|
 |
136e2c |
From 5c873d88bceaf3bbaf2d781a812cbc4415c8b26a Mon Sep 17 00:00:00 2001
|
|
|
136e2c |
From: Eric Garver <eric@garver.life>
|
|
|
136e2c |
Date: Wed, 30 Oct 2019 08:24:46 -0400
|
|
|
136e2c |
Subject: [PATCH 115/122] fix: failure to load modules no longer fatal
|
|
|
136e2c |
|
|
|
136e2c |
There are many cases in which module loading may fail:
|
|
|
136e2c |
- builtin modules, but corrupt/missing modules.builtin database
|
|
|
136e2c |
- CONFIG_MODULES=n
|
|
|
136e2c |
- inside unprivileged container
|
|
|
136e2c |
|
|
|
136e2c |
Unfortunately, we have no way to detect these scenarios. The only thing
|
|
|
136e2c |
we can do is attempt to load the module and hope for the best.
|
|
|
136e2c |
|
|
|
136e2c |
Fixes: #430
|
|
|
136e2c |
Fixes: #519
|
|
|
136e2c |
(cherry picked from commit 88e76ddfed6fe348975bfea9002da0e4627c6e25)
|
|
|
136e2c |
(cherry picked from commit 407af3a6d2f5f0ca6e8a354a8cbfdb3228ad04bf)
|
|
|
136e2c |
---
|
|
|
136e2c |
src/firewall/core/fw.py | 17 +++++++++--------
|
|
|
136e2c |
src/firewall/core/fw_transaction.py | 13 ++++++++-----
|
|
|
136e2c |
src/tests/functions.at | 1 +
|
|
|
136e2c |
3 files changed, 18 insertions(+), 13 deletions(-)
|
|
|
136e2c |
|
|
|
136e2c |
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
|
|
|
136e2c |
index 3e639f83d1f4..2c4325966a19 100644
|
|
|
136e2c |
--- a/src/firewall/core/fw.py
|
|
|
136e2c |
+++ b/src/firewall/core/fw.py
|
|
|
136e2c |
@@ -385,10 +385,9 @@ class Firewall(object):
|
|
|
136e2c |
#
|
|
|
136e2c |
# NOTE: must force loading of nf_conntrack to make sure the values are
|
|
|
136e2c |
# available in /proc
|
|
|
136e2c |
- module_return = self.handle_modules(["nf_conntrack"], True)
|
|
|
136e2c |
- if module_return:
|
|
|
136e2c |
- log.error("Failed to load nf_conntrack module: %s" % module_return[1])
|
|
|
136e2c |
- sys.exit(1)
|
|
|
136e2c |
+ (status, msg) = self.handle_modules(["nf_conntrack"], True)
|
|
|
136e2c |
+ if status != 0:
|
|
|
136e2c |
+ log.warning("Failed to load nf_conntrack module: %s" % msg)
|
|
|
136e2c |
if self._automatic_helpers != "system":
|
|
|
136e2c |
functions.set_nf_conntrack_helper_setting(self._automatic_helpers == "yes")
|
|
|
136e2c |
self.nf_conntrack_helper_setting = \
|
|
|
136e2c |
@@ -664,6 +663,8 @@ class Firewall(object):
|
|
|
136e2c |
# handle modules
|
|
|
136e2c |
|
|
|
136e2c |
def handle_modules(self, _modules, enable):
|
|
|
136e2c |
+ num_failed = 0
|
|
|
136e2c |
+ error_msgs = ""
|
|
|
136e2c |
for i,module in enumerate(_modules):
|
|
|
136e2c |
if enable:
|
|
|
136e2c |
(status, msg) = self.modules_backend.load_module(module)
|
|
|
136e2c |
@@ -673,9 +674,9 @@ class Firewall(object):
|
|
|
136e2c |
else:
|
|
|
136e2c |
