Bug 1656962

Summary: zone bindings lost on reload with NM active
Product: Red Hat Enterprise Linux 8
Reporter: Tomas Dolezal <todoleza>
Component: firewalld
Assignee: Eric Garver <egarver>
Status: CLOSED CURRENTRELEASE
QA Contact: Tomas Dolezal <todoleza>
Severity: high
Priority: high
Version: 8.0
CC: todoleza, wchadwic
Target Milestone: rc
Keywords: Regression
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: firewalld-0.6.3-5.el8
Last Closed: 2019-06-14 00:50:47 UTC
Type: Bug
Bug Blocks: 1637664

Description Tomas Dolezal 2018-12-06 18:19:36 UTC
Description of problem:
Zone bindings are not recreated on reload if they are managed by NM. This bug was introduced with the new option FlushAllOnReload set to default 'yes'.
Interfaces configured to be bound to specific zones internally in firewalld (zone.xml file) are not impacted. This binding type is not the default, as NM is usually running and left to manage those bindings.

Version-Release number of selected component (if applicable):
firewalld-0.6.3-3.el8.noarch
NetworkManager-1.14.0-7.el8.x86_64

How reproducible:
always

Steps to Reproduce:
(optionally set up 'br' interface and binding in zone.xml)
have NM and firewalld up
firewall-cmd --get-active-zones
public
  interfaces: eth0
work
  interfaces: br


firewall-cmd --reload
firewall-cmd --get-active-zones
work
  interfaces: br

Actual results:
interface 'eth0' is not bound to any zone (default) on reload
interface contained within internal configuration gets loaded

Expected results:
all interfaces NM/non-NM managed that are present on service start are also present after reload

Additional info:

Comment 4 Eric Garver 2018-12-10 22:21:50 UTC
Upstream:

  cd97204a06f3 ("fw: on reload() retain interfaces from NetworkManager")

Comment 5 Whitney Chadwick 2018-12-13 20:16:06 UTC
blocker+ per Dec 13th blocker meeting

Comment 9 Eric Garver 2018-12-18 15:28:12 UTC
Additional upstream commit:

  2c003eefff31 ("fw: On reload, when restoring NM interfaces also consider default zone")
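
Added example, not part of the bug report or of firewalld itself: a regression check that compares `firewall-cmd --get-active-zones` output captured before and after a reload and reports interfaces that lost or changed their zone binding. The function names and the `--live` switch are assumptions of this example; the sample data is constructed from the output shown in the description.

```shell
#!/bin/sh
# Added example: detect zone bindings lost across `firewall-cmd --reload`.

# Turn `firewall-cmd --get-active-zones` output (stdin) into sorted
# "interface zone" lines. Zone names start in column 0; indented
# "interfaces:" lines list the bound interfaces ("sources:" is ignored).
parse_active_zones() {
    awk '
        /^[^ \t]/           { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) print $i, zone }
    ' | sort
}

# diff_bindings BEFORE AFTER
# Prints "LOST iface zone" when an interface has no binding afterwards and
# "MOVED iface old new" when it ended up in a different zone.
# Rows are tagged A (after) / B (before) so an empty AFTER is handled.
diff_bindings() {
    {
        printf '%s\n' "$2" | parse_active_zones | sed 's/^/A /'
        printf '%s\n' "$1" | parse_active_zones | sed 's/^/B /'
    } | awk '
        $1 == "A"     { now[$2] = $3; next }
        !($2 in now)  { print "LOST", $2, $3; next }
        now[$2] != $3 { print "MOVED", $2, $3, now[$2] }
    '
}

# Constructed sample data, taken from the reproduction steps in this report.
SAMPLE_BEFORE='public
  interfaces: eth0
work
  interfaces: br'
SAMPLE_AFTER='work
  interfaces: br'

# Live check against a running firewalld (needs root); only runs with --live.
check_reload() {
    before=$(firewall-cmd --get-active-zones)
    firewall-cmd --reload >/dev/null
    after=$(firewall-cmd --get-active-zones)
    report=$(diff_bindings "$before" "$after")
    [ -z "$report" ] || { printf '%s\n' "$report"; return 1; }
}

if [ "${1:-}" = "--live" ]; then check_reload; fi
```

On an affected build (firewalld-0.6.3-3.el8 with NetworkManager managing eth0) the live check reports the NM-managed interface as lost, while the interface bound in zone.xml is retained.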