Description of problem:
Reloading or stopping nftables wipes firewalld's rules

Version-Release number of selected component (if applicable):
firewalld-0.7.2-1.fc31.noarch

How reproducible:
Whenever nftables is reloaded or stopped

Steps to Reproduce:
1. Configure firewalld.conf with FirewallBackend=nftables
2. Enable and activate firewalld
3. Enable and activate nftables
4. Reload or stop nftables

Actual results:
All netfilter rules are wiped

Expected results:
All netfilter rules except firewalld rules should be wiped

Additional info:
firewalld.service currently has:

    Conflicts=iptables.service ip6tables.service ebtables.service ipset.service

That list should probably include nftables...

Alternatively, the services could be bound in such a way that reload or stop of nftables triggers a reload of firewalld... but that's more complicated.
FEDORA-2020-e6ecb21a28 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e6ecb21a28
I'm on F32 now, so can't test the build - but the service file includes the nftables conflicts line, so this appears fixed :)
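The check described in the comment above (does the service file list nftables under `Conflicts=`), as an added example that is not part of this bug report or of the firewalld package. The function names and both sample unit files are constructed for illustration, and the "after" sample assumes the fix appends nftables.service to the existing `Conflicts=` line.

```shell
#!/bin/sh
# Added example: list the units a systemd unit file declares in Conflicts=
# and report which competing firewall services are absent from that list.

# conflicts_of FILE: print one conflicting unit per line ([Unit] section only).
conflicts_of() {
    awk '
        /^[ \t]*[#;]/ { next }                        # skip comment lines
        /^\[/ { in_unit = ($0 ~ /^\[Unit\]/); next }  # track the section
        in_unit && /^Conflicts[ \t]*=/ {
            sub(/^Conflicts[ \t]*=[ \t]*/, "")
            if ($0 == "") { n = 0; next }             # empty value resets the list
            cnt = split($0, parts, /[ \t]+/)
            for (i = 1; i <= cnt; i++) if (parts[i] != "") list[++n] = parts[i]
        }
        END { for (i = 1; i <= n; i++) print list[i] }
    ' "$1"
}

# missing_conflicts FILE UNIT...: print each UNIT not listed in Conflicts=.
# Returns 0 when nothing is missing, 1 otherwise.
missing_conflicts() {
    file=$1; shift
    listed=$(conflicts_of "$file")
    rc=0
    for unit in "$@"; do
        printf '%s\n' "$listed" | grep -qxF -- "$unit" || { echo "$unit"; rc=1; }
    done
    return "$rc"
}

# Constructed samples: the Conflicts= line quoted in the report, and the same
# line with nftables.service appended (assumed form of the fix).
make_samples() {
    old='Conflicts=iptables.service ip6tables.service ebtables.service ipset.service'
    printf '%s\n' '[Unit]' "$old" > "$1/before.service"
    printf '%s\n' '[Unit]' "$old nftables.service" > "$1/after.service"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in before after; do
    if miss=$(missing_conflicts "$tmp/$f.service" nftables.service iptables.service); then
        echo "$f.service: no missing conflicts"
    else
        echo "$f.service: missing $miss"
    fi
done
rm -rf "$tmp"
```

To check a real system, pass the installed firewalld.service unit file as the first argument instead of the samples.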
FEDORA-2020-e6ecb21a28 has been pushed to the Fedora 31 testing repository.

In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e6ecb21a28`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e6ecb21a28

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
This update switches default backend from iptables to nftables on F31, is it wanted?

In my case, it conflicts with NetworkManager connection sharing feature. I have the connection for enp0s20f0u3u3 interface having IPv4 configured as "shared to other computers".

NetworkManager calls:

    iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol tcp --destination-port 53 --jump ACCEPT
    iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol udp --destination-port 53 --jump ACCEPT
    iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol tcp --destination-port 67 --jump ACCEPT
    iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol udp --destination-port 67 --jump ACCEPT
    iptables --table filter --insert FORWARD --in-interface enp0s20f0u3u3 --jump REJECT
    iptables --table filter --insert FORWARD --out-interface enp0s20f0u3u3 --jump REJECT
    iptables --table filter --insert FORWARD --in-interface enp0s20f0u3u3 --out-interface enp0s20f0u3u3 --jump ACCEPT
    iptables --table filter --insert FORWARD --source 10.42.0.0/255.255.255.0 --in-interface enp0s20f0u3u3 --jump ACCEPT
    iptables --table filter --insert FORWARD --destination 10.42.0.0/255.255.255.0 --out-interface enp0s20f0u3u3 --match state --state ESTABLISHED,RELATED --jump ACCEPT
    iptables --table nat --insert POSTROUTING --source 10.42.0.0/255.255.255.0 ! --destination 10.42.0.0/255.255.255.0 --jump MASQUERADE

But after the firewalld update, I had to:
- allow dhcp/dns with firewalld (else the dnsmasq started by NetworkManager didn't receive anything)
- enable masquerading in firewalld (but this is on the destination zone, not the source as NetworkManager did, so this is not restricted to an interface)
(In reply to Loïc Yhuel from comment #4)
> This update switches default backend from iptables to nftables on F31, is it wanted?

Yikes! You're right. I accidentally dropped the patch to change the default backend to iptables. Working on a new build now.

Thanks for testing! :)
FEDORA-2020-1f26a8f191 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-1f26a8f191
FEDORA-2020-1f26a8f191 has been pushed to the Fedora 31 testing repository.

In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-1f26a8f191`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-1f26a8f191

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-1f26a8f191 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make a note of it in this bug report.