Bug 821230 - iptables.init fails: "invalid mask 64 specified"
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: systemd
Version: 17
Hardware: x86_64 Linux
Priority: unspecified, Severity: medium
Assigned To: systemd-maint
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-05-13 06:46 EDT by tuxor
Modified: 2012-05-14 07:59 EDT
Doc Type: Bug Fix
Last Closed: 2012-05-14 06:02:00 EDT
Type: Bug


Description tuxor 2012-05-13 06:46:34 EDT
Description of problem: While ip6tables.service starts successfully on boot, iptables.service fails. Manually starting it after boot fails as well. In /var/log/boot.log I get the entry "Failed to start IPv4 firewall with iptables".


Version-Release number of selected component (if applicable):
iptables.x86_64   1.4.12.2-5.fc17
systemd.x86_64    44-8.fc17                    


How reproducible: always


Steps to Reproduce:
1. boot/reboot
2. systemctl status iptables
3. systemctl start iptables
4. systemctl status iptables
  
Actual results: iptables.service fails to start on (re)boot as well as after boot.

Expected results: I guess iptables.service should start properly?!

Additional info: 

# systemctl status iptables.service 
iptables.service - IPv4 firewall with iptables
	  Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
	  Active: failed (Result: exit-code) since Sun, 13 May 2012 12:30:54 +0200; 1min 15s ago
	Main PID: 697 (code=exited, status=1/FAILURE)
	  CGroup: name=systemd:/system/iptables.service

# systemctl start iptables.service
Job failed. See system journal and 'systemctl status' for details.

# systemctl status iptables.service 
iptables.service - IPv4 firewall with iptables
	  Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
	  Active: failed (Result: exit-code) since Sun, 13 May 2012 12:34:06 +0200; 16s ago
	 Process: 1724 ExecStart=/usr/libexec/iptables.init start (code=exited, status=1/FAILURE)
	  CGroup: name=systemd:/system/iptables.service

May 13 12:34:06 fedora.thinkpad iptables.init[1724]: iptables: Firewall-Regeln anwenden: iptables-restore v1.4.12.2: invalid mask `64' specified
May 13 12:34:06 fedora.thinkpad iptables.init[1724]: Error occurred at line: 10
May 13 12:34:06 fedora.thinkpad iptables.init[1724]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Comment 1 tuxor 2012-05-13 06:52:47 EDT
You might be interested in the contents of /etc/sysconfig/iptables. Well, this seems to be the critical line 10:

-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
Comment 2 Piruthiviraj Natarajan 2012-05-13 06:58:15 EDT
I have the same issue. I could not start iptables.

[root@localhost ~]# systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
      Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
      Active: failed (Result: exit-code) since Tue, 08 May 2012 14:18:26 +0530; 1min 31s ago
     Process: 2906 ExecStart=/usr/libexec/iptables.init start (code=exited, status=1/FAILURE)
      CGroup: name=systemd:/system/iptables.service

May 08 14:18:26 localhost.localdomain iptables.init[2906]: iptables: Applying firewall rules: iptables-restore v1.4.12.2: invalid mask `64' specified
May 08 14:18:26 localhost.localdomain iptables.init[2906]: Error occurred at line: 10
May 08 14:18:26 localhost.localdomain iptables.init[2906]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
May 08 14:18:26 localhost.localdomain iptables.init[2906]: [FAILED]
Comment 3 tuxor 2012-05-13 07:19:52 EDT
I had a look at what /64 means in the syntax of iptables' -d option. Obviously it's an abbreviation for the address mask 255.255.255.255.255.255.255.255 which is nonsense. Maybe it's only a typo and should be /24 which would correspond to 255.255.255.0 ...
Comment 4 tuxor 2012-05-13 07:33:41 EDT
Ah no, that's wrong.

The problem is that somebody copied and pasted this line from the /etc/sysconfig/ip6tables file. There it's supposed to let through communication with DHCP servers.

With IPv4 an equivalent line would look something like this:

-A INPUT -m state --state NEW -m udp -p udp --dport 68 -j ACCEPT

But I'm not sure if this line isn't missing something important. And I'm not sure whether port 67 or 68 is desirable.

For now I simply commented out line 10 and iptables.service is starting without error messages.
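
The mismatch diagnosed in comment 4, an IPv6 prefix in the IPv4 rules file, can be caught before the service is restarted and the host is left without its IPv4 ruleset. The following is an added example, not part of the original bug report or of the iptables package; `check_rules` and the sample ruleset are constructed for illustration, and only line 10 of the sample is the rule quoted in comment 1.

```python
import ipaddress
import shlex

# Options that take an address or network in iptables rule syntax.
ADDR_OPTS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}

# Constructed ruleset; only line 10 is the rule quoted in the bug report.
SAMPLE = """\
# Constructed sample in iptables-save format.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 546 -d fe80::/64 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def check_rules(text, family=4):
    """Return (line_no, option, value, reason) for every -s/-d argument that
    does not fit a ruleset of the given IP family (4 or 6). Line numbers count
    every line of the file, like the 'Error occurred at line' message."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Skip blanks, comments, table headers, chain policies and COMMIT.
        if not stripped or stripped[0] in "#*:" or stripped == "COMMIT":
            continue
        tokens = shlex.split(stripped)
        for opt, value in zip(tokens, tokens[1:]):
            if opt not in ADDR_OPTS:
                continue
            for item in value.split(","):  # iptables accepts address lists
                try:
                    net = ipaddress.ip_network(item, strict=False)
                except ValueError:
                    # Hostnames are left alone; numeric junk is reported.
                    if ":" in item or item[:1].isdigit():
                        findings.append((line_no, opt, item, "not a valid address or prefix"))
                    continue
                if net.version != family:
                    findings.append((line_no, opt, item, f"IPv{net.version} address in IPv{family} ruleset"))
    return findings

if __name__ == "__main__":
    for line_no, opt, value, reason in check_rules(SAMPLE, family=4):
        print(f"line {line_no}: {opt} {value}: {reason}")
```

`iptables-restore --test` parses a rules file without committing it and remains the authoritative check; the script only names the address that makes the parse fail.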
Comment 5 tuxor 2012-05-14 06:02:00 EDT
Okay, the problematic line has been officially removed from /etc/sysconfig/iptables in TC5. For everybody who is suffering from this problem: The official solution seems to be removing that line 10 posted above. 

For users who install from TC5 or any future release this will already be solved. So I mark this bug as solved. Feel free to reopen if you run into that problem with a more recent version of Fedora 17.
Comment 6 Michal Schmidt 2012-05-14 07:59:35 EDT
OK, I'm glad you found out what the problem was.

I'd like to point out a general rule:
When a specific service is failing, the bug should be first reported against the package the service belongs to, not against systemd. Thanks.
