Bug 355561 - RFE: s-c-f: don't give configuration failed in lokkit if ipv6 is disabled
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: system-config-firewall
Version: rawhide
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2007-10-27 21:36 EDT by David Timms
Modified: 2007-11-30 17:12 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-11-06 05:56:36 EST
Description David Timms 2007-10-27 21:36:56 EDT
Description of problem:
Adding a new port to firewall is accepted. When Apply is clicked the UI says it
failed. However, it did actually config iptables.

Version-Release number of selected component (if applicable):
rpm -qa|grep -E 'kernel|lok|fire|sel|iptab'|sort
iptables-1.3.8-5.fc8
iptables-ipv6-1.3.8-5.fc8
kernel-2.6.23.1-23.fc8
kernel-2.6.23.1-31.fc8
kernel-headers-2.6.23.1-31.fc8
libselinux-2.0.37-1.fc8
libselinux-python-2.0.37-1.fc8
selinux-policy-3.0.8-32.fc8
selinux-policy-targeted-3.0.8-32.fc8
system-config-firewall-1.0.8-1.fc8
system-config-firewall-tui-1.0.8-1.fc8

How reproducible:
Will try shortly from rawhide-2007-10-24-dvd

Steps to Reproduce:
1. s-c-f
2. other ports|add
3. user-defined 5903 tcp|ok
4. entry is added to list {by the way: even if it is a duplicate!}
5. apply|yes
 
Actual results:
gui dialog: configuration failed
/usr/sbin/lokkit --quiet -f --enabled --no-mdns --port=22:tcp
--removemodule=nf_conntrack_ftp --removemodule=nf_conntrack_netbios_ns
--port=56888:tcp --port=56888:udp --port=5901:tcp --port=5903:tcp

iptables --list shows that the new port 5903 is actually allowed.

Expected results:
iptables --list shows that the new port 5903 is actually allowed.
No error dialog.

Additional info:
Occurs with other port nums and UDP ports - both actually config the firewall.

Clicking close after this occurs:
  There are unapplied changes do you really want to quit, yes no.

Perhaps the lokkit result is not being read properly.

Unlike bug 334851 the settings do save to the firewall config; it just looks
like it hasn't. The versions mentioned there are applied on this machine
{current rawhide} and it has been rebooted, without resolution.
Comment 1 David Timms 2007-10-28 00:11:21 EDT
Copy / pasting the lokkit command in a root terminal returns without error. No
error if --quiet is removed.

Modified fw_gui.py to print the return status from lokkit: 256
  This triggers the error message since >0

Added -v to the lokkit command: 
Failed to start ip6tables.

# service ip6tables status
ip6tables: Firewall is not running.

# chkconfig --list ip6tables
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off

In fact I run with ipv6 disabled using: /etc/modprobe.conf:
install ipv6 /bin/true

and hence if I: service ip6tables start
Applying ip6tables firewall rules: ip6tables-restore v1.3.8: ip6tables-restore:
unable to initialize table 'filter'

Error occurred at line: 3
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
                                                           [FAILED]
The error is generated in /usr/sbin/lokkit [line 152 or so]:
        ip6tables.write(config)
        ip6t_status = ip6tables.restart()
        if config.verbose and ip6t_status != 0:
            print _("Failed to start %s.") % "ip6tables"

In this case ip6t_status=1

So: it would be nice to detect whether ipv4 or ipv6 kernel module is actually
loaded before erroring that the firewall config couldn't be applied at all.

I guess it would be nice {for tech user} to see ip6table could not be loaded
because ip6 has been disabled, but that might be too much information for
average user ?
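
The check requested in comment 1, sketched as an added example (it is not the lokkit source and not the fix shipped in system-config-firewall-1.0.9-1). All function names are hypothetical; it assumes the status 256 seen in fw_gui.py is an os.system()-style wait status and that /proc/net/if_inet6 exists only while the IPv6 stack is loaded. An ip6tables failure is suppressed only when IPv6 is absent, so a host with IPv6 up and no ip6tables rules is still reported.

```python
import os
import re

# Constructed sample of /etc/modprobe.conf with IPv6 stubbed out as in comment 1.
SAMPLE_MODPROBE_CONF = """\
alias eth0 e1000
# IPv6 disabled
install ipv6 /bin/true
"""

_DISABLE_RE = re.compile(r"^\s*install\s+ipv6\s+/bin/(?:true|false)\s*$")

def ipv6_disabled_in_modprobe(conf_text):
    """True if the modprobe configuration text replaces the ipv6 module load."""
    return any(_DISABLE_RE.match(line) for line in conf_text.splitlines())

def ipv6_available(proc_path="/proc/net/if_inet6"):
    """Assumption: the kernel exposes this file only when IPv6 is present."""
    return os.path.exists(proc_path)

def exit_code(wait_status):
    """Decode a wait status: exit code in the high byte, signal in the low 7 bits."""
    if wait_status & 0x7F:
        return -(wait_status & 0x7F)   # killed by a signal
    return (wait_status >> 8) & 0xFF

def overall_status(ip4_status, ip6_status, have_ipv6):
    """Combine the two restart results into (exit_code, notes).

    A failed ip6tables start counts as an error only when the IPv6 stack is
    present, because in that case IPv6 traffic would be left unfiltered.
    """
    code, notes = 0, []
    if ip4_status != 0:
        code = 1
        notes.append("Failed to start iptables.")
    if ip6_status != 0 and have_ipv6:
        code = 1
        notes.append("Failed to start ip6tables.")
    elif ip6_status != 0:
        notes.append("ip6tables not started: IPv6 is disabled.")
    return code, notes
```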
Comment 2 David Timms 2007-10-28 00:15:50 EDT
oops: read the resolution items, and left the resolve bug item selected. doh.
Comment 3 Thomas Woerner 2007-11-06 05:56:36 EST
Fixed in rawhide and F-8 in packages:

system-config-firewall-1.0.9-1
iptables-1.3.8-6
Comment 4 Fedora Update System 2007-11-08 01:03:09 EST
system-config-firewall-1.0.9-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update system-config-firewall'
Comment 5 Thomas Woerner 2007-11-08 07:06:28 EST
Fixed in rawhide and F-8 in packages system-config-firewall-1.0.9-1 and
iptables-1.3.8-6.
