Bug#919517: firewalld: Failure to start with OpenVPN installed and nftables backend

Sunil Mohan Adapa Wed, 16 Jan 2019 12:39:35 -0800

Package: firewalld
Version: 0.6.3-4
Severity: important
Tags: patch upstream


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Maintainer,

Installing and setting up OpenVPN causes firewalld to fail to start when
nftables backend is being used. The bug can be reproduced as follows:

firewall-cmd --zone=internal --add-interface=tun+

shows:

firewalld[459]: ERROR: Failed to apply rules. A firewall reload might solve the
issue if the firewall has been modified using ip*tables or ebtables.
firewalld[459]: ERROR: '/usr/sbin/nft insert rule inet firewalld
raw_PREROUTING_ZONES iifname tun+ goto raw_PRE_internal' failed: Error: syntax
error, un
                insert rule inet firewalld raw_PREROUTING_ZONES iifname tun+
goto raw_PRE_internal
                                                                           ^

Then adding the rule permanently (as is done during FreedomBox setup of
OpenVPN):

firewall-cmd --zone=internal --add-interface=tun+ --permanent

leads to firewalld not starting properly due to above errors and blocking out
the user from network completely. While this problem is only effecting OpenVPN
there are other problems like functional test suite failing and restoring from
backups (with OpenVPN data) triggering the issue. For FreedomBox this is an RC
issue.

This is a simple fix with nft rules insertion. This is already fixed in
upstream about four weeks ago and that patch is attached. In case, upstream
does not make a release soon, please consider adding this patch to Debian
packaging due to severity of the issue.

Thanks,

- --
Sunil



- -- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_IN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firewalld depends on:
ii  dbus                 1.12.12-1
ii  gir1.2-glib-2.0      1.58.3-2
ii  init-system-helpers  1.56+nmu1
ii  iptables             1.8.2-3
ii  policykit-1          0.105-23
ii  python3              3.7.1-3
ii  python3-dbus         1.2.8-2+b3
ii  python3-gi           3.30.4-1
ii  python3-slip-dbus    0.6.5-2

Versions of packages firewalld recommends:
ii  ebtables  2.0.10.4+snapshot20181205-1
ii  ipset     6.38-1

firewalld suggests no packages.

- -- Configuration Files:
/etc/firewalld/firewalld.conf [Errno 13] Permission denied: 
'/etc/firewalld/firewalld.conf'
/etc/firewalld/lockdown-whitelist.xml [Errno 13] Permission denied: 
'/etc/firewalld/lockdown-whitelist.xml'

- -- no debconf information

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCgAvFiEE5xPDY9ZyWnWupXSBQ+oc/wqnxfIFAlw/k6ARHHN1bmlsQG1l
ZGhhcy5vcmcACgkQQ+oc/wqnxfLZtQ//TWkFhcuX0tQ9HVZv2ltS5MHcBIDr4yMr
uh4ChkvfZJGID0RJBxknlmwjDUHysw9769FWX7jRmci4C2VMjJIQhNm9nhdNzZ3w
ajh+n7NXL58hF1tZx3QjQ7gdVRVSC83pXqn75L1aFghuIoFAADiDM8DgRuhvIdDP
ufMmNgyBbyQ1G3F37FpcObiiMPBr2ibDakUrHD9VjKZk9xT/cltuBP5GPou3zwj2
S/Gs/Q4QamqeIyWMeioGzoDYGOQxCtuI38s8Cf+jbIPASdHRQ+dlfpjepSxjCBmZ
2yX0dBptStV9HH2mmFJkpKQzOnH6TZTYNj1vvD8eh14tZvV83AC618BvlQZC9Joz
r7VbCAylpQf/Pf4WXTVzk/VV4/jXmtYVkASufk3Xj6wVepy+0Eij/gySJOl3b3C5
DCo0GbKkYMkZZxNFee/mm1be9QfVeeSqCvFEIyoQ/sj6Q3UTXkqXybH08OpUiTWY
Rql1VZGUiezsxEh/6vG9XChZEDS0VFRrWAM/u1aO6JbmeJ7kEYaB0+ddlUYLd71R
Y4F2dPAjr6YCQAoeYowMOj1Q1YbDfPhbUHmrhtkO0F3DEz3lpTspAuVVCSNrrB4c
5dkpzoeGdnvjbHqgb/hYez/5ox6VRtn+I5B07L2nd8iV0X/fvqO35Qy1vjDxkHmL
DrRAV0JFIb0=
=yirT
-----END PGP SIGNATURE-----

>From 687953defc201a69e77e8b8f9230cdd34df858db Mon Sep 17 00:00:00 2001
From: Eric Garver <e...@erig.me>
Date: Mon, 17 Dec 2018 12:53:30 -0500
Subject: [PATCH] nftables: Allow interfaces with wildcards

Fixes: rhbz 1644025
(cherry picked from commit aa01eda4c87dd7b5c1f1e884fc7332c6317fed02)
---
 src/firewall/core/nftables.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index a1cb2c47..50303e94 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -475,6 +475,9 @@ class nftables(object):
             "OUTPUT": "oifname",
         }[chain]
 
+        if interface[len(interface)-1] == "+":
+            interface = interface[:len(interface)-1] + "*"
+
         target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
         if zone_target == DEFAULT_ZONE_TARGET:
             action = "goto"
@@ -486,10 +489,10 @@ class nftables(object):
             rule = ["add", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % 
(table, chain)]
         else:
             rule = ["delete", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" 
% (table, chain)]
-        if interface == "+":
+        if interface == "*":
             rule += [action, "%s_%s" % (table, target)]
         else:
-            rule += [opt, interface, action, "%s_%s" % (table, target)]
+            rule += [opt, "\"" + interface + "\"", action, "%s_%s" % (table, 
target)]
         return [rule]
 
     def build_zone_source_address_rules(self, enable, zone, zone_target,
-- 
2.20.1

Bug#919517: firewalld: Failure to start with OpenVPN installed and nftables backend

Reply via email to