<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/05/2017 at 10:54, Denis Silakov
wrote:<br>
</div>
<blockquote
cite="mid:aaa87555-3c54-6e58-8621-2daed2ba314d@virtuozzo.com"
type="cite">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<p>Try to set "IndividualCalls=yes" in firewalld.conf.</p>
<br>
</blockquote>
With that set I now have more explicit errors in the firewalld logs:<br>
<br>
<br>
2017-05-03 09:31:58 DEBUG2: &lt;class
'firewall.core.ebtables.ebtables'&gt;: /usr/sbin/ebtables
--concurrent -t broute -F<br>
2017-05-03 09:31:58 ERROR: Failed to apply rules. A firewall reload
might solve the issue if the firewall has been modified using
ip*tables or ebtables.<br>
2017-05-03 09:31:58 ERROR: '/usr/sbin/ebtables -t broute -F' failed:
<br>
...<br>
2017-05-03 09:32:00 DEBUG2: &lt;class
'firewall.core.ebtables.ebtables'&gt;: /usr/sbin/ebtables
--concurrent -t broute -P BROUTING ACCEPT<br>
2017-05-03 09:32:00 ERROR: Failed to apply rules. A firewall reload
might solve the issue if the firewall has been modified using
ip*tables or ebtables.<br>
2017-05-03 09:32:00 ERROR: '/usr/sbin/ebtables -t broute -P BROUTING
ACCEPT' failed: <br>
<br>
I ran these broute commands manually and it returns:<br>
<br>
# /usr/sbin/ebtables --concurrent -t broute -F<br>
The kernel doesn't support the ebtables 'broute' table.<br>
<br>
So I went to check on a second host where firewalld keeps running:<br>
# lsmod |grep ebtab<br>
ebtable_nat 12807 2 <br>
<b>ebtable_broute 12731 2 </b><br>
ebtable_filter 12827 2 <br>
ebtables 30905 3
ebtable_broute,ebtable_nat,ebtable_filter<br>
bridge 119601 1 ebtable_broute<br>
<br>
On the one where it fails:<br>
<br>
# lsmod |grep ebtab<br>
ebtable_nat 12807 1 <br>
ebtable_filter 12827 3 <br>
ebtables 30905 2 ebtable_nat,ebtable_filter<br>
<br>
Indeed it lacks <b>ebtable_broute</b>, so:<br>
# modprobe ebtable_broute<br>
<br>
and now it works fine ;-), thanks for the tip!<br>
<br>
Now, why ebtable_broute isn't loaded at boot time is a mystery; if
you have an idea?<br>
<br>
Thanks .<br>
<br>
PS: Virtuozzo host:<br>
<br>
# cat /etc/redhat-release <br>
Virtuozzo Linux release 7.3<br>
# uname -a <br>
Linux vz7.int-evry.fr 3.10.0-327.36.1.vz7.20.18 #1 SMP Tue Dec 20
13:52:43 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux<br>
# uptime<br>
11:58:27 up 12 days, 17:59, 4 users, load average: 0,05, 0,20,
0,25<br>
<br>
<br>
<blockquote
cite="mid:aaa87555-3c54-6e58-8621-2daed2ba314d@virtuozzo.com"
type="cite">
<div class="moz-cite-prefix">On 05/03/2017 11:23 AM, Jehan
Procaccia wrote:<br>
</div>
<blockquote
cite="mid:8bf42da8-c30b-3cd8-9450-4a871a6d8a5a@tem-tsp.eu"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8">
<p>Hello</p>
<p>Since the last update (apparently) my CT with firewalld doesn't
work anymore.<br>
</p>
<p>CT-db256406 ~# systemctl status firewalld.service <br>
● firewalld.service - firewalld - dynamic firewall daemon<br>
Loaded: loaded (/usr/lib/systemd/system/firewalld.service;
enabled; vendor preset: enabled)<br>
Active: active (running) since Wed 2017-05-03 08:16:42 UTC;
7s ago<br>
Docs: <a moz-do-not-send="true"
class="moz-txt-link-freetext" href="man:firewalld%281%29">man:firewalld(1)</a><br>
Main PID: 759 (firewalld)<br>
CGroup: /system.slice/firewalld.service<br>
└─759 /usr/bin/python -Es /usr/sbin/firewalld
--nofork --nopid --debug=8<br>
<br>
May 03 08:16:41 smtpe systemd[1]: Starting firewalld - dynamic
firewall daemon...<br>
May 03 08:16:42 smtpe systemd[1]: Started firewalld - dynamic
firewall daemon.<br>
May 03 08:16:42 smtpe firewalld[759]: WARNING:
'/usr/sbin/ebtables-restore --noflush' failed:<br>
May 03 08:16:42 smtpe firewalld[759]: ERROR: COMMAND_FAILED<br>
</p>
<p>I did set "prlctl set CTname --netfilter stateful" on the host;
it worked fine for the last 6 months, but now it fails.<br>
</p>
<p># rpm -q firewalld<br>
firewalld-0.4.3.2-8.1.el7_3.2.noarch<br>
# cat /etc/redhat-release <br>
CentOS Linux release 7.3.1611 (Core) <br>
# uname -a <br>
Linux smtpe 3.10.0 #1 SMP Tue Dec 20 13:52:43 MSK 2016 x86_64
x86_64 x86_64 GNU/Linux<br>
<br>
</p>
<p>These are the last hundred lines of /var/log/firewalld in
debug=4 mode:<br>
</p>
<p># grep debug /etc/sysconfig/firewalld <br>
# possible values: --debug<br>
FIREWALLD_ARGS='--debug=4'<br>
</p>
<p>...<br>
</p>
<p>2017-05-03 07:53:22 DEBUG2: &lt;class
'firewall.core.ebtables.ebtables'&gt;:
/usr/sbin/ebtables-restore /run/firewalld/temp.aC9x_O: 411<br>
1: *filter<br>
2: -F<br>
3: -X<br>
4: -Z<br>
5: -N INPUT_direct -P RETURN<br>
6: -I INPUT 1 -j INPUT_direct<br>
7: -N OUTPUT_direct -P RETURN<br>
8: -I OUTPUT 1 -j OUTPUT_direct<br>
9: -N FORWARD_direct -P RETURN<br>
10: -I FORWARD 1 -j FORWARD_direct<br>
11: *broute<br>
12: -F<br>
13: -X<br>
14: -Z<br>
15: *nat<br>
16: -F<br>
17: -X<br>
18: -Z<br>
19: -N PREROUTING_direct -P RETURN<br>
20: -I PREROUTING 1 -j PREROUTING_direct<br>
21: -N POSTROUTING_direct -P RETURN<br>
22: -I POSTROUTING 1 -j POSTROUTING_direct<br>
23: -N OUTPUT_direct -P RETURN<br>
24: -I OUTPUT 1 -j OUTPUT_direct<br>
2017-05-03 07:53:22 WARNING: '<b>/usr/sbin/ebtables-restore
--noflush' failed: </b><br>
2017-05-03 07:53:22 DEBUG2: &lt;class
'firewall.core.ipXtables.ip4tables'&gt;:
/usr/sbin/iptables-restore /run/firewalld/temp.MDuwzR: 1384<br>
1: *filter<br>
2: -D OUTPUT -j OUTPUT_direct<br>
3: -X OUTPUT_direct<br>
4: -D FORWARD -j REJECT --reject-with
icmp-host-prohibited<br>
5: -D FORWARD -m conntrack --ctstate INVALID -j DROP<br>
6: -D FORWARD -j FORWARD_OUT_ZONES<br>
7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE<br>
8: -D FORWARD -j FORWARD_IN_ZONES<br>
9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE<br>
10: -D FORWARD -j FORWARD_direct<br>
11: -D FORWARD -i lo -j ACCEPT<br>
12: -D FORWARD -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT<br>
13: -X FORWARD_OUT_ZONES<br>
14: -X FORWARD_OUT_ZONES_SOURCE<br>
15: -X FORWARD_IN_ZONES<br>
16: -X FORWARD_IN_ZONES_SOURCE<br>
17: -X FORWARD_direct<br>
18: -D INPUT -j REJECT --reject-with
icmp-host-prohibited<br>
19: -D INPUT -m conntrack --ctstate INVALID -j DROP<br>
20: -D INPUT -j INPUT_ZONES<br>
21: -D INPUT -j INPUT_ZONES_SOURCE<br>
22: -D INPUT -j INPUT_direct<br>
23: -D INPUT -i lo -j ACCEPT<br>
24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED
-j ACCEPT<br>
25: -X INPUT_ZONES<br>
26: -X INPUT_ZONES_SOURCE<br>
27: -X INPUT_direct<br>
28: -Z<br>
29: -X<br>
30: -F<br>
31: COMMIT<br>
32: *raw<br>
33: -D OUTPUT -j OUTPUT_direct<br>
34: -X OUTPUT_direct<br>
35: -D PREROUTING -j PREROUTING_direct<br>
36: -X PREROUTING_direct<br>
37: -Z<br>
38: -X<br>
39: -F<br>
40: COMMIT<br>
41: *mangle<br>
42: -D FORWARD -j FORWARD_direct<br>
43: -X FORWARD_direct<br>
44: -D OUTPUT -j OUTPUT_direct<br>
45: -X OUTPUT_direct<br>
46: -D INPUT -j INPUT_direct<br>
47: -X INPUT_direct<br>
48: -D POSTROUTING -j POSTROUTING_direct<br>
49: -X POSTROUTING_direct<br>
50: -D PREROUTING -j PREROUTING_ZONES<br>
51: -D PREROUTING -j PREROUTING_ZONES_SOURCE<br>
52: -X PREROUTING_ZONES<br>
53: -X PREROUTING_ZONES_SOURCE<br>
54: -D PREROUTING -j PREROUTING_direct<br>
55: -X PREROUTING_direct<br>
56: -Z<br>
57: -X<br>
58: -F<br>
59: COMMIT<br>
<br>
</p>
<p>2017-05-03 07:53:22 DEBUG2: &lt;class
'firewall.core.ipXtables.ip6tables'&gt;:<b>
/usr/sbin/ip6tables-restore /run/firewalld/temp.xFcRvF:</b>
1384<br>
1: *filter<br>
2: -D OUTPUT -j OUTPUT_direct<br>
3: -X OUTPUT_direct<br>
4: -D FORWARD -j REJECT --reject-with
icmp6-adm-prohibited<br>
5: -D FORWARD -m conntrack --ctstate INVALID -j DROP<br>
6: -D FORWARD -j FORWARD_OUT_ZONES<br>
7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE<br>
8: -D FORWARD -j FORWARD_IN_ZONES<br>
9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE<br>
10: -D FORWARD -j FORWARD_direct<br>
11: -D FORWARD -i lo -j ACCEPT<br>
12: -D FORWARD -m conntrack --ctstate
RELATED,ESTABLISHED -j ACCEPT<br>
13: -X FORWARD_OUT_ZONES<br>
14: -X FORWARD_OUT_ZONES_SOURCE<br>
15: -X FORWARD_IN_ZONES<br>
16: -X FORWARD_IN_ZONES_SOURCE<br>
17: -X FORWARD_direct<br>
18: -D INPUT -j REJECT --reject-with
icmp6-adm-prohibited<br>
19: -D INPUT -m conntrack --ctstate INVALID -j DROP<br>
20: -D INPUT -j INPUT_ZONES<br>
21: -D INPUT -j INPUT_ZONES_SOURCE<br>
22: -D INPUT -j INPUT_direct<br>
23: -D INPUT -i lo -j ACCEPT<br>
24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED
-j ACCEPT<br>
25: -X INPUT_ZONES<br>
26: -X INPUT_ZONES_SOURCE<br>
27: -X INPUT_direct<br>
28: -Z<br>
29: -X<br>
30: -F<br>
31: COMMIT<br>
32: *raw<br>
33: -D OUTPUT -j OUTPUT_direct<br>
34: -X OUTPUT_direct<br>
35: -D PREROUTING -j PREROUTING_direct<br>
36: -X PREROUTING_direct<br>
37: -Z<br>
38: -X<br>
39: -F<br>
40: COMMIT<br>
41: *mangle<br>
42: -D FORWARD -j FORWARD_direct<br>
43: -X FORWARD_direct<br>
44: -D OUTPUT -j OUTPUT_direct<br>
45: -X OUTPUT_direct<br>
46: -D INPUT -j INPUT_direct<br>
47: -X INPUT_direct<br>
48: -D POSTROUTING -j POSTROUTING_direct<br>
49: -X POSTROUTING_direct<br>
50: -D PREROUTING -j PREROUTING_ZONES<br>
51: -D PREROUTING -j PREROUTING_ZONES_SOURCE<br>
52: -X PREROUTING_ZONES<br>
53: -X PREROUTING_ZONES_SOURCE<br>
54: -D PREROUTING -j PREROUTING_direct<br>
55: -X PREROUTING_direct<br>
56: -Z<br>
57: -X<br>
58: -F<br>
59: COMMIT<br>
2017-05-03 07:53:22<b> ERROR: COMMAND_FAILED</b><br>
2017-05-03 07:53:22 DEBUG1:
GetAll('org.fedoraproject.FirewallD1')<br>
....</p>
<p>any help greatly appreciated !</p>
<p>Thanks</p>
<p>PS: perhaps related: <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://bugs.centos.org/view.php?id=12450">https://bugs.centos.org/view.php?id=12450</a>
? <br>
</p>
<br>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Users@openvz.org">Users@openvz.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.openvz.org/mailman/listinfo/users">https://lists.openvz.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Regards,
Denis Silakov | Sr. Software Architect, Virtuozzo Linux Team Lead
Otradnaya street 2B/9, “Otradnoye” Business Center | Moscow | Russia
Phone: +7 916-222-9437 | <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:dsilakov@virtuozzo.com">dsilakov@virtuozzo.com</a>
Skype: denis.silakov
Virtuozzo.com</pre>
<br>
</blockquote>
<p><br>
</p>
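<p>Added example, not code from this thread nor from firewalld or Virtuozzo: a small POSIX shell script that turns the diagnosis above into a repeatable check. It compares the loaded modules against the four ebtables modules seen on the working host (ebtables, ebtable_filter, ebtable_nat, ebtable_broute), prints the modules-load.d(5) fragment that would make the manual modprobe survive a reboot, and flips IndividualCalls=yes in a firewalld.conf so the failing ebtables call is logged by name rather than as a bare COMMAND_FAILED. The function names, the EBT_CHECK_LIVE switch and the file name /etc/modules-load.d/ebtables.conf are this example's own; the sample lsmod lines are constructed from the figures quoted in the thread.</p>

```shell
#!/bin/sh
# Added example (not from the thread, firewalld or Virtuozzo).
# Finds the ebtables table modules firewalld needs that are not loaded,
# renders a modules-load.d fragment for them, and enables IndividualCalls
# in a firewalld.conf copy. Module list assumed from the thread's lsmod output.

REQUIRED_EBTABLES_MODULES="ebtables ebtable_filter ebtable_nat ebtable_broute"

# Constructed sample: lsmod lines as quoted for the host where firewalld failed.
SAMPLE_LSMOD_FAILING='Module                  Size  Used by
ebtable_nat            12807  1
ebtable_filter         12827  3
ebtables               30905  2 ebtable_nat,ebtable_filter'

# Constructed sample: lsmod lines as quoted for the host where firewalld kept running.
SAMPLE_LSMOD_WORKING='Module                  Size  Used by
ebtable_nat            12807  2
ebtable_broute         12731  2
ebtable_filter         12827  2
ebtables               30905  3 ebtable_broute,ebtable_nat,ebtable_filter
bridge                119601  1 ebtable_broute'

# missing_modules LSMOD_TEXT
# Prints, one per line, each required module whose name is absent from column 1.
missing_modules() {
    lsmod_text=$1
    for m in $REQUIRED_EBTABLES_MODULES; do
        if ! printf '%s\n' "$lsmod_text" | awk -v m="$m" '$1 == m' | grep -q .; then
            printf '%s\n' "$m"
        fi
    done
}

# modules_load_conf MODULE...
# Prints a modules-load.d(5) fragment that systemd-modules-load reads at boot.
modules_load_conf() {
    printf '# ebtables tables used by firewalld; load at boot\n'
    for m in "$@"; do
        printf '%s\n' "$m"
    done
}

# set_individual_calls FIREWALLD_CONF
# Rewrites (or appends) IndividualCalls=yes in the given firewalld.conf.
# Goes through a temp file so it behaves the same with GNU and BSD sed.
set_individual_calls() {
    conf=$1
    tmp="$conf.tmp.$$"
    if grep -q '^IndividualCalls=' "$conf"; then
        sed 's/^IndividualCalls=.*/IndividualCalls=yes/' "$conf" > "$tmp"
    else
        { cat "$conf"; printf 'IndividualCalls=yes\n'; } > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Live mode, only when explicitly requested and run as root on the hardware
# node: a Virtuozzo/OpenVZ container shares the node's kernel and cannot load
# modules itself, so the modprobe has to happen on the node.
if [ "${EBT_CHECK_LIVE:-0}" = 1 ]; then
    for m in $(missing_modules "$(lsmod)"); do
        echo "loading missing module: $m"
        modprobe "$m"
    done
    modules_load_conf $REQUIRED_EBTABLES_MODULES > /etc/modules-load.d/ebtables.conf
    # Non-destructive check that the broute table now exists
    # (the thread's test used -F, which flushes the table).
    ebtables -t broute -L
fi
```

<p>Without EBT_CHECK_LIVE=1 the script only defines the functions and touches nothing, so it can be sourced and the checks run against the constructed samples; with EBT_CHECK_LIVE=1 it loads whatever is missing, writes the persistence fragment and lists the broute table. After changing IndividualCalls, restart firewalld and read /var/log/firewalld again: each ebtables call is then logged separately, which is how the thread narrowed a generic ebtables-restore failure down to the broute table.</p>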
</body>
</html>