Loading...

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: rhel-8.5.0
Component/s: firewalld
Labels:
- MigratedToJIRA

Regression:
None
Severity:
Low

AssignedTeam:
rhel-net-firewall
Sub-System Group:

ssg_networking

Story Points:
15
Blocked:
False
Ready:
False
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
Bug Fix
Release Note Text:

Hide
Cause (the user action or circumstances that trigger the bug):
Consequence (what the user experience is when the bug occurs):
Fix (what has changed to fix the bug; do not include overly technical details):
Result (what happens now that the patch is applied):

Show
Cause (the user action or circumstances that trigger the bug): Consequence (what the user experience is when the bug occurs): Fix (what has changed to fix the bug; do not include overly technical details): Result (what happens now that the patch is applied):
Release Note Status:
Proposed

Experience:
Architecture:

Unspecified
Bugzilla Bug:
RHBZ: 2058221

PX Impact Score:
PX Priority Data:
PX Review Complete:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None
Internal Target Milestone numeric:
57,005

Description of problem:

When adding a timeout to a service inside a policy, the timeout is not recognized. The service remains allowed until the firewall rules are reloaded or the system rebooted.

Upstream Bug: https://github.com/firewalld/firewalld/issues/1381

Version-Release number of selected component (if applicable):

firewalld-0.9.3-7.el8.noarch

How reproducible:

Very

Steps to Reproduce:
1. Have a firewalld policy
2. Add a service with a timeout to the policy
3. Note that firewall-cmd accepts the command with no complaints/errors

Actual results:

The service is not removed from the policy unless the rules are reloaded

[root@rhel8 ~]# firewall-cmd --policy any-to-external --add-service https --timeout 15s
success

[root@rhel8 ~]# date
Thu Feb 24 09:12:47 EST 2022

[root@rhel8 ~]# firewall-cmd --list-all-policies
allow-host-ipv6 (active)
priority: -15000
target: CONTINUE
ingress-zones: ANY
egress-zones: HOST
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" icmp-type name="neighbour-advertisement" accept
rule family="ipv6" icmp-type name="neighbour-solicitation" accept
rule family="ipv6" icmp-type name="router-advertisement" accept
rule family="ipv6" icmp-type name="redirect" accept

any-to-external
priority: -1
target: CONTINUE
ingress-zones:
egress-zones: ANY
services: https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@rhel8 ~]# date
Thu Feb 24 09:24:10 EST 2022

[root@rhel8 ~]# firewall-cmd --list-all-policies
allow-host-ipv6 (active)
priority: -15000
target: CONTINUE
ingress-zones: ANY
egress-zones: HOST
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" icmp-type name="neighbour-advertisement" accept
rule family="ipv6" icmp-type name="neighbour-solicitation" accept
rule family="ipv6" icmp-type name="router-advertisement" accept
rule family="ipv6" icmp-type name="redirect" accept

any-to-external
priority: -1
target: CONTINUE
ingress-zones:
egress-zones: ANY
services: https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Expected results:

The service is removed from the policy after the timeout

Additional info:

If timeouts aren't allowed with policies, then the command should fail.

account is impacted by

RHEL-95705 Firewalld --timeout argument does not work for policies

Planning

external trackers

Red Hat Customer Portal 03151957

Red Hat Issue Tracker RHELPLAN-113668

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates