Bug 614818

Summary:	net-firewall/firewalld-0.,4.3.3 fails to apply several rules.
Product:	Gentoo Linux	Reporter:	Renich Bon Ciric <renich>
Component:	Current packages	Assignee:	Virtualization Team <virtualization>
Status:	RESOLVED NEEDINFO
Severity:	normal
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---
Attachments:	firewalld logs

Description Renich Bon Ciric 2017-04-05 22:26:22 UTC

Created attachment 469296 [details]
firewalld logs

I will include the logs as an attachment. Here's my system info.

# emerge --info
Portage 2.3.5 (python 3.4.6-final-0, default/linux/amd64/13.0/desktop/gnome/systemd, gcc-5.4.0, glibc-2.24-r1, 4.10.8-gentoo x86_64)
=================================================================
System uname: Linux-4.10.8-gentoo-x86_64-AMD_Phenom-tm-_II_X6_1100T_Processor-with-gentoo-2.3
KiB Mem:    16461468 total,   7606160 free
KiB Swap:    8264768 total,   7706300 free
Timestamp of repository gentoo: Tue, 04 Apr 2017 13:42:22 +0000
sh bash 4.4_p12
ld GNU ld (Gentoo 2.27 p1.0) 2.27
ccache version 3.3.4 [disabled]
app-shells/bash:          4.4_p12::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.1-r1::gentoo
dev-lang/python:          2.7.13::gentoo, 3.4.6::gentoo
dev-util/ccache:          3.3.4::gentoo
dev-util/cmake:           3.7.2-r1::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.24.2::gentoo
sys-apps/sandbox:         2.10-r4::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69-r2::gentoo
sys-devel/automake:       1.11.6-r2::gentoo, 1.12.6-r1::gentoo, 1.13.4-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.27::gentoo
sys-devel/gcc:            5.4.0-r3::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r4::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.10::gentoo (virtual/os-headers)
sys-libs/glibc:           2.24-r1::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/gentoo.git
    priority: -1000

bitwig-overlay
    location: /usr/local/portage/bitwig-overlay
    sync-type: git
    sync-uri: https://github.com/renich/bitwig-overlay.git
    masters: gentoo

local-overlay
    location: /usr/local/portage/local
    masters: gentoo

bliss-overlay
    location: /var/lib/layman/bliss-overlay
    masters: gentoo
    priority: 50

crossdev
    location: /var/lib/layman/crossdev
    sync-type: laymansync
    sync-uri: git://github.com/alphallc/crossdev
    masters: gentoo
    priority: 50

gamerlay
    location: /var/lib/layman/gamerlay
    sync-type: laymansync
    sync-uri: git://anongit.gentoo.org/proj/gamerlay.git
    masters: gentoo
    priority: 50

sabayon
    location: /var/lib/layman/sabayon
    sync-type: laymansync
    sync-uri: git://github.com/Sabayon/for-gentoo.git
    masters: gentoo
    priority: 50

tengine-overlay
    location: /var/lib/layman/tengine-overlay
    masters: gentoo
    priority: 50

