Description
Once you try to enable the tftp service:
# firewall-cmd --reload
Error: COMMAND_FAILED: '/usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.4 (legacy): unknown option "--helper"
Error occurred at line: 30
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
Works fine in a Hyper-V VM. Tried to diff the packages, and installed all in the Docker instance, still no success. Then dug deeper, and realized that the tftp.xml service is:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>TFTP</short>
<description>The Trivial File Transfer Protocol (TFTP) is a protocol used to transfer files to and from a remote machine in a simple way. It is normally used only for booting diskless workstations and also to transfer data in the Preboot eXecution Environment (PXE).</description>
<port protocol="udp" port="69"/>
<helper name="tftp"/>
</service>
Yepp, it calls a "helper". Sooo, let's check that, too:
<?xml version="1.0" encoding="utf-8"?>
<helper module="nf_conntrack_tftp">
<port protocol="udp" port="69"/>
</helper>
Duh. Tried to mess around with those, too.
https://bugzilla.redhat.com/show_bug.cgi?id=1817205
https://bugzilla.redhat.com/show_bug.cgi?id=1836571
https://firewalld.org/documentation/helper/
https://firewalld.org/2016/10/automatic-helper-assignment
https://www.cyberphoton.com/tftp-server-in-rhel7/
Setting AutomaticHelpers to any value won't help either. Checked the sysctl values, it's 0 in both Docker and Hyper-V.
Then stumbled upon this:
Kernel modules, dude! The Hyper-V instance actually has the nf_conntrack_tftp module loaded, while the Docker container doesn't have modules at all. Oof.
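A pre-flight check for the failure described above, as an added example that is not part of the original issue or of firewalld: it resolves the helper a service definition references to its kernel module and compares that with the contents of /proc/modules. The function names and the sample /proc/modules lines are constructed for illustration, and a helper compiled into the kernel (rather than built as a module) would not appear in /proc/modules.

```python
import xml.etree.ElementTree as ET

# Definitions as quoted in the issue (service description text shortened).
TFTP_SERVICE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>TFTP</short>
  <port protocol="udp" port="69"/>
  <helper name="tftp"/>
</service>"""
TFTP_HELPER_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<helper module="nf_conntrack_tftp">
  <port protocol="udp" port="69"/>
</helper>"""

# Constructed /proc/modules sample for a host that has the helper loaded.
SAMPLE_PROC_MODULES = (
    "nf_conntrack_tftp 16384 0 - Live 0x0000000000000000\n"
    "nf_conntrack 172032 1 nf_conntrack_tftp, Live 0x0000000000000000\n"
)

def service_helpers(service_xml):
    """Helper names referenced by a firewalld service definition."""
    return [h.get("name") for h in ET.fromstring(service_xml).findall("helper")]

def helper_module(helper_xml):
    """Kernel module named by a firewalld helper definition."""
    return ET.fromstring(helper_xml).get("module")

def loaded_modules(proc_modules_text):
    """Module names from /proc/modules content (first field of each line)."""
    return {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}

def missing_helper_modules(service_xml, helper_defs, proc_modules_text):
    """(helper, module) pairs the service needs but the kernel has not loaded.
    module is None when no helper definition was supplied for that name."""
    loaded = loaded_modules(proc_modules_text)
    missing = []
    for name in service_helpers(service_xml):
        module = helper_module(helper_defs[name]) if name in helper_defs else None
        if module is None or module not in loaded:
            missing.append((name, module))
    return missing

if __name__ == "__main__":
    try:
        with open("/proc/modules") as fh:
            current = fh.read()
    except OSError:
        current = ""  # unreadable here: treated as "no modules loaded"
    helpers = {"tftp": TFTP_HELPER_XML}
    print(missing_helper_modules(TFTP_SERVICE_XML, helpers, current))
```

An empty list means every helper module the service needs is loaded; inside a container the check reflects the host kernel's modules, since containers share that kernel.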