From 680fc277f90e5a8286016c644b40f8178bf50b12 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 7 Dec 2018 14:09:28 -0500
Subject: [PATCH 16/34] fw: on reload() retain interfaces from NetworkManager

With FlushAllOnReload=yes the interface to zone assignment controlled by
NM was being lost during a reload. This is because these assignments are
"runtime" from firewalld's point of view. Lets query NM for its
assignments during a reload and reapply them.

Also add test coverage for FlushAllOnReload=yes.

Fixes: rhbz 1656962
Fixes: 242bc4e2e20c ("Add "FlushAllOnReload" config option")
(cherry picked from commit cd97204a06f3243b789d4213f5bd888b0b156f88)
---
 src/firewall/core/fw.py             |  8 ++++++++
 src/tests/regression/rhbz1498923.at | 12 ++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 7e6255f77398..4ec2087ec48d 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -42,6 +42,7 @@ from firewall.core.fw_policies import FirewallPolicies
 from firewall.core.fw_ipset import FirewallIPSet
 from firewall.core.fw_transaction import FirewallTransaction
 from firewall.core.fw_helper import FirewallHelper
+from firewall.core.fw_nm import nm_get_bus_name, nm_get_interfaces_in_zone
 from firewall.core.logger import log
 from firewall.core.io.firewalld_conf import firewalld_conf
 from firewall.core.io.direct import Direct
@@ -1035,6 +1036,13 @@ class Firewall(object):
             # restore direct config
             self.direct.set_config(_direct_config)
 
+        # Restore permanent interfaces from NetworkManager
+        nm_bus_name = nm_get_bus_name()
+        if nm_bus_name:
+            for zone in self.zone.get_zones():
+                for interface in nm_get_interfaces_in_zone(zone):
+                    self.zone.add_interface(zone, interface, sender=nm_bus_name)
+
         # enable panic mode again if it has been enabled before or set policy
         # to ACCEPT
         if _panic:
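Review bot: The new restore loop at `self.zone.add_interface(zone, interface, sender=nm_bus_name)` has no error handling, so a `FirewallError` from one interface (presumably ALREADY_ENABLED or ZONE_CONFLICT when the same interface is also bound by permanent zone config, or a D-Bus failure if NM goes away between `nm_get_bus_name()` and `nm_get_interfaces_in_zone()`) would propagate out of reload() after the rules are already applied and leave the restore partly done. A best-effort pattern fits better here, e.g. `try: self.zone.add_interface(zone, interface, sender=nm_bus_name)` / `except FirewallError as e: log.warning("Failed to restore NM interface %s in zone %s: %s", interface, zone, e)`, assuming `FirewallError` is importable in this module as it is elsewhere in firewalld. The comment `# Restore permanent interfaces from NetworkManager` is also misleading given the description says these are runtime assignments from firewalld's view; `# Re-apply NM-managed interface/zone assignments, which the reload flushed as runtime state` would be clearer. The enclosing reload() method starts and ends outside this hunk.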
diff --git a/src/tests/regression/rhbz1498923.at b/src/tests/regression/rhbz1498923.at
index ed1022fb0ca4..70f7a6036b8f 100644
--- a/src/tests/regression/rhbz1498923.at
+++ b/src/tests/regression/rhbz1498923.at
@@ -1,4 +1,16 @@
 FWD_START_TEST([invalid direct rule causes reload error])
+dnl Verify runtime interface to zone assignment is gone after reload
+AT_CHECK([sed -i 's/^FlushAllOnReload.*/FlushAllOnReload=yes/' ./firewalld.conf])
+FWD_RELOAD
+FWD_CHECK([-q --zone=public --add-interface=foobar0])
+FWD_CHECK([--get-zone-of-interface=foobar0], 0, [dnl
+public
+])
+FWD_RELOAD
+FWD_CHECK([--get-zone-of-interface=foobar0], 2, [], [dnl
+no zone
+])
+
 dnl Below we test retention of some items applicable to FlushAllOnReload=no
 AT_CHECK([sed -i 's/^FlushAllOnReload.*/FlushAllOnReload=no/' ./firewalld.conf])
 FWD_RELOAD
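Review bot: The added test only checks that a non-NM runtime assignment is dropped after reload with FlushAllOnReload=yes; it does not exercise the NM restore path this commit introduces, presumably because the autotest harness runs without NetworkManager. A one-line comment stating that limitation, e.g. `dnl NM-managed interfaces are expected to survive this reload (rhbz 1656962) but are not covered here`, would keep the next reader from assuming the regression is guarded. The FWD_START_TEST block continues past the end of this hunk.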
-- 
2.18.0