www.cendio.com
Bug 4311 - Support firewalld in tl-setup firewall module
Status: CLOSED FIXED
Product: ThinLinc
Component: Server Installer
Version: 3.4.0
Hardware: PC Linux
Importance: P2 Enhancement
Target Milestone: 4.2.0
Reported: 2012-05-29 19:53
Modified: 2014-05-06 11:22

Description From cendio 2012-05-29 19:53:33
Fedora 17 ships with firewalld, and expects programs to interface with the
firewall using firewall-cmd.

https://fedorahosted.org/firewalld/
https://fedoraproject.org/wiki/FirewallD/
------- Comment #1 From cendio 2014-02-03 11:12:05 -------
To identify if firewalld is enabled and running, 'firewall-cmd --state' will
exit with code 252 if the service is not running.
------- Comment #2 From cendio 2014-02-03 11:39:32 -------
A service definition can be created; firewalld uses XML to describe a service.

----

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing
commands on remote machines. It provides secure encrypted communications. If
you plan on accessing your machine remotely via SSH over a firewalled
interface, enable this option. You need the openssh-server package installed
for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
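As an added example (not ThinLinc's tl-setup code), comment #1 and comment #2 in one Python module: classifying the `firewall-cmd --state` exit status, and rendering a service definition of the same shape as the SSH XML above. The ThinLinc service names and ports used in the test come from the log output later in this bug; /etc/firewalld/services is firewalld's directory for local service definitions.

```python
import re
import shutil
import subprocess
import xml.etree.ElementTree as ET

# Exit status of `firewall-cmd --state` when firewalld is installed but not running (comment #1).
FIREWALLD_NOT_RUNNING = 252
SERVICE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")  # names become file names; keep to a safe alphabet

def classify_state(returncode):
    """Map the exit status of `firewall-cmd --state` to a backend decision."""
    if returncode == 0:
        return "running"
    if returncode == FIREWALLD_NOT_RUNNING:
        return "not running"
    return "unknown"  # any other failure: do not claim firewalld support

def firewalld_state():
    """Detect firewalld the way comment #4 asks for: tool present AND daemon running."""
    if shutil.which("firewall-cmd") is None:
        return "absent"
    proc = subprocess.run(["firewall-cmd", "--state"], capture_output=True, text=True)
    return classify_state(proc.returncode)

def service_definition(name, description, ports):
    """Render a firewalld service XML of the same shape as the SSH example; ports = [(proto, port)]."""
    if not SERVICE_NAME_RE.match(name):
        raise ValueError("invalid firewalld service name: %r" % name)
    service = ET.Element("service")
    ET.SubElement(service, "short").text = name
    ET.SubElement(service, "description").text = description
    for protocol, port in ports:
        if protocol not in ("tcp", "udp") or not 0 < int(port) < 65536:
            raise ValueError("invalid port spec: %r/%r" % (protocol, port))
        ET.SubElement(service, "port", protocol=protocol, port=str(port))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(service, encoding="unicode")

def service_ports(xml_text):
    """Read back the (protocol, port) pairs from a service definition."""
    root = ET.fromstring(xml_text)
    return [(p.get("protocol"), int(p.get("port"))) for p in root.findall("port")]

def install_service(name, description, ports, services_dir="/etc/firewalld/services"):
    """Write the definition, then reload so firewalld sees it before `--add-service` (comment #3)."""
    path = "%s/%s.xml" % (services_dir, name)
    with open(path, "w") as fh:
        fh.write(service_definition(name, description, ports))
    subprocess.run(["firewall-cmd", "--reload"], check=True)
    return path
```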
------- Comment #3 From cendio 2014-02-03 16:03:48 -------
Initial implementation of Firewalld backend in commit 28360

Commit 28362 adds on_finalize() callback for proper reload of firewalld
service definitions before enabling services. This was reverted in commit
28363. 

Instead of on_finalize(), reload on each creation of service definition in
commit 28364.
------- Comment #4 From cendio 2014-02-03 16:05:46 -------
We also need to make the detection of firewall suite a bit better than just
checking if tools are available. An additional check if the firewall is enabled is
good enough.
------- Comment #5 From cendio 2014-02-03 16:19:23 -------
(In reply to comment #4)
> We also need to make the detection of firewall suite a bit better than just
> checking if tools are available. An additional check if the firewall is enabled is
> good enough.

Fixed in commit 28365.

Before, we had support for 3 different systems and tested just the existence of
the tools used on each system. This however laid the ground for the backend class
names, which include the system name, such as FirewallBackendRHEL. We should rename
those to reflect which firewall suite is used instead of which system uses what
suite.
------- Comment #6 From cendio 2014-02-03 16:25:24 -------
(In reply to comment #5)
> (In reply to comment #4)
> > We also need to make the detection of firewall suite a bit better than just
> > checking if tools are available. An additional check if the firewall is enabled is
> > good enough.
> 
> Fixed in commit 28365.
> 
> Before, we had support for 3 different systems and tested just the existence of
> the tools used on each system. This however laid the ground for the backend class
> names, which include the system name, such as FirewallBackendRHEL. We should rename
> those to reflect which firewall suite is used instead of which system uses what
> suite.

Class names updated in commit 28366.
------- Comment #7 From cendio 2014-02-03 16:52:00 -------
(In reply to comment #6)
> 
> Class names updated in commit 28366.

Typo fixed in commit 28367.


Tests of the changes have been made on Fedora 17 with systemd and Ubuntu 13.10
with ufw. Detection works as expected.

The tester should verify functionality on the firewall suites: systemd (Fedora >17),
lokkit (RHEL), ufw (Ubuntu) and SuSE firewall.
------- Comment #8 From cendio 2014-02-27 11:35:09 -------
Doesn't work on a default install of Fedora 20:

2014-02-27 11:31:15,130: Creating firewall service 'tlwebadm' using ports
1010:TCP
2014-02-27 11:31:17,530: Enable firewall service 'tlwebadm'
2014-02-27 11:31:18,175: Failed to enable firewall service tlwebadm
2014-02-27 11:31:18,176:     Error: COMMAND_FAILED: '/sbin/ip6tables -A
IN_public_allow -t filter -m ipv6header --header TCP --dport 1010 -m conntrack
--ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
specified
2014-02-27 11:31:18,176:     Try `ip6tables -h' or 'ip6tables --help' for more
information.
2014-02-27 11:31:18,176: Creating firewall service 'tlmaster' using ports
9000:TCP
2014-02-27 11:31:20,330: Enable firewall service 'tlmaster'
2014-02-27 11:31:20,890: Failed to enable firewall service tlmaster
2014-02-27 11:31:20,891:     Error: COMMAND_FAILED: '/sbin/ip6tables -A
IN_public_allow -t filter -m ipv6header --header TCP --dport 9000 -m conntrack
--ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
specified
2014-02-27 11:31:20,891:     Try `ip6tables -h' or 'ip6tables --help' for more
information.
2014-02-27 11:31:20,891: Creating firewall service 'tlagent' using ports
904:TCP
2014-02-27 11:31:23,120: Enable firewall service 'tlagent'
2014-02-27 11:31:23,672: Failed to enable firewall service tlagent
2014-02-27 11:31:23,672:     Error: COMMAND_FAILED: '/sbin/ip6tables -A
IN_public_allow -t filter -m ipv6header --header TCP --dport 904 -m conntrack
--ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
specified
2014-02-27 11:31:23,673:     Try `ip6tables -h' or 'ip6tables --help' for more
information.
2014-02-27 11:31:23,673: Enable system firewall service 'ssh'
2014-02-27 11:31:24,258: failed to configure firewall.
------- Comment #9 From cendio 2014-02-27 12:38:49 -------
(In reply to comment #8)
> Doesn't work on a default install of Fedora 20:
> 
> 2014-02-27 11:31:15,130: Creating firewall service 'tlwebadm' using ports
> 1010:TCP
> 2014-02-27 11:31:17,530: Enable firewall service 'tlwebadm'
> 2014-02-27 11:31:18,175: Failed to enable firewall service tlwebadm
> 2014-02-27 11:31:18,176:     Error: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 1010 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-02-27 11:31:18,176:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.
> 2014-02-27 11:31:18,176: Creating firewall service 'tlmaster' using ports
> 9000:TCP
> 2014-02-27 11:31:20,330: Enable firewall service 'tlmaster'
> 2014-02-27 11:31:20,890: Failed to enable firewall service tlmaster
> 2014-02-27 11:31:20,891:     Error: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 9000 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-02-27 11:31:20,891:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.
> 2014-02-27 11:31:20,891: Creating firewall service 'tlagent' using ports
> 904:TCP
> 2014-02-27 11:31:23,120: Enable firewall service 'tlagent'
> 2014-02-27 11:31:23,672: Failed to enable firewall service tlagent
> 2014-02-27 11:31:23,672:     Error: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 904 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-02-27 11:31:23,673:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.
> 2014-02-27 11:31:23,673: Enable system firewall service 'ssh'
> 2014-02-27 11:31:24,258: failed to configure firewall.

Fixed in commit 28535.
------- Comment #10 From cendio 2014-02-27 12:45:07 -------
(In reply to comment #9)
> (In reply to comment #8)
> > Doesn't work on a default install of Fedora 20:
> > 
> > 2014-02-27 11:31:15,130: Creating firewall service 'tlwebadm' using ports
> > 1010:TCP
> > 2014-02-27 11:31:17,530: Enable firewall service 'tlwebadm'
> > 2014-02-27 11:31:18,175: Failed to enable firewall service tlwebadm
> > 2014-02-27 11:31:18,176:     Error: COMMAND_FAILED: '/sbin/ip6tables -A
> > IN_public_allow -t filter -m ipv6header --header TCP --dport 1010 -m conntrack
> > --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> > specified
> > 2014-02-27 11:31:18,176:     Try `ip6tables -h' or 'ip6tables --help' for more
> > information.
> > 2014-02-27 11:31:18,176: Creating firewall service 'tlmaster' using ports
> > 9000:TCP
> > 2014-02-27 11:31:20,330: Enable firewall service 'tlmaster'
> > 2014-02-27 11:31:20,890: Failed to enable firewall service tlmaster
> > 2014-02-27 11:31:20,891:     Error: COMMAND_FAILED: '/sbin/ip6tables -A
> > IN_public_allow -t filter -m ipv6header --header TCP --dport 9000 -m conntrack
> > --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> > specified
> > 2014-02-27 11:31:20,891:     Try `ip6tables -h' or 'ip6tables --help' for more
> > information.
> > 2014-02-27 11:31:20,891: Creating firewall service 'tlagent' using ports
> > 904:TCP
> > 2014-02-27 11:31:23,120: Enable firewall service 'tlagent'
> > 2014-02-27 11:31:23,672: Failed to enable firewall service tlagent
> > 2014-02-27 11:31:23,672:     Error: COMMAND_FAILED: '/sbin/ip6tables -A
> > IN_public_allow -t filter -m ipv6header --header TCP --dport 904 -m conntrack
> > --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> > specified
> > 2014-02-27 11:31:23,673:     Try `ip6tables -h' or 'ip6tables --help' for more
> > information.
> > 2014-02-27 11:31:23,673: Enable system firewall service 'ssh'
> > 2014-02-27 11:31:24,258: failed to configure firewall.
> 
> Fixed in commit 28535.

28536 fixes typo in commit 28535.
------- Comment #11 From cendio 2014-03-31 09:20:59 -------
Doesn't work when tested on a default-installed Fedora 20 (32-bit):

2014-03-31 09:13:57,590: Creating firewall service 'tlwebaccess' using ports
300:TCP
2014-03-31 09:13:59,842: Enable firewall service 'tlwebaccess'
2014-03-31 09:14:00,433: Failed to enable firewall service tlwebaccess
2014-03-31 09:14:00,434:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
IN_public_allow -t filter -m ipv6header --header TCP --dport 300 -m conntrack
--ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
specified
2014-03-31 09:14:00,434:     Try `ip6tables -h' or 'ip6tables --help' for more
information.ESC[00m
2014-03-31 09:14:00,434: Creating firewall service 'tlwebadm' using ports
1010:TCP
2014-03-31 09:14:02,779: Enable firewall service 'tlwebadm'
2014-03-31 09:14:03,392: Failed to enable firewall service tlwebadm
2014-03-31 09:14:03,393:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
IN_public_allow -t filter -m ipv6header --header TCP --dport 1010 -m conntrack
--ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
specified
2014-03-31 09:14:03,393:     Try `ip6tables -h' or 'ip6tables --help' for more
information.ESC[00m
2014-03-31 09:14:03,393: Creating firewall service 'tlmaster' using ports
9000:TCP
2014-03-31 09:14:05,717: Enable firewall service 'tlmaster'
2014-03-31 09:14:06,337: Failed to enable firewall service tlmaster
2014-03-31 09:14:06,338:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
IN_public_allow -t filter -m ipv6header --header TCP --dport 9000 -m conntrack
--ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
specified
2014-03-31 09:14:06,338:     Try `ip6tables -h' or 'ip6tables --help' for more
information.ESC[00m
2014-03-31 09:14:06,338: Creating firewall service 'tlagent' using ports
904:TCP
2014-03-31 09:14:08,660: Enable firewall service 'tlagent'
2014-03-31 09:14:09,247: Failed to enable firewall service tlagent
2014-03-31 09:14:09,247:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
IN_public_allow -t filter -m ipv6header --header TCP --dport 904 -m conntrack
--ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
specified
2014-03-31 09:14:09,248:     Try `ip6tables -h' or 'ip6tables --help' for more
information.ESC[00m
2014-03-31 09:14:09,248: Enable system firewall service 'ssh'
2014-03-31 09:14:09,796: failed to configure firewall.
------- Comment #12 From cendio 2014-04-01 13:05:47 -------
(In reply to comment #11)
> Doesn't work when tested on a default-installed Fedora 20 (32-bit):
> 
> 2014-03-31 09:13:57,590: Creating firewall service 'tlwebaccess' using ports
> 300:TCP
> 2014-03-31 09:13:59,842: Enable firewall service 'tlwebaccess'
> 2014-03-31 09:14:00,433: Failed to enable firewall service tlwebaccess
> 2014-03-31 09:14:00,434:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 300 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-03-31 09:14:00,434:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.ESC[00m
> 2014-03-31 09:14:00,434: Creating firewall service 'tlwebadm' using ports
> 1010:TCP
> 2014-03-31 09:14:02,779: Enable firewall service 'tlwebadm'
> 2014-03-31 09:14:03,392: Failed to enable firewall service tlwebadm
> 2014-03-31 09:14:03,393:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 1010 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-03-31 09:14:03,393:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.ESC[00m
> 2014-03-31 09:14:03,393: Creating firewall service 'tlmaster' using ports
> 9000:TCP
> 2014-03-31 09:14:05,717: Enable firewall service 'tlmaster'
> 2014-03-31 09:14:06,337: Failed to enable firewall service tlmaster
> 2014-03-31 09:14:06,338:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 9000 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-03-31 09:14:06,338:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.ESC[00m
> 2014-03-31 09:14:06,338: Creating firewall service 'tlagent' using ports
> 904:TCP
> 2014-03-31 09:14:08,660: Enable firewall service 'tlagent'
> 2014-03-31 09:14:09,247: Failed to enable firewall service tlagent
> 2014-03-31 09:14:09,247:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 904 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-03-31 09:14:09,248:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.ESC[00m
> 2014-03-31 09:14:09,248: Enable system firewall service 'ssh'
> 2014-03-31 09:14:09,796: failed to configure firewall.

Fixed in commit 28766.
------- Comment #13 From cendio 2014-04-09 16:29:04 -------
(In reply to comment #12)
> Fixed in commit 28766.

Tested with build 4318 on Fedora 20 (32-bit); it works as expected:

2014-04-09 16:24:14,650: Detected firewall backend FirewallBackendFirewalld
2014-04-09 16:24:14,651: Supported Firewall found
------- Comment #14 From cendio 2014-05-05 10:48:20 -------
Firewall is now broken on SLED11:

2014-05-05 04:30:38,658: No supported firewall backend detected.

I believe the problem is commit r28365. The logic in firewall.py is all wrong:

-        if FirewallBackendSuse.__tool is not None \
-                and FirewallBackendSuse.__tool2 is not None \
-                and os.path.exists("/etc/sysconfig/SuSEfirewall2.d/services"):
-            return super(FirewallBackendSuse, cls).__new__(cls)
+        if FirewallBackendSuse.__tool is None or FirewallBackendSuse.__tool2 \
+           or not os.path.exists("/etc/sysconfig/SuSEfirewall2.d/services"):
+            return None
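Review bot: the first `+` line drops the `is None` on `FirewallBackendSuse.__tool2`, so the condition reads `... or FirewallBackendSuse.__tool2 or not os.path.exists(...)`: whenever tool2 was found (a non-empty path, hence truthy) the method returns None and the SuSE backend is never selected, which matches the "No supported firewall backend detected" line above. It should read `or FirewallBackendSuse.__tool2 is None`. The removed `return super(FirewallBackendSuse, cls).__new__(cls)` has no replacement in this excerpt; confirm the fall-through path still constructs the instance.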
------- Comment #15 From cendio 2014-05-06 08:16:27 -------
(In reply to comment #14)
> Firewall is now broken on SLED11:
> 
> 2014-05-05 04:30:38,658: No supported firewall backend detected.
> 
> I believe the problem is commit r28365. The logic in firewall.py is all wrong:
> 
> -        if FirewallBackendSuse.__tool is not None \
> -                and FirewallBackendSuse.__tool2 is not None \
> -                and os.path.exists("/etc/sysconfig/SuSEfirewall2.d/services"):
> -            return super(FirewallBackendSuse, cls).__new__(cls)
> +        if FirewallBackendSuse.__tool is None or FirewallBackendSuse.__tool2 \
> +           or not os.path.exists("/etc/sysconfig/SuSEfirewall2.d/services"):
> +            return None

Commit r28937 fixes this error.
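The detection predicate from comment #14 beside its corrected form, as an added Python example rather than the project's firewall.py: `tool`/`tool2` stand in for the name-mangled `__tool`/`__tool2`, and the tool paths are constructed sample values.

```python
import os


class FirewallBackendSuse(object):
    """Backend whose __new__ yields None when SuSEfirewall2 is unusable.
    tool/tool2 stand in for the page's name-mangled __tool/__tool2."""
    tool = "/usr/sbin/SuSEfirewall2"      # constructed sample value
    tool2 = "/sbin/yast"                  # constructed sample value
    services_dir = "/etc/sysconfig/SuSEfirewall2.d/services"

    def __new__(cls, path_exists=os.path.exists):
        # Corrected predicate: every tool must be present AND the directory must exist.
        if cls.tool is None or cls.tool2 is None or not path_exists(cls.services_dir):
            return None
        return super(FirewallBackendSuse, cls).__new__(cls)


def unsupported_as_committed(tool, tool2, dir_exists):
    """The r28365 condition as quoted in comment #14 (note the missing `is None` on tool2)."""
    return tool is None or tool2 or not dir_exists


def unsupported_fixed(tool, tool2, dir_exists):
    """What the condition has to be for the backend to ever be selected."""
    return tool is None or tool2 is None or not dir_exists


def detect_backend(backends, path_exists=os.path.exists):
    """Return the first backend whose constructor does not return None, else None."""
    for backend in backends:
        instance = backend(path_exists=path_exists)
        if instance is not None:
            return instance
    return None
```

With both tools found, the committed predicate evaluates to the truthy tool2 path and reports "unsupported"; the fixed one only does so when a tool is missing or the directory is absent.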
------- Comment #16 From cendio 2014-05-06 11:22:17 -------
Closing this; that the issue on SLED is fixed will be verified in bug 3060.