Description of problem:
When a zone has a source specified and contains a service which requires a helper, firewalld creates a chain for it in the raw table and puts the helper's firewall rule there. For example: if the service samba is added to the home zone, the chain PRE_home_allow is created, where the rule for the helper netbios-ns is later added. This however does not work when the service is added using a rich rule rather than as a service. In this case the PRE_home_allow chain does not exist and the load of the whole zone fails (all zone rules are removed as a consequence).

Version-Release number of selected component (if applicable):
firewalld-0.4.4.2-2.fc25.noarch

How reproducible:

Steps to Reproduce:
1. firewall-cmd --permanent --new-zone=bugzone01
   firewall-cmd --permanent --zone=bugzone01 --add-source=10.20.30.40/32
   firewall-cmd --permanent --zone=bugzone01 --add-rich-rule='rule service name="samba" accept'
2. systemctl restart firewalld

Actual results:
Zone bugzone01 is not applied in iptables, samba is not allowed from the source.

DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -A PRE_bugzone01_allow -t raw -p udp --dport 137 -j CT --helper netbios-ns
ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
ERROR: '/usr/sbin/iptables -w2 -A PRE_bugzone01_allow -t raw -p udp --dport 137 -j CT --helper netbios-ns' failed:

Expected results:
Necessary chains (PRE_bugzone01_allow in this case) are created during the zone's start, so rules can be successfully added. Zone bugzone01 is applied in iptables, samba is allowed from the source.
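A reproducer plus a check for the raw-table helper chain, added here as an example; it is not part of the bug report and not firewalld's own code. It reuses the zone name, source and helper from the report. The reproduce step only runs when firewall-cmd is installed; the two iptables dumps it classifies are constructed samples that approximate firewalld's PRE_<zone>{,_log,_deny,_allow} chain layout (the exact rule order in them is an assumption), not captured output.

```shell
#!/bin/sh
# Added example, not from the bug report or from firewalld. Reproduces the
# zone from the report (only when firewalld is installed) and checks the
# output of `iptables -t raw -S` for the chain and helper rule that the
# report says were missing.

ZONE=bugzone01          # zone name and source taken from the report
SRC=10.20.30.40/32
HELPER=netbios-ns       # conntrack helper that the samba service needs

# Recreate the permanent zone exactly as in "Steps to Reproduce". Needs root
# and firewalld; returns 3 and does nothing when firewall-cmd is absent.
reproduce() {
    command -v firewall-cmd >/dev/null 2>&1 || return 3
    firewall-cmd --permanent --new-zone="$ZONE"
    firewall-cmd --permanent --zone="$ZONE" --add-source="$SRC"
    firewall-cmd --permanent --zone="$ZONE" \
        --add-rich-rule='rule service name="samba" accept'
    systemctl restart firewalld
}

# Read `iptables -t raw -S` output on stdin and classify it.
# Returns 0: PRE_<zone>_allow exists and carries the CT helper rule (zone applied)
#         1: the chain is missing (the failure in this report: the -A fails and
#            firewalld then tears the whole zone down)
#         2: the chain exists but no helper rule was added to it
check_helper_chain() {
    chain="PRE_$1_allow"
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q -- "^-N $chain\$" || return 1
    printf '%s\n' "$dump" | grep -q -- "^-A $chain .*-j CT --helper $2\$" || return 2
    return 0
}

# Run the check against the live firewall (needs iptables and root).
check_live() {
    iptables -w2 -t raw -S | check_helper_chain "$ZONE" "$HELPER"
}

# Constructed sample of the raw table with the bug present: firewalld never
# created PRE_bugzone01_allow, so nothing of the zone is left in the table.
BROKEN_DUMP='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N OUTPUT_direct
-N PREROUTING_ZONES
-N PREROUTING_ZONES_SOURCE
-N PREROUTING_direct
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct'

# Constructed sample after the fix: the per-zone chains exist and the helper
# rule for udp/137 is in place. Chain names follow firewalld's
# PRE_<zone>{,_log,_deny,_allow} scheme; the exact rule order is an assumption.
FIXED_DUMP='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N OUTPUT_direct
-N PREROUTING_ZONES
-N PREROUTING_ZONES_SOURCE
-N PREROUTING_direct
-N PRE_bugzone01
-N PRE_bugzone01_allow
-N PRE_bugzone01_deny
-N PRE_bugzone01_log
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A PREROUTING_ZONES_SOURCE -s 10.20.30.40/32 -g PRE_bugzone01
-A PRE_bugzone01 -j PRE_bugzone01_log
-A PRE_bugzone01 -j PRE_bugzone01_deny
-A PRE_bugzone01 -j PRE_bugzone01_allow
-A PRE_bugzone01_allow -p udp -m udp --dport 137 -j CT --helper netbios-ns
-A OUTPUT -j OUTPUT_direct'

# Constructed third state: chain created but the helper rule never appended.
HALF_DUMP='-N PRE_bugzone01_allow
-A PREROUTING -j PREROUTING_ZONES'
```

After `reproduce` on an affected build, `check_live` returns 1 because the `-A PRE_bugzone01_allow` in the DEBUG2 line above ran against a chain that was never created; on the fixed build it returns 0. A return of 2 means the chain was created but the CT rule is missing, which is a different problem from the one in this report.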
Fixed upstream: https://github.com/t-woerner/firewalld/commit/63948af9fa99f1b3bad8a76c538f765126cf2d2a
I've tested the updated package firewalld-0.4.4.3-1.fc25.noarch, which includes the upstream fix. It solves the problem for me. Thanks.