--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 05/03/2017 12:59 PM, Jehan Procaccia wrote:
On 03/05/2017 at 10:54, Denis Silakov wrote:
Try to set "IndividualCalls=yes" in firewalld.conf.
With that set I now have more explicit errors in the firewalld logs:
2017-05-03 09:31:58 DEBUG2: <class 'firewall.core.ebtables.ebtables'>:
/usr/sbin/ebtables --concurrent -t broute -F
2017-05-03 09:31:58 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2017-05-03 09:31:58 ERROR: '/usr/sbin/ebtables -t broute -F' failed:
...
2017-05-03 09:32:00 DEBUG2: <class 'firewall.core.ebtables.ebtables'>:
/usr/sbin/ebtables --concurrent -t broute -P BROUTING ACCEPT
2017-05-03 09:32:00 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2017-05-03 09:32:00 ERROR: '/usr/sbin/ebtables -t broute -P BROUTING ACCEPT' failed:
I ran these broute commands manually and it returns:
# /usr/sbin/ebtables --concurrent -t broute -F
The kernel doesn't support the ebtables 'broute' table.
So I checked on a second host where firewalld keeps running:
# lsmod |grep ebtab
ebtable_nat 12807 2
ebtable_broute 12731 2
ebtable_filter 12827 2
ebtables 30905 3 ebtable_broute,ebtable_nat,ebtable_filter
bridge 119601 1 ebtable_broute
On the one where it fails:
# lsmod |grep ebtab
ebtable_nat 12807 1
ebtable_filter 12827 3
ebtables 30905 2 ebtable_nat,ebtable_filter
Indeed it lacks ebtable_broute, so:
# modprobe ebtable_broute
and now it works fine ;-), thanks for the tip!
Now why ebtable_broute isn't loaded at boot time is a mystery; if you have an idea?
You probably don't have "firewalld" service running on the host =>
ebtable_broute module can be easily unloaded.
Fixed, now the module will be autoloaded upon request from inside a Container:
https://lists.openvz.org/pipermail/devel/2017-May/070268.html
Thanks.
PS: Virtuozzo host:
# cat /etc/redhat-release
Virtuozzo Linux release 7.3
# uname -a
Linux vz7.int-evry.fr 3.10.0-327.36.1.vz7.20.18 #1 SMP Tue Dec 20 13:52:43 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux
# uptime
11:58:27 up 12 days, 17:59, 4 users, load average: 0,05, 0,20, 0,25
On 05/03/2017 11:23 AM, Jehan Procaccia wrote:
Hello
Since the last update (apparently) my CT with firewalld doesn't work anymore.
CT-db256406 ~# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2017-05-03 08:16:42 UTC; 7s ago
Docs: man:firewalld(1)
Main PID: 759 (firewalld)
CGroup: /system.slice/firewalld.service
└─759 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid --debug=8
May 03 08:16:41 smtpe systemd[1]: Starting firewalld - dynamic firewall daemon...
May 03 08:16:42 smtpe systemd[1]: Started firewalld - dynamic firewall daemon.
May 03 08:16:42 smtpe firewalld[759]: WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
May 03 08:16:42 smtpe firewalld[759]: ERROR: COMMAND_FAILED
I did set prlctl set CTname --netfilter stateful on the host; it worked fine for the last 6 months, but now it fails.
# rpm -q firewalld
firewalld-0.4.3.2-8.1.el7_3.2.noarch
# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
# uname -a
Linux smtpe 3.10.0 #1 SMP Tue Dec 20 13:52:43 MSK 2016 x86_64 x86_64 x86_64 GNU/Linux
These are the last hundred lines of /var/log/firewalld in debug=4 mode:
# grep debug /etc/sysconfig/firewalld
# possible values: --debug
FIREWALLD_ARGS='--debug=4'
...
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ebtables.ebtables'>:
/usr/sbin/ebtables-restore /run/firewalld/temp.aC9x_O: 411
1: *filter
2: -F
3: -X
4: -Z
5: -N INPUT_direct -P RETURN
6: -I INPUT 1 -j INPUT_direct
7: -N OUTPUT_direct -P RETURN
8: -I OUTPUT 1 -j OUTPUT_direct
9: -N FORWARD_direct -P RETURN
10: -I FORWARD 1 -j FORWARD_direct
11: *broute
12: -F
13: -X
14: -Z
15: *nat
16: -F
17: -X
18: -Z
19: -N PREROUTING_direct -P RETURN
20: -I PREROUTING 1 -j PREROUTING_direct
21: -N POSTROUTING_direct -P RETURN
22: -I POSTROUTING 1 -j POSTROUTING_direct
23: -N OUTPUT_direct -P RETURN
24: -I OUTPUT 1 -j OUTPUT_direct
2017-05-03 07:53:22 WARNING: '/usr/sbin/ebtables-restore --noflush' failed:
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>:
/usr/sbin/iptables-restore /run/firewalld/temp.MDuwzR: 1384
1: *filter
2: -D OUTPUT -j OUTPUT_direct
3: -X OUTPUT_direct
4: -D FORWARD -j REJECT --reject-with icmp-host-prohibited
5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
6: -D FORWARD -j FORWARD_OUT_ZONES
7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
8: -D FORWARD -j FORWARD_IN_ZONES
9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
10: -D FORWARD -j FORWARD_direct
11: -D FORWARD -i lo -j ACCEPT
12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
13: -X FORWARD_OUT_ZONES
14: -X FORWARD_OUT_ZONES_SOURCE
15: -X FORWARD_IN_ZONES
16: -X FORWARD_IN_ZONES_SOURCE
17: -X FORWARD_direct
18: -D INPUT -j REJECT --reject-with icmp-host-prohibited
19: -D INPUT -m conntrack --ctstate INVALID -j DROP
20: -D INPUT -j INPUT_ZONES
21: -D INPUT -j INPUT_ZONES_SOURCE
22: -D INPUT -j INPUT_direct
23: -D INPUT -i lo -j ACCEPT
24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
25: -X INPUT_ZONES
26: -X INPUT_ZONES_SOURCE
27: -X INPUT_direct
28: -Z
29: -X
30: -F
31: COMMIT
32: *raw
33: -D OUTPUT -j OUTPUT_direct
34: -X OUTPUT_direct
35: -D PREROUTING -j PREROUTING_direct
36: -X PREROUTING_direct
37: -Z
38: -X
39: -F
40: COMMIT
41: *mangle
42: -D FORWARD -j FORWARD_direct
43: -X FORWARD_direct
44: -D OUTPUT -j OUTPUT_direct
45: -X OUTPUT_direct
46: -D INPUT -j INPUT_direct
47: -X INPUT_direct
48: -D POSTROUTING -j POSTROUTING_direct
49: -X POSTROUTING_direct
50: -D PREROUTING -j PREROUTING_ZONES
51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
52: -X PREROUTING_ZONES
53: -X PREROUTING_ZONES_SOURCE
54: -D PREROUTING -j PREROUTING_direct
55: -X PREROUTING_direct
56: -Z
57: -X
58: -F
59: COMMIT
2017-05-03 07:53:22 DEBUG2: <class 'firewall.core.ipXtables.ip6tables'>:
/usr/sbin/ip6tables-restore /run/firewalld/temp.xFcRvF: 1384
1: *filter
2: -D OUTPUT -j OUTPUT_direct
3: -X OUTPUT_direct
4: -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
5: -D FORWARD -m conntrack --ctstate INVALID -j DROP
6: -D FORWARD -j FORWARD_OUT_ZONES
7: -D FORWARD -j FORWARD_OUT_ZONES_SOURCE
8: -D FORWARD -j FORWARD_IN_ZONES
9: -D FORWARD -j FORWARD_IN_ZONES_SOURCE
10: -D FORWARD -j FORWARD_direct
11: -D FORWARD -i lo -j ACCEPT
12: -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
13: -X FORWARD_OUT_ZONES
14: -X FORWARD_OUT_ZONES_SOURCE
15: -X FORWARD_IN_ZONES
16: -X FORWARD_IN_ZONES_SOURCE
17: -X FORWARD_direct
18: -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
19: -D INPUT -m conntrack --ctstate INVALID -j DROP
20: -D INPUT -j INPUT_ZONES
21: -D INPUT -j INPUT_ZONES_SOURCE
22: -D INPUT -j INPUT_direct
23: -D INPUT -i lo -j ACCEPT
24: -D INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
25: -X INPUT_ZONES
26: -X INPUT_ZONES_SOURCE
27: -X INPUT_direct
28: -Z
29: -X
30: -F
31: COMMIT
32: *raw
33: -D OUTPUT -j OUTPUT_direct
34: -X OUTPUT_direct
35: -D PREROUTING -j PREROUTING_direct
36: -X PREROUTING_direct
37: -Z
38: -X
39: -F
40: COMMIT
41: *mangle
42: -D FORWARD -j FORWARD_direct
43: -X FORWARD_direct
44: -D OUTPUT -j OUTPUT_direct
45: -X OUTPUT_direct
46: -D INPUT -j INPUT_direct
47: -X INPUT_direct
48: -D POSTROUTING -j POSTROUTING_direct
49: -X POSTROUTING_direct
50: -D PREROUTING -j PREROUTING_ZONES
51: -D PREROUTING -j PREROUTING_ZONES_SOURCE
52: -X PREROUTING_ZONES
53: -X PREROUTING_ZONES_SOURCE
54: -D PREROUTING -j PREROUTING_direct
55: -X PREROUTING_direct
56: -Z
57: -X
58: -F
59: COMMIT
2017-05-03 07:53:22 ERROR: COMMAND_FAILED
2017-05-03 07:53:22 DEBUG1: GetAll('org.fedoraproject.FirewallD1')
....
Any help greatly appreciated!
Thanks
PS: perhaps related : https://bugs.centos.org/view.php?id=12450 ?
_______________________________________________
Users mailing list
Users@openvz.org
https://lists.openvz.org/mailman/listinfo/users
--
Regards,
Denis Silakov | Sr. Software Architect, Virtuozzo Linux Team Lead
Otradnaya street 2B/9, “Otradnoye” Business Center | Moscow | Russia
Phone: +7 916-222-9437 | dsila...@virtuozzo.com
Skype: denis.silakov
Virtuozzo.com
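The thread's diagnosis comes down to two observations: firewalld's ebtables backend drives the filter, nat and broute tables, each table is provided by its own kernel module (ebtable_filter, ebtable_nat, ebtable_broute), and when one of them is not loaded the matching `ebtables -t <table>` call fails and firewalld logs COMMAND_FAILED. The script below is an added example, not code from the thread, from firewalld or from Virtuozzo. It packages that diagnosis as two checks: one reads lsmod-style output and reports which of those modules is absent, the other maps a firewalld "failed:" log line back to the module that provides the failing table. The module names are the real kernel module names; the sample lsmod listings and the sample log line are constructed from the lines quoted in the thread, and the `--live` flag is an assumption of this script only.

```shell
#!/bin/sh
# Added example (not from the thread, firewalld or Virtuozzo): check that the
# kernel modules behind the ebtables tables firewalld uses are loaded, and
# turn a firewalld "ebtables -t <table> ... failed:" log line into the name
# of the module to load. Sample inputs are constructed from the thread.

# Real kernel module names behind the tables firewalld's ebtables backend drives.
REQUIRED_EBTABLES_MODULES="ebtables ebtable_filter ebtable_nat ebtable_broute"

# Reads lsmod-style output on stdin (with or without the "Module" header line)
# and prints every required module that is not listed, one per line.
# Returns 0 when nothing is missing, 1 otherwise.
missing_ebtables_modules() {
    loaded=$(awk '$1 != "Module" { print $1 }')
    rc=0
    for mod in $REQUIRED_EBTABLES_MODULES; do
        if ! printf '%s\n' "$loaded" | grep -qx "$mod"; then
            printf '%s\n' "$mod"
            rc=1
        fi
    done
    return $rc
}

# Maps a firewalld log line such as
#   "... ERROR: '/usr/sbin/ebtables -t broute -F' failed:"
# to the module providing the failing table (here ebtable_broute).
# Prints nothing for lines that do not match that shape.
ebtables_module_for_log_line() {
    printf '%s\n' "$1" |
        sed -n 's/.*ebtables -t \([a-z]*\) .* failed:.*/ebtable_\1/p'
}

# Constructed samples: the healthy host and the failing host from the thread.
SAMPLE_LSMOD_OK='ebtable_nat 12807 2
ebtable_broute 12731 2
ebtable_filter 12827 2
ebtables 30905 3 ebtable_broute,ebtable_nat,ebtable_filter
bridge 119601 1 ebtable_broute'

SAMPLE_LSMOD_BROKEN='ebtable_nat 12807 1
ebtable_filter 12827 3
ebtables 30905 2 ebtable_nat,ebtable_filter'

SAMPLE_LOG_LINE="2017-05-03 09:31:58 ERROR: '/usr/sbin/ebtables -t broute -F' failed:"

# Without arguments the script runs on the constructed samples; with the
# hypothetical --live flag it inspects the running kernel via lsmod instead.
if [ "${1:-}" = "--live" ]; then
    if missing=$(lsmod | missing_ebtables_modules); then
        echo "all ebtables table modules are loaded"
    else
        echo "missing modules (load each with: modprobe <name>):"
        echo "$missing"
    fi
else
    echo "healthy sample, missing: '$(printf '%s\n' "$SAMPLE_LSMOD_OK" | missing_ebtables_modules)'"
    echo "failing sample, missing: '$(printf '%s\n' "$SAMPLE_LSMOD_BROKEN" | missing_ebtables_modules)'"
    echo "log line points at module: $(ebtables_module_for_log_line "$SAMPLE_LOG_LINE")"
fi
```

On the failing host from the thread the module check prints `ebtable_broute`, and the log-line mapper turns the quoted `ebtables -t broute -F ... failed:` line into the same name, which is what the `modprobe ebtable_broute` step in the thread supplies. A check like this is most useful before the container's firewalld starts, since the missing module surfaces as a bare COMMAND_FAILED in the service status otherwise.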