Description of problem: In a fresh Mageia 9 installation done with the netinstall iso, the firewall is not starting. The follwing can be found in file /var/log/shorewall-init.log: Nov 27 13:23:59 Processing /etc/shorewall/params ... Nov 27 13:23:59 Processing /etc/shorewall/shorewall.conf... Nov 27 13:23:59 Loading Modules... Nov 27 13:23:59 ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system /usr/share/shorewall/helpers (EOF) If I do the installation using the Live Media, it works properly. Some package might be missing during netinstall. Version-Release number of selected component (if applicable): Shorewall 5.2.8-4 The following bug report might be related: https://bugs.mageia.org/show_bug.cgi?id=11127 How reproducible: Always when I use the netinstall iso. I tried it in a physical computer and also in a VirtualBox environment. Steps to Reproduce: 1. Install Mageia 9 using Mageia-9-netinstall-nonfree-x86_64.iso with Plasma desktop in a VirtualBox 2. Open file /var/log/shorewall-init.log 3. See the logs 4. Appart from that, you can install openssh-server and connect to the computer without opening any ports in the firewall.
Thank you for the report.
CC: (none) => lewyssmithComponent: RPM Packages => Installer
continuing... Do not know whether this is down to the installer or the package, assigning for the former. The /var/log/shorewall-init.log extract shown in comment 0 is very definite.
Source RPM: shorewall-5.2.8-4.mga9.src.rpm => shorewall-5.2.8-4.mga9.src.rpm, netinstallCC: lewyssmith => (none)Assignee: bugsquad => mageiatools
I have run the following command as root: /usr/libexec/iptables.init start And afterwards I can start shorewall and it seems to be working properly. Even after restarting the computer, the firewall works, so the above command has to be run only once. This command might be missing from the post installation when using netinstall?
Hello, I have installed MGA9 on ACER Aspire ONE with netinstall. I found the same problem with shorewall. I applied the command /usr/libexec/iptables.init start and it works again.
CC: (none) => guillaume.royer
As both have netinstall, can you provide /root/drakx/report.bug.xz which should be related to your installation phase.
CC: (none) => kernel, yvesbrungardSeverity: normal => major
Created attachment 14194 [details] Requested file report.bug.xz
As this is an installer we try to fix it at least until next Mageia release. That said, I see no reason netinstaller.iso could not be updated for mga9.
CC: (none) => friTarget Milestone: --- => Mageia 10
Maybe this should be added to the Errata while it is fixed.
Keywords: (none) => FOR_ERRATA9
https://wiki.mageia.org/en/Mageia_9_Errata#Firewall
Keywords: FOR_ERRATA9 => IN_ERRATA9
It seems not to be bug in installer as shorewall service fails to start on boot also evert boot.... Iptables seems to be main problem as it complains: ERROR: Your kernel/iptables do not include state match support. No version of Shorewall will run on this system
CC: (none) => ottoleipala1
So the problem appear also when system is installed using classic installer? If so please adjust bug header accordingly, and errata to be adjusted too.
The problem does not appear when using the classic installer on its own. It does appear if you enable additional online media at the start of installation. This indicates the problem stems from an updated package. Looking at the iptables package, the release version (iptables-1.8.9-2.mga9) contains a call to /usr/libexec/iptables.init check in its postinstall scriptlet. That has been removed in the updated version (iptables-1.8.9-2.2.mga9). This is almost certainly the cause of this bug. Reassigning appropriately and CC'ing Marc, who made that change.
CC: (none) => mageia, mageiaAssignee: mageiatools => pkg-bugsComponent: Installer => RPM PackagesTarget Milestone: Mageia 10 => ---Source RPM: shorewall-5.2.8-4.mga9.src.rpm, netinstall => iptables-1.8.9-2.2.mga9
Summary: Firewall not starting when Mageia is installed using the netinstall iso => Firewall not starting when Mageia is installed using online repositories, pulling updated iptables
These commands seems to fix it: /usr/libexec/iptables.init check /usr/libexec/iptables.init start then sudo systemctl start shorewall/shorewall6, no any issues starts fine...
Here is systemctl status when commands up i did and then started shorewall... sudo systemctl status shorewall ● shorewall.service - Shorewall IPv4 firewall Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled; preset: enabled) Active: active (exited) since Wed 2023-12-13 13:09:18 EET; 1h 8min ago Process: 102524 ExecStart=/sbin/shorewall $OPTIONS start $STARTOPTIONS (code=exited, status=0/SUCCESS) Main PID: 102524 (code=exited, status=0/SUCCESS) CPU: 591ms joulu 13 13:09:18 ozky-pc shorewall[102703]: Processing /etc/shorewall/tcclear ... joulu 13 13:09:18 ozky-pc shorewall[102703]: Setting up Route Filtering... joulu 13 13:09:18 ozky-pc shorewall[102703]: Setting up Martian Logging... joulu 13 13:09:18 ozky-pc shorewall[102703]: Setting up Proxy ARP... joulu 13 13:09:18 ozky-pc shorewall[102703]: Preparing iptables-restore input... joulu 13 13:09:18 ozky-pc shorewall[102703]: Running /sbin/iptables-restore --wait 60... joulu 13 13:09:18 ozky-pc shorewall[102703]: Processing /etc/shorewall/start ... joulu 13 13:09:18 ozky-pc shorewall[102703]: Processing /etc/shorewall/started ... joulu 13 13:09:18 ozky-pc shorewall[102703]: done. joulu 13 13:09:18 ozky-pc systemd[1]: Finished shorewall.service.
I have to look into this. /usr/libexec/iptables.init really is an very old init script. This is and should be removed. It should be transformed to systemctl start iptables - this will do the things that needs to be done.
we really should remove these old initscripts barely converted into new systemd units. this is a very odd behaviour.
iptables check does some very wired stuff. And clearly stuff that should be done in postinstall: linking /lib64/iptables.d/xx to /lib64/iptables or setting nat rules.
Yes you so right.... Systemd can do these very much more better... i'm not very pro with initscripts or very deep in systemd.... Only know how to write basic systemd service...
Updated iptables packages to fix an error on new installations: A missing symlink prevented loading of modules for iptables. Due to this bug shorewall did not start anymore. Additonally the reload mechanism of iptables was fixed. Updated packages in core/updates_testing: ======================== lib64ip4tc2-1.8.9-2.3.mga9 lib64iptables-devel-1.8.9-2.3.mga9 lib64ip6tc2-1.8.9-2.3.mga9 lib64ipq0-debuginfo-1.8.9-2.3.mga9 lib64iptables12-1.8.9-2.3.mga9 lib64ip4tc2-debuginfo-1.8.9-2.3.mga9 lib64ip6tc2-debuginfo-1.8.9-2.3.mga9 lib64ip4tc-devel-1.8.9-2.3.mga9 lib64ip6tc-devel-1.8.9-2.3.mga9 iptables-nft-1.8.9-2.3.mga9 lib64ipq0-1.8.9-2.3.mga9 lib64ipq-devel-1.8.9-2.3.mga9 lib64iptables12-debuginfo-1.8.9-2.3.mga9 lib64iptc-devel-1.8.9-2.3.mga9 iptables-1.8.9-2.3.mga9 iptables-debugsource-1.8.9-2.3.mga9 iptables-debuginfo-1.8.9-2.3.mga9 SRPM: iptables-1.8.9-2.3.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Advisory from comment 19 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"
CC: (none) => marja11Keywords: (none) => advisory
(In reply to Marc Krämer from comment #19) > Updated iptables packages to fix an error on new installations: > > A missing symlink prevented loading of modules for iptables. Due to this bug > shorewall did not start anymore. > Additonally the reload mechanism of iptables was fixed. > > > Updated packages in core/updates_testing: > ======================== > lib64ip4tc2-1.8.9-2.3.mga9 > lib64iptables-devel-1.8.9-2.3.mga9 > lib64ip6tc2-1.8.9-2.3.mga9 > lib64ipq0-debuginfo-1.8.9-2.3.mga9 > lib64iptables12-1.8.9-2.3.mga9 > lib64ip4tc2-debuginfo-1.8.9-2.3.mga9 > lib64ip6tc2-debuginfo-1.8.9-2.3.mga9 > lib64ip4tc-devel-1.8.9-2.3.mga9 > lib64ip6tc-devel-1.8.9-2.3.mga9 > iptables-nft-1.8.9-2.3.mga9 > lib64ipq0-1.8.9-2.3.mga9 > lib64ipq-devel-1.8.9-2.3.mga9 > lib64iptables12-debuginfo-1.8.9-2.3.mga9 > lib64iptc-devel-1.8.9-2.3.mga9 > iptables-1.8.9-2.3.mga9 > iptables-debugsource-1.8.9-2.3.mga9 > iptables-debuginfo-1.8.9-2.3.mga9 > > > SRPM: > iptables-1.8.9-2.3.mga9.src.rpm Thanks i did tested it in Virtualbox install of Mageia9 x86_64 and x86....both arch fine,,,, Btw should Cauldron make change some point to port to systemd fully from legacy initscript?
Whiteboard: (none) => MGA9-64-OK MGA9-32-OK
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2023-0146.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED