Bug 907375

Summary: RFE: Do not create empty chains for unused zones
Product: [Fedora] Fedora
Reporter: Marian Ganisin <mganisin>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: amessina, david.m.highley, jpopelka, mattdm, pahan, twoerner
Hardware: Unspecified
OS: Unspecified
Fixed In Version: firewalld-0.3.9.3-1.fc19
Doc Type: Bug Fix
Last Closed: 2014-01-15 05:54:18 UTC
Type: Bug

Description Marian Ganisin 2013-02-04 08:54:46 UTC
Description of problem:

In Fedora 18 I see many empty chains, or collections of empty chains, in the output of iptables -L.

firewalld could create all necessary chains and super-chains only when that particular zone/chain is used. This would make the iptables output easier to read/track.

Example of empty chains and chains containing empty chains only:

Chain FORWARD_ZONES (1 references)
target     prot opt source               destination         
FWDO_ZONE_public  all  --  anywhere             anywhere            
FWDI_ZONE_public  all  --  anywhere             anywhere            

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_ZONE_public (1 references)
target     prot opt source               destination         
FWDI_ZONE_public_deny  all  --  anywhere             anywhere            
FWDI_ZONE_public_allow  all  --  anywhere             anywhere            

Chain FWDI_ZONE_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_ZONE_public_deny (1 references)
target     prot opt source               destination
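The listing above is the reporter's evidence, not a check anyone can rerun. As an added example (not code from the bug report or from firewalld), the following script parses `iptables -L` output and flags chains that are empty or that only jump to other empty chains, which is exactly the two classes the reporter describes. The input is the reporter's listing plus a constructed `FWDO_ZONE_public` subtree, added so that every chain referenced in the snippet is present; the function names and the verdict labels are this example's own.

```python
import re
from typing import Dict, List

# Constructed input: the chains shown in the bug report, plus an FWDO_ZONE_public
# subtree added here so that every jump target in the snippet is defined.
SAMPLE_IPTABLES_L = """\
Chain FORWARD_ZONES (1 references)
target     prot opt source               destination
FWDO_ZONE_public  all  --  anywhere             anywhere
FWDI_ZONE_public  all  --  anywhere             anywhere

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_ZONE_public (1 references)
target     prot opt source               destination
FWDI_ZONE_public_deny  all  --  anywhere             anywhere
FWDI_ZONE_public_allow  all  --  anywhere             anywhere

Chain FWDI_ZONE_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_ZONE_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_ZONE_public (1 references)
target     prot opt source               destination
FWDO_ZONE_public_deny  all  --  anywhere             anywhere
FWDO_ZONE_public_allow  all  --  anywhere             anywhere

Chain FWDO_ZONE_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_ZONE_public_deny (1 references)
target     prot opt source               destination
"""

# Matches both built-in chain headers ("Chain INPUT (policy ACCEPT)") and
# user chain headers ("Chain FORWARD_ZONES (1 references)").
CHAIN_HEADER = re.compile(r"^Chain (\S+) \((?:policy \S+|\d+ references)\)")


def parse_chains(text: str) -> Dict[str, List[str]]:
    """Map each chain name to the list of rule targets listed under it.

    Only the first column (the target) is kept, since emptiness and
    jump structure are all this check needs.
    """
    chains: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        header = CHAIN_HEADER.match(line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        if current is None or not line.strip() or line.startswith("target "):
            continue  # preamble, blank separator, or column header line
        chains[current].append(line.split()[0])
    return chains


def classify_chains(chains: Dict[str, List[str]]) -> Dict[str, str]:
    """Return {chain: verdict} for chains that carry no effective rules.

    Verdicts (labels chosen for this example):
      "empty"            - the chain has no rules at all
      "only-empty-jumps" - every rule is a jump to a chain that is itself
                           flagged; terminal targets (ACCEPT, DROP, ...) and
                           chains outside the parsed text count as real rules.
    Computed as a fixed point so nesting of any depth is handled.
    """
    flagged: Dict[str, str] = {}
    changed = True
    while changed:
        changed = False
        for name, targets in chains.items():
            if name in flagged:
                continue
            if not targets:
                flagged[name] = "empty"
                changed = True
            elif all(t in flagged for t in targets):
                flagged[name] = "only-empty-jumps"
                changed = True
    return flagged


def report_unused_chains(text: str) -> List[str]:
    """Sorted 'chain: verdict' lines for human review."""
    verdicts = classify_chains(parse_chains(text))
    return [f"{name}: {verdict}" for name, verdict in sorted(verdicts.items())]


if __name__ == "__main__":
    for line in report_unused_chains(SAMPLE_IPTABLES_L):
        print(line)
```

To run it against a live host, replace `SAMPLE_IPTABLES_L` with the captured output of `iptables -L` (the parser ignores the `-n` / `-v` column differences because it only reads the first column of each rule line). A chain flagged `only-empty-jumps` is the "chain containing empty chains only" case from the report; neither verdict means the firewall is misconfigured, only that the chain currently filters nothing.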

Comment 1 Thomas Woerner 2013-04-26 12:48:24 UTC
Without creating the chains and rules for unused zones, it would take some time to add an interface to a zone that has been unused before.

Comment 2 Jiri Popelka 2013-04-26 13:03:59 UTC
... which does not happen so often - in most cases only once per boot or when the user changes the zone of an interface.

I had already been thinking about it before Marian filed the request, but haven't had time yet to investigate it more.

Comment 3 Jiri Popelka 2014-01-13 16:39:02 UTC
Should be AFAICT fixed upstream with
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=1236770365336e2cffe01035910fe50bc311bd85

Comment 4 Fedora Update System 2014-01-13 16:46:55 UTC
firewalld-0.3.9-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/firewalld-0.3.9-1.fc20

Comment 5 Fedora Update System 2014-01-13 16:49:45 UTC
firewalld-0.3.9-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/firewalld-0.3.9-1.fc19

Comment 6 Fedora Update System 2014-01-14 08:39:14 UTC
Package firewalld-0.3.9-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.9-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0738/firewalld-0.3.9-1.fc20
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2014-01-15 05:54:18 UTC
firewalld-0.3.9-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2014-03-09 04:42:44 UTC
firewalld-0.3.9.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.