Bug 2100939 - RFE: firewall-system-role: add ability to add interface to zone by PCI device ID
Summary: RFE: firewall-system-role: add ability to add interface to zone by PCI device ID
Keywords:
Status: CLOSED ERRATA
Alias: None
Deadline: 2022-08-15
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: rhel-system-roles
Version: 8.7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.7
Assignee: Rich Megginson
QA Contact: David Jež
Gabi Fialová
URL:
Whiteboard: role:firewall
: 1850744 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-06-24 18:12 UTC by Brennan Paciorek
Modified: 2023-02-10 07:18 UTC (History)
6 users (show)

Fixed In Version: rhel-system-roles-1.20.0-1.el8
Doc Type: Enhancement
Doc Text:
.The `firewall` system role can add or remove an interface to the zone using PCI device ID Using the PCI device ID, the `firewall` system role can now assign or remove a network interface to or from a zone. Previously, if only the PCI device ID was known instead of the interface name, users had to first identify the corresponding interface name to use the `firewall` system role. With this update, the `firewall` system role can now use the PCI device ID to manage a network interface in a zone.
Clone Of:
: 2100942 (view as bug list)
Environment:
Last Closed: 2022-11-08 09:41:52 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github linux-system-roles firewall pull 89 0 None Merged Add/remove interfaces to zone using PCI device ID 2022-08-09 15:47:25 UTC
Red Hat Bugzilla 1850744 0 unspecified CLOSED RFE: firewall-system-role: add ability to add interface to zone by PCI device ID 2022-06-24 18:23:22 UTC
Red Hat Issue Tracker RHELPLAN-126263 0 None None None 2023-02-10 07:18:12 UTC
Red Hat Product Errata RHEA-2022:7568 0 None None None 2022-11-08 09:42:09 UTC

Description Brennan Paciorek 2022-06-24 18:12:23 UTC 
Need the ability to add/remove an interface by PCI device ID to a zone.
Comment 2 Rich Megginson 2022-06-24 18:19:41 UTC 
*** Bug 1850744 has been marked as a duplicate of this bug. ***
Comment 3 Brennan Paciorek 2022-06-27 18:49:47 UTC 
This feature appears to already be supported by the firewall system role. For example, the following options work in the firewall system role as it is currently:
firewall:
  - interface: 8086:15d7 # Intel Corporation Ethernet Connection PCI id
    state: enabled

If the D-bus interface supports adding by PCI device ID, then the system role should as well.

@egarver - Are we certain that this feature is not already supported by the system role? For interfaces, we only really restrict user actions with errors that the D-bus interface will raise.
Comment 4 Eric Garver 2022-06-28 15:30:07 UTC 
(In reply to Brennan Paciorek from comment #3)
> This feature appears to already be supported by the firewall system role.
> For example, the following options work in the firewall system role as it is
> currently:
> firewall:
>   - interface: 8086:15d7 # Intel Corporation Ethernet Connection PCI id
>     state: enabled
> 
> If the D-bus interface supports adding by PCI device ID, then the system
> role should as well.
> 
> @egarver - Are we certain that this feature is not already
> supported by the system role? For interfaces, we only really restrict user
> actions with errors that the D-bus interface will raise.

Yes. We're certain it is NOT supported.

The above is accepted by firewalld, but it doesn't work. The PCI ID is passed directly to firewalld which treats it like a plain interface name.
So you end up with rules like this: `iifname "8086:15d7" goto filter_IN_public`. But that should be translated by the role to a real interface name.

The NetworkManager integration is done in the UIs. See calls to nm_*() and try_set_zone_of_interface(). The role will have to do something similar.

Note: Ideally this magic would be done in the daemon. I don't know the history of why it is not. Maybe it has something to do with user privileges and polkit (authorization).
Comment 14 errata-xmlrpc 2022-11-08 09:41:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rhel-system-roles bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:7568
Note You need to log in before you can comment on or make changes to this bug.