Bug 9941

Summary:	Change settings in drakfirewall : shorewall shorewall-ipv6 should be instaled
Product:	Mageia	Reporter:	Adrien D <email>
Component:	RPM Packages	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:
Severity:	normal
Priority:	Normal	CC:	dan, davidwhodgins, denis.robel, derekjenn, geiger.david68210, jeffrobinsSAE, lists.jjorge, mageia, pterjan, rjpatrick19, sysadmin-bugs, thierry.vignaud, zen25000
Version:	3	Keywords:	PATCH, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	has_procedure mga3-64-ok mga3-32-ok
Source RPM:	drakx-net drakxtools-15.54-1.mga3.src.rpm	CVE:
Status comment:
Attachments:	patch do_pkgs.pm to return true if packages are installed

Description Adrien D 2013-05-01 18:43:46 CEST

Hi Team Mageia,

When I try to change settings into drakfirewall (with the GUI), it ask me to install shorewall and shorewall-ipv6, at every turn.

Can you fix this ?

Thanks.

Reproducible: 

Steps to Reproduce:

Comment 1 Thierry Vignaud 2013-05-02 12:14:48 CEST

This is per design

CC: (none) => thierry.vignaud
Source RPM: drak-firewall => drakx-net

Comment 2 Dave Hodgins 2013-05-22 04:31:19 CEST

With shorewall-ipv6 installed, drakfirewall is not updating /etc/shorewall/rules.drakx.

If I uninstall shorewall-ipv6, and then run drakfirewall, rules.drakx does
get updated, but shorewall-ipv6 also gets reinstalled.

CC: (none) => davidwhodgins

Comment 3 Dave Hodgins 2013-05-22 04:32:44 CEST

Should probably add, like most people in North America, my router and isp
are still ipv4 only.

Comment 4 Iulian Litcanu 2013-05-23 05:52:22 CEST

(In reply to Dave Hodgins from comment #2)
> With shorewall-ipv6 installed, drakfirewall is not updating
> /etc/shorewall/rules.drakx.
> 
> If I uninstall shorewall-ipv6, and then run drakfirewall, rules.drakx does
> get updated, but shorewall-ipv6 also gets reinstalled.

it does say it's saved BUT i tried to do the following thin and it did not work so the firewall might be still be up.

I wanted to play movies on my tv from my computer through wireless network and as such i have installed mediatomb, rygel and coherence.

None worked.

I disabled the firewall through interactive firewall interface, i added port 1900 of mediatomb through advanced settings in the same window.

Still did not work.

What i did to work: systemctl stop ip6tables.service

It worked.

So i assume although i went and disable the firewall through interactive interface the firewall was still up.

I was asked if my ISP use ipv6 or 4 ... i think 4 but i am not sure. i will ask them ... or if anyone knows IINET Australia

CC: (none) => litcanu

Comment 5 Barry Jackson 2013-05-23 19:56:34 CEST

Any news on this?

The only way I have found to access a freshly installed mga3 i586 install over ssh is to uninstall shorewall completely.

All my other installations (x86_64) have been continually updated cauldron machines (now switched to 3 repos) and these do not have shorewall-ipv6 installed and work fine.

Running the mcc -> security -> firewall seems to require shorewall-ipv6 and asks to install it, yet shorewall-ipv6 is not a require of shorewall.

CC: (none) => zen25000

Comment 6 Manuel Hiebel 2013-05-27 23:42:40 CEST

*** Bug 10290 has been marked as a duplicate of this bug. ***

CC: (none) => denis.robel

Comment 7 Derek Jennings 2013-06-05 01:15:23 CEST

I see this too.
If shorewall-ipv6 is not installed, then drakfirewall will install it and make the requested changes to the configuration.

If shorewall-ipv6 is already installed, then the configuration changes are not made.

Workaround is to uninstall shorewall-ipv6 before altering the firewall config.

CC: (none) => derekjenn

Comment 8 Derek Jennings 2013-06-05 14:06:08 CEST

The problem appears to be because the line in drakfirewall.pm

$do_pkgs->ensure_files_are_installed([ [ qw(shorewall shorewall) ], [ qw(shorewall-ipv6 shorewall6) ] ], $::isInstall) or return;

returns NULL if all the packages are installed and so drakfirewall exits.

Revision 5290 in do_pkgs.pm appears to be the cause of the NULL return.
http://svnweb.mageia.org/soft/drakx/trunk/perl-install/do_pkgs.pm?r1=4647&r2=5290

Comment 9 Derek Jennings 2013-06-06 20:26:46 CEST

Created attachment 4108 [details]
patch do_pkgs.pm to return true if packages are installed

This patch works for me if anyone would like to try it out.

