firewalld complains that interface belongs to another zone when using
--runtime-to-permanent
by Markos Chandras
Hi,
I noticed the following strange behavior when configuring my firewall
$ firewall-cmd -q --permanent --zone=public --add-interface=br0
$ firewall-cmd -q --zone=public --remove-interface=br0
$ firewall-cmd -q --zone=external --add-interface=br0
$ firewall-cmd --runtime-to-permanent
Error: RT_TO_PERM_FAILED: zone 'external' :
org.fedoraproject.FirewallD1.Exception: ZONE_CONFLICT: br0
My understanding of the --runtime-to-permanent option from the manpage
is that it will simply replace the previous permanent configuration with
the runtime one so it should simply ignore the previous permanent
configuration. Am I reading the manpage wrong?
Thank you
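The ZONE_CONFLICT in the post comes from the permanent configuration still holding br0 under 'public' while the runtime binding moved to 'external'. As an added example (not code from firewalld or from the original post), the script below audits a set of permanent zone files, the `<name>.xml` documents firewalld keeps under /etc/firewalld/zones, and reports any interface or source bound in more than one zone, which is the state a practitioner wants to rule out before running --runtime-to-permanent. The two zone documents embedded in it are constructed to mirror the post's sequence; the directory path and the file-loading helper are assumptions.

```python
"""Audit firewalld permanent zone files for duplicate interface/source bindings.

Added example, not firewalld's own code. firewalld stores each permanent zone as
/etc/firewalld/zones/<name>.xml and allows an interface (or a source) to be bound
to only one zone; a second binding is what ZONE_CONFLICT reports.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from pathlib import Path

# Constructed sample: what the two permanent zone files could look like after
# `firewall-cmd --permanent --zone=public --add-interface=br0` from the post.
SAMPLE_ZONE_FILES = {
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <interface name="br0"/>
</zone>""",
    "external": """<?xml version="1.0" encoding="utf-8"?>
<zone target="default">
  <short>External</short>
  <masquerade/>
  <source address="10.0.0.0/8"/>
</zone>""",
}


def zone_bindings(zone_xml):
    """Return (interfaces, sources) bound in one zone XML document."""
    root = ET.fromstring(zone_xml)
    interfaces = {e.get("name") for e in root.findall("interface")}
    sources = set()
    for s in root.findall("source"):
        # A <source> carries one of address=, mac= or ipset=; key on whichever is set.
        for attr in ("address", "mac", "ipset"):
            if s.get(attr) is not None:
                sources.add(f"{attr}:{s.get(attr)}")
    return interfaces, sources


def find_conflicts(zone_files):
    """Map every binding claimed by more than one zone to the zones claiming it."""
    owners = defaultdict(set)
    for zone, xml_text in zone_files.items():
        interfaces, sources = zone_bindings(xml_text)
        for iface in interfaces:
            owners[("interface", iface)].add(zone)
        for src in sources:
            owners[("source", src)].add(zone)
    return {binding: zones for binding, zones in owners.items() if len(zones) > 1}


def would_conflict(zone_files, zone, iface):
    """Name the other zone that already binds `iface`, or None if `zone` may take it."""
    for other, xml_text in zone_files.items():
        if other != zone and iface in zone_bindings(xml_text)[0]:
            return other
    return None


def load_zone_dir(path="/etc/firewalld/zones"):
    """Read every <name>.xml in a zone directory (assumed layout) into a dict."""
    return {p.stem: p.read_text() for p in Path(path).glob("*.xml")}


if __name__ == "__main__":
    # Dry run on the constructed sample: external wants br0, public still owns it.
    print("conflicts in permanent config:", find_conflicts(SAMPLE_ZONE_FILES))
    print("binding br0 to external would clash with:",
          would_conflict(SAMPLE_ZONE_FILES, "external", "br0"))
```

Running it against a real /etc/firewalld/zones via `load_zone_dir()` before --runtime-to-permanent shows which permanent zone still owns the interface, so the stale permanent binding can be removed first.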
Preparation for release 0.4.0
by Thomas Woerner
Hello,
the firewalld version 0.4.0 will be released soon.
These are the highlights of the 0.4.0 release:
- Speedups by using the {ip|ip6|eb}tables restore commands.
- Source MAC support for source bindings and in rich rules.
- ipset support for source bindings and in rich rules.
- Several bug fixes and other enhancements.
- Some doc changes.
- firewall-applet has been extended to support the complete
functionality of the old gtk applet with an additional config file
/etc/firewall/applet.conf to store global defaults.
Please give it a try and report bugs you are running into.
You can clone the GIT tree from github:
https://github.com/t-woerner/firewalld.git or you can download a zip
file at https://github.com/t-woerner/firewalld.
To create a test rpm for Fedora from the (GIT) tree use the command
"./autogen.sh && make test-rpm" in the top firewalld directory.
On Fedora you will also need the latest selinux-policy update to allow
the use of the restore commands with input created by firewalld:
F-24: http://koji.fedoraproject.org/koji/buildinfo?buildID=705822
F-23: http://koji.fedoraproject.org/koji/buildinfo?buildID=705823
F-22: http://koji.fedoraproject.org/koji/buildinfo?buildID=705824
You will most likely need to update these packages: selinux-policy,
selinux-policy-devel, selinux-policy-sandbox and selinux-policy-targeted
If the use of the {ip,ip6,eb}tables-restore commands is not working for
you, then you can set IndividualCalls=yes in the firewalld.conf file in
/etc/firewalld. This is also good for debugging. The use of the -restore
commands has a downside: the locks for xtables and ebtables are not
used by the -restore commands.
Regards,
Thomas
Here is the complete list of changes:
- firewalld: Fixed 'pid_file' referenced before assignment (RHBZ#1233232)
- Fix typos in firewall-cmd helptext
- firewall-applet: Fix Ok button sensitivity in dialogs
- firewall-applet: Fix blink, blink-count and show-inactive settings
- firewall-applet: Enable global applet settings, reload user settings
if changed
- firewall-applet: Added shields up/down handling and editor
- firewall-applet: Reworked about dialog to have a more common look
- config/applet.conf: Added defaults for shields-up/down, fixed blink
default
- doc/xml/firewall-applet.xml: Adaption to new firewall-applet version
- config/xmlschema*.xsd: No fixed order of items in xml config files
- config/xmlschema/check.sh: Enhance flow and error handling, more verbose
- firewalld.conf: Fixed bool fallback handling for missing settings
(RHBZ#1239326)
- config/xmlschema/check.sh: Install script in the same directory as
schema files
- man: Interface handling with and without NetworkManager (RHBZ#1122739
RHBZ#1128563)
- fw.py._start: Fix reload with runtime rules, but no direct.xml
(RHBZ#1183008)
- firewall-applet,-config: Additional fix for PermissionDenied exception
with NM (RHBZ#1190520, RHBZ#1227413)
- firewall-applet: Use own watcher to fix qsettings reload in all cases
- firewall-applet: Use the error icon also if blink is deactivated
- add ceph services
- firewall-cmd: Zones with source bindings are also active
- firewalld.spec: Require python3-gobject-base for fedora >= 23 and rhel
>= 8
- firewalld.spec: Fix rhel defines: No python3 for rhel-7
- ipsec.service: add NAT-Traversal port
- firewall-config: Use proper store in nm_signal_receiver
- firewall-cmd_test: masquerade with destination is supported since 0.3.14
- New protocols support in zones and services
- fw_zone: Missing patch for new protocol usage in services
- firewall-cmd (bash-completion): Added support for new protocol options
- Use gi.require_version() to avoid PyGIWarning seen with Gtk-3.17
- services: add pulseaudio
- add docker registry services
- Handle source bindings in the same way as interface bindings
- firewall.server.fw_zone: Fix get_config_with_settings for protocol
support in zones
- firewall-cmd: New info options to print information about zones,
services and icmptypes (RHBZ#1147500)
- firewalld: Only use DEFAULT_ZONE_TARGET in firewalld itself, use
"default" externally
- firewall-config: Fix for zone editor to use proper target (RHBZ#1251057)
- client.py: Show full traceback in exception handler for code issues
- firewall-config: masquerade with destination is supported since 0.3.14
- firewall-config: Fixed gtk_list_store_set_sort_column_id errors
- firewall-config: Adapt glade file to newer glade syntax
- config: Fixed year in COPYRIGHT
- gtk3_chooserbutton: New is_sensitive and get_sensitive methods
- firewall/functions: New check_mac function
- firewall/errors: New INVALID_MAC error
- firewall/core/rich: Add support for MAC sources in Rich_Source
- firewall/core/io/zone: New support for MAC sources
- firewall/core/fw_zone: New support for MAC sources in rich rules and
as source bindings
- Man pages: Add information about MAC sources
- firewall-config: New support for MAC sources in rich rules and as
source bindings
- firewalld.dbus.xml: Several fixes
- Fix reload after default zone change to newly introduced zone
(RHBZ#1273888)
- Fix removal of destination addresses for services in permanent view
(RHBZ#1278281)
- Additional fix for removal of destination addresses for services in
permanent view (RHBZ#1278281)
- Add requirement for dbus-x11 for firewall-config and firewall-applet
(RHBZ#1281416)
- fw_direct cleanup: Remove unused imports
- New ipset directories in /etc/firewalld and /usr/lib/firewalld
- New ipset dbus interface and path definitions, increased dbus
interface revision
- New ipset file handler and parser
- ipset handler
- Fix MAC handling, always uppercase MAC addresses
- New errors for ipsets: INVALID_IPSET, INVALID_ENTRY and IPSET_WITH_TIMEOUT
- New FirewallIPSet class for use in fw and fw_config
- New ipset usage in fw and fw_config
- New ipset support in rich rule source
- New ipset support in zones
- functions: New function check_ipset
- New ipset D-Bus interface
- New ipset support in FirewallClient
- org.fedoraproject.FirewallConfig.gschema.xml: New show-ipsets
- firewall-cmd: New support for ipsets
- firewall-config: New support for ipsets
- New firewalld.ipset man page
- firewalld.richlanguage: Document ipset support in rich rules
- firewalld.spec: New requires for ipset
- firewalld.service: conflict with ipset.service
- errors: Adding lost BUILTIN_IPSET
- README: Add information about ipset
- firewalld.dbus man page: Add ipset interfaces, ..
- firewalld.dbus man page: Added missing builtin properties for zone,
service and icmptype
- firewall.core.io.zone: Fix address attribute usage in writer
- firewall-config: Properly initially ipset variable in
richRuleDialog_getRule
- Fix MAC handling, always uppercase MAC addresses (2)
- IPSet: Fix family check for IPv6 addresses
- FirewallClient: Added lost getEntries method
- gtk3_chooserbutton: Fixed connect return value, added disconnect
- FirewallZone: Apply ipset hash:mac sources
- shell-completion/bash/firewall-cmd: Add support for --remove-rules option
- Fix issue #61: Not masquerading loopback
- Fixed issue #54: New zone does not limit zone name len
- Fixed issue #47: Log to syslog/journald without timestamp
- firewall-config: Use sourceDialog to manage source bindings
- FirewallIPSet: Dropped mostly unused applied attribute, code cleanup
- src/Makefile.am: Ship and install ipset files in the firewall tree
- firewall-cmd: Renamed --list-ipsets to --get-ipsets for consistency reasons
- firewall-cmd: Moved checks for ipset options to the proper place
- firewall-cmd: Use __print_zone_info for all zone info prints
- src/firewall/core/ipXtables.py: Cleanup
- src/firewall/core/fw_test.py: New support for ipset
- firewall-offline-cmd help: Removed [--permanent] from protocol options
- firewall-offline-cmd: Add support for --info-[zone|service|icmptype]
option
- firewall-offline-cmd: New support for ipset options
- src/firewall/core/ebtables.py: Remove dangling ebtables lock file
- src/tests/firewall-cmd_test.sh: Added tests for ipsets
- src/firewall/core/io/zone.py: zone_ContentHandler: Fixed protocol use
outside of rich rules
- src/firewall/core/prog.py: Added stdin option to runProg
- firewalld: Create temporary directory in /run/firewalld at start if it
does not exist
- ipXtables, ebtables: New support for set_rules methods using -restore
commands
- firewall/core/fw.py: Unify handle_rules methods, removed handle_rules2
- firewall/core/fw_zone.py: Added ipset destination matches for
POSTROUTING and FORWARD
- Extra quote strings that could contain spaces, needed for use in
-restore commands
- firewall/core/fw.py: New rules method, handle several rules at once
- New firewalld config setting IndividualCalls
- firewall/core/fw.py: Use individual calls setting, enable use of
restore commands
- firewalld.conf(5): Added information about new IndividualCalls setting
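The 0.4.0 highlights add ipset and MAC-source support, and the changelog lists the checks that came with it (check_mac, check_ipset, the INVALID_ENTRY and IPSET_WITH_TIMEOUT errors, and MAC addresses always stored in upper case). As an added example that is not firewalld's own code, the script below builds a permanent ipset file of the form firewalld reads from /etc/firewalld/ipsets/<name>.xml, validating each entry against the set type and family before it is written, and parses such a file back. The supported types are limited to hash:ip, hash:net and hash:mac, the 31-character name limit and the rule that a set with a timeout option may not carry entries are assumptions made here, and the sample entries are constructed.

```python
"""Build and parse firewalld permanent ipset files with entry validation.

Added example, not firewalld's own code. The file layout follows firewalld.ipset(5):
<ipset type="..."> with optional <short>, <option name= value=/> and <entry> children.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# Assumption: kernel ipset names are limited to 31 characters.
IPSET_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,31}$")
SUPPORTED_TYPES = ("hash:ip", "hash:net", "hash:mac")


def normalize_entry(set_type, family, entry):
    """Return the canonical form of `entry` or raise ValueError (INVALID_ENTRY)."""
    if set_type == "hash:mac":
        if not MAC_RE.match(entry):
            raise ValueError(f"INVALID_ENTRY: not a MAC address: {entry!r}")
        return entry.upper()  # firewalld stores MAC addresses in upper case
    if set_type in ("hash:ip", "hash:net"):
        try:
            obj = (ipaddress.ip_network(entry, strict=False) if set_type == "hash:net"
                   else ipaddress.ip_address(entry))
        except ValueError as exc:
            raise ValueError(f"INVALID_ENTRY: {entry!r}: {exc}") from None
        want = 4 if family == "inet" else 6
        if obj.version != want:
            raise ValueError(f"INVALID_ENTRY: {entry!r} is IPv{obj.version}, set family is {family}")
        return str(obj)
    raise ValueError(f"INVALID_IPSET: unsupported type {set_type!r}")


def build_ipset_xml(name, set_type, entries, family="inet", short=None, options=None):
    """Return the XML text for /etc/firewalld/ipsets/<name>.xml (assumed path)."""
    if not IPSET_NAME_RE.match(name):
        raise ValueError(f"INVALID_IPSET: bad name {name!r}")
    if set_type not in SUPPORTED_TYPES or family not in ("inet", "inet6"):
        raise ValueError(f"INVALID_IPSET: type {set_type!r} family {family!r}")
    options = dict(options or {})
    if family == "inet6":
        options["family"] = "inet6"  # inet is the default, so only inet6 is written
    # Assumption: a set created with a timeout may not hold permanent entries,
    # since they would expire (the IPSET_WITH_TIMEOUT error in the changelog).
    if "timeout" in options and entries:
        raise ValueError("IPSET_WITH_TIMEOUT: entries not allowed with a timeout")

    root = ET.Element("ipset", type=set_type)
    if short:
        ET.SubElement(root, "short").text = short
    for key, value in sorted(options.items()):
        ET.SubElement(root, "option", name=key, value=str(value))
    for entry in entries:
        ET.SubElement(root, "entry").text = normalize_entry(set_type, family, entry)
    try:
        ET.indent(root)  # Python 3.9+; older versions get unindented output
    except AttributeError:
        pass
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def parse_ipset_xml(xml_text):
    """Return (type, family, entries) from an ipset file; entries keep file order."""
    root = ET.fromstring(xml_text)
    if root.tag != "ipset":
        raise ValueError("INVALID_IPSET: root element is not <ipset>")
    family = "inet"
    for opt in root.findall("option"):
        if opt.get("name") == "family":
            family = opt.get("value")
    return root.get("type"), family, [e.text for e in root.findall("entry")]


if __name__ == "__main__":
    # Constructed sample: a MAC blocklist; mixed-case input comes out upper-cased.
    print(build_ipset_xml("blocklist", "hash:mac",
                          ["aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"], short="Blocked MACs"))
```

Once a file like this is in place (or created with the new `--permanent --new-ipset` options), the set is referenced from a zone as a source binding (`--add-source=ipset:blocklist`) or from a rich rule (`source ipset="blocklist"`), and the validation above catches the family mismatches and malformed entries firewalld would otherwise reject at load time.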