Enhancement #2873
Handle nethserver-firewall-base uninstallation
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.5 | | |
| Resolution: | | NEEDINFO: | No |
Description
The nethserver-firewall-base package sets the property firewall[event] to nethserver-firewall-base-save just after installation.
This behavior disables lokkit and enables shorewall.
If nethserver-firewall-base is uninstalled, the property is not reset to its previous value (lokkit-save).
To work around the problem, it's possible to add a script inside the %post section of the nethserver-firewall-base rpm: on uninstall, execute a setprop command to reset the firewall[event] property.
Related issues
Associated revisions
spec: provides nethserver-firewall. Refs #2873
firewall-adjust: do not use event property. Refs #2873
yum plugin: fire runlevel-adjust before firewall-adjust. Refs #2873
lsm Upstart configuration: stop lsm daemon if nethserver-firewall is not installed. Refs #2873
History
#1 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.5
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti almost 7 years ago
- get rid of the event property
- firewall-adjust action will check for an rpm which provides nethserver-firewall, if the package is found the action will fire the event <package-name>-save otherwise lokkit will be used
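The selection rule from comment #2, sketched as an added shell example (not the project's firewall-adjust action). The function names, the stubbable lookup argument and the fallback on an unexpected package name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick the *-save event that a firewall-adjust step would fire.
# Not the NethServer implementation; helper names are hypothetical.

CAPABILITY="nethserver-firewall"   # virtual capability named in the issue
FALLBACK_EVENT="lokkit-save"       # used when no provider is installed

query_provider() {
    # Print the name of each installed package providing $1, one per line.
    # rpm exits non-zero when nothing provides the capability.
    rpm -q --whatprovides "$1" --queryformat '%{NAME}\n' 2>/dev/null
}

select_firewall_event() {
    # $1: optional lookup command, so the rpm query can be stubbed offline.
    lookup="${1:-query_provider}"
    if provider=$("$lookup" "$CAPABILITY") && [ -n "$provider" ]; then
        # If several packages provide the capability, use the first one.
        provider=$(printf '%s\n' "$provider" | head -n 1)
        case "$provider" in
            # Assumption: an unexpected name never becomes an event name.
            ''|*[!A-Za-z0-9._+-]*)
                printf '%s\n' "$FALLBACK_EVENT"
                return 0 ;;
        esac
        printf '%s-save\n' "$provider"
    else
        # No provider installed (for example after uninstall): use lokkit.
        printf '%s\n' "$FALLBACK_EVENT"
    fi
}

# Usage on a real system (assumed path of the NethServer event runner):
#   /sbin/e-smith/signal-event "$(select_firewall_event)"
```

Because the decision is taken from the rpm database at run time, removing the provider package needs no uninstall scriptlet to restore a stored property.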
#3 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4 Updated by Giacomo Sanchietti almost 7 years ago
- Category changed from nethserver-shorewall to nethserver-firewall-base
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
Implemented in branch b2873 of nethserver-firewall-base and nethserver-base repositories.
#5 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
nethserver-base-2.3.0-4.0git9be8d744.ns6.noarch.rpm
nethserver-base-2.3.0-10.0git8f3b0d95.ns6.noarch.rpm
nethserver-firewall-base-2.0.0-2.5git1bbdcb0.ns6.noarch.rpm
nethserver-firewall-base-2.0.0-2.10gitc9af047.ns6.noarch.rpm
- Install only nethserver-base package
- Signal firewall-adjust event
- Check the fired event is lokkit-save

- Install both packages
- Signal firewall-adjust event
- Check the fired event is nethserver-firewall-base-save

- Execute test case 2
- Remove nethserver-firewall-base package
- Signal firewall-adjust event
- Check the fired event is lokkit-save
#6 Updated by Davide Principi almost 7 years ago
- Assignee set to Davide Principi
#7 Updated by Davide Principi almost 7 years ago
- Status changed from ON_QA to TRIAGED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 20
Test case 1
OK
Test case 2
OK
Test case 3
OK, BUT
The firewall is in an unexpected state after uninstall. The runlevel-adjust event stops shorewall after lokkit-save, losing the right settings:
Removed: nethserver-firewall-base.noarch 0:2.0.0-2.10gitc9af047.ns6
Complete!
[root@davidep2 ~]# iptables -nvL
Chain INPUT (policy DROP 4 packets, 801 bytes)
 pkts bytes target prot opt in   out  source     destination
  281 38509 ACCEPT all  --  *    *    0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
   10   600 ACCEPT all  --  lo   *    0.0.0.0/0  0.0.0.0/0
    0     0 ACCEPT udp  --  eth1 *    0.0.0.0/0  0.0.0.0/0   udp dpts:67:68
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source     destination
    0     0 ACCEPT all  --  *    *    0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
    0     0 ACCEPT udp  --  eth1 eth1 0.0.0.0/0  0.0.0.0/0   udp dpts:67:68
Chain OUTPUT (policy ACCEPT 292 packets, 42026 bytes)
 pkts bytes target prot opt in   out  source     destination
#8 Updated by Davide Principi almost 7 years ago
- Related to Feature #2861: Shorewall: enable green-only mode added
#9 Updated by Davide Principi almost 7 years ago
- Related to Enhancement #2872: System initialization: change default ip addresses added
#10 Updated by Giacomo Sanchietti almost 7 years ago
Proposed solution: modify NethServer yum plugin to execute runlevel-adjust before system-adjust.
#11 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#12 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#13 Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-yum-1.3.2-1.0gite3e395e3.ns6.noarch.rpm
- nethserver-firewall-base-2.0.0-2.10gitc9af047.ns6.noarch.rpm
- nethserver-base-2.3.0-10.0git8f3b0d95.ns6.noarch.rpm
- nethserver-lsm-1.0.0-1.0gitfdc58fda.ns6.noarch.rpm
Repeat test case 3 and verify lokkit rules are loaded after nethserver-firewall-base uninstall.
#14 Updated by Davide Principi almost 7 years ago
- Assignee set to Davide Principi
#15 Updated by Davide Principi almost 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
#16 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-base-2.4.0-1.ns6.noarch.rpm
nethserver-firewall-base-2.1.0-1.ns6.noarch.rpm
nethserver-lsm-1.0.1-1.ns6.noarch.rpm
nethserver-yum-1.3.3-1.ns6.noarch.rpm