Bug 1204893

Summary:	yast firewall: set interface zone can not take effect based on output of "firewall-cmd --list-interfaces"
Product:	[openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP5	Reporter:	WEI GAO <wegao>
Component:	YaST2	Assignee:	Knut Alejandro Anderssen González <kanderssen>
Status:	RESOLVED INVALID	QA Contact:
Severity:	Normal
Priority:	P2 - High	CC:	cschroder, kanderssen, pdostal, wegao
Version:	unspecified	Flags:	kanderssen: needinfo? (cschroder)
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://openqa.suse.de/tests/9843511/modules/yast2_firewall_set_default_zone_prepare/steps/14
Whiteboard:
Found By:	openQA	Services Priority:
Business Priority:		Blocker:	Yes
Marketing QA Status:	---	IT Deployment:	---
Attachments:	log Select restart if needed

Description WEI GAO 2022-10-31 13:11:15 UTC

## Observation

openQA test in scenario sle-15-SP5-Online-x86_64-yast2_gui@coolgw/os-autoinst-distri-opensuse#libyui_firewall@64bit fails in
[yast2_firewall_set_default_zone_prepare](https://openqa.suse.de/tests/9843511/modules/yast2_firewall_set_default_zone_prepare/steps/14)

## Test suite description

open yast firewall -> Interfaces -> set eth0 to trusted zone -> push OK and apply change

check status with following command: 
firewall-cmd --list-interfaces --zone=trusted  <== nothing return instead of show "eth0"

expected result: should return "eth0"


NOTE:same operation no issue happen on opensuse.

Comment 1 Michal Filka 2022-11-01 09:32:26 UTC

Can we get yast logs? Code base is the same for SLE and OpenSUSE, so hard to analyze without the logs. You can use save_y2logs for collecting them.

Comment 2 WEI GAO 2022-11-03 00:32:13 UTC

Created attachment 862624 [details]
log

Comment 3 WEI GAO 2022-11-03 00:33:08 UTC

log also can get from below link:
https://openqa.suse.de/tests/9860790/file/yast2_firewall_set_default_zone_prepare-y2logs.tar.bz2

Comment 4 Stefan Hundhammer 2022-11-03 08:40:44 UTC

For future bugs (not this one), PLEASE use "save_y2logs" when we ask you to attach logs. See also the bug reporting FAQ.

https://en.opensuse.org/openSUSE:Report_a_YaST_bug#I_attached_/var/log/YaST2/y2log_to_a_YaST2_bug,_and_still_I_am_asked_to_attach_y2logs._Why?

Comment 5 Knut Alejandro Anderssen González 2022-11-07 10:37:19 UTC

According to logs what YaST does is correct...

