Bug 884346

Summary: firewall-cmd --reload causes libvirt to syslog spew errors when trying to clean up firewall rules that don't exist
Product: [Fedora] Fedora
Reporter: Dean Hunter <deanhunter>
Component: libvirt
Assignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 18
CC: berrange, clalancette, crobinso, itamar, jforbes, jpopelka, jyang, laine, libvirt-maint, twoerner, veillard, virt-maint
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-02-24 19:57:12 UTC
Type: Bug

Description Dean Hunter 2012-12-06 01:50:35 UTC
Description of problem:
firewall-cmd --reload fails when libvirtd.service is running


Version-Release number of selected component (if applicable):
firewalld.noarch            0.2.9-1.fc18            @koji-override-0/$releasever
libvirt.x86_64                      0.10.2.1-3.fc18                      @fedora


How reproducible:
consistent


Steps to Reproduce:
1.  Install Fedora 18 from Live CD
2.  yum update --assumeyes
3.  reboot
4.  yum group install --assumeyes Virtualization
5.  systemctl enable libvirtd.service
6.  systemctl start  libvirtd.service
7.  yum install --assumeyes xrdp
8.  systemctl enable xrdp.service
9.  systemctl start  xrdp.service
10. firewall-cmd --zone=public --add-port=3389/tcp
11. firewall-cmd --reload


Actual results:
In /var/log/messages:
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.282+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table nat --delete POSTROUTING --source 192.168.122.0/24 -p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535) unexpected exit status 13
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.380+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table nat --delete POSTROUTING --source 192.168.122.0/24 -p udp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535) unexpected exit status 13
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.477+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table nat --delete POSTROUTING --source 192.168.122.0/24 '!' --destination 192.168.122.0/24 --jump MASQUERADE) unexpected exit status 13
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.574+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match state --state ESTABLISHED,RELATED --jump ACCEPT) unexpected exit status 13
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.670+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT) unexpected exit status 13
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.767+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT) unexpected exit status 13
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.864+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete FORWARD --out-interface virbr0 --jump REJECT) unexpected exit status 13
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.962+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete FORWARD --in-interface virbr0 --jump REJECT) unexpected exit status 13
Dec  5 19:18:41 client18 libvirtd[1017]: 2012-12-06 01:18:41.062+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT) unexpected exit status 13
Dec  5 19:18:41 client18 libvirtd[1017]: 2012-12-06 01:18:41.159+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT) unexpected exit status 13
Dec  5 19:18:41 client18 libvirtd[1017]: 2012-12-06 01:18:41.256+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill) unexpected exit status 13
Dec  5 19:18:41 client18 libvirtd[1017]: 2012-12-06 01:18:41.353+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT) unexpected exit status 13
Dec  5 19:18:41 client18 libvirtd[1017]: 2012-12-06 01:18:41.450+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT) unexpected exit status 13


Expected results:
No errors in /var/log/messages


Additional info:
systemctl stop libvirtd.service # allows firewall-cmd --reload to complete successfully

Comment 1 Thomas Woerner 2012-12-06 10:56:10 UTC
libvirt recreates firewall rules after firewalld gets reloaded. It tries to clean up the old rules in this case. The cleanup produces errors if the rules are not there anymore. This should be no error in my opinion.

Reassigning to libvirt.
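
The distinction Comment 1 draws, as an added example that is not part of the bug report or of libvirt: a Python triage pass over libvirtd syslog lines in the format quoted above, counting failed `--delete` passthrough commands (the rule cleanup after a reload) separately from failed `--insert`/`--append` commands, which would mean a rule was not installed. The function names, the classification policy and the last two sample lines are assumptions of this example.

```python
import re
import shlex
from collections import Counter

# Sample input: the first three lines are copied from this report; the last two
# are constructed for the example (an unrelated line and a failed --insert).
SAMPLE = """\
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.282+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table nat --delete POSTROUTING --source 192.168.122.0/24 -p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535) unexpected exit status 13
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.574+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match state --state ESTABLISHED,RELATED --jump ACCEPT) unexpected exit status 13
Dec  5 19:18:40 client18 libvirtd[1017]: 2012-12-06 01:18:40.670+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT) unexpected exit status 13
Dec  5 19:18:41 client18 example[1]: constructed unrelated line
Dec  5 19:18:42 client18 libvirtd[1017]: 2012-12-06 01:18:42.000+0000: 1017: error : virCommandWait:2287 : internal error Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table filter --insert INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT) unexpected exit status 13
"""

LINE_RE = re.compile(
    r"libvirtd\[\d+\]: .*?virCommandWait:\d+ : internal error Child process "
    r"\((?P<cmd>/usr/bin/firewall-cmd .*)\) unexpected exit status (?P<status>\d+)$"
)
ACTIONS = {"--delete": "delete", "-D": "delete", "--insert": "insert",
           "-I": "insert", "--append": "append", "-A": "append"}


def parse_line(line):
    """Return table/chain/action for a failed passthrough command, else None."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    argv = shlex.split(m.group("cmd"))  # shlex also unquotes the '!' argument
    if "--passthrough" not in argv[:-1]:
        return None
    i = argv.index("--passthrough")
    rec = {"family": argv[i + 1], "table": "filter",  # iptables default table
           "action": None, "chain": None, "status": int(m.group("status"))}
    rule = argv[i + 2:]
    for j, tok in enumerate(rule[:-1]):
        if tok in ("--table", "-t"):
            rec["table"] = rule[j + 1]
        elif tok in ACTIONS and rec["action"] is None:
            rec["action"], rec["chain"] = ACTIONS[tok], rule[j + 1]
    return rec


def triage(text):
    """Split failures into reload cleanup noise (deletes) and ones to review."""
    noise, review = Counter(), []
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["action"] == "delete":
            noise[(rec["table"], rec["chain"])] += 1
        else:
            review.append(rec)
    return noise, review


if __name__ == "__main__":
    print(triage(SAMPLE))
```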

Comment 2 Dean Hunter 2013-02-24 19:57:12 UTC
I can no longer reproduce this error:

Installed Packages
firewalld.noarch                    0.2.12-2.fc18                       @updates
libvirt.x86_64                      0.10.2.3-1.fc18                     @updates