On Fri, 2019-02-15 at 13:05 +0100, Thomas Haller wrote:
On Fri, 2019-02-15 at 12:15 +0200, Berend De Schouwer via networkmanager-list wrote:

Hi,

I've got a connection setup with NetworkManager on Fedora 29, and sometimes on reboot the firewall rules are re-ordered. The firewall is managed by firewalld. It creates a few zones, and sometimes the rules in the zones are re-ordered.

For example, a diff between startups:

Chain POSTROUTING_ZONES (1 references)
target             prot opt source               destination
-POST_public       all  --  0.0.0.0/0            0.0.0.0/0            [goto]
POST_home          all  --  0.0.0.0/0            0.0.0.0/0            [goto]
+POST_public       all  --  0.0.0.0/0            0.0.0.0/0            [goto]
POST_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0            [goto]

This can prevent some traffic from flowing, especially if it re-orders a MASQUERADING rule. Note, in this case it actually broke some traffic swapping public & home in both POST and PRE.

I can fix it by either re-starting NetworkManager, or by dropping the connection and bringing it up again. I can also break it that way.

I'm assuming it's triggered by a race condition. It happens on a Raspberry Pi, which is a little slower.

Is there some way to prevent this?

Hi,

TL;DR: this does not sound like a NetworkManager issue to me. Why do you think it is? I would ask firewalld [1].

[1] https://firewalld.org/community.html
(a) didn't know where to start
(b) nmcli connection down & up fixes it
(c) the first rule that triggered it was masquerading

I'm quite happy to contact the firewalld guys. I just had to pick a place to start.
NetworkManager almost never directly configures iptables. The only place is for enabling MASQUERADING, with "ipv4.method=shared". nftables is not supported here, and optimally this could be improved to let firewalld handle this. It's ugly that NetworkManager does this, but you are not using "ipv4.method=shared", are you?
Yes, I am.
That aside, all that NetworkManager does regarding iptables/firewalld is to call "addInterface", "changeZone", and "removeInterface" on the firewalld D-Bus API -- depending on the "connection.zone" parameter in NetworkManager's connection profile.
The only change seems to be the order of the rules, which indicates a race condition. So the entire interface and/or zone do get added/removed.

So far, I've only seen the nat table trashed (pre/postrouting), not input/forward/output. The order can be wrong in multiple places. It's not always the same place.

Does NM both call D-Bus "addInterface" *and* modify iptables manually for masquerading? If so, is there a D-Bus API to find out when FirewallD is done adding the interface?
Note that firewalld may also feed back into NetworkManager, when you modify a zone in Firewalld persistently, then firewalld may update "connection.zone" in NetworkManager's profile. This interaction between the two is rather hairy, because they both might call to each other.
I'm not modifying a zone when this happens. Just booting. Doesn't happen every time.

Thanks,
Berend
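A diagnostic to go with the symptom described above, added here as an example and not part of the mailing-list thread or of NetworkManager/firewalld: it compares the order of firewalld's zone-dispatch rules in the nat table between two boots, so a swap like the public/home one in the quoted diff is reported before it silently breaks masqueraded traffic. It assumes the input is the text of `iptables -t nat -S` captured at each boot (saving it from a boot-time unit to a file such as /var/tmp/nat-<timestamp>.rules is an assumption, not something the thread describes), and that the dispatch chains are named POSTROUTING_ZONES and PREROUTING_ZONES; the two snapshots embedded below are constructed to mirror the thread's diff.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: compare the order of
# firewalld's zone-dispatch rules in the nat table between two boots, so a
# reordering like the one in the thread is caught before it breaks traffic.
#
# Input is the text of `iptables -t nat -S` captured at each boot (for
# example saved from a boot-time unit to /var/tmp/nat-<timestamp>.rules;
# that path is an assumption). The two snapshots below are constructed to
# mirror the diff quoted in the thread; on a real host they come from files.

# Constructed: a boot where traffic worked.
SNAP_GOOD='-A POSTROUTING_ZONES -g POST_public
-A POSTROUTING_ZONES -g POST_home
-A POSTROUTING_ZONES -g POST_FedoraServer
-A PREROUTING_ZONES -g PRE_public
-A PREROUTING_ZONES -g PRE_home'

# Constructed: a boot where public and home swapped places in both chains.
SNAP_BAD='-A POSTROUTING_ZONES -g POST_home
-A POSTROUTING_ZONES -g POST_public
-A POSTROUTING_ZONES -g POST_FedoraServer
-A PREROUTING_ZONES -g PRE_home
-A PREROUTING_ZONES -g PRE_public'

# zone_order SNAPSHOT CHAIN
# Print the jump/goto targets of CHAIN in rule order, space separated.
zone_order() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "-A" && $2 == chain {
            t = ""
            for (i = 3; i <= NF; i++)
                if ($i == "-g" || $i == "-j") t = $(i + 1)
            out = (out == "") ? t : out " " t
        }
        END { print out }'
}

# chains_in SNAPSHOT...
# List every chain that has at least one -A rule in any of the snapshots.
chains_in() {
    printf '%s\n' "$@" | awk '$1 == "-A" { print $2 }' | sort -u
}

# reordered_chains SNAP_A SNAP_B
# Print "CHAIN: old-order -> new-order" for every chain whose rule order
# differs; return 1 if any chain differs, 0 if the two snapshots agree.
reordered_chains() {
    changed=0
    for chain in $(chains_in "$1" "$2"); do
        a=$(zone_order "$1" "$chain")
        b=$(zone_order "$2" "$chain")
        if [ "$a" != "$b" ]; then
            printf '%s: %s -> %s\n' "$chain" "$a" "$b"
            changed=1
        fi
    done
    return $changed
}

# Stand-alone run: report whether the constructed snapshots agree.
if reordered_chains "$SNAP_GOOD" "$SNAP_BAD"; then
    echo "zone dispatch order unchanged"
else
    echo "zone dispatch order changed between boots"
fi
```

Comparing on the `-S` form rather than `-L` output keeps the check independent of column widths and counters, and only the target order per chain is compared, so a chain that merely gained or lost an interface-bound rule is reported with both orders side by side for a human to judge.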