[Pkg-utopia-maintainers] Bug#914694: Bug#914694: firewall-cmd --reload fails: RULE_REPLACE failed (No such file or directory): rule in chain {INPUT, OUTPUT}

Michael Biebl biebl at debian.org
Mon Nov 26 14:49:36 GMT 2018


Hi Eric,

I recently switched firewalld back to iptables given the feedback in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909574

This seems to have caused a regression.
Does this specific problem ring a bell?

Regards,
Michael

On 26.11.18 at 12:30, Martin Pitt wrote:
> Package: firewalld
> Version: 0.6.3-3
> Severity: important
> 
> A recent regression in Debian testing broke firewalld. This is on a stock
> Debian-testing system, without a custom kernel, custom firewall configs, etc.
> -- just a plain "apt install firewalld". However, it does have libvirt and
> docker.io installed, which might complicate things (e. g.
> https://bugs.debian.org/909574).
> 
> At boot, these errors already show up in the journal:
> 
> | # systemctl status firewalld
> | ● firewalld.service - firewalld - dynamic firewall daemon
> |    Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
> |    Active: active (running) since Mon 2018-11-26 06:23:25 EST; 42s ago
> |      Docs: man:firewalld(1)
> |  Main PID: 409 (firewalld)
> |     Tasks: 2 (limit: 1151)
> |    Memory: 35.6M
> |    CGroup: /system.slice/firewalld.service
> |            └─409 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
> | 
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.2 (nf_tables): Chain 'DOCKER' does not exist
> |                                                     Try `iptables -h' or 'iptables --help' for more information.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> | Nov 26 06:23:34 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> 
> But they really get exposed when reloading:
> 
> | # firewall-cmd --reload
> | Error: COMMAND_FAILED: '/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables):
> | line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
> | line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
> | 
> | # echo $?
> | 13
> 
> The default ip{,6}tables config is quite large, but dumping it here just in case:
> 
> | # iptables -L
> | Chain INPUT (policy ACCEPT)
> | target     prot opt source               destination         
> | ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
> | ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
> | ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
> | ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
> | ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> | ACCEPT     all  --  anywhere             anywhere            
> | INPUT_direct  all  --  anywhere             anywhere            
> | INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
> | INPUT_ZONES  all  --  anywhere             anywhere            
> | DROP       all  --  anywhere             anywhere             ctstate INVALID
> | REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
> | 
> | Chain FORWARD (policy ACCEPT)
> | target     prot opt source               destination         
> | DOCKER-USER  all  --  anywhere             anywhere            
> | DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
> | ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> | DOCKER     all  --  anywhere             anywhere            
> | ACCEPT     all  --  anywhere             anywhere            
> | ACCEPT     all  --  anywhere             anywhere            
> | ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
> | ACCEPT     all  --  192.168.122.0/24     anywhere            
> | ACCEPT     all  --  anywhere             anywhere            
> | REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
> | REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
> | ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> | ACCEPT     all  --  anywhere             anywhere            
> | FORWARD_direct  all  --  anywhere             anywhere            
> | FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
> | FORWARD_IN_ZONES  all  --  anywhere             anywhere            
> | FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
> | FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
> | DROP       all  --  anywhere             anywhere             ctstate INVALID
> | REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
> | 
> | Chain OUTPUT (policy ACCEPT)
> | target     prot opt source               destination         
> | ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
> | OUTPUT_direct  all  --  anywhere             anywhere            
> | 
> | Chain INPUT_direct (1 references)
> | target     prot opt source               destination         
> | 
> | Chain INPUT_ZONES_SOURCE (1 references)
> | target     prot opt source               destination         
> | 
> | Chain INPUT_ZONES (1 references)
> | target     prot opt source               destination         
> | IN_public  all  --  anywhere             anywhere            [goto] 
> | IN_public  all  --  anywhere             anywhere            [goto] 
> | 
> | Chain FORWARD_direct (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FORWARD_IN_ZONES_SOURCE (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FORWARD_IN_ZONES (1 references)
> | target     prot opt source               destination         
> | FWDI_public  all  --  anywhere             anywhere            [goto] 
> | FWDI_public  all  --  anywhere             anywhere            [goto] 
> | 
> | Chain FORWARD_OUT_ZONES_SOURCE (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FORWARD_OUT_ZONES (1 references)
> | target     prot opt source               destination         
> | FWDO_public  all  --  anywhere             anywhere            [goto] 
> | FWDO_public  all  --  anywhere             anywhere            [goto] 
> | 
> | Chain OUTPUT_direct (1 references)
> | target     prot opt source               destination         
> | 
> | Chain IN_public (2 references)
> | target     prot opt source               destination         
> | IN_public_log  all  --  anywhere             anywhere            
> | IN_public_deny  all  --  anywhere             anywhere            
> | IN_public_allow  all  --  anywhere             anywhere            
> | ACCEPT     icmp --  anywhere             anywhere            
> | 
> | Chain IN_public_log (1 references)
> | target     prot opt source               destination         
> | 
> | Chain IN_public_deny (1 references)
> | target     prot opt source               destination         
> | 
> | Chain IN_public_allow (1 references)
> | target     prot opt source               destination         
> | ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,UNTRACKED
> | 
> | Chain FWDI_public (2 references)
> | target     prot opt source               destination         
> | FWDI_public_log  all  --  anywhere             anywhere            
> | FWDI_public_deny  all  --  anywhere             anywhere            
> | FWDI_public_allow  all  --  anywhere             anywhere            
> | ACCEPT     icmp --  anywhere             anywhere            
> | 
> | Chain FWDI_public_log (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FWDI_public_deny (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FWDI_public_allow (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FWDO_public (2 references)
> | target     prot opt source               destination         
> | FWDO_public_log  all  --  anywhere             anywhere            
> | FWDO_public_deny  all  --  anywhere             anywhere            
> | FWDO_public_allow  all  --  anywhere             anywhere            
> | 
> | Chain FWDO_public_log (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FWDO_public_deny (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FWDO_public_allow (1 references)
> | target     prot opt source               destination         
> | 
> | Chain DOCKER (1 references)
> | target     prot opt source               destination         
> | 
> | Chain DOCKER-ISOLATION-STAGE-1 (1 references)
> | target     prot opt source               destination         
> | DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
> | RETURN     all  --  anywhere             anywhere            
> | 
> | Chain DOCKER-ISOLATION-STAGE-2 (1 references)
> | target     prot opt source               destination         
> | DROP       all  --  anywhere             anywhere            
> | RETURN     all  --  anywhere             anywhere            
> | 
> | Chain DOCKER-USER (1 references)
> | target     prot opt source               destination         
> | RETURN     all  --  anywhere             anywhere            
> 
> 
> | # ip6tables -L
> | Chain INPUT (policy ACCEPT)
> | target     prot opt source               destination         
> | ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
> | ACCEPT     all      anywhere             anywhere            
> | INPUT_direct  all      anywhere             anywhere            
> | INPUT_ZONES_SOURCE  all      anywhere             anywhere            
> | INPUT_ZONES  all      anywhere             anywhere            
> | DROP       all      anywhere             anywhere             ctstate INVALID
> | REJECT     all      anywhere             anywhere             reject-with icmp6-adm-prohibited
> | 
> | Chain FORWARD (policy ACCEPT)
> | target     prot opt source               destination         
> | ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
> | ACCEPT     all      anywhere             anywhere            
> | FORWARD_direct  all      anywhere             anywhere            
> | FORWARD_IN_ZONES_SOURCE  all      anywhere             anywhere            
> | FORWARD_IN_ZONES  all      anywhere             anywhere            
> | FORWARD_OUT_ZONES_SOURCE  all      anywhere             anywhere            
> | FORWARD_OUT_ZONES  all      anywhere             anywhere            
> | DROP       all      anywhere             anywhere             ctstate INVALID
> | REJECT     all      anywhere             anywhere             reject-with icmp6-adm-prohibited
> | 
> | Chain OUTPUT (policy ACCEPT)
> | target     prot opt source               destination         
> | OUTPUT_direct  all      anywhere             anywhere            
> | 
> | Chain INPUT_direct (1 references)
> | target     prot opt source               destination         
> | 
> | Chain INPUT_ZONES_SOURCE (1 references)
> | target     prot opt source               destination         
> | 
> | Chain INPUT_ZONES (1 references)
> | target     prot opt source               destination         
> | IN_public  all      anywhere             anywhere            [goto] 
> | IN_public  all      anywhere             anywhere            [goto] 
> | 
> | Chain FORWARD_direct (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FORWARD_IN_ZONES_SOURCE (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FORWARD_IN_ZONES (1 references)
> | target     prot opt source               destination         
> | FWDI_public  all      anywhere             anywhere            [goto] 
> | FWDI_public  all      anywhere             anywhere            [goto] 
> | 
> | Chain FORWARD_OUT_ZONES_SOURCE (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FORWARD_OUT_ZONES (1 references)
> | target     prot opt source               destination         
> | FWDO_public  all      anywhere             anywhere            [goto] 
> | FWDO_public  all      anywhere             anywhere            [goto] 
> | 
> | Chain OUTPUT_direct (1 references)
> | target     prot opt source               destination         
> | 
> | Chain IN_public (2 references)
> | target     prot opt source               destination         
> | IN_public_log  all      anywhere             anywhere            
> | IN_public_deny  all      anywhere             anywhere            
> | IN_public_allow  all      anywhere             anywhere            
> | ACCEPT     ipv6-icmp    anywhere             anywhere            
> | 
> | Chain IN_public_log (1 references)
> | target     prot opt source               destination         
> | 
> | Chain IN_public_deny (1 references)
> | target     prot opt source               destination         
> | 
> | Chain IN_public_allow (1 references)
> | target     prot opt source               destination         
> | ACCEPT     tcp      anywhere             anywhere             tcp dpt:ssh ctstate NEW,UNTRACKED
> | ACCEPT     udp      anywhere             fe80::/64            udp dpt:dhcpv6-client ctstate NEW,UNTRACKED
> | 
> | Chain FWDI_public (2 references)
> | target     prot opt source               destination         
> | FWDI_public_log  all      anywhere             anywhere            
> | FWDI_public_deny  all      anywhere             anywhere            
> | FWDI_public_allow  all      anywhere             anywhere            
> | ACCEPT     ipv6-icmp    anywhere             anywhere            
> | 
> | Chain FWDI_public_log (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FWDI_public_deny (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FWDI_public_allow (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FWDO_public (2 references)
> | target     prot opt source               destination         
> | FWDO_public_log  all      anywhere             anywhere            
> | FWDO_public_deny  all      anywhere             anywhere            
> | FWDO_public_allow  all      anywhere             anywhere            
> | 
> | Chain FWDO_public_log (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FWDO_public_deny (1 references)
> | target     prot opt source               destination         
> | 
> | Chain FWDO_public_allow (1 references)
> | target     prot opt source               destination         
> 
> Related package versions:
>  - linux-image-4.18.0-2-amd64 4.18.10-2+b1
>  - docker.io 18.06.1+dfsg1-2
>  - libvirt-daemon 4.7.0-1+b1
> 
> Thanks,
> 



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
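The two failure classes in the report above are worth telling apart when monitoring firewalld: the boot-time WARNINGs are firewalld deleting Docker chains and rules that are not there (the end state is what it wanted anyway), while the `firewall-cmd --reload` error means `ip6tables-restore` refused the ruleset, so the running firewall is no longer guaranteed to match the configuration and exit status 13 is returned. The following parser is an added example and is not code from the bug report or from firewalld; it assumes the journal and restore-error line formats shown in the report and uses a classification heuristic of my own (a remove operation that fails because the object is already absent is treated as benign, anything else as fatal). The sample lines are copied from the report.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Journal lines copied from the bug report (firewalld 0.6.3-3, iptables 1.8.2 nf_tables).
JOURNAL_LINES = [
    "Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.2 (nf_tables): Chain 'DOCKER' does not exist",
    "Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).",
    "Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.",
    "Nov 26 06:23:34 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).",
]

# Output of `firewall-cmd --reload` copied from the bug report.
RELOAD_OUTPUT = """Error: COMMAND_FAILED: '/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT"""

# firewalld wraps the failed command in single quotes and appends the tool's stderr.
COMMAND_FAILED_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']*)' failed: (?P<msg>.*)")
# iptables-restore (nf_tables) reports per-line batch errors in this shape.
RESTORE_ERROR_RE = re.compile(
    r"line (?P<line>\d+): (?P<op>[A-Z_]+) failed \((?P<reason>[^)]*)\): rule in chain (?P<chain>\S+)"
)

# Heuristic (my own, not firewalld's): a removal that fails because the object
# is already gone leaves the firewall in the intended state.
REMOVE_OPS = {"-D", "--delete", "-X", "--delete-chain", "-F", "--flush"}
RULE_OPS = REMOVE_OPS | {"-A", "--append", "-I", "--insert", "-R", "--replace", "-N", "--new-chain", "-P", "--policy"}
ABSENT_MARKERS = ("does not exist", "No chain/target/match", "Bad rule")


@dataclass
class Failure:
    binary: str
    table: str
    op: str
    chain: Optional[str]
    message: str
    severity: str  # "benign" or "fatal"


def parse_command(cmd: str):
    """Return (binary, table, operation, chain) for an iptables-style command line."""
    argv = shlex.split(cmd)
    binary = argv[0].rsplit("/", 1)[-1]
    table, op, chain = "filter", "", None  # iptables defaults to the filter table
    i = 1
    while i < len(argv):
        arg = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if arg in ("-t", "--table") and nxt:
            table, i = nxt, i + 2
        elif arg in RULE_OPS:
            op = arg
            chain = nxt if nxt and not nxt.startswith("-") else None  # e.g. bare -F has no chain
            i += 2 if chain else 1
        else:
            i += 1  # -w10, match options, -j target, ...
    return binary, table, op, chain


def parse_journal_line(line: str) -> Optional[Failure]:
    """Classify one firewalld COMMAND_FAILED journal line; None if it is something else."""
    m = COMMAND_FAILED_RE.search(line)
    if not m:
        return None
    binary, table, op, chain = parse_command(m.group("cmd"))
    msg = m.group("msg")
    benign = op in REMOVE_OPS and any(marker in msg for marker in ABSENT_MARKERS)
    return Failure(binary, table, op, chain, msg, "benign" if benign else "fatal")


def parse_restore_errors(output: str) -> List[Failure]:
    """Parse iptables-restore batch errors; a rejected restore is always fatal
    because the ruleset was not applied as a whole."""
    head = COMMAND_FAILED_RE.search(output)
    binary = parse_command(head.group("cmd"))[0] if head else "iptables-restore"
    return [
        Failure(binary, "unknown", m.group("op"), m.group("chain"),
                f"line {m.group('line')}: {m.group('reason')}", "fatal")
        for m in RESTORE_ERROR_RE.finditer(output)
    ]


def assess(journal_lines, reload_output: str = ""):
    """Summarise failures and decide whether the firewall state should be alerted on."""
    failures = [f for f in map(parse_journal_line, journal_lines) if f]
    failures += parse_restore_errors(reload_output)
    fatal = [f for f in failures if f.severity == "fatal"]
    return {
        "total": len(failures),
        "benign": len(failures) - len(fatal),
        "fatal": len(fatal),
        "fatal_chains": sorted({f.chain for f in fatal if f.chain}),
        "alert": bool(fatal),
    }


if __name__ == "__main__":
    for f in map(parse_journal_line, JOURNAL_LINES):
        print(f"{f.severity:6} {f.binary} -t {f.table} {f.op} {f.chain}: {f.message}")
    print(assess(JOURNAL_LINES, RELOAD_OUTPUT))
```

Run against the report's lines, the four boot-time warnings come out as benign cleanup of absent Docker objects, while the two `RULE_REPLACE` errors from `ip6tables-restore` are fatal and name the `INPUT` and `OUTPUT` chains, so `assess` raises an alert. In practice the same check would be fed from `journalctl -u firewalld` and from the exit status of `firewall-cmd --reload`, and a fatal result is the signal that the active ruleset needs to be compared against `firewall-cmd --list-all` before trusting it.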
