On Mon, Nov 26, 2018 at 05:50:56PM +0100, Martin Pitt wrote:
> Hello Eric,
>
> Eric Garver [2018-11-26 10:20 -0500]:
> > No. As far as I can tell, firewalld never uses iptables -R (rule
> > replace) option. It's possible this is being triggered by something
> > external via the direct/passthrough interface (e.g. docker, libvirt).
>
> I collected some more info here:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694#10
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914694#15
>
> In short, these take docker and libvirt out of the game, it happens with pure
> kernel 4.18 (same version works on Fedora, fails on Debian) + iptables-nft
> 1.8.2 (F29 uses iptables 1.8.0, and possibly not the -nft version), and
> firewalld 0.6.3 (again, same as in Fedora 29).

Fedora uses iptables-legacy.

# iptables -V
iptables v1.8.0 (legacy)

> > Setting IndividualCalls=yes in /etc/firewalld/firewalld.conf will be
> > more verbose and help in debugging the cause.
>
> Fun, this actually *fixes* the problem:

That makes it smell like an iptables-restore issue in the nftables backed
version of iptables. It would be great if we could reproduce without
firewalld using iptables-restore.

>
> | # firewall-cmd --reload
> | success
>
> Plus, the initial startup noise of unknown tables/bad rules (which ALSO happen
> on F29!) are entirely gone as well:

That went away because you disabled docker. See here:
https://bugzilla.redhat.com/show_bug.cgi?id=1594657
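The two checks the thread turns on (which iptables build the distro ships, and whether firewalld's IndividualCalls switch is on) as a small POSIX shell helper; this is an added example, not code from the thread or from firewalld, and the firewalld.conf it reads in its self-test is a constructed sample.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or from firewalld): tells the
# iptables-legacy and iptables-nft builds apart and reports firewalld's
# IndividualCalls setting, the two knobs that decided the bug report above.

# Classify an `iptables -V` line: prints legacy, nf_tables or unknown.
iptables_variant() {
    case "$1" in
        *"(legacy)"*)    echo legacy ;;
        *"(nf_tables)"*) echo nf_tables ;;
        *)               echo unknown ;;
    esac
}

# Read IndividualCalls from a firewalld.conf; prints yes or no.
# A missing file, or a missing/commented-out key, means the default, "no".
individual_calls_enabled() {
    [ -r "$1" ] || { echo no; return; }
    val=$(sed -n 's/^[[:space:]]*IndividualCalls[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    case "$val" in
        yes|YES|Yes|true|TRUE|True) echo yes ;;
        *) echo no ;;
    esac
}

# Write a constructed sample firewalld.conf with the given IndividualCalls
# value (the commented-out default line mimics the stock file) and print its path.
make_sample_conf() {
    f=$(mktemp)
    printf '# firewalld config file\nDefaultZone=public\n# IndividualCalls=no\nIndividualCalls=%s\n' "$1" > "$f"
    echo "$f"
}

# Summarise the live host; only runs when invoked as `sh script.sh --report`.
report() {
    v=$(iptables -V 2>/dev/null || echo unknown)
    echo "iptables build:  $(iptables_variant "$v")"
    echo "IndividualCalls: $(individual_calls_enabled /etc/firewalld/firewalld.conf)"
}

if [ "${1:-}" = "--report" ]; then report; fi
```

A host reporting `nf_tables` with IndividualCalls off is the configuration the thread found failing; flipping the switch routes firewalld around iptables-restore, which is what pointed at the nftables backend.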