View Issue Details

ID: 0016203
Project: CentOS-7
Category: firewalld
View Status: public
Last Update: 2019-06-20 21:50
Reporter: mdione-cloudian
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
OS: CentOS
Product Version: 7.6.1810
Summary: 0016203: Firewalld fails when trying to rollback a change transaction
Description:

firewalld seems to have a protection system where, if for some reason a change fails to be applied, the configuration is rolled back to where it was before the change.

We're running CentOS 7.6 on containers, and firewalld fails to apply changes. This issue is not about that, but if you're interested, here's what the log says:

2019-06-20 07:53:23 ERROR: Failed to read file "/proc/sys/net/netfilter/nf_conntrack_helper": [Errno 2] No such file or directory: '/proc/sys/net/netfilter/nf_conntrack_helper'
2019-06-20 07:53:23 WARNING: Failed to get and parse nf_conntrack_helper setting
2019-06-20 07:53:23 ERROR: Failed to flush ipv4 firewall: [Errno 13] Permission denied: '/proc/net/ip_tables_names'
2019-06-20 07:53:23 ERROR: Failed to flush ipv6 firewall: [Errno 13] Permission denied: '/proc/net/ip6_tables_names'
2019-06-20 07:53:23 ERROR: Failed to destroy ipset 'hyperstoreNodes'
2019-06-20 07:53:23 ERROR: '/usr/sbin/ipset destroy hyperstoreNodes' failed: ipset v6.38: Set cannot be destroyed: it is in use by a kernel component
2019-06-20 07:53:27 ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 2 failed
2019-06-20 07:53:27 ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed
2019-06-20 07:53:27 ERROR: Failed to set policy of ipv4 firewall: [Errno 13] Permission denied: '/proc/net/ip_tables_names'
2019-06-20 07:53:27 ERROR: Failed to set policy of ipv6 firewall: [Errno 13] Permission denied: '/proc/net/ip6_tables_names'

This issue is actually about this error:

# firewall-cmd --reload
Error: reverse_rule() takes exactly 2 arguments (1 given)

I checked firewalld's source code (it's python) and the culprit seems to be this definition in /usr/lib/python2.7/site-packages/firewall/core/ipXtables.py:

# ipv ebtables also uses this
#
def reverse_rule(self, args):
    """ Inverse valid rule """

This definition looks like a method definition, but it's actually a function. All calls are giving only one parameter, so any of these calls should trigger the same error:

# grep -rin reverse_rule /usr/lib/python2.7/site-packages/firewall
/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.py:30:from firewall.core.ipXtables import reverse_rule
/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.py:79: rules.setdefault(ipv, [ ]).append(reverse_rule(rule))
/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.py:124: undo_rules[ipv].append(reverse_rule(rule))
/usr/lib/python2.7/site-packages/firewall/core/fw.py:847: backend.set_rule(ipXtables.reverse_rule(rule))

The bug is present upstream, I opened this: https://github.com/firewalld/firewalld/issues/495

I hope you can backport any fix that comes out of that (I would say it's just a matter of removing the spurious 'self').
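The following is an added example, not firewalld's code and not part of the report. It models the transaction-with-rollback mechanism the report describes: a one-argument reverse_rule() that builds the undo rule for each applied rule, a constructed in-memory backend, and a transaction that replays the undo rules when a later rule fails. The option-inversion table, the FakeBackend and FirewallTransaction classes, and the RULES change set (chain name, port) are assumptions made up for the example. A reverse_rule_buggy() variant keeps the stray 'self' from the reported ipXtables.py so the failure mode can be compared side by side: with the stray parameter, the undo bookkeeping raises TypeError after the first rule is already applied, so the rollback never runs and the firewall is left half-changed.

```python
"""Added example: simplified model of a firewalld-style change transaction.

Not firewalld's code. The inversion table, FakeBackend, FirewallTransaction
and RULES are constructed assumptions modelled on the call sites quoted in
the report (fw_transaction.py queues reverse_rule(rule) as each rule's undo).
"""

# Assumed "do" -> "undo" mapping for iptables options.
_REVERSE_ARGS = {
    "-A": "-D", "--append": "--delete",           # appended rule -> delete it
    "-I": "-D", "--insert": "--delete",           # inserted rule -> delete it
    "-N": "-X", "--new-chain": "--delete-chain",  # new chain -> delete chain
}


def reverse_rule(args):
    """Return the argument list that undoes ``args``.

    A plain one-argument function, which is how every call site quoted in
    the report invokes it: reverse_rule(rule).
    """
    ret_args = list(args)
    for opt, undo_opt in _REVERSE_ARGS.items():
        if opt not in ret_args:
            continue
        idx = ret_args.index(opt)
        # "-I CHAIN [rulenum] ..." may carry a position after the chain
        # name; "-D" takes none, so drop it when present.
        if opt in ("-I", "--insert") and idx + 2 < len(ret_args) \
                and ret_args[idx + 2].isdigit():
            del ret_args[idx + 2]
        ret_args[idx] = undo_opt
    return ret_args


def reverse_rule_buggy(self, args):
    """Same logic with the stray ``self`` from the reported ipXtables.py.
    Calling reverse_rule_buggy(rule) raises TypeError, as in the report."""
    return reverse_rule(args)


class RuleApplyError(Exception):
    """Backend could not apply a rule (stands in for iptables-restore failing)."""


class FakeBackend:
    """Constructed in-memory stand-in for an iptables backend."""

    ADD = ("-A", "--append", "-I", "--insert")
    DELETE = ("-D", "--delete")

    def __init__(self, fail_on=None):
        self.state = []          # rule keys currently "in the kernel"
        self.fail_on = fail_on   # rule (arg list) that should fail to apply

    @staticmethod
    def _key(rule):
        # Normalise to (chain, match...) regardless of -A/-I/-D and of an
        # optional insert position, so an undo matches the rule it removes.
        body = rule[1:]
        if rule[0] in ("-I", "--insert") and len(body) > 1 and body[1].isdigit():
            del body[1]
        return tuple(body)

    def set_rule(self, rule):
        if rule == self.fail_on:
            raise RuleApplyError("failed: %s" % " ".join(rule))
        action = rule[0]
        if action in self.ADD:
            self.state.append(self._key(rule))
        elif action in self.DELETE:
            self.state.remove(self._key(rule))
        elif action in ("-N", "--new-chain"):
            self.state.append(("chain", rule[1]))
        elif action in ("-X", "--delete-chain"):
            self.state.remove(("chain", rule[1]))
        else:
            raise RuleApplyError("unsupported action %s" % action)


class FirewallTransaction:
    """Apply rules in order; if one fails, replay the reversed rules of those
    already applied so the backend returns to its starting state."""

    def __init__(self, backend, reverse=reverse_rule):
        self.backend = backend
        self.reverse = reverse
        self.rules = []

    def add_rule(self, rule):
        self.rules.append(list(rule))

    def execute(self):
        undo_rules = []
        try:
            for rule in self.rules:
                self.backend.set_rule(rule)
                undo_rules.append(self.reverse(rule))  # the call from the report
        except RuleApplyError:
            # Rollback: undo in reverse order, then re-raise the original error.
            for undo in reversed(undo_rules):
                self.backend.set_rule(undo)
            raise


# Constructed change set: new chain, a jump into it, one accept rule.
RULES = [
    ["-N", "EXAMPLE_CHAIN"],
    ["-I", "INPUT", "1", "-p", "tcp", "--dport", "8443", "-j", "EXAMPLE_CHAIN"],
    ["-A", "EXAMPLE_CHAIN", "-s", "10.0.0.0/8", "-j", "ACCEPT"],
]


def run_change(fail_on=None, reverse=reverse_rule):
    """Apply RULES on a fresh backend where ``fail_on`` fails to apply.
    Returns (name of the exception that escaped or None, final backend state)."""
    backend = FakeBackend(fail_on=fail_on)
    tx = FirewallTransaction(backend, reverse=reverse)
    for rule in RULES:
        tx.add_rule(rule)
    try:
        tx.execute()
    except Exception as err:  # report whatever escaped, TypeError included
        return type(err).__name__, list(backend.state)
    return None, list(backend.state)


if __name__ == "__main__":
    print("clean run:      ", run_change())
    print("rule 3 fails:   ", run_change(fail_on=RULES[2]))
    print("with stray self:", run_change(fail_on=RULES[2], reverse=reverse_rule_buggy))
```

With the correct signature, a failure on the third rule leaves the backend empty again and the original RuleApplyError is what the caller sees. With the stray 'self', the TypeError surfaces instead of the real apply error and the first rule stays applied, which is the practical risk of a broken rollback path: the firewall is neither in the old state nor the new one, and the log shows the bookkeeping crash rather than the cause.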
Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-06-20 21:50 mdione-cloudian New Issue