Hi Eric,

I recently switched firewalld back to iptables given the feedback in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909574

This seems to have caused a regression. Does this specific problem ring a bell?

Regards,
Michael

On 26.11.18 at 12:30, Martin Pitt wrote:
> Package: firewalld
> Version: 0.6.3-3
> Severity: important
>
> A recent regression in Debian testing broke firewalld. This is on a stock
> Debian-testing system, without a custom kernel, custom firewall configs, etc.
> -- just a plain "apt install firewalld". However, it does have libvirt and
> docker.io installed, which might complicate things (e. g.
> https://bugs.debian.org/909574).
>
> At boot, these errors already show up in the journal:
>
> | # systemctl status firewalld
> | ● firewalld.service - firewalld - dynamic firewall daemon
> |    Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
> |    Active: active (running) since Mon 2018-11-26 06:23:25 EST; 42s ago
> |      Docs: man:firewalld(1)
> |  Main PID: 409 (firewalld)
> |     Tasks: 2 (limit: 1151)
> |    Memory: 35.6M
> |    CGroup: /system.slice/firewalld.service
> |            └─409 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
> |
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.2 (nf_tables): Chain 'DOCKER' does not exist
> | Try `iptables -h' or 'iptables --help' for more information.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D PREROUTING' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D OUTPUT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -X DOCKER' failed: iptables: No chain/target/match by that name.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
> | Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
> | Nov 26 06:23:34 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
>
> But they really get exposed when reloading:
>
> | # firewall-cmd --reload
> | Error: COMMAND_FAILED: '/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables):
> | line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
> | line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
> |
> | # echo $?
> | 13
>
> The default ip{,6}tables config is quite large, but dumping it here just in
> case:
>
> | # iptables -L
> | Chain INPUT (policy ACCEPT)
> | target     prot opt source               destination
> | ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
> | ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
> | ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
> | ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
> | ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> | ACCEPT     all  --  anywhere             anywhere
> | INPUT_direct  all  --  anywhere             anywhere
> | INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
> | INPUT_ZONES  all  --  anywhere             anywhere
> | DROP       all  --  anywhere             anywhere             ctstate INVALID
> | REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
> |
> | Chain FORWARD (policy ACCEPT)
> | target     prot opt source               destination
> | DOCKER-USER  all  --  anywhere             anywhere
> | DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
> | ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> | DOCKER     all  --  anywhere             anywhere
> | ACCEPT     all  --  anywhere             anywhere
> | ACCEPT     all  --  anywhere             anywhere
> | ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
> | ACCEPT     all  --  192.168.122.0/24     anywhere
> | ACCEPT     all  --  anywhere             anywhere
> | REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
> | REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
> | ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
> | ACCEPT     all  --  anywhere             anywhere
> | FORWARD_direct  all  --  anywhere             anywhere
> | FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
> | FORWARD_IN_ZONES  all  --  anywhere             anywhere
> | FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
> | FORWARD_OUT_ZONES  all  --  anywhere             anywhere
> | DROP       all  --  anywhere             anywhere             ctstate INVALID
> | REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
> |
> | Chain OUTPUT (policy ACCEPT)
> | target     prot opt source               destination
> | ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
> | OUTPUT_direct  all  --  anywhere             anywhere
> |
> | Chain INPUT_direct (1 references)
> | target     prot opt source               destination
> |
> | Chain INPUT_ZONES_SOURCE (1 references)
> | target     prot opt source               destination
> |
> | Chain INPUT_ZONES (1 references)
> | target     prot opt source               destination
> | IN_public  all  --  anywhere             anywhere            [goto]
> | IN_public  all  --  anywhere             anywhere            [goto]
> |
> | Chain FORWARD_direct (1 references)
> | target     prot opt source               destination
> |
> | Chain FORWARD_IN_ZONES_SOURCE (1 references)
> | target     prot opt source               destination
> |
> | Chain FORWARD_IN_ZONES (1 references)
> | target     prot opt source               destination
> | FWDI_public  all  --  anywhere             anywhere            [goto]
> | FWDI_public  all  --  anywhere             anywhere            [goto]
> |
> | Chain FORWARD_OUT_ZONES_SOURCE (1 references)
> | target     prot opt source               destination
> |
> | Chain FORWARD_OUT_ZONES (1 references)
> | target     prot opt source               destination
> | FWDO_public  all  --  anywhere             anywhere            [goto]
> | FWDO_public  all  --  anywhere             anywhere            [goto]
> |
> | Chain OUTPUT_direct (1 references)
> | target     prot opt source               destination
> |
> | Chain IN_public (2 references)
> | target     prot opt source               destination
> | IN_public_log  all  --  anywhere             anywhere
> | IN_public_deny  all  --  anywhere             anywhere
> | IN_public_allow  all  --  anywhere             anywhere
> | ACCEPT     icmp --  anywhere             anywhere
> |
> | Chain IN_public_log (1 references)
> | target     prot opt source               destination
> |
> | Chain IN_public_deny (1 references)
> | target     prot opt source               destination
> |
> | Chain IN_public_allow (1 references)
> | target     prot opt source               destination
> | ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW,UNTRACKED
> |
> | Chain FWDI_public (2 references)
> | target     prot opt source               destination
> | FWDI_public_log  all  --  anywhere             anywhere
> | FWDI_public_deny  all  --  anywhere             anywhere
> | FWDI_public_allow  all  --  anywhere             anywhere
> | ACCEPT     icmp --  anywhere             anywhere
> |
> | Chain FWDI_public_log (1 references)
> | target     prot opt source               destination
> |
> | Chain FWDI_public_deny (1 references)
> | target     prot opt source               destination
> |
> | Chain FWDI_public_allow (1 references)
> | target     prot opt source               destination
> |
> | Chain FWDO_public (2 references)
> | target     prot opt source               destination
> | FWDO_public_log  all  --  anywhere             anywhere
> | FWDO_public_deny  all  --  anywhere             anywhere
> | FWDO_public_allow  all  --  anywhere             anywhere
> |
> | Chain FWDO_public_log (1 references)
> | target     prot opt source               destination
> |
> | Chain FWDO_public_deny (1 references)
> | target     prot opt source               destination
> |
> | Chain FWDO_public_allow (1 references)
> | target     prot opt source               destination
> |
> | Chain DOCKER (1 references)
> | target     prot opt source               destination
> |
> | Chain DOCKER-ISOLATION-STAGE-1 (1 references)
> | target     prot opt source               destination
> | DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
> | RETURN     all  --  anywhere             anywhere
> |
> | Chain DOCKER-ISOLATION-STAGE-2 (1 references)
> | target     prot opt source               destination
> | DROP       all  --  anywhere             anywhere
> | RETURN     all  --  anywhere             anywhere
> |
> | Chain DOCKER-USER (1 references)
> | target     prot opt source               destination
> | RETURN     all  --  anywhere             anywhere
>
>
> | # ip6tables -L
> | Chain INPUT (policy ACCEPT)
> | target     prot opt source               destination
> | ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
> | ACCEPT     all      anywhere             anywhere
> | INPUT_direct  all      anywhere             anywhere
> | INPUT_ZONES_SOURCE  all      anywhere             anywhere
> | INPUT_ZONES  all      anywhere             anywhere
> | DROP       all      anywhere             anywhere             ctstate INVALID
> | REJECT     all      anywhere             anywhere             reject-with icmp6-adm-prohibited
> |
> | Chain FORWARD (policy ACCEPT)
> | target     prot opt source               destination
> | ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
> | ACCEPT     all      anywhere             anywhere
> | FORWARD_direct  all      anywhere             anywhere
> | FORWARD_IN_ZONES_SOURCE  all      anywhere             anywhere
> | FORWARD_IN_ZONES  all      anywhere             anywhere
> | FORWARD_OUT_ZONES_SOURCE  all      anywhere             anywhere
> | FORWARD_OUT_ZONES  all      anywhere             anywhere
> | DROP       all      anywhere             anywhere             ctstate INVALID
> | REJECT     all      anywhere             anywhere             reject-with icmp6-adm-prohibited
> |
> | Chain OUTPUT (policy ACCEPT)
> | target     prot opt source               destination
> | OUTPUT_direct  all      anywhere             anywhere
> |
> | Chain INPUT_direct (1 references)
> | target     prot opt source               destination
> |
> | Chain INPUT_ZONES_SOURCE (1 references)
> | target     prot opt source               destination
> |
> | Chain INPUT_ZONES (1 references)
> | target     prot opt source               destination
> | IN_public  all      anywhere             anywhere            [goto]
> | IN_public  all      anywhere             anywhere            [goto]
> |
> | Chain FORWARD_direct (1 references)
> | target     prot opt source               destination
> |
> | Chain FORWARD_IN_ZONES_SOURCE (1 references)
> | target     prot opt source               destination
> |
> | Chain FORWARD_IN_ZONES (1 references)
> | target     prot opt source               destination
> | FWDI_public  all      anywhere             anywhere            [goto]
> | FWDI_public  all      anywhere             anywhere            [goto]
> |
> | Chain FORWARD_OUT_ZONES_SOURCE (1 references)
> | target     prot opt source               destination
> |
> | Chain FORWARD_OUT_ZONES (1 references)
> | target     prot opt source               destination
> | FWDO_public  all      anywhere             anywhere            [goto]
> | FWDO_public  all      anywhere             anywhere            [goto]
> |
> | Chain OUTPUT_direct (1 references)
> | target     prot opt source               destination
> |
> | Chain IN_public (2 references)
> | target     prot opt source               destination
> | IN_public_log  all      anywhere             anywhere
> | IN_public_deny  all      anywhere             anywhere
> | IN_public_allow  all      anywhere             anywhere
> | ACCEPT     ipv6-icmp    anywhere             anywhere
> |
> | Chain IN_public_log (1 references)
> | target     prot opt source               destination
> |
> | Chain IN_public_deny (1 references)
> | target     prot opt source               destination
> |
> | Chain IN_public_allow (1 references)
> | target     prot opt source               destination
> | ACCEPT     tcp      anywhere             anywhere             tcp dpt:ssh ctstate NEW,UNTRACKED
> | ACCEPT     udp      anywhere             fe80::/64            udp dpt:dhcpv6-client ctstate NEW,UNTRACKED
> |
> | Chain FWDI_public (2 references)
> | target     prot opt source               destination
> | FWDI_public_log  all      anywhere             anywhere
> | FWDI_public_deny  all      anywhere             anywhere
> | FWDI_public_allow  all      anywhere             anywhere
> | ACCEPT     ipv6-icmp    anywhere             anywhere
> |
> | Chain FWDI_public_log (1 references)
> | target     prot opt source               destination
> |
> | Chain FWDI_public_deny (1 references)
> | target     prot opt source               destination
> |
> | Chain FWDI_public_allow (1 references)
> | target     prot opt source               destination
> |
> | Chain FWDO_public (2 references)
> | target     prot opt source               destination
> | FWDO_public_log  all      anywhere             anywhere
> | FWDO_public_deny  all      anywhere             anywhere
> | FWDO_public_allow  all      anywhere             anywhere
> |
> | Chain FWDO_public_log (1 references)
> | target     prot opt source               destination
> |
> | Chain FWDO_public_deny (1 references)
> | target     prot opt source               destination
> |
> | Chain FWDO_public_allow (1 references)
> | target     prot opt source               destination
>
> Related package versions:
> - linux-image-4.18.0-2-amd64 4.18.10-2+b1
> - docker.io 18.06.1+dfsg1-2
> - libvirt-daemon 4.7.0-1+b1
>
> Thanks,
>
> --
> Why is it that all of the instruments seeking intelligent life in the
> universe are pointed away from Earth?
_______________________________________________ Pkg-utopia-maintainers mailing list Pkg-utopia-maintainers@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-utopia-maintainers
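Added triage helper for the warnings quoted in the report above. This is example code written for this page, not part of firewalld, Debian or the thread; it assumes journal lines of the shape shown (firewalld's "COMMAND_FAILED: '<command>' failed: <iptables message>") and the "iptables vX.Y.Z (nf_tables|legacy)" banner that iptables 1.8 prints in its error messages, and its sample input is constructed from the quoted lines. The report does not identify the cause; what the helper gives a maintainer is a count of failures by address family, backend, table and failure kind, plus a way to confirm which backend each iptables binary on the host actually is. That last check matters because iptables 1.8 ships both an nf_tables and a legacy variant, and rules created through one are not visible to the other, so a chain that docker created through one variant would look missing to firewalld commands going through the other.

```sh
#!/bin/sh
# Triage helper added for this page. It is not part of firewalld, Debian or
# the bug report above; it only parses text of the shape quoted there, so it
# runs offline. The journalctl/iptables invocations at the end are the
# intended real-world use on an affected host.

# classify_failure LINE
#   Prints "family|backend|table|kind" for one firewalld WARNING line or one
#   line of firewall-cmd --reload output:
#   family  : ipv4 or ipv6 (from the iptables/ip6tables binary name)
#   backend : nf_tables or legacy from the "vX.Y.Z (backend)" banner that
#             iptables >= 1.8 puts in its error messages, else unknown
#   table   : the -t argument of the failed command, filter when absent
#   kind    : missing_chain, missing_rule, restore_replace or other
classify_failure() {
    line=$1
    family=unknown
    case $line in
        *ip6tables*) family=ipv6 ;;
        *iptables*)  family=ipv4 ;;
    esac
    backend=unknown
    case $line in
        *"(nf_tables)"*) backend=nf_tables ;;
        *"(legacy)"*)    backend=legacy ;;
    esac
    table=filter
    case $line in
        *" -t nat "*)    table=nat ;;
        *" -t mangle "*) table=mangle ;;
        *" -t raw "*)    table=raw ;;
    esac
    kind=other
    case $line in
        *"does not exist"*|*"No chain/target/match by that name"*) kind=missing_chain ;;
        *"Bad rule (does a matching rule exist"*)                 kind=missing_rule ;;
        *"RULE_REPLACE failed"*)                                  kind=restore_replace ;;
    esac
    printf '%s|%s|%s|%s\n' "$family" "$backend" "$table" "$kind"
}

# summarize
#   Reads journal or firewall-cmd output on stdin and prints one count per
#   distinct family|backend|table|kind, most frequent first.
summarize() {
    while IFS= read -r l; do
        case $l in
            *COMMAND_FAILED*|*"RULE_REPLACE failed"*) classify_failure "$l" ;;
        esac
    done | sort | uniq -c | sort -rn
}

# backend_of BANNER
#   Maps the output of `iptables -V` to the backend that binary uses.
#   iptables before 1.8 only had the xtables (legacy) backend and prints no
#   suffix. Run it for both iptables and ip6tables: the two symlinks can
#   point at different variants.
backend_of() {
    case $1 in
        *"(nf_tables)"*)                  echo nf_tables ;;
        *"(legacy)"*)                     echo legacy ;;
        "iptables v1."*|"ip6tables v1."*) echo legacy ;;
        *)                                echo unknown ;;
    esac
}

# Stand-alone demo over four lines constructed from the warnings quoted in
# the report (constructed sample input, not a live journal).
demo() {
    summarize <<'EOF'
Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t nat -D OUTPUT -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables v1.8.2 (nf_tables): Chain 'DOCKER' does not exist
Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
Nov 26 06:23:33 unassigned-hostname firewalld[409]: WARNING: COMMAND_FAILED: '/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
EOF
}
demo

# On the affected host:
#   journalctl -b -u firewalld --no-pager | summarize
#   backend_of "$(iptables -V)"; backend_of "$(ip6tables -V)"
```

The classification is deliberately string-based so it works on the journal text as pasted into a bug report, without needing the host. Only lines that carry the iptables version banner reveal the backend; the "Bad rule" and "No chain/target/match" messages in the report do not, which is why those rows come out as backend unknown and why the `backend_of` check on the real binaries is the complementary step.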