Bug 1125851 - Zone x Sources conflicts are handled differently than mentioned in documentation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1017034
Reported: 2014-08-01 09:06 UTC by Jakub Jelen
Modified: 2014-09-13 06:52 UTC (History)

Fixed In Version: firewalld-0.3.11-3.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-13 06:52:17 UTC



Description Jakub Jelen 2014-08-01 09:06:16 UTC
Description of problem:
According to the documentation (both the D-Bus API and the man page), an empty zone parameter should result in selection of the DEFAULT zone. But there is a difference when removing sources. Example:
> [root@localhost firewalld]# firewall-cmd --get-default-zone
> public
> [root@localhost firewalld]# firewall-cmd --zone="home" --add-source="192.168.0.1"
> success
> [root@localhost firewalld]# firewall-cmd --zone="" --remove-source="192.168.0.1"
> success
> [root@localhost firewalld]# firewall-cmd --zone="home" --add-source="192.168.0.1"
> success
> [root@localhost firewalld]# firewall-cmd --zone="public" --remove-source="192.168.0.1"
> Error: ZONE_CONFLICT

According to the documentation, both cases should have the same result, but they don't.
When I remove a source with an empty zone, the correct zone, the one which contains this source, is selected and not the default zone.

This doesn't apply to other methods in the zone interface, because they can be added to every zone without restriction, but a source is unique and is handled differently.

Version-Release number of selected component (if applicable):
firewalld-0.3.10-4.fc21.noarch

How reproducible:
deterministic
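
A guard for scripts that remove source bindings, given the behaviour reported above: it refuses an empty zone and checks the owning zone with `firewall-cmd --get-zone-of-source` before removing. This is an added example, not part of the original report or of firewalld; `FWCMD`, `owning_zone` and `remove_source_checked` are hypothetical names.

```shell
# Added example: guard around "firewall-cmd --remove-source".
# FWCMD is a hypothetical override so the logic can be exercised without a
# running firewalld; it defaults to the real firewall-cmd.
FWCMD="${FWCMD:-firewall-cmd}"

# owning_zone SOURCE -> prints the zone SOURCE is bound to, returns 1 if none.
# Either a non-zero exit or the text "no zone" is treated as unbound.
owning_zone() {
    zone=$($FWCMD --get-zone-of-source="$1" 2>/dev/null) || return 1
    [ -n "$zone" ] && [ "$zone" != "no zone" ] || return 1
    printf '%s\n' "$zone"
}

# remove_source_checked EXPECTED_ZONE SOURCE
# Returns: 0 removed, 2 empty zone refused, 3 source unbound,
#          4 source bound to a different zone (nothing is changed).
remove_source_checked() {
    expected=$1
    src=$2
    if [ -z "$expected" ]; then
        echo "refusing empty zone: it resolves to the owning zone, not the default" >&2
        return 2
    fi
    if ! actual=$(owning_zone "$src"); then
        echo "$src is not bound to any zone" >&2
        return 3
    fi
    if [ "$actual" != "$expected" ]; then
        echo "$src is bound to '$actual', not '$expected'" >&2
        return 4
    fi
    $FWCMD --zone="$expected" --remove-source="$src" >/dev/null
}
```

Called as `remove_source_checked home 192.168.0.1`, it removes the binding only when the source really is in `home`, so a script cannot silently change which zone's policy applies to that address.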

Comment 1 Jiri Popelka 2014-08-01 15:20:41 UTC
This applies to --remove-interface too, and the reason is this commit:
https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=cc3101ab70a3997228be7bc9f45a069c7fccfa36

Will it be OK if I explain it in the firewall-cmd/firewalld.dbus man pages?
like:
If zone is omitted (empty), the interface is removed from zone it belongs to.

Comment 2 Jiri Popelka 2014-08-01 15:43:51 UTC
(In reply to Jiri Popelka from comment #1)
> like:
> If zone is omitted (empty), the interface is removed from zone it belongs to.

Or perhaps remove the [--zone=zone] from the man page altogether. It'll still be possible for backward compatibility, but will be undocumented, because it's not needed.
like:
[--permanent] --remove-interface=interface
    Remove binding of interface interface from zone it was previously added to.

Comment 4 Jakub Jelen 2014-08-04 05:58:52 UTC
This sounds reasonable and much less confusing than it was before.
Thank you.

Comment 5 Jakub Jelen 2014-08-04 06:18:59 UTC
But in the D-Bus interface it still looks strange, because the methods are like

> removeInterface(s: zone, s: interface) → s
> removeSource(s: zone, s: source) → s

where the first argument doesn't mean anything. But this can't simply be fixed without a change in the interface.

Comment 6 Fedora Update System 2014-08-20 17:19:35 UTC
firewalld-0.3.11-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/firewalld-0.3.11-1.fc20

Comment 7 Fedora Update System 2014-08-21 09:43:13 UTC
Package firewalld-0.3.11-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.11-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9609/firewalld-0.3.11-1.fc20
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2014-08-27 01:30:59 UTC
Package firewalld-0.3.11-2.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.11-2.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9609/firewalld-0.3.11-2.fc20
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-08-28 15:33:30 UTC
Package firewalld-0.3.11-3.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.11-3.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-9609/firewalld-0.3.11-3.fc20
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2014-09-13 06:52:17 UTC
firewalld-0.3.11-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

