Bug 1688185 - iptables related errors in journald
Summary: iptables related errors in journald
Keywords:
Status: CLOSED DUPLICATE of bug 1686660
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Eric Garver
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-13 10:51 UTC by Lukas Slebodnik
Modified: 2019-03-13 16:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-03-13 16:29:54 UTC



Description Lukas Slebodnik 2019-03-13 10:51:02 UTC
Description of problem:
I was debugging an unrelated issue and found errors in journald

Version-Release number of selected component (if applicable):
sh$ rpm -q NetworkManager firewalld
NetworkManager-1.16.0-0.3.fc31.x86_64
firewalld-0.6.3-2.fc30.noarch

How reproducible:
Deterministic on my laptop

Steps to Reproduce:
1. systemctl restart NetworkManager

Actual results:
Mar 13 11:45:17 host.example.com nm-dispatcher[22358]: req:2 'connectivity-change': start running ordered scripts...
Mar 13 11:45:18 host.example.com kernel: IPv6: ADDRCONF(NETDEV_UP): wlp3s0: link is not ready
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1746] device (enp0s25): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'assume')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1750] supplicant: wpa_supplicant running
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1751] device (wlp3s0): supplicant interface state: init -> starting
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1752] device (enp0s25): state change: prepare -> config (reason 'none', sys-iface-state: 'assume')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1956] sup-iface[0x55e5303850e0,wlp3s0]: supports 5 scan SSIDs
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1960] device (wlp3s0): supplicant interface state: starting -> ready
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1960] Wi-Fi P2P device controlled by interface wlp3s0 created
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1962] manager: (p2p-dev-wlp3s0): new 802.11 Wi-Fi P2P device (/org/freedesktop/NetworkManager/Devices/5)
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1965] device (p2p-dev-wlp3s0): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <warn>  [1552473918.1971] sup-iface: failed to cancel p2p connect: P2P cancel failed
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1972] device (p2p-dev-wlp3s0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'managed')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1976] device (wlp3s0): state change: unavailable -> disconnected (reason 'supplicant-available', sys-iface-state: 'managed')
Mar 13 11:45:18 host.example.com kernel: IPv6: ADDRCONF(NETDEV_UP): wlp3s0: link is not ready
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.1986] agent-manager: req[0x55e53045ced0, :1.1642/org.freedesktop.nm-applet/1000]: agent registered
Mar 13 11:45:18 host.example.com firewalld[4623]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
                                                         
                                                         Error occurred at line: 2
                                                         Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:45:18 host.example.com firewalld[4623]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

                                                         Error occurred at line: 2
                                                         Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <warn>  [1552473918.2039] firewall: [0x7f3754005940,change:"enp0s25"]: complete: request failed (COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain
                                                               
                                                               Error occurred at line: 2
                                                               Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                               )
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.2040] device (enp0s25): state change: config -> ip-config (reason 'none', sys-iface-state: 'assume')
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.2047] dhcp4 (enp0s25): activation: beginning transaction (timeout in 45 seconds)
Mar 13 11:45:18 host.example.com NetworkManager[22350]: <info>  [1552473918.2063] dhcp4 (enp0s25): dhclient started with pid 22380

Expected results:
No errors in journald

Additional info:

Comment 1 Beniamino Galvani 2019-03-13 11:04:53 UTC
Errors come from firewalld, reassigning...

Comment 2 Eric Garver 2019-03-13 12:38:28 UTC
There is currently a rawhide selinux-policy bug, bug 1686660, that prevents firewalld from functioning. This is probably a duplicate of that.

Lukas, can you verify?

Comment 3 Lukas Slebodnik 2019-03-13 13:55:10 UTC
(In reply to Eric Garver from comment #2)
> There is currently a rawhide selinux-policy bug, bug 1686660, that prevents
> firewalld from functioning. This is probably a duplicate of that.
> 
> Lukas, can you verify?

I can see the error even in permissive mode.

Comment 4 Eric Garver 2019-03-13 14:15:19 UTC
(In reply to Lukas Slebodnik from comment #3)
> (In reply to Eric Garver from comment #2)
> > There is currently a rawhide selinux-policy bug, bug 1686660, that prevents
> > firewalld from functioning. This is probably a duplicate of that.
> > 
> > Lukas, can you verify?
> 
> I can see the error even in permissive mode.

Please check the firewalld logs.

  # systemctl status firewalld

You can also attach /var/log/firewalld.

Please double check you're not looking at the old instances of the errors in journalctl.

Comment 5 Lukas Slebodnik 2019-03-13 14:31:24 UTC
[root@host ~]# systemctl status firewalld | cat | sed -e 's/graviton.brq.redhat.com/host.example.com/'
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-03-13 09:49:06 CET; 5h 41min ago
     Docs: man:firewalld(1)
 Main PID: 4623 (firewalld)
    Tasks: 2 (limit: 4915)
   Memory: 25.1M
   CGroup: /system.slice/firewalld.service
           └─4623 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Mar 13 11:43:57 host.example.com firewalld[4623]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

                                                         Error occurred at line: 2
                                                         Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:44:42 host.example.com firewalld[4623]: ERROR: UNKNOWN_INTERFACE: 'veth744c327' is not in any zone
Mar 13 11:44:42 host.example.com firewalld[4623]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

                                                         Error occurred at line: 2
                                                         Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Mar 13 11:44:42 host.example.com firewalld[4623]: ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

                                                         Error occurred at line: 2
                                                         Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Comment 6 Lukas Slebodnik 2019-03-13 14:33:50 UTC
sh# tail /var/log/firewalld
2019-03-13 11:44:42 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2019-03-13 11:45:18 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2019-03-13 11:45:18 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2019-03-13 14:51:51 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2019-03-13 14:51:51 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2019-03-13 14:52:37 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2019-03-13 14:52:37 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.



sh# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-ISOLATION  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere

Comment 7 Eric Garver 2019-03-13 14:46:46 UTC
comment 6 is not enough of the log to indicate the issue.

Please do the following

  # setenforce 0
  # systemctl restart firewalld
  # firewall-cmd --state

Then attach the full log (/var/log/firewalld).

Comment 8 Lukas Slebodnik 2019-03-13 15:45:35 UTC
(In reply to Eric Garver from comment #7)
> comment 6 is not enough of the log to indicate the issue.
> 
> Please do the following
> 
>   # setenforce 0
>   # systemctl restart firewalld
>   # firewall-cmd --state
> 
> Then attach the full log (/var/log/firewalld).

Restarting firewalld helped. Previously, I restarted just NM.

[root@host ~]#  > /var/log/firewalld 
[root@host ~]# setenforce 0
[root@host ~]# systemctl restart firewalld

[root@host ~]# firewall-cmd --state
running
[root@host ~]# setenforce 1
[root@host ~]# cat /var/log/firewalld 
2019-03-13 16:40:48 ERROR: Failed to load zone file '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected attribute priority
2019-03-13 16:40:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

Comment 9 Eric Garver 2019-03-13 16:29:54 UTC
(In reply to Lukas Slebodnik from comment #8)
> (In reply to Eric Garver from comment #7)
> > comment 6 is not enough of the log to indicate the issue.
> > 
> > Please do the following
> > 
> >   # setenforce 0
> >   # systemctl restart firewalld
> >   # firewall-cmd --state
> > 
> > Then attach the full log (/var/log/firewalld).
> 
> Restarting firewalld helped. Previously, I restarted just NM.
> 
> [root@host ~]#  > /var/log/firewalld 
> [root@host ~]# setenforce 0
> [root@host ~]# systemctl restart firewalld
> 
> [root@host ~]# firewall-cmd --state
> running

Marking this as a duplicate of the policy issue.

> [root@host ~]# setenforce 1
> [root@host ~]# cat /var/log/firewalld 
> 2019-03-13 16:40:48 ERROR: Failed to load zone file
> '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected
> attribute priority
> 2019-03-13 16:40:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D
> FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a
> matching rule exist in that chain?).

This is a separate issue. libvirt is attempting to use firewalld's rich rule priority support, which is not yet in Fedora nor an upstream release.
Please file a ticket against libvirt for this.

*** This bug has been marked as a duplicate of bug 1686660 ***
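
Added example (not part of the original thread, not firewalld code): a small parser for the /var/log/firewalld format shown in comments 6 and 8 that folds the multi-line records and separates errors last seen before a firewalld restart from those still occurring after it, which is the "old instances" check requested in comment 4. The restart time and the function names are assumptions; the sample log is constructed from lines quoted in this bug.

```python
import re
from datetime import datetime

# Constructed sample: records copied from comments 6 and 8 of this bug,
# joined as if /var/log/firewalld had not been truncated before the restart.
SAMPLE_LOG = """\
2019-03-13 11:45:18 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2019-03-13 11:45:18 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2019-03-13 14:52:37 ERROR: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.0 (legacy): goto 'PRE_FedoraServer' is not a chain

Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

2019-03-13 16:40:48 ERROR: Failed to load zone file '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected attribute priority
2019-03-13 16:40:48 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
"""

# Assumption: the thread does not give the exact restart time; 16:40:00 is a
# placeholder just before the first post-restart record in comment 8.
RESTART = datetime(2019, 3, 13, 16, 40, 0)
RECORD_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (ERROR|WARNING): (.*)$")
PREFIX = "COMMAND_FAILED: "

def parse_records(text):
    """Yield (timestamp, level, message); untimestamped continuation lines are skipped."""
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def summarize(text, restart):
    """Count each distinct message before and after the restart time."""
    groups = {}
    for ts, level, msg in parse_records(text):
        # The log above shows a failure with and without this prefix; fold both.
        key = (level, msg[len(PREFIX):] if msg.startswith(PREFIX) else msg)
        g = groups.setdefault(key, {"before": 0, "after": 0, "last": ts})
        g["before" if ts < restart else "after"] += 1
        g["last"] = max(g["last"], ts)
    return groups

def still_occurring(text, restart):
    """Messages logged at or after the restart; everything else is stale."""
    return [key for key, g in summarize(text, restart).items() if g["after"]]
```

On a live host the restart time can be taken from `systemctl show firewalld -p ActiveEnterTimestamp` rather than hard-coded.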

