System version
CentOS Linux release 7.1.1503 (Core)
Symptom
[root@server1 ~]$firewall-cmd --list-all
Error: INVALID_ZONE
[root@server1 ~]$systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
Active: active (running) since 一 2019-05-27 14:33:00 CST; 23h ago
Main PID: 5483 (firewalld)
CGroup: /system.slice/firewalld.service
└─5483 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
5月 27 14:33:00 server1 systemd[1]: Started firewalld - dynamic firewall daemon.
5月 27 14:33:00 server1 firewalld[5483]: 2019-05-27 14:33:00 ERROR: INVALID_ZONE
5月 27 14:33:31 server1 firewalld[5483]: 2019-05-27 14:33:31 ERROR: INVALID_ZONE
5月 28 13:49:53 server1 firewalld[5483]: 2019-05-28 13:49:53 ERROR: INVALID_ZONE
[root@server1 ~]$
System log
May 28 13:54:21 server1 systemd: Stopping firewalld - dynamic firewall daemon...
May 28 13:54:22 server1 kernel: Ebtables v2.0 unregistered
May 28 13:54:23 server1 systemd: Starting firewalld - dynamic firewall daemon...
May 28 13:54:23 server1 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
May 28 13:54:23 server1 kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
May 28 13:54:23 server1 journal: 内部错误:Failed to apply firewall rules /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' --destination 192.168.122.0/24 --jump MASQUERADE: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 28 13:54:23 server1 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp-server' already exists with uuid f13e537b-f769-4a3d-8929-7e7ae01414ba
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp' already exists with uuid a89b87e5-1f29-49d3-9ef0-da6d0952349b
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-incoming-ipv4' already exists with uuid ee2eb2be-8ee5-41e4-9c6f-007cc2835fb6
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-ipv4' already exists with uuid 74dd230c-3006-4cf5-9c40-70cdd62702de
May 28 13:54:23 server1 journal: 操作失败: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-ip-spoofing' already exists with uuid 36c17e60-b2e0-4a19-8344-b61ae5739635
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
May 28 13:54:23 server1 kernel: Ebtables v2.0 registered
May 28 13:54:23 server1 systemd: Started firewalld - dynamic firewall daemon.
May 28 13:54:23 server1 firewalld: 2019-05-28 13:54:23 ERROR: INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn> (eno49) firewall zone add/change failed [3]: (32) INVALID_ZONE
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp-server' already exists with uuid f13e537b-f769-4a3d-8929-7e7ae01414ba
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp' already exists with uuid a89b87e5-1f29-49d3-9ef0-da6d0952349b
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-incoming-ipv4' already exists with uuid ee2eb2be-8ee5-41e4-9c6f-007cc2835fb6
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-ipv4' already exists with uuid 74dd230c-3006-4cf5-9c40-70cdd62702de
May 28 13:54:23 server1 journal: 操作失败: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-ip-spoofing' already exists with uuid 36c17e60-b2e0-4a19-8344-b61ae5739635
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
Analysis
The log shows that the fault is caused by an incompatibility between the virtualization daemon libvirtd and firewalld: while firewalld is starting, libvirtd holds the xtables lock and re-registers its nwfilter rules (the "already exists with uuid" failures), and firewalld ends up reporting INVALID_ZONE.
[root@server1 ~]$systemctl status libvirtd.service
libvirtd.service - Virtualization daemon
Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
Active: active (running) since 五 2019-05-17 16:22:49 CST; 1 weeks 3 days ago
Docs: man:libvirtd(8)
http://libvirt.org
Main PID: 1362 (libvirtd)
CGroup: /system.slice/libvirtd.service
├─1362 /usr/sbin/libvirtd
├─2822 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
└─2825 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
[root@server1 ~]$
Relevant package versions
[root@server1 network-scripts]$rpm -q libvirt firewalld NetworkManager
libvirt-1.2.8-16.el7.x86_64
firewalld-0.3.9-11.el7.noarch
NetworkManager-1.0.0-14.git20150121.b4ea599c.el7.x86_64
Solution
In newer releases the developers have fixed the compatibility issue between libvirt and firewalld, so upgrading to a current version is recommended.
If the virtualization service is not needed, stop it and restart firewalld; after the restart firewalld works normally again.
systemctl stop libvirtd.service
systemctl restart firewalld.service
Alternative workaround
[root@server1 ~]$firewall-cmd --permanent --zone=internal --change-interface=virbr0
success
[root@server1 ~]$firewall-cmd --permanent --zone=internal --add-source="192.168.122.0/24"
success
[root@server1 ~]$firewall-cmd --reload
success
[root@server1 ~]$firewall-cmd --permanent --zone=internal --list-all
internal (active)
interfaces: virbr0
sources: 192.168.122.0/24
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
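The following script is an added example and is not part of the original post. It covers both remedies above from the checking side: it classifies the journal signatures that point at the libvirtd/firewalld conflict (INVALID_ZONE, the xtables lock error, the nwfilter "already exists" failures) and verifies that the alternative workaround (virbr0 and 192.168.122.0/24 in the internal zone) is really in place. The function names diagnose_firewalld_log, zone_has_entry and verify_internal_zone are my own; the sample text is abbreviated from the log and the --list-all output shown in the post, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): classify the firewalld/libvirtd
# journal signatures described above and verify that the zone workaround took
# effect. Runs on the embedded sample text; the comments at the end show how
# to feed it real journalctl / firewall-cmd output.

# Sample journal excerpt, abbreviated from the log shown in the post.
SAMPLE_LOG=$(cat <<'EOF'
May 28 13:54:23 server1 systemd: Starting firewalld - dynamic firewall daemon...
May 28 13:54:23 server1 journal: 内部错误:Failed to apply firewall rules /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' --destination 192.168.122.0/24 --jump MASQUERADE: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 firewalld: 2019-05-28 13:54:23 ERROR: INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn> (eno49) firewall zone add/change failed [3]: (32) INVALID_ZONE
EOF
)

# Sample "firewall-cmd --permanent --zone=internal --list-all" output, as in the post.
SAMPLE_ZONE=$(cat <<'EOF'
internal (active)
  interfaces: virbr0
  sources: 192.168.122.0/24
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
EOF
)

# diagnose_firewalld_log LOGTEXT
# Prints one line per signature found, in a fixed order; prints "ok: ..." when
# none of the three conflict signatures from the post is present.
diagnose_firewalld_log() {
    log=$1
    found=0
    if printf '%s\n' "$log" | grep -q 'INVALID_ZONE'; then
        echo 'invalid_zone: firewalld rejected a zone assignment (firewall-cmd fails with INVALID_ZONE)'
        found=1
    fi
    if printf '%s\n' "$log" | grep -q 'holding the xtables lock'; then
        echo 'xtables_lock: firewalld could not apply rules because another process held the iptables lock'
        found=1
    fi
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
    n=$(printf '%s\n' "$log" | grep -c "filter '[^']*' already exists" || true)
    if [ "$n" -gt 0 ]; then
        echo "nwfilter_duplicates: $n libvirt nwfilter re-registration failures"
        found=1
    fi
    [ "$found" -eq 1 ] || echo 'ok: no firewalld/libvirtd conflict signature found'
}

# zone_has_entry LISTALL_OUTPUT KEY VALUE
# True when the "KEY:" line of a firewall-cmd --list-all dump contains VALUE
# as a whole word (so "virbr0" does not match "virbr01").
zone_has_entry() {
    out=$1; key=$2; want=$3
    line=$(printf '%s\n' "$out" | sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" | head -n 1)
    for w in $line; do
        [ "$w" = "$want" ] && return 0
    done
    return 1
}

# verify_internal_zone LISTALL_OUTPUT IFACE CIDR
# True when both the bridge interface and the guest subnet are in the zone,
# i.e. the workaround from the post has been applied and reloaded.
verify_internal_zone() {
    zone_has_entry "$1" interfaces "$2" && zone_has_entry "$1" sources "$3"
}

# Demo on the embedded samples.
echo '--- diagnosis of sample journal ---'
diagnose_firewalld_log "$SAMPLE_LOG"
if verify_internal_zone "$SAMPLE_ZONE" virbr0 192.168.122.0/24; then
    echo 'internal zone: virbr0 and 192.168.122.0/24 present (workaround applied)'
else
    echo 'internal zone: workaround not applied'
fi

# Against a live host (not run here):
#   diagnose_firewalld_log "$(journalctl -u firewalld -u libvirtd --no-pager)"
#   verify_internal_zone "$(firewall-cmd --permanent --zone=internal --list-all)" virbr0 192.168.122.0/24
```

The diagnosis deliberately keys on the three signatures the post's log shows rather than on any single "firewalld failed" line: INVALID_ZONE alone can also come from a typo in a zone name, but together with the xtables lock error and the nwfilter re-registration failures at the same timestamp it points at libvirtd racing firewalld during its restart. The verification step parses the permanent configuration, so run it after firewall-cmd --reload, as the post does, to confirm the runtime and permanent zones agree.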