====

2022-11-02 20:21:35 <1> susetest(28019) [Ruby] firewalld/api.rb(run_command):199 Executing firewall-cmd with ["--permanent", "--zone=public", "--list-interfaces"]
2022-11-02 20:21:35 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent --zone\=public --list-interfaces".
2022-11-02 20:21:35 <1> susetest(28019) [Ruby] lib/cheetah.rb(log_stream_line):208 Standard output: eth0
2022-11-02 20:21:35 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_status):180 Status: 0
2022-11-02 20:21:35 <1> susetest(28019) [Ruby] firewalld/api.rb(run_command):199 Executing firewall-cmd with ["--permanent", "--zone=public", "--remove-interface=eth0"]
2022-11-02 20:21:35 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent --zone\=public --remove-interface\=eth0".
2022-11-02 20:21:36 <1> susetest(28019) [Ruby] lib/cheetah.rb(log_stream_line):208 Standard output: success
2022-11-02 20:21:36 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_status):180 Status: 0
2022-11-02 20:21:36 <1> susetest(28019) [Ruby] firewalld/api.rb(run_command):199 Executing firewall-cmd with ["--permanent", "--zone=public", "--list-interfaces"]
2022-11-02 20:21:36 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent --zone\=public --list-interfaces".
2022-11-02 20:21:37 <1> susetest(28019) [Ruby] lib/cheetah.rb(log_stream_line):208 Standard output: 
2022-11-02 20:21:37 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_status):180 Status: 0
2022-11-02 20:21:37 <1> susetest(28019) [Ruby] firewalld/api.rb(run_command):199 Executing firewall-cmd with ["--permanent", "--zone=trusted", "--list-interfaces"]
2022-11-02 20:21:37 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent --zone\=trusted --list-interfaces".
2022-11-02 20:21:37 <1> susetest(28019) [Ruby] lib/cheetah.rb(log_stream_line):208 Standard output: 
2022-11-02 20:21:37 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_status):180 Status: 0
2022-11-02 20:21:37 <1> susetest(28019) [Ruby] firewalld/api.rb(run_command):199 Executing firewall-cmd with ["--permanent", "--zone=trusted", "--list-interfaces"]
2022-11-02 20:21:37 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent --zone\=trusted --list-interfaces".
2022-11-02 20:21:38 <1> susetest(28019) [Ruby] lib/cheetah.rb(log_stream_line):208 Standard output: 
2022-11-02 20:21:38 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_status):180 Status: 0
2022-11-02 20:21:38 <1> susetest(28019) [Ruby] firewalld/api.rb(run_command):199 Executing firewall-cmd with ["--permanent", "--zone=trusted", "--change-interface=eth0"]
2022-11-02 20:21:38 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent --zone\=trusted --change-interface\=eth0".
2022-11-02 20:21:38 <1> susetest(28019) [Ruby] lib/cheetah.rb(log_stream_line):208 Standard output: success
2022-11-02 20:21:38 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_status):180 Status: 0
2022-11-02 20:21:38 <1> susetest(28019) [Ruby] yast2/systemctl.rb(execute):41 systemctl reload firewalld.service 
2022-11-02 20:21:38 <0> susetest(28019) [Ruby] yast2/systemctl.rb(execute):43 Executing `systemctl` command:  LANG=C TERM=dumb COLUMNS=1024 /usr/bin/systemctl --plain --full --no-legend --no-pager --no-ask-password reload firewalld.service

====

Specially see:

2022-11-02 20:21:38 <1> susetest(28019) [Ruby] lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent --zone\=trusted --change-interface\=eth0".
2022-11-02 20:21:38 <1> susetest(28019) [Ruby] lib/cheetah.rb(log_stream_line):208 Standard output: success

So, it should be another issue of firewalld, I guess asking the --permanent configuration about the interfaces should list it, could you check? I will assign to firewalld maintainer meanwhile.

