Bug 1738785 - Firewalld shows ip6tables error when IPv6 is disabled.
Summary: Firewalld shows ip6tables error when IPv6 is disabled.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.7
Hardware: Unspecified
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Eric Garver
QA Contact: Tomas Dolezal
Marc Muehlfeld
URL:
Whiteboard:
: 1739415 (view as bug list)
Depends On:
Blocks: 1744441
TreeView+ depends on / blocked
 
Reported: 2019-08-08 07:35 UTC by Akhil John
Modified: 2023-03-24 15:11 UTC (History)
17 users (show)

Fixed In Version: firewalld-0.6.3-3.el7
Doc Type: Bug Fix
Doc Text:
.`firewalld` no longer attempts to create IPv6 rules if the IPv6 protocol is disabled Previously, if the IPv6 protocol was disabled, the `firewalld` service incorrectly attempted to create rules using the `ip6tables` utility, even though `ip6tables` should not be usable. As a consequence, when `firewalld` initialized the firewall, the service logged error messages. This update fixes the problem, and `firewalld` now only initializes IPv4 rules if IPv6 is disabled.
Clone Of:
: 1744441 (view as bug list)
Environment:
Last Closed: 2020-03-31 20:00:54 UTC
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 4347281 0 None None None 2019-08-22 18:10:56 UTC
Red Hat Product Errata RHBA-2020:1109 0 None None None 2020-03-31 20:01:39 UTC

Description Akhil John 2019-08-08 07:35:37 UTC 
Description of problem:
Firewalld shows "UNKNOWN_ERROR: 'ip6tables' backend does not exist" when IPv6 is disabled.

Version-Release number of selected component (if applicable):
firewalld-0.6.3-2.el7.noarch


How reproducible:
Always

Steps to Reproduce:
1.Disable IPv6 and reboot

2. Check firewalld status.


Actual results:
 WARNING: ip6tables not usable, disabling IPv6 firewall.
 ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
 ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not exist
 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 10 failed

 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 10 failed

 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.


Expected results:
SHould have NO errors

Additional info:
This issue is only with firewalld-0.6.3-2.el7.noarch when IPv6 is disabled.
Comment 2 Andreas Mohr 2019-08-08 07:44:07 UTC 
hi,
we can confirm this issue.

current firewalld-0.6.3-2.el7.noarch will work with kernel boot parameter ipv6.disable=0
current firewalld-0.6.3-2.el7.noarch will NOT work with kernel boot parameter ipv6.disable=1

previous firewalld-0.5.3-5.el7.noarch will work with kernel boot parameter ipv6.disable=0
previous firewalld-0.5.3-5.el7.noarch will work with kernel boot parameter ipv6.disable=1
Comment 3 Eric Garver 2019-08-08 12:45:16 UTC 
This has already been fixed upstream:

  bcb33e448abb ("fix: tests: guard occurrences of IPv6")
  3ac719c1908d ("fix: tests/functions: ignore warnings about missing ip6tables")
  d569d7239f23 ("test: add macro IF_IPV6_SUPPORTED")
  4d5c3f190dc3 ("test: add macro HOST_SUPPORTS_IP6TABLES")
  8533c488a30d ("test: pass IPTABLES make variables down to autotest")
  3fdffa76be42 ("fix: avoid calling backends that aren't available")
Comment 6 Eric Garver 2019-08-09 12:29:51 UTC 
*** Bug 1739415 has been marked as a duplicate of this bug. ***
Comment 21 errata-xmlrpc 2020-03-31 20:00:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1109
Note You need to log in before you can comment on or make changes to this bug.