Bug 1374116

Summary: firewall-cmd --list-all-zones does not show default icmp blocks
Product: Red Hat Enterprise Linux 7 Reporter: Jim Wildman <jwildman>
Component: firewalldAssignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: todoleza
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-18 15:00:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Jim Wildman 2016-09-08 02:16:51 UTC 
Description of problem:
firewall-cmd --list-all-zones does not show the default ipv6 icmp blocks that are implemented.  These blocks can be displayed with ip6tables -L -n

Version-Release number of selected component (if applicable):
firewalld-0.3.9-14.el7.noarch


How reproducible:
Build a base RHEL 7.latest
Verify firewalld is active

# firewall-cmd --list-all-zones | grep icmp
  icmp-blocks: 
  icmp-blocks: 
  icmp-blocks: 
  icmp-blocks: 
  icmp-blocks: 
  icmp-blocks: 
  icmp-blocks: 
  icmp-blocks: 
  icmp-blocks: 

# ip6tables -L -n | grep icmp
ACCEPT     icmpv6    ::/0                 ::/0                
REJECT     all      ::/0                 ::/0                 reject-with icmp6-adm-prohibited
ACCEPT     icmpv6    ::/0                 ::/0                
REJECT     all      ::/0                 ::/0                 reject-with icmp6-adm-prohibited

Expected results:
I expected to see the icmpv6 rejects in the icmp-block listings for the default zone

Additional info:
I also have not found how to turn the icmpv6 reject strings off (I will file another bug for that).
Comment 2 Thomas Woerner 2016-09-30 12:03:20 UTC 
This request was very late for 7.3. I am proposing it for 7.4
Comment 3 Thomas Woerner 2017-01-18 15:00:30 UTC 
There is no default reject of ICMP types. The default is to accept all icmp types, which can be limited using icmp-block or icmp-block-inversion. There is no icmp-block by default.

The reject line form your "ip6tables -L" output is the final reject line, which is rejecting everything that has not been allowed. But as all ICMP types are accepted before this does not affect ICMP types.

Closing as NOT A BUG.