http://bugzilla.suse.com/show_bug.cgi?id=1109302
http://bugzilla.suse.com/show_bug.cgi?id=1109302#c12
--- Comment #12 from Thomas Blume
I just noticed that you are using ipv6 to connect to iscsi target and the iptables rules we are looking at are just for ipv4. Any chance you paste the ip6tables -L -v output?
I haven't configured any ipv6 rules:
-->
kvm133:~ # ip6tables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
--<
Could the IPv6_rpfilter=yes option in firewalld.conf possibly affect your system?
I also see the following warning:
bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
Maybe worth checking that your initrd loads this module?
Ah, looks like you are on the right track. I've enabled LogDenied logging and found this when starting firewalld:
-->
Okt 02 16:05:30 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64 FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0
Okt 02 16:05:30 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64 FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0
Okt 02 16:05:31 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64 FLOWLBL=150315 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0
Okt 02 16:05:31 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64 FLOWLBL=150315 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0
Okt 02 16:05:31 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:42:8a:0e:05:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Okt 02 16:05:32 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=120 TC=0 HOPLIMIT=64 FLOWLBL=1017940 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0
Okt 02 16:05:33 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0c:42:8a:0e:05:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
Okt 02 16:05:33 kvm133 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:be:37:42:00:08:02:ed:8f:15:86:dd SRC=2620:0113:80c0:8000:0010:0161:0063:0045 DST=2620:0113:80c0:8080:0010:0160:0068:0246 LEN=84 TC=0 HOPLIMIT=64 FLOWLBL=1017940 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0
Okt 02 16:05:35 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:b7:11:14:77:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
Okt 02 16:05:36 kvm133 kernel: FINAL_REJECT: IN=ibft1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0f:b7:11:18:64:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=576 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=556
--<
So, it is obviously rpfilter that drops it. But if I change the rpfilter setting:
-->
kvm133:~ # grep IPv6_rpfilter /etc/firewalld/firewalld.conf
# IPv6_rpfilter
IPv6_rpfilter=no
--<
I get nasty error messages at firewalld start:
-->
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore: line 2 failed
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 2 failed
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/ebtables -t broute -N BROUTING_direct -P RETURN' failed: Chain BROUTING_direct already exists.
Okt 02 16:11:16 kvm133 audit: NETFILTER_CFG table=filter family=7 entries=2
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: '/usr/sbin/ebtables -t filter -X FORWARD_direct -P RETURN' failed: No extra options allowed with -X.
Okt 02 16:11:16 kvm133 firewalld[3923]: ERROR: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore: line 2 failed
--<
and the session from where I've started firewalld freezes.
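A triage sketch for LogDenied output of the kind shown in this comment, added here as an example and not part of the original bug report: it groups denied packets by log prefix, interface and ports, then picks out the rpfilter_DROP flows whose source port is the iSCSI target port. The sample lines are constructed (documentation addresses, hypothetical host name `host1`), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the kernel LOG format that LogDenied produces
# (documentation addresses, hypothetical host name).
SAMPLE = """\
Oct 02 16:05:30 host1 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:00:00:01:00:00:5e:00:53:01:86:dd SRC=2001:0db8:0000:0001:0000:0000:0000:0045 DST=2001:0db8:0000:0002:0000:0000:0000:0246 LEN=120 TC=0 HOPLIMIT=64 FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK PSH URGP=0
Oct 02 16:05:30 host1 kernel: rpfilter_DROP: IN=ibft0 OUT= MAC=52:54:00:00:00:01:00:00:5e:00:53:01:86:dd SRC=2001:0db8:0000:0001:0000:0000:0000:0045 DST=2001:0db8:0000:0002:0000:0000:0000:0246 LEN=84 TC=0 HOPLIMIT=64 FLOWLBL=222566 PROTO=TCP SPT=3260 DPT=57784 WINDOW=5183 RES=0x00 ACK URGP=0
Oct 02 16:05:31 host1 kernel: FINAL_REJECT: IN=ibft1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:02:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
"""

ISCSI_PORT = 3260  # well-known iSCSI target port
LINE_RE = re.compile(r"kernel: (?P<prefix>\w+): (?P<body>IN=.*)$")


def parse_denied(line):
    """Parse one netfilter LOG line into a dict; None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": []}
    for tok in m.group("body").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec.setdefault(key, val)   # first LEN is the IP length, keep it
        else:
            rec["flags"].append(tok)   # bare tokens are TCP flags (ACK, PSH)
    return rec


def summarize(text):
    """Count denied packets per (prefix, in-interface, proto, sport, dport)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_denied(line)
        if rec:
            counts[(rec["prefix"], rec["IN"], rec.get("PROTO", "?"),
                    int(rec.get("SPT", 0)), int(rec.get("DPT", 0)))] += 1
    return counts


def rpfilter_storage_drops(text):
    """Flows where reverse-path filtering drops replies from an iSCSI target."""
    return {k: n for k, n in summarize(text).items()
            if k[0] == "rpfilter_DROP" and k[3] == ISCSI_PORT}


if __name__ == "__main__":
    for flow, n in rpfilter_storage_drops(SAMPLE).items():
        print(n, flow)
```
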