Bug 1614048 - Last package updates breaks firewalld because nftables is now used instead of iptables and some rules were not migrated
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 29
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Eric Garver
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-08-08 21:50 UTC by David Hill
Modified: 2018-11-02 04:15 UTC
CC: 6 users

Fixed In Version: firewalld-0.6.1-1.fc29
Clone Of:
Environment:
Last Closed: 2018-09-20 17:48:38 UTC
Type: Bug
Embargoed:


Attachments
dnf.rpm.log (84.58 KB, text/plain), 2018-08-08 21:51 UTC, David Hill

Description David Hill 2018-08-08 21:50:33 UTC
Description of problem:

Aug 08 17:43:21 zappa.orion systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 08 17:43:24 zappa.orion firewalld[4389]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Aug 08 17:43:24 zappa.orion firewalld[4389]: ERROR: '/usr/sbin/nft add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }' failed: Error: Could not process rule: No such file or>
                                             add chain inet firewalld raw_PREROUTING { type filter hook prerouting priority -290 ; }
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 08 17:43:24 zappa.orion firewalld[4389]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Aug 08 17:43:24 zappa.orion firewalld[4389]: ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING meta nfproto ipv6 fib saddr . iif oif missing drop' failed: Error: Could not process rule: No such fi>
                                             insert rule inet firewalld raw_PREROUTING meta nfproto ipv6 fib saddr . iif oif missing drop
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 08 17:43:25 zappa.orion firewalld[4389]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Aug 08 17:43:25 zappa.orion firewalld[4389]: ERROR: '/usr/sbin/nft add rule inet firewalld raw_PREROUTING_ZONES goto raw_PRE_FedoraWorkstation' failed: Error: Could not process rule: No such file or directory
                                             add rule inet firewalld raw_PREROUTING_ZONES goto raw_PRE_FedoraWorkstation
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 08 17:43:26 zappa.orion firewalld[4389]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 7 failed
Aug 08 17:43:26 zappa.orion firewalld[4389]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 7 failed
Aug 08 17:43:27 zappa.orion firewalld[4389]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Aug 08 17:43:27 zappa.orion firewalld[4389]: ERROR: '/usr/sbin/nft add rule ip6 firewalld nat_POST_external_allow oifname != lo masquerade' failed: Error: Could not process rule: No such file or directory
                                             add rule ip6 firewalld nat_POST_external_allow oifname != lo masquerade
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Aug 08 17:43:29 zappa.orion firewalld[4389]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Aug 08 17:43:29 zappa.orion firewalld[4389]: ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname eno2 goto raw_PRE_internal' failed: Error: Could not process rule: No such file or dire>
                                             insert rule inet firewalld raw_PREROUTING_ZONES iifname eno2 goto raw_PRE_internal
                                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Steps to Reproduce:
1. Update from FC28 to FC29

Actual results:
Firewalld no longer works

Expected results:
Firewalld shouldn't break

Comment 1 David Hill 2018-08-08 21:51:16 UTC
Created attachment 1474539 [details]
dnf.rpm.log

Comment 2 David Hill 2018-08-08 21:54:41 UTC
Aug  8 16:49:29 zappa firewalld[26753]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 7 failed
Aug  8 16:49:29 zappa firewalld[26753]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 7 failed
Aug  8 16:49:32 zappa audit: NETFILTER_CFG table=nat family=2 entries=6
Aug  8 16:49:32 zappa audit: NETFILTER_CFG table=filter family=2 entries=4
Aug  8 16:49:32 zappa audit: NETFILTER_CFG table=filter family=10 entries=4
Aug  8 16:49:32 zappa audit: NETFILTER_CFG table=broute family=7 entries=0
Aug  8 16:49:32 zappa audit: NETFILTER_CFG table=nat family=7 entries=0
Aug  8 16:49:32 zappa audit: NETFILTER_CFG table=filter family=7 entries=0
Aug  8 16:49:34 zappa audit: NETFILTER_CFG table=nat family=2 entries=5
Aug  8 16:49:34 zappa firewalld[26753]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 7 failed
Aug  8 16:49:34 zappa firewalld[26753]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 7 failed
Aug  8 16:49:35 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-o', 'eno1', '-j', 'MASQUERADE']' already is in 'ipv4:nat:POSTROUTING'
Aug  8 16:49:36 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'eno2', '-o', 'eno1', '-j', 'ACCEPT']' already is in 'ipv4:filter:FORWARD'
Aug  8 16:49:36 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'eno1', '-o', 'eno2', '-m', 'state', '--state', 'RELATED,ESTABLISHED', '-j', 'ACCEPT']' already is in 'ipv4:filter:FORWARD'
Aug  8 16:49:37 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'virbr0', '-o', 'tun0', '-m', 'udp', '-p', 'udp', '--dport', '53', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'
Aug  8 16:49:37 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'virbr0', '-o', 'tun0', '-m', 'tcp', '-p', 'tcp', '--dport', '53', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'
Aug  8 16:49:38 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'virbr0', '-m', 'udp', '-p', 'udp', '--dport', '123', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'
Aug  8 16:49:39 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'virbr0', '-m', 'tcp', '-p', 'tcp', '--dport', '123', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'
Aug  8 16:49:39 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'virbr0', '-o', 'tun0', '-m', 'udp', '-p', 'udp', '--dport', '123', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'
Aug  8 16:49:40 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'virbr0', '-o', 'tun0', '-m', 'tcp', '-p', 'tcp', '--dport', '123', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'
Aug  8 16:49:41 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'virbr0', '-o', 'tun0', '-m', 'tcp', '-p', 'tcp', '--dport', '80', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'
Aug  8 16:49:41 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'virbr0', '-m', 'tcp', '-p', 'tcp', '--dport', '80', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'
Aug  8 16:49:42 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'virbr0', '-m', 'tcp', '-p', 'tcp', '--dport', '623', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'
Aug  8 16:49:43 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'virbr0', '-m', 'udp', '-p', 'udp', '--dport', '623', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'
Aug  8 16:49:43 zappa firewalld[26753]: WARNING: ALREADY_ENABLED: rule '['-i', 'eno1', '-m', 'udp', '-p', 'udp', '--source', '10.0.0.0/8', '--dport', '68', '-j', 'ACCEPT']' already is in 'ipv4:filter:INPUT_direct'

Comment 3 David Hill 2018-08-08 22:01:22 UTC
Non updated system:
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Chain FORWARD_IN_ZONES (1 references)
Chain FORWARD_IN_ZONES_SOURCE (1 references)
Chain FORWARD_OUT_ZONES (1 references)
Chain FORWARD_OUT_ZONES_SOURCE (1 references)
Chain FORWARD_direct (1 references)
Chain FWDI_FedoraWorkstation (2 references)
Chain FWDI_FedoraWorkstation_allow (1 references)
Chain FWDI_FedoraWorkstation_deny (1 references)
Chain FWDI_FedoraWorkstation_log (1 references)
Chain FWDO_FedoraWorkstation (2 references)
Chain FWDO_FedoraWorkstation_allow (1 references)
Chain FWDO_FedoraWorkstation_deny (1 references)
Chain FWDO_FedoraWorkstation_log (1 references)
Chain INPUT_ZONES (1 references)
Chain INPUT_ZONES_SOURCE (1 references)
Chain INPUT_direct (1 references)
Chain IN_FedoraWorkstation (2 references)
Chain IN_FedoraWorkstation_allow (1 references)
Chain IN_FedoraWorkstation_deny (1 references)
Chain IN_FedoraWorkstation_log (1 references)
Chain OUTPUT_direct (1 references)

Updated system:
[root@knox ~]# iptables -nL | grep Chain
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)

Comment 4 David Hill 2018-08-09 00:30:44 UTC
2018-08-08 20:29:36 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.zvilfikf: 940
       1: *nat
       2: -I POSTROUTING 1 -o eno1 -j MASQUERADE
       3: COMMIT
       4: *filter
       5: -I FORWARD 1 -i eno2 -o eno1 -j ACCEPT
       6: -I FORWARD 2 -i eno1 -o eno2 -m state --state RELATED,ESTABLISHED -j ACCEPT
       7: -I INPUT_direct 1 -i virbr0 -o tun0 -m udp -p udp --dport 53 -j ACCEPT
       8: -I INPUT_direct 2 -i virbr0 -o tun0 -m tcp -p tcp --dport 53 -j ACCEPT
       9: -I INPUT_direct 3 -i virbr0 -m udp -p udp --dport 123 -j ACCEPT
      10: -I INPUT_direct 4 -i virbr0 -m tcp -p tcp --dport 123 -j ACCEPT
      11: -I INPUT_direct 5 -i virbr0 -o tun0 -m udp -p udp --dport 123 -j ACCEPT
      12: -I INPUT_direct 6 -i virbr0 -o tun0 -m tcp -p tcp --dport 123 -j ACCEPT
      13: -I INPUT_direct 7 -i virbr0 -o tun0 -m tcp -p tcp --dport 80 -j ACCEPT
      14: -I INPUT_direct 8 -i virbr0 -m tcp -p tcp --dport 80 -j ACCEPT
      15: -I INPUT_direct 9 -i virbr0 -m tcp -p tcp --dport 623 -j ACCEPT
      16: -I INPUT_direct 10 -i virbr0 -m udp -p udp --dport 623 -j ACCEPT
      17: -I INPUT_direct 11 -i eno1 -m udp -p udp --source 10.0.0.0/8 --dport 68 -j ACCEPT
      18: COMMIT
2018-08-08 20:29:36 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 7 failed

Comment 5 David Hill 2018-08-09 03:37:54 UTC
So it looks like we're going away from iptables and migrating to nftables ... there are some bugs here and there, like this one, where if you used INPUT_direct previously, it's no longer valid ...

Comment 6 David Hill 2018-08-09 03:43:53 UTC
Meanwhile, adding "FirewallBackend=iptables" to /etc/firewalld/firewalld.conf reverted to the previous behavior, which is using iptables instead of nftables ...

Comment 7 Eric Garver 2018-08-09 12:30:58 UTC
(In reply to David Hill from comment #5)
> So it looks like we're going away from iptables and migrating to nftables
> ... there're some bugs here and there like this one where if you used
> INPUT_direct previously, it's no longer valid ...

The intention was for iptables direct rules to still work. Can you post your /etc/firewalld/direct.xml ?

Comment 8 Eric Garver 2018-08-09 12:42:43 UTC
This occurs when explicitly adding the "_direct" suffix to the builtin chain names. e.g. "INPUT_direct" instead of "INPUT". With the iptables backend firewalld will implicitly change "INPUT" to "INPUT_direct" - so the convention was to simply use "INPUT".

For nftables we'll have to strip the "_direct" suffix from chain names.

I think your rule examples are from libvirt. If not, you can work around this by replacing instances of "INPUT_direct" with "INPUT" in your /etc/firewalld/direct.xml.
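
An added example, not part of this bug report and not firewalld's own code, showing the check a practitioner would want before (or after) the F28 to F29 upgrade. It audits a direct.xml for rules whose chain attribute carries the "_direct" suffix explicitly, emits the chain name each backend ends up programming (following the behaviour described in comment 8: the iptables backend redirects builtin chains to their "_direct" sub-chain, the nftables backend needs the suffix stripped), and maps an iptables-restore "line N failed" message back to the offending rule, as in comment 4. The sample direct.xml and restore input are constructed from the rules quoted in this report; the BUILTIN_CHAINS table is the standard set of iptables builtin chains, not taken from firewalld's source.

```python
"""Audit a firewalld direct.xml for explicit "_direct" chain names and explain
an iptables-restore "line N failed" error.  Added example; not firewalld code.
The chain-name normalization follows comment 8 of the bug, not firewalld's
actual implementation.
"""
import xml.etree.ElementTree as ET

# Standard iptables builtin chains per table (assumption: this is the set the
# iptables backend maps to <name>_direct sub-chains).
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}

# Constructed sample direct.xml modelled on the rules in comment 4.
SAMPLE_DIRECT_XML = """<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT_direct">-i virbr0 -o tun0 -m udp -p udp --dport 53 -j ACCEPT</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i eno2 -o eno1 -j ACCEPT</rule>
  <rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING">-o eno1 -j MASQUERADE</rule>
</direct>
"""

# Constructed iptables-restore input; the numbering matches comment 4, where
# line 7 is the first INPUT_direct insert and the one that fails.
SAMPLE_RESTORE = """*nat
-I POSTROUTING 1 -o eno1 -j MASQUERADE
COMMIT
*filter
-I FORWARD 1 -i eno2 -o eno1 -j ACCEPT
-I FORWARD 2 -i eno1 -o eno2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-I INPUT_direct 1 -i virbr0 -o tun0 -m udp -p udp --dport 53 -j ACCEPT
COMMIT
"""


def strip_direct_suffix(chain):
    """INPUT_direct -> INPUT; names without the suffix are returned unchanged."""
    return chain[:-len("_direct")] if chain.endswith("_direct") else chain


def normalize_chain(chain, table, backend):
    """Chain name a backend programs for a direct rule naming `chain`.

    nftables: strip the suffix, the nftables rule set has no <name>_direct chains.
    iptables: a builtin chain goes to its <name>_direct sub-chain, so writing
    INPUT or INPUT_direct lands in the same place; other chains are used as-is.
    """
    base = strip_direct_suffix(chain)
    if backend == "nftables":
        return base
    if backend == "iptables":
        return base + "_direct" if base in BUILTIN_CHAINS.get(table, set()) else base
    raise ValueError(f"unknown FirewallBackend: {backend!r}")


def audit_direct_xml(xml_text):
    """Return (findings, fixed_xml).

    findings: (table, old chain, new chain, rule args) for each <rule> whose
    chain ends in _direct.  fixed_xml: the document with those chains rewritten
    to the builtin name, which both backends accept (the comment 8 workaround).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.iter("rule"):
        chain = rule.get("chain", "")
        if chain.endswith("_direct"):
            fixed = strip_direct_suffix(chain)
            findings.append((rule.get("table"), chain, fixed, (rule.text or "").strip()))
            rule.set("chain", fixed)
    return findings, ET.tostring(root, encoding="unicode")


def explain_restore_failure(restore_text, failed_line):
    """Map "iptables-restore: line N failed" back to (line, chain, suffixed builtin?).

    iptables-restore counts every input line, including *table and COMMIT lines.
    """
    lines = restore_text.splitlines()
    line = lines[failed_line - 1]
    parts = line.split()
    chain = parts[1] if len(parts) > 1 and parts[0] in ("-I", "-A", "-D") else ""
    table = "filter"
    for prev in reversed(lines[:failed_line - 1]):  # nearest enclosing *table
        if prev.startswith("*"):
            table = prev[1:]
            break
    suffixed = chain.endswith("_direct") and strip_direct_suffix(chain) in BUILTIN_CHAINS.get(table, set())
    return line, chain, suffixed


if __name__ == "__main__":
    found, fixed_xml = audit_direct_xml(SAMPLE_DIRECT_XML)
    for table, old, new, args in found:
        print(f"table {table}: chain {old!r} should be {new!r} for rule: {args}")
    print(explain_restore_failure(SAMPLE_RESTORE, 7))
```

Run against the real file with `audit_direct_xml(open("/etc/firewalld/direct.xml").read())`; a non-empty findings list means the direct rules will fail under FirewallBackend=nftables on firewalld versions without the c03a3ddf38ea fix, and the returned XML is the rewritten file. Rules that libvirt installs through the direct interface are not in direct.xml and have to be fixed on libvirt's side.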

Comment 9 Eric Garver 2018-08-09 13:09:17 UTC
Fixed upstream:
  066c4195b598 ("tests/firewalld-cmd: add test for direct interface with _direct chain suffix")
  c03a3ddf38ea ("fw_direct: strip _direct chain suffix if using nftables")

Comment 10 Jan Kurik 2018-08-14 11:21:01 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.

Comment 11 Eric Garver 2018-09-20 17:48:38 UTC
Manually closing as this was fixed in rawhide before the f29 branch.

Comment 12 Devin Henderson 2018-11-02 03:58:24 UTC
I'm getting this after upgrading from F28 to F29. Adding FirewallBackend=iptables and restarting firewalld doesn't help. When trying to add a service with firewall-cmd I get:

Error: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 2 failed

Trying to remove an existing rich rule I get:

Error: COMMAND_FAILED: UNKNOWN_ERROR: 'ip4tables' backend does not exist

I have ipv6 completely disabled on this machine.

iptables and iptables-libs packages are installed. I've tried installing the iptables-nft and iptables-utils packages which didn't help.

Comment 13 Devin Henderson 2018-11-02 04:15:41 UTC
Actually, it looks like my issue is different from the one originally reported with this bug. I created a new bug report here: BZ#1645370

