Description of problem:
I needed to upgrade just userspace to F19 on one arm box while keeping the older kernel (kernel upgrade is not an option till the board support makes its way to upstream, which will take a couple of kernel releases at least). If I don't turn off the firewalld on that box, the box becomes inaccessible because ipv6 nat table - not used in configuration at all - can not be initialized. This kind of fault-intolerance is not a good trait of firewall-managing software as it can cut the administrator off without after an upgrade.

Version-Release number of selected component (if applicable):
firewalld-0.3.2-1.fc19.noarch
3.4.29.sun4i

How reproducible:
always

Steps to Reproduce:
1. install f18 with 3.4 kernel, make sure that firewalld service is enabled
2. upgrade the box while keeping (3.4) kernel
3. reboot, log in to the system remotely

Actual results:
1. admin can ssh to the box
3. admin can't ssh to the box anymore

Expected results:
admin can ssh to the host without any issues

Additional info:
the error:
[root@www ~]# firewall-cmd --reload
Error: '/sbin/ip6tables -t nat -N PREROUTING_direct' failed: ip6tables v1.4.18: can't initialize ip6tables table `nat': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
*** Bug 926055 has been marked as a duplicate of this bug. ***
*** Bug 951059 has been marked as a duplicate of this bug. ***
Is there at least a workaround for this bug? It completely prevents me from using an arm box remotely (again, kernel upgrade is NOT an option).
None that I know of (if you don't count turning firewalld off and using iptables service).
Hopefully https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=fa84adec494df873a4c0a127412db7b14c77e982 will work-around this specific IPv6 NAT problem.
on arm soc running f19 on top of 3.4 kernel I'm not able to log in using ssh.
[root@localhost ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Thu 2009-12-31 19:12:05 EST; 46s ago
 Main PID: 191 (firewalld)
   CGroup: name=systemd:/system/firewalld.service
           └─191 /usr/bin/python /usr/sbin/firewalld --nofork --nopid
Dec 31 19:12:05 localhost systemd[1]: Started firewalld - dynamic firewall ...n.
[root@localhost ~]# firewall-cmd --add-service=ssh --permanent
Error: INVALID_ZONE
[root@localhost ~]# firewall-cmd --list-all-zones
[root@localhost ~]#
Please attach the output of
1) firewall-cmd --get-default-zone
2) firewall-cmd --list-all-zones
3) iptables-save
4) dmesg
Thomas, we had already identified Jiri Kastner's problem as this bug and I pointed him here to leave a comment.
Created attachment 790928 [details]
dmesg

(In reply to Thomas Woerner from comment #7)
> Please attach the output of
>
> 1) firewall-cmd --get-default-zone
> 2) firewall-cmd --list-all-zones

I have removed firewalld to work around this bug.

> 3) iptables-save

# Generated by iptables-save v1.4.18 on Tue Aug 27 12:48:08 2013
*mangle
:PREROUTING ACCEPT [462:38099]
:INPUT ACCEPT [456:36643]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [411:157303]
:POSTROUTING ACCEPT [442:162070]
COMMIT
# Completed on Tue Aug 27 12:48:08 2013
# Generated by iptables-save v1.4.18 on Tue Aug 27 12:48:08 2013
*filter
:INPUT ACCEPT [456:36643]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [411:157303]
COMMIT
# Completed on Tue Aug 27 12:48:08 2013

> 4) dmesg

Attached.
firewalld-0.3.5-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/firewalld-0.3.5-1.fc20
firewalld-0.3.5-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/firewalld-0.3.5-1.fc19
Package firewalld-0.3.5-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.5-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17984/firewalld-0.3.5-1.fc20
then log in and leave karma (feedback).
on chromebook (chromeos 3.4.0 kernel):

Error: '/sbin/iptables -t raw -N PREROUTING_direct' failed: iptables v1.4.18: can't initialize iptables table 'raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
(In reply to Jiri Kastner from comment #13)
> on chromebook (chromeos 3.4.0 kernel):
>
> Error: '/sbin/iptables -t raw -N PREROUTING_direct' failed: iptables
> v1.4.18: can't initialize iptables table 'raw': Table does not exist (do you
> need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.

with firewalld-0.3.5-1.fc19
firewalld-0.3.5-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
firewalld-0.3.5-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Reopening based on comment 14.
Problems still persist in firewalld-0.3.5-1.fc19.noarch and also in firewalld-0.3.6.2-1.fc19.noarch from the updates-testing repo. Almost any firewall-cmd command returns Error: INVALID_ZONE
I made a few commits recently which should finally make this possible. I'll hopefully make a new release soon.
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=43beabb29347bf88e1146a2f139424c1bac6d34e
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=7d8da2c082878ef0ace5bc88b9c7332831622f73
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=da2218704aebddd4ecb6fd73623f46e6ee6ed414
firewalld-0.3.7-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/firewalld-0.3.7-1.fc20
firewalld-0.3.7-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/firewalld-0.3.7-1.fc19
Package firewalld-0.3.7-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.7-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-19184/firewalld-0.3.7-1.fc20
then log in and leave karma (feedback).
seems fine with the firewalld-0.3.7-1.fc20
#firewall-cmd --add-service=ssh --permanent
success
#firewall-cmd --get-default-zone
public
#firewall-cmd --list-all-zones
attached
#iptables-save
attached
#dmesg
attached
Created attachment 814389 [details] ts1
Created attachment 814390 [details] iptables -save
Created attachment 814391 [details] dmesg
firewalld-0.3.7-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
firewalld-0.3.7-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
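
Added example, not part of the bug report and not firewalld's own code: a pre-flight check to run before enabling firewalld on an older kernel. It probes which iptables/ip6tables tables the kernel provides, so that a missing optional table (ip6tables nat and iptables raw in the reports above) is reported instead of being discovered after ssh access is lost. The table list, the REQUIRED set, the verdict names and the constructed_old_kernel stand-in are assumptions of this example.

```python
import subprocess

# Assumption: the tables worth probing; not taken from firewalld's source.
TABLES = ("filter", "mangle", "nat", "raw")
BINARIES = {"ipv4": "/sbin/iptables", "ipv6": "/sbin/ip6tables"}
# Assumption: only the filter tables are treated as mandatory.
REQUIRED = {("ipv4", "filter"), ("ipv6", "filter")}


def run_command(argv):
    """Run argv and return (exit status, combined stdout and stderr)."""
    try:
        proc = subprocess.run(argv, stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, universal_newlines=True)
    except OSError as exc:  # binary not installed
        return 127, str(exc)
    return proc.returncode, proc.stdout


def probe_tables(run=run_command):
    """Map (family, table) -> True if a read-only listing succeeds.

    Needs root; listing a table may make the kernel load its module.
    """
    return {(fam, tbl): run([binary, "-t", tbl, "-L", "-n"])[0] == 0
            for fam, binary in BINARIES.items() for tbl in TABLES}


def assess(available):
    """Return (verdict, missing); verdict is 'ok', 'degraded' or 'blocked'."""
    missing = sorted(key for key, ok in available.items() if not ok)
    if not missing:
        return "ok", missing
    if REQUIRED & set(missing):
        return "blocked", missing   # a mandatory table is absent
    return "degraded", missing      # only optional tables are absent


def constructed_old_kernel(argv):
    """Constructed stand-in: kernel without ip6tables nat and iptables raw."""
    absent = {("/sbin/ip6tables", "nat"), ("/sbin/iptables", "raw")}
    if (argv[0], argv[2]) in absent:
        return 1, "Table does not exist"  # constructed status and message
    return 0, ""


if __name__ == "__main__":
    # Uses the constructed runner; call probe_tables() as root for a real probe.
    print(assess(probe_tables(run=constructed_old_kernel)))
```

A "degraded" verdict is the situation in this bug: the filter tables needed for the ssh rule exist, so a missing nat or raw table should not stop the firewall from coming up.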