Bug 1070683

Summary: firewall-cmd: --delete option for iptables no longer works with --direct --passthrough
Product: Red Hat Enterprise Linux 7
Reporter: Alex Jia <ajia>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED CURRENTRELEASE
QA Contact: Tomas Dolezal <todoleza>
Severity: medium
Priority: high
Version: 7.0
CC: acathrow, dyuan, jdenemar, jpopelka, jscotka, jtomko, mzhan, ovasik, praiskup, psklenar, todoleza, weizhan
Target Milestone: rc
Keywords: Patch, Regression
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: firewalld-0.3.9-7.el7
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-13 12:55:44 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Alex Jia 2014-02-27 11:05:41 UTC
Description of problem:
The new /usr/bin/firewall-cmd command line doesn't have a '--delete' option for deleting firewall rules; however, iptablesCommandNew() in src/util/viriptables.c only sets 'action' to "--insert" or "--delete".

Version-Release number of selected component (if applicable):
# rpm -q libvirt firewalld kernel
libvirt-1.1.1-25.el7.x86_64
firewalld-0.3.9-6.el7.noarch
kernel-3.10.0-86.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. # tail -2 /etc/libvirt/libvirtd.conf
log_outputs="1:file:/tmp/libvirtd.log"
log_filters="3:remote 4:event 1:libvirt 1:conf"

2. # service libvirtd restart

3. # grep firewall-cmd /tmp/libvirtd.log | head -1

Actual results:
# grep firewall-cmd /tmp/libvirtd.log | head -1
2014-02-27 10:57:45.070+0000: 12036: error : virCommandWait:2399 : internal error: Child process (/usr/bin/firewall-cmd --direct --passthrough ipv4 --table nat --delete POSTROUTING --source 192.168.122.0/24 -p tcp '!' --destination 192.168.122.0/24 --jump MASQUERADE --to-ports 1024-65535) unexpected exit status 2: usage: see firewall-cmd man page

Expected results:
Fix it.

Additional info:

# firewall-cmd -h|grep -E '(delete|remove)'
  --delete-zone=<zone> Delete an existing zone [P only]
  --delete-icmptype=<icmptype>
  --delete-service=<service>
  --remove-service=<service>
  --remove-port=<portid>[-<portid>]/<protocol>
  --remove-icmp-block=<icmptype>
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --remove-rich-rule=<rule>
  --remove-interface=<interface>
  --remove-source=<source>[/<mask>]
  --remove-chain {ipv4|ipv6|eb} <table> <chain>
  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
  --remove-rules {ipv4|ipv6|eb} <table> <chain>
  --remove-passthrough {ipv4|ipv6|eb} <arg>...
  --remove-lockdown-whitelist-command=<command>
  --remove-lockdown-whitelist-context=<context>
  --remove-lockdown-whitelist-uid=<uid>
  --remove-lockdown-whitelist-user=<user>


# pwd
/root/rpmbuild/BUILD/libvirt-1.1.1

[root@rhel7 libvirt-1.1.1]# grep -A 20 "iptablesCommandNew(const" ./src/util/viriptables.c
iptablesCommandNew(const char *table, const char *chain, int family, int action)
{
    virCommandPtr cmd = NULL;
#if HAVE_FIREWALLD
    virIpTablesInitialize();
    if (firewall_cmd_path) {
        cmd = virCommandNew(firewall_cmd_path);
        virCommandAddArgList(cmd, "--direct", "--passthrough",
                             (family == AF_INET6) ? "ipv6" : "ipv4", NULL);
    }
#endif

    if (cmd == NULL) {
        cmd = virCommandNew((family == AF_INET6)
                        ? IP6TABLES_PATH : IPTABLES_PATH);
    }

    virCommandAddArgList(cmd, "--table", table,
                         action == ADD ? "--insert" : "--delete",
                         chain, NULL);
    return cmd;
}

NOTE: if the 'action' isn't ADD (i.e. it's REMOVE), the 'action' will be '--delete', which is not an option for the latest firewall-cmd command.

Comment 2 Ján Tomko 2014-02-27 11:56:02 UTC
The untruncated error message is:
usage: see firewall-cmd man page
firewall-cmd: error: ambiguous option: --delete could match --delete-icmptype, --delete-service, --delete-zone

It seems that the --delete option for iptables via --direct --passthrough no longer works.

This worked fine with firewalld-0.3.9-3.el7
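
Added example (not code from firewalld or libvirt): a hypothetical miniature of a firewall-cmd-style front end built with Python's argparse, showing why the forwarded iptables '--delete' collides with --delete-icmptype/--delete-service/--delete-zone, and a parser declaration that keeps forwarded tokens out of the wrapper's own option matching. The argv is the one from the libvirt log line in the description; the option names and the two parser variants (nargs='+' with abbreviations enabled versus nargs=argparse.REMAINDER with allow_abbrev=False) are assumptions for illustration, not a description of how firewall-cmd 0.3.9 or the upstream fix is actually written.

```python
import argparse

# Constructed from the libvirt log line in the bug report: the argv that
# libvirt's iptablesCommandNew() hands to firewall-cmd when it removes the
# MASQUERADE rule for the 192.168.122.0/24 NAT network.
LIBVIRT_ARGV = [
    "--direct", "--passthrough", "ipv4",
    "--table", "nat", "--delete", "POSTROUTING",
    "--source", "192.168.122.0/24", "-p", "tcp", "!",
    "--destination", "192.168.122.0/24",
    "--jump", "MASQUERADE", "--to-ports", "1024-65535",
]


class UsageError(Exception):
    """Raised instead of sys.exit(2) so the outcome can be inspected."""


class WrapperParser(argparse.ArgumentParser):
    # argparse's error() prints "usage: ..." and exits with status 2, the
    # exit status libvirt logged. Raising instead keeps the message visible.
    def error(self, message):
        raise UsageError(message)


def build_parser(allow_abbrev, passthrough_nargs):
    """Hypothetical miniature of a firewall-cmd-like front end (assumed, not firewalld's code)."""
    p = WrapperParser(prog="firewall-cmd", allow_abbrev=allow_abbrev)
    # The three long options whose common prefix '--delete' collides with
    # the iptables '--delete' that libvirt forwards. Added in the order that
    # reproduces the message quoted in comment 2.
    p.add_argument("--delete-icmptype", metavar="<icmptype>")
    p.add_argument("--delete-service", metavar="<service>")
    p.add_argument("--delete-zone", metavar="<zone>")
    p.add_argument("--direct", action="store_true")
    # Everything after --passthrough belongs to iptables, not to the wrapper.
    p.add_argument("--passthrough", nargs=passthrough_nargs, metavar="<arg>")
    return p


def parse(argv, allow_abbrev, passthrough_nargs):
    """Return (forwarded_args, None) on success or (None, error_message) on a usage error."""
    parser = build_parser(allow_abbrev, passthrough_nargs)
    try:
        ns = parser.parse_args(argv)
    except UsageError as e:
        return None, str(e)
    return ns.passthrough, None


def naive_parse(argv):
    # Abbreviations allowed and the pass-through declared as nargs='+', which
    # stops at the first option-looking token: the forwarded iptables options
    # are matched against the wrapper's own option table, and '--delete' is a
    # prefix of three of them.
    return parse(argv, allow_abbrev=True, passthrough_nargs="+")


def safe_parse(argv):
    # nargs=argparse.REMAINDER swallows every token after --passthrough,
    # option-looking ones included, and allow_abbrev=False (Python 3.5+)
    # stops argparse from prefix-matching forwarded tokens such as '--delete'
    # against --delete-*. Depending on the CPython release, argparse may try
    # to classify every token before it decides which ones the REMAINDER
    # option consumes, so both settings are needed for the boundary to hold.
    return parse(argv, allow_abbrev=False, passthrough_nargs=argparse.REMAINDER)


if __name__ == "__main__":
    for name, fn in (("naive", naive_parse), ("safe", safe_parse)):
        forwarded, err = fn(LIBVIRT_ARGV)
        print(f"{name}: " + (f"error: {err}" if err else f"forwarded {forwarded}"))
```

Run with python3 and it prints the ambiguous-option error for the naive declaration and the sixteen forwarded iptables tokens for the safe one. The consequence that matters is the one in the log: the rule removal exits 2, so the MASQUERADE rule libvirt asked to delete is left in place. Any wrapper that forwards argv to a privileged tool needs the same two properties: a hard boundary after which nothing is interpreted, and no prefix matching on its own options, since a forwarded token that happens to be an unambiguous prefix of a wrapper option would otherwise be taken as that option without any error at all.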

Comment 5 Alex Jia 2014-02-28 03:06:48 UTC
(In reply to Jiri Popelka from comment #4)
> Should be fixed upstream with
> https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=80d94d02341b0e772873a3f03dbc813e8e1b47cc

BTW, there is also no documentation about the --delete-{zone|icmptype|service} options in the firewall-cmd man page.

Comment 6 Jiri Popelka 2014-02-28 09:40:18 UTC
(In reply to Alex Jia from comment #5)
> BTW, there is also no documentation about the --delete-{zone|icmptype|service}
> options in the firewall-cmd man page.

thanks (bug #1064386, comment #4)

Comment 11 Ludek Smid 2014-06-13 12:55:44 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.