Comment 6 WEI GAO 2022-11-11 12:28:21 UTC

(In reply to Knut Alejandro Anderssen González from comment #5)
> According to logs what YaST does is correct...
> 
> ====
> 
> 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> firewalld/api.rb(run_command):199 Executing firewall-cmd with
> ["--permanent", "--zone=public", "--list-interfaces"]
> 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> --zone\=public --list-interfaces".
> 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(log_stream_line):208 Standard output: eth0
> 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_status):180 Status: 0
> 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> firewalld/api.rb(run_command):199 Executing firewall-cmd with
> ["--permanent", "--zone=public", "--remove-interface=eth0"]
> 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> --zone\=public --remove-interface\=eth0".
> 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(log_stream_line):208 Standard output: success
> 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_status):180 Status: 0
> 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> firewalld/api.rb(run_command):199 Executing firewall-cmd with
> ["--permanent", "--zone=public", "--list-interfaces"]
> 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> --zone\=public --list-interfaces".
> 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(log_stream_line):208 Standard output: 
> 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_status):180 Status: 0
> 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> firewalld/api.rb(run_command):199 Executing firewall-cmd with
> ["--permanent", "--zone=trusted", "--list-interfaces"]
> 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> --zone\=trusted --list-interfaces".
> 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(log_stream_line):208 Standard output: 
> 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_status):180 Status: 0
> 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> firewalld/api.rb(run_command):199 Executing firewall-cmd with
> ["--permanent", "--zone=trusted", "--list-interfaces"]
> 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> --zone\=trusted --list-interfaces".
> 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(log_stream_line):208 Standard output: 
> 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_status):180 Status: 0
> 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> firewalld/api.rb(run_command):199 Executing firewall-cmd with
> ["--permanent", "--zone=trusted", "--change-interface=eth0"]
> 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> --zone\=trusted --change-interface\=eth0".
> 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(log_stream_line):208 Standard output: success
> 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_status):180 Status: 0
> 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> yast2/systemctl.rb(execute):41 systemctl reload firewalld.service 
> 2022-11-02 20:21:38 <0> susetest(28019) [Ruby]
> yast2/systemctl.rb(execute):43 Executing `systemctl` command:  LANG=C
> TERM=dumb COLUMNS=1024 /usr/bin/systemctl --plain --full --no-legend
> --no-pager --no-ask-password reload firewalld.service
> 
> ====
> 
> Specially see:
> 
> 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> --zone\=trusted --change-interface\=eth0".
> 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> lib/cheetah.rb(log_stream_line):208 Standard output: success
> 
> So, it should be another issue of firewalld, I guess asking the --permanent
> configuration about the interfaces should list it, could you check? I will
> assign to firewalld maintainer meanwhile.


susetest:~ # firewall-cmd --list-interfaces --zone=trusted  

susetest:~ # firewall-cmd --permanent --zone\=trusted --change-interface\=eth0
success
susetest:~ # firewall-cmd --list-interfaces --zone=trusted  

susetest:~ # cat /etc/os-release 
NAME="SLES"
VERSION="15-SP5"
VERSION_ID="15.5"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp5"
DOCUMENTATION_URL="https://documentation.suse.com/"
susetest:~ # firewall-cmd --version
0.9.3
susetest:~ # firewall-cmd --permanent --zone=trusted --change-interface=eth0
success
susetest:~ # firewall-cmd --list-interfaces --zone=trusted

Comment 7 Knut Alejandro Anderssen González 2022-11-14 07:40:45 UTC

(In reply to WEI GAO from comment #6)
> (In reply to Knut Alejandro Anderssen González from comment #5)
> > According to logs what YaST does is correct...
> > 
> > ====
> > 
> > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > ["--permanent", "--zone=public", "--list-interfaces"]
> > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > --zone\=public --list-interfaces".
> > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(log_stream_line):208 Standard output: eth0
> > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_status):180 Status: 0
> > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > ["--permanent", "--zone=public", "--remove-interface=eth0"]
> > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > --zone\=public --remove-interface\=eth0".
> > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_status):180 Status: 0
> > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > ["--permanent", "--zone=public", "--list-interfaces"]
> > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > --zone\=public --list-interfaces".
> > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_status):180 Status: 0
> > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > ["--permanent", "--zone=trusted", "--list-interfaces"]
> > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > --zone\=trusted --list-interfaces".
> > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_status):180 Status: 0
> > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > ["--permanent", "--zone=trusted", "--list-interfaces"]
> > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > --zone\=trusted --list-interfaces".
> > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_status):180 Status: 0
> > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > ["--permanent", "--zone=trusted", "--change-interface=eth0"]
> > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > --zone\=trusted --change-interface\=eth0".
> > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_status):180 Status: 0
> > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > yast2/systemctl.rb(execute):41 systemctl reload firewalld.service 
> > 2022-11-02 20:21:38 <0> susetest(28019) [Ruby]
> > yast2/systemctl.rb(execute):43 Executing `systemctl` command:  LANG=C
> > TERM=dumb COLUMNS=1024 /usr/bin/systemctl --plain --full --no-legend
> > --no-pager --no-ask-password reload firewalld.service
> > 
> > ====
> > 
> > Specially see:
> > 
> > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > --zone\=trusted --change-interface\=eth0".
> > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > 
> > So, it should be another issue of firewalld, I guess asking the --permanent
> > configuration about the interfaces should list it, could you check? I will
> > assign to firewalld maintainer meanwhile.
> 
> 
> susetest:~ # firewall-cmd --list-interfaces --zone=trusted  
> 
> susetest:~ # firewall-cmd --permanent --zone\=trusted
> --change-interface\=eth0
> success
> susetest:~ # firewall-cmd --list-interfaces --zone=trusted  

