Bug #3136

Invalid port forward after deleting firewall objects

Added by Filippo Carletti over 6 years ago. Updated about 6 years ago.

Status: CLOSED
Start date:
Priority: High
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Security class:
Resolution:
Affected version: v6.6
NEEDINFO: No

Description

If a firewall object (e.g. a host) referenced in a port forward is deleted, the firewall configuration breaks with an error:
ERROR: Missing destination zone /etc/shorewall/rules (line xxx).

Steps to reproduce:
1. create a host object
2. create a port forward to the above host
3. delete the host
4. see the error

Temporary solution: delete the wrong port forward or re-create the deleted host. :-)

I think we need to cross check the usage of firewall objects and deny deletion.


Related issues

Related to NethServer 6 - Bug #3173: Invalid traffic shaping rules after deleting host object CLOSED

Associated revisions

Revision 423eae1e
Added by Giacomo Sanchietti about 6 years ago

System validator: better check for firewall objects. Refs #3136

Revision 31fb0afe
Added by Giacomo Sanchietti about 6 years ago

Translations: update validator labels. Refs #3136

History

#1 Updated by Filippo Carletti over 6 years ago

A similar bug is present on traffic shaping. The error shown is:
WARNING: There are entries in /etc/shorewall/tcpri but /etc/shorewall/tcinterfaces was empty /etc/shorewall/tcpri (line 23)
ERROR: Invalid tcpri entry /etc/shorewall/tcpri (line 23)

#2 Updated by Alessio Fattorini about 6 years ago

Same problem with host or group object deleted and already used on "host without Proxy" panel

Steps to reproduce:
1. create a host object
2. use it on "host without Proxy" panel
3. remove it

This red note is shown:

Task completed with errors
Configuring shorewall #32 (exit status 1)
 ERROR: Invalid host list (!,192.168.0.211) /etc/shorewall/rules (line 290)

Now it's impossible to create/modify any firewall rule; it breaks with this error:

Configuring shorewall #28 
ERROR: Unknown Interface (!,) /etc/shorewall/rules (line 285)

Line 285 shows

?COMMENT transparent proxy on green for port 80
REDIRECT    loc:!    3129    tcp    80    -    !192.168.0.2,192.168.1.4

#3 Updated by Filippo Carletti about 6 years ago

  • Priority changed from Normal to High

#4 Updated by Giacomo Sanchietti about 6 years ago

  • Category set to nethserver-firewall-base
  • Target version set to v6.6

#5 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#6 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#7 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#8 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-firewall-base-2.6.0-1.6.g31fb0af.ns6.noarch.rpm
Test case
  • Check the bug is not reproducible
  • Test with all kinds of objects including CIDR and IP ranges

#9 Updated by Filippo Carletti about 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90
I created and used every kind of object in
  • firewall rules
  • shaping priorities
  • proxy bypass
  • web filter profiles

When I tried to delete a used object I was blocked with a red error message that said the object is in use:
Could not delete object. The host is used by firewall rules.

Note: having a lot of objects used in a lot of places makes it hard to find where you used them. I'd appreciate a search function. I'll file an enhancement request.

#10 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-firewall-base-2.6.1-1.ns6.noarch.rpm

#11 Updated by Giacomo Sanchietti about 6 years ago

  • Related to Bug #3173: Invalid traffic shaping rules after deleting host object added
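
The check proposed in the description and verified in #9 (refuse to delete an object that is still referenced), as an added example that is not part of the original tracker entry and is not NethServer's code. The `kind;name` reference tokens, field names and sample data are assumptions constructed for illustration; `dangling_refs` additionally audits a configuration that is already broken, as in #2.

```python
class ObjectInUse(Exception):
    """Raised when a firewall object is still referenced somewhere."""

def refs_in(value):
    """Yield (kind, name) for each 'kind;name' token in a comma-separated field."""
    for token in str(value).split(","):
        kind, sep, name = token.strip().partition(";")
        if sep and kind and name:
            yield kind, name

def find_users(consumers, kind, name):
    """Return sorted (area, entry_id) pairs whose fields reference kind;name."""
    users = set()
    for area, entries in consumers.items():
        for entry_id, fields in entries.items():
            if any((kind, name) in refs_in(v) for v in fields.values()):
                users.add((area, entry_id))
    return sorted(users)

def delete_object(objects, consumers, kind, name):
    """Delete only when nothing references the object; otherwise refuse."""
    users = find_users(consumers, kind, name)
    if users:
        areas = ", ".join(sorted({area for area, _ in users}))
        raise ObjectInUse(f"Could not delete object. The {kind} is used by {areas}.")
    del objects[(kind, name)]

def dangling_refs(objects, consumers):
    """Audit: references pointing at objects that no longer exist."""
    missing = []
    for area, entries in consumers.items():
        for entry_id, fields in entries.items():
            for value in fields.values():
                missing += [(area, entry_id, r) for r in refs_in(value) if r not in objects]
    return sorted(missing)

# Constructed sample data (hypothetical layout, not the NethServer schema).
OBJECTS = {("host", "web1"): "192.168.0.211",
           ("host", "pc2"): "192.168.1.4",
           ("host", "spare"): "192.168.0.9"}
CONSUMERS = {
    "firewall rules": {"pf1": {"Dst": "host;web1", "DstPort": "80"}},
    "proxy bypass": {"squid": {"BypassSrc": "host;web1,host;pc2"}},
}

if __name__ == "__main__":
    try:
        delete_object(dict(OBJECTS), CONSUMERS, "host", "web1")
    except ObjectInUse as err:
        print(err)
```

Running the audit before the firewall configuration is regenerated reports each broken reference by area and entry, rather than leaving it to surface as a Shorewall compile error.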
