Bugzilla – Full Text Bug Listing

| Summary: | systemd: rcSuSEfirewall2 does not work | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE 12.1 | Reporter: | Bernhard Wiedemann <bwiedemann> |
| Component: | Network | Assignee: | Ludwig Nussel <lnussel> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | fcrozat |
| Version: | Factory | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | SUSE Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 696902 | | |
| Attachments: | initscript | | |
Description

Bernhard Wiedemann 2011-09-13 16:57:44 UTC

reassigning to SuSEfirewall2 maintainer,

SuSEfirewall2 is hardcoded to not unload its firewall rules when called from systemd (check /etc/init.d/SuSEfirewall2_setup). SuSEfirewall2 needs to know whether it was called manually or during shutdown. During shutdown rules must not be unloaded to avoid exposing the machine in case some network interfaces are still online (and it's a waste of time anyways).

Please correct me if I'm wrong, but AFAIK there is no way to find out, so never unloading rules was the best I could do. Has that changed meanwhile, or is there any way to tell systemd to just not call SuSEfirewall2 on shutdown? Users can still call /sbin/SuSEfirewall2 stop directly to unload rules btw.

There is a way, I've just tested.

--- /etc/init.d/SuSEfirewall2_setup 2011-04-08 23:31:19.000000000 +0200 +++ /home/fcrozat/SuSEfirewall2_setup 2011-09-19 11:41:14.120301321 +0200
@@ -41,9 +41,12 @@ # called due to shutdown of the machine. So we can't # unload rules here. Call /sbin/SuSEfirewall2 # directly instead to unload rules. - echo -n "Not unloading firewall rules when using systemd " - rc_status -s - elif [ -z "$REDIRECT" ]; then + systemctl show -p ActiveState shutdown.target | grep -qi inactive + if [ $? != 0 ]; then + unset REDIRECT + fi + fi + if [ -z "$REDIRECT" ]; then echo -n "Unloading firewall rules" $SUSEFWALL -q stop rc_status -v

This is not very pretty but it works ;) Of course, for 12.2, we will probably switch to systemd unit files, which could help in this regard.

There are actually more things wrong. rcSuSEfirewall2 doesn't work because the rc.status magic doesn't detect the symlink to SuSEfirewall2_setup. "systemctl SuSEfirewall2_setup.service status" doesn't actually call the script but simply claims success. Someone could have manually unloaded the rules, so the script must always be called. There is no daemon after all.

(In reply to comment #3)
> + systemctl show -p ActiveState shutdown.target | grep -qi inactive

Doesn't work for me. I've added the following code to SuSEfirewall2_setup:

```sh
for i in shutdown reboot; do
    echo -n $i...
    /bin/systemctl --no-pager show -p ActiveState $i.target
done > /dev/tty10
echo -n "sleeping " > /dev/tty10
for i in 1 2 3 4 5 6 7; do
    sleep 1
    echo -n . > /dev/tty10
done
```

On tty10 one can see that neither target is active. Neither on reboot nor on shutdown. So SuSEfirewall2 would always unload the rules, which is not supposed to happen.

Created attachment 454897 [details] initscript

please test the attached file, it doesn't unload iptables rules for me, neither on reboot nor on shutdown (I left a sleep 10 call when unloading rules, so it really delays the shutdown / reboot process).
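Review bot: the shutdown test in the hunk above is inverted relative to the comment it sits under. `grep -qi inactive` exits 0 when shutdown.target is inactive, which is the ordinary, non-shutdown case, so `[ $? != 0 ]` is false, REDIRECT stays set and the rules are kept; only when shutdown.target is active does the script `unset REDIRECT` and fall through to `$SUSEFWALL -q stop`, which is precisely the situation the comment says must not unload rules. Test the pipeline directly and unset REDIRECT when the target is inactive: `if systemctl show -p ActiveState shutdown.target | grep -qi inactive; then unset REDIRECT; fi`. Also, the `echo -n "Not unloading firewall rules when using systemd "` and `rc_status -s` lines were removed without a replacement, so in the keep-rules path the script now prints nothing, and a user running the stop action during shutdown gets no indication why the rules are still loaded.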
For the status, the rc* script should not use the initscript, but do the check itself (see http://www.freedesktop.org/wiki/Software/systemd/Incompatibilities).

So it does not unload rules at shutdown, but neither does it when called manually. The shutdown.target is always inactive, even on shutdown. systemctl list-units shows 'stop' for basic.target when shutting down though. Is there a way to isolate that other than 'systemctl list-units|grep 'basic.target.*stop'?

This is an autogenerated message for OBS integration: This bug (717583) was mentioned in https://build.opensuse.org/request/show/87807 Factory / SuSEfirewall2

added list-units and grep for basic.target as workaround
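The workaround the thread settled on (a queued `stop` job on basic.target in `systemctl list-units` output means the system is going down, so the firewall rules stay loaded) can be wrapped in a small decision function rather than an inline grep. This is an added example, not code from the bug or from the SuSEfirewall2 package: the function names `shutting_down` and `should_unload_rules` are made up here, the check reads list-units output on stdin so it can be fed either a live listing or the constructed sample listings below, and it relies on the column layout UNIT LOAD ACTIVE SUB JOB DESCRIPTION with JOB blank when no job is queued.

```shell
#!/bin/sh
# Constructed sample output of `systemctl list-units` (not captured from a
# real host). Columns: UNIT LOAD ACTIVE SUB JOB DESCRIPTION; JOB is empty
# when nothing is queued, so the field count shifts by one.
SAMPLE_IDLE='UNIT                        LOAD   ACTIVE SUB    JOB  DESCRIPTION
basic.target                loaded active active      Basic System
network.target              loaded active active      Network
SuSEfirewall2_setup.service loaded active exited      SuSEfirewall2 phase 2'

SAMPLE_SHUTDOWN='UNIT                        LOAD   ACTIVE SUB    JOB  DESCRIPTION
basic.target                loaded active active stop Basic System
network.target              loaded active active stop Network
SuSEfirewall2_setup.service loaded active exited stop SuSEfirewall2 phase 2'

# shutting_down: exit 0 when basic.target carries a queued "stop" job.
# Reads a list-units listing on stdin, e.g.
#   systemctl --no-pager list-units | shutting_down
# Matching on the unit name and the JOB column avoids the loose
# 'basic.target.*stop' regex hitting the description text.
shutting_down() {
    awk '$1 == "basic.target" && $5 == "stop" { found = 1 }
         END { exit !found }'
}

# should_unload_rules REDIRECT LISTING: the initscript decision.
# REDIRECT is set when the script was entered through the systemd
# redirect; in that case only unload when the system is NOT going down.
# A manual call (REDIRECT empty) always unloads, as the user asked for.
should_unload_rules() {
    redirect=$1
    listing=$2
    if [ -n "$redirect" ]; then
        if printf '%s\n' "$listing" | shutting_down; then
            return 1   # shutdown in progress: keep the firewall up
        fi
    fi
    return 0
}
```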