Description of problem:
The whole point of firewalld is to allow multiple processes to coordinate their modifications to iptables. If I run the following command twice, the second time it fails:

[stef@stef-rawhide ~]$ firewall-cmd --service=mdns --add
[stef@stef-rawhide ~]$ firewall-cmd --service=mdns --add
Error: ALREADY_ENABLED
[stef@stef-rawhide ~]$ echo $?
255

This means I cannot use the firewall-cmd from a systemd service file or scripting language without masking all failures by doing:

firewall-cmd --service=mdns --add || true

IMO, ALREADY_ENABLED should not be an error. In addition, if callers have to --query before --add then this is racy.

Version-Release number of selected component (if applicable):
Installed Packages
Name    : firewalld
Arch    : noarch
Version : 0.2.5
Release : 2.fc18
Size    : 522 k

How reproducible:
Every time.

Steps to Reproduce:
1. See above.

Actual results:
Failure.

Expected results:
Success.
Oh, and ditto for --remove:

[stef@stef-rawhide ~]$ firewall-cmd --service=mdns --remove
[stef@stef-rawhide ~]$ firewall-cmd --service=mdns --remove
Error: NOT_ENABLED
[stef@stef-rawhide ~]$ echo $?
254
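The reporter's two options above are to mask every failure with `|| true` or to `--query` first, which is racy. A third option for scripts and unit files is a wrapper that treats only the "already in the desired state" outcomes as success and propagates every other failure. The following is an added example, not code from the firewalld project or from anyone in this thread; it assumes a `FIREWALL_CMD` environment variable as an override hook (not a firewalld feature) so the wrapper can be exercised against a stub, and it matches on the ALREADY_ENABLED / NOT_ENABLED strings rather than on the numeric exit status, since the status values shown in this thread differ between releases.

```shell
#!/bin/sh
# Idempotent wrapper around firewall-cmd for use from scripts and unit files.
# ALREADY_ENABLED and NOT_ENABLED mean the firewall is already in the state
# we asked for, so they are reported as a warning and treated as success.
# Any other non-zero status is passed through unchanged, so real problems
# (bad port spec, daemon not running, D-Bus failure) still fail the script.
#
# FIREWALL_CMD is an assumed override hook (not part of firewalld) used only
# so the wrapper can be tested against a stub binary.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

fw_idempotent() {
    rc=0
    # Capture both streams: older firewall-cmd versions print the error on stdout.
    out=$("$FIREWALL_CMD" "$@" 2>&1) || rc=$?
    if [ "$rc" -ne 0 ]; then
        case "$out" in
            *ALREADY_ENABLED*|*NOT_ENABLED*)
                # Desired state already reached: downgrade to a warning on stderr.
                printf 'warning: firewall-cmd %s: %s\n' "$*" "$out" >&2
                return 0 ;;
        esac
        # Genuine failure: keep the original message and exit status.
        printf '%s\n' "$out" >&2
        return "$rc"
    fi
    [ -n "$out" ] && printf '%s\n' "$out"
    return 0
}

# Example usage (runs against the real firewall-cmd when invoked directly):
# fw_idempotent --add-port=123/udp
# fw_idempotent --service=mdns --remove
```

Because the wrapper never queries before acting, two callers racing to add the same service both end up with exit status 0 and a correct firewall: whichever loses the race gets ALREADY_ENABLED, which is exactly the outcome it wanted.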
Created attachment 621016 [details] patch I actually tend to agree with Stef that re-adding and re-removing of services/ports etc. shouldn't be considered as error. Thomas, can you check the attached patch ? With the patch the ALREADY_ENABLED and NOT_ENABLED errors are not sent over D-Bus to whoever tries to re-add or re-remove a service/port etc. They are now used for internal indication only. Or if you don't like the patch we can simply change firewall-cmd to ignore these errors, like: diff --git a/src/firewall-cmd b/src/firewall-cmd @@ -573,7 +573,11 @@ except dbus.DBusException as e: code = UNKNOWN_ERROR print("Error: %s" % e) else: - print("Error: %s" % e.message) + if code == ALREADY_ENABLED or code == NOT_ENABLED: + print("Warning: %s" % e.message) + sys.exit(0) + else: + print("Error: %s" % e.message) sys.exit(code)
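Review bot: in the new branch the warning is written with `print("Warning: %s" % e.message)`, i.e. to stdout, the same stream a successful invocation uses; a script that captures firewall-cmd's stdout will now see a "Warning: ..." line where it expects a result. Send it to stderr instead (`sys.stderr.write("Warning: %s\n" % e.message)`). The comparison `code == ALREADY_ENABLED or code == NOT_ENABLED` also depends on those two names being in scope in firewall-cmd, which the hunk does not show; confirm they are imported. Finally, as the comment itself notes, this only changes the CLI client: any other D-Bus caller still receives the error, so the attached server-side patch is the more complete fix.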
Created attachment 621020 [details] the same should apply to re-adding / re-removing interface to/from zone
Fixed in GIT: http://git.fedorahosted.org/cgit/firewalld.git/commit/?id=c7748d4a6becda325bd4986cb0315d43ed28f73e
Did this somehow come back?

# /usr/bin/firewall-cmd --add-port=123/udp
Error: ALREADY_ENABLED: '123:udp' already in 'public'
# echo $?
11
# rpm -q firewalld
firewalld-0.4.3.2-3.el7.noarch
Doesn't seem to happen on RHEL 7.2:

# /usr/bin/firewall-cmd --add-port=123/udp
success
# /usr/bin/firewall-cmd --add-port=123/udp
Warning: ALREADY_ENABLED
# rpm -q firewalld
firewalld-0.3.9-14.el7.noarch