I have several machines still running Fedora 23 but otherwise kept 
current with all posted updates. The latest kernel, 4.7.10-100.fc23, is 
causing me several troubles.

1. On these machines, I run iptables but not firewalld. The only reason 
I need either is to provide a NAT service. With the latest kernel, 
iptables with NAT refuses to start. From syslog:

> (Date elided below for readability)
> systemd: Starting IPv4 firewall with iptables...
> iptables.init: iptables: Applying firewall rules: iptables-restore v1.4.21: 
> iptables-restore: unable to initialize table 'nat'
> iptables.init: Error occurred at line: 1
> iptables.init: Try `iptables-restore -h' or 'iptables-restore --help' for 
> more information.
> iptables.init: [FAILED]
> systemd: iptables.service: Main process exited, code=exited, status=1/FAILURE
> audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 
> msg='unit=iptables comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? 
> addr=? terminal=? res=failed'
> systemd: Failed to start IPv4 firewall with iptables.
> systemd: iptables.service: Unit entered failed state.
> systemd: iptables.service: Failed with result 'exit-code'.

Downgrading to kernel 4.7.9-100.fc23 resolved this issue.

2. These machines have two network interfaces and act as a bridge 
between two networks, one public and the other RFC1918. That's why they 
need the NAT. When performing an SSH connection from one of these 
machines to one of the other machines on its own RFC1918 network, the 
source of the connection is reported as the machine's public address, 
not its RFC1918 address. That violates some of the SSHD rules used on 
the target machine and prevents the connection. With previous kernels, 
the reported source address was the machine's RFC1918 address.

Downgrading to kernel 4.7.9-100.fc23 did NOT resolve this issue. It may 
be (should be) possible to resolve it by re-installing with the earlier 
kernel but I haven't yet tried that.
-- 
Dave Close
_______________________________________________
users mailing list -- users@lists.fedoraproject.org