Bug 845257 - Enabling service that's already enabled fails with ALREADY_ENABLED
Product: Fedora
Classification: Fedora
Component: firewalld
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
Blocks: 1366654 1366667 1420457
Reported: 2012-08-02 09:30 EDT by Stef Walter
Modified: 2017-02-08 12:22 EST
Fixed In Version: firewalld-0.2.9-1.fc18
Doc Type: Bug Fix
Last Closed: 2013-02-15 07:18:38 EST
Type: Bug

Attachments
patch (9.47 KB, patch)
2012-10-03 12:32 EDT, Jiri Popelka
the same should apply to re-adding / re-removing interface to/from zone (11.23 KB, patch)
2012-10-03 12:58 EDT, Jiri Popelka

Description Stef Walter 2012-08-02 09:30:02 EDT
Description of problem:

The whole point of firewalld is to allow multiple processes to coordinate their modifications to iptables.

If I run the following command twice, the second time it fails:

[stef@stef-rawhide ~]$ firewall-cmd --service=mdns --add
[stef@stef-rawhide ~]$ firewall-cmd --service=mdns --add
[stef@stef-rawhide ~]$ echo $?

This means I cannot use the firewall-cmd from a systemd service file or scripting language without masking all failures by doing:

firewall-cmd --service=mdns --add || true

IMO, ALREADY_ENABLED should not be an error. In addition if callers have to --query before --add then this is racy. 

Version-Release number of selected component (if applicable):

Installed Packages
Name        : firewalld
Arch        : noarch
Version     : 0.2.5
Release     : 2.fc18
Size        : 522 k

How reproducible:

Every time.

Steps to Reproduce:
1. See above.
Actual results:


Expected results:

Comment 1 Stef Walter 2012-08-02 09:31:06 EDT
Oh, and ditto for --remove:

[stef@stef-rawhide ~]$ firewall-cmd --service=mdns --remove
[stef@stef-rawhide ~]$ firewall-cmd --service=mdns --remove
[stef@stef-rawhide ~]$ echo $?
Comment 2 Jiri Popelka 2012-10-03 12:32:19 EDT
Created attachment 621016 [details]

I actually tend to agree with Stef that re-adding and re-removing of services/ports etc. shouldn't be considered an error.

Thomas, can you check the attached patch?
With the patch the ALREADY_ENABLED and NOT_ENABLED errors are not sent over D-Bus to whoever tries to re-add or re-remove a service/port etc.
They are now used for internal indication only.

Or if you don't like the patch we can simply change firewall-cmd to ignore these errors, like:
diff --git a/src/firewall-cmd b/src/firewall-cmd
@@ -573,7 +573,11 @@ except dbus.DBusException as e:
             code = UNKNOWN_ERROR
             print("Error: %s" % e)
-            print("Error: %s" % e.message)
+            if code == ALREADY_ENABLED or code == NOT_ENABLED:
+                print("Warning: %s" % e.message)
+                sys.exit(0)
+            else:
+                print("Error: %s" % e.message)
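Review bot: the added branch at `if code == ALREADY_ENABLED or code == NOT_ENABLED:` prints the warning with a plain print() and then calls sys.exit(0), so the warning lands on stdout and a script that captures the command's output receives it mixed in with normal output, with no exit status left to tell the cases apart. Writing the warning to sys.stderr would keep stdout clean for callers, and `code in (ALREADY_ENABLED, NOT_ENABLED)` reads more simply. Since the check lives in the firewall-cmd exception handler, only this client becomes idempotent; any other D-Bus caller still receives the exception and has to repeat the same filtering, which is worth stating in the commit message if this variant is chosen over the attached patch.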
Comment 3 Jiri Popelka 2012-10-03 12:58:41 EDT
Created attachment 621020 [details]
the same should apply to re-adding / re-removing interface to/from zone
Comment 5 Brian J. Murrell 2016-08-12 10:08:56 EDT
Did this somehow come back?

# /usr/bin/firewall-cmd --add-port=123/udp
Error: ALREADY_ENABLED: '123:udp' already in 'public'
# echo $?
# rpm -q firewalld
Comment 6 Brian J. Murrell 2016-08-12 10:10:59 EDT
Doesn't seem to happen on RHEL 7.2:

# /usr/bin/firewall-cmd --add-port=123/udp
# /usr/bin/firewall-cmd --add-port=123/udp
# rpm -q firewalld
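
The description objects to `|| true` because it hides every failure, not only the harmless one. As an added example (not from the bug report or from firewalld), this POSIX shell wrapper succeeds only on the ALREADY_ENABLED / NOT_ENABLED cases and passes every other error through. `fw_idempotent` and `demo_fw` are hypothetical names, and the `Error: CODE: ...` line format is assumed from the output quoted in comment 5.

```shell
#!/bin/sh
# Added example: treat only "state is already as requested" errors as success.
# Assumption: the command reports them with a line starting
#   Error: ALREADY_ENABLED:   or   Error: NOT_ENABLED:
# (format taken from the output quoted in comment 5).

fw_idempotent() {
    # Capture stdout and stderr together; the error line may be on either.
    if fw_out=$("$@" 2>&1); then
        fw_rc=0
    else
        fw_rc=$?
    fi

    if [ "$fw_rc" -eq 0 ]; then
        if [ -n "$fw_out" ]; then printf '%s\n' "$fw_out"; fi
        return 0
    fi

    case "$fw_out" in
        "Error: ALREADY_ENABLED:"*|"Error: NOT_ENABLED:"*)
            # Desired state already holds: warn on stderr, report success.
            printf 'Warning: %s\n' "${fw_out#Error: }" >&2
            return 0
            ;;
    esac

    # Anything else is a real failure and keeps its exit status.
    printf '%s\n' "$fw_out" >&2
    return "$fw_rc"
}

# Constructed stand-in for firewall-cmd so the example runs offline.
# Messages other than the ALREADY_ENABLED line, and all exit codes, are made up.
demo_fw() {
    case "$1" in
        ok)     return 0 ;;
        again)  echo "Error: ALREADY_ENABLED: '123:udp' already in 'public'"; return 1 ;;
        absent) echo "Error: NOT_ENABLED: (constructed message)"; return 1 ;;
        *)      echo "Error: SOME_OTHER_FAILURE: (constructed message)"; return 2 ;;
    esac
}
```

In a unit file or script the call would be `fw_idempotent firewall-cmd --add-port=123/udp`, which still fails when the daemon is unreachable or the argument is rejected.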
