On Fri, Dec 14, 2018 at 03:14:12PM -0700, Warren Young wrote:
> On Dec 14, 2018, at 2:30 PM, Jon LaBadie <jcu at labadie.us> wrote:
> >
> > After a recent large update, firewalld's status contains
> > many lines of the form:
> >
> > WARNING: COMMAND_FAILED: '/usr/sbin/iptables…
>
> What's the rest of the command?

Well, there are about 20 of them and several screen widths
long. However, they all end with one of two reasons:

  : No chain/target/match by that name.
  : Bad rule (does a matching rule exist in that chain?).

> > Checking iptables.service status shows it to be masked.
>
> That's probably from package iptables-services, which isn't installed
> by default on purpose. It's the legacy service from before firewalld
> was made the default. Use one or the other, not both.
>

After the update I got email from "ckservices" that firewalld was down.
I saw the above-mentioned iptables errors and checked the iptables.service
to find it masked. I shut down firewalld, unmasked, enabled, and started
iptables.service and then firewalld. Same errors. So I shut down the iptables
service, masked it, and restarted firewalld.

> I strongly recommend that you use firewalld ...
>

Never planned to do otherwise. Just was uncertain if iptables.service
had to run also.

Thanks,
Jon
-- 
Jon H. LaBadie                 jon at jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)
On Dec 14, 2018, at 3:57 PM, Jon LaBadie <jcu at labadie.us> wrote:
>
> : Bad rule (does a matching rule exist in that chain?).

That makes sense: the old iptables service installed several default chains, and firewalld does as well, but they're not named the same, and I doubt there's a 1:1 mapping between them. That's part of why I advised you to use one or the other, not both. Another reason is that their persistent rule stores use entirely different file formats, in different locations.
--On Friday, December 14, 2018 5:57 PM -0500 Jon LaBadie <jcu at labadie.us> wrote:

> Well, there are about 20 of them and several screen widths
> long. However they all end with one of two reasons:
>
> : No chain/target/match by that name.
> : Bad rule (does a matching rule exist in that chain?).

Put them on a pastebin so we can see them at full width. The chain names should tell us what's responsible for them.

> After the update I got email from "ckservices" that firewalld was down.
> I saw the above mentioned iptable errors and checked the iptables.service
> to find it masked. I shutdown firewalld, unmasked, enabled, and started
> iptables.service and then firewalld. Same errors. So I shutdown iptables
> service, masked it, and restarted firewalld.

Note that the iptables utilities and the iptables service are distinct. I install the utilities so that I can inspect the kernel chains that firewalld creates. But I don't install the iptables service.
On 12/14/18 2:57 PM, Jon LaBadie wrote:
> Well, there are about 20 of them and several screen widths
> long. However they all end with one of two reasons:
>
> : No chain/target/match by that name.
> : Bad rule (does a matching rule exist in that chain?).

If you don't include the errors, all we can do is guess. The name of the chain that doesn't exist is probably key to explaining the error.

Docker is one possible reason for such errors:
https://support.plesk.com/hc/en-us/articles/360007029113-Docker-startup-on-firewalld-Warning-COMMAND-FAILED-No-chain-target-match-by-that-name
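As an added example (not part of the thread or of firewalld), the following shell/awk helper does the triage Kenneth and Gordon describe: it pulls the table, chain name and failure reason out of each COMMAND_FAILED warning so the chains' owner is visible at a glance. The status lines and the DOCKER* chain names are constructed samples, not the poster's real output.

```shell
#!/bin/sh
# Constructed sample of firewalld status output (not the poster's real
# lines): one ordinary status line plus warnings of the form the thread
# describes, each ending in one of the two reasons quoted above.
sample_status() {
    cat <<'EOF'
   Active: active (running) since Fri 2018-12-14 14:00:00 EST; 1h ago
WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER' failed: iptables: Bad rule (does a matching rule exist in that chain?).
WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
EOF
}

# Read firewalld output on stdin and print one line per COMMAND_FAILED
# warning: "<table> <chain> <reason>". The chain is the argument that
# follows the iptables chain-command flag (-A -D -F -X -I -N -E -Z -P -L);
# the table defaults to "filter" when no -t is given, as iptables does.
failed_chains() {
    awk '
    /COMMAND_FAILED/ {
        split($0, q, "\047"); cmd = q[2]      # text between the first quotes
        n = split(cmd, f, " ")
        table = "filter"; chain = "?"
        for (i = 1; i < n; i++) {
            if (f[i] == "-t") table = f[i + 1]
            else if (f[i] ~ /^-[ADFXINEZPL]$/) chain = f[i + 1]
        }
        reason = $0
        sub(/.*failed: iptables: /, "", reason)  # keep only the reason text
        sub(/\.$/, "", reason)
        print table, chain, reason
    }'
}

# Count failures per chain so the chains' owner (here Docker) stands out.
chain_counts() {
    failed_chains | awk '{ c[$2 " (" $1 ")"]++ } END { for (k in c) print c[k], k }' | sort -rn
}

sample_status | chain_counts
```

On a live system, feed it `systemctl status firewalld` or `journalctl -u firewalld` instead of `sample_status`.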
On Fri, Dec 14, 2018 at 04:55:33PM -0800, Kenneth Porter wrote:
> --On Friday, December 14, 2018 5:57 PM -0500 Jon LaBadie <jcu at labadie.us>
> wrote:
>
> > Well, there are about 20 of them and several screen widths
> > long. However they all end with one of two reasons:
> >
> > : No chain/target/match by that name.
> > : Bad rule (does a matching rule exist in that chain?).
>
> Put them on a pastebin so we can see them at full width. The chain names
> should tell us what's responsible for them.
>

https://pastebin.com/njaqR87f

> Note that the iptables utilities and the iptables service are distinct. I
> install the utilities so that I can inspect the kernel chains that filterd
> creates. But I don't install the iptables service.

I don't play with iptables, so I assume it is a legacy continued from CentOS 6.x. I'll gladly remove the iptables service package.

Jon
-- 
Jon H. LaBadie                 jon at jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)