Comment # 12 on bug 1109302 from
(In reply to Markos Chandras from comment #11)
> I just noticed that you are using ipv6 to connect to iscsi target and the
> iptables rules we are looking at are just for ipv4. Any chance you paste the
> ip6tables -L -v output?

I haven't configured any ipv6 rules:

-->
kvm133:~ # ip6tables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 
--<

> Could the IPv6_rpfilter=yes option in firewalld.conf possibly affect your
> system?
> 
> I also see the following warning
> 
> bridge: filtering via arp/ip/ip6tables is no longer available by default.
> Update your scripts to load br_netfilter if you need this.
> 
> maybe worth checking that your initrd loads this module?

Ah, looks like you are on the right track.
I've enabled LogDenied logging and found this when starting firewalld:

-->
Okt 02 16:05:30 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT=
MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd
SRC=2620:0113:80c0:8000:0010:0161:0063:0045
DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64
FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0 
Okt 02 16:05:30 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT=
MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd
SRC=2620:0113:80c0:8000:0010:0161:0063:0045
DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64
FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0 
Okt 02 16:05:31 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT=
MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd
SRC=2620:0113:80c0:8000:0010:0161:0063:0045
DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64
FLOWLBL=150315 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0 
Okt 02 16:05:31 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT=
MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd
SRC=2620:0113:80c0:8000:0010:0161:0063:0045
DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64
FLOWLBL=150315 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0 
Okt 02 16:05:31 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0c:42:8a:0e:05:08:00 SRC=0.0.0.0 DST=255.255.255.255
LEN=328 TOS=0x00 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Okt 02 16:05:32 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT=
MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd
SRC=2620:0113:80c0:8000:0010:0161:0063:0045
DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64
FLOWLBL=1017940 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH
URGP=0 
Okt 02 16:05:33 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0c:42:8a:0e:05:08:00 SRC=0.0.0.0 DST=255.255.255.255
LEN=328 TOS=0x00 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308 
Okt 02 16:05:33 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT=
MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd
SRC=2620:0113:80c0:8000:0010:0161:0063:0045
DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64
FLOWLBL=1017940 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0 
Okt 02 16:05:35 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0f:b7:11:14:77:08:00 SRC=0.0.0.0 DST=255.255.255.255
LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556 
Okt 02 16:05:36 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0f:b7:11:18:64:08:00 SRC=0.0.0.0 DST=255.255.255.255
LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556 
--<

So, it is obviously rpfilter that drops it.
But if I change the rpfilter setting:

-->
kvm133:~ # grep IPv6_rpfilter /etc/firewalld/firewalld.conf 
# IPv6_rpfilter
IPv6_rpfilter=no
--<

I get nasty error messages at firewalld start:

-->
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/iptables-restore -w
-n' failed: iptables-restore: line 2 failed
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/ip6tables-restore -w
-n' failed: ip6tables-restore: line 2 failed
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: Failed to apply rules. A
firewall reload might solve the issue if the firewall has been modified using
ip*tables or ebtables.
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/ebtables -t broute -N
BROUTING_direct -P RETURN' failed: Chain BROUTING_direct already exists.
Okt 02 16:11:16 kvm133 audit: NETFILTER_CFG table=filter family=7 entries=2
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: Failed to apply rules. A
firewall reload might solve the issue if the firewall has been modified using
ip*tables or ebtables.
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/ebtables -t filter -X
FORWARD_direct -P RETURN' failed: No extra options allowed with -X.
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: COMMAND_FAILED:
'/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 2 failed
--<

and the session from which I've started firewalld freezes.
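The LogDenied output above is what a defender would mine to find out which firewalld rule is discarding the iSCSI traffic. The following script is an added example and is not part of the bug report or of firewalld: it re-joins kernel netfilter log records that were wrapped across lines when pasted (as they are in this comment), parses the `KEY=value` fields, counts records per log prefix and flow, and flags records that involve TCP/3260, the iSCSI port. The sample log is constructed from three of the records quoted above; the helper names (`unwrap`, `parse_record`, `summarize`, `iscsi_drops`) are this example's own.

```python
"""Summarise firewalld LogDenied kernel log records (rpfilter_DROP, FINAL_REJECT, ...)."""
import re
from collections import Counter

# Start of a kernel netfilter log record: syslog timestamp, host, "kernel:", then the rule's log prefix.
RECORD_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"kernel: (?P<prefix>[A-Za-z0-9_]+): (?P<rest>.*)$"
)
# KEY=value pairs; bare TCP flags such as "ACK PSH" carry no '=' and are left alone.
KV_RE = re.compile(r"([A-Z]+)=(\S*)")

ISCSI_PORT = "3260"  # iSCSI target port; replies from the target arrive with SPT=3260

# Constructed sample, modelled on the records quoted in the bug comment, wrapped as pasted there.
SAMPLE_LOG = """\
Okt 02 16:05:30 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT=
MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd
SRC=2620:0113:80c0:8000:0010:0161:0063:0045
DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64
FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0
Okt 02 16:05:30 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT=
MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd
SRC=2620:0113:80c0:8000:0010:0161:0063:0045
DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64
FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0
Okt 02 16:05:31 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:0c:42:8a:0e:05:08:00 SRC=0.0.0.0 DST=255.255.255.255
LEN=328 TOS=0x00 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
"""


def unwrap(lines):
    """Re-join records that a mail client or bug tracker wrapped onto several lines.

    Any line that does not look like the start of a record is treated as a
    continuation of the previous record.
    """
    records = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if RECORD_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line.lstrip()
    return records


def parse_record(record):
    """Parse one full record into a dict of fields; return None if it is not a netfilter log line."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    fields = {"prefix": m.group("prefix"), "host": m.group("host"), "time": m.group("time")}
    for key, value in KV_RE.findall(m.group("rest")):
        # IPv4 UDP records carry LEN twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def summarize(lines):
    """Count records per (log prefix, ingress interface, protocol, source port, destination port)."""
    counts = Counter()
    for rec in unwrap(lines):
        f = parse_record(rec)
        if f is None:
            continue
        key = (f["prefix"], f.get("IN", ""), f.get("PROTO", ""), f.get("SPT", ""), f.get("DPT", ""))
        counts[key] += 1
    return counts


def iscsi_drops(lines):
    """Return the parsed records whose dropped packet has TCP/3260 as source or destination port."""
    return [
        f for f in map(parse_record, unwrap(lines))
        if f and f.get("PROTO") == "TCP" and ISCSI_PORT in (f.get("SPT"), f.get("DPT"))
    ]


if __name__ == "__main__":
    for (prefix, iface, proto, spt, dpt), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {prefix:14s} in={iface:6s} {proto} {spt}->{dpt}")
    for f in iscsi_drops(SAMPLE_LOG.splitlines()):
        print(f"iSCSI packet dropped by {f['prefix']} on {f['IN']}: {f['SRC']} -> {f['DST']}")
```

Run against the full journal (`journalctl -k | python3 thisscript.py` after swapping `SAMPLE_LOG` for `sys.stdin`), the per-prefix summary separates the `rpfilter_DROP` hits on `ibft0` from the unrelated DHCP broadcasts rejected on `ibft1`, which is the distinction the comment draws by eye.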
