Bug 967376 - Don't fail the configuration if unused iptables feature can't be used
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Duplicates: 926055 951059
Reported: 2013-05-26 22:38 UTC by David Jaša
Modified: 2019-01-09 12:33 UTC

Fixed In Version: firewalld-0.3.7-1.fc20
Doc Type: Bug Fix
Last Closed: 2013-10-22 04:57:11 UTC
Type: Bug

Attachments:
dmesg (38.44 KB, text/plain), 2013-08-27 11:50 UTC, Richard W.M. Jones
ts1 (1.27 KB, text/plain), 2013-10-21 03:23 UTC, lnie
iptables -save (7.34 KB, text/plain), 2013-10-21 03:25 UTC, lnie
dmesg (35.29 KB, text/plain), 2013-10-21 03:27 UTC, lnie

Description David Jaša 2013-05-26 22:38:11 UTC
Description of problem:
I needed to upgrade just userspace to F19 on one ARM box while keeping the older kernel (kernel upgrade is not an option till the board support makes its way to upstream, which will take a couple of kernel releases at least).

If I don't turn off the firewalld on that box, the box becomes inaccessible because ipv6 nat table - not used in configuration at all - can not be initialized. This kind of fault-intolerance is not a good trait of firewall-managing software as it can cut the administrator off without after an upgrade.

Version-Release number of selected component (if applicable):
firewalld-0.3.2-1.fc19.noarch
3.4.29.sun4i

How reproducible:
always

Steps to Reproduce:
1. install f18 with 3.4 kernel, make sure that firewalld service is enabled
2. upgrade the box while keeping (3.4) kernel
3. reboot, log in to the system remotely

Actual results:
1. admin can ssh to the box
3. admin can't ssh to the box anymore

Expected results:
admin can ssh to the host without any issues

Additional info:
the error:
[root@www ~]# firewall-cmd --reload
Error: '/sbin/ip6tables -t nat -N PREROUTING_direct' failed: ip6tables v1.4.18: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.

Comment 1 Jiri Popelka 2013-06-17 14:56:24 UTC
*** Bug 926055 has been marked as a duplicate of this bug. ***

Comment 2 Jiri Popelka 2013-06-17 15:03:17 UTC
*** Bug 951059 has been marked as a duplicate of this bug. ***

Comment 3 Richard W.M. Jones 2013-07-31 14:31:42 UTC
Is there at least a workaround for this bug?  It completely
prevents me from using an arm box remotely (again, kernel
upgrade is NOT an option).

Comment 4 Jiri Popelka 2013-07-31 14:58:32 UTC
None that I know of (if you don't count turning firewalld off and using iptables service).

Comment 5 Jiri Popelka 2013-07-31 16:00:43 UTC
Hopefully
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=fa84adec494df873a4c0a127412db7b14c77e982
will work-around this specific IPv6 NAT problem.

Comment 6 Jiri Kastner 2013-08-27 11:08:07 UTC
On an ARM SoC running F19 on top of a 3.4 kernel I'm not able to log in using ssh.

[root@localhost ~]#  systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Thu 2009-12-31 19:12:05 EST; 46s ago
 Main PID: 191 (firewalld)
   CGroup: name=systemd:/system/firewalld.service
           └─191 /usr/bin/python /usr/sbin/firewalld --nofork --nopid

Dec 31 19:12:05 localhost systemd[1]: Started firewalld - dynamic firewall ...n.
[root@localhost ~]# firewall-cmd --add-service=ssh --permanent
Error: INVALID_ZONE
[root@localhost ~]# firewall-cmd --list-all-zones
[root@localhost ~]#

Comment 7 Thomas Woerner 2013-08-27 11:43:50 UTC
Please attach the output of 

1) firewall-cmd --get-default-zone
2) firewall-cmd --list-all-zones
3) iptables-save
4) dmesg

Comment 8 Jiri Popelka 2013-08-27 11:50:43 UTC
Thomas, we had already identified Jiri Kastner's problem as this bug and I pointed him here to leave a comment.

Comment 9 Richard W.M. Jones 2013-08-27 11:50:48 UTC
Created attachment 790928
dmesg

(In reply to Thomas Woerner from comment #7)
> Please attach the output of 
> 
> 1) firewall-cmd --get-default-zone
> 2) firewall-cmd --list-all-zones

I have removed firewalld to work around this bug.

> 3) iptables-save

# Generated by iptables-save v1.4.18 on Tue Aug 27 12:48:08 2013
*mangle
:PREROUTING ACCEPT [462:38099]
:INPUT ACCEPT [456:36643]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [411:157303]
:POSTROUTING ACCEPT [442:162070]
COMMIT
# Completed on Tue Aug 27 12:48:08 2013
# Generated by iptables-save v1.4.18 on Tue Aug 27 12:48:08 2013
*filter
:INPUT ACCEPT [456:36643]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [411:157303]
COMMIT
# Completed on Tue Aug 27 12:48:08 2013

> 4) dmesg

Attached.

Comment 10 Fedora Update System 2013-09-30 12:36:11 UTC
firewalld-0.3.5-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/firewalld-0.3.5-1.fc20

Comment 11 Fedora Update System 2013-09-30 12:39:48 UTC
firewalld-0.3.5-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/firewalld-0.3.5-1.fc19

Comment 12 Fedora Update System 2013-10-01 02:02:18 UTC
Package firewalld-0.3.5-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.5-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17984/firewalld-0.3.5-1.fc20
then log in and leave karma (feedback).

Comment 13 Jiri Kastner 2013-10-01 08:26:35 UTC
on chromebook (chromeos 3.4.0 kernel):

Error: '/sbin/iptables -t raw -N PREROUTING_direct' failed: iptables v1.4.18: can't initialize iptables table 'raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Comment 14 Jiri Kastner 2013-10-01 08:27:11 UTC
(In reply to Jiri Kastner from comment #13)
> on chromebook (chromeos 3.4.0 kernel):
> 
> Error: '/sbin/iptables -t raw -N PREROUTING_direct' failed: iptables
> v1.4.18: can't initialize iptables table 'raw': Table does not exist (do you
> need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.

with firewalld-0.3.5-1.fc19
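
The two failures quoted above (ip6tables nat in the description, iptables raw in comment 13) share one pattern: a table the running kernel cannot initialize aborts the whole configuration. The sketch below is an added example, not firewalld's code or the fix shipped in 0.3.7; it probes each table first and skips only chains that nothing depends on. The function names, the "required" flag and the INPUT_direct sample entry are assumptions made for illustration.

```python
import subprocess

# Command paths and table names as they appear in the errors quoted in this report.
COMMANDS = {"ipv4": "/sbin/iptables", "ipv6": "/sbin/ip6tables"}
TABLES = ("filter", "mangle", "nat", "raw")

def run_quiet(argv):
    """Run one command; return (exit_status, combined output)."""
    try:
        p = subprocess.run(argv, stdout=subprocess.PIPE,
                           stderr=subprocess.STDOUT, universal_newlines=True)
    except OSError as exc:  # binary missing or not executable
        return 127, str(exc)
    return p.returncode, p.stdout

def fake_old_kernel(argv):
    """Constructed stand-in for run_quiet: no ip6tables nat, no iptables raw."""
    missing = {("/sbin/ip6tables", "nat"), ("/sbin/iptables", "raw")}
    if (argv[0], argv[2]) in missing:
        return 1, "can't initialize table: Table does not exist"
    return 0, ""

def probe_tables(run=run_quiet):
    """Return {ipv: [tables the kernel can initialize]} by listing each table."""
    return {ipv: [t for t in TABLES if run([cmd, "-t", t, "-L", "-n"])[0] == 0]
            for ipv, cmd in COMMANDS.items()}

def plan_chains(wanted, usable):
    """Split wanted (ipv, table, chain, required) into commands to run and skips.

    An unusable table is skipped only when nothing in the configuration needs
    it; a required table that is missing is an error, never a silent skip.
    """
    create, skipped = [], []
    for ipv, table, chain, required in wanted:
        if table in usable.get(ipv, ()):
            create.append([COMMANDS[ipv], "-t", table, "-N", chain])
        elif required:
            raise RuntimeError("%s table %r is required but unavailable" % (ipv, table))
        else:
            skipped.append((ipv, table, chain))
    return create, skipped

if __name__ == "__main__":
    usable = probe_tables(fake_old_kernel)  # call probe_tables() as root for a real probe
    wanted = [("ipv6", "nat", "PREROUTING_direct", False),  # constructed sample entries
              ("ipv4", "filter", "INPUT_direct", False)]
    print(plan_chains(wanted, usable))
```

Keeping the required/unused distinction explicit means an old kernel no longer locks the administrator out over an unused table, while a rule set that really depends on a missing table still fails loudly instead of loading partially.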

Comment 15 Fedora Update System 2013-10-02 06:48:06 UTC
firewalld-0.3.5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2013-10-03 01:15:18 UTC
firewalld-0.3.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Richard W.M. Jones 2013-10-03 07:52:46 UTC
Reopening based on comment 14.

Comment 18 Dan 2013-10-08 14:29:50 UTC
Problems still persist in firewalld-0.3.5-1.fc19.noarch and also in firewalld-0.3.6.2-1.fc19.noarch from the updates-testing repo.

Almost any firewall-cmd command returns Error: INVALID_ZONE

Comment 20 Fedora Update System 2013-10-17 15:57:01 UTC
firewalld-0.3.7-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/firewalld-0.3.7-1.fc20

Comment 21 Fedora Update System 2013-10-17 15:59:26 UTC
firewalld-0.3.7-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/firewalld-0.3.7-1.fc19

Comment 22 Fedora Update System 2013-10-17 20:29:25 UTC
Package firewalld-0.3.7-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.7-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-19184/firewalld-0.3.7-1.fc20
then log in and leave karma (feedback).

Comment 23 lnie 2013-10-21 03:10:00 UTC
seems fine with the firewalld-0.3.7-1.fc20

Comment 24 lnie 2013-10-21 03:22:18 UTC
#firewall-cmd --add-service=ssh --permanent
 success
#firewall-cmd --get-default-zone
 public
#firewall-cmd --list-all-zones
 attached
#iptables-save
 attached
#dmesg
 attached

Comment 25 lnie 2013-10-21 03:23:12 UTC
Created attachment 814389
ts1

Comment 26 lnie 2013-10-21 03:25:54 UTC
Created attachment 814390
iptables -save

Comment 27 lnie 2013-10-21 03:27:06 UTC
Created attachment 814391
dmesg

Comment 28 Fedora Update System 2013-10-22 04:57:11 UTC
firewalld-0.3.7-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2013-11-10 07:14:25 UTC
firewalld-0.3.7-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