Could you reload / restart after applying the changes, you are modifying only the permanent configuration (--permanent) option, but then you are querying the running one, you need to reload / restart in order to apply the permanent configuration to the running system, otherwise you need to modify the running one directly. 

In the past there were some bug in firewalld but I would expect it to be already solved.

> 
> susetest:~ # cat /etc/os-release 
> NAME="SLES"
> VERSION="15-SP5"
> VERSION_ID="15.5"
> PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
> ID="sles"
> ID_LIKE="suse"
> ANSI_COLOR="0;32"
> CPE_NAME="cpe:/o:suse:sles:15:sp5"
> DOCUMENTATION_URL="https://documentation.suse.com/"
> susetest:~ # firewall-cmd --version
> 0.9.3
> susetest:~ # firewall-cmd --permanent --zone=trusted --change-interface=eth0
> success
> susetest:~ # firewall-cmd --list-interfaces --zone=trusted

Comment 8 WEI GAO 2022-11-16 08:03:34 UTC

(In reply to Knut Alejandro Anderssen González from comment #7)
> (In reply to WEI GAO from comment #6)
> > (In reply to Knut Alejandro Anderssen González from comment #5)
> > > According to logs what YaST does is correct...
> > > 
> > > ====
> > > 
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=public", "--list-interfaces"]
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=public --list-interfaces".
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: eth0
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=public", "--remove-interface=eth0"]
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=public --remove-interface\=eth0".
> > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=public", "--list-interfaces"]
> > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=public --list-interfaces".
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=trusted", "--list-interfaces"]
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=trusted --list-interfaces".
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=trusted", "--list-interfaces"]
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=trusted --list-interfaces".
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=trusted", "--change-interface=eth0"]
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=trusted --change-interface\=eth0".
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > yast2/systemctl.rb(execute):41 systemctl reload firewalld.service 
> > > 2022-11-02 20:21:38 <0> susetest(28019) [Ruby]
> > > yast2/systemctl.rb(execute):43 Executing `systemctl` command:  LANG=C
> > > TERM=dumb COLUMNS=1024 /usr/bin/systemctl --plain --full --no-legend
> > > --no-pager --no-ask-password reload firewalld.service
> > > 
> > > ====
> > > 
> > > Specially see:
> > > 
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=trusted --change-interface\=eth0".
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > 
> > > So, it should be another issue of firewalld, I guess asking the --permanent
> > > configuration about the interfaces should list it, could you check? I will
> > > assign to firewalld maintainer meanwhile.
> > 
> > 
> > susetest:~ # firewall-cmd --list-interfaces --zone=trusted  
> > 
> > susetest:~ # firewall-cmd --permanent --zone\=trusted
> > --change-interface\=eth0
> > success
> > susetest:~ # firewall-cmd --list-interfaces --zone=trusted  
> 
> Could you reload / restart after applying the changes, you are modifying
> only the permanent configuration (--permanent) option, but then you are
> querying the running one, you need to reload / restart in order to apply the
> permanent configuration to the running system, otherwise you need to modify
> the running one directly. 
> 
> In the past there were some bug in firewalld but I would expect it to be
> already solved.
> 
> > 
> > susetest:~ # cat /etc/os-release 
> > NAME="SLES"
> > VERSION="15-SP5"
> > VERSION_ID="15.5"
> > PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
> > ID="sles"
> > ID_LIKE="suse"
> > ANSI_COLOR="0;32"
> > CPE_NAME="cpe:/o:suse:sles:15:sp5"
> > DOCUMENTATION_URL="https://documentation.suse.com/"
> > susetest:~ # firewall-cmd --version
> > 0.9.3
> > susetest:~ # firewall-cmd --permanent --zone=trusted --change-interface=eth0
> > success
> > susetest:~ # firewall-cmd --list-interfaces --zone=trusted


