Description of problem:

In Fedora 18 I see many empty chains or collections of empty chains in output of iptables -L.

firewalld could create all necessary chains and super-chains just in case that particular zone/chain is used. This will make iptables output easier to read/track.

Example of empty chains and chains containing empty chains only:

Chain FORWARD_ZONES (1 references)
target     prot opt source               destination
FWDO_ZONE_public  all  --  anywhere             anywhere
FWDI_ZONE_public  all  --  anywhere             anywhere

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_ZONE_public (1 references)
target     prot opt source               destination
FWDI_ZONE_public_deny  all  --  anywhere             anywhere
FWDI_ZONE_public_allow  all  --  anywhere             anywhere

Chain FWDI_ZONE_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_ZONE_public_deny (1 references)
target     prot opt source               destination
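An added example, not part of the original report or of firewalld: a small Python parser for `iptables -L` output that lists chains that are empty or that only jump to empty chains, which is the condition the report describes. The function names are hypothetical, and the sample text is the excerpt quoted above with constructed column spacing.

```python
import re

# Constructed sample: the chains quoted in the report (spacing is illustrative).
SAMPLE = """\
Chain FORWARD_ZONES (1 references)
target     prot opt source               destination
FWDO_ZONE_public  all  --  anywhere             anywhere
FWDI_ZONE_public  all  --  anywhere             anywhere

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_ZONE_public (1 references)
target     prot opt source               destination
FWDI_ZONE_public_deny  all  --  anywhere             anywhere
FWDI_ZONE_public_allow  all  --  anywhere             anywhere

Chain FWDI_ZONE_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_ZONE_public_deny (1 references)
target     prot opt source               destination
"""
CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_chains(text):
    """Map each chain name to the list of targets of its rules."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
        elif current is not None and line.strip() \
                and line.split()[:2] != ["target", "prot"]:  # skip column header
            current.append(line.split()[0])
    return chains

def effectively_empty(chains):
    """Chains with no rules, or whose rules all jump to such chains."""
    empty = {name for name, targets in chains.items() if not targets}
    changed = True
    while changed:  # iterate to a fixpoint so nested empty chains are caught
        changed = False
        for name, targets in chains.items():
            # Targets such as ACCEPT/DROP or undefined chains are never in
            # `empty`, so a chain containing them is kept (conservative).
            if name not in empty and all(t in empty for t in targets):
                empty.add(name)
                changed = True
    return empty
```

On the excerpt, FORWARD_ZONES is not reported because FWDO_ZONE_public is not defined in the quoted output; run against a full `iptables -L` listing to resolve every referenced chain.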
Without creating the chains and rules for unused zones, it would take some time to add an interface to a zone that has been unused before.
... which does not happen so often - in most cases only once per boot or when user changes the zone of interface. I had already been thinking about it before Marian filed the request, but haven't had time yet to investigate it more.
Should be AFAICT fixed upstream with https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=1236770365336e2cffe01035910fe50bc311bd85
firewalld-0.3.9-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/firewalld-0.3.9-1.fc20
firewalld-0.3.9-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/firewalld-0.3.9-1.fc19
Package firewalld-0.3.9-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.9-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-0738/firewalld-0.3.9-1.fc20
then log in and leave karma (feedback).
firewalld-0.3.9-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
firewalld-0.3.9.3-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.