[Pkg-utopia-maintainers] Bug#914694: Bug#914694: firewall-cmd --reload fails: RULE_REPLACE failed (No such file or directory): rule in chain {INPUT, OUTPUT}
Martin Pitt
mpitt at debian.org
Mon Nov 26 16:50:56 GMT 2018
Hello Eric,
Eric Garver [2018-11-26 10:20 -0500]:
> No. As far as I can tell, firewalld never uses iptables -R (rule
> replace) option. It's possible this is being triggered by something
> external via the direct/passthrough interface (e.g. docker, libvirt).
I collected some more info here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694#10
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694#15
In short, these take docker and libvirt out of the game, it happens with pure
kernel 4.18 (same version works on Fedora, fails on Debian) + iptables-nft
1.8.2 (F29 uses iptables 1.8.0, and possibly not the -nft version), and
firewalld 0.6.3 (again, same as in Fedora 29).
> Setting IndividualCalls=yes in /etc/firewalld/firewalld.conf will be
> more verbose and help in debugging the cause.
Fun, this actually *fixes* the problem:
| # firewall-cmd --reload
| success
Plus, the initial startup noise of unknown tables/bad rules (which ALSO happen
on F29!) are entirely gone as well:
| # systemctl status firewalld
| ● firewalld.service - firewalld - dynamic firewall daemon
| Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset
| Active: active (running) since Mon 2018-11-26 16:49:18 UTC; 23s ago
| Docs: man:firewalld(1)
| Main PID: 241 (firewalld)
| Tasks: 2 (limit: 2365)
| Memory: 40.0M
| CGroup: /system.slice/firewalld.service
| └─241 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
|
| Nov 26 16:49:18 debian systemd[1]: Starting firewalld - dynamic firewall daemon.
| Nov 26 16:49:18 debian systemd[1]: Started firewalld - dynamic firewall daemon.
So this is at least a practical quick workaround for the problem.
> I also notice debian-testing is now using iptables-nft instead of
> iptables-legacy. We've been finding (and fixing!) a fair amount
> compatibility issues in iptables-nft - perhaps you've found another.
This indeed smells like the relevant difference.
Thanks!
Martin
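A small script, added here as an example and not code from this thread or from firewalld itself, that tells the two iptables backends apart from `iptables -V` output (iptables 1.8 prints "(nf_tables)" or "(legacy)") and applies the IndividualCalls=yes workaround to a firewalld.conf. The config path, the `--apply` flag and the sample file contents are assumptions for illustration.

```shell
#!/bin/sh
# Example script (not part of the bug thread): detect the iptables backend and
# apply the IndividualCalls=yes workaround in firewalld.conf.

# Classify one line of `iptables -V` output: iptables-nft prints "(nf_tables)",
# iptables-legacy prints "(legacy)"; other builds print neither.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nft ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Effective IndividualCalls value in a firewalld.conf file; firewalld's default
# is "no" when the key is absent or commented out.
individual_calls_setting() {
    value=$(sed -n 's/^[[:space:]]*IndividualCalls[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    echo "${value:-no}"
}

# Set IndividualCalls=yes in the given file, keeping a .bak copy. An existing
# (possibly commented-out) "IndividualCalls=" line is replaced, else appended.
enable_individual_calls() {
    conf="$1"
    cp "$conf" "$conf.bak"
    if grep -q '^[[:space:]#]*IndividualCalls[[:space:]]*=' "$conf"; then
        sed -i 's/^[[:space:]#]*IndividualCalls[[:space:]]*=.*/IndividualCalls=yes/' "$conf"
    else
        printf '\nIndividualCalls=yes\n' >> "$conf"
    fi
    individual_calls_setting "$conf"
}

# Only touch the live system when run as: sh script.sh --apply [conf-path]
main() {
    conf=${1:-/etc/firewalld/firewalld.conf}   # assumed default path
    backend=$(iptables_backend "$(iptables -V 2>/dev/null)")
    echo "iptables backend: $backend"
    if [ "$backend" = nft ] && [ "$(individual_calls_setting "$conf")" != yes ]; then
        enable_individual_calls "$conf"
        firewall-cmd --reload
    fi
}

if [ "${1-}" = "--apply" ]; then
    main "$2"
fi
```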