The yast UI should reload / (In reply to Knut Alejandro Anderssen González from comment #7)
> (In reply to WEI GAO from comment #6)
> > (In reply to Knut Alejandro Anderssen González from comment #5)
> > > According to logs what YaST does is correct...
> > > 
> > > ====
> > > 
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=public", "--list-interfaces"]
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=public --list-interfaces".
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: eth0
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=public", "--remove-interface=eth0"]
> > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=public --remove-interface\=eth0".
> > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=public", "--list-interfaces"]
> > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=public --list-interfaces".
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=trusted", "--list-interfaces"]
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=trusted --list-interfaces".
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=trusted", "--list-interfaces"]
> > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=trusted --list-interfaces".
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > ["--permanent", "--zone=trusted", "--change-interface=eth0"]
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=trusted --change-interface\=eth0".
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_status):180 Status: 0
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > yast2/systemctl.rb(execute):41 systemctl reload firewalld.service 
> > > 2022-11-02 20:21:38 <0> susetest(28019) [Ruby]
> > > yast2/systemctl.rb(execute):43 Executing `systemctl` command:  LANG=C
> > > TERM=dumb COLUMNS=1024 /usr/bin/systemctl --plain --full --no-legend
> > > --no-pager --no-ask-password reload firewalld.service
> > > 
> > > ====
> > > 
> > > Specially see:
> > > 
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > --zone\=trusted --change-interface\=eth0".
> > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > 
> > > So, it should be another issue of firewalld, I guess asking the --permanent
> > > configuration about the interfaces should list it, could you check? I will
> > > assign to firewalld maintainer meanwhile.
> > 
> > 
> > susetest:~ # firewall-cmd --list-interfaces --zone=trusted  
> > 
> > susetest:~ # firewall-cmd --permanent --zone\=trusted
> > --change-interface\=eth0
> > success
> > susetest:~ # firewall-cmd --list-interfaces --zone=trusted  
> 
> Could you reload / restart after applying the changes, you are modifying
> only the permanent configuration (--permanent) option, but then you are
> querying the running one, you need to reload / restart in order to apply the
> permanent configuration to the running system, otherwise you need to modify
> the running one directly. 
> 
> In the past there were some bug in firewalld but I would expect it to be
> already solved.
> 
> > 
> > susetest:~ # cat /etc/os-release 
> > NAME="SLES"
> > VERSION="15-SP5"
> > VERSION_ID="15.5"
> > PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
> > ID="sles"
> > ID_LIKE="suse"
> > ANSI_COLOR="0;32"
> > CPE_NAME="cpe:/o:suse:sles:15:sp5"
> > DOCUMENTATION_URL="https://documentation.suse.com/"
> > susetest:~ # firewall-cmd --version
> > 0.9.3
> > susetest:~ # firewall-cmd --permanent --zone=trusted --change-interface=eth0
> > success
> > susetest:~ # firewall-cmd --list-interfaces --zone=trusted

This is issue about yast UI, yast UI should take case how the configuration take effect after click apply button(either reload or restart firewall etc..).
Change in yast UI and do command such as reload/restart with command line is not end user scenario.

Comment 9 Stefan Hundhammer 2022-11-16 08:51:23 UTC

(In reply to WEI GAO from comment #8)
> This is issue about yast UI, yast UI should take case how the configuration
> take effect 
...
> Change in yast UI and do command such as reload/restart with command line is
> not end user scenario.

