[fedora-virt] Libvirt integration with firewalld
Dan Mossor
2015-05-05 02:24:45 UTC
Is there any work underway to get the libvirt firewall tools ported to
firewalld? I've been seeing this since F21, but it seems to have gotten
worse on F22. Every time I boot the system or restart firewalld.service,
I get a lot of errors from the libvirt rules pumped into the journal.
These errors imply that the firewall isn't really being configured
properly for virtual machines on the host.

May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table mangle --delete
POSTROUTING --out-interface virbr0 --protocol udp --destination-port 68
--jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match
by that name.
May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete
POSTROUTING --source 192.168.122.0/24 --destination 224.0.0.0/24 --jump
RETURN' failed: iptables: Bad rule (does a matching rule exist in that
chain?).
May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete
POSTROUTING --source 192.168.122.0/24 --destination 255.255.255.255/32
--jump RETURN' failed: iptables: Bad rule (does a matching rule exist in
that chain?).
May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete
POSTROUTING --source 192.168.122.0/24 -p tcp ! --destination
192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed:
iptables: No chain/target/match by that name.
May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete
POSTROUTING --source 192.168.122.0/24 -p udp ! --destination
192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed:
iptables: No chain/target/match by that name.
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table nat --delete
POSTROUTING --source 192.168.122.0/24 ! --destination 192.168.122.0/24
--jump MASQUERADE' failed: iptables: No chain/target/match by that name.
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete
FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match
conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables:
Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete
FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT'
failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete
FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT'
failed: iptables: Bad rule (does a matching rule exist in that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete
FORWARD --out-interface virbr0 --jump REJECT' failed: iptables: No
chain/target/match by that name.
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete
FORWARD --in-interface virbr0 --jump REJECT' failed: iptables: No
chain/target/match by that name.
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete
INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump
ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that
chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete
INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump
ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that
chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete
OUTPUT --out-interface virbr0 --protocol udp --destination-port 68
--jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in
that chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete
INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump
ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that
chain?).
May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39
ERROR: COMMAND_FAILED: '/sbin/iptables -w -w --table filter --delete
INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump
ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that
chain?).
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter
family=2 entries=186
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter
family=2 entries=187
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter
family=2 entries=188
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter
family=2 entries=189
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter
family=2 entries=190
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter
family=2 entries=191
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter
family=2 entries=192
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter
family=2 entries=193
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter
family=2 entries=194
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter
family=2 entries=195
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=nat family=2
entries=100
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=nat family=2
entries=101
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=nat family=2
entries=102
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=nat family=2
entries=103
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=nat family=2
entries=104
May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=mangle
family=2 entries=64
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'no-mac-broadcast' already exists with uuid
a90d22ad-d651-4083-97b9-882f7e9e02c2
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'clean-traffic' already exists with uuid
d448932f-37a3-4637-887b-6f06dd0f00b1
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'allow-dhcp' already exists with uuid
1dba0fbf-31d6-4358-89c3-47dd080aac6f
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'allow-incoming-ipv4' already exists with uuid
69065cb6-28c8-4003-a661-2f4ffe1134a4
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'no-ip-spoofing' already exists with uuid
2522180a-157e-453a-ab91-262c447f4259
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'allow-dhcp-server' already exists with uuid
d8ea5311-ca8f-4b38-8526-de9dbacbc4f4
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'no-ip-multicast' already exists with uuid
a6d8e013-76f4-454a-b72a-d814055c0063
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'no-mac-spoofing' already exists with uuid
cb7df7ac-b12e-49d3-b0fc-c801d3d87a4d
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'no-arp-ip-spoofing' already exists with uuid
f96bf60d-f29a-41e5-a266-85610941fea9
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'allow-arp' already exists with uuid
abaf1910-3d79-4610-a49e-188fe7750196
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'no-other-l2-traffic' already exists with uuid
abc4f827-3683-48f7-ba2a-bb1c1be86d6b
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'no-other-rarp-traffic' already exists with uuid
c428a138-4fc7-4d06-94fb-a838eaf8faa4
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'qemu-announce-self-rarp' already exists with uuid
392de4e1-d8ec-4b60-8c26-56c310994508
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'qemu-announce-self' already exists with uuid
157f7aaf-7c75-458f-92a0-e4c4067d3383
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'allow-ipv4' already exists with uuid
de9add69-c8af-444f-b9f2-d07d0791b4bc
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'no-arp-mac-spoofing' already exists with uuid
44b534cf-d057-427c-a880-74524aa51338
May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed:
filter 'no-arp-spoofing' already exists with uuid
c66f6c9d-6a35-4751-8c4e-a6c296ff2388
--
Dan Mossor, RHCSA
Systems Engineer
Fedora Server WG | Fedora KDE WG | Fedora QA Team
Fedora Infrastructure Apprentice
FAS: dmossor IRC: danofsatx
San Antonio, Texas, USA
Daniel P. Berrange
2015-05-05 13:36:48 UTC
Post by Dan Mossor
Is there any work underway to get the libvirt firewall tools ported to
firewalld? I've been seeing this since F21, but it seems to have gotten
worse on F22. Every time I boot the system or restart firewalld.service, I
get a lot of errors from the libvirt rules pumped into the journal. These
errors imply that the firewall isn't really being configured properly for
virtual machines on the host.
Libvirt is already ported to use firewalld. The problem is that the firewalld
API gives libvirt no way to tell firewalld that certain commands are
*expected* to fail and that is ok. Firewalld just blindly logs all errors
in its log file, regardless of whether the application using firewalld
actually considers them to be errors. This is why you end up with all these
error messages about --delete commands failing.
Post by Dan Mossor
COMMAND_FAILED: '/sbin/iptables -w -w --table mangle --delete POSTROUTING
--out-interface virbr0 --protocol udp --destination-port 68 --jump CHECKSUM
--checksum-fill' failed: iptables: No chain/target/match by that name.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
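A worked triage example for the distinction drawn in the reply above. This is added code, not part of the thread and not code from libvirt or firewalld. It parses firewalld COMMAND_FAILED journal lines, recovers the iptables operation, table and chain from the quoted command, and separates the expected failures (a `--delete` of a rule that was not present, which is what libvirt's remove-before-add produces) from the failures that matter (a rule that firewalld could not add, meaning the host's forwarding or NAT policy for the VM network is not what libvirt intended). Assumptions: the two iptables error strings treated as "rule not present" are the two that appear in the post; the sample journal reuses lines from the post plus one constructed failing `--insert` line, marked as such, so the classifier has something to flag.

```python
"""Triage firewalld COMMAND_FAILED journal lines produced by libvirt's rule setup.

Added example, not libvirt or firewalld code. libvirt deletes each of its rules
before (re)adding them, so a failing '--delete' is expected; a failing
'--insert'/'--append' means a rule was not installed and deserves attention.
"""
import re
import shlex
from dataclasses import dataclass

# firewalld journal format as seen in the post:
#   firewalld[PID]: <ts> ERROR: COMMAND_FAILED: '<iptables cmd>' failed: <reason>
COMMAND_FAILED_RE = re.compile(
    r"firewalld\[\d+\]: .*?ERROR: COMMAND_FAILED: '(?P<cmd>[^']*)' failed: (?P<reason>.*)$"
)

# Assumption: these two iptables messages (both present in the post) mean
# "no such rule/chain here"; any other reason is not treated as benign.
NOT_PRESENT_REASONS = {
    "No chain/target/match by that name.",
    "Bad rule (does a matching rule exist in that chain?).",
}
ADD_FLAGS = {"-A", "--append", "-I", "--insert"}
DEL_FLAGS = {"-D", "--delete"}


@dataclass
class FailedRule:
    operation: str  # "delete", "add" or "other"
    table: str
    chain: str
    reason: str
    verdict: str    # "expected", "real" or "unknown"
    command: str


def parse_iptables(cmd):
    """Return (operation, table, chain) from an iptables command line."""
    argv = shlex.split(cmd)
    table, op, chain = "filter", "other", ""   # iptables defaults to the filter table
    for i, tok in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if tok in ("-t", "--table"):
            table = nxt
        elif tok in DEL_FLAGS:
            op, chain = "delete", nxt
        elif tok in ADD_FLAGS:
            op, chain = "add", nxt
    return op, table, chain


def classify(op, reason):
    """Decide whether a failed command is libvirt's benign remove-before-add or a real problem."""
    if op == "delete" and reason in NOT_PRESENT_REASONS:
        return "expected"   # deleting a rule that was never there: harmless
    if op == "add":
        return "real"       # the rule is missing from the host firewall
    return "unknown"


def triage(journal_text):
    """Parse every firewalld COMMAND_FAILED line in journal_text into FailedRule records."""
    records = []
    for line in journal_text.splitlines():
        m = COMMAND_FAILED_RE.search(line)
        if not m:
            continue  # audit, libvirtd and other lines are not firewalld command failures
        reason = re.sub(r"^ip6?tables: ", "", m.group("reason").strip())
        op, table, chain = parse_iptables(m.group("cmd"))
        records.append(FailedRule(op, table, chain, reason, classify(op, reason), m.group("cmd")))
    return records


def summarize(records):
    """Count records per verdict."""
    counts = {"expected": 0, "real": 0, "unknown": 0}
    for r in records:
        counts[r.verdict] += 1
    return counts


# Sample journal: five lines taken from the post (unwrapped to one line each), one audit
# line and one libvirtd line that must be ignored, and ONE CONSTRUCTED failing --insert.
SAMPLE_JOURNAL = "\n".join([
    "May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: "
    "'/sbin/iptables -w -w --table mangle --delete POSTROUTING --out-interface virbr0 --protocol udp "
    "--destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No chain/target/match by that name.",
    "May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: "
    "'/sbin/iptables -w -w --table nat --delete POSTROUTING --source 192.168.122.0/24 --destination 224.0.0.0/24 "
    "--jump RETURN' failed: iptables: Bad rule (does a matching rule exist in that chain?).",
    "May 04 21:18:38 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:38 ERROR: COMMAND_FAILED: "
    "'/sbin/iptables -w -w --table nat --delete POSTROUTING --source 192.168.122.0/24 -p tcp ! --destination "
    "192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535' failed: iptables: No chain/target/match by that name.",
    "May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: "
    "'/sbin/iptables -w -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 "
    "--match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).",
    "May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: "
    "'/sbin/iptables -w -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 "
    "--jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in that chain?).",
    "May 04 21:18:39 g55.attlocal.net audit: <audit-1325> table=filter family=2 entries=186",
    # CONSTRUCTED line (not from the post): an --insert that failed, i.e. a rule that is really missing.
    "May 04 21:18:39 g55.attlocal.net firewalld[4843]: 2015-05-04 21:18:39 ERROR: COMMAND_FAILED: "
    "'/sbin/iptables -w -w --table filter --insert FORWARD --source 192.168.122.0/24 --in-interface virbr0 "
    "--jump ACCEPT' failed: iptables: No chain/target/match by that name.",
    "May 04 21:18:39 g55.attlocal.net libvirtd[1226]: operation failed: filter 'allow-arp' already exists with uuid "
    "abaf1910-3d79-4610-a49e-188fe7750196",
])

if __name__ == "__main__":
    recs = triage(SAMPLE_JOURNAL)
    print(summarize(recs))
    for r in recs:
        if r.verdict != "expected":
            print(f"{r.verdict}: {r.operation} {r.table}/{r.chain}: {r.command}")
```

In practice feed it `journalctl -u firewalld -b --no-pager` output; anything reported as `real` or `unknown` is worth checking against `iptables -t <table> -S <chain>` on the host, while the `expected` bucket is the noise the reply describes.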