[Users] firewalld in vz 7 CT doesn't work anymore

Konstantin Khorenko khorenko at virtuozzo.com
Wed May 3 02:05:48 PDT 2017


Hi Jehan,

Please clarify: what exactly did you update?

Did you perform "yum update" inside a CentOS 7 Container?

Thank you.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 05/03/2017 11:23 AM, Jehan Procaccia wrote:
> Hello
>
> Since the last update (apparently) my CT with firewalld doesn't work anymore.
>
> CT-db256406 ~# systemctl status firewalld.service
> ● firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
>    Active: active (running) since Wed 2017-05-03 08:16:42 UTC; 7s ago
>      Docs: man:firewalld(1)
>  Main PID: 759 (firewalld)
>    CGroup: /system.slice/firewalld.service
>            └─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid --debug=8
>
> May 03 08:16:41 smtpe systemd[1]: Starting firewalld - dynamic firewall daemon...
> May 03 08:16:42 smtpe systemd[1]: Started firewalld - dynamic firewall daemon.
> May 03 08:16:42 smtpe firewalld[759]: WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
> May 03 08:16:42 smtpe firewalld[759]: ERROR: COMMAND_FAILED
>
> I did set prlctl set CTname --netfilter stateful on the host; it worked fine for the last 6 months, but now it fails.
>
> # rpm -q firewalld
> firewalld-0.4.3.2-8.1.el7_3.2.noarch
> # cat /etc/redhat-release
> CentOS Linux release 7.3.1611 (Core)
> # uname -a
> Linux smtpe 3.10.0 #1 SMP Tue Dec 20 13:52:43 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> These are the last hundred lines of /var/log/firewalld in debug=4 mode.
>
> # grep debug /etc/sysconfig/firewalld
> # possible values: --debug
> FIREWALLD_ARGS='--debug=4'
>
> ...
>
> 2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ebtables.ebtables'>: /usr/sbin/ebtables-restore /run/firewalld/temp.aC9x_O: 411
>        1: *filter
>        2: -F
>        3: -X
>        4: -Z
>        5: -N INPUT_direct -P RETURN
>        6: -I INPUT 1 -j INPUT_direct
>        7: -N OUTPUT_direct -P RETURN
>        8: -I OUTPUT 1 -j OUTPUT_direct
>        9: -N FORWARD_direct -P RETURN
>       10: -I FORWARD 1 -j FORWARD_direct
>       11: *broute
>       12: -F
>       13: -X
>       14: -Z
>       15: *nat
>       16: -F
>       17: -X
>       18: -Z
>       19: -N PREROUTING_direct -P RETURN
>       20: -I PREROUTING 1 -j PREROUTING_direct
>       21: -N POSTROUTING_direct -P RETURN
>       22: -I POSTROUTING 1 -j POSTROUTING_direct
>       23: -N OUTPUT_direct -P RETURN
>       24: -I OUTPUT 1 -j OUTPUT_direct
> 2017-05-03 07:53:22 WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
> 2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.MDuwzR: 1384
>        1: *filter
>        2: -D OUTPUT -j OUTPUT_direct
>        3: -X OUTPUT_direct
>        4: -D FORWARD -j REJECT --reject-with icmp-host-prohibited
>        5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
>        6: -D FORWARD -j FORWARD_OUT_ZONES
>        7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
>        8: -D FORWARD -j FORWARD_IN_ZONES
>        9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
>       10: -D FORWARD -j FORWARD_direct
>       11: -D FORWARD -i lo -j ACCEPT
>       12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>       13: -X FORWARD_OUT_ZONES
>       14: -X FORWARD_OUT_ZONES_SOURCE
>       15: -X FORWARD_IN_ZONES
>       16: -X FORWARD_IN_ZONES_SOURCE
>       17: -X FORWARD_direct
>       18: -D INPUT -j REJECT --reject-with icmp-host-prohibited
>       19: -D INPUT -m conntrack --ctstate INVALID -j DROP
>       20: -D INPUT -j INPUT_ZONES
>       21: -D INPUT -j INPUT_ZONES_SOURCE
>       22: -D INPUT -j INPUT_direct
>       23: -D INPUT -i lo -j ACCEPT
>       24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>       25: -X INPUT_ZONES
>       26: -X INPUT_ZONES_SOURCE
>       27: -X INPUT_direct
>       28: -Z
>       29: -X
>       30: -F
>       31: COMMIT
>       32: *raw
>       33: -D OUTPUT -j OUTPUT_direct
>       34: -X OUTPUT_direct
>       35: -D PREROUTING -j PREROUTING_direct
>       36: -X PREROUTING_direct
>       37: -Z
>       38: -X
>       39: -F
>       40: COMMIT
>       41: *mangle
>       42: -D FORWARD -j FORWARD_direct
>       43: -X FORWARD_direct
>       44: -D OUTPUT -j OUTPUT_direct
>       45: -X OUTPUT_direct
>       46: -D INPUT -j INPUT_direct
>       47: -X INPUT_direct
>       48: -D POSTROUTING -j POSTROUTING_direct
>       49: -X POSTROUTING_direct
>       50: -D PREROUTING -j PREROUTING_ZONES
>       51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
>       52: -X PREROUTING_ZONES
>       53: -X PREROUTING_ZONES_SOURCE
>       54: -D PREROUTING -j PREROUTING_direct
>       55: -X PREROUTING_direct
>       56: -Z
>       57: -X
>       58: -F
>       59: COMMIT
>
> 2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.xFcRvF: 1384
>        1: *filter
>        2: -D OUTPUT -j OUTPUT_direct
>        3: -X OUTPUT_direct
>        4: -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
>        5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
>        6: -D FORWARD -j FORWARD_OUT_ZONES
>        7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
>        8: -D FORWARD -j FORWARD_IN_ZONES
>        9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
>       10: -D FORWARD -j FORWARD_direct
>       11: -D FORWARD -i lo -j ACCEPT
>       12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>       13: -X FORWARD_OUT_ZONES
>       14: -X FORWARD_OUT_ZONES_SOURCE
>       15: -X FORWARD_IN_ZONES
>       16: -X FORWARD_IN_ZONES_SOURCE
>       17: -X FORWARD_direct
>       18: -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
>       19: -D INPUT -m conntrack --ctstate INVALID -j DROP
>       20: -D INPUT -j INPUT_ZONES
>       21: -D INPUT -j INPUT_ZONES_SOURCE
>       22: -D INPUT -j INPUT_direct
>       23: -D INPUT -i lo -j ACCEPT
>       24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>       25: -X INPUT_ZONES
>       26: -X INPUT_ZONES_SOURCE
>       27: -X INPUT_direct
>       28: -Z
>       29: -X
>       30: -F
>       31: COMMIT
>       32: *raw
>       33: -D OUTPUT -j OUTPUT_direct
>       34: -X OUTPUT_direct
>       35: -D PREROUTING -j PREROUTING_direct
>       36: -X PREROUTING_direct
>       37: -Z
>       38: -X
>       39: -F
>       40: COMMIT
>       41: *mangle
>       42: -D FORWARD -j FORWARD_direct
>       43: -X FORWARD_direct
>       44: -D OUTPUT -j OUTPUT_direct
>       45: -X OUTPUT_direct
>       46: -D INPUT -j INPUT_direct
>       47: -X INPUT_direct
>       48: -D POSTROUTING -j POSTROUTING_direct
>       49: -X POSTROUTING_direct
>       50: -D PREROUTING -j PREROUTING_ZONES
>       51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
>       52: -X PREROUTING_ZONES
>       53: -X PREROUTING_ZONES_SOURCE
>       54: -D PREROUTING -j PREROUTING_direct
>       55: -X PREROUTING_direct
>       56: -Z
>       57: -X
>       58: -F
>       59: COMMIT
> 2017-05-03 07:53:22 ERROR: COMMAND_FAILED
> 2017-05-03 07:53:22 DEBUG1: GetAll('org.fedoraproject.FirewallD1')
> ....
>
> Any help greatly appreciated!
>
> Thanks
>
> PS: perhaps related: https://bugs.centos.org/view.php?id=12450 ?
>
>
>
> _______________________________________________
> Users mailing list
> Users at openvz.org
> https://lists.openvz.org/mailman/listinfo/users
>

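A small triage script, added here and not part of the thread, that reads a firewalld --debug log in the format quoted above and pairs each *-restore batch with the WARNING or ERROR logged after it, so it is clear which backend (ebtables, ip4tables or ip6tables) the COMMAND_FAILED actually belongs to. It assumes, as this log shows, that a failure line refers to the most recently logged batch, and that the log lines are free of the asterisks the mail archive inserted; the sample log is abbreviated from the thread.

```python
import re

# Line shapes as they appear in /var/log/firewalld at --debug=4 (see the thread).
RESTORE = re.compile(r"^\S+ \S+ DEBUG2: <class '(?P<cls>[^']+)'>:\s*"
                     r"(?P<tool>\S+-restore)\s+(?P<tmp>\S+):\s*(?P<nbytes>\d+)$")
RULE = re.compile(r"^\s+\d+: ")                       # numbered rule of the current batch
WARN = re.compile(r"^\S+ \S+ WARNING: '[^']+' failed:")
ERROR = re.compile(r"^\S+ \S+ ERROR: ")

def parse_batches(log_text):
    """One dict per *-restore invocation, in log order, with its outcome.
    Assumption (it matches the thread's log): a WARNING or ERROR line refers to
    the most recently logged batch. 'ok' only means no failure was logged."""
    batches = []
    for line in log_text.splitlines():
        m = RESTORE.match(line)
        if m:
            batches.append({"backend": m["cls"].rsplit(".", 1)[-1], "tool": m["tool"],
                            "nbytes": int(m["nbytes"]), "rules": 0, "outcome": "ok"})
        elif not batches:
            continue
        elif RULE.match(line):
            batches[-1]["rules"] += 1
        elif WARN.match(line):
            batches[-1]["outcome"] = "warning"   # non-fatal: firewalld carried on
        elif ERROR.match(line):
            batches[-1]["outcome"] = "error"     # fatal: this restore aborted the reload
    return batches

def fatal_backend(batches):
    """Backend whose restore produced the ERROR, or None if none did."""
    return next((b["backend"] for b in batches if b["outcome"] == "error"), None)

# Constructed sample: the thread's log, with each batch cut down to two rules.
SAMPLE_LOG = """\
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ebtables.ebtables'>: /usr/sbin/ebtables-restore /run/firewalld/temp.aC9x_O: 411
       1: *filter
       2: -N INPUT_direct -P RETURN
2017-05-03 07:53:22 WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.MDuwzR: 1384
       1: *filter
       2: COMMIT
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.xFcRvF: 1384
       1: *filter
       2: COMMIT
2017-05-03 07:53:22 ERROR: COMMAND_FAILED
2017-05-03 07:53:22 DEBUG1: GetAll('org.fedoraproject.FirewallD1')
"""
```

Feed the contents of /var/log/firewalld to parse_batches; on the thread's log the ebtables batch ends in a warning, the ip4tables batch logs no failure, and the ip6tables batch is the one the ERROR follows.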