You had me confused here for a while...

You mean "the YaST module". "YaST UI" is a very specific thing, the GUI / TUI engine that draws buttons ("widgets" in general) and takes care about the widget layout. That's not the part that causes problems here; it's the logic of that YaST module.

I am writing this because that terminology is well-defined, documented, fixed and generally accepted in the YaST and SUSE world; changing it on the fly introduces confusion for people casually reading bugs such as this.

TIA

Comment 10 Stefan Hundhammer 2022-11-16 08:53:50 UTC

Knut, so how do we continue with this?

I guess it's time to Trello'ize this because it keeps coming back into our "incoming bugs" queue.

Comment 12 Knut Alejandro Anderssen González 2022-11-21 10:25:43 UTC

(In reply to WEI GAO from comment #8)
> (In reply to Knut Alejandro Anderssen González from comment #7)
> > (In reply to WEI GAO from comment #6)
> > > (In reply to Knut Alejandro Anderssen González from comment #5)
> > > > According to logs what YaST does is correct...
> > > > 
> > > > ====
> > > > 
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=public", "--list-interfaces"]
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=public --list-interfaces".
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: eth0
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=public", "--remove-interface=eth0"]
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=public --remove-interface\=eth0".
> > > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=public", "--list-interfaces"]
> > > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=public --list-interfaces".
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=trusted", "--list-interfaces"]
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=trusted --list-interfaces".
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=trusted", "--list-interfaces"]
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=trusted --list-interfaces".
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=trusted", "--change-interface=eth0"]
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=trusted --change-interface\=eth0".
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > yast2/systemctl.rb(execute):41 systemctl reload firewalld.service 
> > > > 2022-11-02 20:21:38 <0> susetest(28019) [Ruby]
> > > > yast2/systemctl.rb(execute):43 Executing `systemctl` command:  LANG=C
> > > > TERM=dumb COLUMNS=1024 /usr/bin/systemctl --plain --full --no-legend
> > > > --no-pager --no-ask-password reload firewalld.service
> > > > 
> > > > ====
> > > > 
> > > > Specially see:
> > > > 
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=trusted --change-interface\=eth0".
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > > 
> > > > So, it should be another issue of firewalld, I guess asking the --permanent
> > > > configuration about the interfaces should list it, could you check? I will
> > > > assign to firewalld maintainer meanwhile.
> > > 
> > > 
> > > susetest:~ # firewall-cmd --list-interfaces --zone=trusted  
> > > 
> > > susetest:~ # firewall-cmd --permanent --zone\=trusted
> > > --change-interface\=eth0
> > > success
> > > susetest:~ # firewall-cmd --list-interfaces --zone=trusted  
> > 
> > Could you reload / restart after applying the changes, you are modifying
> > only the permanent configuration (--permanent) option, but then you are
> > querying the running one, you need to reload / restart in order to apply the
> > permanent configuration to the running system, otherwise you need to modify
> > the running one directly. 
> > 
> > In the past there were some bug in firewalld but I would expect it to be
> > already solved.
> > 
> > > 
> > > susetest:~ # cat /etc/os-release 
> > > NAME="SLES"
> > > VERSION="15-SP5"
> > > VERSION_ID="15.5"
> > > PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
> > > ID="sles"
> > > ID_LIKE="suse"
> > > ANSI_COLOR="0;32"
> > > CPE_NAME="cpe:/o:suse:sles:15:sp5"
> > > DOCUMENTATION_URL="https://documentation.suse.com/"
> > > susetest:~ # firewall-cmd --version
> > > 0.9.3
> > > susetest:~ # firewall-cmd --permanent --zone=trusted --change-interface=eth0
> > > success
> > > susetest:~ # firewall-cmd --list-interfaces --zone=trusted
> 
> 
> The yast UI should reload / (In reply to Knut Alejandro Anderssen González
> from comment #7)
> > (In reply to WEI GAO from comment #6)
