[Pkg-utopia-maintainers] Bug#914694: Bug#914694: firewall-cmd --reload fails: RULE_REPLACE failed (No such file or directory): rule in chain {INPUT, OUTPUT}
Eric Garver
eric at garver.life
Tue Nov 27 19:29:40 GMT 2018
On Mon, Nov 26, 2018 at 05:50:56PM +0100, Martin Pitt wrote:
> Hello Eric,
>
> Eric Garver [2018-11-26 10:20 -0500]:
> > No. As far as I can tell, firewalld never uses iptables -R (rule
> > replace) option. It's possible this is being triggered by something
> > external via the direct/passthrough interface (e.g. docker, libvirt).
>
> I collected some more info here:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694#10
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694#15
>
> In short, these take docker and libvirt out of the game, it happens with pure
> kernel 4.18 (same version works on Fedora, fails on Debian) + iptables-nft
> 1.8.2 (F29 uses iptables 1.8.0, and possibly not the -nft version), and
> firewalld 0.6.3 (again, same as in Fedora 29).
Fedora uses iptables-legacy.
# iptables -V
iptables v1.8.0 (legacy)
>
> > Setting IndividualCalls=yes in /etc/firewalld/firewalld.conf will be
> > more verbose and help in debugging the cause.
>
> Fun, this actually *fixes* the problem:
That makes it smell like an iptables-restore issue in the nftables
backed version of iptables. It would be great if we could reproduce
without firewalld using iptables-restore.
>
> | # firewall-cmd --reload
> | success
>
> Plus, the initial startup noise of unknown tables/bad rules (which ALSO happen
> on F29!) are entirely gone as well:
That went away because you disabled docker. See here:
https://bugzilla.redhat.com/show_bug.cgi?id=1594657
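The two checks this exchange turns on are which iptables backend is installed (the `(legacy)` versus `(nf_tables)` suffix that iptables 1.8.x prints in `iptables -V`) and flipping firewalld's IndividualCalls knob. The script below is an added example for doing both from a shell; it is not code from the thread, from firewalld or from Debian. It assumes GNU sed (for `sed -i -E`), that firewalld's default for IndividualCalls is `no` when the key is absent, and that the `iptables -V` output format is the one quoted above; the config it edits in the demo is a constructed temporary file, not /etc/firewalld/firewalld.conf.

```shell
#!/bin/sh
# Added example: helpers for the two checks discussed in the thread.
# Not firewalld's or Debian's code. Assumes GNU sed and iptables >= 1.8 output.

# Classify one line of `iptables -V` output into the backend it names.
# Prints "legacy", "nf_tables" or "unknown" (older iptables prints no suffix).
iptables_backend() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Set IndividualCalls=<value> in the firewalld.conf-style file $1, in place.
# Replaces an existing assignment (even a commented-out one) so the key is
# never duplicated; appends the key if the file does not mention it at all.
set_individual_calls() {
    file=$1
    value=$2
    if grep -Eq '^[[:space:]]*#?[[:space:]]*IndividualCalls=' "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*IndividualCalls=.*/IndividualCalls=$value/" "$file"
    else
        printf 'IndividualCalls=%s\n' "$value" >> "$file"
    fi
}

# Read back the effective value: the last uncommented assignment wins, and an
# absent key means firewalld's default, assumed here to be "no".
get_individual_calls() {
    v=$(sed -n -E 's/^[[:space:]]*IndividualCalls=(.*)$/\1/p' "$1" | tail -n 1)
    echo "${v:-no}"
}

# Demo: report the installed backend if iptables is present at all ...
if command -v iptables >/dev/null 2>&1; then
    echo "installed iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
fi

# ... and flip the knob in a constructed stand-in for /etc/firewalld/firewalld.conf.
demo=$(mktemp)
printf '# constructed stand-in for firewalld.conf\nIndividualCalls=no\n' > "$demo"
echo "before: IndividualCalls=$(get_individual_calls "$demo")"
set_individual_calls "$demo" yes
echo "after:  IndividualCalls=$(get_individual_calls "$demo")"
rm -f "$demo"
```

Against the real file the sequence would be `set_individual_calls /etc/firewalld/firewalld.conf yes` as root followed by `firewall-cmd --reload`, which is the reload that the reporter saw start succeeding once IndividualCalls was on; on Debian, `update-alternatives --display iptables` is the other place to confirm whether the nft or legacy variant is selected.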