Bug 2100939
| Summary: | RFE: firewall-system-role: add ability to add interface to zone by PCI device ID | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Brennan Paciorek <bpaciore> | |
| Component: | rhel-system-roles | Assignee: | Rich Megginson <rmeggins> | |
| Status: | CLOSED ERRATA | QA Contact: | David Jež <djez> | |
| Severity: | unspecified | Docs Contact: | Gabi Fialová <gfialova> | |
| Priority: | unspecified | |||
| Version: | 8.7 | CC: | djez, egarver, gfialova, maypatil, nhosoi, spetrosi | |
| Target Milestone: | rc | Keywords: | FutureFeature, Triaged | |
| Target Release: | 8.7 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | role:firewall | |||
| Fixed In Version: | rhel-system-roles-1.20.0-1.el8 | Doc Type: | Enhancement | |
| Doc Text: |
.The `firewall` system role can add or remove an interface to the zone using PCI device ID
Using the PCI device ID, the `firewall` system role can now assign or remove a network interface to or from a zone. Previously, if only the PCI device ID was known instead of the interface name, users had to first identify the corresponding interface name to use the `firewall` system role. With this update, the `firewall` system role can now use the PCI device ID to manage a network interface in a zone.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 2100942 (view as bug list) | Environment: | ||
| Last Closed: | 2022-11-08 09:41:52 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Deadline: | 2022-08-15 | |||
|
Description
Brennan Paciorek
2022-06-24 18:12:23 UTC
*** Bug 1850744 has been marked as a duplicate of this bug. *** This feature appears to already be supported by the firewall system role. For example, the following options work in the firewall system role as it is currently:
firewall:
- interface: 8086:15d7 # Intel Corporation Ethernet Connection PCI id
state: enabled
If the D-bus interface supports adding by PCI device ID, then the system role should as well.
@egarver - Are we certain that this feature is not already supported by the system role? For interfaces, we only really restrict user actions with errors that the D-bus interface will raise.
(In reply to Brennan Paciorek from comment #3) > This feature appears to already be supported by the firewall system role. > For example, the following options work in the firewall system role as it is > currently: > firewall: > - interface: 8086:15d7 # Intel Corporation Ethernet Connection PCI id > state: enabled > > If the D-bus interface supports adding by PCI device ID, then the system > role should as well. > > @egarver - Are we certain that this feature is not already > supported by the system role? For interfaces, we only really restrict user > actions with errors that the D-bus interface will raise. Yes. We're certain it is NOT supported. The above is accepted by firewalld, but it doesn't work. The PCI ID is passed directly to firewalld which treats it like a plain interface name. So you end up with rules like this: `iifname "8086:15d7" goto filter_IN_public`. But that should be translated by the role to a real interface name. The NetworkManager integration is done in the UIs. See calls to nm_*() and try_set_zone_of_interface(). The role will have to do something similar. Note: Ideally this magic would be done in the daemon. I don't know the history of why it is not. Maybe it has something to do with user privileges and polkit (authorization). Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:7568 |