[Users] firewalld in vz 7 CT doesn't work anymore
Konstantin Khorenko
khorenko at virtuozzo.com
Wed May 3 02:05:48 PDT 2017
Hi Jehan,
please clarify - what exactly did you update?
Did you perform "yum update" inside a CentOS 7 Container?
Thank you.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 05/03/2017 11:23 AM, Jehan Procaccia wrote:
> Hello
>
> since last update (apparently) my CT with firewalld doesn't work anymore
>
> CT-db256406 ~# systemctl status firewalld.service
> ● firewalld.service - firewalld - dynamic firewall daemon
> Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
> Active: active (running) since Wed 2017-05-03 08:16:42 UTC; 7s ago
> Docs: man:firewalld(1)
> Main PID: 759 (firewalld)
> CGroup: /system.slice/firewalld.service
> └─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid --debug=8
>
> May 03 08:16:41 smtpe systemd[1]: Starting firewalld - dynamic firewall daemon...
> May 03 08:16:42 smtpe systemd[1]: Started firewalld - dynamic firewall daemon.
> May 03 08:16:42 smtpe firewalld[759]: WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
> May 03 08:16:42 smtpe firewalld[759]: ERROR: COMMAND_FAILED
>
> I did set "prlctl set CTname --netfilter stateful" on the host; it worked fine for the last 6 months, but now it fails
>
> # rpm -q firewalld
> firewalld-0.4.3.2-8.1.el7_3.2.noarch
> # cat /etc/redhat-release
> CentOS Linux release 7.3.1611 (Core)
> # uname -a
> Linux smtpe 3.10.0 #1 SMP Tue Dec 20 13:52:43 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> these are the last hundred lines of /var/log/firewalld in debug=4 mode
>
> # grep debug /etc/sysconfig/firewalld
> # possible values: --debug
> FIREWALLD_ARGS='--debug=4'
>
> ...
>
> 2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ebtables.ebtables'>: /usr/sbin/ebtables-restore /run/firewalld/temp.aC9x_O: 411
> 1: *filter
> 2: -F
> 3: -X
> 4: -Z
> 5: -N INPUT_direct -P RETURN
> 6: -I INPUT 1 -j INPUT_direct
> 7: -N OUTPUT_direct -P RETURN
> 8: -I OUTPUT 1 -j OUTPUT_direct
> 9: -N FORWARD_direct -P RETURN
> 10: -I FORWARD 1 -j FORWARD_direct
> 11: *broute
> 12: -F
> 13: -X
> 14: -Z
> 15: *nat
> 16: -F
> 17: -X
> 18: -Z
> 19: -N PREROUTING_direct -P RETURN
> 20: -I PREROUTING 1 -j PREROUTING_direct
> 21: -N POSTROUTING_direct -P RETURN
> 22: -I POSTROUTING 1 -j POSTROUTING_direct
> 23: -N OUTPUT_direct -P RETURN
> 24: -I OUTPUT 1 -j OUTPUT_direct
> 2017-05-03 07:53:22 WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
> 2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.MDuwzR: 1384
> 1: *filter
> 2: -D OUTPUT -j OUTPUT_direct
> 3: -X OUTPUT_direct
> 4: -D FORWARD -j REJECT --reject-with icmp-host-prohibited
> 5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
> 6: -D FORWARD -j FORWARD_OUT_ZONES
> 7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
> 8: -D FORWARD -j FORWARD_IN_ZONES
> 9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
> 10: -D FORWARD -j FORWARD_direct
> 11: -D FORWARD -i lo -j ACCEPT
> 12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 13: -X FORWARD_OUT_ZONES
> 14: -X FORWARD_OUT_ZONES_SOURCE
> 15: -X FORWARD_IN_ZONES
> 16: -X FORWARD_IN_ZONES_SOURCE
> 17: -X FORWARD_direct
> 18: -D INPUT -j REJECT --reject-with icmp-host-prohibited
> 19: -D INPUT -m conntrack --ctstate INVALID -j DROP
> 20: -D INPUT -j INPUT_ZONES
> 21: -D INPUT -j INPUT_ZONES_SOURCE
> 22: -D INPUT -j INPUT_direct
> 23: -D INPUT -i lo -j ACCEPT
> 24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 25: -X INPUT_ZONES
> 26: -X INPUT_ZONES_SOURCE
> 27: -X INPUT_direct
> 28: -Z
> 29: -X
> 30: -F
> 31: COMMIT
> 32: *raw
> 33: -D OUTPUT -j OUTPUT_direct
> 34: -X OUTPUT_direct
> 35: -D PREROUTING -j PREROUTING_direct
> 36: -X PREROUTING_direct
> 37: -Z
> 38: -X
> 39: -F
> 40: COMMIT
> 41: *mangle
> 42: -D FORWARD -j FORWARD_direct
> 43: -X FORWARD_direct
> 44: -D OUTPUT -j OUTPUT_direct
> 45: -X OUTPUT_direct
> 46: -D INPUT -j INPUT_direct
> 47: -X INPUT_direct
> 48: -D POSTROUTING -j POSTROUTING_direct
> 49: -X POSTROUTING_direct
> 50: -D PREROUTING -j PREROUTING_ZONES
> 51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
> 52: -X PREROUTING_ZONES
> 53: -X PREROUTING_ZONES_SOURCE
> 54: -D PREROUTING -j PREROUTING_direct
> 55: -X PREROUTING_direct
> 56: -Z
> 57: -X
> 58: -F
> 59: COMMIT
>
> 2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.xFcRvF: 1384
> 1: *filter
> 2: -D OUTPUT -j OUTPUT_direct
> 3: -X OUTPUT_direct
> 4: -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
> 5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
> 6: -D FORWARD -j FORWARD_OUT_ZONES
> 7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
> 8: -D FORWARD -j FORWARD_IN_ZONES
> 9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
> 10: -D FORWARD -j FORWARD_direct
> 11: -D FORWARD -i lo -j ACCEPT
> 12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 13: -X FORWARD_OUT_ZONES
> 14: -X FORWARD_OUT_ZONES_SOURCE
> 15: -X FORWARD_IN_ZONES
> 16: -X FORWARD_IN_ZONES_SOURCE
> 17: -X FORWARD_direct
> 18: -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
> 19: -D INPUT -m conntrack --ctstate INVALID -j DROP
> 20: -D INPUT -j INPUT_ZONES
> 21: -D INPUT -j INPUT_ZONES_SOURCE
> 22: -D INPUT -j INPUT_direct
> 23: -D INPUT -i lo -j ACCEPT
> 24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> 25: -X INPUT_ZONES
> 26: -X INPUT_ZONES_SOURCE
> 27: -X INPUT_direct
> 28: -Z
> 29: -X
> 30: -F
> 31: COMMIT
> 32: *raw
> 33: -D OUTPUT -j OUTPUT_direct
> 34: -X OUTPUT_direct
> 35: -D PREROUTING -j PREROUTING_direct
> 36: -X PREROUTING_direct
> 37: -Z
> 38: -X
> 39: -F
> 40: COMMIT
> 41: *mangle
> 42: -D FORWARD -j FORWARD_direct
> 43: -X FORWARD_direct
> 44: -D OUTPUT -j OUTPUT_direct
> 45: -X OUTPUT_direct
> 46: -D INPUT -j INPUT_direct
> 47: -X INPUT_direct
> 48: -D POSTROUTING -j POSTROUTING_direct
> 49: -X POSTROUTING_direct
> 50: -D PREROUTING -j PREROUTING_ZONES
> 51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
> 52: -X PREROUTING_ZONES
> 53: -X PREROUTING_ZONES_SOURCE
> 54: -D PREROUTING -j PREROUTING_direct
> 55: -X PREROUTING_direct
> 56: -Z
> 57: -X
> 58: -F
> 59: COMMIT
> 2017-05-03 07:53:22 ERROR: COMMAND_FAILED
> 2017-05-03 07:53:22 DEBUG1: GetAll('org.fedoraproject.FirewallD1')
> ....
>
> any help greatly appreciated !
>
> Thanks
>
> PS: perhaps related : https://bugs.centos.org/view.php?id=12450 ?
>
>
>
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
>
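The debug log quoted above interleaves three restore transactions (ebtables, iptables, ip6tables) with one WARNING and one bare "ERROR: COMMAND_FAILED", and only the WARNING names the command that failed. The script below is an added example for this thread, not code from the thread, from firewalld or from Virtuozzo: it parses a firewalld debug log in that shape and pairs each *tables-restore call with the outcome that follows it, listing the tables the failed transaction touched. The log excerpt embedded in it is constructed to mirror the quoted one; attributing the bare ERROR to the transaction logged just before it is an assumption the script flags as "position", to be confirmed by re-running that restore by hand inside the CT.

```python
"""Pair firewalld restore transactions in /var/log/firewalld with their outcome.

Added example for this mailing-list thread; not firewalld's or Virtuozzo's code.
At --debug=2 or higher firewalld logs each *tables-restore call as a DEBUG2 line
naming the backend class, the restore binary and a temp file, followed by the
numbered rules it fed to that binary. A WARNING (which quotes the failed command)
or a bare "ERROR: COMMAND_FAILED" follows when a call fails.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, shortened excerpt in the same shape as the log quoted in the thread.
SAMPLE_LOG = """\
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ebtables.ebtables'>: /usr/sbin/ebtables-restore /run/firewalld/temp.aC9x_O: 411
1: *filter
2: -F
3: -N INPUT_direct -P RETURN
4: *nat
5: -F
2017-05-03 07:53:22 WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.MDuwzR: 1384
1: *filter
2: -D OUTPUT -j OUTPUT_direct
3: COMMIT
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.xFcRvF: 1384
1: *filter
2: -D OUTPUT -j OUTPUT_direct
3: COMMIT
2017-05-03 07:53:22 ERROR: COMMAND_FAILED
2017-05-03 07:53:22 DEBUG1: GetAll('org.fedoraproject.FirewallD1')
"""

TXN_RE = re.compile(
    r"^\S+ \S+ DEBUG2: <class '(?P<cls>[^']+)'>: (?P<cmd>\S+) (?P<tmp>\S+): \d+$"
)
RULE_RE = re.compile(r"^\d+: (?P<rule>.*)$")
OUTCOME_RE = re.compile(r"^\S+ \S+ (?P<level>WARNING|ERROR): (?P<msg>.*)$")
QUOTED_CMD_RE = re.compile(r"'(?P<cmd>\S+)[^']*' failed")


@dataclass
class Transaction:
    backend: str                 # ebtables, ip4tables or ip6tables
    command: str                 # restore binary firewalld invoked
    tables: List[str] = field(default_factory=list)
    rules: int = 0
    outcome: str = "ok"          # stays "ok" until a WARNING/ERROR is attributed
    attribution: str = ""        # "command" (WARNING quotes it) or "position" (bare ERROR)


def parse_log(log: str) -> List[Transaction]:
    txns: List[Transaction] = []
    current: Optional[Transaction] = None
    for line in log.splitlines():
        m = TXN_RE.match(line)
        if m:
            current = Transaction(backend=m.group("cls").rsplit(".", 1)[-1],
                                  command=m.group("cmd"))
            txns.append(current)
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            current.rules += 1
            rule = m.group("rule")
            if rule.startswith("*"):          # "*filter", "*nat", ... opens a table
                current.tables.append(rule[1:])
            continue
        m = OUTCOME_RE.match(line)
        if not m or current is None:
            continue
        level, msg = m.group("level"), m.group("msg")
        q = QUOTED_CMD_RE.search(msg)
        if q:
            # WARNING names the binary: attach it to the latest transaction that used it.
            name = os.path.basename(q.group("cmd"))
            target = next((t for t in reversed(txns)
                           if os.path.basename(t.command) == name), current)
            target.outcome, target.attribution = f"{level}: {msg}", "command"
        else:
            # Bare "ERROR: COMMAND_FAILED" names nothing; position in the log is the
            # only hint (an assumption), so mark it and verify by re-running the restore.
            current.outcome, current.attribution = f"{level}: {msg}", "position"
    return txns


def failed_backends(log: str) -> List[str]:
    """Backends whose restore did not end with outcome 'ok', in log order."""
    return [t.backend for t in parse_log(log) if t.outcome != "ok"]


if __name__ == "__main__":
    for t in parse_log(SAMPLE_LOG):
        tag = f" [attributed by {t.attribution}]" if t.attribution else ""
        print(f"{t.backend:10} {os.path.basename(t.command):18} "
              f"tables={','.join(t.tables) or '-'} rules={t.rules} {t.outcome}{tag}")
```

To use it on a real container, feed it the contents of /var/log/firewalld instead of SAMPLE_LOG. Note that the WARNING line in the thread carries no stderr text after "failed:", so the daemon's log alone does not say why ebtables-restore failed; re-running the same restore by hand inside the CT (with the rules firewalld logged, fed to the same binary) is the way to see the actual error, and the same check settles whether the bare COMMAND_FAILED really belongs to the ip6tables transaction it follows.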