goto raw_PRE_internal
- }
-
chain raw_PREROUTING_ZONES {
+ ip saddr 10.0.0.0/8 goto raw_PRE_internal
iifname "eth0" goto raw_PRE_public
goto raw_PRE_public
}
....
chain filter_INPUT {
type filter hook input priority 10; policy accept;
ct state established,related accept
+ ct status dnat accept
iifname "lo" accept
- jump filter_INPUT_ZONES_SOURCE
jump filter_INPUT_ZONES
ct state invalid drop
reject with icmpx type admin-prohibited
....
- chain filter_INPUT_ZONES_SOURCE {
- ip saddr 10.0.0.0/8 goto filter_IN_internal
- }
-
chain filter_INPUT_ZONES {
+ ip saddr 10.0.0.0/8 goto filter_IN_internal
iifname "eth0" goto filter_IN_public
goto filter_IN_public
}
```

```
# firewall-cmd --permanent --zone=internal --get-target
default
```

This is a duplicate of bug 1772208.

*** This bug has been marked as a duplicate of bug 1772208 ***
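Review bot: folding the *_ZONES_SOURCE chains into the *_ZONES chains silently changes fall-through for a source-bound zone whose target is default, which is exactly the regression reported here. In the 0.6.3 side of the diff, `ip saddr 10.0.0.0/8 goto filter_IN_internal` lived in filter_INPUT_ZONES_SOURCE, a chain that filter_INPUT entered with its own `jump`; when filter_IN_internal fell off its end without a verdict, control came back to filter_INPUT, whose next rule `jump filter_INPUT_ZONES` still dispatched the packet to the eth0 zone. On the 0.7.0 side the same `goto` is the first rule of filter_INPUT_ZONES, so a 10.0.0.0/8 packet that no internal-zone rule accepts returns straight to filter_INPUT, never reaches `iifname "eth0" goto filter_IN_public`, and lands on `reject with icmpx type admin-prohibited` (the FINAL_REJECT lines in the description). The raw_PREROUTING hunk has the identical problem. To keep the source-then-interface fall-through the reporter expects from solution 1376003, either leave the source rules in a separately jumped chain or emit `jump` instead of `goto` for source-bound zones with a default target. The `+ ct status dnat accept` line is an unrelated behaviour change and deserves its own mention.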
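The chain change discussed in the comments is easiest to reason about with a small model of how nft evaluates `jump`, `goto` and a chain that falls off its end. The Python below is an added example written for this page; it is not code from firewalld, nftables or the bug report. The chain layouts are a hand-built approximation of the two rulesets in the diff (one allow rule per service instead of firewalld's real per-zone sub-chains, and only the services needed to reproduce the symptom), and the packets are constructed to mirror the two FINAL_REJECT log lines in the description.

```python
"""Toy model of the nft verdict engine (jump / goto / fall-through), used to
show why moving a source-zone 'goto' into the *_ZONES chain changes which zone
decides a packet.  Added example: the layouts below are a hand-built
approximation of the firewalld 0.6.3 and 0.7.0 rulesets from the bug report,
not real 'nft list table inet firewalld' output."""
import ipaddress

ACCEPT, REJECT = "accept", "reject"   # terminal verdicts used in this model
JUMP, GOTO = "jump", "goto"           # chain-to-chain verdicts


def saddr(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda pkt: ipaddress.ip_address(pkt["src"]) in net


def iif(name):
    return lambda pkt: pkt["iif"] == name


def dport(proto, port):
    return lambda pkt: pkt["proto"] == proto and pkt["dport"] == port


def any_pkt(pkt):
    return True


def evaluate(chains, name, pkt):
    """Walk chain `name` with nft semantics: a terminal verdict ends
    evaluation; 'jump' runs the target and resumes here if the target fell
    off its end; 'goto' runs the target and does NOT resume here, control
    goes back to whoever entered this chain; falling off the end of a chain
    returns None ("no decision")."""
    for match, verdict, target in chains[name]:
        if not match(pkt):
            continue
        if verdict == JUMP:
            result = evaluate(chains, target, pkt)
            if result is not None:
                return result
            continue
        if verdict == GOTO:
            return evaluate(chains, target, pkt)
        return verdict
    return None


# Zone chains shared by both layouts.  Target "default" means the chain just
# falls off its end when no service matched.  Services are the subset of the
# report needed here: ssh in both zones, https and ntp only in public.
ZONES = {
    "filter_IN_internal": [
        (dport("tcp", 22), ACCEPT, None),                       # ssh
        (lambda p: p["src"] == "10.0.1.39" and p["proto"] == "tcp"
         and p["dport"] == 10050, ACCEPT, None),                # rich rule
    ],
    "filter_IN_public": [
        (dport("tcp", 22), ACCEPT, None),                       # ssh
        (dport("tcp", 443), ACCEPT, None),                      # https
        (dport("udp", 123), ACCEPT, None),                      # ntp
    ],
}


def layout_0_6_3():
    """Source zones live in their own chain that filter_INPUT enters via jump."""
    chains = dict(ZONES)
    chains["filter_INPUT"] = [
        (any_pkt, JUMP, "filter_INPUT_ZONES_SOURCE"),
        (any_pkt, JUMP, "filter_INPUT_ZONES"),
        (any_pkt, REJECT, None),                                # FINAL_REJECT
    ]
    chains["filter_INPUT_ZONES_SOURCE"] = [
        (saddr("10.0.0.0/8"), GOTO, "filter_IN_internal"),
    ]
    chains["filter_INPUT_ZONES"] = [
        (iif("eth0"), GOTO, "filter_IN_public"),
        (any_pkt, GOTO, "filter_IN_public"),
    ]
    return chains


def layout_0_7_0():
    """Source rule folded into filter_INPUT_ZONES, as in the posted diff."""
    chains = dict(ZONES)
    chains["filter_INPUT"] = [
        (any_pkt, JUMP, "filter_INPUT_ZONES"),
        (any_pkt, REJECT, None),                                # FINAL_REJECT
    ]
    chains["filter_INPUT_ZONES"] = [
        (saddr("10.0.0.0/8"), GOTO, "filter_IN_internal"),
        (iif("eth0"), GOTO, "filter_IN_public"),
        (any_pkt, GOTO, "filter_IN_public"),
    ]
    return chains


def verdict(layout, pkt):
    return evaluate(layout(), "filter_INPUT", pkt)


# Constructed packets; the first two mirror the FINAL_REJECT log lines.
HTTPS_FROM_LAN = {"src": "10.0.1.74", "iif": "eth0", "proto": "tcp", "dport": 443}
NTP_FROM_LAN = {"src": "10.0.0.99", "iif": "eth0", "proto": "udp", "dport": 123}
SSH_FROM_LAN = {"src": "10.0.1.74", "iif": "eth0", "proto": "tcp", "dport": 22}
HTTPS_FROM_WAN = {"src": "192.0.2.10", "iif": "eth0", "proto": "tcp", "dport": 443}

if __name__ == "__main__":
    cases = [("https from 10/8", HTTPS_FROM_LAN), ("ntp from 10/8", NTP_FROM_LAN),
             ("ssh from 10/8", SSH_FROM_LAN), ("https from outside", HTTPS_FROM_WAN)]
    for label, pkt in cases:
        print(f"{label:20s} 0.6.3={verdict(layout_0_6_3, pkt):8s} "
              f"0.7.0={verdict(layout_0_7_0, pkt)}")
```

The first two packets are accepted under the 0.6.3 layout and rejected under 0.7.0, while ssh from the LAN and https from outside 10.0.0.0/8 are accepted by both, which is the pattern in the report. Changing the source rule in `layout_0_7_0` from GOTO to JUMP restores the fall-through to the eth0 zone; that is one of the two fixes a reviewer would ask for.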