Bug 1715977 - firewall throw error: "'Rich_Destination' is not iterable" when services and destination address is provided rich rule.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: firewalld
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Eric Garver
QA Contact: Jiri Peska
URL:
Whiteboard:
Depends On:
Blocks: 1729097
Reported: 2019-05-31 20:37 UTC by Akhil John
Modified: 2019-11-05 22:31 UTC

Fixed In Version: firewalld-0.7.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1729097 (view as bug list)
Environment:
Last Closed: 2019-11-05 22:31:34 UTC
Type: Bug
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2019:3635 None None None 2019-11-05 22:31:49 UTC
Red Hat Bugzilla 1729097 None VERIFIED firewall throw error: "'Rich_Destination' is not iterable" when services and destination address is provided rich rule. 2019-11-08 16:35:56 UTC

Description Akhil John 2019-05-31 20:37:09 UTC
Description of problem:
A firewalld complete reload throws an error: "'Rich_Destination' is not iterable" when a service and a destination address are provided in a rich rule.

Version-Release number of selected component (if applicable):
firewalld-0.6.3-7.el8.noarch

How reproducible:
Always

Steps to Reproduce:

1) Create a rich rule in zone with destination and service provided:
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <rule family="ipv4">
    <source address="192.168.122.170/32"/>
    <destination address="192.168.122.235/32"/>
    <service name="ssh"/>
    <accept/>
  </rule>

</zone>


2) Now perform complete reload.



Actual results:
[root@rhel8 ~]# firewall-cmd --complete-reload
Error: argument of type 'Rich_Destination' is not iterable


Expected results:
[root@rhel8 ~]# firewall-cmd --complete-reload
success

Additional info:
Bugzilla which could be related: https://bugzilla.redhat.com/show_bug.cgi?id=1644432
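
An added example, not part of the bug report or of firewalld's code: a Python check that lists the rich rules in a zone file that combine a destination with a service, the pattern the report ties to the reload error on firewalld-0.6.3-7.el8. The function name and the second sample rule are assumptions; the first sample rule is taken from the reproducer above.

```python
import glob
import xml.etree.ElementTree as ET

# Constructed sample: the rich rule from the report's reproducer, plus one
# rule without a destination for contrast (the second rule is an assumption).
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.122.170/32"/>
    <destination address="192.168.122.235/32"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.122.170/32"/>
    <service name="cockpit"/>
    <accept/>
  </rule>
</zone>
"""


def find_destination_service_rules(zone_xml):
    """Return (rule_number, destination_address, service_name) for every rich
    rule that carries both a <destination> and a <service> element.
    Hypothetical helper name; accepts str or bytes."""
    root = ET.fromstring(zone_xml)
    hits = []
    for number, rule in enumerate(root.findall("rule"), start=1):
        destination = rule.find("destination")
        service = rule.find("service")
        if destination is not None and service is not None:
            hits.append((number, destination.get("address"), service.get("name")))
    return hits


if __name__ == "__main__":
    # /etc/firewalld/zones is the directory shown in the report.
    for path in sorted(glob.glob("/etc/firewalld/zones/*.xml")):
        with open(path, "rb") as handle:
            for number, dest, svc in find_destination_service_rules(handle.read()):
                print(f"{path}: rule {number}: destination={dest} service={svc}")
```

Running it on a host before a reload shows which zone files contain the reported combination, so they can be reviewed against the installed firewalld version.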

Comment 1 Eric Garver 2019-06-07 15:02:18 UTC
Fixed upstream:

  3fb02f8d6648 ("test: coverage for rhbz 1715977")
  d3bd517c7deb ("fix: rich rule destination with services")

Comment 5 leonid.fainshtein 2019-10-22 06:08:44 UTC
Any plans to backport the fix to RHEL7/CentOS7?

Comment 6 Eric Garver 2019-10-22 12:22:29 UTC
(In reply to leonid.fainshtein from comment #5)
> Any plans to backport the fix to RHEL7/CentOS7?

It will be fixed in the next RHEL-7 minor release (RHEL 7.8).

Comment 7 leonid.fainshtein 2019-10-22 12:40:49 UTC
When is v.7.8 expected? Actually, the fixed bug in firewalld is pretty serious...

Comment 8 Eric Garver 2019-10-22 13:41:54 UTC
(In reply to leonid.fainshtein from comment #7)
> When is v.7.8 expected? Actually, the fixed bug in firewalld is pretty
> serious...

See bug 1729097.

Comment 10 errata-xmlrpc 2019-11-05 22:31:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3635

