Firewalld not reloading in 3.0

[ntlug]

Is there anyway to force the firewall-cmd --reload

Here's what I have for a node:

firewalld_service { 'Allow postgresql':
ensure => 'present',
service => 'postgresql',
zone => 'public',
}

did I miss something easy in the docs? I thought I read that on any change a forced reload would get done, or something like that. I need at least a --reload done.

[ntlug]

After manually doing a firewalld restart (yes, I even did the full restart)... I see the entries via iptables -L -n, but still can't connect. I'm comparing with our reference (non-puppeted) box and iptables -L -n matches exactly and zones/public.xml look the same.... sigh... but the reference box firewall allows the connection, and our puppeted box does not (sigh). We'll keep looking. But still, didn't seem to do the reload on its own, we forced it.

[allen00se]

What I have noticed is that the reload isnt enough. I created a service with this puppet module and the config shows up in /etc/firewalld/service/"name of service".xml . At that point I can do a reload or restart and the config still wont take affect. I have to run a

firewall-cmd --permanent --add-service="name of service"
firewall-cmd --reload

in order for the config to actually go into effect.

[gothicx]

Are you using the latest version of the module? I'm using RHEL7 and I don't have any issues.

https://github.com/gothicx/puppet-firewalld/blob/master/lib/puppet/provider/firewalld_service/firewall_cmd.rb

The code here shows that it's doing a --permanent and a reload afterwards, so you should not have issues.

[BrandonIngalls]

In testing the latest version 3.0.1 I have been running into this issue with rich rules as well.

[root@blingall-72-2 firewalld]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: 
  ports: 5555/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
        rule family="ipv4" source address="10.50.55.0/23" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="rpc-bind" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="ssh" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="ssh" accept

[root@blingall-72-2 firewalld]# puppet apply --parser future -e 'include lab_roles::lab_machine'
Notice: Compiled catalog for blingall-72-2.local in environment production in 2.40 seconds
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from campus - tcp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from off campus - udp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from campus - udp]/ensure: created
Notice: /Stage[main]/Lab_profiles::Lab_machine::Firewall/Firewalld_rich_rule[Allow un-restricted ports from off campus - tcp]/ensure: created
Notice: Finished catalog run in 10.63 seconds

[root@blingall-72-2 firewalld]# firewall-cmd --list-all
public (default, active)
  interfaces: enp0s3
  sources: 
  services: 
  ports: 5555/tcp
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
        rule family="ipv4" source address="10.50.55.0/23" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="rpc-bind" accept
        rule family="ipv4" source address="192.168.0.0/16" service name="ssh" accept
        rule family="ipv4" source address="10.50.50.0/16" service name="ssh" accept

[root@blingall-72-2 firewalld]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <rule family="ipv4">
    <source address="10.0.0.0/8"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="0.0.0.0/0"/>
    <port protocol="tcp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <port protocol="tcp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.168.0.0/16"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <port protocol="udp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="0.0.0.0/0"/>
    <port protocol="udp" port="1025-65535"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <service name="ssh"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.55.0/23"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.50.50.0/16"/>
    <service name="rpc-bind"/>
    <accept/>
  </rule>
</zone>

Once I issue firewall-cmd --reload the firewall rules are applied.

[root@blingall-72-2 firewalld]# cat /etc/redhat-release 
Red Hat Enterprise Linux Workstation release 7.2 (Maipo)

[crayfishx]

@BrandonIngalls are you sure you are including the firewall class (include firewalld) or are you just defining firewalld_zone resources from the profile without the base class included? If firewalld is included it should farm out to the exec to reload the firewall upon change....

[crayfishx]

We do have a problem here, we used to do collector syntax chaining to notify the exec to reload firewalld but now that notify is only valid for resources declared from the class (eg from hiera). The short term solution is to make sure you notify Exec['firewalld::reload'] from the resource declaration. I think the best long term fix is to use the autonotify feature in the firewalld_service type (this I can test tomorrow), that would only be valid for puppet 4.0+ though

[crayfishx]

An easier (and more backwards compatible) fix will be just to reintroduce the chaining dependencies from init.pp that we dropped in 3.0.0, I can do that tomorrow as it's a minor bug fix

[crayfishx]

@BrandonIngalls does #70 solve this issue for you?

[crayfishx]

I've changed the topic of this issue to reflect the latest discussion, since the older posts were slightly different and fixed in 2.2

[BrandonIngalls]

@crayfishx PR #70 does resolve this issue for me.

[root@puppet-firewalld-test firewalld-test]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@puppet-firewalld-test firewalld-test]# puppet apply test1.pp                                      
Notice: Compiled catalog for puppet-firewalld-test.local in environment production in 0.91 seconds
Notice: /Stage[main]/Main/Firewalld_rich_rule[Allow IT Access to ALL]/ensure: created
Notice: /Stage[main]/Firewalld/Exec[firewalld::reload]: Triggered 'refresh' from 1 events
Notice: Finished catalog run in 2.55 seconds

[root@puppet-firewalld-test firewalld-test]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" source address="10.50.55.0/24" accept

[crayfishx]

Released in 3.1.0