Bug 886515 - double rules after firewalld restart
Summary: double rules after firewalld restart
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 18
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 886503
Depends On:
Blocks:
Reported: 2012-12-12 13:25 UTC by Aleksandar Kostadinov
Modified: 2014-09-13 18:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-18 20:37:40 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
debug log from firewalld start (40.94 KB, text/plain)
2012-12-12 14:26 UTC, Aleksandar Kostadinov
this change seems to fix the problem (3.41 KB, patch)
2012-12-13 14:39 UTC, Jiri Popelka

Description Aleksandar Kostadinov 2012-12-12 13:25:42 UTC
After doing the non-permanent firewalld tests [1] I see the rules being double inserted. Please see log:


[root@localhost ~]# firewall-cmd --zone=work --add-service=samba-client
[root@localhost ~]# iptables-save | grep work
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
[root@localhost ~]#  service firewalld restart
Redirecting to /bin/systemctl restart  firewalld.service
[root@localhost ~]# iptables-save | grep work
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
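
A check for this failure mode, added here as an example (it is not part of the bug report or of firewalld): it parses iptables-save output, counts identical rule specifications per chain and reports any rule listed more than once. The embedded dump is constructed to mirror the post-restart output above; piping live `iptables-save` output into the script works the same way.

```python
import sys
from collections import Counter

# Constructed sample in iptables-save format, mirroring the duplicated
# IN_ZONE_work_allow rules seen after the firewalld restart in this report.
SAMPLE_IPTABLES_SAVE = """\
*filter
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

def parse_rules(dump):
    """Yield (table, chain, rule_spec) for each '-A' line of an iptables-save dump."""
    table = None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # '*filter', '*nat', ... start a table
            table = line[1:]
        elif line.startswith("-A "):
            parts = line.split(None, 2)   # ['-A', chain, rest-of-rule]
            chain = parts[1]
            spec = " ".join(parts[2].split()) if len(parts) > 2 else ""
            yield (table, chain, spec)

def find_duplicate_rules(dump):
    """Return {(table, chain, rule_spec): occurrences} for rules listed more than once."""
    counts = Counter(parse_rules(dump))
    return {key: n for key, n in counts.items() if n > 1}

def surplus_rules_by_chain(dump):
    """Return {chain: number of redundant copies} so a monitor can alert per chain."""
    surplus = Counter()
    for (_table, chain, _spec), n in find_duplicate_rules(dump).items():
        surplus[chain] += n - 1
    return dict(surplus)

if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    for (table, chain, spec), n in sorted(find_duplicate_rules(dump).items()):
        print(f"{table}/{chain}: {n}x {spec}")
```

Run as `iptables-save | python3 check_dup_rules.py` on a host after a firewalld restart; an empty result means no chain carries a duplicated rule.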

Comment 1 Aleksandar Kostadinov 2012-12-12 14:26:47 UTC
Created attachment 662389 [details]
debug log from firewalld start

Comment 2 Martin 2012-12-12 16:30:58 UTC
I can also reproduce it with: https://fedoraproject.org/wiki/QA:Testcase_persistent_firewalld_zones

Comment 3 Lukáš Zachar 2012-12-12 16:36:22 UTC
*** Bug 886503 has been marked as a duplicate of this bug. ***

Comment 4 Jiri Popelka 2012-12-13 14:39:04 UTC
Created attachment 663004 [details]
this change seems to fix the problem

Comment 6 Fedora Update System 2013-01-14 16:18:16 UTC
firewalld-0.2.12-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/firewalld-0.2.12-1.fc18

Comment 7 Fedora Update System 2013-01-15 02:27:49 UTC
Package firewalld-0.2.12-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.2.12-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0810/firewalld-0.2.12-1.fc18
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-01-18 20:37:42 UTC
firewalld-0.2.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