(status, msg) = self.modules_backend.unload_module(module)
|
|
|
136e2c |
if status != 0:
|
|
|
136e2c |
- if enable:
|
|
|
136e2c |
- return (_modules[:i], msg) # cleanup modules and error msg
|
|
|
136e2c |
- # else: ignore cleanup
|
|
|
136e2c |
+ num_failed += 1
|
|
|
136e2c |
+ error_msgs += msg
|
|
|
136e2c |
+ continue
|
|
|
136e2c |
|
|
|
136e2c |
if enable:
|
|
|
136e2c |
self._module_refcount.setdefault(module, 0)
|
|
|
136e2c |
@@ -685,7 +686,7 @@ class Firewall(object):
|
|
|
136e2c |
self._module_refcount[module] -= 1
|
|
|
136e2c |
if self._module_refcount[module] == 0:
|
|
|
136e2c |
del self._module_refcount[module]
|
|
|
136e2c |
- return None
|
|
|
136e2c |
+ return (num_failed, error_msgs)
|
|
|
136e2c |
|
|
|
136e2c |
def _select_firewall_backend(self, backend):
|
|
|
136e2c |
if backend != "nftables":
|
|
|
136e2c |
diff --git a/src/firewall/core/fw_transaction.py b/src/firewall/core/fw_transaction.py
|
|
|
136e2c |
index ad204c1991cf..d5d3e858b6dd 100644
|
|
|
136e2c |
--- a/src/firewall/core/fw_transaction.py
|
|
|
136e2c |
+++ b/src/firewall/core/fw_transaction.py
|
|
|
136e2c |
@@ -113,11 +113,14 @@ class SimpleFirewallTransaction(object):
|
|
|
136e2c |
if not error:
|
|
|
136e2c |
module_return = self.fw.handle_modules(modules, enable)
|
|
|
136e2c |
if module_return:
|
|
|
136e2c |
- (cleanup_modules, msg) = module_return
|
|
|
136e2c |
- if cleanup_modules is not None:
|
|
|
136e2c |
- error = True
|
|
|
136e2c |
- errorMsg = msg
|
|
|
136e2c |
- self.fw.handle_modules(cleanup_modules, not enable)
|
|
|
136e2c |
+ # Debug log about issues loading modules, but don't error. The
|
|
|
136e2c |
+ # modules may be builtin or CONFIG_MODULES=n, in which case
|
|
|
136e2c |
+ # modprobe will fail. Or we may be running inside a container
|
|
|
136e2c |
+ # that doesn't have sufficient privileges. Unfortunately there
|
|
|
136e2c |
+ # is no way for us to know.
|
|
|
136e2c |
+ (status, msg) = module_return
|
|
|
136e2c |
+ if status:
|
|
|
136e2c |
+ log.debug1(msg)
|
|
|
136e2c |
|
|
|
136e2c |
# error case: revert rules
|
|
|
136e2c |
if error:
|
|
|
136e2c |
diff --git a/src/tests/functions.at b/src/tests/functions.at
|
|
|
136e2c |
index 209f0f5d2ea9..17ca6c9fc052 100644
|
|
|
136e2c |
--- a/src/tests/functions.at
|
|
|
136e2c |
+++ b/src/tests/functions.at
|
|
|
136e2c |
@@ -143,6 +143,7 @@ m4_define([FWD_END_TEST], [
|
|
|
136e2c |
IF_IPV6_SUPPORTED([], [
|
|
|
136e2c |
sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
|
|
|
136e2c |
])
|
|
|
136e2c |
+ sed -i "/modprobe: ERROR:/d" ./firewalld.log
|
|
|
136e2c |
if test x"$1" != x"ignore"; then
|
|
|
136e2c |
if test -n "$1"; then
|
|
|
136e2c |
sed -i $1 ./firewalld.log
|
|
|
136e2c |
--
|
|
|
136e2c |
2.23.0
|
|
|
136e2c |
|