Description of problem:
firewalld doesn't respect iptables locks and fails to load the default set of rules, resulting in the host being inaccessible.

Version-Release number of selected component (if applicable):
firewalld-0.3.9.3-1.fc20.noarch

How reproducible:
Occasionally.

Steps to Reproduce:
1. Fedora 20 minimal server netinstall.
2. firewalld with the default set of rules; the SSH service is allowed.
3. Reboot.

Actual results:
Error loading the default set of rules; SSH connections are rejected.

Client log:
$ ssh root@server
ssh: connect to host server port 22: No route to host

Server log:
# LANG=C journalctl --no-pager -lu firewalld.service
-- Reboot --
Feb 15 18:59:18 srv6.kola.fad.ru systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 15 18:59:19 srv6.kola.fad.ru systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -I FWDI_public 2 -t filter -j FWDI_public_deny' failed: iptables: Resource temporarily unavailable.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -X FWDI_public -t filter' failed: iptables: Directory not empty.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -D FWDI_public 1 -t filter -j FWDI_public_log' failed: iptables v1.4.19.1: Illegal option `-j' with this command
Try `iptables -h' or 'iptables --help' for more information.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: COMMAND_FAILED: '/sbin/iptables -I FWDI_public 2 -t filter -j FWDI_public_deny' failed: iptables: Resource temporarily unavailable.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -N FWDI_public -t filter' failed: iptables: Chain already exists.
Feb 15 18:59:21 srv6.kola.fad.ru firewalld[491]: 2014-02-15 18:59:21 ERROR: COMMAND_FAILED: '/sbin/iptables -N FWDI_public -t filter' failed: iptables: Chain already exists.
What is locking netfilter in this machine?
Created attachment 865768
System log

Full system log after reboot:
# LANG=C journalctl -l --since '2014-02-15 18:59:19' --until '2014-02-15 19:00:00' >journal-20140215.log
There are two services adding firewall rules at the same time. This results in both services failing. I would suggest adding "After: firewalld.service" to the fail2ban service. Then this will not happen. Having two or more services adding firewall rules at the same time is not a good idea at all. You do not know what the result will be in the end.
(In reply to ArcFi from comment #0)
> '...' failed: iptables: Resource temporarily unavailable.

I've also seen this from time to time - in some pre-releases of Fedora.
(In reply to Thomas Woerner from comment #3)
> I would suggest to add "After: firewalld.service"
> to the fail2ban service.

Thanks. Looks like that resolves the issue. Reassign to the fail2ban package and rename to "Race condition with firewalld.service"?
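Added example (not from this report, firewalld or fail2ban): a POSIX shell helper that flags the lock-contention signature from comment #0 in firewalld's journal output and checks a unit file for the ordering suggested in comment #3 (in systemd unit syntax that is `After=firewalld.service`). The sample log lines are constructed from the messages quoted in this report; the drop-in path is an example.

```shell
#!/bin/sh
# Constructed sample in the shape of the firewalld journal lines quoted in this
# report (hostname and PID are made up; messages copied from comment #0).
sample_log() {
cat <<'EOF'
Feb 15 18:59:21 host firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -I FWDI_public 2 -t filter -j FWDI_public_deny' failed: iptables: Resource temporarily unavailable.
Feb 15 18:59:21 host firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -X FWDI_public -t filter' failed: iptables: Directory not empty.
Feb 15 18:59:21 host firewalld[491]: 2014-02-15 18:59:21 ERROR: '/sbin/iptables -N FWDI_public -t filter' failed: iptables: Chain already exists.
Feb 15 18:59:22 host firewalld[491]: 2014-02-15 18:59:22 ERROR: COMMAND_FAILED: '/sbin/iptables -I FWDI_public 2 -t filter -j FWDI_public_deny' failed: iptables: Resource temporarily unavailable.
EOF
}

# Read journal lines on stdin. For every second in which firewalld hit EAGAIN on
# the xtables lock ("Resource temporarily unavailable") AND its follow-up chain
# operations failed ("Chain already exists" / "Directory not empty"), print
# "<timestamp> <lock failures> <cascade failures>". Exit 0 if anything matched.
contention_report() {
  awk '
    / failed: iptables: Resource temporarily unavailable/          { lock[$1 " " $2 " " $3]++ }
    / failed: iptables: (Chain already exists|Directory not empty)/ { casc[$1 " " $2 " " $3]++ }
    END {
      for (t in lock) if (casc[t] > 0) { n++; print t, lock[t], casc[t] }
      exit n ? 0 : 1
    }'
}

# Check whether a unit file (on stdin) orders itself after the given unit, e.g.
# "unit_orders_after firewalld.service < /usr/lib/systemd/system/fail2ban.service".
unit_orders_after() {
  awk -v want="$1" '
    /^After=/ { sub(/^After=/, ""); for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Print a drop-in that applies the ordering suggested in comment #3 without
# editing the packaged unit; install it as e.g.
# /etc/systemd/system/fail2ban.service.d/after-firewalld.conf (example path).
ordering_dropin() {
  printf '[Unit]\nAfter=firewalld.service\n'
}

main() {
  if sample_log | contention_report; then
    echo "firewall rule load raced another iptables writer; check unit ordering"
  fi
  ordering_dropin | unit_orders_after firewalld.service && echo "drop-in orders after firewalld.service"
}
main
```

Later iptables releases added `-w`/`--wait` to block on the xtables lock instead of failing with EAGAIN, but unit ordering is still what prevents two services from rewriting the same chains during boot.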
fail2ban-0.9-2.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/fail2ban-0.9-2.fc20
Package fail2ban-0.9-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing fail2ban-0.9-2.fc20'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6419/fail2ban-0.9-2.fc20
then log in and leave karma (feedback).
fail2ban-0.9-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.