Bug 1645370 - Firewalld gives "Error: COMMAND_FAILED: UNKNOWN_ERROR: 'ip4tables' backend does not exist"
Summary: Firewalld gives "Error: COMMAND_FAILED: UNKNOWN_ERROR: 'ip4tables' backend do...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 29
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Eric Garver
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-11-02 04:14 UTC by Devin Henderson
Modified: 2019-08-23 18:03 UTC
CC: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-03 21:03:45 UTC
Type: Bug
Embargoed:



Description Devin Henderson 2018-11-02 04:14:01 UTC
After upgrading from F28 to F29, when trying to add a service with firewall-cmd I get:

Error: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 2 failed

Trying to remove an existing rich rule I get:

Error: COMMAND_FAILED: UNKNOWN_ERROR: 'ip4tables' backend does not exist

I have ipv6 completely disabled on this machine.

iptables and iptables-libs packages are installed. I've tried installing the iptables-nft and iptables-utils packages which didn't help.

Adding FirewallBackend=iptables and restarting firewalld as mentioned in #1614048 doesn't help.

Let me know what other info I can provide.

Thanks

Comment 1 Devin Henderson 2018-11-02 04:18:40 UTC
The error messages from systemctl status firewalld:

Nov 01 22:17:12 localhost firewalld[2559]: WARNING: iptables not usable, disabling IPv4 firewall.
Nov 01 22:17:12 localhost firewalld[2559]: ERROR: UNKNOWN_ERROR: 'ip4tables' backend does not exist
Nov 01 22:17:12 localhost firewalld[2559]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip4tables' backend does not exist
Nov 01 22:17:12 localhost firewalld[2559]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.0 (legacy): goto 'PRE_FedoraWorkstation' is not a chain
                                          
                                          Error occurred at line: 2
                                          Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Nov 01 22:17:12 localhost firewalld[2559]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.0 (legacy): goto 'PRE_FedoraWorkstation' is not a chain
                                          
                                          Error occurred at line: 2
                                          Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Comment 2 Devin Henderson 2018-11-02 05:01:43 UTC
iptables -L gives:

iptables v1.8.0 (legacy): can't initialize iptables table `filter': No child processes
Perhaps iptables or your kernel needs to be upgraded.

Comment 3 Devin Henderson 2018-11-02 05:43:05 UTC
Just tried firewalld 0.6.3, which is currently in updates-testing, and the problem persists.

https://bodhi.fedoraproject.org/updates/FEDORA-2018-77c401b989

Comment 4 Eric Garver 2018-11-02 12:53:26 UTC
(In reply to Devin Henderson from comment #2)
> iptables -L gives:
> 
> iptables v1.8.0 (legacy): can't initialize iptables table `filter': No child
> processes
> Perhaps iptables or your kernel needs to be upgraded.

This implies iptables is not functional - this means the problem is outside of firewalld.

Are you using a custom built kernel? It's possible the kernel doesn't have iptables support built-in. In the Description you said you disabled IPv6... how?

Are the iptables modules there? Try "sudo modprobe iptable_filter".

Comment 5 John M. Harris, Jr. 2018-11-02 13:37:23 UTC
I have the same issue both using a custom kernel and using Fedora's kernel.

Comment 6 Devin Henderson 2018-11-02 22:59:03 UTC
@Eric, yes, I'm on a custom kernel. I rebooted into the standard kernel today and sure enough that fixes it for me. Strange that @John is still having the issue on the standard kernel, though.

I changed all of my iptables-related kernel configs to match Fedora's but that didn't help. What fixed it in the end was disabling CONFIG_BPFILTER in my custom kernel.

It's working now for me. Thanks!

Comment 7 John M. Harris, Jr. 2018-11-03 14:33:35 UTC
I have been able to determine that the issue on my end was unrelated to this issue, and was related to libvirtd.

Comment 8 Devin Henderson 2018-11-03 21:03:45 UTC
I'll go ahead and close this. Thanks for the help!

Comment 9 RobbieTheK 2019-08-22 18:51:37 UTC
Restarting firewalld in Fedora 30 results in this log spam, is this related?

Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table mangle --delete LIBVIRT_PRT --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI --out-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --in-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match by that name.
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified#012Error occurred at line: 2#012Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Comment 10 Eric Garver 2019-08-22 20:12:42 UTC
(In reply to RobbieTheK from comment #9)
> Restarting firewalld in Fedora 30 results in this log spam, is this related?

No.

> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table mangle --delete LIBVIRT_PRT
> --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM
> --checksum-fill' failed: iptables: No chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source
> 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN' failed: iptables:
> Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source
> 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN' failed:
> iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source
> 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQUERADE
> --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source
> 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQUERADE
> --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table nat --delete LIBVIRT_PRT --source
> 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE' failed:
> iptables: No chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI
> --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack
> --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule
> (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO --source
> 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed: iptables: Bad
> rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX
> --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
> iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWI
> --out-interface virbr0 --jump REJECT' failed: iptables: No
> chain/target/match by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWO
> --in-interface virbr0 --jump REJECT' failed: iptables: No chain/target/match
> by that name.
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP
> --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT'
> failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP
> --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT'
> failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_OUT
> --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT'
> failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP
> --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT'
> failed: iptables: Bad rule (does a matching rule exist in that chain?).
> Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED:
> '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_INP
> --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT'
> failed: iptables: Bad rule (does a matching rule exist in that chain?).

These warnings are "normal". libvirt is attempting to remove rules that don't exist. I think libvirt tries to delete any pre-existing rules before adding them again.

> Aug 22 14:49:17 storm firewalld[41236]: ERROR: '/usr/sbin/iptables-restore
> -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all'
> specified#012Error occurred at line: 2#012Try `iptables-restore -h' or
> 'iptables-restore --help' for more information.
> Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED:
> '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy):
> invalid port/service `all' specified#012Error occurred at line: 2#012Try
> `iptables-restore -h' or 'iptables-restore --help' for more information.

This looks like broken config. Are you using any direct rules?

Comment 11 RobbieTheK 2019-08-22 20:19:44 UTC
> > Aug 22 14:49:17 storm firewalld[41236]: ERROR: '/usr/sbin/iptables-restore
> > -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all'
> > specified#012Error occurred at line: 2#012Try `iptables-restore -h' or
> > 'iptables-restore --help' for more information.
> > Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED:
> > '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy):
> > invalid port/service `all' specified#012Error occurred at line: 2#012Try
> > `iptables-restore -h' or 'iptables-restore --help' for more information.
> 
> This looks like broken config. Are you using any direct rules?

No, I just used firewall-cmd rules. But here is iptables -nL:

iptables -nL
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_INP  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_FWX  all  --  0.0.0.0/0            0.0.0.0/0           
LIBVIRT_FWI  all  --  0.0.0.0/0            0.0.0.0/0           
LIBVIRT_FWO  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_direct  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_IN_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_IN_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_OUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0           
FORWARD_OUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
LIBVIRT_OUT  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
OUTPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDI_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDI_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDI_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDO_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDO_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
FWDO_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_FedoraServer (4 references)
target     prot opt source               destination         
FWDI_FedoraServer_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_FedoraServer_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDI_FedoraServer_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain FWDI_FedoraServer_allow (1 references)
target     prot opt source               destination         

Chain FWDI_FedoraServer_deny (1 references)
target     prot opt source               destination         

Chain FWDI_FedoraServer_log (1 references)
target     prot opt source               destination         

Chain FWDO_FedoraServer (4 references)
target     prot opt source               destination         
FWDO_FedoraServer_log  all  --  0.0.0.0/0            0.0.0.0/0           
FWDO_FedoraServer_deny  all  --  0.0.0.0/0            0.0.0.0/0           
FWDO_FedoraServer_allow  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FWDO_FedoraServer_allow (1 references)
target     prot opt source               destination         

Chain FWDO_FedoraServer_deny (1 references)
target     prot opt source               destination         

Chain FWDO_FedoraServer_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
IN_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
IN_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 
IN_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 1:65535 match-set f2b-recidive src reject-with icmp-port-unreachable

Chain IN_FedoraServer (4 references)
target     prot opt source               destination         
IN_FedoraServer_log  all  --  0.0.0.0/0            0.0.0.0/0           
IN_FedoraServer_deny  all  --  0.0.0.0/0            0.0.0.0/0           
IN_FedoraServer_allow  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           

Chain IN_FedoraServer_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW,UNTRACKED
ACCEPT     udp  --  0.0.0.0/0            224.0.0.251          udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:631 ctstate NEW,UNTRACKED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:631 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW,UNTRACKED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW,UNTRACKED

Chain IN_FedoraServer_deny (1 references)
target     prot opt source               destination         

Chain IN_FedoraServer_log (1 references)
target     prot opt source               destination         

Chain LIBVIRT_FWI (1 references)
target     prot opt source               destination         

Chain LIBVIRT_FWO (1 references)
target     prot opt source               destination         

Chain LIBVIRT_FWX (1 references)
target     prot opt source               destination         

Chain LIBVIRT_INP (1 references)
target     prot opt source               destination         

Chain LIBVIRT_OUT (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination

Comment 12 Eric Garver 2019-08-22 20:37:45 UTC
(In reply to RobbieTheK from comment #11)
> > > Aug 22 14:49:17 storm firewalld[41236]: ERROR: '/usr/sbin/iptables-restore
> > > -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all'
> > > specified#012Error occurred at line: 2#012Try `iptables-restore -h' or
> > > 'iptables-restore --help' for more information.
> > > Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED:
> > > '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy):
> > > invalid port/service `all' specified#012Error occurred at line: 2#012Try
> > > `iptables-restore -h' or 'iptables-restore --help' for more information.
> > 
> > This looks like broken config. Are you using any direct rules?
> 
> No I just used firewall-cmd rules. But here is iptables -nL

Someone or something (fail2ban ?) added direct rules. See below.
It's possible that's the source of the bad rule.

[..]
> Chain INPUT_direct (1 references)
> target     prot opt source               destination         
> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport
> dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport
> dports 1:65535 match-set f2b-recidive src reject-with icmp-port-unreachable

Comment 13 RobbieTheK 2019-08-23 18:03:41 UTC
(In reply to Eric Garver from comment #12)
> (In reply to RobbieTheK from comment #11)
> > > > Aug 22 14:49:17 storm firewalld[41236]: ERROR: '/usr/sbin/iptables-restore
> > > > -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all'
> > > > specified#012Error occurred at line: 2#012Try `iptables-restore -h' or
> > > > 'iptables-restore --help' for more information.
> > > > Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED:
> > > > '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy):
> > > > invalid port/service `all' specified#012Error occurred at line: 2#012Try
> > > > `iptables-restore -h' or 'iptables-restore --help' for more information.
> > > 
> > > This looks like broken config. Are you using any direct rules?
> > 
> > No I just used firewall-cmd rules. But here is iptables -nL
> 
> Someone or something (fail2ban ?) added direct rules. See below.
> It's possible that's the source of the bad rule.
> 
> [..]
> > Chain INPUT_direct (1 references)
> > target     prot opt source               destination         
> > REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport
> > dports 22 match-set f2b-sshd src reject-with icmp-port-unreachable
> > REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport
> > dports 1:65535 match-set f2b-recidive src reject-with icmp-port-unreachable

Yes, indeed it was Fail2ban and a setting in the pam-generic jail. If anyone comes across this thread: it was because banaction_allports = firewallcmd-ipset, and removing that and just using the default fixed the issue.
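The thread ends up covering three separate causes of firewalld errors: iptables itself being unusable on a custom kernel (CONFIG_BPFILTER, missing modules), harmless libvirt delete warnings, and a fail2ban direct rule that iptables-restore rejects. The script below is an added triage helper, not part of firewalld, Fedora or fail2ban; it assumes the kernel config lives at /boot/config-$(uname -r) and firewalld's config at /etc/firewalld/firewalld.conf (both are passed as parameters, so copies can be checked), and it classifies journal lines with the three sample lines taken from the comments above.

```shell
#!/bin/sh
# firewalld-triage.sh: checks for the three failure modes discussed in bug 1645370.
# Added example, not part of firewalld, Fedora or fail2ban. Assumed paths:
# /boot/config-$(uname -r) for the running kernel's config and
# /etc/firewalld/firewalld.conf; both are parameters so copies can be checked.

# Print the kernel options the legacy iptables backend depends on, plus
# CONFIG_BPFILTER, which the reporter had to disable in his custom kernel.
kernel_netfilter_options() {
    grep -E '^(# )?CONFIG_(BPFILTER|NETFILTER_XTABLES|IP_NF_IPTABLES|IP_NF_FILTER|IP6_NF_IPTABLES)(=| is not set)' "$1"
}

# Succeed when CONFIG_BPFILTER is built in (y) or a module (m) in the given config.
bpfilter_enabled() {
    grep -Eq '^CONFIG_BPFILTER=[ym]$' "$1"
}

# Print the FirewallBackend value from a firewalld.conf (last one wins), or "unset".
firewalld_backend() {
    val=$(sed -n 's/^FirewallBackend=//p' "$1" | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Tag each firewalld journal line on stdin with the cause seen in this thread:
#   BACKEND  iptables itself is unusable (kernel/module problem, not firewalld)
#   LIBVIRT  libvirt deleting rules that do not exist; harmless warnings
#   RESTORE  iptables-restore rejected a rule (here a fail2ban rule with port `all')
#   OTHER    anything else
classify_firewalld_log() {
    while IFS= read -r line; do
        case $line in
            *"backend does not exist"*|*"iptables not usable"*) tag=BACKEND ;;
            *"--delete LIBVIRT_"*"failed: iptables:"*)            tag=LIBVIRT ;;
            *tables-restore*"failed:"*)                          tag=RESTORE ;;
            *)                                                   tag=OTHER ;;
        esac
        printf '%s %s\n' "$tag" "$line"
    done
}

# Sample input: one journal line per cause, taken from the comments in this bug.
SAMPLE_LOG=$(cat <<'EOF'
Nov 01 22:17:12 localhost firewalld[2559]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip4tables' backend does not exist
Aug 22 14:49:17 storm firewalld[41236]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete LIBVIRT_FWX --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Aug 22 14:49:17 storm firewalld[41236]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (legacy): invalid port/service `all' specified
EOF
)

# Run every check against the live host; modprobe, iptables and journalctl need root.
triage_host() {
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        kernel_netfilter_options "$cfg" || true
        if bpfilter_enabled "$cfg"; then
            echo "CONFIG_BPFILTER is enabled; the reporter's custom kernel only worked after disabling it"
        fi
    fi
    echo "FirewallBackend: $(firewalld_backend /etc/firewalld/firewalld.conf)"
    modprobe iptable_filter || echo "iptable_filter does not load: kernel lacks iptables support"
    iptables -L -n >/dev/null 2>&1 || echo "iptables -L fails: iptables itself is broken, so the cause is outside firewalld"
    echo "direct rules (fail2ban or similar):"
    firewall-cmd --direct --get-all-rules || true
    journalctl -b -u firewalld -o cat | classify_firewalld_log | cut -d' ' -f1 | sort | uniq -c
}

case ${1:-} in
    --host)   triage_host ;;
    --sample) printf '%s\n' "$SAMPLE_LOG" | classify_firewalld_log ;;
esac
```

Run `sh firewalld-triage.sh --sample` to see the classifier on the sample lines, or `--host` as root to check the running system.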

