
Linux troubleshooting: firewalld on CentOS 7 reports "Error: INVALID_ZONE"


System version

CentOS Linux release 7.1.1503 (Core)

Symptoms

[root@server1 ~]$firewall-cmd --list-all
Error: INVALID_ZONE
[root@server1 ~]$systemctl status firewalld.service 
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: active (running) since 一 2019-05-27 14:33:00 CST; 23h ago
 Main PID: 5483 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─5483 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

5月 27 14:33:00 server1 systemd[1]: Started firewalld - dynamic firewall daemon.
5月 27 14:33:00 server1 firewalld[5483]: 2019-05-27 14:33:00 ERROR: INVALID_ZONE
5月 27 14:33:31 server1 firewalld[5483]: 2019-05-27 14:33:31 ERROR: INVALID_ZONE
5月 28 13:49:53 server1 firewalld[5483]: 2019-05-28 13:49:53 ERROR: INVALID_ZONE
[root@server1 ~]$

System log

May 28 13:54:21 server1 systemd: Stopping firewalld - dynamic firewall daemon...
May 28 13:54:22 server1 kernel: Ebtables v2.0 unregistered
May 28 13:54:23 server1 systemd: Starting firewalld - dynamic firewall daemon...
May 28 13:54:23 server1 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
May 28 13:54:23 server1 kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
May 28 13:54:23 server1 journal: 内部错误:Failed to apply firewall rules /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' --destination 192.168.122.0/24 --jump MASQUERADE: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 28 13:54:23 server1 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp-server' already exists with uuid f13e537b-f769-4a3d-8929-7e7ae01414ba
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp' already exists with uuid a89b87e5-1f29-49d3-9ef0-da6d0952349b
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-incoming-ipv4' already exists with uuid ee2eb2be-8ee5-41e4-9c6f-007cc2835fb6
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-ipv4' already exists with uuid 74dd230c-3006-4cf5-9c40-70cdd62702de
May 28 13:54:23 server1 journal: 操作失败: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-ip-spoofing' already exists with uuid 36c17e60-b2e0-4a19-8344-b61ae5739635
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
May 28 13:54:23 server1 kernel: Ebtables v2.0 registered
May 28 13:54:23 server1 systemd: Started firewalld - dynamic firewall daemon.
May 28 13:54:23 server1 firewalld: 2019-05-28 13:54:23 ERROR: INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn>  (eno49) firewall zone add/change failed [3]: (32) INVALID_ZONE
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp-server' already exists with uuid f13e537b-f769-4a3d-8929-7e7ae01414ba
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp' already exists with uuid a89b87e5-1f29-49d3-9ef0-da6d0952349b
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-incoming-ipv4' already exists with uuid ee2eb2be-8ee5-41e4-9c6f-007cc2835fb6
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-ipv4' already exists with uuid 74dd230c-3006-4cf5-9c40-70cdd62702de
May 28 13:54:23 server1 journal: 操作失败: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-ip-spoofing' already exists with uuid 36c17e60-b2e0-4a19-8344-b61ae5739635
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059

Analysis

The log shows that the problem is caused by an incompatibility between the libvirtd virtualization daemon and firewalld.

[root@server1 ~]$systemctl status libvirtd.service
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since 五 2019-05-17 16:22:49 CST; 1 weeks 3 days ago
     Docs: man:libvirtd(8)
           http://libvirt.org
 Main PID: 1362 (libvirtd)
   CGroup: /system.slice/libvirtd.service
           ├─1362 /usr/sbin/libvirtd
           ├─2822 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─2825 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper

5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
[root@server1 ~]$
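The following shell script is an added example, not part of the original post. It triages the symptom from journal text: it lists the interfaces for which NetworkManager reported a failed zone assignment, counts firewalld's own INVALID_ZONE errors, flags the xtables lock contention, and, when firewall-cmd is installed, shows which zone each failing interface is currently bound to. The embedded log lines are constructed to mirror the ones above; the second interface, virbr0, is assumed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed journal excerpt
# modelled on the post's log; the virbr0 line is assumed for the demo.
SAMPLE_LOG='May 28 13:54:23 server1 journal: Failed to apply firewall rules: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 28 13:54:23 server1 firewalld: 2019-05-28 13:54:23 ERROR: INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn>  (eno49) firewall zone add/change failed [3]: (32) INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn>  (virbr0) firewall zone add/change failed [3]: (32) INVALID_ZONE'

# Print, one per line and deduplicated, the interfaces for which
# NetworkManager reported a failed zone add/change. Input: journal text on stdin.
failed_zone_ifaces() {
    grep 'firewall zone add/change failed' |
        sed -n 's/.*(\([^)]*\)) firewall zone add\/change failed.*/\1/p' |
        sort -u
}

# Count firewalld's own "ERROR: INVALID_ZONE" lines in the journal text on stdin.
# grep -c exits 1 when the count is 0, so keep the function's exit status at 0.
count_invalid_zone() {
    grep -c 'firewalld.*ERROR: INVALID_ZONE' || true
}

# Exit 0 when another process held the xtables lock while rules were applied.
xtables_lock_contended() {
    grep -q 'holding the xtables lock'
}

# Zone an interface is currently bound to, via the real firewall-cmd option
# --get-zone-of-interface; "n/a" when firewall-cmd is not installed here.
zone_of_iface() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --get-zone-of-interface="$1" 2>/dev/null || echo "none"
    else
        echo "n/a"
    fi
}

# Demo run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_zone_ifaces | while read -r ifc; do
    echo "interface $ifc: zone assignment failed; bound zone: $(zone_of_iface "$ifc")"
done
echo "firewalld INVALID_ZONE errors: $(printf '%s\n' "$SAMPLE_LOG" | count_invalid_zone)"
if printf '%s\n' "$SAMPLE_LOG" | xtables_lock_contended; then
    echo "xtables lock contention seen: serialize rule changes or use iptables -w"
fi
```

On the affected host, replace SAMPLE_LOG with `journalctl -u firewalld -u NetworkManager --since today` output to triage the live journal.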

Relevant package versions

[root@server1 network-scripts]$rpm -q libvirt firewalld NetworkManager
libvirt-1.2.8-16.el7.x86_64
firewalld-0.3.9-11.el7.noarch
NetworkManager-1.0.0-14.git20150121.b4ea599c.el7.x86_64

Solution

In newer releases the developers have fixed the compatibility issue between libvirt and firewalld, so upgrading to a newer version is recommended.
If the virtualization service is not needed, you can stop it and restart firewalld; after the restart, firewalld works normally again.

systemctl stop libvirtd.service
systemctl restart firewalld.service

Alternative approach

[root@server1 ~]$firewall-cmd --permanent --zone=internal --change-interface=virbr0
success
[root@server1 ~]$firewall-cmd --permanent --zone=internal --add-source="192.168.122.0/24"
success
[root@server1 ~]$firewall-cmd --reload 
success
[root@server1 ~]$firewall-cmd --permanent --zone=internal --list-all 
internal (active)
  interfaces: virbr0
  sources: 192.168.122.0/24
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 