Bug 2095227
| Summary: | tcpcrypt firewalld rules are broken | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Brian Morrison <bdm> |
| Component: | tcpcrypt | Assignee: | Paul Wouters <paul.wouters> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | Docs Contact: | |
| Priority: | urgent | ||
| Version: | 36 | CC: | 3wcq6pxz, bdm, dledford, egarver, glyffa, paul.wouters |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-25 18:19:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
In Fedora 37 this bug now crashes firewalld in startup. The log incorrectly reports that its likely a nftables/iptables issue, but it wasn't. Unlike the nice error message in the description above it no longer reports the file it has trouble handling. I had to turn on debug tracing to get that. Short term fix of removing tcpcrypt-0.5-9.fc37.x86_64 fixed the firewalld crash. Ideally two fixes would be nice, firewalld should better handle a bad config file and tcpcrypt should have a working config. Setting priority to Urgent. A problem that crashes firewalld on startup and leaves a person's system wide open to surface area attacks is entirely unacceptable. This package needs to be fixed or forcibly removed from people's systems until it is fixed as the problem it is causing is an extreme violation of the principle of least surprise. I'm using Fedora 36, and since Dec 23 my system was totally unprotected with firewalld sucessfully deactivated, and I was completely oblivious of that situation until today.
The history of the firewalld service since then was just the following:
Dec 23 17:19:33 t460 systemd[1]: Starting firewalld.service - firewalld - dynamic firewall daemon...
Dec 23 17:19:34 t460 systemd[1]: Started firewalld.service - firewalld - dynamic firewall daemon.
Dec 23 17:19:34 t460 firewalld[41704]: ERROR: Failed to load user configuration. Falling back to full stock configuration.
Dec 23 17:19:34 t460 firewalld[41704]: ERROR: PARSE_ERROR: Unexpected element direct
Dec 23 17:19:34 t460 firewalld[41704]: Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 629, in start
self._start()
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 579, in _start
self._start_load_stock_config()
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 396, in _start_load_stock_config
self._loader_services(config.FIREWALLD_SERVICES)
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 670, in _loader_services
obj = service_reader(filename, path)
File "/usr/lib/python3.10/site-packages/firewall/core/io/service.py", line 237, in service_reader
parser.parse(source)
File "/usr/lib64/python3.10/xml/sax/expatreader.py", line 111, in parse
xmlreader.IncrementalParser.parse(self, source)
File "/usr/lib64/python3.10/xml/sax/xmlreader.py", line 125, in parse
self.feed(buffer)
File "/usr/lib64/python3.10/xml/sax/expatreader.py", line 217, in feed
self._parser.Parse(data, isFinal)
File "/builddir/build/BUILD/Python-3.10.8/Modules/pyexpat.c", line 416, in StartElement
File "/usr/lib64/python3.10/xml/sax/expatreader.py", line 333, in start_element
self._cont_handler.startElement(name, AttributesImpl(attrs))
File "/usr/lib/python3.10/site-packages/firewall/core/io/service.py", line 140, in startElement
self.item.parser_check_element_attrs(name, attrs)
File "/usr/lib/python3.10/site-packages/firewall/core/io/io_object.py", line 183, in parser_check_element_attrs
raise FirewallError(errors.PARSE_ERROR,
firewall.errors.FirewallError: PARSE_ERROR: Unexpected element direct
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 634, in start
self._start_failsafe()
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 618, in _start_failsafe
self._start_load_stock_config()
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 396, in _start_load_stock_config
self._loader_services(config.FIREWALLD_SERVICES)
File "/usr/lib/python3.10/site-packages/firewall/core/fw.py", line 670, in _loader_services
obj = service_reader(filename, path)
File "/usr/lib/python3.10/site-packages/firewall/core/io/service.py", line 237, in service_reader
parser.parse(source)
File "/usr/lib64/python3.10/xml/sax/expatreader.py", line 111, in parse
xmlreader.IncrementalParser.parse(self, source)
File "/usr/lib64/python3.10/xml/sax/xmlreader.py", line 125, in parse
self.feed(buffer)
File "/usr/lib64/python3.10/xml/sax/expatreader.py", line 217, in feed
self._parser.Parse(data, isFinal)
File "/builddir/build/BUILD/Python-3.10.8/Modules/pyexpat.c", line 416, in StartElement
File "/usr/lib64/python3.10/xml/sax/expatreader.py", line 333, in start_element
self._cont_handler.startElement(name, AttributesImpl(attrs))
File "/usr/lib/python3.10/site-packages/firewall/core/io/service.py", line 140, in startElement
self.item.parser_check_element_attrs(name, attrs)
File "/usr/lib/python3.10/site-packages/firewall/core/io/io_object.py", line 183, in parser_check_element_attrs
raise FirewallError(errors.PARSE_ERROR,
firewall.errors.FirewallError: PARSE_ERROR: Unexpected element direct
Dec 23 17:19:34 t460 firewalld[41704]: ERROR: PARSE_ERROR: Unexpected element direct
Dec 23 17:19:34 t460 firewalld[41704]: ERROR: Failed to load full stock configuration. This likely indicates a system level issue, the firewall backend (nftables, iptables) is broken. All hope is lost. Exiting.
