Linux firewall failure on CentOS 7: "Error: INVALID_ZONE"

Notice: this article is the blogger's original work and may not be reproduced without the blogger's permission. https://blog.csdn.net/baidu_39459954/article/details/90641191

System version

CentOS Linux release 7.1.1503 (Core)

Symptoms

[root@server1 ~]$firewall-cmd --list-all
Error: INVALID_ZONE
[root@server1 ~]$systemctl status firewalld.service 
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: active (running) since 一 2019-05-27 14:33:00 CST; 23h ago
 Main PID: 5483 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─5483 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

5月 27 14:33:00 server1 systemd[1]: Started firewalld - dynamic firewall daemon.
5月 27 14:33:00 server1 firewalld[5483]: 2019-05-27 14:33:00 ERROR: INVALID_ZONE
5月 27 14:33:31 server1 firewalld[5483]: 2019-05-27 14:33:31 ERROR: INVALID_ZONE
5月 28 13:49:53 server1 firewalld[5483]: 2019-05-28 13:49:53 ERROR: INVALID_ZONE
[root@server1 ~]$

System log

May 28 13:54:21 server1 systemd: Stopping firewalld - dynamic firewall daemon...
May 28 13:54:22 server1 kernel: Ebtables v2.0 unregistered
May 28 13:54:23 server1 systemd: Starting firewalld - dynamic firewall daemon...
May 28 13:54:23 server1 kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
May 28 13:54:23 server1 kernel: nf_conntrack version 0.5.0 (16384 buckets, 65536 max)
May 28 13:54:23 server1 journal: 内部错误:Failed to apply firewall rules /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' --destination 192.168.122.0/24 --jump MASQUERADE: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 28 13:54:23 server1 kernel: ip6_tables: (C) 2000-2006 Netfilter Core Team
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp-server' already exists with uuid f13e537b-f769-4a3d-8929-7e7ae01414ba
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp' already exists with uuid a89b87e5-1f29-49d3-9ef0-da6d0952349b
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-incoming-ipv4' already exists with uuid ee2eb2be-8ee5-41e4-9c6f-007cc2835fb6
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-ipv4' already exists with uuid 74dd230c-3006-4cf5-9c40-70cdd62702de
May 28 13:54:23 server1 journal: 操作失败: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-ip-spoofing' already exists with uuid 36c17e60-b2e0-4a19-8344-b61ae5739635
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
May 28 13:54:23 server1 kernel: Ebtables v2.0 registered
May 28 13:54:23 server1 systemd: Started firewalld - dynamic firewall daemon.
May 28 13:54:23 server1 firewalld: 2019-05-28 13:54:23 ERROR: INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn>  (eno49) firewall zone add/change failed [3]: (32) INVALID_ZONE
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-arp' already exists with uuid 8e3d7588-5a51-400a-aa02-406c025fafcb
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp-server' already exists with uuid f13e537b-f769-4a3d-8929-7e7ae01414ba
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-dhcp' already exists with uuid a89b87e5-1f29-49d3-9ef0-da6d0952349b
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-incoming-ipv4' already exists with uuid ee2eb2be-8ee5-41e4-9c6f-007cc2835fb6
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-ipv4' already exists with uuid 74dd230c-3006-4cf5-9c40-70cdd62702de
May 28 13:54:23 server1 journal: 操作失败: filter 'clean-traffic' already exists with uuid ba2c8d7c-27f2-4b44-b3a9-5e5851cb90ed
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-ip-spoofing' already exists with uuid 36c17e60-b2e0-4a19-8344-b61ae5739635
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
May 28 13:54:23 server1 journal: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
May 28 13:54:23 server1 journal: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
May 28 13:54:23 server1 journal: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
May 28 13:54:23 server1 journal: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
May 28 13:54:23 server1 journal: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059

Analysis

The log shows that the firewall and the virtualization daemon libvirtd are in conflict: the two are not compatible with each other.

[root@server1 ~]$systemctl status libvirtd.service
libvirtd.service - Virtualization daemon
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled)
   Active: active (running) since 五 2019-05-17 16:22:49 CST; 1 weeks 3 days ago
     Docs: man:libvirtd(8)
           http://libvirt.org
 Main PID: 1362 (libvirtd)
   CGroup: /system.slice/libvirtd.service
           ├─1362 /usr/sbin/libvirtd
           ├─2822 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper
           └─2825 /sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --dhcp-script=/usr/libexec/libvirt_leaseshelper

5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-arp-mac-spoofing' already exists with uuid f84b220b-4643-4450-9116-5026f9d79afc
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-arp-spoofing' already exists with uuid 283f1d74-61c9-4623-96bb-6bedafd2fc2a
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-ip-multicast' already exists with uuid e865464b-654e-464d-bca0-e6a75f720b86
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-ip-spoofing' already exists with uuid 79fc2362-ecb9-426d-b3a7-960ac09d6f96
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-mac-broadcast' already exists with uuid 6efd1551-bb70-47d5-b67b-5febb91b86d2
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-mac-spoofing' already exists with uuid a811bddf-93ab-47a9-8f71-8f0c4743d8c4
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-other-l2-traffic' already exists with uuid 708b6be3-9969-473a-ad74-bcb04a2363f9
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'no-other-rarp-traffic' already exists with uuid a8f74bd4-2fa9-41e1-b5cc-8a0261e3ccef
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'qemu-announce-self-rarp' already exists with uuid fbde1af2-d719-4eff-be5a-f335d910081a
5月 28 13:54:23 server1 libvirtd[1362]: 操作失败: filter 'qemu-announce-self' already exists with uuid 8d9fe3a3-e5c7-45f0-a985-c8266af3b059
[root@server1 ~]$

Related software versions

[root@server1 network-scripts]$rpm -q libvirt firewalld NetworkManager
libvirt-1.2.8-16.el7.x86_64
firewalld-0.3.9-11.el7.noarch
NetworkManager-1.0.0-14.git20150121.b4ea599c.el7.x86_64
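The three indicators that point at this conflict are all visible in the log above: firewalld's own "ERROR: INVALID_ZONE", the iptables call that failed because "Another app is currently holding the xtables lock", and the run of libvirt nwfilter "already exists with uuid" messages. The following triage script is an added example, not code from the original post: it counts those three indicators in journal text and prints a verdict. The function names are this example's own, and the sample log is constructed after the page's excerpt with made-up timestamps and uuids.

```shell
#!/bin/sh
# Added example (not from the original post): triage journal lines for the
# firewalld/libvirtd conflict signature. Sample log is constructed, not captured.

# sample_log: constructed lines modelled on the page's /var/log/messages excerpt.
sample_log() {
cat <<'EOF'
May 28 13:54:23 server1 systemd: Starting firewalld - dynamic firewall daemon...
May 28 13:54:23 server1 journal: 内部错误:Failed to apply firewall rules /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.122.0/24 '!' --destination 192.168.122.0/24 --jump MASQUERADE: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
May 28 13:54:23 server1 journal: 操作失败: filter 'allow-arp' already exists with uuid 00000000-0000-4000-8000-000000000001
May 28 13:54:23 server1 journal: 操作失败: filter 'clean-traffic' already exists with uuid 00000000-0000-4000-8000-000000000002
May 28 13:54:23 server1 systemd: Started firewalld - dynamic firewall daemon.
May 28 13:54:23 server1 firewalld: 2019-05-28 13:54:23 ERROR: INVALID_ZONE
May 28 13:54:23 server1 NetworkManager[985]: <warn>  (eno49) firewall zone add/change failed [3]: (32) INVALID_ZONE
EOF
}

# healthy_log: a constructed excerpt with no firewall errors, for comparison.
healthy_log() {
cat <<'EOF'
May 28 14:01:02 server1 systemd: Started firewalld - dynamic firewall daemon.
May 28 14:01:05 server1 sshd[2311]: Accepted publickey for admin from 10.0.0.5 port 50210 ssh2
EOF
}

# triage_firewalld_log: read journal lines on stdin, count the three indicators
# and print one line: <verdict> invalid_zone=N xtables_lock=N nwfilter_duplicates=N
triage_firewalld_log() {
    log=$(cat)
    # grep -c prints 0 and exits 1 on no match; "|| true" keeps set -e callers alive
    invalid_zone=$(printf '%s\n' "$log" | grep -c 'INVALID_ZONE' || true)
    xtables_lock=$(printf '%s\n' "$log" | grep -c 'holding the xtables lock' || true)
    nwfilter_dup=$(printf '%s\n' "$log" | grep -c "filter '[^']*' already exists with uuid" || true)
    if [ "$invalid_zone" -gt 0 ] && { [ "$xtables_lock" -gt 0 ] || [ "$nwfilter_dup" -gt 0 ]; }; then
        verdict=firewalld-libvirt-conflict   # firewalld lost the xtables lock and/or libvirt nwfilters collide
    elif [ "$invalid_zone" -gt 0 ]; then
        verdict=invalid-zone-other-cause     # INVALID_ZONE without libvirt noise: check the zone config itself
    else
        verdict=no-invalid-zone
    fi
    printf '%s invalid_zone=%s xtables_lock=%s nwfilter_duplicates=%s\n' \
        "$verdict" "$invalid_zone" "$xtables_lock" "$nwfilter_dup"
}

# live_triage: on a real host, feed this boot's firewalld/libvirtd/NetworkManager
# journal into the triage; elsewhere fall back to the constructed sample.
live_triage() {
    if command -v journalctl >/dev/null 2>&1; then
        journalctl -b -u firewalld -u libvirtd -u NetworkManager --no-pager 2>/dev/null | triage_firewalld_log
    else
        sample_log | triage_firewalld_log
    fi
}

sample_log | triage_firewalld_log    # -> firewalld-libvirt-conflict invalid_zone=2 xtables_lock=1 nwfilter_duplicates=2
healthy_log | triage_firewalld_log   # -> no-invalid-zone invalid_zone=0 xtables_lock=0 nwfilter_duplicates=0
```

Run `live_triage` on the affected host to get the same verdict from the real journal. A result of "invalid-zone-other-cause" means the libvirt indicators are absent and the zone configuration itself should be inspected before touching libvirtd.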

Solution

The developers have fixed this firewalld compatibility problem in newer releases, so upgrading to a newer version of libvirt is recommended.
If the virtualization service is not needed, you can stop it and restart firewalld; the firewall returns to normal after the restart.

systemctl stop libvirtd.service
systemctl restart firewalld.service

Optional configuration

[root@server1 ~]$firewall-cmd --permanent --zone=internal --change-interface=virbr0
success
[root@server1 ~]$firewall-cmd --permanent --zone=internal --add-source="192.168.122.0/24"
success
[root@server1 ~]$firewall-cmd --reload 
success
[root@server1 ~]$firewall-cmd --permanent --zone=internal --list-all 
internal (active)
  interfaces: virbr0
  sources: 192.168.122.0/24
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
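The optional steps above are written as a one-off session. As an added example (not part of the original post), here is an idempotent form of the same configuration: plan_zone_changes is a pure function that computes which of the three steps (change-interface, add-source, reload) are still missing from a given current state, so it can be checked offline; apply_zone_changes queries the live host and runs only the missing steps. The function names are this example's own; the firewall-cmd options used are the ones on the page plus --get-zone-of-interface and --list-sources.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent zone assignment for virbr0.

# plan_zone_changes ZONE IFACE SOURCE CURRENT_IFACE_ZONE CURRENT_ZONE_SOURCES
# Prints the steps still needed, one per line, in the order they must run.
plan_zone_changes() {
    zone=$1; iface=$2; src=$3; cur_zone=$4; cur_sources=$5
    need_reload=0
    if [ "$cur_zone" != "$zone" ]; then
        echo change-interface
        need_reload=1
    fi
    case " $cur_sources " in
        *" $src "*) ;;                        # source already bound to the zone
        *) echo add-source; need_reload=1 ;;
    esac
    if [ "$need_reload" -eq 1 ]; then
        echo reload                           # permanent changes only take effect after --reload
    fi
}

# Live queries of the runtime state (identical to the permanent config once reloaded).
# "no zone" or empty output simply does not match and therefore counts as unconfigured.
current_iface_zone()   { firewall-cmd --get-zone-of-interface="$1" 2>/dev/null || true; }
current_zone_sources() { firewall-cmd --zone="$1" --list-sources 2>/dev/null || true; }

# apply_zone_changes ZONE IFACE SOURCE: run only the missing steps, then print the
# resulting zone so the services it opens towards the guest subnet get reviewed.
apply_zone_changes() {
    zone=$1; iface=$2; src=$3
    plan=$(plan_zone_changes "$zone" "$iface" "$src" \
        "$(current_iface_zone "$iface")" "$(current_zone_sources "$zone")")
    if [ -z "$plan" ]; then
        echo "zone $zone already has interface $iface and source $src"
        return 0
    fi
    for step in $plan; do
        case $step in
            change-interface) firewall-cmd --permanent --zone="$zone" --change-interface="$iface" ;;
            add-source)       firewall-cmd --permanent --zone="$zone" --add-source="$src" ;;
            reload)           firewall-cmd --reload ;;
        esac
    done
    firewall-cmd --zone="$zone" --list-all
}

# Offline demonstration with a constructed current state: virbr0 is in no zone and
# the zone has no sources yet, so all three steps are planned.
plan_zone_changes internal virbr0 192.168.122.0/24 "no zone" ""
```

On the host itself run `apply_zone_changes internal virbr0 192.168.122.0/24`. The closing --list-all is deliberate: as the output above shows, the internal zone on this CentOS 7 release already allows dhcpv6-client, ipp-client, mdns, samba-client and ssh, and binding the 192.168.122.0/24 guest network to it exposes those services to every guest, so the service list should be trimmed if the guests do not need them.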
