1739415 – Firewalld starts with errors and with no predefined rules when ipv6 is disabled in kernel after update

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1739415 - Firewalld starts with errors and with no predefined rules when ipv6 is disabled in kernel after update

Summary: Firewalld starts with errors and with no predefined rules when ipv6 is disabl...

Keywords:
Status:	CLOSED DUPLICATE of bug 1738785
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	firewalld
Sub Component:
Version:	7.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Eric Garver
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-08-09 09:21 UTC by Marcin Rucinski
Modified:	2019-08-09 12:29 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-08-09 12:29:51 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Marcin Rucinski 2019-08-09 09:21:35 UTC

After updgrading form RHEL7.6 to 7.7 firewalld 0.6.3 starts with errors and with no predefined rules present when ipv6 is disabled in kernel (ipv6.disable=1)


# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-08-08 13:39:03 CEST; 1h 19min ago
     Docs: man:firewalld(1)
Main PID: 1429 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─1429 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Aug 08 13:39:01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 08 13:39:03 systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 08 13:39:04 firewalld[1429]: WARNING: ip6tables not usable, disabling IPv6 firewall.
Aug 08 13:39:04 firewalld[1429]: ERROR: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Aug 08 13:39:04 firewalld[1429]: ERROR: COMMAND_FAILED: UNKNOWN_ERROR: 'ip6tables' backend does not exist
Aug 08 13:39:04 firewalld[1429]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain

                                  Error occurred at line: 2...
Aug 08 13:39:04  firewalld[1429]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain

# firewall-cmd --state
failed

# iptables -nvL
Chain INPUT (policy ACCEPT 1031 packets, 455K bytes)
pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 853 packets, 294K bytes)
pkts bytes target     prot opt in     out     source               destination

# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=sys/root rd.lvm.lv=sys/swap ipv6.disable=1 rhgb quiet transparent_hugepage=never"
GRUB_DISABLE_RECOVERY="true"

Comment 2 Marcin Rucinski 2019-08-09 09:35:05 UTC

kernel 3.10.0-1062.el7.x86_64

Comment 3 Eric Garver 2019-08-09 12:29:51 UTC


*** This bug has been marked as a duplicate of bug 1738785 ***

Note You need to log in before you can comment on or make changes to this bug.