Bug 1594657 - Docker with firewalld produces WARNING messages
Summary: Docker with firewalld produces WARNING messages
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
: ---
Assignee: Eric Garver
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On: 1637204
Blocks: 1723958
Reported: 2018-06-25 06:51 UTC by Takayoshi Kimura
Modified: 2020-03-31 20:01 UTC (History)
CC: 6 users

Fixed In Version: firewalld-0.6.3-1.el7
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-31 20:00:54 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:1109 None None None 2020-03-31 20:01:39 UTC

Description Takayoshi Kimura 2018-06-25 06:51:49 UTC
Description of problem:

Docker with firewalld produces the following WARNINGs:

Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER' failed: iptables: Too many links.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER-ISOLATION' failed: iptables: Too many links.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -n -L DOCKER' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:21 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C OUTPUT -m addrtype --dst-type LOCAL -j DOCKER ! --dst 127.0.0.0/8' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C DOCKER -i docker0 -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -i docker0 ! -o docker0 -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jun 25 12:33:22 tkimura.example.com firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C FORWARD -o docker0 -j DOCKER' failed: iptables: No chain/target/match by that name.

Looks like docker is checking if the chain exists using the -C option; this is normal operation and expected behavior.

firewalld WARNINGs for normal operation are not reasonable.

At this point it's not clear if these messages are harmless, or if it causes some issues.


Version-Release number of selected component (if applicable):

$ rpm -q docker firewalld
docker-1.13.1-63.git94f4240.el7.x86_64
firewalld-0.4.4.4-14.el7.noarch


How reproducible:

Always


Steps to Reproduce:
1. Start docker and firewalld
2.
3.

Actual results:

firewalld WARNINGs in journal logs; users need extra effort to research if they indicate an issue or not.


Expected results:

No WARNINGs if there's nothing wrong.


Additional info:

Comment 2 Eric Garver 2018-07-25 21:16:46 UTC
(In reply to Takayoshi Kimura from comment #0)
[..]
> Looks like docker is checking if the chain exists using -C option, this is
> normal operation and expected behavior.

The initial failures are docker attempting to delete rules that don't exist. It looks like docker is attempting to delete rules even before it does a probe (-C) to see if they exist.

> firewalld WARNINGs for normal operation is not reasonable.

How is firewalld to determine if this is normal? The requests are coming from docker.

At best firewalld could check if "-C" or "-L" options are in the direct rule and squelch the log, but this won't address the other failed commands that are coming from docker. Those need to be addressed on the docker side.

Comment 3 Takayoshi Kimura 2018-07-26 00:24:26 UTC
> The initial failures are docker attempting to delete rules that don't exist. It looks like docker is attempting to delete rules even before it does a probe (-C) to see if they exist.

I agree that this is a docker-side issue. It needs to check the existing rules first.

> At best firewalld could check if "-C" or "-L" options are in the direct rule and squelch the log

I think this is reasonable; iptables -C could return -1 and it's not a good condition for warnings.

Comment 4 Eric Garver 2018-07-31 18:56:54 UTC
I pushed two commits upstream to avoid the log if "-C" or "-L" are used. For the other issues you'll have to create a BZ against docker.

   8c1c0d047b2e ("test/regression: new test for untracked passthrough logging")
   7662061f1640 ("fw_direct: avoid log for untracked passthrough queries")

Comment 5 Eric Garver 2018-11-15 16:58:15 UTC
The log no longer occurs for "-C" and "-L" as of firewalld-0.6.3-1.el7; for the other log reports you'll have to file a bug with Docker as per comment 2.
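The distinction drawn in comment 2 and comment 5 (firewalld 0.6.3 stops logging "-C"/"-L" probes, while failed "-D"/"-X" deletions remain a docker-side problem) can be applied when triaging a journal from a host still running an older firewalld. The script below is an added example, not part of this bug report, of firewalld or of docker: it parses COMMAND_FAILED lines in the format shown in the description, classifies each iptables invocation as a harmless probe, a stale delete, or something else, and counts them. The sample journal lines are copied from the report above (with the hostname shortened) plus one constructed non-warning line to show that unrelated journal entries are skipped; the function names and category labels are this example's own.

```python
"""Triage firewalld COMMAND_FAILED warnings caused by docker's passthrough
iptables calls.  Added example, not part of the bug report, firewalld or docker."""
import re
import shlex
from collections import Counter

# Matches the journal format shown in the report:
#   firewalld[PID]: WARNING: COMMAND_FAILED: '<iptables command>' failed: <error>
WARNING_RE = re.compile(
    r"firewalld\[(?P<pid>\d+)\]: WARNING: COMMAND_FAILED: "
    r"'(?P<cmd>[^']*)' failed: (?P<err>.*)$"
)

# iptables operations that only query state; firewalld >= 0.6.3 no longer
# logs a failure for these (comment 4 / comment 5).
QUERY_OPS = {"-C", "--check", "-L", "--list"}
# Operations that remove rules or chains; a failure here means docker tried to
# delete something that was not there (the docker-side issue from comment 2).
DELETE_OPS = {"-D", "--delete", "-X", "--delete-chain"}

# Sample input: lines copied from the report (hostname shortened) plus one
# constructed non-warning line that the parser must ignore.
SAMPLE_JOURNAL = [
    "Jun 25 12:33:21 host firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: No chain/target/match by that name.",
    "Jun 25 12:33:21 host firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -X DOCKER' failed: iptables: Too many links.",
    "Jun 25 12:33:21 host firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -n -L DOCKER' failed: iptables: No chain/target/match by that name.",
    "Jun 25 12:33:21 host firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t filter -C DOCKER-ISOLATION -j RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).",
    "Jun 25 12:33:22 host firewalld[13363]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w2 -t nat -C POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE' failed: iptables: No chain/target/match by that name.",
    "Jun 25 12:33:22 host firewalld[13363]: Started firewalld - dynamic firewall daemon (constructed, not a warning).",
]


def parse_warning(line):
    """Return {'pid', 'cmd', 'err', 'argv'} for a COMMAND_FAILED line, else None."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    # shlex handles the quoted command as a shell would, so '!' and values
    # with spaces come out as separate argv tokens.
    rec["argv"] = shlex.split(rec["cmd"])
    return rec


def classify(argv):
    """Label an iptables argv as 'probe', 'stale-delete' or 'other'.

    iptables accepts exactly one command operation per invocation, so
    checking which operation flag is present is enough to categorise it.
    """
    ops = {a for a in argv if a.startswith("-")}
    if ops & QUERY_OPS:
        return "probe"          # harmless: docker asking "does this rule exist?"
    if ops & DELETE_OPS:
        return "stale-delete"   # docker deleting before probing; report to docker
    return "other"              # anything else deserves a closer look


def triage(lines):
    """Group warnings by category; returns {category: [(cmd, err), ...]}."""
    groups = {"probe": [], "stale-delete": [], "other": []}
    for line in lines:
        rec = parse_warning(line)
        if rec is None:
            continue  # not a firewalld COMMAND_FAILED warning
        groups[classify(rec["argv"])].append((rec["cmd"], rec["err"]))
    return groups


def summarize(lines):
    """Per-category counts, omitting empty categories."""
    return Counter({k: len(v) for k, v in triage(lines).items() if v})


if __name__ == "__main__":
    for category, entries in triage(SAMPLE_JOURNAL).items():
        print(f"{category}: {len(entries)}")
        for cmd, err in entries:
            print(f"    {cmd}\n        -> {err}")
```

On a host that has been updated to firewalld-0.6.3-1.el7 the "probe" bucket should be empty, because those commands are no longer logged; anything left in "stale-delete" or "other" is the part of the noise that the firewalld fix does not address.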

Comment 15 errata-xmlrpc 2020-03-31 20:00:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1109

