On Fri, 2019-02-15 at 13:05 +0100, Thomas Haller wrote:
> On Fri, 2019-02-15 at 12:15 +0200, Berend De Schouwer via
> networkmanager-list wrote:
> > Hi,
> >
> > I've got a connection setup with NetworkManager on Fedora 29, and
> > sometimes on reboot the firewall rules are re-ordered.
> >
> > The firewall is managed by firewalld. It creates a few zones, and
> > sometimes the rules in the zones are re-ordered. For example, a diff
> > between startups:
> >
> > Chain POSTROUTING_ZONES (1 references)
> > target prot opt source destination
> > -POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
> > POST_home all -- 0.0.0.0/0 0.0.0.0/0 [goto]
> > +POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
> > POST_FedoraServer all -- 0.0.0.0/0 0.0.0.0/0 [goto]
> >
> > This can prevent some traffic from flowing, especially if it re-orders
> > a MASQUERADING rule.
> >
> > Note, in this case it actually broke some traffic swapping public &
> > home in both POST and PRE.
> >
> > I can fix it by either re-starting NetworkManager, or by dropping the
> > connection and bringing it up again. I can also break it that way.
> >
> > I'm assuming it's triggered by a race condition. It happens on a
> > Raspberry Pi, which is a little slower.
> >
> > Is there some way to prevent this?
>
> Hi,
>
> TL;DR: this does not sound like a NetworkManager issue to me. Why do
> you think it is? I would ask firewalld [1].
>
> [1] https://firewalld.org/community.html
(a) didn't know where to start
(b) nmcli connection down & up fixes it
(c) the first rule that triggered it was masquerading

I'm quite happy to contact the firewalld guys. I just had to pick a place to start.

> NetworkManager almost never directly configures iptables. The only
> place is for enabling MASQUERADING, with "ipv4.method=shared". nftables
> is not supported here, and optimally this code would be improved to
> let firewalld handle this. It's ugly that NetworkManager does this, but
> you are not using "ipv4.method=shared", are you?

Yes, I am.

> That aside, all that NetworkManager does regarding iptables/firewalld,
> is to call "addInterface", "changeZone", and "removeInterface" on the
> firewalld D-Bus API -- depending on "connection.zone" parameter in
> NetworkManager's connection profile.

The only change seems to be the order of the rules, which indicates a race condition. So the entire interface and/or zone do get added/removed.

So far, I've only seen the nat table trashed (pre/postrouting), not input/forward/output. The order can be wrong in multiple places. It's not always the same place.

Does NM both call D-Bus "addInterface" *and* modify iptables manually for masquerading? If so, is there a D-Bus API to find out when FirewallD is done adding the interface?

> Note that firewalld may also feed back into NetworkManager, when you
> modify a zone in Firewalld persistently, then firewalld may update
> "connection.zone" in NetworkManager's profile. This interaction between
> the two is rather hairy, because they both might call to each other.

I'm not modifying a zone when this happens. Just booting. Doesn't happen every time.

Thanks,
Berend
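A check for the symptom Berend describes, as an added example that is not part of the thread: it parses two saved `iptables -t nat -L POSTROUTING_ZONES -n` listings (constructed here, in the layout of the diff above) and reports which zone-dispatch targets moved between boots, so a reorder can be caught by a post-boot check rather than by noticing broken traffic.

```python
"""Report whether firewalld's zone-dispatch chain order changed between boots."""
import re
from typing import Dict, List

# Constructed sample `iptables -t nat -L POSTROUTING_ZONES -n` listings from two boots
# (assumption: the same layout as the diff in the thread, rules unwrapped onto one line).
BOOT_GOOD = """Chain POSTROUTING_ZONES (1 references)
target     prot opt source               destination
POST_public  all  --  0.0.0.0/0            0.0.0.0/0            [goto]
POST_home  all  --  0.0.0.0/0            0.0.0.0/0            [goto]
POST_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0            [goto]
"""
BOOT_BAD = """Chain POSTROUTING_ZONES (1 references)
target     prot opt source               destination
POST_home  all  --  0.0.0.0/0            0.0.0.0/0            [goto]
POST_public  all  --  0.0.0.0/0            0.0.0.0/0            [goto]
POST_FedoraServer  all  --  0.0.0.0/0            0.0.0.0/0            [goto]
"""

# A rule line starts with the target, then prot, opt, source and destination columns.
RULE_RE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+\S+\s+\S+")


def zone_order(listing: str) -> List[str]:
    """Return the jump targets of the chain in rule order, skipping header lines."""
    targets: List[str] = []
    for line in listing.splitlines():
        if line.startswith("Chain ") or line.startswith("target"):
            continue  # chain header and column header carry no rule
        match = RULE_RE.match(line)
        if match:
            targets.append(match.group(1))
    return targets


def compare_order(reference: str, current: str) -> Dict[str, object]:
    """Describe how `current` deviates from `reference`: moved, missing and extra targets."""
    ref, cur = zone_order(reference), zone_order(current)
    ref_pos = {t: i for i, t in enumerate(ref)}
    cur_pos = {t: i for i, t in enumerate(cur)}
    return {
        "same": ref == cur,
        # (target, index in reference, index now); a swapped pair shows up as two entries
        "moved": [(t, ref_pos[t], cur_pos[t]) for t in ref
                  if t in cur_pos and cur_pos[t] != ref_pos[t]],
        "missing": [t for t in ref if t not in cur_pos],  # zone chain disappeared
        "extra": [t for t in cur if t not in ref_pos],    # zone chain not seen before
    }
```

Save the listing from a known-good boot as the reference and run the comparison from a boot-time unit or a cron job; a non-empty `moved` list is the swap shown in the diff, and `missing` catches the case where a zone chain was never hooked in at all.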
