Unable to commit runtime zone change to config #890

Open
Vogtinator opened this issue Nov 26, 2021 · 5 comments
Labels
medium Medium priority bug.
Comments

@Vogtinator

After adding a custom zone and moving an interface to it, which was previously by default in the public zone, --runtime-to-permanent fails.

How to reproduce it (as minimally and precisely as possible):

# firewall-cmd --permanent --new-zone=my-external
success
# firewall-cmd --reload
success
# firewall-cmd --zone=my-external --change-interface=ens4
success
# firewall-cmd --runtime-to-permanent
Error: RT_TO_PERM_FAILED

The journal shows:

Nov 26 07:59:40 susetest firewalld[3500]: ERROR: ZONE_CONFLICT: ens4public
Nov 26 07:59:40 susetest firewalld[3500]: WARNING: Runtime To Permanent failed on zone 'my-external': org.fedoraproject.FirewallD1.Exception: ZONE_CONFLICT: ens4public
Nov 26 07:59:40 susetest firewalld[3500]: ERROR: RT_TO_PERM_FAILED

The full firewalld log with --debug=1 is attached: firewalld.log

I added the conflicting zone to the exception message, so it's visible that during the copy of the my-external zone, the check for duplication fails because ens4 is still assigned to the public zone.

Anything else we need to know?:

Environment:

  • Firewalld Version: 1.0.2
  • Firewalld Backend (cat /etc/firewalld/firewalld.conf | grep FirewallBackend): nftables
  • OS (e.g: cat /etc/os-release): openSUSE Tumbleweed 20211124
Vogtinator added a commit to Vogtinator/os-autoinst-distri-opensuse that referenced this issue Nov 26, 2021
…anent

It fails to write a runtime zone change to the permanent config:
firewalld/firewalld#890
@erig0
Collaborator

erig0 commented Dec 1, 2021

Are you using NetworkManager?

Did you previously assign ens4 to the public zone?
Check the status with:

# firewall-cmd --permanent --get-zone-of-interface ens4

@Vogtinator
Author

Are you using NetworkManager?

No.

Did you previously assign ens4 to the public zone?

Yep, implicitly by the system installation:

# firewall-cmd --permanent --get-zone-of-interface ens4
public
# firewall-cmd --get-zone-of-interface ens4
my-external

I just checked the state of the configuration files after running the commands:
/etc/sysconfig/network/ifcfg-ens4 has ZONE=my-external but /etc/firewalld/zones/public.xml has <interface name="ens4"/>. So even though --runtime-to-permanent failed, it appears to have saved some inconsistent configuration. Before running the commands, the ifcfg file had ZONE=public.

@erig0
Collaborator

erig0 commented Dec 2, 2021

Looks like we should be moving the interface regardless of the existing permanent configuration.
This comment also indicates that may be the case:

for iface in added_ifaces:
    if self.parent.getZoneOfInterface(iface):
        raise FirewallError(errors.ZONE_CONFLICT, iface) # or move to new zone ?
for source in added_sources:
    if self.parent.getZoneOfSource(source):
        raise FirewallError(errors.ZONE_CONFLICT, source) # or move to new zone ?

I'll have to investigate this area to make sure it's safe to make said change.

@erig0 erig0 added this to backlog in firewalld via automation Dec 2, 2021
@erig0 erig0 added the medium Medium priority bug. label Dec 2, 2021
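An added example, not firewalld's own code, that models the conflict check quoted above against the bindings from the report: the strict per-zone copy raises ZONE_CONFLICT for ens4 because public still lists it, while a copy that first removes the interface from its old permanent zone yields a config matching the runtime state (all function and variable names are hypothetical):

```python
# Added example, not firewalld's own code: a toy model of how
# --runtime-to-permanent copies interface bindings. It reproduces the
# ZONE_CONFLICT from the report above and contrasts it with a copy that
# moves the interface out of its old zone. All names are hypothetical.
from copy import deepcopy

ZONE_CONFLICT = "ZONE_CONFLICT"

class FirewallError(Exception):
    """Stand-in for firewalld's FirewallError."""

def zone_of_interface(config, iface):
    """Return the zone `iface` is bound to in `config`, or None."""
    for zone, ifaces in config.items():
        if iface in ifaces:
            return zone
    return None

def runtime_to_permanent_strict(permanent, runtime):
    """Per-zone copy with the check quoted above: an interface newly added
    to a zone must not already be bound anywhere in the permanent config.
    public still lists ens4 when my-external is copied, so this fails."""
    new_perm = deepcopy(permanent)
    for zone, ifaces in runtime.items():
        added_ifaces = ifaces - permanent.get(zone, set())
        for iface in added_ifaces:
            if zone_of_interface(permanent, iface):
                raise FirewallError(f"{ZONE_CONFLICT}: {iface}")
        new_perm.setdefault(zone, set()).update(ifaces)
    return new_perm

def runtime_to_permanent_move(permanent, runtime):
    """Same copy, but the interface is first removed from whatever
    permanent zone held it, so the result matches the runtime state."""
    new_perm = deepcopy(permanent)
    for zone, ifaces in runtime.items():
        for iface in ifaces:
            old = zone_of_interface(new_perm, iface)
            if old is not None and old != zone:
                new_perm[old].discard(iface)
        new_perm.setdefault(zone, set()).update(ifaces)
    return new_perm

# Constructed state matching the report: the installer bound ens4 to
# public permanently; at runtime it was moved to my-external.
PERMANENT = {"public": {"ens4"}, "my-external": set()}
RUNTIME = {"public": set(), "my-external": {"ens4"}}
```

The strict variant also shows why a per-zone copy can leave the permanent config half-updated when it aborts partway through, which is consistent with the inconsistent ifcfg/public.xml state reported above.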
@Vogtinator
Author

I'll have to investigate this area to make sure it's safe to make said change.

As long as it correctly removes the old zone assignment that should be fine FWICT - otherwise the runtime configuration would be broken as well.

@erig0
Collaborator

erig0 commented Dec 2, 2021

It's a bit more complicated due to NetworkManager and ifcfg files. Since the config moves from runtime to permanent, it needs to be determined which of those should be updated.
Likely needs to be:

  1. try adding interface to NM, if fails move on to 2, else done
  2. set ZONE in ifcfg-
  3. add interface to firewalld zone's XML config

Of course, we also need to deal with removal from the old zone.
