Bug 1460088 - firewall-cmd --permanent --zone=public --remove-interface="eth0" doesn't remove interface
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.3
Assigned To: Thomas Woerner
Reported: 2017-06-08 23:45 EDT by jnikolak
Modified: 2017-06-11 20:43 EDT (History)
Last Closed: 2017-06-11 20:16:59 EDT
Type: Bug
Description jnikolak 2017-06-08 23:45:52 EDT
Reproduced on:

firewalld-0.4.3.2-8.1.el7_3.3.noarch

1) I list all of the rules

firewall-cmd  --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 lo
  sources: 
  services: dhcpv6-client snmp ssh
  ports: 90/udp 888/udp 90/tcp 8080/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
	

2) I remove the interface lo that I added previously

[root@jnikrhel73 network-scripts]# firewall-cmd --permanent --zone=public --remove-interface="lo"
Warning: NOT_ENABLED: lo
success


3) I remove the interface eth0 that I added previously

[root@jnikrhel73 network-scripts]# firewall-cmd --permanent --zone=public --remove-interface="eth0"
Warning: NOT_ENABLED: eth0
success


4) According to the above it's not enabled, but when I reload the rules, it's still there.

[root@jnikrhel73 network-scripts]# firewall-cmd  --reload; firewall-cmd  --zone=public --list-all
success
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 lo
  sources: 
  services: dhcpv6-client snmp ssh
  ports: 90/udp 888/udp 90/tcp 8080/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 



I tried stracing the output but it appears "eth0" is not read from file.
strace  -e trace=read -o /tmp/firewalld-strace2.out firewall-cmd --zone=public --list-all


xml file shows no entry for eth0

cd /etc/firewalld/zones/
[root@jnikrhel73 zones]# ls
public.xml  work.xml  work.xml.old
[root@jnikrhel73 zones]# cat public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="snmp"/>
  <service name="ssh"/>
  <port protocol="udp" port="90"/>
  <port protocol="udp" port="888"/>
  <port protocol="tcp" port="90"/>
  <port protocol="tcp" port="8080"/>
  <masquerade/>
</zone>
Comment 2 jnikolak 2017-06-08 23:53:42 EDT
I resolved this with:

yum remove firewalld;yum install firewalld;systemctl enable firewalld;systemctl start firewalld


!1071
 firewall-cmd  --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client snmp ssh
  ports: 90/udp 888/udp 90/tcp 8080/tcp
  protocols: 
  masquerade: yes
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules:
Comment 3 Thomas Woerner 2017-06-09 11:56:26 EDT
firewalld has a runtime and a permanent configuration. Please have a look at http://www.firewalld.org/documentation/configuration/runtime-versus-permanent.html

1) firewall-cmd  --zone=public --list-all

Shows the runtime configuration of public zone.

2) firewall-cmd --permanent --zone=public --remove-interface="lo"

Tries to remove the lo interface from public zone in the permanent configuration, which might not be the same as the runtime configuration.

According to 4) the interfaces lo and eth0 are assigned only in the runtime configuration.

Please simply drop the --permanent option from the line and the command will be working as expected.

3) firewall-cmd --permanent --zone=public --remove-interface="eth0"

Is also trying to change the permanent configuration of the public zone where lo and eth0 are not assigned according to 4).

Please simply drop the --permanent option from the line and the command will be working as expected.

firewalld is trying to keep interface assignments to zones as long as they are not conflicting with the permanent configuration that gets applied to fix the most common issues if the network service is in use.
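
The runtime-versus-permanent distinction from Comment 3, as an added example that is not part of the original bug thread or of firewalld itself: it classifies a zone's interfaces by which configuration holds them and prints the removal command that matches. The function names are hypothetical and the sample lists are constructed from the output in the description; on a live host the two lists come from firewall-cmd --zone=public --list-interfaces run without and with --permanent.

```sh
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# classify_interfaces "<runtime ifaces>" "<permanent ifaces>"
# Prints "<iface> <state>" per interface; state is both, runtime-only
# or permanent-only.
classify_interfaces() (
    set -f                      # no globbing while word-splitting the lists
    runtime="$1"; permanent="$2"
    for iface in $runtime; do
        case " $permanent " in
            *" $iface "*) echo "$iface both" ;;
            *)            echo "$iface runtime-only" ;;
        esac
    done
    for iface in $permanent; do
        case " $runtime " in
            *" $iface "*) ;;    # already reported as "both"
            *)            echo "$iface permanent-only" ;;
        esac
    done
)

# removal_commands <zone> <iface> <state>
# Prints the firewall-cmd call(s) that actually remove the assignment.
removal_commands() (
    rt="firewall-cmd --zone=$1 --remove-interface=$2"
    pm="firewall-cmd --permanent --zone=$1 --remove-interface=$2"
    case "$3" in
        runtime-only)   echo "$rt" ;;
        permanent-only) echo "$pm" ;;
        both)           echo "$rt"; echo "$pm" ;;
    esac
)

# report <zone> "<runtime ifaces>" "<permanent ifaces>"
report() (
    classify_interfaces "$2" "$3" | while read -r iface state; do
        echo "# $iface: $state"
        removal_commands "$1" "$iface" "$state"
    done
)

# Constructed sample matching the report: eth0 and lo appear in the runtime
# view, while public.xml (permanent) lists no interfaces.
report public "eth0 lo" ""
```

For the reported state both interfaces come out as runtime-only, which is why the --permanent removal answered NOT_ENABLED.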
Comment 4 jnikolak 2017-06-11 20:16:59 EDT
thx, that was the issue, closing bugzilla as NOTABUG.
Comment 5 jnikolak 2017-06-11 20:43:01 EDT
Solution Created:
--> https://access.redhat.com/solutions/3076981
