Bug 1785494
| Field | Value |
|---|---|
| Summary | firewalld.service should conflict with nftables.service |
| Product | [Fedora] Fedora |
| Component | firewalld |
| Version | 31 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Scott Shambarger <scott-fedora> |
| Assignee | Eric Garver <egarver> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | egarver, loic.yhuel, psutter |
| Fixed In Version | firewalld-0.7.5-2.fc31 |
| Last Closed | 2020-07-24 02:18:09 UTC |
| Type | Bug |
Description
Scott Shambarger
2019-12-20 02:47:02 UTC
FEDORA-2020-e6ecb21a28 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e6ecb21a28

I'm on F32 now, so can't test the build - but the service file includes the nftables conflicts line, so this appears fixed :)

FEDORA-2020-e6ecb21a28 has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e6ecb21a28` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e6ecb21a28 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

This update switches default backend from iptables to nftables on F31, is it wanted?
In my case, it conflicts with NetworkManager connection sharing feature. I have the connection for enp0s20f0u3u3 interface having IPv4 configured as "shared to other computers". NetworkManager calls:

```
iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol tcp --destination-port 53 --jump ACCEPT
iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol udp --destination-port 53 --jump ACCEPT
iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol tcp --destination-port 67 --jump ACCEPT
iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol udp --destination-port 67 --jump ACCEPT
iptables --table filter --insert FORWARD --in-interface enp0s20f0u3u3 --jump REJECT
iptables --table filter --insert FORWARD --out-interface enp0s20f0u3u3 --jump REJECT
iptables --table filter --insert FORWARD --in-interface enp0s20f0u3u3 --out-interface enp0s20f0u3u3 --jump ACCEPT
iptables --table filter --insert FORWARD --source 10.42.0.0/255.255.255.0 --in-interface enp0s20f0u3u3 --jump ACCEPT
iptables --table filter --insert FORWARD --destination 10.42.0.0/255.255.255.0 --out-interface enp0s20f0u3u3 --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --table nat --insert POSTROUTING --source 10.42.0.0/255.255.255.0 ! --destination 10.42.0.0/255.255.255.0 --jump MASQUERADE
```

But after the firewalld update, I had to:
- allow dhcp/dns with firewalld (else the dnsmasq started by NetworkManager didn't receive anything)
- enable masquerading in firewalld (but this is on the destination zone, not the source as NetworkManager did, so this is not restricted to an interface)

(In reply to Loïc Yhuel from comment #4)
> This update switches default backend from iptables to nftables on F31, is it
> wanted?

Yikes! You're right. I accidentally dropped the patch to change the default backend to iptables. Working on a new build now.

Thanks for testing! :)

FEDORA-2020-1f26a8f191 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-1f26a8f191

FEDORA-2020-1f26a8f191 has been pushed to the Fedora 31 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-1f26a8f191` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-1f26a8f191 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2020-1f26a8f191 has been pushed to the Fedora 31 stable repository. If problem still persists, please make note of it in this bug report.
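The two things testers checked in this thread were the nftables entry in the firewalld unit's `Conflicts=` list and which `FirewallBackend` an update leaves active. As an added example (not from the bug report or the firewalld project), the shell functions below verify both from file contents; the function names and the sample files are constructed for illustration.

```sh
# Added example, not from the bug report. All sample files are constructed.

# Print the effective Conflicts= list from the [Unit] section of a unit file.
# The directive may repeat; an empty assignment resets the list.
unit_conflicts() {
    awk '
        /^\[/ { in_unit = ($0 == "[Unit]"); next }
        in_unit && /^Conflicts[ \t]*=/ {
            sub(/^Conflicts[ \t]*=[ \t]*/, "")
            if ($0 == "") list = ""
            else list = (list == "" ? $0 : list " " $0)
        }
        END { print list }
    ' "$1"
}

# Succeed if unit $2 appears in the Conflicts= list of unit file $1.
unit_conflicts_with() {
    for u in $(unit_conflicts "$1"); do
        [ "$u" = "$2" ] && return 0
    done
    return 1
}

# Print the FirewallBackend= value from a firewalld.conf (last assignment wins).
firewalld_backend() {
    awk -F= '/^[ \t]*FirewallBackend[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
             END { print v }' "$1"
}

# Constructed inputs; the entry under [Service] is misplaced and must not count.
SAMPLES=$(mktemp -d)
printf '%s\n' '[Unit]' 'Conflicts=iptables.service ip6tables.service' \
    'Conflicts=ebtables.service ipset.service' '[Service]' \
    'Conflicts=nftables.service' > "$SAMPLES/before.service"
printf '%s\n' '[Unit]' 'Conflicts=iptables.service ip6tables.service' \
    'Conflicts=ebtables.service ipset.service nftables.service' \
    > "$SAMPLES/after.service"
printf '%s\n' '# FirewallBackend=iptables' 'FirewallBackend=nftables' \
    > "$SAMPLES/firewalld.conf"

for f in before after; do
    if unit_conflicts_with "$SAMPLES/$f.service" nftables.service; then
        echo "$f.service: conflicts with nftables.service"
    else
        echo "$f.service: no Conflicts= entry for nftables.service"
    fi
done
echo "FirewallBackend: $(firewalld_backend "$SAMPLES/firewalld.conf")"
```

On a live system, `systemctl show -p Conflicts firewalld.service` reports the list systemd actually loaded, including any drop-ins that this file-level check does not read.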