Bug 979804 - Rich rules produces incorrect iptables rules
Rich rules produces incorrect iptables rules
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: firewalld (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
:
: 987523 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-30 14:26 EDT by Niki Guldbrand
Modified: 2013-08-03 20:09 EDT (History)
4 users (show)

See Also:
Fixed In Version: firewalld-0.3.4-1.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-03 20:09:07 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Niki Guldbrand 2013-06-30 14:26:30 EDT
Description of problem:
I have added these rules to my home zone for testing:

  <rule family="ipv4">
    <source address="192.168.2.0/24"/>
    <destination address="10.0.0.0/8"/>
    <protocol value="tcp"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.2.0/24"/>
    <destination address="192.168.0.0/16"/>
    <accept/>
  </rule>


Version-Release number of selected component (if applicable):
firewalld-0.3.3-2.fc19


How reproducible:
always

Steps to Reproduce:
1. Add the above rule to a zone
2. Load the zone
3. Look in the logs for the errors

Actual results:
This gives me this output in my logs:

ERROR: INVALID_RULE: destination action: rule family="ipv4" source address="192.168.2.0/24" destination address="192.168.0.0/16" accept
ERROR: '/sbin/iptables -t filter -A IN_ZONE_home_allow -s 192.168.2.0/24 -s 10.0.0.0/8 -p tcp -m conntrack --ctstate NEW -j ACCEPT' failed: iptables v1.4.18: multiple -s flags not allowed
ERROR: '/sbin/iptables -t filter -A IN_ZONE_home_allow -s 192.168.2.0/24 -s 10.0.0.0/8 -p tcp -m conntrack --ctstate NEW -j ACCEPT' failed: iptables v1.4.18: multiple -s flags not allowed
ERROR: Failed to load zone file '/etc/firewalld/zones/home.xml':
ERROR: INVALID_RULE: destination action: rule family="ipv4" source address="192.168.2.0/24" destination address="192.168.0.0/16" accept


Expected results:
No errors from iptables, and generation of the correct rules.

Additional info:
Comment 1 Thomas Woerner 2013-07-01 07:08:00 EDT
Fixed in GIT https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=cc54b7451a55b9d6f9f16a79af80d6876ff9ef8b

Will be part of the next update.
Comment 2 Thomas Woerner 2013-07-23 11:08:13 EDT
*** Bug 987523 has been marked as a duplicate of this bug. ***
Comment 3 Fedora Update System 2013-07-30 15:13:37 EDT
firewalld-0.3.4-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/firewalld-0.3.4-1.fc19
Comment 4 Fedora Update System 2013-08-01 23:48:34 EDT
Package firewalld-0.3.4-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.4-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-14046/firewalld-0.3.4-1.fc19
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2013-08-03 20:09:07 EDT
firewalld-0.3.4-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.