[Bug 819499] New: Manual start of SuSEfirewall2 fails randomly
https://bugzilla.novell.com/show_bug.cgi?id=819499
https://bugzilla.novell.com/show_bug.cgi?id=819499#c0

           Summary: Manual start of SuSEfirewall2 fails randomly
    Classification: openSUSE
           Product: openSUSE 12.3
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 12.3
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Network
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: Yarny@public-files.de
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0

On my system, I disabled SuSEfirewall2 auto-start. If I need it, I start it manually with

  systemctl start SuSEfirewall2.service

Sometimes this fails (silently): It applies the firewall rules, but leaves a file /run/SuSEfirewall2.booting behind which prevents any further control of the firewall, e.g.

  systemctl stop SuSEfirewall2.service

has no effect then.

  systemctl status SuSEfirewall2.service

says

  SuSEfirewall2.service - SuSEfirewall2 phase 2
     Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; disabled)
     Active: inactive (dead) since Sat, 2013-05-11 13:31:20 CEST; 2min 33s ago
    Process: 13257 ExecStop=/usr/sbin/SuSEfirewall2 systemd_stop (code=exited, status=0/SUCCESS)
    Process: 604 ExecStart=/usr/sbin/SuSEfirewall2 boot_setup (code=exited, status=0/SUCCESS)
     CGroup: name=systemd:/system/SuSEfirewall2.service

  May 11 13:25:43 linux-9405.site systemd[1]: Started SuSEfirewall2 phase 2.
  May 11 13:31:19 linux-9405.site systemd[1]: Stopping SuSEfirewall2 phase 2...
  May 11 13:31:20 linux-9405.site SuSEfirewall2[13300]: /run/SuSEfirewall2.booting exists which means system boot in progress, exit.
  May 11 13:31:20 linux-9405.site systemd[1]: Stopped SuSEfirewall2 phase 2.

This happens not always, but commonly if NetworkManager is not running. My uneducated guess is that there is a race-condition: systemd starts SuSEfirewall2_init.service and SuSEfirewall2.service in parallel, so the SuSEfirewall script is called twice simultaneously. To prevent this, I suggest to add

  Type=oneshot

to both unit files' [Service] sections, and

  After=SuSEfirewall2_init.service

to the [Unit] section of SuSEfirewall2.service.

The "oneshot" option is also a good idea in general here: without it, systemd considers the firewall to be running right after it started the firewall script, possibly long before the iptables actually got filled.

Reproducible: Sometimes
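Added example, not part of the original report or of the SuSEfirewall2 package: a shell check that the two unit files carry the settings proposed above (Type=oneshot in both [Service] sections, After=SuSEfirewall2_init.service in the [Unit] section of SuSEfirewall2.service). The function names and the sample unit contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: check unit files for the settings proposed in the report.

# Print every value assigned to KEY in [SECTION] of a unit file, one per line.
unit_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[.*\][ \t]*$/ { gsub(/[ \t]/, ""); sect = $0; next }
        sect == want {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) print v
        }' "$1"
}

# Print deviations from the proposed settings; return the number found.
audit_firewall_units() {
    dir=$1; findings=0
    for unit in SuSEfirewall2_init.service SuSEfirewall2.service; do
        # A later Type= line overrides an earlier one, so look at the last.
        svc_type=$(unit_get "$dir/$unit" Service Type | tail -n 1)
        if [ "$svc_type" != "oneshot" ]; then
            echo "$unit: Type=${svc_type:-unset}, expected oneshot"
            findings=$((findings + 1))
        fi
    done
    # After= holds a space-separated list and may appear more than once.
    if ! unit_get "$dir/SuSEfirewall2.service" Unit After | tr ' \t' '\n\n' |
            grep -qxF 'SuSEfirewall2_init.service'; then
        echo "SuSEfirewall2.service: missing After=SuSEfirewall2_init.service"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample units (not the shipped files): neither setting present.
demo=$(mktemp -d)
printf '[Unit]\nDescription=constructed sample\n[Service]\n' \
    > "$demo/SuSEfirewall2_init.service"
printf '[Unit]\nDescription=constructed sample\n[Service]\nExecStart=/usr/sbin/SuSEfirewall2 boot_setup\n' \
    > "$demo/SuSEfirewall2.service"
audit_firewall_units "$demo" || echo "findings: $?"
rm -rf "$demo"
```

On a real system, point audit_firewall_units at the directory holding the units, e.g. /usr/lib/systemd/system as shown in the status output above.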

https://bugzilla.novell.com/show_bug.cgi?id=819499#c
Christian Boltz

https://bugzilla.novell.com/show_bug.cgi?id=819499#c1
Ludwig Nussel

https://bugzilla.novell.com/show_bug.cgi?id=819499#c2
--- Comment #2 from Yarny Yarny

https://bugzilla.novell.com/show_bug.cgi?id=819499#c3
Marcus Meissner

https://bugzilla.novell.com/show_bug.cgi?id=819499#c4
Marcus Meissner

https://bugzilla.novell.com/show_bug.cgi?id=819499#c5
--- Comment #5 from Yarny Yarny

https://bugzilla.novell.com/show_bug.cgi?id=819499#c6
--- Comment #6 from Bernhard Wiedemann

https://bugzilla.novell.com/show_bug.cgi?id=819499#c7
Marc Schütz