Bug 4311 - Support firewalld in tl-setup firewall module
Summary: Support firewalld in tl-setup firewall module
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Server Installer
Version: 3.4.0
Hardware: PC Linux
Importance: P2 Enhancement
Target Milestone: 4.2.0
Assignee: Henrik Andersson
URL:
Keywords: relnotes, samuel_tester
Depends on:
Blocks:
 
Reported: 2012-05-29 19:53 CEST by Karl Mikaelsson
Modified: 2014-05-06 11:22 CEST

See Also:
Acceptance Criteria:
Description Karl Mikaelsson cendio 2012-05-29 19:53:33 CEST
Fedora 17 ships with firewalld, and expects programs to interface with the firewall using firewall-cmd.

https://fedorahosted.org/firewalld/
https://fedoraproject.org/wiki/FirewallD/
Comment 1 Henrik Andersson cendio 2014-02-03 11:12:05 CET
To identify if firewalld is enabled and running, 'firewall-cmd --state' will exit with code 252 if the service is not running.
Comment 2 Henrik Andersson cendio 2014-02-03 11:39:32 CET
A service definition can be created; firewalld uses XML to describe a service.

----

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
Comment 3 Henrik Andersson cendio 2014-02-03 16:03:48 CET
Initial implementation of firewalld backend in commit 28360.

Commit 28362 adds an on_finalize() callback for proper reload of firewalld
service definitions before enabling services. This was reverted in commit 28363.

Instead of on_finalize(), reload on each creation of a service definition in commit 28364.
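As an added example (not tl-setup's own code) that ties comments 1 to 3 together in Python, the language of the project's firewall.py: detection by the exit status of 'firewall-cmd --state', generation of a service definition of the same shape as the SSH one above, and a reload right after each definition is written. The services directory /etc/firewalld/services, the function names and the NOT_RUNNING label are assumptions of this example.

```python
import os
import shutil
import subprocess
import xml.etree.ElementTree as ET

FIREWALL_CMD = shutil.which("firewall-cmd")  # None when the tool is not installed
NOT_RUNNING = 252  # exit status of 'firewall-cmd --state' when firewalld is not running (comment 1)


def firewalld_state(returncode):
    """Classify the exit status of 'firewall-cmd --state'."""
    if returncode == 0:
        return "running"
    if returncode == NOT_RUNNING:
        return "not running"
    return "unknown"


def firewalld_available():
    """Detection as comment 4 asks for: the tool exists AND the firewall is running."""
    if FIREWALL_CMD is None:
        return False
    try:
        rc = subprocess.call([FIREWALL_CMD, "--state"],
                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError:
        return False
    return firewalld_state(rc) == "running"


def service_xml(short, description, ports):
    """Build a service definition of the shape shown in comment 2.
    ports is a list of (port, protocol) tuples such as [(22, "tcp")]."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = short
    ET.SubElement(svc, "description").text = description
    for port, proto in ports:
        ET.SubElement(svc, "port", protocol=proto, port=str(port))
    return ET.tostring(svc, encoding="unicode")


def parse_service(xml_text):
    """Read a definition back: returns (short, [(port, protocol), ...])."""
    root = ET.fromstring(xml_text)
    ports = [(int(p.get("port")), p.get("protocol")) for p in root.findall("port")]
    return root.findtext("short"), ports


def write_service(name, short, description, ports,
                  services_dir="/etc/firewalld/services", reload=True):
    """Write <name>.xml into services_dir (assumed path) and, as comment 3 settled on,
    reload firewalld right after each definition so a later '--add-service' finds it."""
    path = os.path.join(services_dir, name + ".xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="utf-8"?>\n')
        fh.write(service_xml(short, description, ports) + "\n")
    if reload and FIREWALL_CMD is not None:
        subprocess.check_call([FIREWALL_CMD, "--reload"])
    return path
```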
Comment 4 Henrik Andersson cendio 2014-02-03 16:05:46 CET
We also need to make the detection of the firewall suite a bit better than just checking if the tools are available. An additional check that the firewall is enabled is good enough.
Comment 5 Henrik Andersson cendio 2014-02-03 16:19:23 CET
(In reply to comment #4)
> We also need to make the detection of firewall suite a bit better than just
> check if tools are available. Additional check if firewall is enabled is good
> enough.

Fixed in commit 28365.

Before, we had support for 3 different systems and tested just for the existence of the tools used on each system. This however laid the ground for the backend class names, which include the system name, such as FirewallBackendRHEL. We should rename those to reflect which firewall suite is used instead of which system uses which suite.
Comment 6 Henrik Andersson cendio 2014-02-03 16:25:24 CET
(In reply to comment #5)
> (In reply to comment #4)
> > We also need to make the detection of firewall suite a bit better than just
> > check if tools are available. Additional check if firewall is enabled is good
> > enough.
> 
> Fixed in commit 28365.
> 
> Before we had support for 3 different systems and tested just existence of
> tools used on either system. This however layed ground for the backend class
> names which includes system name such as FirewallBackendRHEL. We should rename
> those to reflect which firewall suite is used instead of which system uses what
> suite.

Class names updated in commit 28366.
Comment 7 Henrik Andersson cendio 2014-02-03 16:52:00 CET
(In reply to comment #6)
> 
> Class names updated in commit 28366.

Typo fixed in commit 28367.


Tests of the changes have been made on Fedora 17 with systemd and Ubuntu 13.10 with ufw. Detection works as expected.

Tester should verify functionality on firewall suites: systemd (Fedora >17), lokkit (RHEL), ufw (Ubuntu) and SuSE firewall.
Comment 8 Pierre Ossman cendio 2014-02-27 11:35:09 CET
Doesn't work on a default install of Fedora 20:

2014-02-27 11:31:15,130: Creating firewall service 'tlwebadm' using ports 1010:TCP
2014-02-27 11:31:17,530: Enable firewall service 'tlwebadm'
2014-02-27 11:31:18,175: Failed to enable firewall service tlwebadm
2014-02-27 11:31:18,176:     [91mError: COMMAND_FAILED: '/sbin/ip6tables -A IN_public_allow -t filter -m ipv6header --header TCP --dport 1010 -m conntrack --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6' specified
2014-02-27 11:31:18,176:     Try `ip6tables -h' or 'ip6tables --help' for more information.[00m
2014-02-27 11:31:18,176: Creating firewall service 'tlmaster' using ports 9000:TCP
2014-02-27 11:31:20,330: Enable firewall service 'tlmaster'
2014-02-27 11:31:20,890: Failed to enable firewall service tlmaster
2014-02-27 11:31:20,891:     [91mError: COMMAND_FAILED: '/sbin/ip6tables -A IN_public_allow -t filter -m ipv6header --header TCP --dport 9000 -m conntrack --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6' specified
2014-02-27 11:31:20,891:     Try `ip6tables -h' or 'ip6tables --help' for more information.[00m
2014-02-27 11:31:20,891: Creating firewall service 'tlagent' using ports 904:TCP
2014-02-27 11:31:23,120: Enable firewall service 'tlagent'
2014-02-27 11:31:23,672: Failed to enable firewall service tlagent
2014-02-27 11:31:23,672:     [91mError: COMMAND_FAILED: '/sbin/ip6tables -A IN_public_allow -t filter -m ipv6header --header TCP --dport 904 -m conntrack --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6' specified
2014-02-27 11:31:23,673:     Try `ip6tables -h' or 'ip6tables --help' for more information.[00m
2014-02-27 11:31:23,673: Enable system firewall service 'ssh'
2014-02-27 11:31:24,258: failed to configure firewall.
Comment 9 Henrik Andersson cendio 2014-02-27 12:38:49 CET
(In reply to comment #8)
> Doesn't work on a default install of Fedora 20:
> 
> 2014-02-27 11:31:15,130: Creating firewall service 'tlwebadm' using ports
> 1010:TCP
> 2014-02-27 11:31:17,530: Enable firewall service 'tlwebadm'
> 2014-02-27 11:31:18,175: Failed to enable firewall service tlwebadm
> 2014-02-27 11:31:18,176:     [91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 1010 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-02-27 11:31:18,176:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.[00m
> 2014-02-27 11:31:18,176: Creating firewall service 'tlmaster' using ports
> 9000:TCP
> 2014-02-27 11:31:20,330: Enable firewall service 'tlmaster'
> 2014-02-27 11:31:20,890: Failed to enable firewall service tlmaster
> 2014-02-27 11:31:20,891:     [91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 9000 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-02-27 11:31:20,891:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.[00m
> 2014-02-27 11:31:20,891: Creating firewall service 'tlagent' using ports
> 904:TCP
> 2014-02-27 11:31:23,120: Enable firewall service 'tlagent'
> 2014-02-27 11:31:23,672: Failed to enable firewall service tlagent
> 2014-02-27 11:31:23,672:     [91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 904 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-02-27 11:31:23,673:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.[00m
> 2014-02-27 11:31:23,673: Enable system firewall service 'ssh'
> 2014-02-27 11:31:24,258: failed to configure firewall.

Fixed in commit 28535.
Comment 10 Henrik Andersson cendio 2014-02-27 12:45:07 CET
(In reply to comment #9)
> (In reply to comment #8)
> > Doesn't work on a default install of Fedora 20:
> > 
> > 2014-02-27 11:31:15,130: Creating firewall service 'tlwebadm' using ports
> > 1010:TCP
> > 2014-02-27 11:31:17,530: Enable firewall service 'tlwebadm'
> > 2014-02-27 11:31:18,175: Failed to enable firewall service tlwebadm
> > 2014-02-27 11:31:18,176:     [91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> > IN_public_allow -t filter -m ipv6header --header TCP --dport 1010 -m conntrack
> > --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> > specified
> > 2014-02-27 11:31:18,176:     Try `ip6tables -h' or 'ip6tables --help' for more
> > information.[00m
> > 2014-02-27 11:31:18,176: Creating firewall service 'tlmaster' using ports
> > 9000:TCP
> > 2014-02-27 11:31:20,330: Enable firewall service 'tlmaster'
> > 2014-02-27 11:31:20,890: Failed to enable firewall service tlmaster
> > 2014-02-27 11:31:20,891:     [91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> > IN_public_allow -t filter -m ipv6header --header TCP --dport 9000 -m conntrack
> > --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> > specified
> > 2014-02-27 11:31:20,891:     Try `ip6tables -h' or 'ip6tables --help' for more
> > information.[00m
> > 2014-02-27 11:31:20,891: Creating firewall service 'tlagent' using ports
> > 904:TCP
> > 2014-02-27 11:31:23,120: Enable firewall service 'tlagent'
> > 2014-02-27 11:31:23,672: Failed to enable firewall service tlagent
> > 2014-02-27 11:31:23,672:     [91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> > IN_public_allow -t filter -m ipv6header --header TCP --dport 904 -m conntrack
> > --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> > specified
> > 2014-02-27 11:31:23,673:     Try `ip6tables -h' or 'ip6tables --help' for more
> > information.[00m
> > 2014-02-27 11:31:23,673: Enable system firewall service 'ssh'
> > 2014-02-27 11:31:24,258: failed to configure firewall.
> 
> Fixed in commit 28535.

28536 fixes typo in commit 28535.
Comment 11 Samuel Mannehed cendio 2014-03-31 09:20:59 CEST
Doesn't work when tested on a default-installed Fedora 20 (32-bit):

2014-03-31 09:13:57,590: Creating firewall service 'tlwebaccess' using ports 300:TCP
2014-03-31 09:13:59,842: Enable firewall service 'tlwebaccess'
2014-03-31 09:14:00,433: Failed to enable firewall service tlwebaccess
2014-03-31 09:14:00,434:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A IN_public_allow -t filter -m ipv6header --header TCP --dport 300 -m conntrack --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6' specified
2014-03-31 09:14:00,434:     Try `ip6tables -h' or 'ip6tables --help' for more information.ESC[00m
2014-03-31 09:14:00,434: Creating firewall service 'tlwebadm' using ports 1010:TCP
2014-03-31 09:14:02,779: Enable firewall service 'tlwebadm'
2014-03-31 09:14:03,392: Failed to enable firewall service tlwebadm
2014-03-31 09:14:03,393:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A IN_public_allow -t filter -m ipv6header --header TCP --dport 1010 -m conntrack --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6' specified
2014-03-31 09:14:03,393:     Try `ip6tables -h' or 'ip6tables --help' for more information.ESC[00m
2014-03-31 09:14:03,393: Creating firewall service 'tlmaster' using ports 9000:TCP
2014-03-31 09:14:05,717: Enable firewall service 'tlmaster'
2014-03-31 09:14:06,337: Failed to enable firewall service tlmaster
2014-03-31 09:14:06,338:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A IN_public_allow -t filter -m ipv6header --header TCP --dport 9000 -m conntrack --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6' specified
2014-03-31 09:14:06,338:     Try `ip6tables -h' or 'ip6tables --help' for more information.ESC[00m
2014-03-31 09:14:06,338: Creating firewall service 'tlagent' using ports 904:TCP
2014-03-31 09:14:08,660: Enable firewall service 'tlagent'
2014-03-31 09:14:09,247: Failed to enable firewall service tlagent
2014-03-31 09:14:09,247:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A IN_public_allow -t filter -m ipv6header --header TCP --dport 904 -m conntrack --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6' specified
2014-03-31 09:14:09,248:     Try `ip6tables -h' or 'ip6tables --help' for more information.ESC[00m
2014-03-31 09:14:09,248: Enable system firewall service 'ssh'
2014-03-31 09:14:09,796: failed to configure firewall.
Comment 12 Henrik Andersson cendio 2014-04-01 13:05:47 CEST
(In reply to comment #11)
> Doesn't work when tested on a default-installed Fedora 20 (32-bit):
> 
> 2014-03-31 09:13:57,590: Creating firewall service 'tlwebaccess' using ports
> 300:TCP
> 2014-03-31 09:13:59,842: Enable firewall service 'tlwebaccess'
> 2014-03-31 09:14:00,433: Failed to enable firewall service tlwebaccess
> 2014-03-31 09:14:00,434:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 300 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-03-31 09:14:00,434:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.ESC[00m
> 2014-03-31 09:14:00,434: Creating firewall service 'tlwebadm' using ports
> 1010:TCP
> 2014-03-31 09:14:02,779: Enable firewall service 'tlwebadm'
> 2014-03-31 09:14:03,392: Failed to enable firewall service tlwebadm
> 2014-03-31 09:14:03,393:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 1010 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-03-31 09:14:03,393:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.ESC[00m
> 2014-03-31 09:14:03,393: Creating firewall service 'tlmaster' using ports
> 9000:TCP
> 2014-03-31 09:14:05,717: Enable firewall service 'tlmaster'
> 2014-03-31 09:14:06,337: Failed to enable firewall service tlmaster
> 2014-03-31 09:14:06,338:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 9000 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-03-31 09:14:06,338:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.ESC[00m
> 2014-03-31 09:14:06,338: Creating firewall service 'tlagent' using ports
> 904:TCP
> 2014-03-31 09:14:08,660: Enable firewall service 'tlagent'
> 2014-03-31 09:14:09,247: Failed to enable firewall service tlagent
> 2014-03-31 09:14:09,247:     ESC[91mError: COMMAND_FAILED: '/sbin/ip6tables -A
> IN_public_allow -t filter -m ipv6header --header TCP --dport 904 -m conntrack
> --ctstate NEW -j ACCEPT' failed: ip6tables v1.4.19.1: unknown header `6'
> specified
> 2014-03-31 09:14:09,248:     Try `ip6tables -h' or 'ip6tables --help' for more
> information.ESC[00m
> 2014-03-31 09:14:09,248: Enable system firewall service 'ssh'
> 2014-03-31 09:14:09,796: failed to configure firewall.

Fixed in commit 28766.
Comment 13 Samuel Mannehed cendio 2014-04-09 16:29:04 CEST
(In reply to comment #12)
> Fixed in commit 28766.

Tested with build 4318 on Fedora 20 (32 bit), it works as expected:

2014-04-09 16:24:14,650: Detected firewall backend FirewallBackendFirewalld
2014-04-09 16:24:14,651: Supported Firewall found
Comment 14 Peter Åstrand cendio 2014-05-05 10:48:20 CEST
Firewall is now broken on SLED11:

2014-05-05 04:30:38,658: No supported firewall backend detected.

I believe the problem is commit r28365. The logic in firewall.py is all wrong:

-        if FirewallBackendSuse.__tool is not None \
-                and FirewallBackendSuse.__tool2 is not None \
-                and os.path.exists("/etc/sysconfig/SuSEfirewall2.d/services"):
-            return super(FirewallBackendSuse, cls).__new__(cls)
+        if FirewallBackendSuse.__tool is None or FirewallBackendSuse.__tool2 \
+           or not os.path.exists("/etc/sysconfig/SuSEfirewall2.d/services"):
+            return None
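Review bot: the second operand of the rewritten condition on the `+` lines has lost its `is None`, so `FirewallBackendSuse.__tool2` is tested for truthiness and `__new__` returns None exactly when the second tool was found; the line should read `if FirewallBackendSuse.__tool is None or FirewallBackendSuse.__tool2 is None \`. Since every branch of the new early-exit returns None, the SuSEfirewall2 backend can never be instantiated on a host where both tools exist, which matches the 'No supported firewall backend detected.' line quoted above.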
Comment 15 Henrik Andersson cendio 2014-05-06 08:16:27 CEST
(In reply to comment #14)
> Firewall is now broken on SLED11:
> 
> 2014-05-05 04:30:38,658: No supported firewall backend detected.
> 
> I believe the problem is commit r28365. The logic in firewall.py is all wrong:
> 
> -        if FirewallBackendSuse.__tool is not None \
> -                and FirewallBackendSuse.__tool2 is not None \
> -                and os.path.exists("/etc/sysconfig/SuSEfirewall2.d/services"):
> -            return super(FirewallBackendSuse, cls).__new__(cls)
> +        if FirewallBackendSuse.__tool is None or FirewallBackendSuse.__tool2 \
> +           or not os.path.exists("/etc/sysconfig/SuSEfirewall2.d/services"):
> +            return None

Commit r28937 fixes this error.
Comment 16 Samuel Mannehed cendio 2014-05-06 11:22:17 CEST
Closing this; that the issue on SLED is fixed will be verified in bug 3060.