1594657 – Docker with firewalld produces WARNING messages

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1594657 - Docker with firewalld produces WARNING messages

Summary: Docker with firewalld produces WARNING messages

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	firewalld
Sub Component:
Version:	7.5
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Eric Garver
QA Contact:	Tomas Dolezal
Docs Contact:
URL:
Whiteboard:
Depends On:	1637204
Blocks:	1723958
TreeView+	depends on / blocked

Reported:	2018-06-25 06:51 UTC by Takayoshi Kimura
Modified:	2023-03-24 14:07 UTC (History)
CC List:	6 users (show)
Fixed In Version:	firewalld-0.6.3-1.el7
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-03-31 20:00:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2020:1109	0	None	None	None	2020-03-31 20:01:39 UTC

Description Takayoshi Kimura 2018-06-25 06:51:49 UTC

Description of problem:

Docker with firewalld produces the following WARNINGs:

Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER' failed: iptables: Too many links.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION' failed: iptables: Too many links.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -n -L DOCKER' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed: iptables: No chain/target/match by that name.

Looks like docker is checking if the chain exists using -C option, this is normal operation and expected behavior.

firewalld WARNINGs for normal operation is not reasonable.

At this point it's not clear if these messages are harmless, or if it causes some issues.


Version-Release number of selected component (if applicable):

$ rpm -q docker firewalld
docker-1.13.1-63.git94f4240.el7.x86_64
firewalld-0.4.4.4-14.el7.noarch


How reproducible:

Always


Steps to Reproduce:
1. Start docker and firewalld
2.
3.

Actual results:

firewalld WARNINGs in journal logs, users need to extra effort to research if they indicate an issue or not.


Expected results:

No WARNINGs if there's nothing wrong.


Additional info:

Comment 2 Eric Garver 2018-07-25 21:16:46 UTC

(In reply to Takayoshi Kimura from comment #0)
[..]
> Looks like docker is checking if the chain exists using -C option, this is
> normal operation and expected behavior.

The initial failures are docker attempting to delete rules that don't exist. It looks like docker is attempting to delete rules even before it does a probe (-C) to see if they exist.

> firewalld WARNINGs for normal operation is not reasonable.

How is firewalld to determine if this is normal? The requests are coming from docker.

At best firewalld could check if "-C" or "-L" options are in the direct rule and squelch the log, but this won't address the other failed commands that are coming from docker. Those need to be addressed on the docker side.

Comment 3 Takayoshi Kimura 2018-07-26 00:24:26 UTC

> The initial failures are docker attempting to delete rules that don't exist. It looks like docker is attempting to delete rules even before it does a probe (-C) to see if they exist.

I agree that this is docker side issue. It needs to check the existing rules first.

> At best firewalld could check if "-C" or "-L" options are in the direct rule and squelch the log

I think this is reasonable, iptables -C could return -1 and it's not good condition for warnings.

Comment 4 Eric Garver 2018-07-31 18:56:54 UTC

I pushed two commits upstream to avoid the log if "-C" or "-L" are used. For the other issues you'll have to create a BZ against docker.

   8c1c0d047b2e ("test/regression: new test for untracked passthrough logging")
   7662061f1640 ("fw_direct: avoid log for untracked passthrough queries")

Comment 5 Eric Garver 2018-11-15 16:58:15 UTC

The log no longer occurs for "-C" and "-L" as of firewalld-0.6.3-1.el7, for the other log reports you'll have to file a bug with Docker as per comment 2.

Comment 15 errata-xmlrpc 2020-03-31 20:00:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1109

Note You need to log in before you can comment on or make changes to this bug.