Description of problem:
Adding a new port to firewall is accepted. When Apply is clicked the UI says it failed. However, it did actually config iptables.

Version-Release number of selected component (if applicable):
rpm -qa|grep -E 'kernel|lok|fire|sel|iptab'|sort
iptables-1.3.8-5.fc8
iptables-ipv6-1.3.8-5.fc8
kernel-2.6.23.1-23.fc8
kernel-2.6.23.1-31.fc8
kernel-headers-2.6.23.1-31.fc8
libselinux-2.0.37-1.fc8
libselinux-python-2.0.37-1.fc8
selinux-policy-3.0.8-32.fc8
selinux-policy-targeted-3.0.8-32.fc8
system-config-firewall-1.0.8-1.fc8
system-config-firewall-tui-1.0.8-1.fc8

How reproducible:
Will try shortly from rawhide-2007-10-24-dvd

Steps to Reproduce:
1. s-c-f
2. other ports|add
3. user-defined 5903 tcp|ok
4. entry is added to list {by the way: even if it is a duplicate!}
5. apply|yes

Actual results:
gui dialog: configuration failed
/usr/sbin/lokkit --quiet -f --enabled --no-mdns --port=22:tcp --removemodule=nf_conntrack_ftp --removemodule=nf_conntrack_netbios_ns --port=56888:tcp --port=56888:udp --port=5901:tcp --port=5903:tcp
iptables --list shows that the new port 5903 is actually allowed.

Expected results:
iptables --list shows that the new port 5903 is actually allowed. No error dialog.

Additional info:
Occurs with other port nums and UDP ports - both actually config the firewall.
Clicking close after this occurs: There are unapplied changes do you really want to quit, yes no.
Perhaps the lokkit result is not being read properly.
Unlike bug 334851 the settings do save to the firewall config; it just looks like it hasn't. The versions mentioned there are applied on this machine {current rawhide} and it has been rebooted, without resolution.

Copy / pasting the lokkit command in a root terminal returns without error. No error if --quiet is removed.

Modified fw_gui.py to print the return status from lokkit: 256
This triggers the error message since >0

Added -v to the lokkit command:
Failed to start ip6tables.

# service ip6tables status
ip6tables: Firewall is not running.
# chkconfig --list ip6tables
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off

In fact I run with ipv6 disabled using:
/etc/modprobe.conf:
install ipv6 /bin/true

and hence if I:
service ip6tables start
Applying ip6tables firewall rules: ip6tables-restore v1.3.8: ip6tables-restore: unable to initialize table 'filter'
Error occurred at line: 3
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[FAILED]

The error is generated in /usr/sbin/lokkit [line 152 or so]:

    ip6tables.write(config)
    ip6t_status = ip6tables.restart()
    if config.verbose and ip6t_status != 0:
        print _("Failed to start %s.") % "ip6tables"

In this case ip6t_status=1

So: it would be nice to detect whether ipv4 or ipv6 kernel module is actually loaded before erroring that the firewall config couldn't be applied at all. I guess it would be nice {for tech user} to see ip6table could not be loaded because ip6 has been disabled, but that might be too much information for average user?

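An added example, not part of the original report and not system-config-firewall's own code or its eventual fix: one way to implement the check suggested in the comment above, so that an ip6tables failure only counts as a failed apply when the kernel IPv6 stack is actually active. It assumes the 256 printed from fw_gui.py is a raw wait status of the kind os.system() returns, and uses the presence of /proc/net/if_inet6 as the IPv6 indicator; the function names are hypothetical.

```python
import os

IF_INET6 = "/proc/net/if_inet6"  # assumption: used here as the "IPv6 is active" marker


def ipv6_available(proc_path=IF_INET6):
    """True when the kernel IPv6 stack is loaded and enabled."""
    return os.path.exists(proc_path)


def decode_status(wait_status):
    """Convert a raw wait status (os.system() style) to an exit code."""
    if os.WIFEXITED(wait_status):
        return os.WEXITSTATUS(wait_status)
    return -os.WTERMSIG(wait_status)  # killed by a signal


def apply_result(ip4_status, ip6_status, have_ipv6):
    """Decide whether applying the firewall config succeeded.

    An ip6tables failure is fatal only while IPv6 is active: in that case
    IPv6 traffic would otherwise be left unfiltered without the user knowing.
    """
    ok, messages = True, []
    if ip4_status != 0:
        ok = False
        messages.append("Failed to start iptables.")
    if ip6_status != 0:
        if have_ipv6:
            ok = False
            messages.append("Failed to start ip6tables.")
        else:
            messages.append("IPv6 is not loaded; ip6tables rules were skipped.")
    return ok, messages


if __name__ == "__main__":
    # Constructed values matching the report: lokkit status 256, ip6t_status 1.
    print("lokkit exit code:", decode_status(256))
    print(apply_result(0, 1, ipv6_available()))
```
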
oops: read the resolution items, and left the resolve bug item selected. doh.
Fixed in rawhide and F-8 in packages: system-config-firewall-1.0.9-1 iptables-1.3.8-6
system-config-firewall-1.0.9-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update system-config-firewall'
Fixed in rawhide and F-8 in packages system-config-firewall-1.0.9-1 and iptables-1.3.8-6.