Bug 1715977

Summary: firewall throws error: "'Rich_Destination' is not iterable" when services and destination address are provided in a rich rule.
Product: Red Hat Enterprise Linux 8
Reporter: Akhil John <ajohn>
Component: firewalld
Assignee: Eric Garver <egarver>
Status: CLOSED ERRATA
QA Contact: Jiri Peska <jpeska>
Severity: unspecified
Priority: unspecified
Version: 8.0
CC: jpeska, leonid.fainshtein, pasik, pasteur, ptalbert, todoleza
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: firewalld-0.7.0-1.el8
Last Closed: 2019-11-05 22:31:34 UTC
Type: Bug
Bug Blocks: 1729097

Description Akhil John 2019-05-31 20:37:09 UTC
Description of problem:
A firewalld complete reload throws an error: "'Rich_Destination' is not iterable" when services and destination address are provided in a rich rule.

Version-Release number of selected component (if applicable):
firewalld-0.6.3-7.el8.noarch

How reproducible:
Always

Steps to Reproduce:

1) Create a rich rule in zone with destination and service provided:
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <rule family="ipv4">
    <source address="192.168.122.170/32"/>
    <destination address="192.168.122.235/32"/>
    <service name="ssh"/>
    <accept/>
  </rule>

</zone>


2) Now perform complete reload.



Actual results:
[root@rhel8 ~]# firewall-cmd --complete-reload
Error: argument of type 'Rich_Destination' is not iterable


Expected results:
[root@rhel8 ~]# firewall-cmd --complete-reload
success

Additional info:
Bugzilla which could be related: https://bugzilla.redhat.com/show_bug.cgi?id=1644432
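
An added example, not part of the original report and not firewalld code: a pre-reload check that scans zone XML for rich rules combining a <destination> with a <service>, the pattern reported above as failing on firewalld-0.6.3-7.el8. The function names and the embedded sample zone are constructed for illustration; pass real zone file paths as arguments to scan them instead.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the zone file in the report, plus one
# rule without a destination for contrast.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.122.170/32"/>
    <destination address="192.168.122.235/32"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.122.171/32"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>
"""

def find_affected_rules(zone_xml):
    """Return (rule index, family, destination, services) for every rich
    rule that carries both a <destination> and a <service> child."""
    root = ET.fromstring(zone_xml)
    hits = []
    # Only <rule> children of <zone>; zone-level <service> entries are ignored.
    for idx, rule in enumerate(root.findall("rule"), start=1):
        dest = rule.find("destination")
        services = [s.get("name") for s in rule.findall("service")]
        if dest is not None and services:
            hits.append((idx, rule.get("family"), dest.get("address"), services))
    return hits

def main(argv):
    if len(argv) > 1:
        inputs = [(path, open(path, "rb").read()) for path in argv[1:]]
    else:
        inputs = [("<constructed sample>", SAMPLE_ZONE.encode("utf-8"))]
    found = False
    for name, data in inputs:
        for idx, family, dest, services in find_affected_rules(data):
            found = True
            print(f"{name}: rule {idx} (family={family}) "
                  f"destination={dest} services={','.join(services)}")
    return 1 if found else 0  # non-zero exit when an affected rule exists

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
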

Comment 1 Eric Garver 2019-06-07 15:02:18 UTC
Fixed upstream:

  3fb02f8d6648 ("test: coverage for rhbz 1715977")
  d3bd517c7deb ("fix: rich rule destination with services")

Comment 5 leonid.fainshtein 2019-10-22 06:08:44 UTC
Any plans to backport the fix to RHEL7/CentOS7?

Comment 6 Eric Garver 2019-10-22 12:22:29 UTC
(In reply to leonid.fainshtein from comment #5)
> Any plans to backport the fix to RHEL7/CentOS7?

It will be fixed in the next RHEL-7 minor release (RHEL 7.8).

Comment 7 leonid.fainshtein 2019-10-22 12:40:49 UTC
When is v.7.8 expected? Actually, the fixed bug in firewalld is pretty serious...

Comment 8 Eric Garver 2019-10-22 13:41:54 UTC
(In reply to leonid.fainshtein from comment #7)
> When is v.7.8 expected? Actually, the fixed bug in firewalld is pretty
> serious...

See bug 1729097.

Comment 10 errata-xmlrpc 2019-11-05 22:31:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3635