Module/Helper loading broken in Centos 7.4 for conntrack_proto_gre #263
Comments
IIRC, all the other nf_conntrack_proto_* (e.g. sctp) are now built directly into the nf_conntrack module for newer kernels. I don't think firewalld currently handles nf_conntrack_proto_gre properly. I believe it's checking for the "helper" string in the modinfo output, but that is not present for nf_conntrack_proto_gre. Try any of the following as a workaround:
Thanks for the suggestions.
Hi,
Hi,
There is currently no one working on this bug.
It works until firewalld is restarted, and that might happen implicitly at reboot or through chef-runs (which are applied in the environment I am working in), so this is not an option for me. Is there a specific reason why the modules are verified so extensively before considering them conntrack modules in firewalld? If not, why not just rely on the name, or at least don't reject the module if some fields are not set in modinfo?
Unfortunately I don't know the history, but I'll look into it. It's possible these checks are no longer necessary.
Hi there. I have found a "workaround" for this issue, which will automatically load module nf_conntrack_proto_gre in a rather "system" manner:
Please see #242 on why this is not a valid workaround.
So, is http://www.firewalld.org/documentation/howto/add-a-service.html a valid way to add module loading?
For additional modules to load it is required to define a http://www.firewalld.org/documentation/helper/ and add a
This works for most conntrack modules, but not for gre, as you can see in the original issue description. The problem is that firewalld is validating the available modules to see if they are conntrack modules before loading, and this validation fails for conntrack_gre. All of this has already been discussed in this thread.
In which way are nf_conntrack modules validated in firewalld?
Oooookay, that was simple. I took the function get_nf_conntrack_helpers() from the firewalld code and made a copy in my test script with all necessary import headers, then added a little debug output.
[root@pbx-01 ~]# modinfo nf_conntrack_proto_gre
And where is an alias string? Right you are - it's absent. So, all we need is to find out just how to set this alias for this module.
I have analyzed the binary files of the modules and found out that the nf_conntrack_proto_gre module is broken!
Or not check the alias at all. I don't understand the reason behind checking it. The name of the module could be enough to check before loading.
Agree. I think there was no nf_conntrack_proto_gre at the time this function was added, and Mr. Developer found an easy way to get the final internal module name from an alias.
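To make the validation discussed in the preceding comments concrete, here is an added illustration; it is my own code, not firewalld's get_nf_conntrack_helpers(), whose exact logic is not reproduced. It runs an alias-based check (a module counts as a helper only if modinfo reports an nfct-helper-* alias, which is an assumption about the pattern firewalld looks for) over constructed modinfo output for three modules, shows that nf_conntrack_proto_gre is rejected because it carries no alias line, and contrasts that with the name-based check proposed above. The modinfo text, module paths and kernel version are constructed sample data.

```python
import re

# Constructed modinfo-style output (illustration only, not captured from a real
# system). nf_conntrack_ftp and nf_conntrack_sip carry an "nfct-helper-<name>"
# alias; nf_conntrack_proto_gre carries no alias line at all, which is the
# situation described in the issue.
MODINFO_OUTPUT = {
    "nf_conntrack_ftp": """\
filename:       /lib/modules/x.y.z/kernel/net/netfilter/nf_conntrack_ftp.ko
alias:          nfct-helper-ftp
alias:          ip_conntrack_ftp
description:    ftp connection tracking helper
depends:        nf_conntrack
""",
    "nf_conntrack_sip": """\
filename:       /lib/modules/x.y.z/kernel/net/netfilter/nf_conntrack_sip.ko
alias:          nfct-helper-sip
description:    SIP connection tracking helper
depends:        nf_conntrack
""",
    "nf_conntrack_proto_gre": """\
filename:       /lib/modules/x.y.z/kernel/net/netfilter/nf_conntrack_proto_gre.ko
description:    GRE connection tracking (L3 protocol helper)
depends:        nf_conntrack
""",
}

# Assumed alias pattern: "alias:  nfct-helper-<helper>" on its own line.
ALIAS_RE = re.compile(r"^alias:\s+nfct-helper-(\S+)\s*$", re.MULTILINE)


def helpers_from_alias(modinfo_text):
    """Alias-based check: return the helper names advertised through
    nfct-helper-* aliases. An empty list means the module is rejected."""
    return ALIAS_RE.findall(modinfo_text)


def helpers_from_name(module):
    """Name-based check suggested in the thread: accept any nf_conntrack_*
    module and derive the helper name from the module name itself."""
    if not module.startswith("nf_conntrack_"):
        return []
    return [module[len("nf_conntrack_"):].replace("_", "-")]


def classify(modinfo_by_module):
    """Run the alias-based check over every module. Returns the accepted
    modules with their helper names, and the list of rejected modules
    (the ones a purely alias-driven validation would miss)."""
    accepted = {}
    rejected = []
    for module, text in modinfo_by_module.items():
        found = helpers_from_alias(text)
        if found:
            accepted[module] = found
        else:
            rejected.append(module)
    return accepted, rejected


def detect_helpers(modinfo_by_module):
    """Combined strategy: prefer the alias, fall back to the module name, so a
    module such as nf_conntrack_proto_gre is still recognised."""
    result = {}
    for module, text in modinfo_by_module.items():
        result[module] = helpers_from_alias(text) or helpers_from_name(module)
    return result


if __name__ == "__main__":
    accepted, rejected = classify(MODINFO_OUTPUT)
    print("accepted by alias check:", accepted)
    print("rejected by alias check:", rejected)
    print("with name fallback:     ", detect_helpers(MODINFO_OUTPUT))
```

Running the block prints nf_conntrack_proto_gre as the only module the alias-only check rejects, while the combined strategy still reports a helper name ("proto-gre") for it; that is the gap the later patch in this thread addresses by loading such modules explicitly.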
Works fine like this:
Result list:
In my firewalld on CentOS Linux release 7.4.1708 (Core) this patch works just fine!!!
Some software like firewalld depend on kernel module meta-data. This patch will help to fix: firewalld/firewalld#263
Thanks for the fix. Do you know if the next release of firewalld will be in 7.5, or EPEL?
@sll552, RHEL 7.5 released today. So this fix definitely won't make 7.5, but should make 7.6. I'm in the process of backporting this fix to the stable-0.5 branch. I expect RHEL 7.6 will use the latest 0.5.x version of firewalld.
Thanks for the info, I just read the announcement of 7.5 after posting 😄.
Since there is no port, we don't create a rule and these modules are not implicitly loaded. So load them explicitly. Fixes: firewalld#263
Hi,
I encountered an error in a previous release (CentOS 7.3) documented in #242. As recommended in this Issue, I created a service and it worked until I upgraded to CentOS 7.4.
I have the following service defined:
This was enough to get firewalld to load the required module.
After the upgrade I received the following error when trying to add the service to a zone:
I figured that I need to create a helper module which looks like this:
But now I get different error:
By looking at https://github.com/firewalld/firewalld/blob/master/src/firewall/functions.py and the get_nf_conntrack_helpers() function, it seems like only conntrack modules which have an alias defined are considered. But unfortunately the conntrack module for gre doesn't have an alias, as modinfo shows:
Is it possible to work around this issue somehow, or is this a CentOS issue?
Best regards