FS#67309 - [firewalld] Creating a direct rule with the log-prefix opt throws iptables-restore error

Attached to Project: Community Packages
Opened by Erik Nelson (eriknelson) - Friday, 17 July 2020, 16:27 GMT
Last edited by freswa (frederik) - Friday, 17 July 2020, 23:17 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Maxime Gauduin (Alucryd)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:
Creating a direct rule via firewall-cmd with a jump target of LOG and a --log-prefix option throws an error from iptables-restore with "unknown option":

[root@<hostname> ~]# firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -p icmp -s 192.168.100.0/24 -j LOG --log-prefix TEST
Error: COMMAND_FAILED: '/usr/bin/iptables-restore -w -n' failed: iptables-restore v1.8.5 (legacy): unknown option "--log-prefix"
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

The same cmd is accepted and works fine in CentOS8. One notable difference is the iptables-restore reported version:

[Arch]
[root@<hostname> ~]# iptables-restore --version
iptables-restore v1.8.5 (legacy)

[CentOS8]
[root@<hostname> ~]# iptables-restore --version
iptables-restore v1.8.4 (nf_tables)

Additional info:
* package version(s)

# pacman -Q | grep -i iptables
iptables 1:1.8.5-2

Steps to reproduce:
Attempt to run the above command; it errors out and fails to be created.

Closed by freswa (frederik)
Friday, 17 July 2020, 23:17 GMT
Reason for closing: Not a bug
Additional comments about closing: "Not sure what changed about my environment, but a reboot resolved this issue."
Comment by Erik Nelson (eriknelson) - Friday, 17 July 2020, 16:51 GMT
It actually doesn't look like the LOG extension has been loaded by iptables?

[root@<hostname> ~]# iptables -A FORWARD -p icmp -j LOG
iptables v1.8.5 (legacy): Couldn't load target `LOG':No such file or directory

Is this expected?
Comment by Erik Nelson (eriknelson) - Friday, 17 July 2020, 16:58 GMT
If this is helpful as well, the log related nf mods appear to be loaded:

[root@<hostname> ~]# lsmod | grep nf_log
nf_log_ipv6 16384 0
nf_log_ipv4 16384 0
nf_log_common 16384 2 nf_log_ipv4,nf_log_ipv6
Comment by Erik Nelson (eriknelson) - Friday, 17 July 2020, 18:43 GMT
If this is helpful as well, the log related nf mods appear to be loaded:

[root@<hostname> ~]# lsmod | grep nf_log
nf_log_ipv6 16384 0
nf_log_ipv4 16384 0
nf_log_common 16384 2 nf_log_ipv4,nf_log_ipv6