On Mon, Feb 23, 2015 at 9:23 AM, Trent Hampton <[email protected]>
wrote:

> Greetings,
>

Hello Trent,


>
> After getting the most recent code from github I removed the perl legacy
> spec files, tarred up the source, and ran an "rpmbuild -ta
> fwknop-2.6.5.tar.gz" to create the rpms with which I installed fwknop on
> two CentOS 7 servers. From the log messages below I believe that you can see
> that the fwknopd server is configured to use firewalld. However, it appears
> that when fwknopd receives an SPA packet it tries to write iptables rules
> and fails.
>
> Is there something else I need to do to use firewalld?
>
> Feb 20 17:10:10 server7 fwknopd[2209]: Run directory: /var/run/fwknop does
> not exist. Attempting to create it.
> Feb 20 17:10:10 server7 fwknopd[2209]: Successfully created Run directory:
> /var/run/fwknop
> Feb 20 17:10:10 server7 fwknopd: Starting fwknopd: [  OK  ]
> Feb 20 17:10:10 server7 fwknopd[2210]: Starting fwknopd
> Feb 20 17:10:10 server7 fwknopd[2210]: Using Digest Cache:
> '/var/run/fwknop/digest.cache' (entry count = 0)
> Feb 20 17:10:10 server7 systemd: Started LSB: start and stop fwknopd.
> Feb 20 17:10:10 server7 firewalld: 2015-02-20 17:10:10 ERROR:
> COMMAND_FAILED: '/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' failed:
> iptables v1.4.21: Couldn't load target `FWKNOP_INPUT':No such file or
> directory
> Try `iptables -h' or 'iptables --help' for more information.
>

The "COMMAND_FAILED" string is actually returned by the
/usr/bin/firewall-cmd interface to firewalld, so I believe fwknopd is
executing iptables commands via firewall-cmd as it should. However, what I
need to verify is that fwknopd correctly detects error conditions (some of
which are expected, such as when fwknopd is testing whether the FWKNOP_INPUT
chain exists before it is created, etc.), and the COMMAND_FAILED string is
printed on stdout by firewall-cmd. I was recently working on the
IPTables-Parse module and noticed this as well:

https://github.com/mrash/IPTables-Parse/commit/44afb31b6eea7ef20814a54e9939976e63a7af06

More soon on this...

Thanks,

--Mike



> Feb 20 17:10:10 server7 firewalld: 2015-02-20 17:10:10 ERROR:
> COMMAND_FAILED: '/sbin/iptables -t filter -F FWKNOP_INPUT' failed:
> iptables: No chain/target/match by that name.
> Feb 20 17:10:11 server7 firewalld: 2015-02-20 17:10:11 ERROR:
> COMMAND_FAILED: '/sbin/iptables -t filter -X FWKNOP_INPUT' failed:
> iptables: No chain/target/match by that name.
> Feb 20 17:10:11 server7 firewalld: 2015-02-20 17:10:11 ERROR:
> COMMAND_FAILED: '/sbin/iptables -t filter -L FWKNOP_INPUT -n' failed:
> iptables: No chain/target/match by that name.
> Feb 20 17:10:11 server7 firewalld: 2015-02-20 17:10:11 ERROR:
> COMMAND_FAILED: '/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' failed:
> iptables: No chain/target/match by that name.
> Feb 20 17:10:11 server7 fwknopd[2210]: Added jump rule from chain: INPUT
> to chain: FWKNOP_INPUT
> Feb 20 17:10:12 server7 fwknopd[2210]: firewalld 'comment' match is
> available
> Feb 20 17:10:12 server7 fwknopd[2210]: Sniffing interface: ens3
> Feb 20 17:10:12 server7 fwknopd[2210]: PCAP filter is: 'udp port 62201'
> Feb 20 17:10:12 server7 fwknopd[2210]: Starting fwknopd main event loop.
> Feb 20 17:10:15 server7 fwknopd[2210]: (stanza #1) SPA Packet from IP:
> 135.72.227.124 received with access source match
> Feb 20 17:10:15 server7 firewalld: 2015-02-20 17:10:15 ERROR:
> COMMAND_FAILED: '/sbin/iptables -t filter -N FWKNOP_INPUT' failed:
> iptables: Chain already exists.
> Feb 20 17:10:15 server7 firewalld: 2015-02-20 17:10:15 ERROR:
> COMMAND_FAILED: '/sbin/iptables -C FWKNOP_INPUT -t filter -p 6 -s
> 135.72.227.124 -d 0.0.0.0/0 --dport 22 -m comment --comment
> _exp_1424481045 -j ACCEPT' failed: iptables: Bad rule (does a matching rule
> exist in that chain?).
> Feb 20 17:10:15 server7 fwknopd[2210]: Added Rule to FWKNOP_INPUT for
> 135.72.227.124, tcp/22 expires at 1424481045
>
> Trent
>
>
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
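Mike's point above is that every firewall-cmd failure shows up as a COMMAND_FAILED line, whether it is a deliberate probe (does the FWKNOP_INPUT chain exist yet, is the rule already present) or a real fault, so anything that consumes these logs has to tell the two apart. The following is an added example, not code from fwknop or firewalld: a small Python triage that parses the firewalld log lines from this thread (re-joined onto single lines) and classifies each failure by the iptables action that produced it. Which actions count as benign probes is this editor's reading of the log, not fwknopd's own logic, and the final sample line (a failing -A on a placeholder address) is constructed to show what an unexpected failure looks like.

```python
"""Triage firewalld COMMAND_FAILED log lines produced when fwknopd drives
iptables through firewall-cmd, separating benign probes (chain/rule
existence checks, idempotent create/flush) from failures that need attention.

Added example, not fwknop or firewalld code. The classification rules are
this editor's reading of the thread's log, not fwknopd's own error handling.
"""
import re
import shlex
from typing import List, NamedTuple, Optional


class FwCmdFailure(NamedTuple):
    action: str     # iptables action flag, e.g. "-C"
    chain: str      # chain the action targets
    command: str    # full iptables command that firewall-cmd ran
    error: str      # iptables error text after "failed:"
    expected: bool  # True when the failure is a benign probe/idempotent op


# firewalld logs: "... ERROR: COMMAND_FAILED: '<cmd>' failed: <iptables error>"
COMMAND_FAILED_RE = re.compile(r"COMMAND_FAILED: '(?P<cmd>[^']+)' failed: (?P<err>.+)$")

# iptables flags that name the operation performed on a chain.
ACTIONS = {"-C", "-L", "-F", "-X", "-N", "-A", "-I", "-D"}

# Error fragments meaning "the chain or target does not exist (yet)".
MISSING = ("No chain/target/match by that name", "Couldn't load target")


def is_expected(action: str, err: str) -> bool:
    """Return True for failures fwknopd provokes on purpose while probing."""
    if action == "-C":
        # -C tests whether a rule exists; a miss is the normal "not yet" answer.
        return "Bad rule" in err or any(s in err for s in MISSING)
    if action in ("-L", "-F", "-X"):
        # Listing/flushing/deleting a chain that has not been created yet.
        return any(s in err for s in MISSING)
    if action == "-N":
        # Re-creating an existing chain is an idempotent no-op.
        return "Chain already exists" in err
    return False


def parse_failure(line: str) -> Optional[FwCmdFailure]:
    """Parse one syslog line; None if it is not a firewalld COMMAND_FAILED line."""
    m = COMMAND_FAILED_RE.search(line)
    if m is None:
        return None
    cmd, err = m.group("cmd"), m.group("err").strip()
    action, chain = "", ""
    argv = shlex.split(cmd)
    for i, tok in enumerate(argv):
        if tok in ACTIONS:
            action = tok
            chain = argv[i + 1] if i + 1 < len(argv) else ""
            break
    return FwCmdFailure(action, chain, cmd, err, is_expected(action, err))


def triage(lines: List[str]) -> List[FwCmdFailure]:
    """All COMMAND_FAILED entries found in the given log lines."""
    return [f for f in (parse_failure(ln) for ln in lines) if f is not None]


def unexpected_failures(lines: List[str]) -> List[FwCmdFailure]:
    """Only the failures that are not benign probes; these deserve an alert."""
    return [f for f in triage(lines) if not f.expected]


def _fw(ts: str, rest: str) -> str:
    """Build a firewalld syslog line in the format seen in the thread."""
    return f"Feb 20 {ts} server7 firewalld: 2015-02-20 {ts} ERROR: COMMAND_FAILED: {rest}"


# Sample input: the firewalld lines from the thread re-joined onto single lines,
# one fwknopd line that is not an error, and one CONSTRUCTED failure at the end.
SAMPLE_LOG = [
    _fw("17:10:10", "'/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' failed: "
        "iptables v1.4.21: Couldn't load target `FWKNOP_INPUT':No such file or directory"),
    _fw("17:10:10", "'/sbin/iptables -t filter -F FWKNOP_INPUT' failed: "
        "iptables: No chain/target/match by that name."),
    _fw("17:10:11", "'/sbin/iptables -t filter -X FWKNOP_INPUT' failed: "
        "iptables: No chain/target/match by that name."),
    _fw("17:10:11", "'/sbin/iptables -t filter -L FWKNOP_INPUT -n' failed: "
        "iptables: No chain/target/match by that name."),
    _fw("17:10:11", "'/sbin/iptables -C INPUT -t filter -j FWKNOP_INPUT' failed: "
        "iptables: No chain/target/match by that name."),
    "Feb 20 17:10:11 server7 fwknopd[2210]: Added jump rule from chain: INPUT to chain: FWKNOP_INPUT",
    _fw("17:10:15", "'/sbin/iptables -t filter -N FWKNOP_INPUT' failed: "
        "iptables: Chain already exists."),
    _fw("17:10:15", "'/sbin/iptables -C FWKNOP_INPUT -t filter -p 6 -s 135.72.227.124 "
        "-d 0.0.0.0/0 --dport 22 -m comment --comment _exp_1424481045 -j ACCEPT' failed: "
        "iptables: Bad rule (does a matching rule exist in that chain?)."),
    # Constructed, not from the thread: a failing -A means the access rule was never added.
    _fw("17:10:15", "'/sbin/iptables -t filter -A FWKNOP_INPUT -p 6 -s 192.0.2.10 "
        "--dport 22 -j ACCEPT' failed: iptables: Permission denied (you must be root)."),
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{'expected' if f.expected else 'ALERT':8} {f.action} {f.chain:13} {f.error}")
```

Run stand-alone it prints one line per failure; all seven entries taken from the thread classify as expected probes, and only the constructed -A line is flagged. The same split is what fwknopd itself needs when it reads firewall-cmd's stdout: a COMMAND_FAILED on a -C or -L is the answer to a question, while a COMMAND_FAILED on the -A that is supposed to open the port means the SPA client will not get access even though the daemon logged "Added Rule".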