[Users] firewalld in vz 7 CT doesn't work anymore

Konstantin Khorenko khorenko at virtuozzo.com
Thu May 18 04:34:23 PDT 2017



--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 05/03/2017 12:59 PM, Jehan Procaccia wrote:
> On 03/05/2017 at 10:54, Denis Silakov wrote:
>>
>> Try to set "IndividualCalls=yes" in firewalld.conf.
>>
>>
> with that set I now have more explicit errors in firewalld logs:
>
>
> 2017-05-03 09:31:58 DEBUG2: <class 'firewall.core.ebtables.ebtables'>: /usr/sbin/ebtables --concurrent -t broute -F
> 2017-05-03 09:31:58 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
> 2017-05-03 09:31:58 ERROR: '/usr/sbin/ebtables -t broute -F' failed:
> ...
> 2017-05-03 09:32:00 DEBUG2: <class 'firewall.core.ebtables.ebtables'>: /usr/sbin/ebtables --concurrent -t broute -P BROUTING ACCEPT
> 2017-05-03 09:32:00 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
> 2017-05-03 09:32:00 ERROR: '/usr/sbin/ebtables -t broute -P BROUTING ACCEPT' failed:
>
> I ran these broute commands manually and it returns:
>
> # /usr/sbin/ebtables --concurrent -t broute -F
> The kernel doesn't support the ebtables 'broute' table.
>
> So I go check on a second host where firewalld keeps running
> # lsmod |grep ebtab
> ebtable_nat            12807  2
> ebtable_broute         12731  2
> ebtable_filter         12827  2
> ebtables               30905  3 ebtable_broute,ebtable_nat,ebtable_filter
> bridge                119601  1 ebtable_broute
>
> on the one where it fails
>
> # lsmod |grep ebtab
> ebtable_nat            12807  1
> ebtable_filter         12827  3
> ebtables               30905  2 ebtable_nat,ebtable_filter
>
> indeed it lacks ebtable_broute, so:
> # modprobe ebtable_broute
>
> and now it works fine ;-), thanks for the tip!
>
> now why ebtable_broute isn't loaded at boot time is a mystery; if you have an idea?

You probably don't have the "firewalld" service running on the host => the ebtable_broute module can be easily unloaded.
Fixed; now the module will be autoloaded upon request from inside a Container:

https://lists.openvz.org/pipermail/devel/2017-May/070268.html

>
> Thanks.
>
> Ps: virtuozzo host :
>
> # cat /etc/redhat-release
> Virtuozzo Linux release 7.3
> # uname -a
> Linux vz7.int-evry.fr 3.10.0-327.36.1.vz7.20.18 #1 SMP Tue Dec 20 13:52:43 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux
> # uptime
>  11:58:27 up 12 days, 17:59,  4 users,  load average: 0,05, 0,20, 0,25
>
>
>> On 05/03/2017 11:23 AM, Jehan Procaccia wrote:
>>>
>>> Hello
>>>
>>> since last update (apparently) my CT with firewalld doesn't work anymore
>>>
>>> CT-db256406 ~# systemctl status firewalld.service
>>> ● firewalld.service - firewalld - dynamic firewall daemon
>>>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
>>>    Active: active (running) since Wed 2017-05-03 08:16:42 UTC; 7s ago
>>>      Docs: man:firewalld(1)
>>>  Main PID: 759 (firewalld)
>>>    CGroup: /system.slice/firewalld.service
>>>            └─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid --debug=8
>>>
>>> May 03 08:16:41 smtpe systemd[1]: Starting firewalld - dynamic firewall daemon...
>>> May 03 08:16:42 smtpe systemd[1]: Started firewalld - dynamic firewall daemon.
>>> May 03 08:16:42 smtpe firewalld[759]: WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
>>> May 03 08:16:42 smtpe firewalld[759]: ERROR: COMMAND_FAILED
>>>
>>> I did set 'prlctl set CTname --netfilter stateful' on the host; it worked fine for the last 6 months, but now it fails
>>>
>>> # rpm -q firewalld
>>> firewalld-0.4.3.2-8.1.el7_3.2.noarch
>>> # cat /etc/redhat-release
>>> CentOS Linux release 7.3.1611 (Core)
>>> # uname -a
>>> Linux smtpe 3.10.0 #1 SMP Tue Dec 20 13:52:43 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> these are the last hundred lines of /var/log/firewalld in debug=4 mode
>>>
>>> # grep debug /etc/sysconfig/firewalld
>>> # possible values: --debug
>>> FIREWALLD_ARGS='--debug=4'
>>>
>>> ...
>>>
>>> 2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ebtables.ebtables'>: /usr/sbin/ebtables-restore /run/firewalld/temp.aC9x_O: 411
>>>        1: *filter
>>>        2: -F
>>>        3: -X
>>>        4: -Z
>>>        5: -N INPUT_direct -P RETURN
>>>        6: -I INPUT 1 -j INPUT_direct
>>>        7: -N OUTPUT_direct -P RETURN
>>>        8: -I OUTPUT 1 -j OUTPUT_direct
>>>        9: -N FORWARD_direct -P RETURN
>>>       10: -I FORWARD 1 -j FORWARD_direct
>>>       11: *broute
>>>       12: -F
>>>       13: -X
>>>       14: -Z
>>>       15: *nat
>>>       16: -F
>>>       17: -X
>>>       18: -Z
>>>       19: -N PREROUTING_direct -P RETURN
>>>       20: -I PREROUTING 1 -j PREROUTING_direct
>>>       21: -N POSTROUTING_direct -P RETURN
>>>       22: -I POSTROUTING 1 -j POSTROUTING_direct
>>>       23: -N OUTPUT_direct -P RETURN
>>>       24: -I OUTPUT 1 -j OUTPUT_direct
>>> 2017-05-03 07:53:22 WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
>>> 2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables-restore /run/firewalld/temp.MDuwzR: 1384
>>>        1: *filter
>>>        2: -D OUTPUT -j OUTPUT_direct
>>>        3: -X OUTPUT_direct
>>>        4: -D FORWARD -j REJECT --reject-with icmp-host-prohibited
>>>        5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
>>>        6: -D FORWARD -j FORWARD_OUT_ZONES
>>>        7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
>>>        8: -D FORWARD -j FORWARD_IN_ZONES
>>>        9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
>>>       10: -D FORWARD -j FORWARD_direct
>>>       11: -D FORWARD -i lo -j ACCEPT
>>>       12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>>       13: -X FORWARD_OUT_ZONES
>>>       14: -X FORWARD_OUT_ZONES_SOURCE
>>>       15: -X FORWARD_IN_ZONES
>>>       16: -X FORWARD_IN_ZONES_SOURCE
>>>       17: -X FORWARD_direct
>>>       18: -D INPUT -j REJECT --reject-with icmp-host-prohibited
>>>       19: -D INPUT -m conntrack --ctstate INVALID -j DROP
>>>       20: -D INPUT -j INPUT_ZONES
>>>       21: -D INPUT -j INPUT_ZONES_SOURCE
>>>       22: -D INPUT -j INPUT_direct
>>>       23: -D INPUT -i lo -j ACCEPT
>>>       24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>>       25: -X INPUT_ZONES
>>>       26: -X INPUT_ZONES_SOURCE
>>>       27: -X INPUT_direct
>>>       28: -Z
>>>       29: -X
>>>       30: -F
>>>       31: COMMIT
>>>       32: *raw
>>>       33: -D OUTPUT -j OUTPUT_direct
>>>       34: -X OUTPUT_direct
>>>       35: -D PREROUTING -j PREROUTING_direct
>>>       36: -X PREROUTING_direct
>>>       37: -Z
>>>       38: -X
>>>       39: -F
>>>       40: COMMIT
>>>       41: *mangle
>>>       42: -D FORWARD -j FORWARD_direct
>>>       43: -X FORWARD_direct
>>>       44: -D OUTPUT -j OUTPUT_direct
>>>       45: -X OUTPUT_direct
>>>       46: -D INPUT -j INPUT_direct
>>>       47: -X INPUT_direct
>>>       48: -D POSTROUTING -j POSTROUTING_direct
>>>       49: -X POSTROUTING_direct
>>>       50: -D PREROUTING -j PREROUTING_ZONES
>>>       51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
>>>       52: -X PREROUTING_ZONES
>>>       53: -X PREROUTING_ZONES_SOURCE
>>>       54: -D PREROUTING -j PREROUTING_direct
>>>       55: -X PREROUTING_direct
>>>       56: -Z
>>>       57: -X
>>>       58: -F
>>>       59: COMMIT
>>>
>>> 2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>: /usr/sbin/ip6tables-restore /run/firewalld/temp.xFcRvF: 1384
>>>        1: *filter
>>>        2: -D OUTPUT -j OUTPUT_direct
>>>        3: -X OUTPUT_direct
>>>        4: -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
>>>        5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
>>>        6: -D FORWARD -j FORWARD_OUT_ZONES
>>>        7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
>>>        8: -D FORWARD -j FORWARD_IN_ZONES
>>>        9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
>>>       10: -D FORWARD -j FORWARD_direct
>>>       11: -D FORWARD -i lo -j ACCEPT
>>>       12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>>       13: -X FORWARD_OUT_ZONES
>>>       14: -X FORWARD_OUT_ZONES_SOURCE
>>>       15: -X FORWARD_IN_ZONES
>>>       16: -X FORWARD_IN_ZONES_SOURCE
>>>       17: -X FORWARD_direct
>>>       18: -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
>>>       19: -D INPUT -m conntrack --ctstate INVALID -j DROP
>>>       20: -D INPUT -j INPUT_ZONES
>>>       21: -D INPUT -j INPUT_ZONES_SOURCE
>>>       22: -D INPUT -j INPUT_direct
>>>       23: -D INPUT -i lo -j ACCEPT
>>>       24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>>       25: -X INPUT_ZONES
>>>       26: -X INPUT_ZONES_SOURCE
>>>       27: -X INPUT_direct
>>>       28: -Z
>>>       29: -X
>>>       30: -F
>>>       31: COMMIT
>>>       32: *raw
>>>       33: -D OUTPUT -j OUTPUT_direct
>>>       34: -X OUTPUT_direct
>>>       35: -D PREROUTING -j PREROUTING_direct
>>>       36: -X PREROUTING_direct
>>>       37: -Z
>>>       38: -X
>>>       39: -F
>>>       40: COMMIT
>>>       41: *mangle
>>>       42: -D FORWARD -j FORWARD_direct
>>>       43: -X FORWARD_direct
>>>       44: -D OUTPUT -j OUTPUT_direct
>>>       45: -X OUTPUT_direct
>>>       46: -D INPUT -j INPUT_direct
>>>       47: -X INPUT_direct
>>>       48: -D POSTROUTING -j POSTROUTING_direct
>>>       49: -X POSTROUTING_direct
>>>       50: -D PREROUTING -j PREROUTING_ZONES
>>>       51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
>>>       52: -X PREROUTING_ZONES
>>>       53: -X PREROUTING_ZONES_SOURCE
>>>       54: -D PREROUTING -j PREROUTING_direct
>>>       55: -X PREROUTING_direct
>>>       56: -Z
>>>       57: -X
>>>       58: -F
>>>       59: COMMIT
>>> 2017-05-03 07:53:22 ERROR: COMMAND_FAILED
>>> 2017-05-03 07:53:22 DEBUG1: GetAll('org.fedoraproject.FirewallD1')
>>> ....
>>>
>>> any help greatly appreciated!
>>>
>>> Thanks
>>>
>>> PS: perhaps related : https://bugs.centos.org/view.php?id=12450 ?
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at openvz.org
>>> https://lists.openvz.org/mailman/listinfo/users
>>
>> --
>> Regards,
>>
>> Denis Silakov | Sr. Software Architect, Virtuozzo Linux Team Lead
>> Otradnaya street 2B/9, “Otradnoye” Business Center | Moscow | Russia
>> Phone: +7 916-222-9437 | dsilakov at virtuozzo.com
>> Skype: denis.silakov
>>
>> Virtuozzo.com
>>
>>
>

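The diagnosis above comes down to one host-side fact: firewalld inside the Container drives the ebtables filter, nat and broute tables, and each table only exists while its kernel module (ebtable_filter, ebtable_nat, ebtable_broute) is loaded on the host. The following POSIX shell script is an added example, not code from this thread, from Virtuozzo or from firewalld. It reports which of those modules are missing from lsmod output (the two lsmod listings are copied from the working and failing hosts in the thread so the check runs offline), and it can write a systemd modules-load.d drop-in so the modules stay loaded across reboots on hosts that do not yet carry the autoload kernel fix Konstantin links. The drop-in name /etc/modules-load.d/ebtables.conf is an assumption; systemd-modules-load reads any *.conf file in that directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from Virtuozzo: check that the
# kernel modules behind the ebtables tables firewalld drives (filter, nat,
# broute) are loaded on the host, and optionally persist them via
# systemd's /etc/modules-load.d mechanism.

# Modules backing the three ebtables tables firewalld uses; ebtable_broute is
# the one that was missing on the failing host in the thread.
REQUIRED_EBTABLES_MODULES="ebtable_filter ebtable_nat ebtable_broute"

# lsmod output copied from the two hosts in the thread (working and failing),
# embedded so the check can be exercised without a live host.
LSMOD_WORKING_HOST='ebtable_nat            12807  2
ebtable_broute         12731  2
ebtable_filter         12827  2
ebtables               30905  3 ebtable_broute,ebtable_nat,ebtable_filter
bridge                119601  1 ebtable_broute'

LSMOD_FAILING_HOST='ebtable_nat            12807  1
ebtable_filter         12827  3
ebtables               30905  2 ebtable_nat,ebtable_filter'

# missing_ebtables_modules LSMOD_TEXT
# Prints, one per line, each required module that has no row in the given
# lsmod-style text. The match is anchored on the first column and requires
# trailing whitespace, so the "ebtables" row does not satisfy a check for
# "ebtable_filter".
missing_ebtables_modules() {
    _lsmod_text=$1
    for _mod in $REQUIRED_EBTABLES_MODULES; do
        if ! printf '%s\n' "$_lsmod_text" | grep -q "^${_mod}[[:space:]]"; then
            printf '%s\n' "$_mod"
        fi
    done
}

# write_modules_load_conf FILE
# Writes a modules-load.d style drop-in (one module name per line) so that
# systemd-modules-load loads the ebtables tables at boot. On a real host pass
# /etc/modules-load.d/ebtables.conf (assumed name; any *.conf there works).
write_modules_load_conf() {
    _conf=$1
    : > "$_conf"
    for _mod in $REQUIRED_EBTABLES_MODULES; do
        printf '%s\n' "$_mod" >> "$_conf"
    done
}

# Live check, only when explicitly requested, so the file can also be sourced
# for testing without touching the running host:
#   sh check_ebtables.sh --check
if [ "${1:-}" = "--check" ]; then
    _missing=$(missing_ebtables_modules "$(lsmod)")
    if [ -z "$_missing" ]; then
        echo "all ebtables modules firewalld needs are loaded"
    else
        echo "missing ebtables modules on this host:"
        echo "$_missing"
        echo "load them with 'modprobe <module>' and persist them with"
        echo "write_modules_load_conf /etc/modules-load.d/ebtables.conf"
    fi
fi
```

Run with `--check` on the host, not inside the Container: the modules are host kernel state, which is why a Container can lose its broute table without anything changing inside it. A persistent drop-in only matters on hosts where nothing else (such as a host-side firewalld) keeps the module referenced; the kernel change linked above makes the module load on demand from inside a Container, which removes the need for the workaround.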
