Public bug reported:

firewalld from Ubuntu 18.04 LTS sometimes attempts to use the `--wait` option to iptables-restore, which is only valid on iptables 1.8.x and newer and not on 1.6.1, as bundled with bionic. (At least according to the man page; the comments in the firewalld code imply that it was supported on an older version, but that might be with Fedora patches.)

This seems to originate from firewalld-0.4.4.6/src/firewall/core/ipXtables.py, line 337. If this runs, firewalld fails to create the rules when starting, resulting in either no rules loaded, or the policies loaded without any rules, which blocks SSH. It is not clear when this gets triggered: with several servers deployed with the same Ansible script, some have this issue, some work fine.

The unit file was overwritten as per this to get it to start in the first place: https://github.com/firewalld/firewalld/issues/414

The warning that accompanies the failed rule loading is:

```
WARNING: '/sbin/iptables-restore --wait=2 -n' failed: /sbin/iptables-restore: unrecognized option '--wait=2'#012iptables-restore: line 93 failed
```

iptables version: 1.6.1-2ubuntu2
firewalld version: 0.4.4.6-1

** Affects: firewalld (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1835188
Title: firewalld attempts to use parameter that requires a newer iptables version
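The two things an operator wants from this report are a way to tell whether the installed iptables-restore accepts `--wait` before a rule load depends on it, and a way to spot the quoted warning in logs on hosts where the load already failed silently (leaving policies without rules, as the reporter describes). The following is an added example, not code from the bug report or from the firewalld project: it parses the `iptables --version` banner, builds the iptables-restore command line with `--wait` only when the version threshold is met, and matches the reported warning in a syslog/journal line. The `1.8.0` threshold is taken from the report's statement and is a tunable assumption; the sample version banners are constructed, and the sample warning is the one quoted above.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Lowest iptables version treated as accepting `iptables-restore --wait`.
# Taken from the report (1.8.x); assumption, adjust if your distro backported it.
MIN_WAIT_VERSION: Tuple[int, int, int] = (1, 8, 0)

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_iptables_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an `iptables --version` banner such as
    'iptables v1.6.1' or 'iptables v1.8.4 (legacy)'. Returns None if no version found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def supports_restore_wait(banner: str) -> bool:
    """True when the parsed version meets MIN_WAIT_VERSION."""
    ver = parse_iptables_version(banner)
    return ver is not None and ver >= MIN_WAIT_VERSION


def restore_argv(banner: str, wait_seconds: int = 2,
                 binary: str = "/sbin/iptables-restore") -> List[str]:
    """Build the iptables-restore argv, adding --wait only when the installed
    version accepts it; this is the guard firewalld 0.4.4.6 lacked at the
    call site named in the report. '-n' keeps existing rules, as in the
    reported command line."""
    argv = [binary]
    if supports_restore_wait(banner):
        argv.append(f"--wait={wait_seconds}")
    argv.append("-n")
    return argv


# The failing command is logged on one line; rsyslog encodes the embedded
# newline as '#012', so a plain substring match on the option error suffices.
_UNRECOGNIZED_WAIT_RE = re.compile(r"iptables-restore: unrecognized option '--wait")


def is_wait_failure(log_line: str) -> bool:
    """Detect the warning from the report in a journal/syslog line."""
    return bool(_UNRECOGNIZED_WAIT_RE.search(log_line))


def detect_live() -> Optional[bool]:
    """Query the iptables actually installed on this host (None if absent).
    Runs `iptables --version`, which needs no privileges."""
    try:
        out = subprocess.run(["iptables", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    return supports_restore_wait(out)


# Constructed sample banners (not captured from real hosts); the warning text
# is the one quoted in the bug report.
SAMPLE_BIONIC = "iptables v1.6.1"
SAMPLE_FOCAL = "iptables v1.8.4 (legacy)"
SAMPLE_WARNING = ("WARNING: '/sbin/iptables-restore --wait=2 -n' failed: "
                  "/sbin/iptables-restore: unrecognized option '--wait=2'#012"
                  "iptables-restore: line 93 failed")

if __name__ == "__main__":
    for banner in (SAMPLE_BIONIC, SAMPLE_FOCAL):
        print(f"{banner!r} -> {' '.join(restore_argv(banner))}")
    print("reported warning detected:", is_wait_failure(SAMPLE_WARNING))
    print("this host supports --wait:", detect_live())
```

Run `is_wait_failure` over `journalctl -u firewalld` output on a fleet to find the hosts whose rule load failed, rather than relying on whether SSH still works; `detect_live` gives the same answer ahead of time on a host where firewalld has not yet been started.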