View Issue Details

ID: 0012350
Project: CentOS-7
Category: firewalld
View Status: public
Last Update: 2017-01-20 18:48
Reporter: darrelle
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 7.3.1611
Target Version:
Fixed in Version:
Summary: 0012350: firewalld interface zone assignment lost when using networkmanager
Description: Interface zone assignments are lost following a reboot when using network manager and firewalld. The ifcfg-IFNAME file is modified during boot to remove the "ZONE=" line.
Steps To Reproduce:
- Assign a network manager managed interface to a zone other than the default. This can be done via nmcli, firewall-cmd, or by editing the ifcfg-IFNAME file.
- reboot (two reboots are required if the interface was not up initially)
Additional Information: The removal appears to be due to the following ifdown-post:

# Inform firewall
if [ -x /usr/bin/firewall-cmd -a "${REALDEVICE}" != "lo" ]; then
    /usr/bin/firewall-cmd --remove-interface="${DEVICE}" > /dev/null 2>&1
fi

If the interface is managed by network manager, then the firewall-cmd command actually applies persistently (despite not including --permanent). This modifies ifcfg-IFNAME and the next time the interface comes up the zone goes back to the default one.


Other possibly related issues are:
https://bugs.centos.org/view.php?id=7407
https://bugs.centos.org/view.php?id=7526

These bugs are many years old and appear to be slightly different issues though.
Tags: No tags attached.
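
An added example, not part of the original report: a POSIX shell check that compares the ZONE= line of each ifcfg file with a recorded baseline, so an interface that has silently fallen back to the default zone is noticed after a reboot. The baseline file format ("IFNAME ZONE" per line), the function names and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): flag ifcfg files whose ZONE= line
# was dropped or changed, compared with a recorded baseline.
# Assumption: the baseline is a text file with one "IFNAME ZONE" pair per line.

# zone_of FILE: print the ZONE= value of an ifcfg file (empty if absent).
zone_of() {
    sed -n 's/^[[:space:]]*ZONE=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# check_zones CFGDIR BASELINE: print one line per drifted interface;
# exit status 0 if every interface still has its baseline zone, else 1.
# The body runs in a subshell so its variables stay local.
check_zones() (
    rc=0
    while read -r ifname want; do
        case $ifname in ''|'#'*) continue ;; esac   # skip blanks and comments
        file="$1/ifcfg-$ifname"
        if [ ! -f "$file" ]; then
            echo "$ifname: $file not found (baseline zone: $want)"; rc=1
            continue
        fi
        have=$(zone_of "$file")
        if [ -z "$have" ]; then
            echo "$ifname: ZONE= missing, default zone applies (baseline zone: $want)"; rc=1
        elif [ "$have" != "$want" ]; then
            echo "$ifname: ZONE=$have (baseline zone: $want)"; rc=1
        fi
    done < "$2"
    exit "$rc"
)

# Constructed sample: eth0 keeps its zone, eth1 has lost its ZONE= line
# the way the report describes.
make_sample() {
    mkdir -p "$1"
    printf 'DEVICE=eth0\nONBOOT=yes\nZONE=internal\n' > "$1/ifcfg-eth0"
    printf 'DEVICE=eth1\nONBOOT=yes\n' > "$1/ifcfg-eth1"
    printf '# ifname zone\neth0 internal\neth1 dmz\n' > "$1/baseline"
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_zones "$tmp" "$tmp/baseline" || echo "zone drift detected"
rm -rf "$tmp"
```

On a CentOS 7 host the directory to pass as CFGDIR is /etc/sysconfig/network-scripts, with the baseline recorded before the first reboot.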

Activities

devhen

2016-12-13 04:05

reporter   ~0028125

I'm seeing this bug as well. I have not yet tested on bare metal hardware but several KVM guests using NetworkManager all have this issue after upgrading to 7.3.1611. The only workaround I've found is to disable NetworkManager, add NM_CONTROLLED=no to my ifcfg files, and enable the "network" service.
devhen

2016-12-13 04:22

reporter   ~0028126

This appears to be the upstream RHEL bug report, with several comments and a possible fix in the works:

https://bugzilla.redhat.com/show_bug.cgi?id=1381314
sactobob

2016-12-13 05:03

reporter   ~0028127

I saw similar issues (briefly mentioned in 0012349), the rules were there, but not loading. By taking the output from "firewall-cmd --direct --get-all-rules" and creating a list of removes and adds for my "fix".
darrelle

2016-12-13 17:16

reporter   ~0028130

Thanks for the RHEL link. The upstream firewalld patch mentioned there looks like the answer:

https://github.com/t-woerner/firewalld/commit/636e01137515f3830c655619096e9642651a674c

A workaround that is working for me is to just "chattr +i ifcfg-IFNAME". That way firewalld can't change the file.
DanielJohnson

2017-01-20 15:06

reporter   ~0028430

RHEL has resolved this in updates released 2017-01-17, see https://rhn.redhat.com/errata/RHBA-2017-0103.html . I see that firewalld.noarch v0.4.3.2-8.1.el7_3 is available in the CentOS repos and a test update of a v7.2 system to v7.3-current worked fine, so I think we can mark this as Resolved now.
devhen

2017-01-20 18:48

reporter   ~0028432

Yep, the latest firewalld update seems to have fixed this for me.

Issue History

Date Modified Username Field Change
2016-12-12 23:29 darrelle New Issue
2016-12-13 04:05 devhen Note Added: 0028125
2016-12-13 04:22 devhen Note Added: 0028126
2016-12-13 05:03 sactobob Note Added: 0028127
2016-12-13 17:16 darrelle Note Added: 0028130
2017-01-20 15:06 DanielJohnson Note Added: 0028430
2017-01-20 18:48 devhen Note Added: 0028432