CentOS

The Community ENTerprise Operating System
https://forums.centos.org/

[RESOLVED] - Warning in /var/log/firewalld from default config

https://forums.centos.org/viewtopic.php?f=56&t=73491

Page 1 of 1

[RESOLVED] - Warning in /var/log/firewalld from default config

Posted: 2020/02/17 06:32:04
by warron.french
A few days ago I built a laptop with CentOS 8.1, and updated it to latest kernel (4.18.0-147.5.1).

Anyway, in /var/log/firewalld I found the following:

Code: Select all

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
I don't know what file to check or what command to execute to determine why this is happening.
I don't even see iptables listed as a service when I execute systemctl.
There are several other lines in the log file.

Re: Warning in /var/log/firewalld from default config

Posted: 2020/02/17 08:39:19
by sml
They seem to be harmless. From the Firewall and network filtering in libvirt:
If firewalld is active on the host, libvirt will attempt to place the bridge interface of a libvirt virtual network into the firewalld zone named "libvirt" (thus making all guest->host traffic on that network subject to the rules of the "libvirt" zone). This is done because, if firewalld is using its nftables backend (available since firewalld 0.6.0) the default firewalld zone (which would be used if libvirt didn't explicitly set the zone) prevents forwarding traffic from guests through the bridge, as well as preventing DHCP, DNS, and most other traffic from guests to host.

The zone named "libvirt" is installed into the firewalld configuration by libvirt (not by firewalld), and allows forwarded traffic through the bridge as well as DHCP, DNS, TFTP, and SSH traffic to the host - depending on firewalld's backend this will be implemented via either iptables or nftables rules. libvirt's own rules outlined above will *always* be iptables rules regardless of which backend is in use by firewalld.

NB: It is possible to manually set the firewalld zone for a network's interface with the "zone" attribute of the network's "bridge" element.

See also issue #397 in firewalld's GitHub.

A simple solution is reverting to iptables as firewall backend:

Code: Select all

sudo sed -i '/^FirewallBackend/s/=.*/=iptables/' /etc/firewalld/firewalld.conf
But it is actually unnecessary as the libvirt zone is backported to the libvirt in CentOS 8:

Code: Select all

$ sudo firewall-cmd --info-zone=libvirt
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule priority="32767" reject

Re: Warning in /var/log/firewalld from default config

Posted: 2020/02/21 05:08:03
by warron.french
@sml, thanks.

So, in reality, for me, it's nothing to be concerned about at all, yes?

Also, this is less important, but is the refernce to nftables a reference to the ol' NetFilters firewall implementation? I think I have also seen references to nf_conntrack (sp?), is it for the same reason (NetFilters)?

Re: Warning in /var/log/firewalld from default config

Posted: 2020/02/21 11:31:04
by TrevorH
nftables is the new shiny in-kernel replacement for iptables. In RHEL/CentSO 8, iptables is gone and nftables is the new thing. There is an iptables wrapper around nftables that allows those of us who know iptables to use it without having to relearn everything we ever knew straight away. If you run nft list ruleset alongside iptables-save you can see the nftables equivalent of y our iptables rules.

Re: Warning in /var/log/firewalld from default config

Posted: 2020/02/22 09:44:20
by warron.french
TrevorH wrote:
2020/02/21 11:31:04
 nftables is the new shiny in-kernel replacement for iptables. In RHEL/CentSO 8, iptables is gone and nftables is the new thing. There is an iptables wrapper around nftables that allows those of us who know iptables to use it without having to relearn everything we ever knew straight away. If you run nft list ruleset alongside iptables-save you can see the nftables equivalent of y our iptables rules.
TrevorH, you are the man... as usual you educate me, and I appreciate it. Thanks.

Is firewalld still the tool to use to manipulate firewall rules?

Re: Warning in /var/log/firewalld from default config

Posted: 2020/02/22 10:15:08
by TrevorH
You have a choice of 3 ways to do it in el8. You can use firewalld which seems to be RH's preferred method though many of think it's an appalling bloated pig of a thing that shouldn't be let near anything worth protecting! Or you can use nftables directly and use the systemd nftables.service that comes with it. Or you can install iptables and iptables-services and enable the iptables service and use that. Be aware that the iptables wrapper is not 100% coverage of everything that iptables used to do in el7 (and no, I don't know what's missing, it's done everything I asked of it so far but my rules are static and unchanging and fairly simple).

Re: Warning in /var/log/firewalld from default config

Posted: 2020/02/23 04:25:38
by warron.french
Sorry, Trevor, my question was poorly worded. I meant to ask, should I continue to use firewall-cmd to get rules into place?

I know that you think firewalld is a bloated pig (because of the XML I am guessing).

Is there a newer more appropriate method to ensure no corruption? That should have been my actual question, thanks.

Re: Warning in /var/log/firewalld from default config

Posted: 2020/02/23 13:49:39
by TrevorH
If you use firewalld then you must use the tools that it provides like firewall-cmd or its GUI equivalent. If you try to use nft or iptables then the changes you make with those tools will be unknown by firewalld and it will back them out.

Re: Warning in /var/log/firewalld from default config

Posted: 2020/02/24 00:47:25
by hunter86_bg
warron.french wrote:
2020/02/23 04:25:38
 Sorry, Trevor, my question was poorly worded. I meant to ask, should I continue to use firewall-cmd to get rules into place?

I know that you think firewalld is a bloated pig (because of the XML I am guessing).

Is there a newer more appropriate method to ensure no corruption? That should have been my actual question, thanks.
For simple tasks firewalld is enough.
I'm not planning to learn nftables in the near future - so firewalld is acceptable.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited