Bug 1785494 - firewalld.service should conflict with nftables.service
Summary: firewalld.service should conflict with nftables.service
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 31
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Eric Garver
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-12-20 02:47 UTC by Scott Shambarger
Modified: 2020-07-24 02:18 UTC (History)

Fixed In Version: firewalld-0.7.5-2.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-24 02:18:09 UTC
Type: Bug
Embargoed:



Description Scott Shambarger 2019-12-20 02:47:02 UTC
Description of problem:
Reloading or stopping nftables wipes firewalld's rules

Version-Release number of selected component (if applicable):
firewalld-0.7.2-1.fc31.noarch

How reproducible:
Whenever nftables is reloaded or stopped

Steps to Reproduce:
1. Configure firewalld.conf with FirewallBackend=nftables
2. Enable and activate firewalld
3. Enable and activate nftables
4. Reload or stop nftables

Actual results:
All netfilter rules are wiped

Expected results:
All netfilter rules except firewalld rules should be wiped

Additional info:
firewalld.service currently has:
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service

That list should probably include nftables...

Alternatively, the services could be bound is such a way that reload or stop of nftables triggers a reload of firewalld... but that's more complicated.
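The following is an added example, not part of the bug report or of the firewalld package: a POSIX shell check that reads a systemd unit's text and reports which of the netfilter frontend units named in this report (the four already listed plus nftables.service) are missing from its Conflicts= lines. The unit text embedded below is constructed for the example; on a real host you would pipe `systemctl cat firewalld.service` into `missing_conflicts`.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that a firewalld unit
# declares Conflicts= with every unit whose reload/stop would wipe its
# ruleset. Reads unit text from stdin so it runs offline; on a Fedora
# host: systemctl cat firewalld.service | missing_conflicts

# Units that, per this report, must appear in Conflicts=.
WANTED="iptables.service ip6tables.service ebtables.service ipset.service nftables.service"

# Print the space-separated union of all Conflicts= values in the unit
# text on stdin (systemd allows the key to be repeated).
declared_conflicts() {
    sed -n 's/^[[:space:]]*Conflicts=[[:space:]]*//p' | tr '\n' ' '
}

# Print the wanted units that are NOT declared; empty output means OK.
missing_conflicts() {
    declared=$(declared_conflicts)
    for u in $WANTED; do
        case " $declared " in
            *" $u "*) ;;                 # declared, nothing to report
            *) printf '%s\n' "$u" ;;     # missing
        esac
    done
}

# Constructed sample: unit fragment matching the 0.7.2 line quoted above
# (nftables.service absent).
OLD_UNIT='[Unit]
Description=firewalld - dynamic firewall daemon
Before=network-pre.target
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service'

# Constructed sample: the same unit with nftables.service added.
NEW_UNIT="$OLD_UNIT nftables.service"

check_old() { printf '%s\n' "$OLD_UNIT" | missing_conflicts; }
check_new() { printf '%s\n' "$NEW_UNIT" | missing_conflicts; }

if [ -n "$(check_old)" ]; then
    echo "old unit is missing: $(check_old)"
fi
if [ -z "$(check_new)" ]; then
    echo "new unit declares all wanted conflicts"
fi
```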

Comment 1 Fedora Update System 2020-07-01 20:39:29 UTC
FEDORA-2020-e6ecb21a28 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-e6ecb21a28

Comment 2 Scott Shambarger 2020-07-01 23:37:42 UTC
I'm on F32 now, so can't test the build - but the service file includes the nftables conflicts line, so this appears fixed :)

Comment 3 Fedora Update System 2020-07-02 01:12:28 UTC
FEDORA-2020-e6ecb21a28 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-e6ecb21a28`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-e6ecb21a28

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Loïc Yhuel 2020-07-08 20:21:54 UTC
This update switches the default backend from iptables to nftables on F31; is it wanted?

In my case, it conflicts with the NetworkManager connection sharing feature.
I have the connection for the enp0s20f0u3u3 interface with IPv4 configured as "shared to other computers".
NetworkManager calls:
iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol tcp --destination-port 53 --jump ACCEPT
iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol udp --destination-port 53 --jump ACCEPT
iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol tcp --destination-port 67 --jump ACCEPT
iptables --table filter --insert INPUT --in-interface enp0s20f0u3u3 --protocol udp --destination-port 67 --jump ACCEPT
iptables --table filter --insert FORWARD --in-interface enp0s20f0u3u3 --jump REJECT
iptables --table filter --insert FORWARD --out-interface enp0s20f0u3u3 --jump REJECT
iptables --table filter --insert FORWARD --in-interface enp0s20f0u3u3 --out-interface enp0s20f0u3u3 --jump ACCEPT
iptables --table filter --insert FORWARD --source 10.42.0.0/255.255.255.0 --in-interface enp0s20f0u3u3 --jump ACCEPT
iptables --table filter --insert FORWARD --destination 10.42.0.0/255.255.255.0 --out-interface enp0s20f0u3u3 --match state --state ESTABLISHED,RELATED --jump ACCEPT
iptables --table nat --insert POSTROUTING --source 10.42.0.0/255.255.255.0 ! --destination 10.42.0.0/255.255.255.0 --jump MASQUERADE


But after the firewalld update, I had to:
 - allow dhcp/dns with firewalld (else the dnsmasq started by NetworkManager didn't receive anything)
 - enable masquerading in firewalld (but this is on the destination zone, not the source as NetworkManager did, so this is not restricted to an interface)

Comment 5 Eric Garver 2020-07-08 23:06:34 UTC
(In reply to Loïc Yhuel from comment #4)
> This update switches the default backend from iptables to nftables on F31; is it
> wanted?

Yikes! You're right. I accidentally dropped the patch to change the default backend to iptables. Working on a new build now.

Thanks for testing! :)

Comment 6 Fedora Update System 2020-07-08 23:13:53 UTC
FEDORA-2020-1f26a8f191 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-1f26a8f191

Comment 7 Fedora Update System 2020-07-09 01:05:43 UTC
FEDORA-2020-1f26a8f191 has been pushed to the Fedora 31 testing repository.
In a short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-1f26a8f191`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-1f26a8f191

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2020-07-24 02:18:09 UTC
FEDORA-2020-1f26a8f191 has been pushed to the Fedora 31 stable repository.
If the problem still persists, please make note of it in this bug report.

