<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi All<br>
    From the firewalld doc and my experiments, I understood that we don't
    have any option to add/remove a port to/from a service at
    runtime/permanent (this can be done for a zone). The only way is
    modifying the service xml file, but it requires a firewall reload (which
    causes the loss of runtime settings).<br>
              Is there any way to reload the firewall without losing
    runtime settings, or is there any way to reload a particular service?<br>
    <br>
    Regards<br>
    Anand.N<br>
    <br>
    <div class="moz-cite-prefix">On 09/01/2015 12:49 PM, Christopher
      Blum wrote:<br>
    </div>
    <blockquote
cite="mid:CAGFr3v1xG6D3U47f4ojh8ADqzgvpULSHNcMYB9yMyV7i+JO4eA@mail.gmail.com"
      type="cite">
      <div dir="ltr">There is a function in the d-bus interface:
        <div>
          <p id="yui_3_17_2_1_1441091166270_210"
            style="max-width:590px;color:rgb(51,51,51);font-family:Corbel,HelveticaNeue-Light,'Helvetica
            Neue Light','Helvetica Neue',Helvetica,Arial,'Lucida
            Grande',sans-serif;font-size:medium;background-color:rgb(247,247,247)">getZoneOfInterface(s:
            interface) → s</p>
        </div>
        <div>that will return the current zone of the interface and you
          can then add ports to that interface.</div>
        <div>As far as I see it, the hooks get only executed when I
          start the volume, right? So when I created and started the
          volume, but then change the zone of the interface, we need to
          detect that (I guess it would be enough to handle that on
          reboot) and move the ports/services to the new zone.</div>
        <div><br>
        </div>
        <div>Regarding Org.fedoraproject.firewalld1.config.service - I
          think that would need additional tests if that is really only
          for the persistent config, or if the changes are also applied
          in the running config.</div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="gmail_signature">
            <div dir="ltr">
              <div>
                <div dir="ltr">
                  <div dir="ltr">
                    <div dir="ltr">
                      <div dir="ltr">
                        <div dir="ltr">
                          <div style="font-size:small"><span
                              style="font-size:12.8000001907349px">Christopher
                              Blum</span><br>
                          </div>
                          <div style="font-size:small">Associate Storage
                            Consultant</div>
                          <div style="font-size:small">Global Storage
                            Consulting, Red Hat</div>
                          <div style="font-size:small"><br>
                          </div>
                          <div style="font-size:small"><a
                              moz-do-not-send="true"
                              href="tel:%2B49%20711%2096%2043%207009"
                              value="+4971196437009"
                              style="color:rgb(17,85,204);font-size:12.8000001907349px"
                              target="_blank">+49 711 96 43 7009</a></div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On Tue, Sep 1, 2015 at 8:58 AM, Kaushal
          M <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:kshlmster@gmail.com" target="_blank">kshlmster@gmail.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div class="HOEnZb">
              <div class="h5">On Mon, Aug 31, 2015 at 5:15 PM, Kaushal M
                &lt;<a moz-do-not-send="true"
                  href="mailto:kshlmster@gmail.com">kshlmster@gmail.com</a>&gt;
                wrote:<br>
                &gt; Hi all,<br>
                &gt;<br>
                &gt; I wanted to know if there is any existing information
                on how to manage<br>
                &gt; dynamically changing services using firewalld. If
                there are none<br>
                &gt; existing, could you please let us know if the
                approach we're following<br>
                &gt; below is correct.<br>
                &gt;<br>
                &gt; We want to provide firewalld service configuration
                for GlusterFS. One<br>
                &gt; of the properties of GlusterFS is that it has a set
                of fixed ports,<br>
                &gt; and a set of dynamic ports, which need to be
                opened.<br>
                &gt;<br>
                &gt; We propose to ship 2 firewalld services with
                GlusterFS.<br>
                &gt; - glusterfs-static - This contains the list of
                static ports that<br>
                &gt; should be opened up. This is placed in
                /usr/lib/firewalld/services<br>
                &gt; - glusterfs-dynamic - This will contain the list of
                dynamic ports.<br>
                &gt; This will be shipped empty, and be placed in
                /etc/firewalld/services .<br>
                &gt; The ports in this service will be kept updated by a
                couple of scripts,<br>
                &gt; which hook into the glusterfs start/stop events.<br>
                &gt;<br>
                &gt; The scripts add or remove ports from the
                glusterfs-dynamic.xml file,<br>
                &gt; and call `firewall-cmd --reload` to have firewalld
                reload<br>
                &gt; configuration. We do it this way, instead of using
                a dbus call because<br>
                &gt; we want the configuration to be persisted, and also
                applied live.<br>
                &gt;<br>
                &gt; We've tested this, and this works. But we'd like to
                validate this<br>
                &gt; solution with you guys.<br>
                &gt;<br>
                &gt; Do you see any issues with our approach? Is there
                anything we could do<br>
                &gt; to improve the solution.<br>
                &gt;<br>
                &gt; For reference, the glusterfs bug and proposed
                solution are available<br>
                &gt; at [1] and [2].<br>
                &gt;<br>
                &gt; Thanks.<br>
                &gt;<br>
                &gt; Kaushal<br>
                &gt;<br>
                &gt; [1] <a moz-do-not-send="true"
                  href="https://bugzilla.redhat.com/show_bug.cgi?id=1253967"
                  rel="noreferrer" target="_blank">https://bugzilla.redhat.com/show_bug.cgi?id=1253967</a><br>
                &gt; [2] <a moz-do-not-send="true"
                  href="http://review.gluster.org/11989"
                  rel="noreferrer" target="_blank">http://review.gluster.org/11989</a><br>
                &gt;<br>
                &gt; PS: Apologies if I should have posted this to the
                users list instead.<br>
                <br>
              </div>
            </div>
            I've had a private conversation with Christopher Blum (CCd),
            who<br>
            identified a major flaw with our current solution. Having
            firewalld<br>
            reload will cause any runtime rules that were set to be
            lost. This<br>
            should be avoided at all costs.<br>
            <br>
            Chris suggested using firewalld dbus commands [1] which
            could solve<br>
            this. We have dbus commands to add/remove ports from a
            service<br>
            permanently. This is an alternative to updating the service
            xml files.<br>
            But we don't see a method to update a service during
            runtime.<br>
            <br>
            There are dbus commands to add/remove ports to zones during
            runtime.<br>
            But this is not useful as we wouldn't know which zone to
            apply it to.<br>
            One of the reasons we chose to use services was this.<br>
            <br>
            So now we have two questions,<br>
            1. Is there a way to do a runtime modification of a
            firewalld service?<br>
            2. If not, is there an easy way to get active zones which
            have our<br>
            services enabled and add/remove ports from them?<br>
            <br>
            Thanks.<br>
            <br>
            Kaushal<br>
            <br>
            [1] <a moz-do-not-send="true"
              href="https://www.mankier.com/5/firewalld.dbus"
              rel="noreferrer" target="_blank">https://www.mankier.com/5/firewalld.dbus</a><br>
            [2] <a moz-do-not-send="true"
href="https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service"
              rel="noreferrer" target="_blank">https://www.mankier.com/5/firewalld.dbus#Interfaces-Org.fedoraproject.firewalld1.config.service</a><br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Gluster-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Gluster-devel@gluster.org">Gluster-devel@gluster.org</a>
<a class="moz-txt-link-freetext" href="http://www.gluster.org/mailman/listinfo/gluster-devel">http://www.gluster.org/mailman/listinfo/gluster-devel</a>
</pre>
    </blockquote>
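    As an added example, not code from this thread, from GlusterFS or from
    firewalld: a script that answers Kaushal's second question above. It
    finds the active zones that have a given service enabled and generates
    the firewall-cmd calls that add or remove a port in those zones, once
    for the runtime configuration and once with --permanent, so that
    firewall-cmd --reload (which drops runtime-only rules) is never needed.
    The --get-active-zones sample and the per-zone service lists are
    constructed for the example; the live_inputs() helper that collects
    them from a real host with firewall-cmd is an assumption about how you
    would wire it in, and nothing here is executed unless dry_run is
    turned off.<br>

```python
"""Added example (not from the gluster thread, GlusterFS or firewalld):
apply a port change to every active zone that has a given service
enabled, runtime and permanent, without `firewall-cmd --reload`."""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `firewall-cmd --get-active-zones` output. Real
# output has this shape: a zone name on its own line, then indented
# "interfaces:" and/or "sources:" lines.
SAMPLE_ACTIVE_ZONES = """\
public
  interfaces: eth0
internal
  interfaces: eth1 eth2
trusted
  sources: 10.0.0.0/8
"""

# Constructed sample of `firewall-cmd --zone=<zone> --list-services` for
# each zone above (space-separated service names on one line).
SAMPLE_ZONE_SERVICES = {
    "public": "dhcpv6-client ssh",
    "internal": "ssh glusterfs-static glusterfs-dynamic",
    "trusted": "glusterfs-static",
}


def parse_active_zones(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse --get-active-zones output into
    {zone: {"interfaces": [...], "sources": [...]}}."""
    zones: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            current = line.strip()
            zones[current] = {"interfaces": [], "sources": []}
            continue
        if current is None:
            raise ValueError("indented line before any zone name: %r" % line)
        m = re.match(r"\s*(interfaces|sources):\s*(.*)$", line)
        if not m:
            raise ValueError("unexpected --get-active-zones line: %r" % line)
        zones[current][m.group(1)].extend(m.group(2).split())
    return zones


def zones_with_service(active: Dict[str, Dict[str, List[str]]],
                       zone_services: Dict[str, str],
                       service: str) -> List[str]:
    """Active zones whose runtime service list contains `service`."""
    return sorted(z for z in active
                  if service in zone_services.get(z, "").split())


def port_commands(zones: List[str], port: int, proto: str = "tcp",
                  remove: bool = False) -> List[List[str]]:
    """Build firewall-cmd argv lists: each zone gets the change once for
    the running config and once with --permanent, so it survives a later
    reload/restart. --reload is deliberately never emitted."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if proto not in ("tcp", "udp"):
        raise ValueError("unsupported protocol: %s" % proto)
    action = "--remove-port" if remove else "--add-port"
    cmds = []
    for zone in zones:
        base = ["firewall-cmd", "--zone=%s" % zone,
                "%s=%d/%s" % (action, port, proto)]
        cmds.append(base)
        cmds.append(base[:1] + ["--permanent"] + base[1:])
    return cmds


def plan(active_text: str, zone_services: Dict[str, str], service: str,
         port: int, proto: str = "tcp",
         remove: bool = False) -> Tuple[List[str], List[List[str]]]:
    zones = zones_with_service(parse_active_zones(active_text),
                               zone_services, service)
    return zones, port_commands(zones, port, proto, remove)


def live_inputs() -> Tuple[str, Dict[str, str]]:
    """Assumed wiring for a real host: collect the same two inputs from
    firewall-cmd instead of the constructed samples."""
    active = subprocess.check_output(["firewall-cmd", "--get-active-zones"],
                                     text=True)
    services = {z: subprocess.check_output(
        ["firewall-cmd", "--zone=%s" % z, "--list-services"], text=True)
        for z in parse_active_zones(active)}
    return active, services


def run(cmds: List[List[str]], dry_run: bool = True) -> None:
    """Execute the argv lists (no shell); print them instead if dry_run."""
    for argv in cmds:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    zones, cmds = plan(SAMPLE_ACTIVE_ZONES, SAMPLE_ZONE_SERVICES,
                       "glusterfs-dynamic", 49152)
    print("zones with glusterfs-dynamic enabled:", zones)
    run(cmds, dry_run=True)
```

    Applying the change to the runtime and the permanent configuration as
    two separate calls is what keeps the other runtime-only rules intact;
    the caveat is that a zone which gains the service after the hook ran
    (or an interface moved to another zone) is not picked up until the hook
    runs again, which is the case Chris raises above.<br>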
    <br>
  </body>
</html>