Bug 1958246 - virsh net-start default failing with weird python-nftables error message
Summary: virsh net-start default failing with weird python-nftables error message
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: libvirt
Version: 34
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-05-07 13:57 UTC by Christophe de Dinechin
Modified: 2022-06-07 23:00 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-06-07 23:00:55 UTC
Type: Bug
Embargoed:



Description Christophe de Dinechin 2021-05-07 13:57:19 UTC
Description of problem:

Running `virsh net-start default` right after doing a `virsh net-define /usr/share/libvirt/networks/default.xml` gives me an error from python-nftables.


Version-Release number of selected component (if applicable):
libvirt-7.2.0-1.fc34.x86_64
python3-nftables-0.9.8-2.fc34.x86_64



How reproducible: Always


Steps to Reproduce:
1. virsh net-undefine default
2. virsh net-define /usr/share/libvirt/networks/default.xml
3. virsh net-start default

Actual results:

error: Failed to start network default
error: error from service: GDBus.Error:org.fedoraproject.FirewallD1.Exception: COMMAND_FAILED: 'python-nftables' failed: 
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_IN_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_FWDO_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_POST_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_POST_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_FWDI_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_PRE_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_PRE_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "mangle_PRE_libvirt"}}]}}}]

Expected results:

Either 
Network default started

or a sensible error message

Additional info:

This machine has the following networks defined:

---------------------------------------------------
 crc            inactive   yes         yes
 default        inactive   yes         yes
 minikube-net   inactive   yes         yes


Another machine with the same software versions and only the default network seems to be doing fine.
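The "JSON blob" in the error is the batch of commands firewalld hands to python-nftables in libnftables' JSON form: `insert` puts a rule at the head of a chain, `add` appends one (or creates a chain or table). The message does not say which command failed, but the batch itself is readable once flattened. As an added example, not from the bug report or from libvirt/firewalld code, here is a Python summarizer that prints one nft-style line per command; `SAMPLE_BLOB` is a constructed excerpt modelled on the command shapes above, not the full blob.

```python
import json

# Constructed excerpt of a firewalld -> python-nftables batch; the command
# shapes mirror those in the error output (rule insert/add, chain add, table add).
SAMPLE_BLOB = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"insert": {"rule": {"family": "inet", "table": "firewalld",
                         "chain": "filter_INPUT_ZONES",
                         "expr": [{"match": {"left": {"meta": {"key": "iifname"}},
                                             "op": "==", "right": "virbr0"}},
                                  {"goto": {"target": "filter_IN_libvirt"}}]}}},
    {"add": {"chain": {"family": "ip", "table": "firewalld",
                       "name": "nat_POST_libvirt"}}},
    {"add": {"rule": {"family": "inet", "table": "firewalld",
                      "chain": "filter_IN_libvirt_allow",
                      "expr": [{"match": {"left": {"payload": {"protocol": "udp",
                                                               "field": "dport"}},
                                          "op": "==", "right": 67}},
                               {"match": {"left": {"ct": {"key": "state"}},
                                          "op": "in",
                                          "right": {"set": ["new", "untracked"]}}},
                               {"accept": None}]}}},
    {"add": {"table": {"family": "inet", "name": "firewalld_policy_drop"}}},
]})


def render_operand(operand):
    """Turn one side of a match expression into nft-like text."""
    if isinstance(operand, dict):
        if "meta" in operand:
            return "meta " + operand["meta"]["key"]
        if "payload" in operand:
            p = operand["payload"]
            return f"{p['protocol']} {p['field']}"
        if "ct" in operand:
            return "ct " + operand["ct"]["key"]
        if "set" in operand:
            return "{ " + ", ".join(str(v) for v in operand["set"]) + " }"
    return str(operand)


def render_expr(expr):
    """Render a rule's expression list: matches, jumps/gotos, then the verdict."""
    parts = []
    for item in expr:
        if "match" in item:
            m = item["match"]
            parts.append(f"{render_operand(m['left'])} {m['op']} {render_operand(m['right'])}")
        elif "jump" in item:
            parts.append("jump " + item["jump"]["target"])
        elif "goto" in item:
            parts.append("goto " + item["goto"]["target"])
        elif "ct helper" in item:
            parts.append("ct helper set " + item["ct helper"])
        else:
            # Verdict statements such as {"accept": null} or {"reject": null}.
            parts.append(next(iter(item)))
    return " ".join(parts)


def summarize(blob):
    """Return one human-readable line per nftables command in the JSON blob."""
    lines = []
    for cmd in json.loads(blob)["nftables"]:
        verb, body = next(iter(cmd.items()))
        if verb == "metainfo":
            continue  # schema header, not a command
        kind, obj = next(iter(body.items()))
        if kind == "rule":
            lines.append(f"{verb} rule {obj['family']} {obj['table']} "
                         f"{obj['chain']} {render_expr(obj['expr'])}")
        elif kind == "chain":
            lines.append(f"{verb} chain {obj['family']} {obj['table']} {obj['name']}")
        else:
            # Tables, ct helpers and anything else: print the fields that exist.
            fields = [verb, kind, obj.get("family"), obj.get("table"), obj.get("name")]
            lines.append(" ".join(str(f) for f in fields if f))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_BLOB)))
```

Flattening the batch shows that every command in the description's blob is an `insert` into a `*_ZONES` dispatch chain with a `goto` into a `*_libvirt` chain; those target chains are only created by the `add chain` commands of the longer batch in comment 2, which is consistent with firewalld's own tables being in a half-built state after the earlier failure found in its log.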

Comment 1 Christophe de Dinechin 2021-05-10 13:48:44 UTC
If I disable firewalld I get:

error: Failed to start network default
error: internal error: Failed to apply firewall rules /usr/sbin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT: iptables: No chain/target/match by that name.

Comment 2 Christophe de Dinechin 2021-05-10 13:49:55 UTC
After restarting firewalld, the output becomes much longer

error: Failed to start network default
error: error from service: GDBus.Error:org.fedoraproject.FirewallD1.Exception: COMMAND_FAILED: 'python-nftables' failed: 
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_libvirt"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_libvirt_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_libvirt_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_libvirt_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_libvirt_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_IN_libvirt_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt", "expr": [{"jump": {"target": "filter_IN_libvirt_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt", "expr": [{"jump": {"target": "filter_IN_libvirt_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt", "expr": [{"jump": {"target": "filter_IN_libvirt_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt", "expr": [{"jump": {"target": "filter_IN_libvirt_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt", "expr": [{"jump": {"target": "filter_IN_libvirt_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt", "expr": [{"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 67}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", 
"right": 547}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 53}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 53}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt_allow", "expr": [{"match": {"left": {"payload": {"protocol": "tcp", "field": "dport"}}, "op": "==", "right": 22}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"ct helper": {"family": "inet", "table": "firewalld", "name": "helper-tftp-udp", "type": "tftp", "protocol": "udp"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 69}}, {"ct helper": "helper-tftp-udp"}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt_allow", "expr": [{"match": {"left": {"payload": {"protocol": "udp", "field": "dport"}}, "op": "==", "right": 69}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt_post", "expr": [{"reject": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": 
"filter_IN_libvirt_allow", "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": "icmp"}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_IN_libvirt_allow", "expr": [{"match": {"left": {"meta": {"key": "l4proto"}}, "op": "==", "right": "ipv6-icmp"}}, {"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["new", "untracked"]}}}, {"accept": null}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_libvirt"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_libvirt_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_libvirt_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_libvirt_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_libvirt_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDO_libvirt_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_libvirt", "expr": [{"jump": {"target": "filter_FWDO_libvirt_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_libvirt", "expr": [{"jump": {"target": "filter_FWDO_libvirt_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_libvirt", "expr": [{"jump": {"target": "filter_FWDO_libvirt_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_libvirt", "expr": [{"jump": {"target": "filter_FWDO_libvirt_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_libvirt", "expr": [{"jump": {"target": "filter_FWDO_libvirt_post"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDO_libvirt", "expr": 
[{"accept": null}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_libvirt"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_libvirt_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_libvirt_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_libvirt_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_libvirt_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_POST_libvirt_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_libvirt", "expr": [{"jump": {"target": "nat_POST_libvirt_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_libvirt", "expr": [{"jump": {"target": "nat_POST_libvirt_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_libvirt", "expr": [{"jump": {"target": "nat_POST_libvirt_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_libvirt", "expr": [{"jump": {"target": "nat_POST_libvirt_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POST_libvirt", "expr": [{"jump": {"target": "nat_POST_libvirt_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_libvirt"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_libvirt_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_libvirt_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_libvirt_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_libvirt_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_POST_libvirt_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_libvirt", "expr": [{"jump": {"target": 
"nat_POST_libvirt_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_libvirt", "expr": [{"jump": {"target": "nat_POST_libvirt_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_libvirt", "expr": [{"jump": {"target": "nat_POST_libvirt_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_libvirt", "expr": [{"jump": {"target": "nat_POST_libvirt_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POST_libvirt", "expr": [{"jump": {"target": "nat_POST_libvirt_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_libvirt"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_libvirt_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_libvirt_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_libvirt_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_libvirt_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FWDI_libvirt_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_libvirt", "expr": [{"jump": {"target": "filter_FWDI_libvirt_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_libvirt", "expr": [{"jump": {"target": "filter_FWDI_libvirt_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_libvirt", "expr": [{"jump": {"target": "filter_FWDI_libvirt_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_libvirt", "expr": [{"jump": {"target": "filter_FWDI_libvirt_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FWDI_libvirt", "expr": [{"jump": {"target": "filter_FWDI_libvirt_post"}}]}}}, {"add": {"rule": {"family": "inet", 
"table": "firewalld", "chain": "filter_FWDI_libvirt", "expr": [{"accept": null}]}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_libvirt"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_libvirt_pre"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_libvirt_log"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_libvirt_deny"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_libvirt_allow"}}}, {"add": {"chain": {"family": "ip", "table": "firewalld", "name": "nat_PRE_libvirt_post"}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_libvirt", "expr": [{"jump": {"target": "nat_PRE_libvirt_pre"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_libvirt", "expr": [{"jump": {"target": "nat_PRE_libvirt_log"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_libvirt", "expr": [{"jump": {"target": "nat_PRE_libvirt_deny"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_libvirt", "expr": [{"jump": {"target": "nat_PRE_libvirt_allow"}}]}}}, {"add": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PRE_libvirt", "expr": [{"jump": {"target": "nat_PRE_libvirt_post"}}]}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_libvirt"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_libvirt_pre"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_libvirt_log"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_libvirt_deny"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_libvirt_allow"}}}, {"add": {"chain": {"family": "ip6", "table": "firewalld", "name": "nat_PRE_libvirt_post"}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_libvirt", "expr": [{"jump": 
{"target": "nat_PRE_libvirt_pre"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_libvirt", "expr": [{"jump": {"target": "nat_PRE_libvirt_log"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_libvirt", "expr": [{"jump": {"target": "nat_PRE_libvirt_deny"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_libvirt", "expr": [{"jump": {"target": "nat_PRE_libvirt_allow"}}]}}}, {"add": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PRE_libvirt", "expr": [{"jump": {"target": "nat_PRE_libvirt_post"}}]}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_libvirt"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_libvirt_pre"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_libvirt_log"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_libvirt_deny"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_libvirt_allow"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld", "name": "mangle_PRE_libvirt_post"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_libvirt", "expr": [{"jump": {"target": "mangle_PRE_libvirt_pre"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_libvirt", "expr": [{"jump": {"target": "mangle_PRE_libvirt_log"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_libvirt", "expr": [{"jump": {"target": "mangle_PRE_libvirt_deny"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_libvirt", "expr": [{"jump": {"target": "mangle_PRE_libvirt_allow"}}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PRE_libvirt", "expr": [{"jump": {"target": "mangle_PRE_libvirt_post"}}]}}}, {"insert": {"rule": {"family": "inet", "table": 
"firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_IN_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_FWDO_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_POST_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_POST_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "filter_FWDI_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_PRE_libvirt"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "nat_PRE_libvirt"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "virbr0"}}, {"goto": {"target": "mangle_PRE_libvirt"}}]}}}]}

Comment 3 Christophe de Dinechin 2021-05-10 13:51:44 UTC
If I stop firewalld and restart libvirtd, then it seems to work. Not sure I can reproduce anymore :-(

Comment 4 Eric Garver 2021-05-10 14:17:30 UTC
Please check firewalld logs (/var/log/firewalld) for earlier errors in firewalld. It may be worth truncating the log file to remove any really old errors, then reproduce the issue. I would guess the libvirt failure is actually a symptom of earlier failures.

Comment 5 Christophe de Dinechin 2021-05-10 14:26:46 UTC
The firewalld log shows messages like:

ERROR: Failed to load zone file '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '6443:tcp' already in 'FedoraWorkstation'
ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory internal:0:0-0: Error: No such file or directory

Comment 6 Christophe de Dinechin 2021-05-10 14:29:52 UTC
@Eric Garver: The first messages like the above are dated April 29. I would guess this is when I tried to install CRC last.

Comment 7 Eric Garver 2021-05-10 14:44:57 UTC
(In reply to Christophe de Dinechin from comment #5)
> The firewalld log shows message like:
> 
> ERROR: Failed to load zone file
> '/etc/firewalld/zones/FedoraWorkstation.xml': ALREADY_ENABLED: '6443:tcp'
> already in 'FedoraWorkstation'
> ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or
> directory internal:0:0-0: Error: No such file or directory

Yup. That would do it. Does `firewall-cmd --check-config` also complain?

Comment 8 Christophe de Dinechin 2021-05-10 14:50:32 UTC
Does not seem to:

# firewall-cmd --check-config
success

Comment 9 Eric Garver 2021-05-10 15:02:54 UTC
Does /etc/firewalld/zones/FedoraWorkstation.xml have two entries for port 6443:tcp ?

Comment 10 Christophe de Dinechin 2021-05-10 15:11:20 UTC
No, but it has an overlap:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="mdns"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <service name="samba"/>
  <service name="rsyncd"/>
  <service name="vnc-server"/>
  <service name="nfs"/>
  <service name="rpc-bind"/>
  <service name="mountd"/>
  <port port="1025-65535" protocol="udp"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="80" protocol="tcp"/>
  <port port="6443" protocol="tcp"/>
  <port port="443" protocol="tcp"/>
</zone>

I wonder why there is the whole range open like this? Sort of defeats the purpose of a firewall, no?
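The zone file quoted above has `6443/tcp` listed separately although it already falls inside `1025-65535/tcp`, which is exactly the entry firewalld rejected with `ALREADY_ENABLED` in its log while `firewall-cmd --check-config` reported success (comment 8). As an added example, not part of this report or of firewalld's own validation, here is a small Python checker that parses a zone file and reports `<port>` entries of the same protocol whose ranges intersect, plus services listed twice; `ZONE_XML` is a constructed, trimmed copy of the file above.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed, trimmed copy of the FedoraWorkstation zone quoted in this comment.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <service name="ssh"/>
  <service name="mdns"/>
  <port port="1025-65535" protocol="udp"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="80" protocol="tcp"/>
  <port port="6443" protocol="tcp"/>
  <port port="443" protocol="tcp"/>
</zone>
"""


def parse_port_range(spec):
    """'80' -> (80, 80); '1025-65535' -> (1025, 65535); rejects malformed specs."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi


def find_port_overlaps(zone_xml):
    """Return (protocol, spec_a, spec_b) for each pair of <port> entries of the
    same protocol whose ranges intersect, in document order."""
    root = ET.fromstring(zone_xml.encode("utf-8"))
    entries = []
    for p in root.findall("port"):
        lo, hi = parse_port_range(p.get("port"))
        entries.append((p.get("protocol"), p.get("port"), lo, hi))
    overlaps = []
    for i, (proto_a, spec_a, lo_a, hi_a) in enumerate(entries):
        for proto_b, spec_b, lo_b, hi_b in entries[i + 1:]:
            # Two closed ranges intersect iff each starts no later than the other ends.
            if proto_a == proto_b and lo_a <= hi_b and lo_b <= hi_a:
                overlaps.append((proto_a, spec_a, spec_b))
    return overlaps


def find_duplicate_services(zone_xml):
    """Service names that appear more than once in the zone."""
    root = ET.fromstring(zone_xml.encode("utf-8"))
    counts = Counter(s.get("name") for s in root.findall("service"))
    return sorted(name for name, n in counts.items() if n > 1)


def check_zone(zone_xml):
    """Human-readable findings; empty when ports do not overlap and no service repeats."""
    findings = [f"port {b}/{proto} is already covered by {a}/{proto}"
                for proto, a, b in find_port_overlaps(zone_xml)]
    findings += [f"service {name} is listed more than once"
                 for name in find_duplicate_services(zone_xml)]
    return findings


if __name__ == "__main__":
    for line in check_zone(ZONE_XML) or ["no overlaps found"]:
        print(line)
```

Run against `/etc/firewalld/zones/*.xml` this gives a quick way to find the kind of entry that makes firewalld fail to load a zone before a later `virsh net-start` trips over the resulting half-built ruleset.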

Comment 11 Christophe de Dinechin 2021-05-10 15:18:18 UTC
I checked on 4 other machines, including a fresh install of f34. They all look quite similar, and in particular they all have the same port range. So I guess that is normal.

Comment 12 Christophe de Dinechin 2021-05-10 15:24:19 UTC
# firewall-cmd --state
failed

# firewall-cmd --reload
Error: COMMAND_FAILED: 'python-nftables' failed: 
JSON blob:
{"nftables": [{"metainfo": {"json_schema_version": 1}}, {"add": {"table": {"family": "inet", "name": "firewalld_policy_drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_input", "type": "filter", "hook": "input", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_forward", "type": "filter", "hook": "forward", "prio": 9, "policy": "drop"}}}, {"add": {"chain": {"family": "inet", "table": "firewalld_policy_drop", "name": "filter_output", "type": "filter", "hook": "output", "prio": 9, "policy": "drop"}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_input", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_forward", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}, {"add": {"rule": {"family": "inet", "table": "firewalld_policy_drop", "chain": "filter_output", "expr": [{"match": {"left": {"ct": {"key": "state"}}, "op": "in", "right": {"set": ["established", "related"]}}}, {"accept": null}]}}}]}

Same with --complete-reload.

Comment 13 Eric Garver 2021-05-10 15:43:50 UTC
(In reply to Christophe de Dinechin from comment #10)
> I wonder why there is the whole range open like this? Sort of defeats the
> purpose of a firewall, no?

Yes. Yes it does. Fedora workstation does this. IIRC, it was a decision long ago by the workstation SIG.

Comment 14 Eric Garver 2021-05-10 15:44:55 UTC
(In reply to Christophe de Dinechin from comment #10)
> No, but it has an overlap:
> 
> <?xml version="1.0" encoding="utf-8"?>
> <zone>
>   <short>Fedora Workstation</short>
>   <description>Unsolicited incoming network packets are rejected from port 1
> to 1024, except for select network services. Incoming packets that are
> related to outgoing network connections are accepted. Outgoing network
> connections are allowed.</description>
>   <service name="mdns"/>
>   <service name="ssh"/>
>   <service name="samba-client"/>
>   <service name="dhcpv6-client"/>
>   <service name="samba"/>
>   <service name="rsyncd"/>
>   <service name="vnc-server"/>
>   <service name="nfs"/>
>   <service name="rpc-bind"/>
>   <service name="mountd"/>
>   <port port="1025-65535" protocol="udp"/>
>   <port port="1025-65535" protocol="tcp"/>
>   <port port="80" protocol="tcp"/>
>   <port port="6443" protocol="tcp"/>
>   <port port="443" protocol="tcp"/>
> </zone>

Did you manually add 6443? Or was that done automagically by installing CRC?

Comment 15 Laine Stump 2021-05-11 18:43:02 UTC
So is there a bug in firewalld here wrt logging an error when two rules overlap? Or should this be considered a configuration error? Based on the answer to that we can either close this or reassign to firewalld.

Comment 16 Eric Garver 2021-05-12 12:25:04 UTC
(In reply to Laine Stump from comment #15)
> So is there a bug in firewalld here wrt logging an error when two rules
> overlap? Or should this be considered configuration error? Based on the
> answer to that we can either close this or reassign to firewalld.

Configuration error.

Firewalld could do a better job at handling the error, but the root cause is that the config is invalid.

Comment 17 Laine Stump 2021-05-12 17:32:21 UTC
Based on Comment 16, closing as NOTABUG

Comment 18 Christophe de Dinechin 2021-05-12 17:40:07 UTC
Sorry, reopening. If you look at the original bug description filed against libvirt, it states:

Expected results:

Either 
Network default started

or a sensible error message


I don't consider the error message I received to be sensible. It may be at the lower level, but at a higher level like virsh, I really expect at least a mention that this is a firewall misconfiguration.

For example, having some message like:


Firewall configuration failed. Your existing firewall configuration is probably invalid. Check if journalctl -u firewalld reports errors.


(And yes, another issue against firewalld itself is probably in order here)

Comment 19 Laine Stump 2021-05-17 20:22:49 UTC
Bug 1914935 (originally opened and then soon-after closed by rjones, but re-opened just today) seems like the same thing but assigned to firewalld.

While I agree that the message logged is very cryptic, and doesn't point toward any solution, I am hesitant to parse/attempt to interpret the text of any error message from external software in order to provide a better message.

Although we know in this case it is caused by a configuration problem in firewalld, it could potentially be caused by anything else - it's out of our control. Also, anything based on interpreting the text of a log message will be broken as soon as the system language is changed from English.

If anything, firewalld is in a better position to determine if a more descriptive message is possible.

Comment 20 Christophe de Dinechin 2021-05-18 13:09:30 UTC
I completely agree that you should not even attempt to parse the output of the firewall command.

What you can do, however, is point the user to the firewall to start with. In that case, the command does a number of things, and the message does not even suggest that the problem happens during firewall configuration.

This is why my suggestion was to leave the original message as is (and hope that firewalld emits a better message at some point), but add a libvirt message indicating that this happened during firewall configuration.

I suggested something like:

Firewall configuration failed. Your existing firewall configuration is probably invalid. Check if journalctl -u firewalld reports errors.

Any message that points to the firewall will be helpful. I guess you only need to check the exit code for that, and don't need to care about the output of the external tool.
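The pattern proposed in this exchange is simple: decide success or failure from the external tool's exit status alone, prefix the failure with which stage of network start-up it happened in and a pointer to the firewall, and pass the tool's own text through untouched rather than interpreting it. As an added example, not libvirt's code and not a proposed patch, here is that wrapper in Python; `simulated_failure` drives it offline with a stand-in for `subprocess.run`, and the stage text, argv and stderr it uses are constructed for illustration (the argv mirrors the iptables call quoted in comment 1).

```python
import subprocess


class FirewallConfigError(RuntimeError):
    """Failure of an external firewall command, reported with the stage it
    happened in plus the tool's untouched output (no parsing of that output)."""

    def __init__(self, stage, argv, returncode, stderr):
        self.stage, self.argv, self.returncode, self.stderr = stage, argv, returncode, stderr
        super().__init__(self.render())

    def render(self):
        # Caller's context first, the tool's own message verbatim last, so the
        # hint survives a change of system language in the external tool.
        return (f"Firewall configuration failed while {self.stage} "
                f"({self.argv[0]} exited with status {self.returncode}). "
                "Your existing firewall configuration is probably invalid. "
                "Check if journalctl -u firewalld reports errors.\n"
                f"Original error: {self.stderr.strip()}")


def run_firewall_command(stage, argv, run=subprocess.run):
    """Run one external command for the named stage; only the exit status
    decides whether it failed. `run` is injectable so the wrapper can be
    exercised without touching the host firewall."""
    proc = run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        raise FirewallConfigError(stage, argv, proc.returncode, proc.stderr)
    return proc.stdout


def simulated_failure():
    """Exercise the wrapper offline with a stand-in for subprocess.run whose
    stderr is a constructed placeholder for the message in this report."""
    def fake_run(argv, **kwargs):
        return subprocess.CompletedProcess(
            argv, 1, stdout="",
            stderr="COMMAND_FAILED: 'python-nftables' failed: \nJSON blob:\n{constructed placeholder}")

    try:
        # Stage text is illustrative; argv mirrors the iptables call quoted in comment 1.
        run_firewall_command("adding rules for bridge virbr0",
                             ["/usr/sbin/iptables", "-w", "--table", "filter",
                              "--insert", "LIBVIRT_INP", "--in-interface", "virbr0"],
                             run=fake_run)
    except FirewallConfigError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(simulated_failure())
```

The wrapper never reads the tool's stdout or stderr to decide anything, which is the constraint comment 19 raises; the only new information in the message is what the caller already knows, namely which step it was performing.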

Comment 21 Ben Cotton 2022-05-12 16:04:00 UTC
This message is a reminder that Fedora Linux 34 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 34 on 2022-06-07.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '34'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 34 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 22 Ben Cotton 2022-06-07 23:00:55 UTC
Fedora Linux 34 entered end-of-life (EOL) status on 2022-06-07.

Fedora Linux 34 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release.

Thank you for reporting this bug and we are sorry it could not be fixed.