Dec 23 17:19:34 t460 firewalld[41704]: ERROR: Raising SystemExit in run_server
Dec 23 17:19:34 t460 systemd[1]: firewalld.service: Deactivated successfully.
Before Dec 23, the firewalld service was starting and running fine. The only error was related to tcpcryptd service:
Dec 23 15:00:25 t460 systemd[1]: Starting firewalld.service - firewalld - dynamic firewall daemon...
Dec 23 15:00:26 t460 systemd[1]: Started firewalld.service - firewalld - dynamic firewall daemon.
Dec 23 15:00:27 t460 firewalld[1333]: ERROR: Failed to load service file '/usr/lib/firewalld/services/tcpcryptd.xml': PARSE_ERROR: Unexpected element direct
To get firewalld working again, I renamed the service file "/usr/lib/firewalld/services/tcpcryptd.xml" to something without the suffix ".xml" and restarted the firewalld.service
100% agree with Doug Leford:
> This package needs to be fixed or forcibly removed from people's systems until it is fixed as the problem it is causing is an extreme violation of the principle of least surprise.
Proposed PR for this: https://src.fedoraproject.org/rpms/tcpcrypt/pull-request/1 This message is a reminder that Fedora Linux 36 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 36 on 2023-05-16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '36'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 36 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed. Today I upgraded Fedora to 37 and, as expected and reported in this thread, firewalld crashes on startup silently. It is possible to change the "version" in this bug report from 36 to 37, please? Thanks. Fedora Linux 36 entered end-of-life (EOL) status on 2023-05-16. Fedora Linux 36 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed. |
Description of problem: The rules tcpcrypt adds are not understood by firewalld. As a result connections are not encrypted. Version-Release number of selected component (if applicable): tcpcrypt-libs-0.5-8.fc36.x86_64 tcpcrypt-0.5-8.fc36.x86_64 firewalld-filesystem-1.0.4-1.fc36.noarch firewalld-1.0.4-1.fc36.noarch How reproducible: Continuously broken for many Fedora releases. Steps to Reproduce: 1. systemctl status tcpcryptd 2. systemctl status firewalld 3. Actual results: ● tcpcryptd.service - tcpcryptd Server Loaded: loaded (/usr/lib/systemd/system/tcpcryptd.service; enabled; vendor preset: disabled) Active: active (running) since Tue 2022-06-07 17:44:23 BST; 1 day 17h ago Main PID: 2210 (tcpcryptd) Tasks: 1 (limit: 76926) Memory: 30.9M CPU: 327ms CGroup: /system.slice/tcpcryptd.service └─ 2210 /usr/bin/tcpcryptd -f -x 0x10 Jun 07 17:44:22 deangelis.fenrir.org.uk systemd[1]: Starting tcpcryptd.service - tcpcryptd Server... Jun 07 17:44:23 deangelis.fenrir.org.uk tcpcryptd-firewall[1830]: success Jun 07 17:44:23 deangelis.fenrir.org.uk systemd[1]: Started tcpcryptd.service - tcpcryptd Server. 1.● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2022-06-07 17:44:22 BST; 1 day 17h ago Docs: man:firewalld(1) Main PID: 1769 (firewalld) Tasks: 4 (limit: 76926) Memory: 46.0M CPU: 616ms CGroup: /system.slice/firewalld.service └─ 1769 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid Jun 07 17:44:20 deangelis.fenrir.org.uk systemd[1]: Starting firewalld.service - firewalld - dynamic firewall daemon... Jun 07 17:44:22 deangelis.fenrir.org.uk systemd[1]: Started firewalld.service - firewalld - dynamic firewall daemon. Jun 07 17:44:22 deangelis.fenrir.org.uk firewalld[1769]: ERROR: Failed to load service file '/usr/lib/firewalld/services/tcpcryptd.xml': PARSE_ERROR: Unexpected element direct Jun 07 17:44:23 deangelis.fenrir.org.uk firewalld[1769]: ERROR: Failed to load service file '/usr/lib/firewalld/services/tcpcryptd.xml': PARSE_ERROR: Unexpected element direct Expected results: Connection encrypted and no firewalld error. Additional info: