Bug 1296573 – xsd specification nor service daemon checks whether tags are specified more than once if they must not

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1296573 - xsd specification nor service daemon checks whether tags are specified more than once if they must not

Summary:	xsd specification nor service daemon checks whether tags are specified more t...

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	firewalld (Show other bugs)
Sub Component:
Version:	7.2
Hardware:	Unspecified Unspecified

Priority	medium Severity low
Target Milestone:	rc
Target Release:	---
Assigned To:	Thomas Woerner
QA Contact:	Tomas Dolezal
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2016-01-07 10:20 EST by Tomas Dolezal
Modified:	2016-11-03 17:02 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:	firewalld-0.4.3-1.el7
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-11-03 17:02:07 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2597	normal	SHIPPED_LIVE	Moderate: firewalld security, bug fix, and enhancement update	2016-11-03 08:11:47 EDT

Groups: None (edit)

Description Tomas Dolezal 2016-01-07 10:20:05 EST

Description of problem:
specifiying multiple destinations of same protocol (ipv4/v6) results in use only of the latest one. accordingly to documentation and firewall-config it's not possible to specify more. schema check however passes while it should not.

Version-Release number of selected component (if applicable):
firewalld-0.3.9-14.el7.noarch

How reproducible:
always

Actual results:
cat /etc/firewalld/services/amyserv.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <port protocol="tcp" port="20200-20400"/>
  <destination ipv4="10.99.99.88"/>
  <destination ipv4="10.99.99.89"/>
</service>

iptables rule:
-A IN_internal_allow -d 10.99.99.89/32 -p tcp -m tcp --dport 20200:20400 -m conntrack --ctstate NEW -j ACCEPT

firewalld]# /usr/lib/firewalld/xmlschema/check.sh 
Checking zones
  internal.xml validates
  public.xml validates
Checking services
  amyserv.xml validates
Checking icmptypes

`journalctl -b -u firewalld` also does not contain a single relevant complaint

Expected results:
journal contains complaints
schema validation fails

..for all 'use only once' tags in files

Additional info:

Comment 5 Thomas Woerner 2016-01-29 11:10:30 EST

Fixed in service daemon in these commits:

https://github.com/t-woerner/firewalld/commit/fa112ad13327c2bfb46a16c5b22941f904c5a176
https://github.com/t-woerner/firewalld/commit/b165f4e075c4c8c67c46df1851374d1318d9bb52
https://github.com/t-woerner/firewalld/commit/51a47ad6d71eeba0b5b3a1d6c8e3ce315dceb9be

Comment 6 Thomas Woerner 2016-06-22 05:31:08 EDT

Fixed upstream: https://github.com/t-woerner/firewalld/commit/74967ee84b72d9341d99a66443caccd15cbde101

Comment 10 errata-xmlrpc 2016-11-03 17:02:07 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2597.html

Note You need to log in before you can comment on or make changes to this bug.