Bug 1159215 - firewalld filters ports to LXC container on bridge despite being allowed
Summary: firewalld filters ports to LXC container on bridge despite being allowed
Status: RESOLVED DUPLICATE of bug 1158817
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Containers
Version: Leap 15.1
Hardware: x86-64 Other
Importance: P5 - None Normal
Target Milestone: ---
Assignee: Containers Team
QA Contact: E-mail List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-13 17:42 UTC by Richard Farthing
Modified: 2019-12-18 13:30 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Internal rules on br0, eth0 (994 bytes, text/xml)
2019-12-13 17:42 UTC, Richard Farthing

Description Richard Farthing 2019-12-13 17:42:19 UTC
Created attachment 826135
Internal rules on br0, eth0

Environment: Server running 15.1 with separate mail server running in LXC container (on centos), interconnected via a bridge br0. Container gets IP via DHCP.  This config has been running 6+ months, no issues.

Container is still accessible via br0 (other machines and server itself) via http. But mail and some other protocols fail.

Some auto update since 2019-12-05 (last reboot), causes firewalld on the server to reject connections on br0 to the container port 993, and ssh port 22 even though specifically enabled in the rules (attached).

Enabled firewall logging: 10.0.0.62 = machine on network, 10.0.0.110=container running mail (vethQV8JUR), eth3 is the DMZ

Mail client on private net tries to connect:

Dec 13 14:57:23 ha-server kernel: FINAL_REJECT: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vethQV8JUR MAC=00:16:3e:f3:83:5f:64:51:06:4f:b9:c9:08:00 SRC=10.0.0.62 DST=10.0.0.110 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=14030 DF PROTO=TCP SPT=64692 DPT=993 WINDOW=8192 RES=0x00 SYN URGP=0 

Mail server in LXC attempts pickup from a remote server via br0

Dec 13 17:08:55 ha-server kernel: FINAL_REJECT: IN=br0 OUT=br0 PHYSIN=vethQV8JUR PHYSOUT=eth3 MAC=00:14:7f:22:c4:ac:00:16:3e:f3:83:5f:08:00 SRC=10.0.0.110 DST=94.126.40.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36503 DF PROTO=TCP SPT=59680 DPT=143 WINDOW=29200 RES=0x00 SYN URGP=0

Tests:
- Stopping firewalld = all OK.
- Reversion from today's kernel update 4.12.14-lp151.28.36 to the former 4.12.14-lp151.28.32 doesn't fix it

I'm probably missing something, but I also don't understand the garbled MAC addresses listed in the log.  The LXC MAC is 00:16:3e:f3:83:5f
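Both rejects above are forwarded bridge frames (IN and OUT are both br0, with PHYSIN/PHYSOUT naming the real bridge ports), which is what the firewall only sees when the br_netfilter module is loaded; the MAC field is the raw 14-byte Ethernet header (destination, source, ethertype), not a single address. As an added example that is not part of the report, the following Python parser flags bridged rejects in firewalld kernel logs and decodes that header; the sample lines are constructed here (the first two copied from the report, the third a non-bridged reject for contrast).

```python
import re

# Constructed sample log: the report's two bridged rejects plus one ordinary
# host-input reject on eth3, which should NOT be flagged.
SAMPLE_LOG = """\
Dec 13 14:57:23 ha-server kernel: FINAL_REJECT: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vethQV8JUR MAC=00:16:3e:f3:83:5f:64:51:06:4f:b9:c9:08:00 SRC=10.0.0.62 DST=10.0.0.110 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=14030 DF PROTO=TCP SPT=64692 DPT=993 WINDOW=8192 RES=0x00 SYN URGP=0
Dec 13 17:08:55 ha-server kernel: FINAL_REJECT: IN=br0 OUT=br0 PHYSIN=vethQV8JUR PHYSOUT=eth3 MAC=00:14:7f:22:c4:ac:00:16:3e:f3:83:5f:08:00 SRC=10.0.0.110 DST=94.126.40.131 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36503 DF PROTO=TCP SPT=59680 DPT=143 WINDOW=29200 RES=0x00 SYN URGP=0
Dec 13 17:10:02 ha-server kernel: FINAL_REJECT: IN=eth3 OUT= MAC=00:14:7f:22:c4:ac:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=VALUE pairs; OUT= may be empty


def parse_reject(line):
    """Return the KEY=VALUE fields of a firewalld FINAL_REJECT line, else None."""
    if "FINAL_REJECT:" not in line:
        return None
    return dict(FIELD_RE.findall(line.split("FINAL_REJECT:", 1)[1]))


def decode_mac(mac_field):
    """Split the logged 14-byte Ethernet header into (dst_mac, src_mac, ethertype)."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        return None
    return (":".join(octets[0:6]), ":".join(octets[6:12]),
            "0x" + "".join(octets[12:14]))


def is_bridged_reject(f):
    """A frame forwarded across a bridge shows the same bridge as IN and OUT
    and carries PHYSIN/PHYSOUT; that combination only occurs with br_netfilter."""
    return bool(f.get("IN")) and f.get("IN") == f.get("OUT") \
        and "PHYSIN" in f and "PHYSOUT" in f


def scan(log_text):
    """Summarise every bridged reject in the log as a dict of the key facts."""
    findings = []
    for line in log_text.splitlines():
        f = parse_reject(line)
        if not f or not is_bridged_reject(f):
            continue
        dst_mac, src_mac, ethertype = decode_mac(f.get("MAC", "")) or ("?", "?", "?")
        findings.append({"bridge": f["IN"], "physin": f["PHYSIN"],
                         "physout": f["PHYSOUT"], "src": f["SRC"], "dst": f["DST"],
                         "proto": f.get("PROTO", ""), "dport": f.get("DPT", ""),
                         "src_mac": src_mac, "dst_mac": dst_mac, "ethertype": ethertype})
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A run over a real log that produces hits on a bridge you intended to be unfiltered is the cue to check whether br_netfilter is loaded (`lsmod | grep br_netfilter`) and why.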
Comment 1 Richard Farthing 2019-12-15 10:44:47 UTC
I can confirm it's not just the LXC container that's affected. The local network on eth0 is also being filtered.
Comment 2 David Kronlid 2019-12-16 09:28:25 UTC
This might be related to this bug:
https://bugzilla.opensuse.org/show_bug.cgi?id=1158817

See if the problem disappears if you revert back to suse-module-tools version 15.1.13-lp151.1.1
Comment 3 Richard Farthing 2019-12-16 09:58:51 UTC
Thanks so much - that fixed it for me. I reverted back to suse-module-tools version 15.1.13-lp151.1.1 plus the package lock.
Comment 4 Richard Farthing 2019-12-18 13:30:51 UTC
A different artefact of the same problem with suse-module-tools

*** This bug has been marked as a duplicate of bug 1158817 ***