[Users] firewalld in vz 7 CT doesn't work anymore

Jehan Procaccia jehan.procaccia at tem-tsp.eu
Wed May 3 01:23:08 PDT 2017


Hello

Since the last update (apparently), firewalld in my CT doesn't work anymore.

CT-db256406 ~# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-05-03 08:16:42 UTC; 7s ago
     Docs: man:firewalld(1)
 Main PID: 759 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid --debug=8

May 03 08:16:41 smtpe systemd[1]: Starting firewalld - dynamic firewall daemon...
May 03 08:16:42 smtpe systemd[1]: Started firewalld - dynamic firewall daemon.
May 03 08:16:42 smtpe firewalld[759]: WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
May 03 08:16:42 smtpe firewalld[759]: ERROR: COMMAND_FAILED

I did set prlctl set CTname --netfilter stateful on the host; it worked fine for the last 6 months, but now it fails.

# rpm -q firewalld
firewalld-0.4.3.2-8.1.el7_3.2.noarch
# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
# uname -a
Linux smtpe 3.10.0 #1 SMP Tue Dec 20 13:52:43 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux

These are the last hundred lines of /var/log/firewalld in debug=4 mode:

# grep debug /etc/sysconfig/firewalld
# possible values: --debug
FIREWALLD_ARGS='--debug=4'

...

2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ebtables.ebtables'>: /usr/sbin/ebtables-restore /run/firewalld/temp.aC9x_O: 411
        1: *filter
        2: -F
        3: -X
        4: -Z
        5: -N INPUT_direct -P RETURN
        6: -I INPUT 1 -j INPUT_direct
        7: -N OUTPUT_direct -P RETURN
        8: -I OUTPUT 1 -j OUTPUT_direct
        9: -N FORWARD_direct -P RETURN
       10: -I FORWARD 1 -j FORWARD_direct
       11: *broute
       12: -F
       13: -X
       14: -Z
       15: *nat
       16: -F
       17: -X
       18: -Z
       19: -N PREROUTING_direct -P RETURN
       20: -I PREROUTING 1 -j PREROUTING_direct
       21: -N POSTROUTING_direct -P RETURN
       22: -I POSTROUTING 1 -j POSTROUTING_direct
       23: -N OUTPUT_direct -P RETURN
       24: -I OUTPUT 1 -j OUTPUT_direct
2017-05-03 07:53:22 WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.MDuwzR: 1384
        1: *filter
        2: -D OUTPUT -j OUTPUT_direct
        3: -X OUTPUT_direct
        4: -D FORWARD -j REJECT --reject-with icmp-host-prohibited
        5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
        6: -D FORWARD -j FORWARD_OUT_ZONES
        7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
        8: -D FORWARD -j FORWARD_IN_ZONES
        9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
       10: -D FORWARD -j FORWARD_direct
       11: -D FORWARD -i lo -j ACCEPT
       12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       13: -X FORWARD_OUT_ZONES
       14: -X FORWARD_OUT_ZONES_SOURCE
       15: -X FORWARD_IN_ZONES
       16: -X FORWARD_IN_ZONES_SOURCE
       17: -X FORWARD_direct
       18: -D INPUT -j REJECT --reject-with icmp-host-prohibited
       19: -D INPUT -m conntrack --ctstate INVALID -j DROP
       20: -D INPUT -j INPUT_ZONES
       21: -D INPUT -j INPUT_ZONES_SOURCE
       22: -D INPUT -j INPUT_direct
       23: -D INPUT -i lo -j ACCEPT
       24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       25: -X INPUT_ZONES
       26: -X INPUT_ZONES_SOURCE
       27: -X INPUT_direct
       28: -Z
       29: -X
       30: -F
       31: COMMIT
       32: *raw
       33: -D OUTPUT -j OUTPUT_direct
       34: -X OUTPUT_direct
       35: -D PREROUTING -j PREROUTING_direct
       36: -X PREROUTING_direct
       37: -Z
       38: -X
       39: -F
       40: COMMIT
       41: *mangle
       42: -D FORWARD -j FORWARD_direct
       43: -X FORWARD_direct
       44: -D OUTPUT -j OUTPUT_direct
       45: -X OUTPUT_direct
       46: -D INPUT -j INPUT_direct
       47: -X INPUT_direct
       48: -D POSTROUTING -j POSTROUTING_direct
       49: -X POSTROUTING_direct
       50: -D PREROUTING -j PREROUTING_ZONES
       51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
       52: -X PREROUTING_ZONES
       53: -X PREROUTING_ZONES_SOURCE
       54: -D PREROUTING -j PREROUTING_direct
       55: -X PREROUTING_direct
       56: -Z
       57: -X
       58: -F
       59: COMMIT

2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.xFcRvF: 1384
        1: *filter
        2: -D OUTPUT -j OUTPUT_direct
        3: -X OUTPUT_direct
        4: -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
        5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
        6: -D FORWARD -j FORWARD_OUT_ZONES
        7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
        8: -D FORWARD -j FORWARD_IN_ZONES
        9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
       10: -D FORWARD -j FORWARD_direct
       11: -D FORWARD -i lo -j ACCEPT
       12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       13: -X FORWARD_OUT_ZONES
       14: -X FORWARD_OUT_ZONES_SOURCE
       15: -X FORWARD_IN_ZONES
       16: -X FORWARD_IN_ZONES_SOURCE
       17: -X FORWARD_direct
       18: -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
       19: -D INPUT -m conntrack --ctstate INVALID -j DROP
       20: -D INPUT -j INPUT_ZONES
       21: -D INPUT -j INPUT_ZONES_SOURCE
       22: -D INPUT -j INPUT_direct
       23: -D INPUT -i lo -j ACCEPT
       24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       25: -X INPUT_ZONES
       26: -X INPUT_ZONES_SOURCE
       27: -X INPUT_direct
       28: -Z
       29: -X
       30: -F
       31: COMMIT
       32: *raw
       33: -D OUTPUT -j OUTPUT_direct
       34: -X OUTPUT_direct
       35: -D PREROUTING -j PREROUTING_direct
       36: -X PREROUTING_direct
       37: -Z
       38: -X
       39: -F
       40: COMMIT
       41: *mangle
       42: -D FORWARD -j FORWARD_direct
       43: -X FORWARD_direct
       44: -D OUTPUT -j OUTPUT_direct
       45: -X OUTPUT_direct
       46: -D INPUT -j INPUT_direct
       47: -X INPUT_direct
       48: -D POSTROUTING -j POSTROUTING_direct
       49: -X POSTROUTING_direct
       50: -D PREROUTING -j PREROUTING_ZONES
       51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
       52: -X PREROUTING_ZONES
       53: -X PREROUTING_ZONES_SOURCE
       54: -D PREROUTING -j PREROUTING_direct
       55: -X PREROUTING_direct
       56: -Z
       57: -X
       58: -F
       59: COMMIT
2017-05-03 07:53:22 ERROR: COMMAND_FAILED
2017-05-03 07:53:22 DEBUG1: GetAll('org.fedoraproject.FirewallD1')
....

Any help greatly appreciated!

Thanks

PS: perhaps related: https://bugs.centos.org/view.php?id=12450 ?
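A small triage helper, added here and not part of the original post, that parses firewalld --debug output in the shape quoted above and pairs each *-restore invocation with the tables it loaded and the WARNING that names its executable, so the failing backend (here ebtables) can be picked out of a long log. The sample log is constructed and abridged.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the log shape in the post above (not the real file).
SAMPLE_LOG = """\
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ebtables.ebtables'>: /usr/sbin/ebtables-restore /run/firewalld/temp.aC9x_O: 411
        1: *filter
        2: -F
        3: -N INPUT_direct -P RETURN
        4: *broute
        5: -F
2017-05-03 07:53:22 WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.MDuwzR: 1384
        1: *filter
        2: -D OUTPUT -j OUTPUT_direct
        3: COMMIT
2017-05-03 07:53:22 ERROR: COMMAND_FAILED
"""

# One DEBUG2 header line per *-restore invocation, followed by the numbered rules fed to it.
HEADER_RE = re.compile(r"^\S+ \S+ DEBUG2: <class '(?P<backend>[^']+)'>: "
                       r"(?P<cmd>\S+-restore) \S+: \d+$")
RULE_RE = re.compile(r"^\s+\d+: (?P<rule>.+)$")
FAIL_RE = re.compile(r"^\S+ \S+ WARNING: '(?P<cmd>\S+)[^']*' failed:")

@dataclass
class RestoreCall:
    backend: str                                  # firewalld backend class that issued the call
    command: str                                  # e.g. /usr/sbin/ebtables-restore
    tables: list = field(default_factory=list)    # *filter, *nat, ... seen in the ruleset
    rules: int = 0
    failed: bool = False

def parse_restore_calls(text):
    """Group each restore invocation with its rules and the WARNING that names it."""
    calls = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            calls.append(RestoreCall(m["backend"], m["cmd"]))
        elif (m := RULE_RE.match(line)) and calls:
            calls[-1].rules += 1
            if m["rule"].startswith("*"):
                calls[-1].tables.append(m["rule"][1:])
        elif m := FAIL_RE.match(line):
            # firewalld names the failed executable, not the temp file, so attribute
            # the warning to the most recent call made with that executable
            for call in reversed(calls):
                if call.command == m["cmd"]:
                    call.failed = True
                    break
    return calls

def failed_backends(text):
    return [c.backend for c in parse_restore_calls(text) if c.failed]
```

Feed it the real /var/log/firewalld content instead of SAMPLE_LOG to see which backend's restore the COMMAND_FAILED belongs to.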
