----- "David Lutterkort" <lut...@redhat.com> wrote:
> Can you try this again with 'NETCF_DEBUG=1 ncftool', i.e. set
> NETCF_DEBUG in the environment ? That should spew out some more
> details.
>
> David

Thanks for the tip.

[r...@localhost ~]# NETCF_DEBUG=1 ncftool
warning: augeas initialization had errors
please file a bug with the following lines in the bug report:
/augeas/files/etc/sysconfig/iptables/error = "parse_failed"
/augeas/files/etc/sysconfig/iptables/error/pos = "0"
/augeas/files/etc/sysconfig/iptables/error/line = "1"
/augeas/files/etc/sysconfig/iptables/error/char = "0"
/augeas/files/etc/sysconfig/iptables/error/lens = "/usr/share/augeas/lenses/dist/iptables.aug:59.10-.32"
/augeas/files/etc/sysconfig/iptables/error/message = "Iterated lens matched less than it should"
Failed to initialize netcf
error: unspecified error
error: errors in loading some config files

[r...@localhost sysconfig]# cat iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m limit --limit-burst 10 --limit 6/minute -j LOG --log-level 6
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges"
-A FORWARD -m limit --limit-burst 10 --limit 6/minute -j LOG --log-level 6
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I also discovered that after no changes to any configurations, a restart of the network makes ncftool/augeas happy.

[r...@localhost sysconfig]# service network restart
Shutting down interface eth0:                      [ OK ]
Shutting down loopback interface:                  [ OK ]
Disabling IPv4 packet forwarding:  net.ipv4.ip_forward = 0
                                                   [ OK ]
Bringing up loopback interface:                    [ OK ]
Bringing up interface eth0:  Determining IP information for eth0... done.
                                                   [ OK ]
[r...@localhost ~]# iptables -L -n|grep PHYS
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-is-bridged /* Forwarding for VM bridges */
[r...@localhost sysconfig]# NETCF_DEBUG=1 ncftool
ncftool>

If I reboot, ncftool is broken again, with the same error, until a network restart.

Note the following line in iptables:

-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges"

If I comment out that entire line with a #, I'm somewhat surprised, when I run ncftool, to see iptables restart and this line deleted.

[r...@localhost sysconfig]# NETCF_DEBUG=1 ncftool
iptables: Flushing firewall rules:                 [ OK ]
iptables: Setting chains to policy ACCEPT: filter  [ OK ]
iptables: Unloading modules:                       [ OK ]
iptables: Applying firewall rules:                 [ OK ]
ncftool> quit

I found that if I remove '-m comment --comment "Forwarding for VM bridges"' then ncftool is happy, even after a fresh reboot.

So, perhaps it's an augeas bug with the comment module in iptables? It does seem odd that even with this line present, ncftool does work if I restart the network service.

_______________________________________________
netcf-devel mailing list
netcf-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/netcf-devel
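An added example, not part of this thread and not netcf or augeas code: a small Python checker that tokenizes rules in the iptables-save format (shlex keeps the double-quoted --comment value as a single argument) and lists rules where a -m match module appears after the -j target, which is the shape of the FORWARD rule in the report above. The sample file is constructed; the second FORWARD rule in it, with the comment module moved before -j, is an assumed alternative layout for contrast and is not something the thread confirms the lens accepts.

```python
"""Flag iptables-save rules whose -m match module follows the -j target."""
import shlex

# Constructed sample mirroring the structure of the /etc/sysconfig/iptables
# shown in the report; line 5 is the rule the thread reports as problematic,
# line 6 is an assumed reordering used only for contrast.
SAMPLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges"
-A FORWARD -m comment --comment "Forwarding for VM bridges" -m physdev --physdev-is-bridged -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Parse one '-A CHAIN ...' rule; return None for non-rule lines.

    Walks the tokens left to right, recording match modules, the jump
    target, the --comment value, and whether any -m came after -j.
    """
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] not in ("-A", "-I"):
        return None
    rule = {"chain": toks[1], "matches": [], "target": None,
            "comment": None, "match_after_jump": False}
    i, seen_jump = 2, False
    while i < len(toks):
        t = toks[i]
        if t == "-m":
            rule["matches"].append(toks[i + 1])
            rule["match_after_jump"] |= seen_jump
            i += 2
        elif t == "-j":
            rule["target"], seen_jump = toks[i + 1], True
            i += 2
        elif t == "--comment":
            rule["comment"] = toks[i + 1]   # one token thanks to shlex quoting
            i += 2
        elif t.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            i += 2   # option that takes a value, e.g. --dport 22
        else:
            i += 1   # bare flag, e.g. --physdev-is-bridged
    return rule


def find_suspect_rules(text):
    """Return (line number, chain, comment) for each rule with -m after -j."""
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        r = None if line.startswith("#") else parse_rule(line)
        if r and r["match_after_jump"]:
            found.append((n, r["chain"], r["comment"]))
    return found
```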