[RESOLVED] - Warning in /var/log/firewalld from default config

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

[RESOLVED] - Warning in /var/log/firewalld from default config

Post by warron.french » 2020/02/17 06:32:04

A few days ago I built a laptop with CentOS 8.1, and updated it to latest kernel (4.18.0-147.5.1).

Anyway, in /var/log/firewalld I found the following:

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 255.255.255.255/32 --jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p tcp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p udp ! --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed: iptables: Bad rule (does a matching rule exist in that chain?).

2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
I don't know what file to check or what command to execute to determine why this is happening.
I don't even see iptables listed as a service when I execute systemctl.
There are several other lines in the log file.
Last edited by warron.french on 2020/02/25 01:21:31, edited 1 time in total.
Thanks,
War

sml
Posts: 305
Joined: 2020/01/17 09:01:44

Re: Warning in /var/log/firewalld from default config

Post by sml » 2020/02/17 08:39:19

They seem to be harmless. From the Firewall and network filtering in libvirt:
If firewalld is active on the host, libvirt will attempt to place the bridge interface of a libvirt virtual network into the firewalld zone named "libvirt" (thus making all guest->host traffic on that network subject to the rules of the "libvirt" zone). This is done because, if firewalld is using its nftables backend (available since firewalld 0.6.0) the default firewalld zone (which would be used if libvirt didn't explicitly set the zone) prevents forwarding traffic from guests through the bridge, as well as preventing DHCP, DNS, and most other traffic from guests to host.

The zone named "libvirt" is installed into the firewalld configuration by libvirt (not by firewalld), and allows forwarded traffic through the bridge as well as DHCP, DNS, TFTP, and SSH traffic to the host - depending on firewalld's backend this will be implemented via either iptables or nftables rules. libvirt's own rules outlined above will *always* be iptables rules regardless of which backend is in use by firewalld.

NB: It is possible to manually set the firewalld zone for a network's interface with the "zone" attribute of the network's "bridge" element.

See also issue #397 in firewalld's GitHub.

A simple solution is reverting to iptables as firewall backend:

sudo sed -i '/^FirewallBackend/s/=.*/=iptables/' /etc/firewalld/firewalld.conf
But it is actually unnecessary as the libvirt zone is backported to libvirt in CentOS 8:

$ sudo firewall-cmd --info-zone=libvirt
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule priority="32767" reject
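As an added example (not sml's code and not part of firewalld or libvirt), the POSIX shell script below triages a copy of /var/log/firewalld along the lines of the answer above: it counts the libvirt rule-cleanup warnings (an iptables --delete naming virbr0 or 192.168.122.0/24 that fails with "Bad rule") separately from any other COMMAND_FAILED entry, and reads FirewallBackend from a firewalld.conf-style file before and after the sed one-liner. The function names and both sample files are constructed for this illustration; it assumes GNU sed (for -i) and works on temporary files, never on the live /etc/firewalld/firewalld.conf.

```shell
#!/bin/sh
# Added triage script (not from the thread, firewalld or libvirt). Function
# names and both sample files are constructed for this example.

SAMPLE_LOG=$(mktemp)
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"' EXIT

# Constructed sample of /var/log/firewalld: two libvirt cleanup warnings of the
# kind shown in the thread, one unrelated COMMAND_FAILED, one non-COMMAND_FAILED line.
cat > "$SAMPLE_LOG" <<'EOF'
2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table nat --delete POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24 --jump MASQUERADE' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2020-02-12 00:42:12 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed: iptables: Bad rule (does a matching rule exist in that chain?).
2020-02-12 00:43:01 WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -w --table filter --append INPUT --jump EXAMPLE_CHAIN' failed: iptables: No chain/target/match by that name.
2020-02-12 00:43:05 ERROR: INVALID_ZONE: example
EOF

# Constructed firewalld.conf fragment; the commented-out key must be ignored.
cat > "$SAMPLE_CONF" <<'EOF'
# firewalld config file (constructed sample)
DefaultZone=public
# FirewallBackend=iptables
FirewallBackend=nftables
EOF

# Count the libvirt cleanup noise: a COMMAND_FAILED for an iptables --delete that
# names the virbr0 bridge or the default 192.168.122.0/24 network and is answered
# with "Bad rule", i.e. libvirt removing a rule it never installed.
count_libvirt_cleanup_warnings() {
    grep -E -e '--delete .*(virbr0|192\.168\.122\.0/24).*Bad rule' "$1" \
        | grep -c 'COMMAND_FAILED' || true
}

# Print the COMMAND_FAILED lines that do not fit that pattern; these need a look.
other_command_failures() {
    grep 'COMMAND_FAILED' "$1" \
        | grep -E -v -e '--delete .*(virbr0|192\.168\.122\.0/24).*Bad rule' || true
}

count_other_command_failures() {
    other_command_failures "$1" | wc -l | tr -d ' '
}

# Print the FirewallBackend value from a firewalld.conf-style file, ignoring
# comment lines; "unset" when the key is absent (last assignment wins).
firewall_backend() {
    v=$(sed -n 's/^[[:space:]]*FirewallBackend[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# The thread's sed one-liner, applied here to the sample file (GNU sed assumed).
# On a real host the change only takes effect after firewalld is restarted.
switch_backend_to_iptables() {
    sed -i '/^FirewallBackend/s/=.*/=iptables/' "$1"
}

printf 'libvirt cleanup warnings (harmless): %s\n' "$(count_libvirt_cleanup_warnings "$SAMPLE_LOG")"
printf 'other COMMAND_FAILED entries:        %s\n' "$(count_other_command_failures "$SAMPLE_LOG")"
other_command_failures "$SAMPLE_LOG"
BACKEND_BEFORE=$(firewall_backend "$SAMPLE_CONF")
switch_backend_to_iptables "$SAMPLE_CONF"
BACKEND_AFTER=$(firewall_backend "$SAMPLE_CONF")
printf 'FirewallBackend: %s -> %s\n' "$BACKEND_BEFORE" "$BACKEND_AFTER"
```

On a real host, point the two log functions at /var/log/firewalld and firewall_backend at /etc/firewalld/firewalld.conf; only the "other" bucket needs investigation, and, as the thread notes, switching the backend is optional on CentOS 8 because the libvirt zone is already present.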

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: Warning in /var/log/firewalld from default config

Post by warron.french » 2020/02/21 05:08:03

@sml, thanks.

So, in reality, for me, it's nothing to be concerned about at all, yes?

Also, this is less important, but is the reference to nftables a reference to the ol' NetFilters firewall implementation? I think I have also seen references to nf_conntrack (sp?), is it for the same reason (NetFilters)?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Warning in /var/log/firewalld from default config

Post by TrevorH » 2020/02/21 11:31:04

nftables is the new shiny in-kernel replacement for iptables. In RHEL/CentOS 8, iptables is gone and nftables is the new thing. There is an iptables wrapper around nftables that allows those of us who know iptables to use it without having to relearn everything we ever knew straight away. If you run nft list ruleset alongside iptables-save you can see the nftables equivalent of your iptables rules.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: Warning in /var/log/firewalld from default config

Post by warron.french » 2020/02/22 09:44:20

TrevorH wrote:
2020/02/21 11:31:04
nftables is the new shiny in-kernel replacement for iptables. In RHEL/CentOS 8, iptables is gone and nftables is the new thing. There is an iptables wrapper around nftables that allows those of us who know iptables to use it without having to relearn everything we ever knew straight away. If you run nft list ruleset alongside iptables-save you can see the nftables equivalent of your iptables rules.
TrevorH, you are the man... as usual you educate me, and I appreciate it. Thanks.

Is firewalld still the tool to use to manipulate firewall rules?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Warning in /var/log/firewalld from default config

Post by TrevorH » 2020/02/22 10:15:08

You have a choice of 3 ways to do it in el8. You can use firewalld which seems to be RH's preferred method though many of us think it's an appalling bloated pig of a thing that shouldn't be let near anything worth protecting! Or you can use nftables directly and use the systemd nftables.service that comes with it. Or you can install iptables and iptables-services and enable the iptables service and use that. Be aware that the iptables wrapper is not 100% coverage of everything that iptables used to do in el7 (and no, I don't know what's missing, it's done everything I asked of it so far but my rules are static and unchanging and fairly simple).

warron.french
Posts: 616
Joined: 2014/03/27 20:21:58

Re: Warning in /var/log/firewalld from default config

Post by warron.french » 2020/02/23 04:25:38

Sorry, Trevor, my question was poorly worded. I meant to ask, should I continue to use firewall-cmd to get rules into place?

I know that you think firewalld is a bloated pig (because of the XML I am guessing).

Is there a newer more appropriate method to ensure no corruption? That should have been my actual question, thanks.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Warning in /var/log/firewalld from default config

Post by TrevorH » 2020/02/23 13:49:39

If you use firewalld then you must use the tools that it provides like firewall-cmd or its GUI equivalent. If you try to use nft or iptables then the changes you make with those tools will be unknown by firewalld and it will back them out.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: Warning in /var/log/firewalld from default config

Post by hunter86_bg » 2020/02/24 00:47:25

warron.french wrote:
2020/02/23 04:25:38
Sorry, Trevor, my question was poorly worded. I meant to ask, should I continue to use firewall-cmd to get rules into place?

I know that you think firewalld is a bloated pig (because of the XML I am guessing).

Is there a newer more appropriate method to ensure no corruption? That should have been my actual question, thanks.
For simple tasks firewalld is enough.
I'm not planning to learn nftables in the near future - so firewalld is acceptable.
