Bug 2175016 - starting miniupnpd immediately stops all traffic managed by firewalld
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: miniupnpd
Version: 37
Assignee: Michael Cronenworth
QA Contact: Fedora Extras Quality Assurance
Reported: 2023-03-02 21:06 UTC by steubens
Modified: 2023-08-05 01:37 UTC

Fixed In Version: miniupnpd-2.3.3-1.fc37 miniupnpd-2.3.3-1.fc38
Last Closed: 2023-08-05 01:19:10 UTC
Type: Bug

Description steubens 2023-03-02 21:06:15 UTC
Description of problem:
A functioning NAT/forwarding setup with firewalld breaks when miniupnpd is installed, leading to a very painful upgrade from f35/f36 to f37.

Version-Release number of selected component (if applicable):
miniupnpd-2.3.1-1.fc37

How reproducible:
Every time. It recovers when stopped, too.

Steps to Reproduce:
1. Have firewalld enabled for the link that reaches the internet
2. Ping something on the internet
3. Start miniupnpd

Actual results:
The pings stop being replied to, because they're not making it back to where they came from.

Expected results:
Network to function normally.

Additional info:
It's something about the way the nft rules are written that starves the firewalld rules & chain setup.

This will be a pain point for every upgrade if it's installed.

Comment 1 Michael Cronenworth 2023-03-02 22:12:52 UTC
Unfortunately upstream does not gracefully handle nftables. The way they handle it now is to use command line calls through a script created in /tmp. This has all sorts of security problems and problems with SELinux. I feel a bug report with upstream is necessary to find a solution.

Comment 2 Fedora Update System 2023-07-27 03:41:42 UTC
FEDORA-2023-501a729cf2 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-501a729cf2

Comment 3 Fedora Update System 2023-07-27 03:43:54 UTC
FEDORA-2023-829ba95ee2 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-829ba95ee2

Comment 4 Michael Cronenworth 2023-07-27 03:44:42 UTC
Please try the update. I updated the default firewall policy that miniupnpd uses to try and not have it block if you use an alternative firewall manager.
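
An added illustration, not part of the bug thread and not miniupnpd's or firewalld's own code: in nftables a packet must pass every base chain on a hook, so an `accept` from firewalld does not override a `drop` policy in another table's chain. The code audits `nft -j list ruleset`-style JSON for such chains; the sample ruleset and the `example_upnp` table name are constructed assumptions.

```python
import json

# Constructed sample in the shape of `nft -j list ruleset` output. Table and
# chain names are illustrative assumptions, not miniupnpd's shipped rules.
SAMPLE = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "inet", "name": "firewalld"}},
    {"chain": {"family": "inet", "table": "firewalld", "name": "filter_FORWARD",
               "type": "filter", "hook": "forward", "prio": 10, "policy": "accept"}},
    {"table": {"family": "inet", "name": "example_upnp"}},
    {"chain": {"family": "inet", "table": "example_upnp", "name": "forward",
               "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
    {"chain": {"family": "inet", "table": "example_upnp", "name": "helper"}},
]})

def base_chains(ruleset_json):
    """Return base chains (those attached to a hook) per hook, sorted by priority."""
    hooks = {}
    for item in json.loads(ruleset_json)["nftables"]:
        chain = item.get("chain")
        if chain and "hook" in chain:  # regular chains carry no hook
            hooks.setdefault(chain["hook"], []).append(chain)
    for chains in hooks.values():
        chains.sort(key=lambda c: c["prio"])
    return hooks

def competing_drop_policies(ruleset_json, manager_table="firewalld"):
    """Find drop-policy base chains outside manager_table that share a hook with it."""
    findings = []
    for hook, chains in base_chains(ruleset_json).items():
        if not any(c["table"] == manager_table for c in chains):
            continue
        for c in chains:
            if c["table"] != manager_table and c.get("policy") == "drop":
                findings.append((hook, c["family"], c["table"], c["name"], c["prio"]))
    return findings

def verdict_for_flow(ruleset_json, hook, accepted_by="firewalld"):
    """Verdict for a flow that accepted_by's rules accept and no other table's rules match."""
    for c in base_chains(ruleset_json).get(hook, []):
        verdict = "accept" if c["table"] == accepted_by else c.get("policy", "accept")
        if verdict == "drop":
            return "drop", c["table"]  # drop is final; later chains never run
    return "accept", None  # accept only ends one chain, so every chain must agree

if __name__ == "__main__":
    for hook, family, table, name, prio in competing_drop_policies(SAMPLE):
        print(f"{hook}: {family} {table}/{name} (prio {prio}) has policy drop")
    print(verdict_for_flow(SAMPLE, "forward"))
```

On a live host, the output of `nft -j list ruleset` can be passed to the same functions in place of the constructed sample.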

Comment 5 Fedora Update System 2023-07-28 01:43:16 UTC
FEDORA-2023-829ba95ee2 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-829ba95ee2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-829ba95ee2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2023-07-28 01:43:25 UTC
FEDORA-2023-501a729cf2 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-501a729cf2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-501a729cf2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-08-05 01:19:10 UTC
FEDORA-2023-829ba95ee2 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2023-08-05 01:37:49 UTC
FEDORA-2023-501a729cf2 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.
