Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 886515 - double rules after firewalld restart
Summary: double rules after firewalld restart
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 886503 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-12-12 13:25 UTC by Aleksandar Kostadinov
Modified: 2014-09-13 18:58 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-18 20:37:40 UTC
Type: Bug

Attachments (Terms of Use)
debug log from firewalld start (40.94 KB, text/plain)
2012-12-12 14:26 UTC, Aleksandar Kostadinov 		no flags Details
this change seems to fix the problem (3.41 KB, patch)
2012-12-13 14:39 UTC, Jiri Popelka 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)

Description Aleksandar Kostadinov 2012-12-12 13:25:42 UTC 
After doing the non-permanent firewalld tests [1] I see the rules being double inserted. Please see log:


[root@localhost ~]# firewall-cmd --zone=work --add-service=samba-client
[root@localhost ~]# iptables-save | grep work
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 137 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 138 -m conntrack --ctstate NEW -j ACCEPT
[root@localhost ~]#  service firewalld restart
Redirecting to /bin/systemctl restart  firewalld.service
[root@localhost ~]# iptables-save | grep work
:IN_ZONE_work - [0:0]
:IN_ZONE_work_allow - [0:0]
:IN_ZONE_work_deny - [0:0]
-A IN_ZONE_work -j IN_ZONE_work_deny
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
Comment 1 Aleksandar Kostadinov 2012-12-12 14:26:47 UTC 
Created attachment 662389 [details]
debug log from firewalld start
Comment 2 Martin 2012-12-12 16:30:58 UTC 
I can also reproduce it with: https://fedoraproject.org/wiki/QA:Testcase_persistent_firewalld_zones
Comment 3 Lukáš Zachar 2012-12-12 16:36:22 UTC 
*** Bug 886503 has been marked as a duplicate of this bug. ***
Comment 4 Jiri Popelka 2012-12-13 14:39:04 UTC 
Created attachment 663004 [details]
this change seems to fix the problem
Comment 5 Jiri Popelka 2012-12-13 16:55:25 UTC 
Pushed
http://git.fedorahosted.org/cgit/firewalld.git/commit/?id=2152843143fe68bd29cddc1005f227544a9d5082
Comment 6 Fedora Update System 2013-01-14 16:18:16 UTC 
firewalld-0.2.12-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/firewalld-0.2.12-1.fc18
Comment 7 Fedora Update System 2013-01-15 02:27:49 UTC 
Package firewalld-0.2.12-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.2.12-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0810/firewalld-0.2.12-1.fc18
then log in and leave karma (feedback).
Comment 8 Fedora Update System 2013-01-18 20:37:42 UTC 
firewalld-0.2.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.