Enhancement #2873

Handle nethserver-firewall-base uninstallation

Added by Giacomo Sanchietti about 5 years ago. Updated about 5 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%

Category: nethserver-firewall-base
Target version: v6.5
Resolution:
NEEDINFO: No

Description

The nethserver-firewall-base package sets the property firewall[event] to nethserver-firewall-base-save just after installation.
This behavior disables lokkit and enables shorewall.

If nethserver-firewall-base is uninstalled, the property is not reset to the previous value (lokkit-save).
To work around the problem, it's possible to add a script inside the %post section of the nethserver-firewall-base rpm: on uninstall, execute a setprop command to reset the firewall[event] property.


Related issues

Related to NethServer 6 - Feature #2861: Shorewall: enable green-only mode CLOSED
Related to NethServer 6 - Enhancement #2872: System initialization: change default ip addresses CLOSED

Associated revisions

Revision 1bbdcb0c
Added by Giacomo Sanchietti about 5 years ago

spec: provides nethserver-firewall. Refs #2873

Revision 9be8d744
Added by Giacomo Sanchietti about 5 years ago

firewall-adjust: do not use event property. Refs #2873

Revision 795cb73d
Added by Davide Principi about 5 years ago

Merged into master. Refs #2873 #2872

  • Handle nethserver-firewall-base uninstallation
  • System initialization: change default ip addresses

Revision 1deb6268
Added by Davide Principi about 5 years ago

Merged into master. Refs #2873 #2861

Revision e3e395e3
Added by Giacomo Sanchietti about 5 years ago

yum plugin: fire runlevel-adjust before firewall-adjust. Refs #2873

Revision fdc58fda
Added by Davide Principi about 5 years ago

lsm Upstart configuration: stop lsm daemon if nethserver-firewall is not installed. Refs #2873

History

#1 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.5
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti about 5 years ago

Proposed solution:
  • get rid of the event property
  • the firewall-adjust action will check for an rpm which provides nethserver-firewall; if the package is found, the action will fire the event <package-name>-save, otherwise lokkit will be used
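
The selection logic proposed in comment #2, sketched as a shell function. This is an added example, not NethServer's firewall-adjust action; the function names, the stubbable query_provider helper and the package-name validation are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not the project's code. The capability name
# "nethserver-firewall" and the lokkit-save fallback come from the issue text;
# everything else here is hypothetical.

# Ask the RPM database which installed package provides a capability.
# Kept in its own function so it can be stubbed on hosts without rpm.
query_provider() {
    rpm -q --whatprovides --queryformat '%{NAME}\n' "$1" 2>/dev/null
}

# Print the name of the save event that should be fired.
select_firewall_event() {
    # rpm exits non-zero and prints "no package provides ..." on stdout when
    # nothing matches, so the exit status decides, not the text.
    if providers=$(query_provider nethserver-firewall) && [ -n "$providers" ]; then
        # Several providers would be ambiguous: sort so the choice is deterministic.
        pkg=$(printf '%s\n' "$providers" | sort -u | head -n 1)
        # Only a plain package name may become part of an event name;
        # anything else falls back to the default firewall.
        case "$pkg" in
            ''|*[!A-Za-z0-9._+-]*) echo lokkit-save; return 0 ;;
        esac
        echo "${pkg}-save"
    else
        # No provider installed (or it was just removed): back to lokkit.
        echo lokkit-save
    fi
}
```

Because the decision is derived from the RPM database at run time, removing the provider package needs no property reset: the next call returns lokkit-save again.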

#3 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti about 5 years ago

  • Category changed from nethserver-shorewall to nethserver-firewall-base
  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

Implemented in branch b2873 of nethserver-firewall-base and nethserver-base repositories.

#5 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Packages in nethserver-testing:
  • nethserver-base-2.3.0-4.0git9be8d744.ns6.noarch.rpm
    nethserver-base-2.3.0-10.0git8f3b0d95.ns6.noarch.rpm
  • nethserver-firewall-base-2.0.0-2.5git1bbdcb0.ns6.noarch.rpm
    nethserver-firewall-base-2.0.0-2.10gitc9af047.ns6.noarch.rpm

Test case 1
  • Install only nethserver-base package
  • Signal firewall-adjust event
  • Check the fired event is lokkit-save

Test case 2
  • Install both packages
  • Signal firewall-adjust event
  • Check the fired event is nethserver-firewall-base-save

Test case 3
  • Execute test case 2
  • Remove nethserver-firewall-base package
  • Signal firewall-adjust event
  • Check the fired event is lokkit-save

#6 Updated by Davide Principi about 5 years ago

  • Assignee set to Davide Principi

#7 Updated by Davide Principi about 5 years ago

  • Status changed from ON_QA to TRIAGED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 20

Test case 1

OK

Test case 2

OK

Test case 3

OK, BUT

The firewall is in unexpected state after uninstall. The runlevel-adjust event stops shorewall after lokkit-save, losing the right settings:

Removed:
  nethserver-firewall-base.noarch 0:2.0.0-2.10gitc9af047.ns6                                                                                                                                  

Complete!
[root@davidep2 ~]# iptables -nvL
Chain INPUT (policy DROP 4 packets, 801 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  281 38509 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
   10   600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED 
    0     0 ACCEPT     udp  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0           udp dpts:67:68 

Chain OUTPUT (policy ACCEPT 292 packets, 42026 bytes)
 pkts bytes target     prot opt in     out     source               destination

#8 Updated by Davide Principi about 5 years ago

  • Related to Feature #2861: Shorewall: enable green-only mode added

#9 Updated by Davide Principi about 5 years ago

  • Related to Enhancement #2872: System initialization: change default ip addresses added

#10 Updated by Giacomo Sanchietti about 5 years ago

Proposed solution: modify NethServer yum plugin to execute runlevel-adjust before system-adjust.

#11 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#12 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#13 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Packages in nethserver-testing:
  • nethserver-yum-1.3.2-1.0gite3e395e3.ns6.noarch.rpm
  • nethserver-firewall-base-2.0.0-2.10gitc9af047.ns6.noarch.rpm
  • nethserver-base-2.3.0-10.0git8f3b0d95.ns6.noarch.rpm
  • nethserver-lsm-1.0.0-1.0gitfdc58fda.ns6.noarch.rpm

Repeat test case 3 and verify lokkit rules are loaded after nethserver-firewall-base uninstall.

#14 Updated by Davide Principi about 5 years ago

  • Assignee set to Davide Principi

#15 Updated by Davide Principi about 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

#16 Updated by Davide Principi about 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-base-2.4.0-1.ns6.noarch.rpm
nethserver-firewall-base-2.1.0-1.ns6.noarch.rpm
nethserver-lsm-1.0.1-1.ns6.noarch.rpm
nethserver-yum-1.3.3-1.ns6.noarch.rpm
