Bug 804814

Summary: firewall-cmd --reload should trigger NetworkManager to update the default zone
Product: [Fedora] Fedora
Reporter: Stephen Gallagher <sgallagh>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 17
CC: jpopelka, twoerner
Hardware: All   
OS: Linux   
Fixed In Version: firewalld-0.2.5-1.fc17
Doc Type: Bug Fix
Last Closed: 2012-04-24 04:26:11 UTC
Attachments:
update interfaces in default zone after reload (flags: none)
update interfaces in default zone after reload (flags: none)

Description Stephen Gallagher 2012-03-19 20:16:30 UTC
Description of problem:
If the default zone is changed and firewalld is reloaded, it would be useful to signal NM via D-BUS to update itself.

Version-Release number of selected component (if applicable):
firewalld-0.2.4-1.fc17
NetworkManager-0.9.3.995-0.6.git20120314.fc17

How reproducible:
Every time

Steps to Reproduce:
1. Change the default zone in firewalld.conf
2. Issue firewall-cmd --reload
  
Actual results:
firewalld is updated, but existing NM connections remain on the old default zone.

Expected results:
All interfaces that are relying on the default zone should be updated automatically.

Additional info:

Comment 1 Jiri Popelka 2012-03-20 12:32:58 UTC
Good point, thanks.

However I don't think we need to inform NM about this change because for NM nothing changes. NM only tracks that an interface is in "default" zone but doesn't care which zone is this "default", see 'nmcli -f NAME,ZONE con status'.

I think firewalld itself should take care of this, i.e. when it is reloaded it should change the zone the interface belongs to if it has been the default one.

Comment 2 Jiri Popelka 2012-04-04 17:32:14 UTC
Created attachment 575187
update interfaces in default zone after reload

(In reply to comment #1)
> I think firewalld itself should take care of this, i.e. when it is reloaded it
> should change the zone the interface belongs to if it has been the
> default one.

With this patch if the default zone changes, the interfaces from old default zone are moved to the new one. It's not perfect (see the comment inside), but I've had no other idea so far.

Comment 3 Jiri Popelka 2012-04-10 18:04:26 UTC
Created attachment 576536
update interfaces in default zone after reload

(In reply to comment #2)
> With this patch if the default zone changes, the interfaces from old default
> zone are moved to the new one. It's not perfect (see the comment inside), but
> I've had no other idea so far.

This one seems to be OK.

Comment 5 Fedora Update System 2012-04-20 19:54:20 UTC
firewalld-0.2.5-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/firewalld-0.2.5-1.fc17

Comment 6 Fedora Update System 2012-04-21 21:04:08 UTC
Package firewalld-0.2.5-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.2.5-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-6323/firewalld-0.2.5-1.fc17
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-04-24 04:26:11 UTC
firewalld-0.2.5-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.