Bug 1551078
| Summary: | "firewall-cmd --add-interface" is adding an interface permanently to a zone even if "--permanent" is not mentioned | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Venkatesh Kavtikwar <vkavtikw> |
| Component: | firewalld | Assignee: | Eric Garver <egarver> |
| Status: | CLOSED ERRATA | QA Contact: | Jiri Peska <jpeska> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.4 | CC: | ajohn, jmaxwell, jpeska, sababu, todoleza, vkavtikw |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | firewalld-0.6.3-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-06 12:03:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1637204 | | |
| Bug Blocks: | 1654714 | | |
Description
Venkatesh Kavtikwar
2018-03-02 17:10:41 UTC
firewalld deliberately retains some information during a --reload. Examples: interface to zone assignment, direct rules.
I believe this is done for use cases such as libvirt, which will create temporary interfaces and direct rules depending on VM utilization. Otherwise reloading the firewall would remove those VM interfaces from zones, potentially dropping all traffic to the VM.
Perhaps this just needs a documentation update. What do you think?
--->8---
    # Excerpt from firewalld's reload(): runtime state that is captured here
    # is restored once the permanent configuration has been re-read.
    def reload(self, stop=False):
        _panic = self._panic

        # save zone interfaces
        _zone_interfaces = { }
        for zone in self.zone.get_zones():
            _zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"]
        # save direct config
        _direct_config = self.direct.get_runtime_config()
        _old_dz = self.get_default_zone()
        # (excerpt cut here)
Hello Eric,

Thanks for your reply, but I am not able to parse it completely. Could you please help me understand more why that is?

My concern here is that when we add an interface against a zone without enabling the "--permanent" flag, the interface stays with that zone even after a firewall reload or system reboot.

(In reply to Sangam from comment #3)
> Hello Eric,
>
> Thanks for your reply, but I am not able to parse it completely. Could you
> please help me understand more why that is?

Some things that use firewalld expect and depend upon this behavior. Virtual machines are one example.

> My concern here is that when we add an interface against a zone without
> enabling the "--permanent" flag, the interface stays with that zone even after
> a firewall reload or system reboot.

It will stay after a --reload, but not after a reboot or `systemctl restart firewalld`.

fixed upstream:
d74304e2ff61 ("firewall-cmd: For non-permanent interface changes don't involve NM")
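An added example (not from the bug report and not firewalld's own code) that lists the bindings discussed above: interfaces attached to a zone only in the runtime configuration, which survive `firewall-cmd --reload` but are dropped by a restart or reboot. It parses the standard `firewall-cmd --get-active-zones` and `--permanent --list-interfaces` output; `live_report` is the only part that needs firewall-cmd installed, the rest works on captured output.

```shell
#!/bin/bash
# Added example, not code from the bug report or from firewalld itself.
# Finds interface-to-zone bindings that exist only at runtime: reload()
# saves and restores them, a restart of firewalld does not.

# parse_active_zones: read `firewall-cmd --get-active-zones` output on stdin
# (a zone name line followed by "  interfaces: eth0 eth1") and print sorted
# "zone iface" lines. Lines such as "  sources: ..." are ignored.
parse_active_zones() {
  awk '/^[^ \t]/ { zone = $1 }
       /^[ \t]+interfaces:/ { for (i = 2; i <= NF; i++) print zone, $i }' |
    sort
}

# permanent_bindings: zone names on stdin, one per line; print sorted
# "zone iface" lines taken from the permanent configuration.
permanent_bindings() {
  while read -r zone; do
    for iface in $(firewall-cmd --permanent --zone="$zone" --list-interfaces 2>/dev/null); do
      printf '%s %s\n' "$zone" "$iface"
    done
  done | sort
}

# runtime_only: bindings in file $1 (runtime) that are absent from file $2
# (permanent). Both files must be sorted, as the helpers above guarantee.
runtime_only() {
  comm -23 "$1" "$2"
}

# live_report: wire everything together on a host that has firewall-cmd.
live_report() {
  command -v firewall-cmd >/dev/null || { echo "firewall-cmd not found" >&2; return 1; }
  local rt pm
  rt=$(mktemp); pm=$(mktemp)
  firewall-cmd --get-active-zones | parse_active_zones >"$rt"
  firewall-cmd --permanent --get-zones | tr ' ' '\n' | permanent_bindings >"$pm"
  echo "Runtime-only bindings (kept on --reload, lost on restart/reboot):"
  runtime_only "$rt" "$pm"
  rm -f "$rt" "$pm"
}
```

A binding that shows up here only because NetworkManager set `connection.zone` on the connection is exactly the case the upstream fix addresses: before it, a non-permanent `--add-interface` could still be persisted through NM.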
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2024