Description of problem: Using D-Bus API, Firewalld reacts differently to command removeChain when working with ip(6) tables and eb tables. Version-Release number of selected component (if applicable): git upstream How reproducible: deterministic Steps to Reproduce: 1. addChain 2. addRule to above created chain 3. removeChain Actual results: For eb tables: PASS For ip/ip6 tables: FAIL > COMMAND_FAILED: '/sbin/ip6tables -t filter -X INPUT_my_chain' failed: ip6tables: Directory not empty. Expected results: I expect this behavior to be consistent: 1) for ip(6) tables firewalld should remove containing rules and succeed. or 2) for eb tables firewalld should fail and tell user that there are rules and you should call removeRules before. I'd be for the first option, because it is more "friendly", until you remove something important ... This should also be mentioned in documentation, how removeChain treats containing rules.
(In reply to Jakub Jelen from comment #0) > Actual results: > For eb tables: PASS > For ip/ip6 tables: FAIL > > COMMAND_FAILED: '/sbin/ip6tables -t filter -X INPUT_my_chain' failed: ip6tables: Directory not empty. ebtables (the tool) allows to remove non-empty chain while ip(6)tables do not. > Expected results: > 1) for ip(6) tables firewalld should remove containing rules and succeed. > or > 2) for eb tables firewalld should fail and tell user that there are rules > and you should call removeRules before. > > I'd be for the first option, because it is more "friendly", until you remove > something important ... I incline to (2), i.e. fail in both cases the same way the underlying ip(6)tables tools do. Thomas ?
firewalld could remove own added rules in the ip*tables case. But it does not know about rules that are created maybe by the user/admin in a chain. In this case firewalld would not be able to remove the chain. I am not sure how to fix this. The issue here is that ebtables is based on very old iptables code and has not been fixed/developed in the same way as iptables. Removing non empty chains in ebtables in the current way should be fixed in my opinion. But this might lead into issues with current users of ebtables.
I think that removal of OWN rules would be enough to fulfil the world "friendly" and "consistent". This would cover all the problems connected with using ONLY firewalld. When someone starts using firewalld and direct ip*tables, he should count with some problems especially when he is trying to touch something made in the other tool. Even that it is complicated, firewalld can still list all the rules in chain and remove them one by one even if it was not added by firewalld, but this is not much elegant. But there is still the second possibility: When working with ebtables through firewalld, enforce same behaviour as ip*tables - if we have some rules known to Firewalld in chain, do not allow to remove it. This is also partly valid solution, because user can make some changes. This can be the first step on the way to push these things into ebtables.
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
firewalld-0.4.0-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7
firewalld-0.4.0-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7
firewalld-0.4.0-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7
firewalld-0.4.0-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7
firewalld-0.4.0-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.