Package: firewalld
Version: 0.6.3-3
Severity: important

A recent regression in Debian testing broke firewalld. This is on a stock Debian-testing system, without a custom kernel, custom firewall configs, etc. -- just a plain "apt install firewalld". However, it does have libvirt and docker.io installed, which might complicate things (e.g. https://bugs.debian.org/909574).

At boot, these errors already show up in the journal:

| # systemctl status firewalld
| ● firewalld.service - firewalld - dynamic firewall daemon
|    Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
|    Active: active (running) since Mon 2018-11-26 06:23:25 EST; 42s ago
|      Docs: man:firewalld(1)
|  Main PID: 409 (firewalld)
|     Tasks: 2 (limit: 1151)
|    Memory: 35.6M
|    CGroup: /system.slice/firewalld.service
|            └─409 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
|
| Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.2 (nf_tables): Chain 'DOCKER' does not exist
| Try `iptables -h' or 'iptables --help' for more information.
| Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
| Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
| Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
| Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
| Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
| Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
| Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
| Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
| Nov 26 06:23:34 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).

But they really get exposed when reloading:

| # firewall-cmd --reload
| Error: COMMAND_FAILED: '/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables):
| line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
| line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
|
| # echo $?
| 13

The default ip{,6}tables config is quite large, but dumping it here just in case:

| # iptables -L
| Chain INPUT (policy ACCEPT)
| target prot opt source destination
| ACCEPT udp -- anywhere anywhere udp dpt:domain
| ACCEPT tcp -- anywhere anywhere tcp dpt:domain
| ACCEPT udp -- anywhere anywhere udp dpt:bootps
| ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
| ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
| ACCEPT all -- anywhere anywhere
| INPUT_direct all -- anywhere anywhere
| INPUT_ZONES_SOURCE all -- anywhere anywhere
| INPUT_ZONES all -- anywhere anywhere
| DROP all -- anywhere anywhere ctstate INVALID
| REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
|
| Chain FORWARD (policy ACCEPT)
| target prot opt source destination
| DOCKER-USER all -- anywhere anywhere
| DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
| ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
| DOCKER all -- anywhere anywhere
| ACCEPT all -- anywhere anywhere
| ACCEPT all -- anywhere anywhere
| ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
| ACCEPT all -- 192.168.122.0/24 anywhere
| ACCEPT all -- anywhere anywhere
| REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
| REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
| ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
| ACCEPT all -- anywhere anywhere
| FORWARD_direct all -- anywhere anywhere
| FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
| FORWARD_IN_ZONES all -- anywhere anywhere
| FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
| FORWARD_OUT_ZONES all -- anywhere anywhere
| DROP all -- anywhere anywhere ctstate INVALID
| REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
|
| Chain OUTPUT (policy ACCEPT)
| target prot opt source destination
| ACCEPT udp -- anywhere anywhere udp dpt:bootpc
| OUTPUT_direct all -- anywhere anywhere
|
| Chain INPUT_direct (1 references)
| target prot opt source destination
|
| Chain INPUT_ZONES_SOURCE (1 references)
| target prot opt source destination
|
| Chain INPUT_ZONES (1 references)
| target prot opt source destination
| IN_public all -- anywhere anywhere [goto]
| IN_public all -- anywhere anywhere [goto]
|
| Chain FORWARD_direct (1 references)
| target prot opt source destination
|
| Chain FORWARD_IN_ZONES_SOURCE (1 references)
| target prot opt source destination
|
| Chain FORWARD_IN_ZONES (1 references)
| target prot opt source destination
| FWDI_public all -- anywhere anywhere [goto]
| FWDI_public all -- anywhere anywhere [goto]
|
| Chain FORWARD_OUT_ZONES_SOURCE (1 references)
| target prot opt source destination
|
| Chain FORWARD_OUT_ZONES (1 references)
| target prot opt source destination
| FWDO_public all -- anywhere anywhere [goto]
| FWDO_public all -- anywhere anywhere [goto]
|
| Chain OUTPUT_direct (1 references)
| target prot opt source destination
|
| Chain IN_public (2 references)
| target prot opt source destination
| IN_public_log all -- anywhere anywhere
| IN_public_deny all -- anywhere anywhere
| IN_public_allow all -- anywhere anywhere
| ACCEPT icmp -- anywhere anywhere
|
| Chain IN_public_log (1 references)
| target prot opt source destination
|
| Chain IN_public_deny (1 references)
| target prot opt source destination
|
| Chain IN_public_allow (1 references)
| target prot opt source destination
| ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
|
| Chain FWDI_public (2 references)
| target prot opt source destination
| FWDI_public_log all -- anywhere anywhere
| FWDI_public_deny all -- anywhere anywhere
| FWDI_public_allow all -- anywhere anywhere
| ACCEPT icmp -- anywhere anywhere
|
| Chain FWDI_public_log (1 references)
| target prot opt source destination
|
| Chain FWDI_public_deny (1 references)
| target prot opt source destination
|
| Chain FWDI_public_allow (1 references)
| target prot opt source destination
|
| Chain FWDO_public (2 references)
| target prot opt source destination
| FWDO_public_log all -- anywhere anywhere
| FWDO_public_deny all -- anywhere anywhere
| FWDO_public_allow all -- anywhere anywhere
|
| Chain FWDO_public_log (1 references)
| target prot opt source destination
|
| Chain FWDO_public_deny (1 references)
| target prot opt source destination
|
| Chain FWDO_public_allow (1 references)
| target prot opt source destination
|
| Chain DOCKER (1 references)
| target prot opt source destination
|
| Chain DOCKER-ISOLATION-STAGE-1 (1 references)
| target prot opt source destination
| DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
| RETURN all -- anywhere anywhere
|
| Chain DOCKER-ISOLATION-STAGE-2 (1 references)
| target prot opt source destination
| DROP all -- anywhere anywhere
| RETURN all -- anywhere anywhere
|
| Chain DOCKER-USER (1 references)
| target prot opt source destination
| RETURN all -- anywhere anywhere
|
| # ip6tables -L
| Chain INPUT (policy ACCEPT)
| target prot opt source destination
| ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
| ACCEPT all anywhere anywhere
| INPUT_direct all anywhere anywhere
| INPUT_ZONES_SOURCE all anywhere anywhere
| INPUT_ZONES all anywhere anywhere
| DROP all anywhere anywhere ctstate INVALID
| REJECT all anywhere anywhere reject-with icmp6-adm-prohibited
|
| Chain FORWARD (policy ACCEPT)
| target prot opt source destination
| ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
| ACCEPT all anywhere anywhere
| FORWARD_direct all anywhere anywhere
| FORWARD_IN_ZONES_SOURCE all anywhere anywhere
| FORWARD_IN_ZONES all anywhere anywhere
| FORWARD_OUT_ZONES_SOURCE all anywhere anywhere
| FORWARD_OUT_ZONES all anywhere anywhere
| DROP all anywhere anywhere ctstate INVALID
| REJECT all anywhere anywhere reject-with icmp6-adm-prohibited
|
| Chain OUTPUT (policy ACCEPT)
| target prot opt source destination
| OUTPUT_direct all anywhere anywhere
|
| Chain INPUT_direct (1 references)
| target prot opt source destination
|
| Chain INPUT_ZONES_SOURCE (1 references)
| target prot opt source destination
|
| Chain INPUT_ZONES (1 references)
| target prot opt source destination
| IN_public all anywhere anywhere [goto]
| IN_public all anywhere anywhere [goto]
|
| Chain FORWARD_direct (1 references)
| target prot opt source destination
|
| Chain FORWARD_IN_ZONES_SOURCE (1 references)
| target prot opt source destination
|
| Chain FORWARD_IN_ZONES (1 references)
| target prot opt source destination
| FWDI_public all anywhere anywhere [goto]
| FWDI_public all anywhere anywhere [goto]
|
| Chain FORWARD_OUT_ZONES_SOURCE (1 references)
| target prot opt source destination
|
| Chain FORWARD_OUT_ZONES (1 references)
| target prot opt source destination
| FWDO_public all anywhere anywhere [goto]
| FWDO_public all anywhere anywhere [goto]
|
| Chain OUTPUT_direct (1 references)
| target prot opt source destination
|
| Chain IN_public (2 references)
| target prot opt source destination
| IN_public_log all anywhere anywhere
| IN_public_deny all anywhere anywhere
| IN_public_allow all anywhere anywhere
| ACCEPT ipv6-icmp anywhere anywhere
|
| Chain IN_public_log (1 references)
| target prot opt source destination
|
| Chain IN_public_deny (1 references)
| target prot opt source destination
|
| Chain IN_public_allow (1 references)
| target prot opt source destination
| ACCEPT tcp anywhere anywhere tcp dpt:ssh ctstate NEW,UNTRACKED
| ACCEPT udp anywhere fe80::/64 udp dpt:dhcpv6-client ctstate NEW,UNTRACKED
|
| Chain FWDI_public (2 references)
| target prot opt source destination
| FWDI_public_log all anywhere anywhere
| FWDI_public_deny all anywhere anywhere
| FWDI_public_allow all anywhere anywhere
| ACCEPT ipv6-icmp anywhere anywhere
|
| Chain FWDI_public_log (1 references)
| target prot opt source destination
|
| Chain FWDI_public_deny (1 references)
| target prot opt source destination
|
| Chain FWDI_public_allow (1 references)
| target prot opt source destination
|
| Chain FWDO_public (2 references)
| target prot opt source destination
| FWDO_public_log all anywhere anywhere
| FWDO_public_deny all anywhere anywhere
| FWDO_public_allow all anywhere anywhere
|
| Chain FWDO_public_log (1 references)
| target prot opt source destination
|
| Chain FWDO_public_deny (1 references)
| target prot opt source destination
|
| Chain FWDO_public_allow (1 references)
| target prot opt source destination

Related package versions:
- linux-image-4.18.0-2-amd64 4.18.10-2+b1
- docker.io 18.06.1+dfsg1-2
- libvirt-daemon 4.7.0-1+b1

Thanks,
Martin
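Added triage helper, not part of the report or of firewalld: it parses COMMAND_FAILED lines of the shape quoted above, from the journal or from firewall-cmd output, into tool, table, operation, chain and a coarse failure class, so the chain-removal warnings seen at boot can be told apart from the ip6tables-restore RULE_REPLACE failure seen at reload. The sample lines are constructed to mirror the report (hostname shortened); the class names are this helper's own.

```python
import re
import shlex
from collections import Counter

# Constructed sample: journal warnings and the firewall-cmd --reload error,
# in the shape quoted in the report (hostname shortened).
SAMPLE = """\
Nov 26 06:23:33 host firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.2 (nf_tables): Chain 'DOCKER' does not exist
Nov 26 06:23:33 host firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
Nov 26 06:23:33 host firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Nov 26 06:23:33 host firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Error: COMMAND_FAILED: '/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables): line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
"""

FAILED_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']*)' failed: (?P<reason>.*)$")
CHAIN_OPS = {"-A", "-D", "-I", "-X", "-N", "-F", "-R", "-C", "-P"}

def classify(reason):
    """Map the iptables error text to a coarse failure class (names are ours)."""
    if "does not exist" in reason or "No chain/target/match" in reason:
        return "missing_chain"
    if "Bad rule" in reason:
        return "no_matching_rule"
    if "RULE_REPLACE failed" in reason:
        return "restore_replace_failed"
    return "other"

def parse_failures(text):
    """One record per COMMAND_FAILED line: tool, table, op, chain, kind."""
    records = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        argv = shlex.split(m.group("cmd"))
        tool = argv[0].rsplit("/", 1)[-1]
        op = next((a for a in argv if a in CHAIN_OPS), None)
        chain = argv[argv.index(op) + 1] if op else None
        # iptables defaults to filter; *-restore names no table/chain on its command line
        table = argv[argv.index("-t") + 1] if "-t" in argv else ("filter" if op else None)
        if chain is None:
            cm = re.search(r"rule in chain (\S+)", m.group("reason"))
            chain = cm.group(1) if cm else None
        records.append({"tool": tool, "table": table, "op": op,
                        "chain": chain, "kind": classify(m.group("reason"))})
    return records

def summarize(records):
    """Count failures by (kind, tool, table, chain) for a quick triage view."""
    return Counter((r["kind"], r["tool"], r["table"], r["chain"]) for r in records)
```

Feed it `journalctl -u firewalld` output or the stderr of `firewall-cmd --reload`; a non-empty `restore_replace_failed` bucket is the reload breakage, while `missing_chain` entries name chains firewalld tried to remove that were not present.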