commit 636e01137515f3830c655619096e9642651a674c
Author: Thomas Woerner <twoerner@redhat.com>
Date:   Thu Dec 1 12:02:55 2016 +0100

    firewall.core.fw_zone: Do not reset ZONE with ifdown
    
    On reboot or shutdown the zone has been reset to default if the network
    service is enabled and controlling the interface.
    
    The call of firewall-cmd --remove-interface in ifdown.post is now only removing
    the zone binding in the firewall, but not modifying the ifcfg file anymore.
    
    This fixes RHBZ#1381314

diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml
index 3503df4..c9d8ef5 100644
--- a/doc/xml/firewall-cmd.xml
+++ b/doc/xml/firewall-cmd.xml
@@ -896,7 +896,12 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
 	  <listitem>
 	    <para>
 	      If the interface is under control of NetworkManager, it is at first connected to change the zone for the connection that is using the interface. If this fails, the zone binding is created in firewalld and the limitations below apply.
-For interfaces that are not under control of NetworkManager, firewalld tries to change the ZONE setting in the ifcfg file, if the file exists.
+	    </para>
+	    <para>
+	      For the addion or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.
+	    </para>
+	    <para>
+	      Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone. Only the zone binding is then removed in firewalld then.
 	    </para>
 	    <para>
 	      Remove binding of interface <replaceable>interface</replaceable> from zone it was previously added to.
diff --git a/doc/xml/firewallctl.xml b/doc/xml/firewallctl.xml
index 11b5e60..30be89f 100644
--- a/doc/xml/firewallctl.xml
+++ b/doc/xml/firewallctl.xml
@@ -550,7 +550,6 @@
 	    </para>
 	    <para>
 	      If the interface is under control of NetworkManager, it is at first connected to change the zone for the connection that is using the interface for new or changed interface bindings. If the setting in NetworkManager fails, the zone binding is created or changed in firewalld and the limitations below apply.
-For interfaces that are not under control of NetworkManager, firewalld tries to change the ZONE setting in the ifcfg file, if the file exists.
 	    </para>
 	    <para>
 	      As a end user you don't need to create or change zone bindings of interfaces in most cases, because NetworkManager (or legacy network service) adds interfaces into zones automatically (according to <option>ZONE=</option> option from ifcfg-<replaceable>interface</replaceable> file) if <replaceable>NM_CONTROLLED=no</replaceable> is not set.
@@ -559,6 +558,12 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
 	      Please also have a look at the <citerefentry><refentrytitle>firewalld</refentrytitle><manvolnum>1</manvolnum></citerefentry> man page in the <replaceable>Concepts</replaceable> section.
 	      For permanent association of interface with a zone, see also 'How to set or change a zone for a connection?' in <citerefentry><refentrytitle>firewalld.zones</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
 	    </para>
+	    <para>
+	      For the addion or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.
+	    </para>
+	    <para>
+	      Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone. Only the zone binding is then removed in firewalld then.
+	    </para>
 	  </listitem>
 	</varlistentry>
 
diff --git a/doc/xml/firewalld.zones.xml b/doc/xml/firewalld.zones.xml
index 2f81a8a..387cf6b 100644
--- a/doc/xml/firewalld.zones.xml
+++ b/doc/xml/firewalld.zones.xml
@@ -223,6 +223,12 @@
       <para>
        If the connection is controlled by NetworkManager, you can also use <command>nm-connection-editor</command> to change the zone.
       </para>
+      <para>
+	For the addion or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.
+      </para>
+      <para>
+	Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone. Only the zone binding is then removed in firewalld then.
+      </para>
     </refsect2>
 
   </refsect1>
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index e4fdecf..098eed9 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -671,7 +671,11 @@ class FirewallZone(object):
         zone_transaction.add_post(self.__unregister_interface, _obj,
                                   interface_id)
 
-        zone_transaction.add_post(ifcfg_set_zone_of_interface, "", interface)
+        # Do not reset ZONE with ifdown
+        # On reboot or shutdown the zone has been reset to default
+        # if the network service is enabled and controlling the
+        # interface (RHBZ#1381314)
+        #zone_transaction.add_post(ifcfg_set_zone_of_interface, "", interface)
 
         if use_zone_transaction is None:
             zone_transaction.execute(True)
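Review bot: The disabled call is left behind as commented-out code (`#zone_transaction.add_post(ifcfg_set_zone_of_interface, "", interface)`), and the comment above it recounts the old bug instead of stating the contract the method now has. I would delete the dead line and replace the comment with something like `# Runtime-only removal: ZONE= in the ifcfg file is deliberately left untouched so ifdown.post cannot reset it (RHBZ#1381314)`. Because the call is dropped for every caller and not only for ifdown.post, an explicit `--remove-interface` on an interface outside NetworkManager's control now also leaves the old ZONE= on disk, so the interface presumably returns to that zone on the next ifup; the comment should say so, since the previous zone may be more permissive than the default. The enclosing method starts and ends outside the hunk, so it is not visible here whether `ifcfg_set_zone_of_interface` is still used elsewhere in the file or has become an unused import.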

commit fe6cf16e5a5ef3e49cdb554af8cf18024371554a
Author: Thomas Woerner <twoerner@redhat.com>
Date:   Thu Oct 6 15:07:37 2016 +0200

    firewall.core.io.ifcfg: Use .bak for save files

diff --git a/src/firewall/core/io/ifcfg.py b/src/firewall/core/io/ifcfg.py
index e145f49..6ae0302 100644
--- a/src/firewall/core/io/ifcfg.py
+++ b/src/firewall/core/io/ifcfg.py
@@ -179,7 +179,7 @@ class ifcfg(object):
         # make backup
         if os.path.exists(self.filename):
             try:
-                shutil.copy2(self.filename, "%s.old" % self.filename)
+                shutil.copy2(self.filename, "%s.bak" % self.filename)
             except Exception as msg:
                 os.remove(temp_file.name)
                 raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))