Bug 886503 - Several duplicated rules after --zone work --permanent --add-service smtp
Summary: Several duplicated rules after --zone work --permanent --add-service smtp
Keywords:
Status: CLOSED DUPLICATE of bug 886515
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-12-12 12:57 UTC by Lukáš Zachar
Modified: 2012-12-12 16:36 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-12 16:36:22 UTC
Type: Bug
Embargoed:


Attachments
log_firewalld (183 bytes, text/plain), 2012-12-12 12:57 UTC, Lukáš Zachar
log_messages (165.11 KB, text/plain), 2012-12-12 12:58 UTC, Lukáš Zachar
changed_zone_to_work (1.47 KB, text/plain), 2012-12-12 13:02 UTC, Lukáš Zachar
log_firewald_debug (83.48 KB, text/plain), 2012-12-12 15:28 UTC, Lukáš Zachar

Description Lukáš Zachar 2012-12-12 12:57:35 UTC
Created attachment 662323 [details]
log_firewalld

Description of problem:

When I followed the steps of the firewalld test day, the output of iptables-save | grep contained several repeated rules.

For the following steps, the zone of the active interface was changed to work.

Version-Release number of selected component (if applicable):
firewalld-0.2.11-1.fc18.noarch

How reproducible:
reproduced

Steps to Reproduce:
1. firewall-cmd --zone work --permanent --add-service smtp
2. firewall-cmd --reload
3. iptables-save | grep work 
  
Actual results:
some rules are repeated - sort | uniq -d shows:
-A IN_ZONE_work_allow -d X.X.X.X/Y -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT

Expected results:
all rules are listed once, hence sort | uniq -d has empty output

Additional info:
Other duplication happened just after the change of the interface zone to work (using system settings->network->options->general) and firewall-cmd --reload.
After reverting back to the default (public) zone there were again no duplicates.

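Added example (not part of the bug report and not firewalld's own code): a small POSIX shell check that generalises the reporter's `sort | uniq -d` step. It reports every duplicated `-A` rule in an iptables-save dump together with its count, optionally restricted to chains whose name contains a given zone string. The sample ruleset below is constructed to resemble the output above; the mDNS destination 224.0.0.251/32 stands in for the reporter's X.X.X.X/Y. Duplicated ACCEPT rules do not change what traffic is allowed, but they show that a zone was applied twice and make audits of the live ruleset unreliable, so a reload should leave this check empty.

```shell
#!/bin/sh
# Added example: find iptables rules that appear more than once in an
# iptables-save dump. Not code from the bug report or from firewalld.

# Print each duplicated "-A" rule once, prefixed by how often it occurs.
# Reads iptables-save output on stdin. Optional $1 restricts the check to
# lines containing that string (e.g. a zone name such as "work").
dup_rules() {
    filter="${1:-}"
    grep '^-A ' \
        | { if [ -n "$filter" ]; then grep -- "$filter"; else cat; fi; } \
        | sort | uniq -c \
        | awk '$1 > 1 { c = $1; $1 = ""; sub(/^ /, ""); print c "\t" $0 }'
}

# Number of distinct duplicated rules; 0 means the ruleset is clean.
dup_count() {
    dup_rules "$1" | wc -l | tr -d ' '
}

# Constructed sample resembling the reporter's output: the work zone's
# mdns, ssh and ipp rules appear twice, the smtp rule once, and the
# public zone has no duplicates.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_public_allow - [0:0]
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# Demonstration on the constructed sample. On a live system the
# equivalent is:  iptables-save | dup_rules work
printf '%s\n' "$SAMPLE_RULES" | dup_rules work
```

On the sample this prints the three work-zone rules (5353, 22, 631) each with a count of 2, which is exactly the set the reporter saw from `sort | uniq -d`; `dup_count` returning 0 after `firewall-cmd --reload` is the expected state.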
Comment 1 Lukáš Zachar 2012-12-12 12:58:19 UTC
Created attachment 662324 [details]
log_messages

Comment 2 Lukáš Zachar 2012-12-12 13:02:53 UTC
Created attachment 662325 [details]
changed_zone_to_work

Whole iptables-save output after the change of interface zone to work and --reload. This was before smtp got added to that zone.

Comment 3 Lukáš Zachar 2012-12-12 15:28:21 UTC
Created attachment 662402 [details]
log_firewald_debug

Reproduced with FIREWALLD_ARGS=--debug=2 in /etc/sysconfig/firewalld.

Comment 4 Lukáš Zachar 2012-12-12 15:30:13 UTC
The produced work.xml is OK though:

# cat /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ipp-client"/>
  <service name="mdns"/>
  <service name="smtp"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>

Comment 5 Aleksandar Kostadinov 2012-12-12 15:37:07 UTC
If you remove /etc/firewalld/zones/work.xml does it remove duplication? It does for me.
It seems like a bug with built-in zones after customizations are made.

Comment 6 Lukáš Zachar 2012-12-12 15:54:18 UTC
It does. 
But without that file the configuration is not permanent, is it?

Comment 7 Lukáš Zachar 2012-12-12 16:36:22 UTC

*** This bug has been marked as a duplicate of bug 886515 ***