Derek Jennings 2013-06-06 20:28:01 CEST

Keywords: (none) => PATCH
Source RPM: drakx-net => drakx-net drakxtools-15.54-1.mga3.src.rpm

Comment 10 Barry Jackson 2013-06-07 01:33:03 CEST

(In reply to Derek Jennings from comment #9)
> Created attachment 4108 [details]
> patch do_pkgs.pm to return true if packages are installed
> 
> This patch works for me if anyone would like to try it out.

Yes seems to work OK, however when setting "Everything (no firewall)" there is a long (1 min.) blank screen. After the rm below:-

rm '/etc/systemd/system/multi-user.target.wants/shorewall.service'
Clearing Shorewall....
Processing /etc/shorewall/stop ...
Processing /etc/shorewall/tcclear ...
Running /sbin/iptables-restore...
Processing /etc/shorewall/stopped ...
Processing /etc/shorewall/clear ...
done.

Comment 11 Derek Jennings 2013-06-07 12:23:58 CEST

>Yes seems to work OK, however when setting "Everything (no firewall)" there is a >long (1 min.) blank screen. After the rm below:-

Yes. I see that too.
I think it is a separate issue. I will take a look at it and raise a new bug report if it is.

Comment 12 Derek Jennings 2013-06-07 14:16:39 CEST

Barry.
Yes, the long delay after disabling the firewall is a separate issue. It only happens the first time the firewall is enabled and then disabled, unless shorewall6 is enabled again.

To reproduce the failure I did

#drakfirewall    #enable the firewall
#systemctl stop shorewall6.service
#systemctl start shorewall6.service
#drakfirewall    #disable the firewall

Then there will be the long delay.

If I run drakfirewall in the perl debugger it works so it is probably a race condition.

Comment 13 Pascal Terjan 2013-06-10 21:49:58 CEST

I would use 1 instead of true but the patch looks correct apart from that

CC: (none) => pterjan

Comment 14 Olivier Blin 2013-06-10 22:02:09 CEST

Same as Pascal, "return 1 if !@not_installed" would be better (the function already returns 1 at the end).

CC: (none) => mageia

Richard Patrick 2013-06-10 22:52:49 CEST

CC: (none) => rjpatrick19

Jeff Robins 2013-06-10 23:50:25 CEST

CC: (none) => jeffrobinsSAE

Comment 15 José Jorge 2013-06-12 21:31:52 CEST

This bug is fixed in Cauldron thanks to Derek's patch. Version 15.55 was also submitted to MGA3 testing as this bug also affects MGA3.

PROCEDURE for QA :
- try to change firewall settings in mcc
- re-open drakfirewall : settings were not saved
- install drakxtools-backend-15.55, settings should be saved

Status: NEW => ASSIGNED
CC: (none) => lists.jjorge
Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure

Comment 16 José Jorge 2013-06-12 21:38:55 CEST

Suggested advisory:
========================

Updated drakxtools packages fix drakfirewall behaviour:

Mageia Control Center did not apply firewall settings.
This update fixes it.
========================

Updated packages in core/updates_testing:
========================
drakx-finish-install-15.55-1.mga3.x86_64.rpm	 
drakxtools-15.55-1.mga3.x86_64.rpm
drakxtools-backend-15.55-1.mga3.x86_64.rpm
drakxtools-curses-15.55-1.mga3.x86_64.rpm	 
drakxtools-http-15.55-1.mga3.x86_64.rpm	 
harddrake-15.55-1.mga3.x86_64.rpm	 
harddrake-ui-15.55-1.mga3.x86_64.rpm


Source RPMs: 
drakxtools-15.55-1.mga3.src.rpm

Comment 17 Adrien D 2013-06-12 21:56:00 CEST

It works for me now !

Comment 18 Manuel Hiebel 2013-06-12 22:41:37 CEST

*** Bug 10460 has been marked as a duplicate of this bug. ***

Comment 19 Manuel Hiebel 2013-06-12 22:51:09 CEST

the new drakxtools package was created from the cauldron svn and not from a branch, please assign back when it's done

Assignee: qa-bugs => bugsquad

Comment 20 José Jorge 2013-06-12 23:15:00 CEST

(In reply to Manuel Hiebel from comment #19)
> the new drakxtools package was created from the cauldron svn and not from a
> branch, please assign back when it's done

You're right, I forgot the branching. Done, with a subrel 1 :

drakxtools-15.55-1.1.mga3.src.rpm

Assignee: bugsquad => qa-bugs

Comment 21 Manuel Hiebel 2013-06-12 23:44:14 CEST

seems you branched from after cauldron, maybe make a new package with what done by Nicolas ?
(or we will have other change)

claire robinson 2013-06-13 07:59:28 CEST

Whiteboard: has_procedure => has_procedure feedback

Comment 22 José Jorge 2013-06-13 08:22:58 CEST

(In reply to Manuel Hiebel from comment #21)
> seems you branched from after cauldron, maybe make a new package with what
> done by Nicolas ?
> (or we will have other change)

What is "done by Nicolas"? I branched from cauldron because there was no branch for 3.

