IT/TFTP firewalld part broken #101

Open
bviktor opened this issue Oct 19, 2022 · 10 comments
Comments

bviktor commented Oct 19, 2022

Once you try to enable the tftp service:

# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.4 (legacy): unknown option "--helper"
Error occurred at line: 30
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.

Works fine in a Hyper-V VM. Tried to diff the packages, and installed all in the Docker instance, still no success. Then dug deeper, and realized that the tftp.xml service is:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>TFTP</short>
  <description>The Trivial File Transfer Protocol (TFTP) is a protocol used to transfer files to and from a remote machine in a simple way. It is normally used only for booting diskless workstations and also to transfer data in the Preboot eXecution Environment (PXE).</description>
  <port protocol="udp" port="69"/>
  <helper name="tftp"/>
</service>

Yepp, it calls a "helper". Sooo, let's check that, too:

<?xml version="1.0" encoding="utf-8"?>
<helper module="nf_conntrack_tftp">
  <port protocol="udp" port="69"/>
</helper>

Duh. Tried to mess around with those, too.

https://bugzilla.redhat.com/show_bug.cgi?id=1817205
https://bugzilla.redhat.com/show_bug.cgi?id=1836571
https://firewalld.org/documentation/helper/
https://firewalld.org/2016/10/automatic-helper-assignment
https://www.cyberphoton.com/tftp-server-in-rhel7/

Setting AutomaticHelpers to any value won't help either. Checked the sysctl values, it's 0 in both Docker and Hyper-V.

Then stumbled upon this:

firewalld/firewalld#263

Kernel modules, dude! The Hyper-V instance actually has the nf_conntrack_tftp module loaded, while the Docker container doesn't have modules at all. Oof.

bviktor commented Oct 20, 2022

microsoft/WSL#8149

# cat /proc/config.gz | gunzip | grep -i conntrack
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_MARK=y
# CONFIG_NF_CONNTRACK_SECMARK is not set
# CONFIG_NF_CONNTRACK_ZONES is not set
# CONFIG_NF_CONNTRACK_PROCFS is not set
CONFIG_NF_CONNTRACK_EVENTS=y
# CONFIG_NF_CONNTRACK_TIMEOUT is not set
# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
# CONFIG_NF_CONNTRACK_LABELS is not set
CONFIG_NF_CONNTRACK_AMANDA=y
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_H323=y
CONFIG_NF_CONNTRACK_IRC=y
CONFIG_NF_CONNTRACK_BROADCAST=y
CONFIG_NF_CONNTRACK_NETBIOS_NS=y
# CONFIG_NF_CONNTRACK_SNMP is not set
CONFIG_NF_CONNTRACK_PPTP=y
CONFIG_NF_CONNTRACK_SANE=y
CONFIG_NF_CONNTRACK_SIP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
# CONFIG_NF_CONNTRACK_BRIDGE is not set

It is there! But maybe firewalld is trying to force the issue and not work if the module is not loaded as a module or something...

bviktor commented Oct 20, 2022

https://unix.stackexchange.com/a/672846/88217

Will try to load it, but... why does it work on 18.04? Or Rocky?

bviktor commented Oct 20, 2022

18.04 service:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>TFTP</short>
  <description>The Trivial File Transfer Protocol (TFTP) is a protocol used to transfer files to and from a remote machine in s simple way. It is normally used only for booting diskless workstations and also to transfer data in the Preboot eXecution Environment (PXE).</description>
  <port protocol="udp" port="69"/>
  <module name="nf_conntrack_tftp"/>
</service>

Helper:

<?xml version="1.0" encoding="utf-8"?>
<helper module="nf_conntrack_tftp">
  <port protocol="udp" port="69"/>
</helper>

bviktor commented Oct 20, 2022

Repro:

apt -y install firewalld
systemctl start firewalld
# create a permanent service definition named tftp
firewall-cmd --permanent --new-service tftp
firewall-cmd --reload
# add the tftp service to the default zone; the second reload is where the ip6tables-restore error shows up
firewall-cmd --permanent --add-service=tftp
firewall-cmd --reload

bviktor commented Oct 20, 2022

Changing the service xml to the 18.04 one won't help. Neither does adding conntrack to the modules-load list.

bviktor commented Oct 20, 2022

bviktor commented Oct 20, 2022

Tried to fake the existence of those modules as explained in the issues above, still no joy.

The only workaround that worked so far is this (firewalld.conf):

IPv6_rpfilter=no
FirewallBackend=nftables

bviktor commented Oct 20, 2022

NFT also depends on some kernel modules:

https://forums.gentoo.org/viewtopic-p-8667582.html?sid=a137f7b606e5a61773a02240096a6703

But it's still weird it only errors out if IPv6 is enabled. Also set IndividualCalls=yes for easier debugging.

bviktor commented Oct 20, 2022

If nothing new comes up, I'll have to set those 2 options if in a Docker environment.

Would be great if I could get those "fake" module loads to work, but no success so far.

bviktor commented Oct 23, 2022

Actually, nevermind, still broken on 22.04.

So the process might be similar:

  • install 22.04 VM
  • see if it works there (I assume it will)
  • check list of packages, install anything missing
  • check the list of modules loaded, then check if they're present in the WSL kernel, enable anything missing

Don't forget that the default backend on 22.04 is now nftables instead of iptables, so that might also affect things.

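The checks the thread walks through by hand (the tftp service -> helper -> nf_conntrack_tftp module chain in the first comment, and the "check the kernel config, check loaded modules, check the backend" list in the last comment) can be scripted. The following is an added example and is not code from the issue, from firewalld or from the WSL project. The function names (kconfig_state, conf_get, module_visible, helper_verdict, diagnose) and the sample config and firewalld.conf text are assumptions constructed for the example so it runs offline; when /proc/config.gz and /etc/firewalld/firewalld.conf are readable it inspects the live system instead.

```shell
#!/bin/sh
# Added example (not from the issue or firewalld): answer the three questions a
# practitioner checks before blaming firewalld in a WSL/Docker kernel:
#   1. Is CONFIG_NF_CONNTRACK_TFTP built in (=y), a module (=m), or missing?
#   2. Is nf_conntrack_tftp visible under /sys/module (loaded, or built in with
#      parameters)?
#   3. Which FirewallBackend / IPv6_rpfilter values does firewalld.conf set?
# All helper names below are assumptions made for this example.

# kconfig_state OPTION CONFIG_TEXT -> builtin | module | unset | absent
kconfig_state() {
    opt="$1"; cfg="$2"
    if printf '%s\n' "$cfg" | grep -q "^${opt}=y\$"; then echo builtin
    elif printf '%s\n' "$cfg" | grep -q "^${opt}=m\$"; then echo module
    elif printf '%s\n' "$cfg" | grep -q "^# ${opt} is not set\$"; then echo unset
    else echo absent
    fi
}

# conf_get KEY CONF_TEXT -> value of the last uncommented KEY=value line, or empty
conf_get() {
    key="$1"; conf="$2"
    printf '%s\n' "$conf" | sed -n "s/^${key}=//p" | tail -n 1
}

# module_visible NAME [SYSFS_MODULE_ROOT] -> exit 0 if /sys/module/NAME exists
module_visible() {
    name="$1"; root="${2:-/sys/module}"
    [ -d "$root/$name" ]
}

# helper_verdict KCONFIG_STATE VISIBLE(yes|no) -> usable | loadable | unavailable
#   usable      - compiled in, or the module is present in sysfs
#   loadable    - compiled as a module but not loaded (try: modprobe nf_conntrack_tftp)
#   unavailable - this kernel has no tftp conntrack helper at all
helper_verdict() {
    state="$1"; visible="$2"
    case "$state:$visible" in
        builtin:*|*:yes) echo usable ;;
        module:no)       echo loadable ;;
        *)               echo unavailable ;;
    esac
}

# diagnose CONFIG_TEXT FIREWALLD_CONF_TEXT SYSFS_MODULE_ROOT -> human-readable report
diagnose() {
    cfg="$1"; fwconf="$2"; sysroot="$3"
    state=$(kconfig_state CONFIG_NF_CONNTRACK_TFTP "$cfg")
    if module_visible nf_conntrack_tftp "$sysroot"; then vis=yes; else vis=no; fi
    echo "CONFIG_NF_CONNTRACK_TFTP:   $state"
    echo "nf_conntrack_tftp in sysfs: $vis"
    echo "FirewallBackend:            $(conf_get FirewallBackend "$fwconf")"
    echo "IPv6_rpfilter:              $(conf_get IPv6_rpfilter "$fwconf")"
    echo "helper verdict:             $(helper_verdict "$state" "$vis")"
}

# Constructed sample inputs (modelled on the kernel config excerpt and the
# firewalld.conf workaround quoted in the thread; not copied from a real system).
SAMPLE_CONFIG='CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_TFTP=y
# CONFIG_NF_CONNTRACK_SNMP is not set'

SAMPLE_FIREWALLD_CONF='# constructed /etc/firewalld/firewalld.conf excerpt
IPv6_rpfilter=no
FirewallBackend=nftables'

# Inspect the live system when possible, otherwise demonstrate on the samples.
if [ -r /proc/config.gz ] && [ -r /etc/firewalld/firewalld.conf ]; then
    diagnose "$(gzip -dc /proc/config.gz)" "$(cat /etc/firewalld/firewalld.conf)" /sys/module
else
    diagnose "$SAMPLE_CONFIG" "$SAMPLE_FIREWALLD_CONF" /nonexistent/sys/module
fi
```

Note that a "usable" verdict only says the helper exists in the kernel; as the thread shows, firewalld with the iptables backend can still fail on the IPv6 `--helper` option, so the FirewallBackend line is the other half of the picture.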
@bviktor bviktor reopened this Oct 23, 2022