  1. RHEL
  2. RHEL-34206

firewalld sets interface to default zone and removes it automatically after a while


    • Bug
    • Resolution: Done
    • rhel-8.9.0.z, rhel-9.3.0.z
    • NetworkManager
    • rhel-net-mgmt
    • ssg_networking
    • Red Hat Enterprise Linux

      What were you trying to do that didn't work?

      firewalld sets an interface to the default zone if the interface has no connection.zone. However, the interface is removed automatically after a while.

      [root@localhost ~]# date; firewall-cmd --get-active-zone
      Thu Apr 25 08:32:15 EDT 2024
      public
        interfaces: eth0 eth1   <<<---
      [root@localhost ~]# tail -f /var/log/firewalld
      2024-04-25 08:31:58 DEBUG1: config.GetAll('org.fedoraproject.FirewallD1.config')
      2024-04-25 08:31:58 DEBUG1: zone.changeZoneOfInterface('', 'eth0')
      2024-04-25 08:31:58 DEBUG1: Setting zone of interface 'eth0' to 'public'
      2024-04-25 08:31:58 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth0')
      2024-04-25 08:31:58 DEBUG1: zone.ZoneChanged('public', 'eth0')
      2024-04-25 08:31:58 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
      2024-04-25 08:31:58 DEBUG1: Setting zone of interface 'eth1' to 'public'
      2024-04-25 08:31:58 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
      2024-04-25 08:31:58 DEBUG1: zone.ZoneChanged('public', 'eth1')
      2024-04-25 08:32:15 DEBUG1: zone.getActiveZones()
      2024-04-25 08:32:43 DEBUG1: zone.removeInterface('', 'eth1')
      2024-04-25 08:32:43 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
      2024-04-25 08:32:43 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
      2024-04-25 08:32:43 DEBUG1: Setting zone of interface 'eth1' to 'public'
      2024-04-25 08:32:43 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
      2024-04-25 08:32:43 DEBUG1: zone.ZoneChanged('public', 'eth1')
      2024-04-25 08:33:28 DEBUG1: zone.removeInterface('', 'eth1')
      2024-04-25 08:33:28 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
      2024-04-25 08:33:28 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
      2024-04-25 08:33:28 DEBUG1: Setting zone of interface 'eth1' to 'public'
      2024-04-25 08:33:28 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
      2024-04-25 08:33:28 DEBUG1: zone.ZoneChanged('public', 'eth1')
      2024-04-25 08:34:13 DEBUG1: zone.removeInterface('', 'eth1')
      2024-04-25 08:34:13 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
      2024-04-25 08:34:13 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
      2024-04-25 08:34:13 DEBUG1: Setting zone of interface 'eth1' to 'public'
      2024-04-25 08:34:13 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
      2024-04-25 08:34:13 DEBUG1: zone.ZoneChanged('public', 'eth1')
      2024-04-25 08:34:58 DEBUG1: zone.removeInterface('', 'eth1')
      2024-04-25 08:34:58 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
      ^C
      [root@localhost ~]# date; firewall-cmd --get-active-zone
      Thu Apr 25 08:35:06 EDT 2024
      public
        interfaces: eth0   <<<---

      As we can see from the debug log, firewalld sets the interface to the default zone and removes it again a couple of times, and removes the interface from the default zone in the end.

       

      This issue also occurs when the user runs firewall-cmd --change-interface=<IF> --zone=<ZONE>.

      [root@localhost ~]# date; firewall-cmd --get-active-zone
      Thu Apr 25 04:34:44 EDT 2024
      public
        interfaces: eth0 eth1
      [root@localhost ~]# date; firewall-cmd --change-interface=eth1 --zone=work
      Thu Apr 25 04:35:00 EDT 2024
      success
      [root@localhost ~]# tail -f /var/log/firewalld
      2024-04-25 04:34:36 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
      2024-04-25 04:34:36 DEBUG1: zone.ZoneChanged('public', 'eth1')
      2024-04-25 04:34:44 DEBUG1: zone.getActiveZones()
      2024-04-25 04:35:00 DEBUG1: zone.changeZoneOfInterface('work', 'eth1')
      2024-04-25 04:35:00 DEBUG1: Setting zone of interface 'eth1' to 'work'
      2024-04-25 04:35:00 DEBUG1: Applying policy (zone_work_HOST) derived from zone 'work'
      2024-04-25 04:35:00 DEBUG1: Applying policy (zone_ANY_work) derived from zone 'work'
      2024-04-25 04:35:00 DEBUG1: Applying policy (zone_work_ANY) derived from zone 'work'
      2024-04-25 04:35:00 DEBUG1: zone.ZoneOfInterfaceChanged('work', 'eth1')
      2024-04-25 04:35:00 DEBUG1: zone.ZoneChanged('work', 'eth1')
      2024-04-25 04:35:22 DEBUG1: zone.removeInterface('', 'eth1')
      2024-04-25 04:35:22 DEBUG1: zone.InterfaceRemoved('work', 'eth1')
      2024-04-25 04:35:22 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
      2024-04-25 04:35:22 DEBUG1: Setting zone of interface 'eth1' to 'public'
      2024-04-25 04:35:22 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
      2024-04-25 04:35:22 DEBUG1: zone.ZoneChanged('public', 'eth1')
      2024-04-25 04:36:07 DEBUG1: zone.removeInterface('', 'eth1')
      2024-04-25 04:36:07 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
      2024-04-25 04:36:07 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
      2024-04-25 04:36:07 DEBUG1: Setting zone of interface 'eth1' to 'public'
      2024-04-25 04:36:07 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
      2024-04-25 04:36:07 DEBUG1: zone.ZoneChanged('public', 'eth1')
      2024-04-25 04:36:52 DEBUG1: zone.removeInterface('', 'eth1')
      2024-04-25 04:36:52 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
      2024-04-25 04:36:52 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
      2024-04-25 04:36:52 DEBUG1: Setting zone of interface 'eth1' to 'public'
      2024-04-25 04:36:52 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
      2024-04-25 04:36:52 DEBUG1: zone.ZoneChanged('public', 'eth1')
      2024-04-25 04:37:37 DEBUG1: zone.removeInterface('', 'eth1')
      2024-04-25 04:37:37 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
      ^C
      [root@localhost ~]# date; firewall-cmd --get-active-zone
      Thu Apr 25 04:39:04 EDT 2024
      public
        interfaces: eth0 

      In this situation, firewalld sets zone=work on eth1, then removes it and sets the default zone on eth1 again. The default zone for eth1 is removed and set repeatedly, and then eth1 is removed completely from the default zone.

      Please provide the package NVR for which bug is seen:

      firewalld-1.2.5-2.el9_3.noarch

      This issue occurs with the later version in RHEL9 and RHEL8 (possibly RHEL7).

      How reproducible:

      Steps to reproduce

      1. Boot up the system with an interface that has no connection.zone configuration.
      2. Check that the interface is in the default zone.
      3. Wait for 1 - 2 min.
      4. Check again whether the interface has been removed from the default zone.

      Expected results

      The interface should always be in the default zone if connection.zone has not been set for the interface, like this:

      # firewall-cmd --get-active-zone
      public
        interfaces: eth0 eth1 

      Actual results

      The interface is removed automatically without the user realizing it.

      # firewall-cmd --get-active-zone
      public
        interfaces: eth0

       

              nm-team Network Management Team
              rhn-support-ryasuoka Ryosuke Yasuoka
              Network Management Team Network Management Team
              Vladimir Benes Vladimir Benes
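
The zone flapping in the report can be detected from the firewalld debug log itself. The following is an added example, not part of the original report or of firewalld: it replays the `ZoneOfInterfaceChanged` and `InterfaceRemoved` signal lines shown above and reports interfaces that drifted off an assigned zone or ended up in no zone. The function names and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the DEBUG1 format shown in the report above.
SAMPLE_LOG = """\
2024-04-25 04:34:36 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth0')
2024-04-25 04:35:00 DEBUG1: zone.changeZoneOfInterface('work', 'eth1')
2024-04-25 04:35:00 DEBUG1: zone.ZoneOfInterfaceChanged('work', 'eth1')
2024-04-25 04:35:22 DEBUG1: zone.removeInterface('', 'eth1')
2024-04-25 04:35:22 DEBUG1: zone.InterfaceRemoved('work', 'eth1')
2024-04-25 04:35:22 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 04:36:07 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
2024-04-25 04:36:07 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 04:36:52 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
"""

# Only the emitted signals carry the resolved zone name; the request lines
# (changeZoneOfInterface / removeInterface) may carry '' and are ignored.
EVENT = re.compile(
    r"^(\S+ \S+) DEBUG1: zone\.(ZoneOfInterfaceChanged|InterfaceRemoved)"
    r"\('([^']*)', '([^']*)'\)")

def audit_zone_log(text):
    """Replay signal lines and return the per-interface zone state."""
    report = defaultdict(
        lambda: {"zone": None, "history": [], "removals": 0, "last": None})
    for line in text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        ts, event, zone, iface = m.groups()
        entry = report[iface]
        entry["last"] = ts
        if event == "InterfaceRemoved":
            entry["zone"] = None          # interface is now in no zone
            entry["removals"] += 1
        else:
            entry["zone"] = zone
            entry["history"].append(zone)
    return dict(report)

def unzoned(report):
    """Interfaces whose last recorded event left them without a zone."""
    return sorted(i for i, e in report.items() if e["zone"] is None)

if __name__ == "__main__":
    for iface, e in sorted(audit_zone_log(SAMPLE_LOG).items()):
        print(iface, e["zone"] or "NO ZONE",
              "removals=%d" % e["removals"], "last=" + e["last"])
```

Comparing `history` against the intended zone also exposes the second case in the report, where `eth1` was assigned to `work` and silently moved back to `public` before being removed.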