Bug 1296573

Summary: xsd specification nor service daemon checks whether tags are specified more than once if they must not
Product: Red Hat Enterprise Linux 7 Reporter: Tomas Dolezal <todoleza>
Component: firewalldAssignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA QA Contact: Tomas Dolezal <todoleza>
Severity: low Docs Contact:
Priority: medium    
Version: 7.2CC: todoleza, vdanek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: firewalld-0.4.3-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-03 21:02:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tomas Dolezal 2016-01-07 15:20:05 UTC 
Description of problem:
specifiying multiple destinations of same protocol (ipv4/v6) results in use only of the latest one. accordingly to documentation and firewall-config it's not possible to specify more. schema check however passes while it should not.

Version-Release number of selected component (if applicable):
firewalld-0.3.9-14.el7.noarch

How reproducible:
always

Actual results:
cat /etc/firewalld/services/amyserv.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <port protocol="tcp" port="20200-20400"/>
  <destination ipv4="10.99.99.88"/>
  <destination ipv4="10.99.99.89"/>
</service>

iptables rule:
-A IN_internal_allow -d 10.99.99.89/32 -p tcp -m tcp --dport 20200:20400 -m conntrack --ctstate NEW -j ACCEPT

firewalld]# /usr/lib/firewalld/xmlschema/check.sh 
Checking zones
  internal.xml validates
  public.xml validates
Checking services
  amyserv.xml validates
Checking icmptypes

`journalctl -b -u firewalld` also does not contain a single relevant complaint

Expected results:
journal contains complaints
schema validation fails

..for all 'use only once' tags in files

Additional info:
Comment 5 Thomas Woerner 2016-01-29 16:10:30 UTC 
Fixed in service daemon in these commits:

https://github.com/t-woerner/firewalld/commit/fa112ad13327c2bfb46a16c5b22941f904c5a176
https://github.com/t-woerner/firewalld/commit/b165f4e075c4c8c67c46df1851374d1318d9bb52
https://github.com/t-woerner/firewalld/commit/51a47ad6d71eeba0b5b3a1d6c8e3ce315dceb9be
Comment 6 Thomas Woerner 2016-06-22 09:31:08 UTC 
Fixed upstream: https://github.com/t-woerner/firewalld/commit/74967ee84b72d9341d99a66443caccd15cbde101
Comment 10 errata-xmlrpc 2016-11-03 21:02:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2597.html