BugZero | Red Hat BugID RHEL-34206 - firewalld sets interface to default zone and remov...

Red Hat - Defect ID: RHEL-34206

firewalld sets interface to default zone and removes it automatically after a while

Red Hat - Defect ID: RHEL-34206

firewalld sets interface to default zone and removes it automatically after a while

Last updated on 5/31/2024

Overall: 88.0

Severity: 8.28.2

Community: 6.96.9

Lifecycle: 9.49.4

What is the BugZero Risk Score?

Vendor details

Priority: Undefined
Status: Closed
Impact Category: NetworkManager

Overall: 88.0

Severity: 8.28.2

Community: 6.96.9

Lifecycle: 9.49.4

What is the BugZero Risk Score?

Vendor details

Priority: Undefined
Status: Closed
Impact Category: NetworkManager

Issue

What were you trying to do that didn't work? firewalld sets a interface to the default zone if the interface has no connection.zone. However, the interface is removed automatically after a while. [root@localhost ~]# date; firewall-cmd --get-active-zone Thu Apr 25 08:32:15 EDT 2024 public interfaces: eth0 eth1 <<<--- [root@localhost ~]# tail -f /var/log/firewalld 2024-04-25 08:31:58 DEBUG1: config.GetAll('org.fedoraproject.FirewallD1.config') 2024-04-25 08:31:58 DEBUG1: zone.changeZoneOfInterface('', 'eth0') 2024-04-25 08:31:58 DEBUG1: Setting zone of interface 'eth0' to 'public' 2024-04-25 08:31:58 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth0') 2024-04-25 08:31:58 DEBUG1: zone.ZoneChanged('public', 'eth0') 2024-04-25 08:31:58 DEBUG1: zone.changeZoneOfInterface('', 'eth1') 2024-04-25 08:31:58 DEBUG1: Setting zone of interface 'eth1' to 'public' 2024-04-25 08:31:58 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1') 2024-04-25 08:31:58 DEBUG1: zone.ZoneChanged('public', 'eth1') 2024-04-25 08:32:15 DEBUG1: zone.getActiveZones() 2024-04-25 08:32:43 DEBUG1: zone.removeInterface('', 'eth1') 2024-04-25 08:32:43 DEBUG1: zone.InterfaceRemoved('public', 'eth1') 2024-04-25 08:32:43 DEBUG1: zone.changeZoneOfInterface('', 'eth1') 2024-04-25 08:32:43 DEBUG1: Setting zone of interface 'eth1' to 'public' 2024-04-25 08:32:43 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1') 2024-04-25 08:32:43 DEBUG1: zone.ZoneChanged('public', 'eth1') 2024-04-25 08:33:28 DEBUG1: zone.removeInterface('', 'eth1') 2024-04-25 08:33:28 DEBUG1: zone.InterfaceRemoved('public', 'eth1') 2024-04-25 08:33:28 DEBUG1: zone.changeZoneOfInterface('', 'eth1') 2024-04-25 08:33:28 DEBUG1: Setting zone of interface 'eth1' to 'public' 2024-04-25 08:33:28 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1') 2024-04-25 08:33:28 DEBUG1: zone.ZoneChanged('public', 'eth1') 2024-04-25 08:34:13 DEBUG1: zone.removeInterface('', 'eth1') 2024-04-25 08:34:13 DEBUG1: zone.InterfaceRemoved('public', 'eth1') 2024-04-25 08:34:13 DEBUG1: zone.changeZoneOfInterface('', 'eth1') 2024-04-25 08:34:13 DEBUG1: Setting zone of interface 'eth1' to 'public' 2024-04-25 08:34:13 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1') 2024-04-25 08:34:13 DEBUG1: zone.ZoneChanged('public', 'eth1') 2024-04-25 08:34:58 DEBUG1: zone.removeInterface('', 'eth1') 2024-04-25 08:34:58 DEBUG1: zone.InterfaceRemoved('public', 'eth1') ^C [root@localhost ~]# date; firewall-cmd --get-active-zone Thu Apr 25 08:35:06 EDT 2024 public interfaces: eth0 <<<--- As we can see from the debug log, firewalld tries to set and remove from default zone couple of times, and remove the interface from default zone in the end. This issue also occurs when user runs firewall-cmd --change-interface=<IF> --zone=<ZONE>. [root@localhost ~]# date; firewall-cmd --get-active-zone Thu Apr 25 04:34:44 EDT 2024 public interfaces: eth0 eth1 [root@localhost ~]# date; firewall-cmd --change-interface=eth1 --zone=work Thu Apr 25 04:35:00 EDT 2024 success [root@localhost ~]# tail -f /var/log/firewalld 2024-04-25 04:34:36 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1') 2024-04-25 04:34:36 DEBUG1: zone.ZoneChanged('public', 'eth1') 2024-04-25 04:34:44 DEBUG1: zone.getActiveZones() 2024-04-25 04:35:00 DEBUG1: zone.changeZoneOfInterface('work', 'eth1') 2024-04-25 04:35:00 DEBUG1: Setting zone of interface 'eth1' to 'work' 2024-04-25 04:35:00 DEBUG1: Applying policy (zone_work_HOST) derived from zone 'work' 2024-04-25 04:35:00 DEBUG1: Applying policy (zone_ANY_work) derived from zone 'work' 2024-04-25 04:35:00 DEBUG1: Applying policy (zone_work_ANY) derived from zone 'work' 2024-04-25 04:35:00 DEBUG1: zone.ZoneOfInterfaceChanged('work', 'eth1') 2024-04-25 04:35:00 DEBUG1: zone.ZoneChanged('work', 'eth1') 2024-04-25 04:35:22 DEBUG1: zone.removeInterface('', 'eth1') 2024-04-25 04:35:22 DEBUG1: zone.InterfaceRemoved('work', 'eth1') 2024-04-25 04:35:22 DEBUG1: zone.changeZoneOfInterface('', 'eth1') 2024-04-25 04:35:22 DEBUG1: Setting zone of interface 'eth1' to 'public' 2024-04-25 04:35:22 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1') 2024-04-25 04:35:22 DEBUG1: zone.ZoneChanged('public', 'eth1') 2024-04-25 04:36:07 DEBUG1: zone.removeInterface('', 'eth1') 2024-04-25 04:36:07 DEBUG1: zone.InterfaceRemoved('public', 'eth1') 2024-04-25 04:36:07 DEBUG1: zone.changeZoneOfInterface('', 'eth1') 2024-04-25 04:36:07 DEBUG1: Setting zone of interface 'eth1' to 'public' 2024-04-25 04:36:07 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1') 2024-04-25 04:36:07 DEBUG1: zone.ZoneChanged('public', 'eth1') 2024-04-25 04:36:52 DEBUG1: zone.removeInterface('', 'eth1') 2024-04-25 04:36:52 DEBUG1: zone.InterfaceRemoved('public', 'eth1') 2024-04-25 04:36:52 DEBUG1: zone.changeZoneOfInterface('', 'eth1') 2024-04-25 04:36:52 DEBUG1: Setting zone of interface 'eth1' to 'public' 2024-04-25 04:36:52 DEBUG1: zone.ZoneOfInterfaceChanged('public', 'eth1') 2024-04-25 04:36:52 DEBUG1: zone.ZoneChanged('public', 'eth1') 2024-04-25 04:37:37 DEBUG1: zone.removeInterface('', 'eth1') 2024-04-25 04:37:37 DEBUG1: zone.InterfaceRemoved('public', 'eth1') ^C [root@localhost ~]# date; firewall-cmd --get-active-zone Thu Apr 25 04:39:04 EDT 2024 public interfaces: eth0 In this situation, firewalld sets zone=work to eth1, and removes and sets again default zone to eth1. The default zone for eth1 is removed and set repeatedly, and then eth1 is removed completely from default zone. Please provide the package NVR for which bug is seen: firewalld-1.2.5-2.el9_3.noarch this issue occurs with the later version in RHEL9 and RHEL8 (possibly RHEL7) How reproducible: Steps to reproduce boot up the system with an interface that has no connection.zone configuration. check the interface is in default zone. wait for 1 - 2 min check again if the interface is removed from default zone. Expected results The interface should always be in default zone if the interface has not been set connection.zone like this; # firewall-cmd --get-active-zone public interfaces: eth0 eth1 Actual results The interface is removed automatically without realizing. # firewall-cmd --get-active-zone public interfaces: eth0

Release Notes

No. of Comments

Resolution

Done

No bugs this month

Ready to prevent the next vendor outage?

Get a demo

OPERATIONAL DEFECT DATABASE

Red Hat - Defect ID: RHEL-34206

firewalld sets interface to default zone and removes it automatically after a while

Red Hat - Defect ID: RHEL-34206

firewalld sets interface to default zone and removes it automatically after a while

Last updated on 5/31/2024

Vendor details

Vendor details

Description

Issue

Release Notes

No. of Comments

Resolution

Links

Top Red Hat defects by risk score

Ready to prevent the next vendor outage?