Salt: Firewalld state fails with Debian 10 Buster

Created on 24 Oct 2019 · 1 comment · Source: saltstack/salt

Firstly excuse my formatting, I don't spend a lot of time here.

Description of Issue

When applying a firewalld state on Debian 10 it first returns this error:

    ID: Open DNS port
     Function: firewalld.present
       Name: public
       Result: False
      Comment: An exception occurred in this state: Traceback (most recent call last):
                 File "/usr/lib/python3/dist-packages/salt/state.py", line 1933, in call
                   **cdata['kwargs'])
                 File "/usr/lib/python3/dist-packages/salt/loader.py", line 1951, in wrapper
                   return f(*args, **kwargs)
                 File "/usr/lib/python3/dist-packages/salt/states/firewalld.py", line 246, in present
                   __salt__['firewalld.reload_rules']()
                 File "/usr/lib/python3/dist-packages/salt/modules/firewalld.py", line 85, in reload_rules
                   return __firewall_cmd('--reload')
                 File "/usr/lib/python3/dist-packages/salt/modules/firewalld.py", line 44, in __firewall_cmd
                   'firewall-cmd failed: {0}'.format(msg)
               salt.exceptions.CommandExecutionError: firewall-cmd failed: Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (nf_tables): 
               line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
               line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
      Started: 08:50:24.290569
     Duration: 3882.672 ms
      Changes: 

And then on subsequent attempts:
```
Error: firewall-cmd failed: Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (nf_tables): Chain already exists
```

### Setup
Config in question.

```
Open DNS port:
  firewalld.present:
    - name: public
    - prune_services: False
    - services:
      - dns
```

### Steps to Reproduce Issue
Relevant debug log:

```
[INFO ] Executing state firewalld.present for [public]
[DEBUG ] LazyLoaded firewalld.get_zones
[DEBUG ] LazyLoaded cmd.run_all
[INFO ] Executing command '/usr/bin/firewall-cmd --get-zones --permanent' in directory '/root'
[DEBUG ] /etc/resolv.conf: The domain and search keywords are mutually exclusive.
[DEBUG ] LazyLoaded config.merge
[DEBUG ] LazyLoaded mine.update
[DEBUG ] stdout: block dmz drop external home internal public trusted work
[INFO ] Executing command '/usr/bin/firewall-cmd --get-default-zone' in directory '/root'
[DEBUG ] stdout: public
[INFO ] Executing command '/usr/bin/firewall-cmd --zone=public --list-all --permanent' in directory '/root'
[DEBUG ] stdout: public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[INFO ] Executing command '/usr/bin/firewall-cmd --zone=public --list-services --permanent' in directory '/root'
[DEBUG ] stdout: dhcpv6-client ssh
[INFO ] Executing command '/usr/bin/firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent' in directory '/root'
[DEBUG ] stdout: success
[INFO ] Executing command '/usr/bin/firewall-cmd --reload' in directory '/root'
[ERROR ] Command '['/usr/bin/firewall-cmd', '--reload']' failed with return code: 13
[ERROR ] stderr: Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
[ERROR ] retcode: 13
[DEBUG ] An exception occurred in this state: firewall-cmd failed: Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/salt/state.py", line 1933, in call
    **cdata['kwargs'])
  File "/usr/lib/python3/dist-packages/salt/loader.py", line 1951, in wrapper
    return f(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/salt/states/firewalld.py", line 246, in present
    __salt__['firewalld.reload_rules']()
  File "/usr/lib/python3/dist-packages/salt/modules/firewalld.py", line 85, in reload_rules
    return __firewall_cmd('--reload')
  File "/usr/lib/python3/dist-packages/salt/modules/firewalld.py", line 44, in __firewall_cmd
    'firewall-cmd failed: {0}'.format(msg)
salt.exceptions.CommandExecutionError: firewall-cmd failed: Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
[ERROR ] An exception occurred in this state: Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/salt/state.py", line 1933, in call
    **cdata['kwargs'])
  File "/usr/lib/python3/dist-packages/salt/loader.py", line 1951, in wrapper
    return f(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/salt/states/firewalld.py", line 246, in present
    __salt__['firewalld.reload_rules']()
  File "/usr/lib/python3/dist-packages/salt/modules/firewalld.py", line 85, in reload_rules
    return __firewall_cmd('--reload')
  File "/usr/lib/python3/dist-packages/salt/modules/firewalld.py", line 44, in __firewall_cmd
    'firewall-cmd failed: {0}'.format(msg)
salt.exceptions.CommandExecutionError: firewall-cmd failed: Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.2 (nf_tables):
line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
line 4: RULE_REPLACE failed (No such file or directory): rule in chain OUTPUT
```

### Versions Report
Master:

```
Salt Version:
           Salt: 2019.2.0

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.5.3
      docker-py: Not Installed
          gitdb: 2.0.0
      gitpython: 2.1.1
          ioflo: Not Installed
         Jinja2: 2.9.4
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.8
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 3.5.3 (default, Sep 27 2018, 17:25:39)
   python-gnupg: Not Installed
         PyYAML: 3.12
          PyZMQ: 16.0.2
           RAET: Not Installed
          smmap: 2.0.1
        timelib: 0.2.4
        Tornado: 4.4.3
            ZMQ: 4.2.1

System Versions:
           dist: debian 9.11
         locale: UTF-8
        machine: x86_64
        release: 4.9.0-11-amd64
         system: Linux
        version: debian 9.11
```

Minion: 2019.2.2

All comments

Turns out it is an iptables bug in Debian 10.
Version 1.8.2 of iptables in Debian 10 is bugged. It can be fixed by upgrading to 1.8.3 from buster-backports.
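The upgrade the comment describes, written as a Salt state so it is ordered before the firewalld state, is an added example and not code from the issue or the Salt project. It assumes a Debian 10 minion that is allowed to reach the Debian mirror; the state IDs `buster-backports` and `iptables-backport` are hypothetical.

```yaml
# Added example (not from the issue): install iptables from buster-backports
# so the 1.8.2 nf_tables build is replaced before firewalld reloads rules.
# Assumes a Debian 10 minion; the state IDs below are hypothetical.
buster-backports:
  pkgrepo.managed:
    - name: deb http://deb.debian.org/debian buster-backports main
    - file: /etc/apt/sources.list.d/buster-backports.list

iptables-backport:
  pkg.installed:
    - name: iptables
    - fromrepo: buster-backports   # equivalent to apt-get -t buster-backports
    - refresh: True                # re-read package lists after adding the repo
    - require:
      - pkgrepo: buster-backports

# The state from the report, now required to run after the upgraded iptables.
Open DNS port:
  firewalld.present:
    - name: public
    - prune_services: False
    - services:
      - dns
    - require:
      - pkg: iptables-backport
```

Which iptables version buster-backports carries depends on when you apply this; confirm on the minion with `apt-cache policy iptables` that the installed version is 1.8.3 or later before trusting the reload.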
