Bug 1516881 - firewalld modprobe hook breaks iptables rules that automatically load nf_conntrack
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.5-Alt
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Eric Garver
QA Contact: Tomas Dolezal
Keywords: Regression
Duplicates: 1519638
Depends On:
Blocks:
Reported: 2017-11-23 08:40 EST by Tomas Dolezal
Modified: 2018-04-10 06:32 EDT

See Also:
Fixed In Version: firewalld-0.4.4.4-13.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 06:32:16 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0702 None None None 2018-04-10 06:32 EDT

Comment 3 Phil Sutter 2017-11-28 07:06:26 EST
That call to iptables succeeds on the second try. The point is whether nf_conntrack.ko is loaded or not:

# lsmod | grep '\(nf_\|xt_\|iptable\|ip_tables\)'
# iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes
iptables: No chain/target/match by that name.
# lsmod | grep '\(nf_\|xt_\|iptable\|ip_tables\)'
nf_conntrack          262144  0 
iptable_filter        262144  0 
ip_tables             262144  1 iptable_filter
libcrc32c             262144  2 nf_conntrack,xfs
# iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes
# lsmod | grep '\(nf_\|xt_\|iptable\|ip_tables\)'
nf_conntrack_ipv4     262144  1 
nf_defrag_ipv4        262144  1 nf_conntrack_ipv4
xt_connbytes          262144  1 
nf_conntrack          262144  2 nf_conntrack_ipv4,xt_connbytes
iptable_filter        262144  1 
ip_tables             262144  1 iptable_filter
libcrc32c             262144  2 nf_conntrack,xfs
# iptables -F INPUT
# rmmod nf_conntrack_ipv4 xt_connbytes nf_conntrack
# iptables -A INPUT -m connbytes --connbytes 10000:100000 --connbytes-dir both --connbytes-mode bytes
iptables: No chain/target/match by that name.
Comment 4 Phil Sutter 2017-11-28 14:39:29 EST
The problem here is caused by /etc/modprobe.d/firewalld-sysctls.conf: If I remove the file, module auto-loading proceeds as expected. The problematic file's content is as follows:

| install nf_conntrack /usr/sbin/modprobe --ignore-install nf_conntrack && /usr/sbin/sysctl --pattern 'net[.]netfilter[.]nf_conntrack.*' --system

This causes a call to sysctl after nf_conntrack has been loaded (either automatically by the kernel or on command line using 'modprobe').

It seems that printing to stdout by sysctl upsets module auto-loading somehow. Adding '--quiet' to the sysctl call fixes the issue.

Note that while at it, one should also add $CMDLINE_OPTS as the last parameter to the modprobe call, as explained in modprobe.conf(5), to allow passing module parameters via 'modprobe'.
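As an added illustration (not part of the bug report or of firewalld's own code), the following POSIX sh script audits modprobe.d "install" directives for the two defects described in this comment, a sysctl call without --quiet and a modprobe call without $CMDLINE_OPTS, and prints a corrected directive. The sample directive and the temporary config file it scans are constructed copies of the line quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report or firewalld): audit modprobe.d
# "install" hooks for the defects from comment 4 and print a corrected line.

# Constructed copy of the broken directive quoted in the report.
BROKEN_LINE="install nf_conntrack /usr/sbin/modprobe --ignore-install nf_conntrack && /usr/sbin/sysctl --pattern 'net[.]netfilter[.]nf_conntrack.*' --system"

# check_install_line LINE: one finding per output line; exit 0 when clean.
check_install_line() {
    line=$1; rc=0
    # sysctl prints every key it applies; that stdout noise during kernel
    # module auto-loading is what broke the iptables rule in this bug.
    if echo "$line" | grep -q sysctl && ! echo "$line" | grep -q -e '--quiet' -e ' -q '; then
        echo "sysctl call lacks --quiet"; rc=1
    fi
    # Without $CMDLINE_OPTS, parameters given on the modprobe command line
    # never reach the real module load (see modprobe.conf(5)).
    if echo "$line" | grep -q 'modprobe --ignore-install' && ! echo "$line" | grep -q '\$CMDLINE_OPTS'; then
        echo "modprobe call lacks \$CMDLINE_OPTS"; rc=1
    fi
    return $rc
}

# fix_install_line LINE: prints the directive with both fixes applied (idempotent).
fix_install_line() {
    echo "$1" | sed -e 's/\(modprobe --ignore-install [^ ]*\)\( \$CMDLINE_OPTS\)\{0,1\}/\1 $CMDLINE_OPTS/' \
                    -e 's#/usr/sbin/sysctl \(--quiet \)\{0,1\}#/usr/sbin/sysctl --quiet #'
}

# audit_modprobe_file FILE: runs check_install_line on every install directive in FILE.
audit_modprobe_file() {
    file=$1; status=0
    while IFS= read -r l; do
        case "$l" in install\ *)
            if ! out=$(check_install_line "$l"); then echo "$out" | sed "s|^|$file: |"; status=1; fi ;;
        esac
    done < "$file"
    return $status
}

# Demo on a constructed stand-in for /etc/modprobe.d/firewalld-sysctls.conf.
tmp=$(mktemp)
printf '%s\n' '# constructed copy of firewalld-sysctls.conf' "$BROKEN_LINE" > "$tmp"
if ! audit_modprobe_file "$tmp"; then
    echo "corrected directive:"; fix_install_line "$BROKEN_LINE"
fi
rm -f "$tmp"
```

To check a real system, call audit_modprobe_file on each file under /etc/modprobe.d/.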
Comment 5 Phil Sutter 2017-11-28 15:10:38 EST
A commit with above mentioned changes is available in my recent pull request upstream: https://github.com/firewalld/firewalld/pull/265
Comment 11 Eric Garver 2017-12-04 09:25:43 EST
(In reply to Phil Sutter from comment #5)
> A commit with above mentioned changes is available in my recent pull request
> upstream: https://github.com/firewalld/firewalld/pull/265

Merged upstream, 8a8d61822d.
Comment 13 Eric Garver 2017-12-05 10:39:46 EST
*** Bug 1519638 has been marked as a duplicate of this bug. ***
Comment 21 errata-xmlrpc 2018-04-10 06:32:16 EDT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0702
