RHEL-5790

regression: undefined service causes firewalld load failure in RHEL8.5

    • firewalld-0.9.11-8.el8_10
    • Moderate
    • rhel-sst-networking-core
    • ssg_networking

      Description of problem:
      Firewalld fails to load config when zone contains rich rule with undefined service

      Version-Release number of selected component (if applicable):
      firewalld-0.9.3-7.el8

      How reproducible:
      Every time.

      Steps to Reproduce:
      1. On a RHEL8.5 VM, start firewalld and confirm it is running:
         systemctl start firewalld
         firewall-cmd --state
           running

      2. Add a rich rule using an undefined service:
         /usr/bin/firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent
         /usr/bin/firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.11" service name="ssh" accept' --permanent

      3. Reload config:
         firewall-cmd --reload

      Actual results: Firewalld state becomes not-running, and "failed" when attempted to start with systemd.

      Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
      internal:0:0-0: Error: Could not process rule: No such file or directory
      internal:0:0-0: Error: Could not process rule: No such file or directory
      internal:0:0-0: Error: Could not process rule: No such file or directory
      internal:0:0-0: Error: Could not process rule: No such file or directory
      internal:0:0-0: Error: Could not process rule: No such file or directory
      internal:0:0-0: Error: Could not process rule: No such file or directory
      internal:0:0-0: Error: Could not process rule: No such file or directory
      JSON blob:
      {"nftables": [{"metainfo": {"json_schema_version": 1}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_INPUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_IN_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_OUT_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_FWDO_public"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_POSTROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "oifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_POST_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "filter_FORWARD_IN_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "filter_FWDI_public"}}]}}}, {"insert": {"rule": {"family": "ip", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"insert": {"rule": {"family": "ip6", "table": "firewalld", "chain": "nat_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "nat_PRE_public"}}]}}}, {"insert": {"rule": {"family": "inet", "table": "firewalld", "chain": "mangle_PREROUTING_ZONES", "expr": [{"match": {"left": {"meta": {"key": "iifname"}}, "op": "==", "right": "eth0"}}, {"goto": {"target": "mangle_PRE_public"}}]}}}]}
      [root@rhel8u5-1 zones]# firewall-cmd --state
      not running
      [root@rhel8u5-1 zones]# systemctl stop firewalld
      [root@rhel8u5-1 zones]# systemctl start firewalld
      [root@rhel8u5-1 zones]# systemctl status firewalld
      ● firewalld.service - firewalld - dynamic firewall daemon
      Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor p>
      Active: active (running) since Thu 2021-12-09 13:59:17 EST; 9s ago
      Docs: man:firewalld(1)
      Main PID: 3070 (firewalld)
      Tasks: 2 (limit: 4976)
      Memory: 23.6M
      CGroup: /system.slice/firewalld.service
      └─3070 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork >

      Dec 09 13:59:17 rhel8u5-1.example.com systemd[1]: Starting firewalld - dynamic >
      Dec 09 13:59:17 rhel8u5-1.example.com systemd[1]: Started firewalld - dynamic f>
      Dec 09 13:59:17 rhel8u5-1.example.com firewalld[3070]: WARNING: AllowZoneDrifti>
      Dec 09 13:59:17 rhel8u5-1.example.com firewalld[3070]: ERROR: INVALID_SERVICE: >
      Dec 09 13:59:17 rhel8u5-1.example.com firewalld[3070]: ERROR: 'python-nftables'>

      internal:0:0-0: Error: C>
      internal:0:0-0: Error: C>
      internal:0:0-0: Error: C>
      internal:0:0-0: Error: C>

      firewall-cmd --state
        failed

      Expected results: Firewalld state running.

      firewall-cmd --state
        running

      Additional info:
      Similar to bz 1852133, but now on RHEL8.5.

      In RHEL8.4, the same configuration leaves firewalld running with a working configuration.
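The failure above is triggered at reload time, after the bad rule has already been written to the permanent zone file, so a practitioner wants a pre-flight check that catches a rich rule referencing an undefined service before `firewall-cmd --reload` or a daemon restart. The following is an added example, not code from the report or from firewalld itself. It assumes that firewalld stores permanent rich rules in the zone XML as `<rule>` elements with a `<service name="..."/>` child (the sample zone file below is constructed on that assumption), and that `firewall-cmd --permanent --get-services` lists the defined service names; `known_services_from_dirs()` is an offline alternative that reads the service XML basenames from the standard directories.

```python
import re
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of what /etc/firewalld/zones/public.xml would contain after
# the two --permanent --add-rich-rule calls from the report (assumption about
# firewalld's on-disk layout; "listen" is the undefined service, "ssh" is defined).
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="cockpit"/>
  <rule family="ipv4" priority="-100">
    <source address="10.0.0.10"/>
    <service name="listen"/>
    <accept/>
  </rule>
  <rule family="ipv4" priority="-100">
    <source address="10.0.0.11"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
"""

# Constructed stand-in for the output of `firewall-cmd --permanent --get-services`.
SAMPLE_KNOWN_SERVICES = {"ssh", "cockpit", "dhcpv6-client", "http", "https"}

# The two rich rules exactly as given on the firewall-cmd command line in the report.
RULES_FROM_REPORT = [
    'rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept',
    'rule priority="-100" family="ipv4" source address="10.0.0.11" service name="ssh" accept',
]

# Matches the `service name="..."` element of a rich rule in its text form.
RICH_RULE_SERVICE = re.compile(r'\bservice\s+name="([^"]+)"')


def services_in_rich_rule(rule):
    """Service names referenced by one rich rule written in firewall-cmd syntax."""
    return RICH_RULE_SERVICE.findall(rule)


def services_in_zone_xml(zone_xml):
    """Return (context, service) pairs for every service a zone file references.

    context is "zone" for a plain <service/> entry at zone level and a one-line
    rendering of the <rule> attributes for a service inside a rich rule."""
    root = ET.fromstring(zone_xml)
    found = []
    for svc in root.findall("service"):
        found.append(("zone", svc.get("name", "")))
    for rule in root.findall("rule"):
        desc = "rule " + " ".join('%s="%s"' % (k, v) for k, v in rule.attrib.items())
        for child in rule:
            if child.tag == "service":
                found.append((desc, child.get("name", "")))
    return found


def known_services_from_host():
    """Service names the permanent firewalld configuration defines (needs firewall-cmd)."""
    out = subprocess.run(
        ["firewall-cmd", "--permanent", "--get-services"],
        check=True, stdout=subprocess.PIPE, universal_newlines=True,
    ).stdout
    return set(out.split())


def known_services_from_dirs(dirs):
    """Same answer without a running daemon: basenames of the service XML files."""
    names = set()
    for d in dirs:
        names.update(p.stem for p in Path(d).glob("*.xml"))
    return names


def undefined_services(zone_xml, known):
    """Every (context, service) in the zone whose service has no definition."""
    return [(ctx, name) for ctx, name in services_in_zone_xml(zone_xml)
            if name not in known]


def undefined_in_rich_rules(rules, known):
    """Same check for rich rules still in command-line form, before they are added."""
    return [(rule, name) for rule in rules
            for name in services_in_rich_rule(rule) if name not in known]


if __name__ == "__main__":
    import sys
    # Usage: check_zone.py [/etc/firewalld/zones/<zone>.xml]; exit 1 if anything is undefined.
    zone_file = sys.argv[1] if len(sys.argv) > 1 else "/etc/firewalld/zones/public.xml"
    try:
        known = known_services_from_host()
    except (OSError, subprocess.CalledProcessError):
        known = known_services_from_dirs(["/usr/lib/firewalld/services",
                                          "/etc/firewalld/services"])
    bad = undefined_services(Path(zone_file).read_text(), known)
    for ctx, name in bad:
        print("%s: undefined service %r in %s" % (zone_file, name, ctx))
    sys.exit(1 if bad else 0)
```

Run it against each file under /etc/firewalld/zones/ before a reload (or wire `undefined_in_rich_rules()` in front of whatever automation calls `firewall-cmd --add-rich-rule`); a non-zero exit means the reload would hit the `python-nftables` failure shown above. The code avoids Python 3.7+ APIs so it also runs under the RHEL 8 platform-python interpreter that firewalld itself uses.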

              egarver Eric Garver
              rhn-support-cutaylor Curtis Taylor
              Thomas Haller Thomas Haller
              Jiri Peska Jiri Peska