CentOS Linux release 7.1.1503 (Core)
[root@server1 ~]$firewall-cmd --list-all
Error: INVALID_ZONE
[root@server1 ~]$systemctl status firewalld.service
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
Active: active (running) since 一 2019-05-27 14:33:00 CST; 23h ago
Main PID: 5483 (firewalld)
CGroup: /system.slice/firewalld.service
└─5483 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
5月 27 14:33:00 server1 systemd[1]: Started firewalld - dynamic firewall daemon.
5月 27 14:33:00 server1 firewalld[5483]: 2019-05-27 14:33:00 ERROR: INVALID_ZONE
5月 27 14:33:31 server1 firewalld[5483]: 2019-05-27 14:33:31 ERROR: INVALID_ZONE
5月 28 13:49:53 server1 firewalld[5483]: 2019-05-28 13:49:53 ERROR: INVALID_ZONE
[root@server1 ~]$
May 28 13:54:21 server1 systemd: Stopping firewalld - dynamic firewall daemon...
May 28 13:54:22 server1 kernel: Ebtables v2.0 unregistered
May 28 13:54:23 server1 systemd: Starting firewalld - dynamic firewall daemon...
May 28 13:54:23 server1 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
May 28 13:54:23 server1 kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
May 28 13:54:23 server1 journal: 内部错误:Failed to apply firewall rules /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' --destination 192.168.122.0/24 --jump MASQUERADE: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 28 13:54:23 server1 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp-server' already exists with uuid f13e537b-f769-4a3d-8929-7e7ae01414ba
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp' already exists with uuid a89b87e5-1f29-49d3-9ef0-da6d0952349b
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-incoming-ipv4' already exists with uuid ee2eb2be-8ee5-41e4-9c6f-007cc2835fb6
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-ipv4' already exists with uuid 74dd230c-3006-4cf5-9c40-70cdd62702de
May 28 13:54:23 server1 journal: 操作失败: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-ip-spoofing' already exists with uuid 36c17e60-b2e0-4a19-8344-b61ae5739635
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
May 28 13:54:23 server1 kernel: Ebtables v2.0 registered
May 28 13:54:23 server1 systemd: Started firewalld - dynamic firewall daemon.
May 28 13:54:23 server1 firewalld: 2019-05-28 13:54:23 ERROR: INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn> (eno49) firewall zone add/change failed [3]: (32) INVALID_ZONE
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp-server' already exists with uuid f13e537b-f769-4a3d-8929-7e7ae01414ba
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp' already exists with uuid a89b87e5-1f29-49d3-9ef0-da6d0952349b
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-incoming-ipv4' already exists with uuid ee2eb2be-8ee5-41e4-9c6f-007cc2835fb6
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-ipv4' already exists with uuid 74dd230c-3006-4cf5-9c40-70cdd62702de
May 28 13:54:23 server1 journal: 操作失败: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-ip-spoofing' already exists with uuid 36c17e60-b2e0-4a19-8344-b61ae5739635
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
The log shows that the problem is caused by an incompatibility between the virtualization daemon libvirtd and firewalld: libvirtd re-applies its network filters and iptables NAT rules while firewalld is restarting, the two contend for the xtables lock, and firewalld ends up in the INVALID_ZONE state.
[root@server1 ~]$systemctl status libvirtd.service
libvirtd.service - Virtualization daemon
Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
Active: active (running) since 五 2019-05-17 16:22:49 CST; 1 weeks 3 days ago
Docs: man:libvirtd(8)
http://libvirt.org
Main PID: 1362 (libvirtd)
CGroup: /system.slice/libvirtd.service
├─1362 /usr/sbin/libvirtd
├─2822 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
└─2825 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
[root@server1 ~]$
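The diagnosis above rests on three signatures that appear together in the journal: the firewalld "ERROR: INVALID_ZONE" line, the iptables "Another app is currently holding the xtables lock" error, and the burst of libvirt "filter '...' already exists with uuid" messages. The following POSIX shell script is an added example (not part of the original post or of any firewalld/libvirt tooling) that triages an exported log excerpt for exactly those signatures, so the same conclusion can be reached on a host where the logs are longer and noisier. The sample log embedded in make_sample_log is constructed for the example, and its UUIDs are placeholders, not values from a real system.

```shell
#!/bin/sh
# Added example: triage a journal/messages excerpt for the libvirtd/firewalld
# conflict signatures. Usage: triage_firewalld_log /var/log/messages

# Print the number of lines in file $2 matching fixed pattern $1 (0 when none).
count_matches() {
    grep -c -- "$1" "$2" 2>/dev/null || true
}

# Classify a log file. Prints one of:
#   libvirt-firewalld-conflict  INVALID_ZONE together with libvirt/xtables-lock noise
#   invalid-zone-only           INVALID_ZONE without any libvirt indicator
#   clean                       no INVALID_ZONE error at all
triage_firewalld_log() {
    file="$1"
    zone=$(count_matches 'ERROR: INVALID_ZONE' "$file")
    lock=$(count_matches 'holding the xtables lock' "$file")
    nwf=$(count_matches 'already exists with uuid' "$file")
    if [ "$zone" -eq 0 ]; then
        echo clean
    elif [ "$lock" -gt 0 ] || [ "$nwf" -gt 0 ]; then
        echo libvirt-firewalld-conflict
    else
        echo invalid-zone-only
    fi
}

# List the distinct libvirt nwfilter names reported as "already exists",
# one per line, sorted; useful to see which filter set was re-applied.
list_duplicate_nwfilters() {
    grep -o "filter '[^']*' already exists" "$1" 2>/dev/null \
        | sed "s/^filter '\([^']*\)' already exists$/\1/" \
        | sort -u
}

# Write a constructed sample log (placeholder UUIDs) and print its path.
make_sample_log() {
    f="${TMPDIR:-/tmp}/firewalld-triage-sample.$$"
    cat > "$f" <<'EOF'
May 28 13:54:23 server1 journal: Failed to apply firewall rules /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' --destination 192.168.122.0/24 --jump MASQUERADE: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 28 13:54:23 server1 journal: filter 'allow-arp' already exists with uuid 00000000-0000-0000-0000-000000000001
May 28 13:54:23 server1 journal: filter 'clean-traffic' already exists with uuid 00000000-0000-0000-0000-000000000002
May 28 13:54:23 server1 journal: filter 'allow-arp' already exists with uuid 00000000-0000-0000-0000-000000000001
May 28 13:54:23 server1 systemd: Started firewalld - dynamic firewall daemon.
May 28 13:54:23 server1 firewalld: 2019-05-28 13:54:23 ERROR: INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn> (eno49) firewall zone add/change failed [3]: (32) INVALID_ZONE
EOF
    echo "$f"
}

# Stand-alone demo on the constructed sample.
sample=$(make_sample_log)
triage_firewalld_log "$sample"
list_duplicate_nwfilters "$sample"
rm -f "$sample"
```

The classifier deliberately keys on the firewalld "ERROR: INVALID_ZONE" line rather than on the NetworkManager warning, because NetworkManager only reports the symptom it received from firewalld; the libvirt and xtables-lock lines are what tie the failure to the virtualization daemon.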
[root@server1 network-scripts]$rpm -q libvirt firewalld NetworkManager
libvirt-1.2.8-16.el7.x86_64
firewalld-0.3.9-11.el7.noarch
NetworkManager-1.0.0-14.git20150121.b4ea599c.el7.x86_64
In newer releases the developers have already fixed the compatibility problem between libvirt and firewalld, so upgrading to a current version is recommended.
If the virtualization service is not needed, you can stop it and restart firewalld; after the restart, firewalld works normally again.
systemctl stop libvirtd.service
systemctl restart firewalld.service
[root@server1 ~]$firewall-cmd --permanent --zone=internal --change-interface=virbr0
success
[root@server1 ~]$firewall-cmd --permanent --zone=internal --add-source="192.168.122.0/24"
success
[root@server1 ~]$firewall-cmd --reload
success
[root@server1 ~]$firewall-cmd --permanent --zone=internal --list-all
internal (active)
interfaces: virbr0
sources: 192.168.122.0/24
services: dhcpv6-client ipp-client mdns samba-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules: