Bug 1123890 - Firewalld should react consistently when removing chains with rules inside
Summary: Firewalld should react consistently when removing chains with rules inside
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 22
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1017034
TreeView+ depends on / blocked
 
Reported: 2014-07-28 14:50 UTC by Jakub Jelen
Modified: 2016-02-21 16:30 UTC (History)
2 users (show)

Fixed In Version: firewalld-0.4.0-2.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-21 16:30:51 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Jakub Jelen 2014-07-28 14:50:38 UTC 
Description of problem:
Using D-Bus API, Firewalld reacts differently to command removeChain when working with ip(6) tables and eb tables.

Version-Release number of selected component (if applicable):
git upstream 

How reproducible:
deterministic

Steps to Reproduce:
1. addChain
2. addRule to above created chain
3. removeChain

Actual results:
For eb tables: PASS
For ip/ip6 tables: FAIL
> COMMAND_FAILED: '/sbin/ip6tables -t filter -X INPUT_my_chain' failed: ip6tables: Directory not empty.


Expected results:
I expect this behavior to be consistent:

1) for ip(6) tables firewalld should remove containing rules and succeed.
 or
2) for eb tables firewalld should fail and tell user that there are rules and you should call removeRules before.

I'd be for the first option, because it is more "friendly", until you remove something important ...

This should also be mentioned in documentation, how removeChain treats containing rules.
Comment 1 Jiri Popelka 2014-07-28 17:38:16 UTC 
(In reply to Jakub Jelen from comment #0)
> Actual results:
> For eb tables: PASS
> For ip/ip6 tables: FAIL
> > COMMAND_FAILED: '/sbin/ip6tables -t filter -X INPUT_my_chain' failed: ip6tables: Directory not empty.

ebtables (the tool) allows to remove non-empty chain while ip(6)tables do not.

> Expected results:
> 1) for ip(6) tables firewalld should remove containing rules and succeed.
>  or
> 2) for eb tables firewalld should fail and tell user that there are rules
> and you should call removeRules before.
> 
> I'd be for the first option, because it is more "friendly", until you remove
> something important ...

I incline to (2), i.e. fail in both cases the same way the underlying ip(6)tables tools do.

Thomas ?
Comment 2 Thomas Woerner 2014-08-21 11:45:15 UTC 
firewalld could remove own added rules in the ip*tables case. But it does not know about rules that are created maybe by the user/admin in a chain. In this case firewalld would not be able to remove the chain.

I am not sure how to fix this. The issue here is that ebtables is based on very old iptables code and has not been fixed/developed in the same way as iptables.

Removing non empty chains in ebtables in the current way should be fixed in my opinion. But this might lead into issues with current users of ebtables.
Comment 3 Jakub Jelen 2014-08-21 12:14:14 UTC 
I think that removal of OWN rules would be enough to fulfil the world "friendly" and "consistent". This would cover all the problems connected with using ONLY firewalld.
When someone starts using firewalld and direct ip*tables, he should count with some problems especially when he is trying to touch something made in the other tool.

Even that it is complicated, firewalld can still list all the rules in chain and remove them one by one even if it was not added by firewalld, but this is not much elegant.


But there is still the second possibility: When working with ebtables through firewalld, enforce same behaviour as ip*tables - if we have some rules known to Firewalld in chain, do not allow to remove it. This is also partly valid solution, because user can make some changes. This can be the first step on the way to push these things into ebtables.
Comment 4 Jaroslav Reznik 2015-03-03 17:03:16 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Comment 5 Fedora Update System 2016-02-04 15:41:21 UTC 
firewalld-0.4.0-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7
Comment 6 Fedora Update System 2016-02-05 01:23:43 UTC 
firewalld-0.4.0-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7
Comment 7 Fedora Update System 2016-02-08 13:29:11 UTC 
firewalld-0.4.0-2.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7
Comment 8 Fedora Update System 2016-02-09 22:27:53 UTC 
firewalld-0.4.0-2.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fc0691e6a7
Comment 9 Fedora Update System 2016-02-21 16:30:22 UTC 
firewalld-0.4.0-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.