Bug 1807464 - Firewalld reload fails with fail2ban installed
Summary: Firewalld reload fails with fail2ban installed
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Eric Garver
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-02-26 12:19 UTC by Jaroslav Spanko
Modified: 2020-06-10 01:49 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-28 16:22:16 UTC
Target Upstream Version:



Description Jaroslav Spanko 2020-02-26 12:19:57 UTC
Description of problem:
The firewall-cmd --reload fails in case of fail2ban installed
-------
Error: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-sshd doesn't exist.
Error occurred at line: 2
------

Version-Release number of selected component (if applicable):
firewalld-0.6.3-2.el7_7.3  

How reproducible:
100 %

Steps to Reproduce:
1. Install fail2ban
2. Try to reload firewall-cmd 
3. Command failed

Actual results:
Error: COMMAND_FAILED: Direct: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-sshd doesn't exist.

Expected results:
/usr/bin/firewall-cmd --reload
success

Additional info:
This works fine with firewalld version 0.4.4.4

Comment 3 Eric Garver 2020-02-26 13:22:41 UTC
Does the ipset f2b-sshd exist? If not, then this is a valid error. Is firewalld still operable? It should enter a "failed" state because something in the permanent configuration failed to apply (i.e. direct rules). But the daemon should be running and the rest of the configuration active.

Comment 4 Jaroslav Spanko 2020-02-27 11:02:21 UTC
Hi Eric
Yes, you are right, firewalld is in the failed state but the daemon is running. This actually does not affect firewalld itself but the RHV installation/upgrade, where we run firewall-cmd --reload and where the installation/upgrade fails due to the "f2b-sshd doesn't exist" message.
I think that the ipset f2b-sshd does not exist by default, only the direct rule, but I'm wondering why this worked in the previous version of firewalld and now --reload fails because of that.
Thanks

Comment 5 Eric Garver 2020-02-27 13:09:42 UTC
(In reply to Jaroslav Spanko from comment #4)
> Hi Eric
> Yes you are right, firewalld is in failed state but the daemon is running.
> This actually does not affect the firewalld but RHV installation/upgrade
> where we are doing firewall-cmd --reload and where installation/upgrade
> fails due to f2b-sshd doesn't exist message.

Would the f2b-sshd ipset exist if you started fail2ban?

> I think that ipset f2b-sshd does not exist by default, only the direct rule
> but wondering why this worked in previous version of firewalld and now
> --reload fails due to that.
> Thanks

See bug 1498923. If a direct rule fails there is a very strong possibility that the following direct rules will fail. As such, continuing doesn't make sense. It's best to throw an error and let the user fix the issue. The previous behavior was to warn in the logs and partially apply the direct rules, which IMO is much worse than failing all direct rules and notifying the user.
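
The failure mode Eric describes (one direct rule referencing an ipset that does not exist makes iptables-restore abort, so firewalld 0.6.x rejects the whole direct-rule batch instead of partially applying it) can be checked for before an automated `firewall-cmd --reload`. The script below is an added example written for this page; it is not code from the bug report, from firewalld or from fail2ban. The helper names `missing_sets` and `suggest_fix`, the sample rule and set lists, and the `hash:ip timeout 600` set type are my assumptions; the set type mirrors what fail2ban's ipset-based ban actions create in their actionstart, and the timeout should be matched to the jail's bantime.

```shell
# Added example (not from the bug report, firewalld or fail2ban).
# Finds direct rules that match on an ipset (-m set --match-set NAME)
# whose set is not defined, i.e. exactly the condition that makes
# firewalld 0.6.x fail "firewall-cmd --reload" with
# "Set f2b-sshd doesn't exist".

# missing_sets RULES SETS
#   RULES: text in the format of `firewall-cmd --permanent --direct --get-all-rules`
#          ("ipv4 filter INPUT 0 <iptables args>", one rule per line)
#   SETS:  text in the format of `ipset list -n` (one set name per line)
# Prints each referenced-but-undefined set name once, sorted.
missing_sets() {
    rules=$1
    sets=$2
    # Take the argument following every --match-set token. A rule may
    # carry more than one, so walk the fields instead of using a single
    # regex capture.
    printf '%s\n' "$rules" \
      | awk '{ for (i = 1; i < NF; i++) if ($i == "--match-set") print $(i + 1) }' \
      | sort -u \
      | while IFS= read -r name; do
            # -x whole-line, -F literal: "f2b-ssh" must not satisfy "f2b-sshd"
            printf '%s\n' "$sets" | grep -qxF -- "$name" || printf '%s\n' "$name"
        done
}

# suggest_fix RULES SETS
# Prints the `ipset create` commands that would satisfy the missing
# references. hash:ip with a timeout is the set type fail2ban's ipset
# actions create (assumption: adjust type and timeout to the jail's
# action and bantime). -exist makes the command safe to re-run.
suggest_fix() {
    missing_sets "$1" "$2" | while IFS= read -r name; do
        printf 'ipset create %s hash:ip timeout 600 -exist\n' "$name"
    done
}

# Constructed sample input standing in for the two commands' live output:
# f2b-sshd is referenced twice and is not defined, f2b-nginx is defined.
SAMPLE_RULES='ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh -m set --match-set f2b-sshd src -j REJECT --reject-with icmp-port-unreachable
ipv4 filter FORWARD 0 -m set --match-set f2b-sshd src -j DROP
ipv4 filter INPUT 1 -p tcp -m multiport --dports http,https -m set --match-set f2b-nginx src -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_SETS='f2b-nginx'

missing_sets "$SAMPLE_RULES" "$SAMPLE_SETS"
suggest_fix "$SAMPLE_RULES" "$SAMPLE_SETS"
```

Against a live RHEL 7 host the same check is `missing_sets "$(firewall-cmd --permanent --direct --get-all-rules)" "$(ipset list -n)"`; an empty result means the reload will not trip over a missing set. Creating the set by hand only papers over the gap until the next boot, so the durable fix is to have whatever owns the direct rule (here fail2ban's jail action) create the set before firewalld applies the permanent configuration, or to drop the permanent direct rule and let the jail manage its rule at runtime.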

Comment 6 Jaroslav Spanko 2020-02-28 16:22:16 UTC
> Would the f2b-sshd ipset exist if you started fail2ban?

Nope, already tried that.

> See bug 1498923. If a direct rule fails there is a very strong possibility
> that the following direct rules will fail. As such continuing doesn't make
> sense. It's best to throw an error and let the user fix the issue. The
> previous behavior was to warn in the logs and partially apply the direct
> rules - which IMO is much worse than failing all direct rules and notifying
> the user.

Ok, it's clear now, so closing as not a bug... I've created a KCS which customers can follow to be able to install/update RHV; I think that's enough.
Thanks for help Eric !

Comment 7 milonroy 2020-06-10 01:49:33 UTC
Hi,
I have received the same issue.
2020-06-09 23:57:13 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: Set f2b-sshd doesn't exist
Need the solution.