Comment 23 José Jorge 2013-06-13 08:35:46 CEST

(In reply to José Jorge from comment #22)
> > seems you branched from after cauldron, maybe make a new package with what
> > done by Nicolas ?
> > (or we will have other change)

Sorry, now I have seen my error. I thought latest cauldron had no changes since MGA3 release. I will make a new package from Nicolas's branch.

Comment 24 José Jorge 2013-06-13 13:13:00 CEST

So sorry for the mess, I am learning. So it is now 15.54.1 version :

Suggested advisory:
========================

Updated drakxtools packages fix drakfirewall behaviour:

Mageia Control Center did not apply firewall settings.
This update fixes it.
========================

Updated packages in core/updates_testing:
========================
drakx-finish-install-15.54.1-1.mga3.x86_64.rpm	 
drakxtools-15.54.1-1.mga3.x86_64.rpm
drakxtools-backend-15.54.1-1.mga3.x86_64.rpm
drakxtools-curses-15.54.1-1.mga3.x86_64.rpm	 
drakxtools-http-15.54.1-1.mga3.x86_64.rpm	 
harddrake-15.54.1-1.mga3.x86_64.rpm	 
harddrake-ui-15.54.1-1.mga3.x86_64.rpm


Source RPMs: 
drakxtools-15.54.1-1.mga3.src.rpm

Whiteboard: has_procedure feedback => has_procedure

Comment 25 Dave Hodgins 2013-06-13 22:46:34 CEST

Testing complete on Mageia 3 i586 and x86_64.

Could someone from the sysadmin team push the srpm
drakxtools-15.54.1-1.mga3.src.rpm
from Mageia 3 Core Updates Testing to Core Updates.

Advisory: Updated drakxtools packages fix drakfirewall saving of changes.
Mageia Control Center did not apply changes to firewall settings, when
the shorewall-ipv6 package was already installed. This update fixes it.

https://bugs.mageia.org/show_bug.cgi?id=9941

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 26 José Jorge 2013-06-13 23:56:08 CEST

(In reply to Dave Hodgins from comment #25)
> Testing complete on Mageia 3 i586 and x86_64.
> 
> Could someone from the sysadmin team push the srpm
> drakxtools-15.54.1-1.mga3.src.rpm
> from Mageia 3 Core Updates Testing to Core Updates.

Huh? I could not submit it!

Comment 27 Dave Hodgins 2013-06-14 00:07:28 CEST

http://mirrors.kernel.org/mageia/distrib/3/x86_64/media/core/updates_testing/drakxtools-15.55-1.1.mga3.x86_64.rpm

And from http://pkgsubmit.mageia.org/
drakxtools-15.55-1.1.mga3	zezinho 
19 hours ago	3 
core/updates_testing	 uploaded 
1 minute

Looks like I have the wrong srpm

Unvalidating the update, till this is sorted out.

Keywords: validated_update => (none)
Whiteboard: has_procedure MGA3-64-OK MGA3-32-OK => has_procedure

Comment 28 Dave Hodgins 2013-06-14 00:09:51 CEST

Please remove the feedback whiteboard entry, and list the correct
srpm to test, when ready.

Whiteboard: has_procedure => has_procedure feedback

Comment 29 José Jorge 2013-06-14 12:41:19 CEST

Comment 24 lists everything, and the submit is done, so please test.

Whiteboard: has_procedure feedback => has_procedure

Comment 30 claire robinson 2013-06-16 12:30:23 CEST

This is not fixed for me x86_64, sorry José

Firewall setting changes are not preserved when shorewall-ipv6 is installed.