> > > (In reply to Knut Alejandro Anderssen González from comment #5)
> > > > According to logs what YaST does is correct...
> > > > 
> > > > ====
> > > > 
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=public", "--list-interfaces"]
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=public --list-interfaces".
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: eth0
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=public", "--remove-interface=eth0"]
> > > > 2022-11-02 20:21:35 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=public --remove-interface\=eth0".
> > > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=public", "--list-interfaces"]
> > > > 2022-11-02 20:21:36 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=public --list-interfaces".
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=trusted", "--list-interfaces"]
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=trusted --list-interfaces".
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=trusted", "--list-interfaces"]
> > > > 2022-11-02 20:21:37 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=trusted --list-interfaces".
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: 
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > firewalld/api.rb(run_command):199 Executing firewall-cmd with
> > > > ["--permanent", "--zone=trusted", "--change-interface=eth0"]
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=trusted --change-interface\=eth0".
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_status):180 Status: 0
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > yast2/systemctl.rb(execute):41 systemctl reload firewalld.service 
> > > > 2022-11-02 20:21:38 <0> susetest(28019) [Ruby]
> > > > yast2/systemctl.rb(execute):43 Executing `systemctl` command:  LANG=C
> > > > TERM=dumb COLUMNS=1024 /usr/bin/systemctl --plain --full --no-legend
> > > > --no-pager --no-ask-password reload firewalld.service
> > > > 
> > > > ====
> > > > 
> > > > Specially see:
> > > > 
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(record_commands):160 Executing "firewall-cmd --permanent
> > > > --zone\=trusted --change-interface\=eth0".
> > > > 2022-11-02 20:21:38 <1> susetest(28019) [Ruby]
> > > > lib/cheetah.rb(log_stream_line):208 Standard output: success
> > > > 
> > > > So, it should be another issue of firewalld, I guess asking the --permanent
> > > > configuration about the interfaces should list it, could you check? I will
> > > > assign to firewalld maintainer meanwhile.
> > > 
> > > 
> > > susetest:~ # firewall-cmd --list-interfaces --zone=trusted  
> > > 
> > > susetest:~ # firewall-cmd --permanent --zone\=trusted
> > > --change-interface\=eth0
> > > success
> > > susetest:~ # firewall-cmd --list-interfaces --zone=trusted  
> > 
> > Could you reload / restart after applying the changes, you are modifying
> > only the permanent configuration (--permanent) option, but then you are
> > querying the running one, you need to reload / restart in order to apply the
> > permanent configuration to the running system, otherwise you need to modify
> > the running one directly. 
> > 
> > In the past there were some bug in firewalld but I would expect it to be
> > already solved.
> > 
> > > 
> > > susetest:~ # cat /etc/os-release 
> > > NAME="SLES"
> > > VERSION="15-SP5"
> > > VERSION_ID="15.5"
> > > PRETTY_NAME="SUSE Linux Enterprise Server 15 SP5"
> > > ID="sles"
> > > ID_LIKE="suse"
> > > ANSI_COLOR="0;32"
> > > CPE_NAME="cpe:/o:suse:sles:15:sp5"
> > > DOCUMENTATION_URL="https://documentation.suse.com/"
> > > susetest:~ # firewall-cmd --version
> > > 0.9.3
> > > susetest:~ # firewall-cmd --permanent --zone=trusted --change-interface=eth0
> > > success
> > > susetest:~ # firewall-cmd --list-interfaces --zone=trusted
> 
> This is issue about yast UI, yast UI should take case how the configuration
> take effect after click apply button(either reload or restart firewall
> etc..).

In the yast firewall module the user can decide the action to be done after apply the changes, so by default it is reload, but you could decide to write permanent configuration without restarting / reloading anything at all.

In the logs it is shown that YaST uses the --permanent option always and you are showing the results of the command querying the running system, so, maybe I'm overlooking something but looks incorrect and useless...

