Enhancement #2873
Handle nethserver-firewall-base uninstallation
| Status: | CLOSED | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 100% | |
| Category: | nethserver-firewall-base | |||
| Target version: | v6.5 | |||
| Resolution: | NEEDINFO: | No |
Description
The nethserver-firewall-base package sets the property firewall[event] to nethserver-firewall-base-save just after installation.
This behavior disable lokkit and enable shorewall.
If nethserver-firewall-base is uninstalled, the property is not reset to previous value (lokkit-save).
To workaround the problem, it's possible to add a script inside the %post section of nethserver-firewall-base rpm: on uninstall, execute a setprop command to reset the firewall[event] property.
Related issues
Associated revisions
spec: provides nethserver-firewall. Refs #2873
firewall-adjust: do not use event property. Refs #2873
yum plugin: fire runlevel-adjust before firewall-adjust. Refs #2873
lsm Upstart configuration: stop lsm daemon if nethserver-firewall is not installed. Refs #2873
History
#1
Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.5
- % Done changed from 0 to 20
#2
Updated by Giacomo Sanchietti almost 7 years ago
- get rid of the
eventproperty firewall-adjustaction will check for an rpm which providesnethserver-firewall, if the package is found the action will fire the event<package-name>-saveotherwise lokkit will be used
#3
Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4
Updated by Giacomo Sanchietti almost 7 years ago
- Category changed from nethserver-shorewall to nethserver-firewall-base
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
Implemented in branch b2873 of nethserver-firewall-base and nethserver-base repositories.
#5
Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 60 to 70
nethserver-base-2.3.0-4.0git9be8d744.ns6.noarch.rpm
nethserver-base-2.3.0-10.0git8f3b0d95.ns6.noarch.rpmnethserver-firewall-base-2.0.0-2.5git1bbdcb0.ns6.noarch.rpm
nethserver-firewall-base-2.0.0-2.10gitc9af047.ns6.noarch.rpm
- Install only nethserver-base package
- Signal
firewall-adjustevent - Check the fired event is
lokkit-save
- Install both packages
- Signal
firewall-adjustevent - Check the fired event is
nethserver-firewall-base-save
- Execute test case 2
- Remove nethserver-firewall-base package
- Signal
firewall-adjustevent - Check the fired event is
lokkit-save
#6
Updated by Davide Principi almost 7 years ago
- Assignee set to Davide Principi
#7
Updated by Davide Principi almost 7 years ago
- Status changed from ON_QA to TRIAGED
- Assignee deleted (
Davide Principi) - % Done changed from 70 to 20
Test case 1
OK
Test case 2
OK
Test case 3
OK, BUT
The firewall is in unexpected state after uninstall. The runlevel-adjust event stops shorewall after lokkit-save, losing the right settings:
Removed:
nethserver-firewall-base.noarch 0:2.0.0-2.10gitc9af047.ns6
Complete!
[root@davidep2 ~]# iptables -nvL
Chain INPUT (policy DROP 4 packets, 801 bytes)
pkts bytes target prot opt in out source destination
281 38509 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
10 600 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT udp -- eth1 eth1 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
Chain OUTPUT (policy ACCEPT 292 packets, 42026 bytes)
pkts bytes target prot opt in out source destination
#8
Updated by Davide Principi almost 7 years ago
- Related to Feature #2861: Shorewall: enable green-only mode added
#9
Updated by Davide Principi almost 7 years ago
- Related to Enhancement #2872: System initialization: change default ip addresses added
#10
Updated by Giacomo Sanchietti almost 7 years ago
Proposed solution: modify NethServer yum plugin to execute runlevel-adjust before system-adjust.
#11
Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#12
Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#13
Updated by Giacomo Sanchietti almost 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (
Giacomo Sanchietti) - % Done changed from 60 to 70
- nethserver-yum-1.3.2-1.0gite3e395e3.ns6.noarch.rpm
- nethserver-firewall-base-2.0.0-2.10gitc9af047.ns6.noarch.rpm
- nethserver-base-2.3.0-10.0git8f3b0d95.ns6.noarch.rpm
- nethserver-lsm-1.0.0-1.0gitfdc58fda.ns6.noarch.rpm
Repeat test case 3 and verify lokkit rules are loaded after nethserver-firewall-base uninstall.
#14
Updated by Davide Principi almost 7 years ago
- Assignee set to Davide Principi
#15
Updated by Davide Principi almost 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 70 to 90
#16
Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-base-2.4.0-1.ns6.noarch.rpm
nethserver-firewall-base-2.1.0-1.ns6.noarch.rpm
nethserver-lsm-1.0.1-1.ns6.noarch.rpm
nethserver-yum-1.3.3-1.ns6.noarch.rpm