Direct passthroughs rules not removed on reload

[DevDorrejo]

What happened:
removing passthroughts and doing reload wont remove the rules

What you expected to happen:
on reload rules not appear

How to reproduce it (as minimally and precisely as possible):
firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT firewall-cmd --direct --get-all-passthroughs firewall-cmd --permanent --direct --remove-passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT firewall-cmd --reload firewall-cmd --permanent --direct --remove-passthrough ipv4 -I FORWARD -o virbr0 -j ACCEPT

Anything else we need to know?:
workaround: systemctl restart firewalld.service

Environment:

• Firewalld Version (if Fedora based dnf info firewalld or commit hash if developing from git git log -n1 --format=format:"%H"): 1.1.1
• Firewalld Backend (cat /etc/firewalld/firewalld.conf | grep FirewallBackend): nftables
• OS (e.g: cat /etc/os-release):

NAME="openSUSE Tumbleweed"
# VERSION="20220428"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20220428"
PRETTY_NAME="openSUSE Tumbleweed"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:tumbleweed:20220428"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"
DOCUMENTATION_URL="https://en.opensuse.org/Portal:Tumbleweed"
LOGO="distributor-logo-Tumbleweed

• Others:

[erig0]

Do you have FlushAllOnReload=no in /etc/firewalld/firewalld.conf?

[erig0]

tl;dr don't use --permanent

You're using --permanent. It looks like when you use --permanent --direct --passthrough it is synonymous with --permanent --direct --add-passthrough. I don't know why.

Even the man pages say you shouldn't be able to use --permanent with --passthrough:

--direct --passthrough { ipv4 | ipv6 | eb } args
Pass a command through to the firewall. args can be all iptables,
ip6tables and ebtables command line arguments. This command is
untracked, which means that firewalld is not able to provide
information about this command later on, also not a listing of the
untracked passthoughs.

But, the code obviously allows it and aliases it to --add-passthrough:

firewalld/src/firewall-cmd.in

Lines 1888 to 1901 in 797234e

	elif options_direct:
	direct = fw.config().direct()
	if a.passthrough:
	if len(a.passthrough) < 2:
	cmd.fail("usage: --permanent --direct --passthrough { ipv4 | ipv6 | eb } <args>")
	cmd.print_msg(direct.addPassthrough(cmd.check_ipv(a.passthrough[0]),
	splitArgs(a.passthrough[1])))
	if a.add_passthrough:
	if len(a.add_passthrough) < 2:
	cmd.fail("usage: --permanent --direct --add-passthrough { ipv4 | ipv6 | eb } <args>")
	cmd.print_msg(direct.addPassthrough(cmd.check_ipv(a.add_passthrough[0]),
	splitArgs(a.add_passthrough[1])))

We can't fix this with out potentially breaking users that rely on --permanent --direct --passthrough being an alias for --permanent --direct --add-passthrough. It would be a breaking change.

[DevDorrejo]

Thanks, understand, so i wont use --permanent, on this case

[erig0]

Maybe in the short term we should update the man page to indicate this is an alias for --permanent --add-passthrough... and that it will change in a future release, e.g. 2.0.0.

[DevDorrejo]

👍🏽