Bug 1416578 - Source zones with rich rules requiring helper do not start
Summary: Source zones with rich rules requiring helper do not start
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 25
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-25 21:51 UTC by Peter "Pessoft" Kolínek
Modified: 2017-07-24 20:12 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-07-24 20:12:20 UTC
Type: Bug


Attachments (Terms of Use)

Description Peter "Pessoft" Kolínek 2017-01-25 21:51:27 UTC
Description of problem:
When there is a zone with source specified and in this zone is a service, which requires helper, firewalld creates chain for it in raw table and puts there helper's firewall rule. For example: if service samba is added to home zone, chain PRE_home_allow is created, where rule for helper netbios-ns is later added.

This however does not work, when service is added using rich rule and not using service. In this case, PRE_home_allow chain does not exist and load of the whole zone fails ( all zone rules are removed in the consequence ).

Version-Release number of selected component (if applicable):
firewalld-0.4.4.2-2.fc25.noarch

How reproducible:

Steps to Reproduce:
1.  firewall-cmd --permanent --new-zone=bugzone01
    firewall-cmd --permanent --zone=bugzone01 --add-source=10.20.30.40/32
    firewall-cmd --permanent --zone=bugzone01 --add-rich-rule='rule service name="samba" accept'
2.  systemctl restart firewalld

Actual results:
Zone bugzone01 is not applied in iptables, samba is not allowed from the source.

DEBUG2: <class 'firewall.core.ipXtables.ip4tables'>: /usr/sbin/iptables -w2 -A PRE_bugzone01_allow -t raw -p udp --dport 137 -j CT --helper netbios-ns
ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
ERROR: '/usr/sbin/iptables -w2 -A PRE_bugzone01_allow -t raw -p udp --dport 137 -j CT --helper netbios-ns' failed:

Expected results:
Necessary chains (PRE_bugzone01_allow in this case) to be created during the zone's start, so rules can be successfully added. Zone bugzone01 is applied in iptables, samba is allowed from the source.

Comment 2 Peter "Pessoft" Kolínek 2017-02-21 22:09:46 UTC
I've tested updated package firewalld-0.4.4.3-1.fc25.noarch, which includes the upstream fix. Solves the problem for me.

Thanks.


Note You need to log in before you can comment on or make changes to this bug.