|
Bugzilla – Full Text Bug Listing |
| Summary: | firewalld, SFW2 and conversion script | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Peter Sütterlin <P.Suetterlin> |
| Component: | Network | Assignee: | Matthias Gerstner <matthias.gerstner> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | forgotten_0qCuzawwPH, marcus.gould, mchandras, meissner, michiel |
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
according to jan engelhardt this should be solved as a systemd service level conflict. Jan writes: That looks like a bug. The conflict is at runtime, so should be expressed in SuSEfirewall2.service/firewalld.service, not at the package level. Thank you for the report. I am aware of the situation, but I don't know how to fix it at the moment. There already is a conflict on systemd level. But it does not suffice. Both units can still be enabled and this causes trouble. In bug 1084177 a user upgraded to Tumbleweed and ended up with a broken firewall setup, because of this. This is where my decision to conflict both packages came from. This topic uncovered various problems: 1) It is unclear why firewalld is implicitly enabled during upgrade to Tumbleweed (bug 1084177). This should not be the case. Probably it originates from a YaST configuration. 2) There is no protection or warning that prevents users from enabling both firewalls on systemd level. 3) The susefirewall2-to-firewalld package is an online migration tool that requires both packages to be installed. In SLE-15 there is no SuSEfirewall2 any more, however. Therefore there is no working migration path for SLE distributions. Regarding 1) I can try asking the YaST maintainers if they can do something against this. Regarding 2) There seems to be no better option in systemd to avoid this. Even if 1) is fixed users may accidentally enable both units, resulting in strange behaviour. Regarding 3) We could rewrite the migration tool to operate on the SuSEfirewall2 configuration file only, not requiring SuSEfirewall2 to be installed. Even after removal of SuSEfirewall2 the original configuration file is kept in /etc/sysconfig/SuSEfirewall2.rpmsave. For all these reasons I am not sure what to do about the Conflict right now. After some testing I could not reproduce bug 1084177. After discussions with the firewalld maintainer we decided to remove the rpm level conflicts statement again. Submission is on its way. This is an autogenerated message for OBS integration: This bug (1085260) was mentioned in https://build.opensuse.org/request/show/588606 Factory / SuSEfirewall2 This issue should be solved. I rolled back the rpm level conflict. The bug 1084177 could not be reproduced. Keeping things as they are for now. |
Since TW 20180312 firewalld produces a conflict with SuSEfirewall2. But the also offered conversion script, susefirewall2-to-firewalld, requires both installed: lux:~% zypper info --requires susefirewall2-to-firewalld Information for package susefirewall2-to-firewalld: --------------------------------------------------- Repository : openSUSE-Tumbleweed Name : susefirewall2-to-firewalld Version : 0.0.1-1.5 Arch : noarch Vendor : openSUSE Installed Size : 83.8 KiB Installed : No Status : not installed Source package : susefirewall2-to-firewalld-0.0.1-1.5.src Summary : Basic SuSEfirewall2 to FirewallD migration script Description : This is a simple bash script aiming to provide a basic migration path from SuSEfirewall2 to FirewallD. Requires : [7] /bin/bash iptables firewalld SuSEfirewall2 rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(PayloadIsXz) <= 5.2-1