Bug 1571957 - using set-log-denied after adding icmp-block-inversion shows firewalld error
Summary: using set-log-denied after adding icmp-block-inversion shows firewalld error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Eric Garver
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Duplicates: 1636146
Depends On: 1637204
Blocks: 1654714
Reported: 2018-04-25 19:22 UTC by Akhil John
Modified: 2019-08-06 12:03 UTC (History)
CC List: 3 users

Fixed In Version: firewalld-0.6.3-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 12:03:14 UTC
Target Upstream Version:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 3486611 | 0 | Troubleshoot | None | Firewalld shows ERROR when set-log-denied after enabling icmp-block-inversion. | 2019-07-25 09:17:43 UTC
Red Hat Product Errata | RHBA-2019:2024 | 0 | None | None | None | 2019-08-06 12:03:34 UTC

Description Akhil John 2018-04-25 19:22:11 UTC
Description of problem:


Version-Release number of selected component (if applicable):
firewalld-0.4.4.4-14.el7

How reproducible:


Steps to Reproduce:
1. # firewall-cmd --permanent --zone=public --add-icmp-block-inversion
2. # firewall-cmd --reload
3. # firewall-cmd --set-log-denied=all

Actual results:

---------- /var/log/firewalld -----------------
2018-04-25 14:30:33 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2018-04-25 14:30:33 ERROR: '/usr/sbin/iptables -w2 -I FWDI_public 5 -t filter -p icmp -j LOG --log-prefix FWDI_public_ICMP_BLOCK: ' failed: iptables: Index of insertion too big.

2018-04-25 14:30:34 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2018-04-25 14:30:34 ERROR: '/usr/sbin/ip6tables -w2 -I FWDI_public 5 -t filter -p ipv6-icmp -j LOG --log-prefix FWDI_public_ICMP_BLOCK: ' failed: ip6tables: Index of insertion too big.

Expected results:
There should be no errors.
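An added illustration (my own Python, not code from firewalld or from the reporter) of why the commands in the log above fail: iptables accepts `-I CHAIN N` only for N up to the current rule count plus one, and with icmp-block-inversion enabled the FWDI_public chain holds fewer rules than the hard-coded position 5 assumes. The log lines mirror the ones quoted in the report; the chain listing is constructed sample data, not the real contents of FWDI_public on any system.

```python
import re

# Constructed sample in the format firewalld writes to /var/log/firewalld,
# modelled on the lines quoted in this bug report.
SAMPLE_LOG = """\
2018-04-25 14:30:33 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2018-04-25 14:30:33 ERROR: '/usr/sbin/iptables -w2 -I FWDI_public 5 -t filter -p icmp -j LOG --log-prefix FWDI_public_ICMP_BLOCK: ' failed: iptables: Index of insertion too big.
2018-04-25 14:30:34 ERROR: '/usr/sbin/ip6tables -w2 -I FWDI_public 5 -t filter -p ipv6-icmp -j LOG --log-prefix FWDI_public_ICMP_BLOCK: ' failed: ip6tables: Index of insertion too big.
"""

# Constructed `iptables -S FWDI_public` style listing (hypothetical contents):
# only three rules are present, so position 5 cannot be inserted.
SAMPLE_CHAIN = """\
-N FWDI_public
-A FWDI_public -i lo -j ACCEPT
-A FWDI_public -p icmp -j ACCEPT
-A FWDI_public -j REJECT --reject-with icmp-host-prohibited
"""

# Matches a failed ip(6)tables insert as firewalld logs it: the quoted command,
# the chain and position given to -I, and the error text after "failed:".
FAILED_INSERT = re.compile(
    r"ERROR: '(?P<cmd>\S*ip6?tables[^']*-I (?P<chain>\S+) (?P<index>\d+)[^']*)' failed: "
    r"(?P<msg>.*)$")

def failed_inserts(log_text):
    """Return (chain, position, message) for every failed `-I CHAIN N` in the log."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_INSERT.search(line)
        if m:
            found.append((m.group("chain"), int(m.group("index")), m.group("msg")))
    return found

def rule_count(chain_listing, chain):
    """Count rules in CHAIN from `iptables -S CHAIN` output (only the -A lines)."""
    return sum(1 for l in chain_listing.splitlines() if l.startswith(f"-A {chain} "))

def insert_index_ok(chain_listing, chain, index):
    """iptables accepts `-I CHAIN N` only when 1 <= N <= rules + 1 (N == rules + 1 appends);
    anything larger is rejected with 'Index of insertion too big'."""
    return 1 <= index <= rule_count(chain_listing, chain) + 1

def safe_insert_index(chain_listing, chain, wanted):
    """Clamp a wanted position to the highest valid one instead of hard-coding it."""
    return min(wanted, rule_count(chain_listing, chain) + 1)
```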

Comment 2 Eric Garver 2018-08-08 21:17:56 UTC
Upstream commits:

  95e15bf5c621 ("nftables: fix set-log-denied if target is not ACCEPT")
  0603c8b2a983 ("tests/regression: add coverage for rhbz 1571957")
  5c5efa952611 ("backends: always pass log_denied value to set_rule()/set_rules()")
  9b3d7255be65 ("ipXtables: fix ICMP block inversion with set-log-denied")

Comment 3 Eric Garver 2018-10-04 15:13:54 UTC
*** Bug 1636146 has been marked as a duplicate of this bug. ***

Comment 8 errata-xmlrpc 2019-08-06 12:03:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2024