> Change in yast UI and do command such as reload/restart with command line is
> not end user scenario.

We are trying to determine if it is a firewalld bug or YaST but at all, as commented I already reported bugs in the past about firewalld not reflecting the changes after reload / restart with permanent configuration changes.

I will try to reproduce myself and will do the firewalld checks I requested to verify where the problem is if there is a problem at all.

Comment 13 Knut Alejandro Anderssen González 2022-11-21 10:27:25 UTC

(In reply to Stefan Hundhammer from comment #10)
> Knut, so how do we continue with this?
> 
> I guess it's time to Trello'ize this because it keeps coming back into our
> "incoming bugs" queue.

Fine with me, but it is still not clear if it is a YaST bug or a firewalld bug at all, I will check it.

Comment 14 Knut Alejandro Anderssen González 2022-11-21 11:24:47 UTC

So basically the current behavior is consequence of Michal Rostecki patch which sets FlushAllOnReload as no.

https://build.suse.de/request/show/226123


From https://firewalld.org/documentation/man-pages/firewall-cmd.html

Reload firewall rules and keep state information. Current permanent configuration will become new runtime configuration, i.e. all runtime only changes done until reload are lost with reload if they have not been also in permanent configuration.

Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not affected and will therefore stay in place until firewalld daemon is restarted completely. For FlushAllOnReload, see firewalld.conf(5).

Therefore if it is set to no, a reload of the configuration will not apply permanent changes to running one but in just you can set the service to be restarted after writing the configuration.

So, for me the current behavior is the expected one according to openSUSE / SUSE defaults, there is no reference to a bug or discussions about why it was modified from yes to no but "no" is the default value since 2 years ago.

Comment 15 Knut Alejandro Anderssen González 2022-11-21 11:25:29 UTC

Created attachment 863003 [details]
Select restart if needed

Comment 16 Knut Alejandro Anderssen González 2022-11-21 11:39:43 UTC

BTW this bug looks related to (https://bugzilla.suse.com/show_bug.cgi?id=1114673)

Comment 17 Knut Alejandro Anderssen González 2022-11-21 12:09:47 UTC

The original fix which introduced the option for flushing the configuration is https://bugzilla.suse.com/show_bug.cgi?id=1112008

Comment 18 Knut Alejandro Anderssen González 2022-12-12 10:46:37 UTC

(In reply to Knut Alejandro Anderssen González from comment #14)
> So basically the current behavior is consequence of Michal Rostecki patch
> which sets FlushAllOnReload as no.
> 
> https://build.suse.de/request/show/226123
> 
> 
> From https://firewalld.org/documentation/man-pages/firewall-cmd.html
> 
> Reload firewall rules and keep state information. Current permanent
> configuration will become new runtime configuration, i.e. all runtime only
> changes done until reload are lost with reload if they have not been also in
> permanent configuration.
> 
> Note: If FlushAllOnReload=no, runtime changes applied via the direct
> interface are not affected and will therefore stay in place until firewalld
> daemon is restarted completely. For FlushAllOnReload, see firewalld.conf(5).
> 
> Therefore if it is set to no, a reload of the configuration will not apply
> permanent changes to running one but in just you can set the service to be
> restarted after writing the configuration.
> 
> So, for me the current behavior is the expected one according to openSUSE /
> SUSE defaults, there is no reference to a bug or discussions about why it
> was modified from yes to no but "no" is the default value since 2 years ago.

Carla, although there is no issue to be fixed in YaST maybe we could improve the current documentation (https://github.com/SUSE/doc-sle/pull/949 a little bit mentioning that YaST only works or manage the firewalld permanent configuration.

In the current documentation it is also mentioned that a reload is enough but taking into account current defaults the user should be aware that a restart could be needed after some change.

See https://github.com/SUSE/doc-sle/blob/56412e788f79667ea152579a75a3ad80c1e3bf52/xml/security_firewall.xml#L473

I can create a new bug for that if needed.