firewalld has made a major change to the backend in Fedora 29 and hasn't filed appropriate change details although they managed to blog about it. It's broken default virtual networking and probably a lot of other things.
https://developers.redhat.com/blog/2018/08/10/firewalld-the-future-is-nftables/ https://firewalld.org/2018/07/nftables-backend
I propose that we ask the firewalld maintainers to revert back to using iptables instead of nftables for F-29, and revisit using nftables for F-30, once folks have had some time to make sure it doesn't break other things.
The Change process should be the appropriate mechanism to make sure there were no surprises. Unfortunately, the change seems to have caught a lot of dependent services by surprise here.
And it wasn't easy to locate because there wasn't a Change to note; I worked it out when I vaguely noted a blog from the planet had gone past.
Do we have bugs for the issues?
Yes, already filed as a blocker https://bugzilla.redhat.com/show_bug.cgi?id=1623868
FWIW, the firewalld nftables backend has been in rawhide since July 25th.
That's my fault. I missed that step somehow.
> The Change process should be the appropriate mechanism to make sure there were no surprises.
> Unfortunately, the change seems to have caught a lot of dependent services by surprise here.
To be fair, libvirt has known of firewalld's desire to use nft, we just didn't realize it was happening in F29. Libvirt has run significant automated testing to validate operation with nft, which detected multiple bugs in the iptables shims for nft. Unfortunately all our testing was focused on our NIC filtering feature, and not on the DHCP/DNS virtual net so we've missed detection of this firewalld bug which is impacting networking.
IOW, it would have been nice to have a Change notice, but we probably would still have ended up with this bug; at most it might have helped people more quickly identify the cause.
https://bugzilla.redhat.com/show_bug.cgi?id=1623868#c22
firewalld-0.6.1-2.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-379c39d97c
So this should be resolved when the update goes to stable. Nothing to do for FESCo.
Metadata Update from @zbyszek: - Issue status updated to: Closed (was: Open)
Well - nothing to do for FESCo so long as that's intended to be the status for F29 permanently and not just a temporary change. We should ensure that firewalld folks don't intend to switch back to nftables for F29 later on.