...
What were you trying to do that didn't work?

firewalld sets an interface to the default zone if the interface has no connection.zone. However, the interface is removed automatically after a while.

[root@localhost ~]# date; firewall-cmd --get-active-zone
Thu Apr 25 08:32:15 EDT 2024
public
  interfaces: eth0 eth1 <<<---

[root@localhost ~]# tail -f /var/log/firewalld
2024-04-25 08:31:58 DEBUG1: config.GetAll('org.fedoraproject.FirewallD1.config')
2024-04-25 08:31:58 DEBUG1: zone.changeZoneOfInterface('', 'eth0')
2024-04-25 08:31:58 DEBUG1: Setting zone of interface 'eth0' to 'public'
2024-04-25 08:31:58 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth0')
2024-04-25 08:31:58 DEBUG1: zone.ZoneChanged('public', 'eth0')
2024-04-25 08:31:58 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
2024-04-25 08:31:58 DEBUG1: Setting zone of interface 'eth1' to 'public'
2024-04-25 08:31:58 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 08:31:58 DEBUG1: zone.ZoneChanged('public', 'eth1')
2024-04-25 08:32:15 DEBUG1: zone.getActiveZones()
2024-04-25 08:32:43 DEBUG1: zone.removeInterface('', 'eth1')
2024-04-25 08:32:43 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
2024-04-25 08:32:43 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
2024-04-25 08:32:43 DEBUG1: Setting zone of interface 'eth1' to 'public'
2024-04-25 08:32:43 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 08:32:43 DEBUG1: zone.ZoneChanged('public', 'eth1')
2024-04-25 08:33:28 DEBUG1: zone.removeInterface('', 'eth1')
2024-04-25 08:33:28 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
2024-04-25 08:33:28 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
2024-04-25 08:33:28 DEBUG1: Setting zone of interface 'eth1' to 'public'
2024-04-25 08:33:28 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 08:33:28 DEBUG1: zone.ZoneChanged('public', 'eth1')
2024-04-25 08:34:13 DEBUG1: zone.removeInterface('', 'eth1')
2024-04-25 08:34:13 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
2024-04-25 08:34:13 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
2024-04-25 08:34:13 DEBUG1: Setting zone of interface 'eth1' to 'public'
2024-04-25 08:34:13 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 08:34:13 DEBUG1: zone.ZoneChanged('public', 'eth1')
2024-04-25 08:34:58 DEBUG1: zone.removeInterface('', 'eth1')
2024-04-25 08:34:58 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
^C

[root@localhost ~]# date; firewall-cmd --get-active-zone
Thu Apr 25 08:35:06 EDT 2024
public
  interfaces: eth0 <<<---

As we can see from the debug log, firewalld tries to set and remove the interface from the default zone a couple of times, and removes the interface from the default zone in the end.

This issue also occurs when a user runs firewall-cmd --change-interface=<IF> --zone=<ZONE>.

[root@localhost ~]# date; firewall-cmd --get-active-zone
Thu Apr 25 04:34:44 EDT 2024
public
  interfaces: eth0 eth1

[root@localhost ~]# date; firewall-cmd --change-interface=eth1 --zone=work
Thu Apr 25 04:35:00 EDT 2024
success

[root@localhost ~]# tail -f /var/log/firewalld
2024-04-25 04:34:36 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 04:34:36 DEBUG1: zone.ZoneChanged('public', 'eth1')
2024-04-25 04:34:44 DEBUG1: zone.getActiveZones()
2024-04-25 04:35:00 DEBUG1: zone.changeZoneOfInterface('work', 'eth1')
2024-04-25 04:35:00 DEBUG1: Setting zone of interface 'eth1' to 'work'
2024-04-25 04:35:00 DEBUG1: Applying policy (zone_work_HOST) derived from zone 'work'
2024-04-25 04:35:00 DEBUG1: Applying policy (zone_ANY_work) derived from zone 'work'
2024-04-25 04:35:00 DEBUG1: Applying policy (zone_work_ANY) derived from zone 'work'
2024-04-25 04:35:00 DEBUG1: zone.ZoneOfInterfaceChanged('work', 'eth1')
2024-04-25 04:35:00 DEBUG1: zone.ZoneChanged('work', 'eth1')
2024-04-25 04:35:22 DEBUG1: zone.removeInterface('', 'eth1')
2024-04-25 04:35:22 DEBUG1: zone.InterfaceRemoved('work', 'eth1')
2024-04-25 04:35:22 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
2024-04-25 04:35:22 DEBUG1: Setting zone of interface 'eth1' to 'public'
2024-04-25 04:35:22 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 04:35:22 DEBUG1: zone.ZoneChanged('public', 'eth1')
2024-04-25 04:36:07 DEBUG1: zone.removeInterface('', 'eth1')
2024-04-25 04:36:07 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
2024-04-25 04:36:07 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
2024-04-25 04:36:07 DEBUG1: Setting zone of interface 'eth1' to 'public'
2024-04-25 04:36:07 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 04:36:07 DEBUG1: zone.ZoneChanged('public', 'eth1')
2024-04-25 04:36:52 DEBUG1: zone.removeInterface('', 'eth1')
2024-04-25 04:36:52 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
2024-04-25 04:36:52 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
2024-04-25 04:36:52 DEBUG1: Setting zone of interface 'eth1' to 'public'
2024-04-25 04:36:52 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 04:36:52 DEBUG1: zone.ZoneChanged('public', 'eth1')
2024-04-25 04:37:37 DEBUG1: zone.removeInterface('', 'eth1')
2024-04-25 04:37:37 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
^C

[root@localhost ~]# date; firewall-cmd --get-active-zone
Thu Apr 25 04:39:04 EDT 2024
public
  interfaces: eth0

In this situation, firewalld sets zone=work on eth1, then removes and sets the default zone on eth1 again. The default zone for eth1 is removed and set repeatedly, and then eth1 is removed completely from the default zone.

Please provide the package NVR for which bug is seen:

firewalld-1.2.5-2.el9_3.noarch

This issue occurs with the later version in RHEL9 and RHEL8 (possibly RHEL7).

How reproducible:

Steps to reproduce

1. Boot up the system with an interface that has no connection.zone configuration.
2. Check that the interface is in the default zone.
3. Wait for 1 - 2 min.
4. Check again whether the interface has been removed from the default zone.

Expected results

The interface should always be in the default zone if the interface has not been set connection.zone, like this:

# firewall-cmd --get-active-zone
public
  interfaces: eth0 eth1

Actual results

The interface is removed automatically without realizing.

# firewall-cmd --get-active-zone
public
  interfaces: eth0
Done
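
The behaviour in the logs above can be checked mechanically. The following is an added example, not part of the original report or of firewalld: it replays the zone events from a firewalld debug log and flags interfaces that end up bound to no zone, that were removed repeatedly, or that lost an explicitly requested zone. The function names, flag names and the removal threshold are assumptions; the sample is abridged from the second log in the report.

```python
import re
from collections import defaultdict

# Zone events in firewalld's DEBUG1 log, in the format shown in the report.
EVENT = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d DEBUG1: zone\."
    r"(?P<ev>changeZoneOfInterface|ZoneOfInterfaceChanged|InterfaceRemoved)"
    r"\('(?P<zone>[^']*)', '(?P<iface>[^']+)'\)")

# Abridged from the report's second log (eth1 moved to zone 'work').
SAMPLE_LOG = """\
2024-04-25 04:34:36 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 04:35:00 DEBUG1: zone.changeZoneOfInterface('work', 'eth1')
2024-04-25 04:35:00 DEBUG1: zone.ZoneOfInterfaceChanged('work', 'eth1')
2024-04-25 04:35:22 DEBUG1: zone.InterfaceRemoved('work', 'eth1')
2024-04-25 04:35:22 DEBUG1: zone.changeZoneOfInterface('', 'eth1')
2024-04-25 04:35:22 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1')
2024-04-25 04:37:37 DEBUG1: zone.removeInterface('', 'eth1')
2024-04-25 04:37:37 DEBUG1: zone.InterfaceRemoved('public', 'eth1')
"""

def replay(log_text):
    """Replay zone events and return the final binding state per interface."""
    state = defaultdict(
        lambda: {"zone": None, "requested": None, "removals": 0})
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue  # calls such as getActiveZones() change no binding
        s = state[m["iface"]]
        if m["ev"] == "changeZoneOfInterface":
            # '' names no zone; only a named zone counts as a request
            s["requested"] = m["zone"] or s["requested"]
        elif m["ev"] == "ZoneOfInterfaceChanged":
            s["zone"] = m["zone"]
        else:  # InterfaceRemoved
            s["zone"], s["removals"] = None, s["removals"] + 1
    return dict(state)

def findings(state, flap_threshold=2):
    """Map interface -> flags; flap_threshold is an assumed cut-off."""
    out = {}
    for iface, s in sorted(state.items()):
        checks = (("unbound", s["zone"] is None),
                  ("flapping", s["removals"] >= flap_threshold),
                  ("lost-requested-zone",
                   bool(s["requested"]) and s["zone"] != s["requested"]))
        flags = [name for name, hit in checks if hit]
        if flags:
            out[iface] = flags
    return out
```

Running `findings(replay(open("/var/log/firewalld").read()))` on a host with debug logging enabled gives the same view as comparing `firewall-cmd --get-active-zone` output over time, without having to wait for the interface to drop out.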