Installed sets: @steam
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-mtune=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/chromium/policies/managed/chrome-gnome-shell.json /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/opt/chrome/policies/managed/chrome-gnome-shell.json /etc/php/apache2-php7.1/ext-active/ /etc/php/cgi-php7.1/ext-active/ /etc/php/cli-php7.1/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-mtune=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs clean-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j7 -l7.0"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi aio alsa amd64 ao apm atm audiofile audit bash-completion bcmath berkdb bluetooth branding bzip2 cairo calendar caps cdda cdr cleartype cli colord corefonts cracklib crypt css cups cxx dbus dga dhclient dri dri3 dts dv dvd dvdr eds egl emboss encode evdev evo exif fam fastcgi firefox flac fortran gd gdbm geoip geolocation ggi gif git glamor gles gmp gnome gnome-keyring gnome-online-accounts gnutls gpm gps gstreamer gtk gzip hddtemp iconv icu idn imagick inotify introspection ipv6 jemalloc jit jpeg jpeg2k ladspa lame lapack lash lcms ldap libffi libnotify libsecret lv2 lzma lzo mad matroska memlimit mhash mikmod mime mmap mng modplug modules mp3 mp4 mpeg mpi mtp multilib musicbrainz nas nautilus ncurses networkmanager nls nptl offensive ogg openal openexr opengl openmp orc osc pam pango pcntl pcre pdf png policykit posix postscript ppds pulseaudio python qt3support qt4 quicktime raw rdesktop readline realtime rss ruby savedconfig sdl seccomp session sharedmem shorten simplexml smbclient smp sockets socks5 sound sox speex spell sqlite ssh ssl startup-notification suid svg symlink systemd szip taglib tcmalloc tcpd theora threads tidy tiff timidity tracker truetype type1 udev udisks unicode upnp upnp-av upower usb v4l vaapi vdpau vim-syntax virbis vnc vorbis wavpack wayland wddx webkit wifi wmf wxwidgets x264 xa xattr xcb xft xinerama xml xmlrpc xmp xpm xv xvid xvmc yaz zeroconf zlib" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="3dnow 3dnowext mmx mmxext popcnt sse sse2 sse3 sse4a" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" L10N="en es en-US es-MX es-LA" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en es en_US es_MX es_LA" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby22 ruby23 ruby24" USERLAND="GNU" VIDEO_CARDS="radeon radeonsi" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Comment 1 Renich Bon Ciric 2017-10-09 22:07:53 UTC

It's been some time since this bug was reported. The problem continues:

introdesk ~ # journalctl --no-pager -au firewalld
-- Logs begin at Mon 2017-09-25 01:55:01 CDT, end at Mon 2017-10-09 17:06:15 CDT. --
Oct 09 16:56:18 introdesk.g02.org systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 09 16:56:18 introdesk.g02.org systemd[1]: Started firewalld - dynamic firewall daemon.
Oct 09 16:56:19 introdesk.g02.org /firewalld[2225]: WARNING: '/sbin/ip6tables-restore -n' failed:
Oct 09 16:56:19 introdesk.g02.org /firewalld[2225]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Oct 09 16:56:19 introdesk.g02.org /firewalld[2225]: ERROR: '/sbin/ebtables -t nat -X OUTPUT_direct -P RETURN' failed:
Oct 09 16:56:19 introdesk.g02.org /firewalld[2225]: ERROR: '/sbin/iptables-restore -n' failed:
Oct 09 16:56:19 introdesk.g02.org /firewalld[2225]: ERROR: COMMAND_FAILED
Oct 09 17:02:47 introdesk.g02.org systemd[1]: Stopping firewalld - dynamic firewall daemon...
Oct 09 17:02:48 introdesk.g02.org systemd[1]: Stopped firewalld - dynamic firewall daemon.
Oct 09 17:02:48 introdesk.g02.org systemd[1]: Starting firewalld - dynamic firewall daemon...
Oct 09 17:02:49 introdesk.g02.org systemd[1]: Started firewalld - dynamic firewall daemon.
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: '/sbin/ip6tables-restore -n' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: ERROR: '/sbin/ebtables -t nat -X OUTPUT_direct -P RETURN' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: ERROR: '/sbin/iptables-restore -n' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: ERROR: COMMAND_FAILED
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: '/sbin/ip6tables-restore -n' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: ERROR: '/sbin/iptables-restore -n' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: ERROR: COMMAND_FAILED
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed:
Oct 09 17:02:49 introdesk.g02.org /firewalld[5118]: WARNING: COMMAND_FAILED: '/sbin/iptables -w2 -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed:

Comment 2 Matthias Maier gentoo-dev

2018-02-12 02:46:11 UTC

Please test 0.5.1 and reopen with problem persists.