Whiteboard: has_procedure => has_procedure feedback

Comment 31 Adrien D 2013-06-16 13:14:26 CEST

It's fixed for me I installed this packages :

1 [13:11:51] adrien@superlinux: ~  $ rpm -qa --last | grep drak
harddrake-ui-15.55-1.mga3.x86_64              mer. 12 juin 2013 21:54:10 CEST
harddrake-15.55-1.mga3.x86_64                 mer. 12 juin 2013 21:54:10 CEST
drakxtools-curses-15.55-1.mga3.x86_64         mer. 12 juin 2013 21:54:10 CEST
drakxtools-backend-15.55-1.mga3.x86_64        mer. 12 juin 2013 21:54:10 CEST
drakxtools-15.55-1.mga3.x86_64                mer. 12 juin 2013 21:54:10 CEST


But now, this packages are not in update_testing repository.

Comment 32 Dan Fandrich 2013-06-16 14:26:59 CEST

I second comment #30 and (almost) comment #31; drakxtools-15.54.1-1.mga3 (from updates_testing) does NOT solve the problem, but drakxtools-15.55-2.mga3 (built from the cauldron spec) DOES solve it.

CC: (none) => dan

Iulian Litcanu 2013-06-16 15:47:20 CEST

CC: litcanu => (none)

Comment 33 Dave Hodgins 2013-06-16 22:58:54 CEST

[root@x3v ~]# rpm -q -i drakxtools-backend|grep Source
Source RPM  : drakxtools-15.54.1-1.mga3.src.rpm
[root@x3v ~]# head -n 76 /usr/lib/libDrakX/do_pkgs.pm |tail -n 1
    return if !@not_installed;

The patch as not been applied.

Comment 34 José Jorge 2013-06-17 10:26:31 CEST

(In reply to Adrien D from comment #31)
> It's fixed for me I installed this packages :
> 
> 1 [13:11:51] adrien@superlinux: ~  $ rpm -qa --last | grep drak
> harddrake-ui-15.55-1.mga3.x86_64              mer. 12 juin 2013 21:54:10 CEST
> harddrake-15.55-1.mga3.x86_64                 mer. 12 juin 2013 21:54:10 CEST
> drakxtools-curses-15.55-1.mga3.x86_64         mer. 12 juin 2013 21:54:10 CEST
> drakxtools-backend-15.55-1.mga3.x86_64        mer. 12 juin 2013 21:54:10 CEST
> drakxtools-15.55-1.mga3.x86_64                mer. 12 juin 2013 21:54:10 CEST
> 
> 
> But now, this packages are not in update_testing repository.

Yes, that was an error I did. Please test again removing 15.55 packages. I applied everything but the patch in 15.54.1, so did a new release 2 with THE patch. I am sorry for the time you all lost on this.

Suggested advisory:
========================

Updated drakxtools packages fix drakfirewall behaviour:

Mageia Control Center did not apply firewall settings.
This update fixes it.
========================

Updated packages in core/updates_testing:
========================
drakx-finish-install-15.54.1-2.mga3.x86_64.rpm	 
drakxtools-15.54.1-2.mga3.x86_64.rpm
drakxtools-backend-15.54.1-2.mga3.x86_64.rpm
drakxtools-curses-15.54.1-2.mga3.x86_64.rpm	 
drakxtools-http-15.54.1-2.mga3.x86_64.rpm	 
harddrake-15.54.1-2.mga3.x86_64.rpm	 
harddrake-ui-15.54.1-2.mga3.x86_64.rpm


Source RPMs: 
drakxtools-15.54.1-2.mga3.src.rpm

Whiteboard: has_procedure feedback => has_procedure

Comment 35 claire robinson 2013-06-17 11:06:50 CEST

Testing complete mga3 64

Firewall settings are now preserved. It doesn't affect bug 10301 though sadly.

Whiteboard: has_procedure => has_procedure mga3-64-ok

Comment 36 Rémi Verschelde 2013-06-17 12:04:42 CEST

Testing complete mga3 32, following procedure from comment 15.

Validating update, thanks.
To the sysadmins: please push the update from core/updates_testing to core/updates in Mageia 3. Thanks in advance.

See comment 34 for RPMs, SRPM and advisory.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga3-64-ok => has_procedure mga3-64-ok mga3-32-ok

Comment 37 David GEIGER 2013-06-17 14:24:17 CEST

Testing complete on Mageia release 3 (Official) for x86_64, for it's Ok too.

CC: (none) => geiger.david68210

Comment 38 Dave Hodgins 2013-06-19 01:57:01 CEST

http://svnweb.mageia.org/advisories/9941.adv?view=markup ready to push.

Comment 39 Nicolas Vigier 2013-06-19 12:37:16 CEST

http://advisories.mageia.org/MGAA-2013-0035.html

Status: ASSIGNED => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:05:42 CEST

CC: boklm => (none)