Bug 1628278

Summary: Option --check-config does not check validity of the rich rules inside xml.
Product: Red Hat Enterprise Linux 8
Reporter: Jiri Peska <jpeska>
Component: firewalld
Assignee: Eric Garver <egarver>
Status: CLOSED WONTFIX
QA Contact: qe-baseos-daemons
Severity: medium
Priority: medium
Version: 8.2
CC: rkhan, todoleza
Target Milestone: rc
Target Release: 8.3
Hardware: x86_64
OS: Unspecified
Clone Of: 1477771
Last Closed: 2021-01-08 07:35:45 UTC
Type: Bug
Bug Blocks: 1477771

Description Jiri Peska 2018-09-12 16:00:35 UTC
Description of problem:
Option --check-config of firewall-cmd should check the validity of rules located inside the .xml files, but it seems that it struggles when checking rich rules.
When a valid rich rule is added via the command and the address is then invalidated manually inside the .xml, --check-config should throw an error when it finds the invalid address, but it returns success.
The check should return the same error as the command returns when the invalid address is written directly in the command.

Version-Release number of selected component (if applicable):
firewalld-0.5.3-5.el7

How reproducible:
every time

Steps to Reproduce:
1. Add valid rule:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.1" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
2. Manually change address "192.168.1.1" to something invalid (e.g.: 192.abc.invalid.1 ) inside /etc/firewalld/zone/public.xml
3. Run command:
firewall-cmd --check-config

1. Same for family="ipv6" and providing invalid ipv6 address (e.g.: 3001::2::2::7334)

Actual results:
success

Expected results:
Option --check-config should throw the error INVALID_ADDR when an invalid address exists in a rich rule inside the xml, just as it throws the error when the rule is added via the command (e.g.:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="invalid.ipv4.address" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
)

Additional info:
Adding invalid rule manually:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv6" source address="2001::8a20::7334" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept'
Error: INVALID_ADDR: 2001::8a20::7334
Throws the error as expected.
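
The address check the report says --check-config skips can be reproduced outside firewalld. The script below is an added example, not firewalld's own code or its --check-config implementation: it walks the <rule> elements of a zone XML document and validates the address attribute of each <source> and <destination> child with the standard ipaddress module, reporting errors in the INVALID_ADDR style quoted above. The zone document embedded in it is constructed for the example (it is not the reporter's /etc/firewalld zone file) and contains the two invalid addresses from the report; the requirement that a rule carrying an address also carries family="ipv4|ipv6" follows the firewalld rich-language documentation and is applied here as an assumption.

```python
"""Stand-alone validator for addresses inside firewalld zone XML rich rules.

Added example: this is not firewalld's --check-config code. It demonstrates
the check that the bug report describes as missing, using only the standard
library so it runs offline.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional


def validate_address(addr: str, family: str) -> Optional[str]:
    """Return None when addr is a valid host or CIDR address of the given
    family ("ipv4" or "ipv6"); otherwise an INVALID_ADDR-style message.

    strict=False lets host addresses such as 192.168.1.1 pass as /32
    networks, which is how firewalld accepts a bare address.
    """
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return f"INVALID_ADDR: {addr}"
    wanted_version = 4 if family == "ipv4" else 6
    if net.version != wanted_version:
        return f"INVALID_ADDR: {addr} is not an {family} address"
    return None


def check_zone_xml(xml_text: str) -> List[str]:
    """Validate every <source>/<destination> address in every <rule>.

    Returns the list of error messages (empty when the document is clean).
    """
    errors: List[str] = []
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        family = rule.get("family")
        for elem in rule:
            if elem.tag not in ("source", "destination"):
                continue
            addr = elem.get("address")
            if addr is None:
                # mac="..." or ipset="..." sources carry no address to check
                continue
            # Assumption from the rich-language docs: an address requires
            # an explicit family on the rule.
            if family not in ("ipv4", "ipv6"):
                errors.append(f"MISSING_FAMILY: address {addr} needs family=ipv4|ipv6")
                continue
            err = validate_address(addr, family)
            if err is not None:
                errors.append(err)
    return errors


# Constructed sample zone document (not a real /etc/firewalld zone file):
# two valid rules plus the two broken addresses quoted in the bug report.
SAMPLE_ZONE = """<zone>
  <short>Public</short>
  <rule family="ipv4">
    <source address="192.168.1.1"/>
    <service name="tftp"/>
    <log prefix="tftp" level="info"><limit value="1/m"/></log>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.abc.invalid.1"/>
    <service name="tftp"/>
    <accept/>
  </rule>
  <rule family="ipv6">
    <source address="3001::2::2::7334"/>
    <service name="tftp"/>
    <accept/>
  </rule>
  <rule family="ipv6">
    <source address="2001:db8::/32"/>
    <accept/>
  </rule>
</zone>
"""


def main(paths: List[str]) -> int:
    """Check the given zone files, or the embedded sample when none are given.

    Exit status 1 when any address is invalid, mirroring what a config check
    should do, so the script can gate a deployment step.
    """
    if not paths:
        errors = check_zone_xml(SAMPLE_ZONE)
    else:
        errors = []
        for path in paths:
            with open(path, encoding="utf-8") as fh:
                errors += [f"{path}: {e}" for e in check_zone_xml(fh.read())]
    for e in errors:
        print(e)
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments to check the embedded sample, or pass one or more zone XML paths; a non-zero exit status means at least one rule carries an address that firewall-cmd would reject if the same rule were added on the command line.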

Comment 3 Eric Garver 2020-05-07 17:28:50 UTC
This is a minor issue and there are no plans to fix this in RHEL-7. Moving to RHEL-8.

Comment 7 RHEL Program Management 2021-01-08 07:35:45 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.