View Issue Details

ID: 0016425
Project: CentOS-7
Category: firewalld
View Status: public
Last Update: 2019-10-26 00:07
Reporter: leoje
Priority: normal
Severity: major
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 7.7-1908
Target Version:
Fixed in Version:
Summary: 0016425: destination IP in rich rule breaks rule parsing and launch of firewalld
Description
Hello,
I used to run a server under CentOS 7.6, with a working firewalld configuration that also featured rich rules in the default "public" zone.
After having upgraded to 7.7 in place, firewalld refuses to launch, with the following error message:

Sep 17 20:52:26 hostname systemd[1]: Started firewalld - dynamic firewall daemon.
Sep 17 20:52:27 hostname firewalld[13065]: ERROR: argument of type 'Rich_Destination' is not iterable
Sep 17 20:52:27 hostname firewalld[13065]: WARNING: True: COMMAND_FAILED: argument of type 'Rich_Destination' is not iterable
Sep 17 20:52:27 hostname firewalld[13065]: ERROR: argument of type 'Rich_Destination' is not iterable
Sep 17 20:52:27 hostname firewalld[13065]: ERROR: COMMAND_FAILED: argument of type 'Rich_Destination' is not iterable
Sep 17 20:52:27 hostname firewalld[13065]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.4.21: goto 'FWDI_public' is not a chain

                                             Error occurred at line: 2
                                             Try `iptables-restore -h' or 'iptables-restore --help' for more information.


After a lot of digging, I found that the issue can be "resolved" by removing any destination address from the rich rule:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <interface name="eno2"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="1.2.0.24/32"/>
    <destination address="1.2.4.10/32"/>
    <service name="ssh"/>
    <log level="warning"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="1.2.0.0/16"/>
    <destination address="1.2.4.10/24"/>
    <service name="dns"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="1.2.0.0/16"/>
    <destination address="1.2.4.10/32"/>
    <service name="nfs"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="1.2.0.0/16"/>
    <destination address="1.2.5.10/32"/>
    <service name="nfs"/>
    <accept/>
  </rule>
</zone>

I assumed that the double quotes or the mask information might cause the issue, but altering them did not fix it.
Only removing the entire "destination" token helps to make firewalld operable again.

I face this issue on all my other servers in the exact same manner.
This same unmodified file still worked perfectly on CentOS 7.6.
Steps To Reproduce
Independent option 1: upgrade a CentOS 7.6 to 7.7, while having a public zone featuring a rich rule that features the destination IP.
Independent option 2: add a destination address to a rich rule of zone public in CentOS 7.7 and try to launch firewalld.
Additional Information
Same issue applies when upgrading from CentOS 7.6 to 7.7, while the public.xml still worked perfectly fine under CentOS 7.6, but fails under 7.7.
Tags: 7.7, destination, firewalld, rich rule
abrt_hash:
URL:
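A pre-upgrade audit for the condition this report describes, as an added example that is not part of the bug report or of firewalld itself: it parses firewalld zone XML and lists every rich rule that carries a `<destination>` element, so an administrator can see which zones would stop firewalld 0.6.3-2.el7_7.1 from starting before the upgrade is done, and it renders each such rule in rich rule syntax so it can be re-added once a fixed package is installed. The zone directory path (`/etc/firewalld/zones`) is the stock layout and the embedded sample is the reporter's public.xml from above; the function names are this example's own.

```python
"""Audit firewalld zone files for rich rules that carry a <destination> element.

Added example, not code from the bug report or from the firewalld project.
Assumes zone files live in /etc/firewalld/zones/*.xml (the stock layout); the
embedded sample zone is the reporter's public.xml so the script runs offline.
"""
import glob
import os
import xml.etree.ElementTree as ET

# Constructed sample input: the reporter's public.xml, copied from the report.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <interface name="eno2"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="1.2.0.24/32"/>
    <destination address="1.2.4.10/32"/>
    <service name="ssh"/>
    <log level="warning"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="1.2.0.0/16"/>
    <destination address="1.2.4.10/24"/>
    <service name="dns"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="1.2.0.0/16"/>
    <destination address="1.2.4.10/32"/>
    <service name="nfs"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="1.2.0.0/16"/>
    <destination address="1.2.5.10/32"/>
    <service name="nfs"/>
    <accept/>
  </rule>
</zone>
"""

# Rich rule actions firewalld accepts as a rule's terminal element.
ACTIONS = ("accept", "reject", "drop", "mark")


def find_destination_rules(zone_xml):
    """Return one dict per <rule> child of <zone> that has a <destination>.

    Rules without a destination still load on the broken package, so they are
    skipped; the rest are captured with enough detail to rebuild them later.
    """
    data = zone_xml.encode("utf-8") if isinstance(zone_xml, str) else zone_xml
    root = ET.fromstring(data)
    findings = []
    for index, rule in enumerate(root.findall("rule")):
        dest = rule.find("destination")
        if dest is None:
            continue
        src = rule.find("source")
        log = rule.find("log")
        action = next((a for a in ACTIONS if rule.find(a) is not None), None)
        findings.append({
            "index": index,
            "family": rule.get("family"),
            "source": src.get("address") if src is not None else None,
            "destination": dest.get("address"),
            "services": [s.get("name") for s in rule.findall("service")],
            "ports": [(p.get("port"), p.get("protocol")) for p in rule.findall("port")],
            "log_level": log.get("level") if log is not None else None,
            "action": action,
        })
    return findings


def to_rich_rule(finding):
    """Render a finding back into firewalld's rich rule language."""
    parts = ["rule"]
    if finding["family"]:
        parts.append(f'family="{finding["family"]}"')
    if finding["source"]:
        parts.append(f'source address="{finding["source"]}"')
    parts.append(f'destination address="{finding["destination"]}"')
    for name in finding["services"]:
        parts.append(f'service name="{name}"')
    for port, proto in finding["ports"]:
        parts.append(f'port port="{port}" protocol="{proto}"')
    if finding["log_level"]:
        parts.append(f'log level="{finding["log_level"]}"')
    if finding["action"]:
        parts.append(finding["action"])
    return " ".join(parts)


def audit_zone_dir(zone_dir="/etc/firewalld/zones"):
    """Map each zone file under zone_dir to its destination-bearing rules."""
    report = {}
    for path in sorted(glob.glob(os.path.join(zone_dir, "*.xml"))):
        with open(path, "rb") as fh:
            findings = find_destination_rules(fh.read())
        if findings:
            report[os.path.basename(path)] = findings
    return report


if __name__ == "__main__":
    hits = find_destination_rules(SAMPLE_ZONE)
    print(f"{len(hits)} rich rule(s) with a destination in the sample zone:")
    for f in hits:
        print(f"  rule #{f['index']}: {to_rich_rule(f)}")
```

Run it as root on a host before the upgrade; a non-empty `audit_zone_dir()` result names the zone files that carry the affected rules. The rendered strings are in the form `firewall-cmd --permanent --zone=public --add-rich-rule='...'` accepts, which makes restoring the rules after a fixed package lands a copy-and-paste step rather than a reconstruction from memory.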

Relationships

has duplicate 0016579 (closed, pgreco): firewalld does not support Rich Rule Priorities

Activities

tigalch (manager), 2019-09-19 18:42, ~0035145

As CentOS only rebuilds what RedHat offers in the form of source code, you have to raise this issue at RH's bugzilla against EL7. When/IF RH fixes that issue, CentOS will inherit the fix.
tigalch (manager), 2019-09-19 19:33, ~0035148

Do you have IPv6 disabled on your host(s)?
tigalch (manager), 2019-09-19 19:55, ~0035149

And please print the version of firewalld you are using.
lfain (reporter), 2019-09-20 08:02, ~0035152

I have the same problem with firewalld-0.6.3-2.el7_7.1.noarch that is automatically installed with the latest 7-7.1908.0.el7.centos.
The problem is very serious! The servers are locked after the upgrading!
The problem seems to be not related to IPv6.
For your reference, I've found the following bug in the RedHat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1715977
leoje (reporter), 2019-09-20 08:18, ~0035153

Hello,
thank you for your immediate help.
I had IPv6 disabled initially, then switched to link-local, but both scenarios don't seem to change the situation on my hosts.

The releases involved:
CentOS Linux release 7.7.1908 (Core)
firewalld.noarch 0.6.3-2.el7_7.1 @updates
firewalld-filesystem.noarch 0.6.3-2.el7_7.1 @updates

I also found that "1715977", but guessed it might have a different root, since "1715977" is deemed fixed?
Should I still then file it at bugzilla.redhat.com, and would my developer account suffice, not requiring a subscription?
tigalch (manager), 2019-09-20 08:28, ~0035154

Your developer account is sufficient for filing the bug. If you do, please cross reference the ID here.
pgreco (developer), 2019-09-20 21:39, ~0035171

I have a possible fix candidate here https://people.centos.org/pgreco/testbuilds/bug16425/
@leoje @lfain can you test?
Even if this works, as @tigalch said, this has to be reported in RH's bugzilla.
lfain (reporter), 2019-09-22 09:20, ~0035187

I've tested the proposed fix. It works well. Thank you @pgreco.
There is the corresponding open bug at RedHat:
https://bugzilla.redhat.com/show_bug.cgi?id=1729097
pgreco (developer), 2019-09-22 15:21, ~0035191

@lfain good thing that it worked, and thanks for the bugzilla.
According to that link, it is already fixed internally, so it will show up "eventually".
If "eventually" takes too long, I'll try to generate a fasttrack version of what you're using right now.
leoje (reporter), 2019-09-26 08:09, ~0035228

I just wanted to feed back that [https://people.centos.org/pgreco/testbuilds/bug16425/] also works for me.
Thank you all for your great help!
pgreco (developer), 2019-09-26 17:00, ~0035239

OK, the fasttrack version of this will be in the mirrors shortly:
yum update firewalld --enablerepo=fasttrack
lfain (reporter), 2019-10-16 06:42, ~0035497

Is there any estimation when the fixed firewalld will be available in the regular, not only in the fasttrack, repository? The problem is serious...
tigalch (manager), 2019-10-16 06:45, ~0035498

Depends on when RedHat will release the fix.
lfain (reporter), 2019-10-22 06:09, ~0035551

I see that new firewalld v.0.6.3-2.el7_7.2 was released yesterday. Unfortunately, without the fix included. The new package version number is greater than the package version in the fasttrack... Nightmare continues.

Issue History

Date Modified Username Field Change
2019-09-19 18:37 leoje New Issue
2019-09-19 18:37 leoje Tag Attached: 7.7
2019-09-19 18:37 leoje Tag Attached: destination
2019-09-19 18:37 leoje Tag Attached: firewalld
2019-09-19 18:37 leoje Tag Attached: rich rule
2019-09-19 18:42 tigalch Note Added: 0035145
2019-09-19 19:33 tigalch Note Added: 0035148
2019-09-19 19:55 tigalch Note Added: 0035149
2019-09-20 08:02 lfain Note Added: 0035152
2019-09-20 08:18 leoje Note Added: 0035153
2019-09-20 08:28 tigalch Note Added: 0035154
2019-09-20 21:39 pgreco Status new => feedback
2019-09-20 21:39 pgreco Note Added: 0035171
2019-09-22 09:20 lfain Note Added: 0035187
2019-09-22 15:21 pgreco Note Added: 0035191
2019-09-26 08:09 leoje Note Added: 0035228
2019-09-26 08:09 leoje Status feedback => assigned
2019-09-26 17:00 pgreco Note Added: 0035239
2019-10-11 17:23 pgreco Relationship added has duplicate 0016579
2019-10-16 06:42 lfain Note Added: 0035497
2019-10-16 06:45 tigalch Note Added: 0035498
2019-10-22 06:09 lfain Note Added: 0035551