Linux troubleshooting: firewalld on CentOS 7 reports "Error: INVALID_ZONE"

System version

CentOS Linux release 7.1.1503 (Core)

Symptoms

[root@server1 ~]$firewall-cmd --list-all
Error: INVALID_ZONE
[root@server1 ~]$systemctl status firewalld.service 
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: active (running) since Mon 2019-05-27 14:33:00 CST; 23h ago
 Main PID: 5483 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─5483 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

May 27 14:33:00 server1 systemd[1]: Started firewalld - dynamic firewall daemon.
May 27 14:33:00 server1 firewalld[5483]: 2019-05-27 14:33:00 ERROR: INVALID_ZONE
May 27 14:33:31 server1 firewalld[5483]: 2019-05-27 14:33:31 ERROR: INVALID_ZONE
May 28 13:49:53 server1 firewalld[5483]: 2019-05-28 13:49:53 ERROR: INVALID_ZONE
[root@server1 ~]$

System log

May 28 13:54:21 server1 systemd: Stopping firewalld - dynamic firewall daemon...
May 28 13:54:22 server1 kernel: Ebtables v2.0 unregistered
May 28 13:54:23 server1 systemd: Starting firewalld - dynamic firewall daemon...
May 28 13:54:23 server1 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
May 28 13:54:23 server1 kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
May 28 13:54:23 server1 journal: internal error: Failed to apply firewall rules /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' --destination 192.168.122.0/24 --jump MASQUERADE: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 28 13:54:23 server1 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
May 28 13:54:23 server1 journal: operation failed: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: operation failed: filter 'allow-dhcp-server' already exists with uuid f13e537b-f769-4a3d-8929-7e7ae01414ba
May 28 13:54:23 server1 journal: operation failed: filter 'allow-dhcp' already exists with uuid a89b87e5-1f29-49d3-9ef0-da6d0952349b
May 28 13:54:23 server1 journal: operation failed: filter 'allow-incoming-ipv4' already exists with uuid ee2eb2be-8ee5-41e4-9c6f-007cc2835fb6
May 28 13:54:23 server1 journal: operation failed: filter 'allow-ipv4' already exists with uuid 74dd230c-3006-4cf5-9c40-70cdd62702de
May 28 13:54:23 server1 journal: operation failed: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 journal: operation failed: filter 'no-arp-ip-spoofing' already exists with uuid 36c17e60-b2e0-4a19-8344-b61ae5739635
May 28 13:54:23 server1 journal: operation failed: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 journal: operation failed: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 journal: operation failed: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 journal: operation failed: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 journal: operation failed: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 journal: operation failed: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 journal: operation failed: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 journal: operation failed: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 journal: operation failed: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 journal: operation failed: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
May 28 13:54:23 server1 kernel: Ebtables v2.0 registered
May 28 13:54:23 server1 systemd: Started firewalld - dynamic firewall daemon.
May 28 13:54:23 server1 firewalld: 2019-05-28 13:54:23 ERROR: INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn>  (eno49) firewall zone add/change failed [3]: (32) INVALID_ZONE
May 28 13:54:23 server1 journal: operation failed: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: operation failed: filter 'allow-dhcp-server' already exists with uuid f13e537b-f769-4a3d-8929-7e7ae01414ba
May 28 13:54:23 server1 journal: operation failed: filter 'allow-dhcp' already exists with uuid a89b87e5-1f29-49d3-9ef0-da6d0952349b
May 28 13:54:23 server1 journal: operation failed: filter 'allow-incoming-ipv4' already exists with uuid ee2eb2be-8ee5-41e4-9c6f-007cc2835fb6
May 28 13:54:23 server1 journal: operation failed: filter 'allow-ipv4' already exists with uuid 74dd230c-3006-4cf5-9c40-70cdd62702de
May 28 13:54:23 server1 journal: operation failed: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 journal: operation failed: filter 'no-arp-ip-spoofing' already exists with uuid 36c17e60-b2e0-4a19-8344-b61ae5739635
May 28 13:54:23 server1 journal: operation failed: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 journal: operation failed: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 journal: operation failed: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 journal: operation failed: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 journal: operation failed: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 journal: operation failed: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 journal: operation failed: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 journal: operation failed: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 journal: operation failed: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 journal: operation failed: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059

Analysis

The log points to an incompatibility between the libvirtd virtualization daemon and firewalld. libvirt watches firewalld over D-Bus and re-applies its own network rules and built-in nwfilter definitions whenever firewalld restarts, so the restart above produces three distinct kinds of line. The "filter '...' already exists" messages are libvirtd redefining filters that are already loaded; they are noise. The "Another app is currently holding the xtables lock" message is a real failure: libvirt's MASQUERADE insert for 192.168.122.0/24 raced firewalld for the iptables lock and was not applied, so the guest NAT rule may be absent even though both services report active; verify with iptables -t nat -S POSTROUTING rather than trusting the service status. The INVALID_ZONE lines from firewalld and NetworkManager show firewalld rejecting the zone name it was asked to put eno49 into, and the same error is what firewall-cmd --list-all returns.

[root@server1 ~]$systemctl status libvirtd.service
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since Fri 2019-05-17 16:22:49 CST; 1 weeks 3 days ago
     Docs: man:libvirtd(8)
           http://libvirt.org
 Main PID: 1362 (libvirtd)
   CGroup: /system.slice/libvirtd.service
           ├─1362 /usr/sbin/libvirtd
           ├─2822 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─2825 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper

May 28 13:54:23 server1 libvirtd[1362]: operation failed: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 libvirtd[1362]: operation failed: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 libvirtd[1362]: operation failed: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 libvirtd[1362]: operation failed: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 libvirtd[1362]: operation failed: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 libvirtd[1362]: operation failed: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 libvirtd[1362]: operation failed: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 libvirtd[1362]: operation failed: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 libvirtd[1362]: operation failed: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 libvirtd[1362]: operation failed: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
[root@server1 ~]$

Related package versions

[root@server1 network-scripts]$rpm -q libvirt firewalld NetworkManager
libvirt-1.2.8-16.el7.x86_64
firewalld-0.3.9-11.el7.noarch
NetworkManager-1.0.0-14.git20150121.b4ea599c.el7.x86_64
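Before picking a fix, it is worth turning the log reading above into a repeatable check. The shell helpers below are an added example written for this write-up, not code from the original post, firewalld or libvirt. They classify journal lines like the ones above into the three things that are actually in them (the INVALID_ZONE rejections, the xtables-lock failure that left a rule unapplied, and the harmless nwfilter redefinitions), and they verify that every zone name firewalld gets asked for, the DefaultZone= in /etc/firewalld/firewalld.conf and the ZONE= that NetworkManager reads from /etc/sysconfig/network-scripts/ifcfg-* (the call that failed for eno49 above), is backed by a zone XML in /etc/firewalld/zones or /usr/lib/firewalld/zones. The sample log is a constructed subset of the lines above; the path layout assumed is the firewalld 0.3.x default.

```shell
#!/bin/sh
# Added triage helpers for the failure described on this page. Example code
# written for this write-up, not part of the original post, firewalld or
# libvirt. Assumptions: firewalld's zone layout (/etc/firewalld/zones
# overrides /usr/lib/firewalld/zones, zone name = XML basename) and the
# ifcfg-rh plugin of NetworkManager reading ZONE= from ifcfg-* files.

# Constructed sample: a representative subset of the journal lines above.
sample_log() {
cat <<'EOF'
May 28 13:54:23 server1 journal: internal error: Failed to apply firewall rules /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' --destination 192.168.122.0/24 --jump MASQUERADE: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 28 13:54:23 server1 journal: operation failed: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: operation failed: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 systemd: Started firewalld - dynamic firewall daemon.
May 28 13:54:23 server1 firewalld: 2019-05-28 13:54:23 ERROR: INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn>  (eno49) firewall zone add/change failed [3]: (32) INVALID_ZONE
EOF
}

# Summarise journal lines read from stdin. Output, one finding per line:
#   INVALID_ZONE <count>
#   XTABLES_LOCK <count> <first iptables rule that failed to apply>
#   NWFILTER_REDEFINE <count>
# Exit status 1 when at least one rule failed on the xtables lock, i.e. the
# live ruleset may differ from what the daemons report.
classify_firewalld_log() {
    invalid=0; lock=0; nwf=0; failed_rule=''
    while IFS= read -r line; do
        case $line in
            *'INVALID_ZONE'*) invalid=$((invalid + 1)) ;;
        esac
        case $line in
            *'holding the xtables lock'*)
                lock=$((lock + 1))
                if [ -z "$failed_rule" ]; then
                    failed_rule=${line#*"Failed to apply firewall rules "}
                    failed_rule=${failed_rule%%": Another app"*}
                fi ;;
            *"filter '"*"' already exists with uuid"*) nwf=$((nwf + 1)) ;;
        esac
    done
    echo "INVALID_ZONE $invalid"
    echo "XTABLES_LOCK $lock $failed_rule"
    echo "NWFILTER_REDEFINE $nwf"
    [ "$lock" -eq 0 ]
}

# Collect every zone name firewalld will be asked for: DefaultZone= from
# firewalld.conf plus ZONE= from each ifcfg file (what NetworkManager sends in
# the addInterface/changeZone call that failed for eno49). An empty ZONE= means
# "default zone" and is skipped. Prints the names that have no zone XML behind
# them; exit 1 if there are any.
# Usage: missing_zones /etc/firewalld/firewalld.conf \
#            /etc/sysconfig/network-scripts \
#            /etc/firewalld/zones /usr/lib/firewalld/zones
missing_zones() {
    conf=$1; ifcfg_dir=$2; shift 2
    names=$(sed -n 's/^DefaultZone=[[:space:]]*//p' "$conf")
    for f in "$ifcfg_dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        names="$names
$(sed -n 's/^ZONE=//p' "$f" | tr -d '"')"
    done
    rc=0
    for z in $names; do
        found=0
        for dir in "$@"; do
            [ -f "$dir/$z.xml" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "$z"; rc=1; }
    done
    return $rc
}
```

On the host itself, feed the real journal in with `journalctl -u firewalld -u libvirtd -u NetworkManager --since today | classify_firewalld_log`. A non-zero XTABLES_LOCK count is the finding that matters for the firewall state: the printed rule is one that was not applied, so check `iptables -t nat -S POSTROUTING` instead of trusting firewall-cmd output. `firewall-cmd --get-zones` lists the zone names the daemon actually loaded, which is what the ifcfg ZONE= values are compared against here.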

Solution

Newer releases fix the compatibility between libvirt and firewalld, so upgrading both packages is the proper fix.
If this host does not need virtualization, stop libvirtd and restart firewalld; after the restart firewalld works normally. Note that systemctl stop lasts only until the next boot: libvirtd.service is enabled (see the status output above), so also run systemctl disable libvirtd.service if it is meant to stay off, and confirm the result with firewall-cmd --state and firewall-cmd --list-all.

systemctl stop libvirtd.service
systemctl restart firewalld.service

Alternative approach

[root@server1 ~]$firewall-cmd --permanent --zone=internal --change-interface=virbr0
success
[root@server1 ~]$firewall-cmd --permanent --zone=internal --add-source="192.168.122.0/24"
success
[root@server1 ~]$firewall-cmd --reload 
success
[root@server1 ~]$firewall-cmd --permanent --zone=internal --list-all 
internal (active)
  interfaces: virbr0
  sources: 192.168.122.0/24
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
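The alternative above works, but it has two side effects worth weighing. It puts the guest bridge into `internal`, whose stock service list (ssh, samba-client, mdns, ipp-client and dhcpv6-client, as the listing shows) becomes reachable from every guest. And the `--add-source` binding classifies by source address alone, so a packet claiming a 192.168.122.x source that arrives on another interface lands in the same zone. A narrower option, as an added example that is not from the original post: a dedicated zone bound to virbr0 by interface that allows only the DHCP and DNS that libvirt's dnsmasq serves on that bridge, plus a check that flags any service a zone exposes beyond an allowlist. The zone name libvirt-guests is our choice; paths follow the firewalld 0.3.x layout; the listing used in the test is the one shown above.

```shell
#!/bin/sh
# Added example, not from the original post: a dedicated firewalld zone for the
# libvirt NAT bridge instead of reusing `internal`, plus an allowlist check for
# the services a zone exposes. Assumptions: firewalld 0.3.x zone XML layout
# under /etc/firewalld/zones, libvirt's default virbr0 / 192.168.122.0/24 as
# shown on this page, and the zone name "libvirt-guests" (our choice).

ZONE_NAME=libvirt-guests

# Write the zone file. Refuses to overwrite so a re-run cannot silently replace
# an admin-edited zone. Prints the path written.
write_guest_zone() {
    dir=${1:-/etc/firewalld/zones}
    path="$dir/$ZONE_NAME.xml"
    if [ -e "$path" ]; then
        echo "refusing to overwrite $path" >&2
        return 1
    fi
    cat > "$path" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>libvirt guests</short>
  <description>Guests on the libvirt NAT bridge. Only the DHCP and DNS that libvirt's dnsmasq serves on virbr0; none of the ssh, samba-client, mdns or ipp-client that the stock internal zone opens.</description>
  <interface name="virbr0"/>
  <service name="dhcp"/>
  <service name="dns"/>
</zone>
EOF
    echo "$path"
}

# Read `firewall-cmd --zone=<z> --list-all` output from stdin and print every
# service the zone exposes that is not in the allowlist given as arguments.
# Exit 1 if any were found.
unexpected_services() {
    allow=" $* "
    rc=0
    services=$(sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    for s in $services; do
        case $allow in
            *" $s "*) ;;
            *) echo "$s"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the `internal` zone listing shown above.
sample_internal_listing() {
cat <<'EOF'
internal (active)
  interfaces: virbr0
  sources: 192.168.122.0/24
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports:
  masquerade: no
EOF
}

# To apply on a real host (needs root; not executed here):
#   write_guest_zone && firewall-cmd --reload
#   firewall-cmd --zone=libvirt-guests --list-all | unexpected_services dhcp dns
#   iptables -t nat -S POSTROUTING | grep 192.168.122.0/24
```

After the reload, `firewall-cmd --get-zone-of-interface=virbr0` should answer libvirt-guests. NAT for the guests stays with libvirt's own POSTROUTING MASQUERADE rule, the one the log above shows failing on the xtables lock, so confirm it is present with `iptables -t nat -S POSTROUTING | grep 192.168.122.0/24` before assuming guests have outbound connectivity.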