Hello Eric,

Eric Garver [2018-11-26 10:20 -0500]:
> No. As far as I can tell, firewalld never uses iptables -R (rule
> replace) option. It's possible this is being triggered by something
> external via the direct/passthrough interface (e.g. docker, libvirt).

I collected some more info here:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694#10
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694#15

In short, these take docker and libvirt out of the game; it happens with pure kernel 4.18 (same version works on Fedora, fails on Debian) + iptables-nft 1.8.2 (F29 uses iptables 1.8.0, and possibly not the -nft version), and firewalld 0.6.3 (again, same as in Fedora 29).

> Setting IndividualCalls=yes in /etc/firewalld/firewalld.conf will be
> more verbose and help in debugging the cause.

Fun, this actually *fixes* the problem:

| # firewall-cmd --reload
| success

Plus, the initial startup noise of unknown tables/bad rules (which ALSO happens on F29!) is entirely gone as well:

| # systemctl status firewalld
| ● firewalld.service - firewalld - dynamic firewall daemon
|    Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset
|    Active: active (running) since Mon 2018-11-26 16:49:18 UTC; 23s ago
|      Docs: man:firewalld(1)
|  Main PID: 241 (firewalld)
|     Tasks: 2 (limit: 2365)
|    Memory: 40.0M
|    CGroup: /system.slice/firewalld.service
|            └─241 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
|
| Nov 26 16:49:18 debian systemd[1]: Starting firewalld - dynamic firewall daemon.
| Nov 26 16:49:18 debian systemd[1]: Started firewalld - dynamic firewall daemon.

So this is at least a practical quick workaround for the problem.

> I also notice debian-testing is now using iptables-nft instead of
> iptables-legacy. We've been finding (and fixing!) a fair amount of
> compatibility issues in iptables-nft - perhaps you've found another.

This indeed smells like the relevant difference.

Thanks!

Martin
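The workaround Martin confirms above (IndividualCalls=yes in /etc/firewalld/firewalld.conf, then a reload) is applied here as an added shell example; it is not part of the thread or of firewalld itself. The helper names, the guard flag and the constructed config content are this example's own assumptions; the config key and path are the ones named in the message.

```shell
# Added example (not from the thread): enable the IndividualCalls workaround
# in a given firewalld.conf idempotently, and show how to read it back.
# The helper names and the --apply guard are this example's own.

set -eu

# Set IndividualCalls=yes in the firewalld.conf given as $1.
# Handles three cases: key present with another value, key present but
# commented out, and key absent (appended at the end).
set_individual_calls() {
    conf="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*IndividualCalls=' "$conf"; then
        # Replace the existing (possibly commented-out) line in place.
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*IndividualCalls=.*/IndividualCalls=yes/' "$conf"
    else
        printf '\nIndividualCalls=yes\n' >> "$conf"
    fi
}

# Print the effective value (last uncommented assignment wins), or "unset".
get_individual_calls() {
    conf="$1"
    val=$(grep -E '^[[:space:]]*IndividualCalls=' "$conf" | tail -n 1 | cut -d= -f2 | tr -d '[:space:]')
    printf '%s\n' "${val:-unset}"
}

# Full workaround on a live host: edit the real config, then reload so
# firewalld re-applies its rule set with one iptables call per rule.
apply_workaround() {
    set_individual_calls /etc/firewalld/firewalld.conf
    firewall-cmd --reload
}

# Only touch the live system when explicitly asked (./script.sh --apply).
if [ "${1:-}" = "--apply" ]; then
    apply_workaround
fi
```

Running the script with `--apply` as root edits the real file and reloads; without it the functions are only defined, so the edit can first be tried on a copy of firewalld.conf. Because IndividualCalls=yes makes firewalld issue one iptables call per rule instead of a batched restore, a reload takes longer, which is why the setting is meant for debugging rather than as a permanent default.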