Bug 987403

Summary: with 'Lockdown=yes' firewall-cmd --reload does not work (shows warning: ALREADY_ENABLED)
Product: [Fedora] Fedora
Reporter: Petr Sklenar <psklenar>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: jpopelka, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: firewalld-0.3.4-1.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-04 00:09:28 UTC
Type: Bug

Description Petr Sklenar 2013-07-23 10:55:29 UTC
Description of problem:
Reload of firewall-cmd reports some issue and it's hard to recognize what's wrong.

Version-Release number of selected component (if applicable):
firewalld-0.3.3-2.fc19.noarch

How reproducible:
always

Steps to Reproduce:
0. /etc/firewalld/firewalld.conf with 'Lockdown=yes'

1. firewall-cmd --reload
Warning: ALREADY_ENABLED

Actual results:
It's due to:
grep Lock /etc/firewalld/firewalld.conf
# Lockdown
Lockdown=yes

and combination with 'firewall-cmd --lockdown-on'

Expected results:
firewall-cmd --reload
Warning: Lockdown ALREADY_ENABLED

Additional info:
anyway it looks somehow strange:
[root@masox ~]# firewall-cmd --lockdown-off
[root@masox ~]# firewall-cmd --reload
Error: ''
## now it's completely unknown ^
[root@masox ~]# firewall-cmd --reload
Warning: ALREADY_ENABLED

Comment 1 Petr Sklenar 2013-07-23 11:17:03 UTC
With 'Lockdown=yes' in the config file, there is an issue that it stops showing the active zone:

[root@masox ~]# service firewalld restart
Redirecting to /bin/systemctl restart  firewalld.service
[root@masox ~]# firewall-cmd --query-lockdown
[root@masox ~]# echo $?
0
[root@masox ~]# firewall-cmd --get-active-zones
home
  interfaces: enp0s25
trusted
  interfaces: br0
[root@masox ~]# firewall-cmd --reload
Warning: ALREADY_ENABLED
[root@masox ~]# firewall-cmd --get-active-zones
[root@masox ~]# firewall-cmd --query-lockdown
[root@masox ~]# echo $?
0
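
An added regression check for the symptom shown in this comment (example code, not part of the bug report or of firewalld): it compares `firewall-cmd --get-active-zones` output taken before and after a reload and lists the zone/interface bindings that disappeared. The function names and the `--live` switch are assumptions of this example; the sample data is constructed from the session above.

```shell
#!/bin/sh
# Constructed sample: active zones before the reload (as in the session
# above) and the empty output seen after it.
SAMPLE_BEFORE='home
  interfaces: enp0s25
trusted
  interfaces: br0'
SAMPLE_AFTER=''

# Flatten --get-active-zones output (a zone name line followed by an
# indented "interfaces: a b" line) into sorted "zone:iface" pairs.
zone_pairs() {
    awk '
        /^[^ \t]/           { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) print zone ":" $i }
    ' | sort
}

# Print every binding present in $1 (before) but missing from $2 (after).
# Returns 0 when nothing was lost, 1 otherwise.
lost_bindings() {
    b_pairs=$(printf '%s\n' "$1" | zone_pairs)
    a_pairs=$(printf '%s\n' "$2" | zone_pairs)
    rc=0
    for pair in $b_pairs; do
        if ! printf '%s\n' "$a_pairs" | grep -Fxq -- "$pair"; then
            echo "$pair"
            rc=1
        fi
    done
    return $rc
}

# Live check (needs root and a running firewalld): snapshot, reload, compare.
check_reload() {
    zones_before=$(firewall-cmd --get-active-zones)
    firewall-cmd --reload
    zones_after=$(firewall-cmd --get-active-zones)
    lost_bindings "$zones_before" "$zones_after"
}

if [ "${1:-}" = "--live" ]; then
    check_reload || echo "reload dropped the zone bindings listed above" >&2
else
    lost_bindings "$SAMPLE_BEFORE" "$SAMPLE_AFTER" ||
        echo "sample: reload dropped the zone bindings listed above" >&2
fi
```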

Comment 2 Jiri Popelka 2013-07-23 15:34:31 UTC
Thanks Peter

(In reply to Petr Sklenar from comment #0)
> [root@masox ~]# firewall-cmd --lockdown-off
> [root@masox ~]# firewall-cmd --reload
> Error: ''

I can't reproduce this with current upstream code so I believe this has already been fixed somehow.

(In reply to Petr Sklenar from comment #1)
> With 'Lockdown=yes' in the config file, there is an issue that it stops
> showing the active zone:

Eeek, that's been a nasty bug, but I believe it's been fixed with
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=27da1893bd048643fb72b2e032bdffe27df44660

Comment 3 Fedora Update System 2013-07-30 19:14:00 UTC
firewalld-0.3.4-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/firewalld-0.3.4-1.fc19

Comment 4 Fedora Update System 2013-08-02 03:48:53 UTC
Package firewalld-0.3.4-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.4-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14046/firewalld-0.3.4-1.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-08-04 00:09:28 UTC
firewalld-0.3.4-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.