[Pkg-utopia-maintainers] Bug#914694: Bug#914694: firewall-cmd --reload fails: RULE_REPLACE failed (No such file or directory): rule in chain {INPUT, OUTPUT}

Sunil Mohan Adapa sunil at medhas.org
Mon Dec 31 05:26:32 GMT 2018


Hi,

Thank you for investigating the bug. I have more information:

firewalld
=========

After firewalld's rules are loaded for the first time, flushing them
fails. This happens during shutdown, or during startup if the rules are
already present due to an unclean shutdown. Output of `firewalld --nofork
--nopid --debug 10` is attached. The following is the stack trace
extracted from it.

2018-12-31 02:31:08 DEBUG1: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/firewall/server/decorators.py", line 53, in handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/firewall/server/firewalld.py", line 101, in stop
    return self.fw.stop()
  File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 650, in stop
    self.flush()
  File "/usr/lib/python3/dist-packages/firewall/core/fw.py", line 838, in flush
    transaction.execute(True)
  File "/usr/lib/python3/dist-packages/firewall/core/fw_transaction.py", line 143, in execute
    raise FirewallError(errors.COMMAND_FAILED, errorMsg)

The log further shows that firewalld fails while running iptables-restore.

iptables-restore
================

The command on which firewalld fails is similar to the following session:

# iptables-restore -n rules
iptables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT

$ cat rules
*security
-F
-X
-Z
COMMIT
*raw
-F
-X
-Z
COMMIT
*mangle
-F
-X
-Z
COMMIT
*nat
-F
-X
-Z
COMMIT
*filter
-F
-X
-Z
COMMIT

Without the -n (--noflush) option, the command succeeds:

# iptables-restore rules
# echo $?
0

The same problem occurs with ip6tables-restore.

I have saved the state of iptables after starting up firewalld using
iptables-save. This saved state file is sufficient to reproduce the
problem with just iptables-restore, without firewalld. It is attached.

# iptables-restore rules
# iptables-restore -n rules
# iptables-restore iptables.save
# iptables-restore -n rules
iptables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT

Environment
===========

firewalld      0.6.3-4
iptables       1.8.2-3
nftables       0.9.0-2
linux-image-4.19.0-1-amd64          4.19.12-1

# uname -a
Linux testing 4.19.0-1-amd64 #1 SMP Debian 4.19.12-1 (2018-12-22) x86_64 GNU/Linux

# iptables -V
iptables v1.8.2 (nf_tables)

PS: This bug is currently affecting all FreedomBox machines, as firewalld
is the firewall manager. We are switching to the nftables backend during
initial setup, but 'systemctl restart firewalld' does not provide the
desired results. Users are having to reboot the machine, which is a major
hit to the first experience of FreedomBox. This bug is not reproducible with
Backend=nftables in /etc/firewalld/firewalld.conf.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firewalld-stdout-debug.log
Type: text/x-log
Size: 73261 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-utopia-maintainers/attachments/20181230/48610ffa/attachment-0001.bin>
-------------- next part --------------
# Generated by xtables-save v1.8.2 on Mon Dec 31 02:45:43 2018
*security
:INPUT ACCEPT [1280:53540]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1219:104756]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:FORWARD_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Mon Dec 31 02:45:43 2018
# Generated by xtables-save v1.8.2 on Mon Dec 31 02:45:43 2018
*raw
:PREROUTING ACCEPT [1280:53540]
:OUTPUT ACCEPT [1219:104756]
:PREROUTING_direct - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_ZONES - [0:0]
:OUTPUT_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_log - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_allow - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Dec 31 02:45:43 2018
# Generated by xtables-save v1.8.2 on Mon Dec 31 02:45:43 2018
*mangle
:PREROUTING ACCEPT [1280:53540]
:INPUT ACCEPT [1280:53540]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1219:104756]
:POSTROUTING ACCEPT [1219:104756]
:PREROUTING_direct - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_ZONES - [0:0]
:POSTROUTING_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:FORWARD_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_log - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_allow - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Dec 31 02:45:43 2018
# Generated by xtables-save v1.8.2 on Mon Dec 31 02:45:43 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING_direct - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_ZONES - [0:0]
:POSTROUTING_direct - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_ZONES - [0:0]
:OUTPUT_direct - [0:0]
:POST_public - [0:0]
:POST_public_log - [0:0]
:POST_public_deny - [0:0]
:POST_public_allow - [0:0]
:PRE_public - [0:0]
:PRE_public_log - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_allow - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -g PRE_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Mon Dec 31 02:45:43 2018
# Generated by xtables-save v1.8.2 on Mon Dec 31 02:45:43 2018
*filter
:INPUT ACCEPT [23:920]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1219:104756]
:INPUT_direct - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_ZONES - [0:0]
:FORWARD_direct - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:OUTPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_log - [0:0]
:IN_public_deny - [0:0]
:IN_public_allow - [0:0]
:FWDI_public - [0:0]
:FWDI_public_log - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_allow - [0:0]
:FWDO_public - [0:0]
:FWDO_public_log - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A INPUT_ZONES -g IN_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
COMMIT
# Completed on Mon Dec 31 02:45:43 2018
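An added example, not part of the report and not firewalld's or iptables' own code: a small parser for the iptables-save format shown in the attachment above, which reports which firewalld-managed chains are still loaded in each table, the "rules already present due to an unclean shutdown" state the report describes as the trigger for the failing flush. The chain-name patterns it treats as firewalld's are an assumption derived from the chain names visible in the attachment.

```python
# Added example: parse iptables-save output and list firewalld chains that
# are still loaded (the "rules already present" state the report describes).
# SAMPLE is an excerpt of the report's iptables.save attachment, shortened.
import re
SAMPLE = """\
*security
:INPUT ACCEPT [1280:53540]
:INPUT_direct - [0:0]
-A INPUT -j INPUT_direct
COMMIT
*filter
:INPUT ACCEPT [23:920]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")
# Assumed naming pattern of firewalld's own chains, taken from the names in
# the attachment (*_direct, *_ZONES, *_ZONES_SOURCE, IN_/FWDI_/FWDO_/PRE_/POST_*).
FIREWALLD_CHAIN_RE = re.compile(r"_direct$|_ZONES(_SOURCE)?$|^(IN|FWDI|FWDO|PRE|POST)_")
def parse_save(text):
    """Return {table: {"chains": {name: policy}, "rules": {chain: [rule, ...]}}}."""
    tables, table = {}, None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # blank lines and "# Generated by ..."
        if line.startswith("*"):          # "*filter": start of a table block
            table = tables.setdefault(line[1:], {"chains": {}, "rules": {}})
        elif line == "COMMIT":            # end of the current table block
            table = None
        elif line.startswith(":"):        # ":NAME POLICY [packets:bytes]"
            name, policy = CHAIN_RE.match(line).group(1, 2)
            table["chains"][name] = policy
            table["rules"].setdefault(name, [])
        elif line.startswith("-A "):      # "-A CHAIN <matches> -j TARGET"
            table["rules"].setdefault(line.split()[1], []).append(line)
    return tables

def leftover_firewalld_chains(tables):
    """Map table -> firewalld-managed chains still present; empty when clean."""
    return {t: [c for c in d["chains"] if FIREWALLD_CHAIN_RE.search(c)]
            for t, d in tables.items()
            if any(FIREWALLD_CHAIN_RE.search(c) for c in d["chains"])}
```

Feed it the output of `iptables-save` on a live host; a non-empty result before firewalld starts means the flush described in the report will run against already-populated tables.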