Description of problem:
I was debugging an unrelated issue and found errors in journald.

Version-Release number of selected component (if applicable):
sh$ rpm -q NetworkManager firewalld
NetworkManager-1.16.0-0.3.fc31.x86_64
firewalld-0.6.3-2.fc30.noarch

How reproducible:
Deterministic on my laptop

Steps to Reproduce:
1. systemctl restart NetworkManager

Actual results:
Mar 13 11:45:17 host.example.com nm-dispatcher[22358]: req:2 'connectivity-change': start running ordered scripts...
Mar 13 11:45:18 host.example.com kernel: IPv6: ADDRCONF(NETDEV_UP): wlp3s0: link is not ready
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1746] device (enp0s25): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'assume')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1750] supplicant: wpa_supplicant running
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1751] device (wlp3s0): supplicant interface state: init -> starting
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1752] device (enp0s25): state change: prepare -> config (reason 'none', sys-iface-state: 'assume')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1956] sup-iface[0x55e5303850e0,wlp3s0]: supports 5 scan SSIDs
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1960] device (wlp3s0): supplicant interface state: starting -> ready
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1960] Wi-Fi P2P device controlled by interface wlp3s0 created
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1962] manager: (p2p-dev-wlp3s0): new 802.11 Wi-Fi P2P device (/org/freedesktop/NetworkManager/Devices/5)
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1965] device (p2p-dev-wlp3s0): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <warn> [1552473918.1971] sup-iface: failed to cancel p2p connect: P2P cancel failed
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1972] device (p2p-dev-wlp3s0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'managed')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1976] device (wlp3s0): state change: unavailable -> disconnected (reason 'supplicant-available', sys-iface-state: 'managed')
Mar 13 11:45:18 host.example.com kernel: IPv6: ADDRCONF(NETDEV_UP): wlp3s0: link is not ready
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.1986] agent-manager: req[0x55e53045ced0, :1.1642/org.freedesktop.nm-applet/1000]: agent registered
Mar 13 11:45:18 host.example.com firewalld[4623]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:45:18 host.example.com firewalld[4623]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <warn> [1552473918.2039] firewall: [0x7f3754005940,change:"enp0s25"]: complete: request failed (COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.)
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.2040] device (enp0s25): state change: config -> ip-config (reason 'none', sys-iface-state: 'assume')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.2047] dhcp4 (enp0s25): activation: beginning transaction (timeout in 45 seconds)
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info> [1552473918.2063] dhcp4 (enp0s25): dhclient started with pid 22380

Expected results:
No errors in journald

Additional info:
Errors come from firewalld, reassigning...
There is currently a rawhide selinux-policy bug, bug 1686660, that prevents firewalld from functioning. This is probably a duplicate of that.

Lukas, can you verify?
(In reply to Eric Garver from comment #2)
> There is currently a rawhide selinux-policy bug, bug 1686660, that prevents
> firewalld from functioning. This is probably a duplicate of that.
>
> Lukas, can you verify?

I can see the error even in permissive mode.
(In reply to Lukas Slebodnik from comment #3)
> (In reply to Eric Garver from comment #2)
> > There is currently a rawhide selinux-policy bug, bug 1686660, that prevents
> > firewalld from functioning. This is probably a duplicate of that.
> >
> > Lukas, can you verify?
>
> I can see error even in permissive mode.

Please check the firewalld logs.

# systemctl status firewalld

You can also attach /var/log/firewalld.

Please double check you're not looking at the old instances of the errors in journalctl.
[root@host ~]# systemctl status firewalld | cat | sed -e 's/graviton.brq.redhat.com/host.example.com/'
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-03-13 09:49:06 CET; 5h 41min ago
     Docs: man:firewalld(1)
 Main PID: 4623 (firewalld)
    Tasks: 2 (limit: 4915)
   Memory: 25.1M
   CGroup: /system.slice/firewalld.service
           └─4623 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Mar 13 11:43:57 host.example.com firewalld[4623]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:44:42 host.example.com firewalld[4623]: ERROR: UNKNOWN_INTERFACE: 'veth744c327' is not in any zone
Mar 13 11:44:42 host.example.com firewalld[4623]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:44:42 host.example.com firewalld[4623]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
sh# tail /var/log/firewalld
2019-03-13 11:44:42 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 11:45:18 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 11:45:18 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 14:51:51 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 14:51:51 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 14:52:37 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
2019-03-13 14:52:37 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information.
sh# iptables -L
Chain INPUT (policy ACCEPT)
target            prot opt source    destination

Chain FORWARD (policy ACCEPT)
target            prot opt source    destination
DOCKER-ISOLATION  all  --  anywhere  anywhere
DOCKER            all  --  anywhere  anywhere
ACCEPT            all  --  anywhere  anywhere     ctstate RELATED,ESTABLISHED
ACCEPT            all  --  anywhere  anywhere
ACCEPT            all  --  anywhere  anywhere

Chain OUTPUT (policy ACCEPT)
target            prot opt source    destination

Chain DOCKER (1 references)
target            prot opt source    destination

Chain DOCKER-ISOLATION (1 references)
target            prot opt source    destination
RETURN            all  --  anywhere  anywhere
comment 6 is not enough of the log to indicate the issue.

Please do the following

# setenforce 0
# systemctl restart firewalld
# firewall-cmd --state

Then attach the full log (/var/log/firewalld).
(In reply to Eric Garver from comment #7)
> comment 6 is not enough of the log to indicate the issue.
>
> Please do the following
>
> # setenforce 0
> # systemctl restart firewalld
> # firewall-cmd --state
>
> Then attach the full log (/var/log/firewalld).

Restarting firewalld helped. Previously, I restarted just NM.

[root@host ~]# > /var/log/firewalld
[root@host ~]# setenforce 0
[root@host ~]# systemctl restart firewalld
[root@host ~]# firewall-cmd --state
running
[root@host ~]# setenforce 1
[root@host ~]# cat /var/log/firewalld
2019-03-13 16:40:48 ERROR: Failed to load zone file '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected attribute priority
2019-03-13 16:40:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
(In reply to Lukas Slebodnik from comment #8)
> (In reply to Eric Garver from comment #7)
> > comment 6 is not enough of the log to indicate the issue.
> >
> > Please do the following
> >
> > # setenforce 0
> > # systemctl restart firewalld
> > # firewall-cmd --state
> >
> > Then attach the full log (/var/log/firewalld).
>
> Restarting firewalld helped. Previously, I restarted just NM.
>
> [root@host ~]# > /var/log/firewalld
> [root@host ~]# setenforce 0
> [root@host ~]# systemctl restart firewalld
>
> [root@host ~]# firewall-cmd --state
> running

Marking this as a duplicate of the policy issue.

> [root@host ~]# setenforce 1
> [root@host ~]# cat /var/log/firewalld
> 2019-03-13 16:40:48 ERROR: Failed to load zone file
> '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected
> attribute priority
> 2019-03-13 16:40:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D
> FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a
> matching rule exist in that chain?).

This is a separate issue. libvirt is attempting to use firewalld's rich rule priority support, which is not yet in Fedora nor an upstream release. Please file a ticket against libvirt for this.

*** This bug has been marked as a duplicate of bug 1686660 ***
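
Added example, not part of the original thread or of firewalld: a shell helper that separates stale firewalld errors from current ones, as asked for in the thread, and marks each ERROR logged after a cutoff (for example the time of the firewalld restart) as recurring or new. The function names and the sample log are constructed; the log layout assumed is the "YYYY-MM-DD HH:MM:SS LEVEL: message" form of /var/log/firewalld shown above.

```shell
#!/bin/sh
# classify_errors LOGFILE "YYYY-MM-DD HH:MM:SS"
# Prints one line per distinct ERROR message logged at or after the cutoff:
#   recurring<TAB>message   the same message was also logged before the cutoff
#   new<TAB>message         the message first appears after the cutoff
# Continuation lines of multi-line messages and non-ERROR levels are skipped.
classify_errors() {
    awk -v since="$2" '
        $3 != "ERROR:" { next }
        {
            ts = $1 " " $2                    # fixed-width, so string order = time order
            msg = $0
            sub(/^[^ ]+ [^ ]+ /, "", msg)     # strip the date and time fields
        }
        ts < since { old[msg] = 1; next }     # remember what was already failing
        !(msg in seen) { seen[msg] = 1; order[++n] = msg }
        END {
            for (i = 1; i <= n; i++)
                print ((order[i] in old) ? "recurring" : "new") "\t" order[i]
        }
    ' "$1"
}

# count_kind LOGFILE CUTOFF KIND -> number of distinct messages of that kind
count_kind() {
    classify_errors "$1" "$2" | awk -F'\t' -v k="$3" '$1 == k' | wc -l | tr -d ' '
}

# Constructed sample modelled on the log entries quoted in this thread.
write_sample_log() {
    cat > "$1" <<'EOF'
2019-03-13 11:45:18 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
2019-03-13 14:52:37 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
Error occurred at line: 2
2019-03-13 16:40:48 ERROR: Failed to load zone file '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected attribute priority
2019-03-13 16:40:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
EOF
}

# Demo: write the sample to a temporary file and classify against two cutoffs.
demo_log=$(mktemp)
write_sample_log "$demo_log"
classify_errors "$demo_log" "2019-03-13 14:00:00"
classify_errors "$demo_log" "2019-03-13 16:00:00"
rm -f "$demo_log"
```

With a cutoff placed just before the restart, an error reported only as "new" points to a different problem from the one that was failing earlier.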