From 0d36f4350b84ef0a040916ba951565148a5bfb41 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Thu, 13 Nov 2014 14:55:47 +0100
Subject: firewall: don't set firewall zone for assumed devices

https://bugzilla.redhat.com/show_bug.cgi?id=1098281

Signed-off-by: Thomas Haller <thaller@redhat.com>
---
 src/devices/nm-device.c | 12 +++++++++++-
 src/nm-policy.c         |  6 ++++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/devices/nm-device.c b/src/devices/nm-device.c
index dbea8c94ec..3c497fae6c 100644
--- a/src/devices/nm-device.c
+++ b/src/devices/nm-device.c
@@ -4625,6 +4625,14 @@ nm_device_activate_schedule_stage3_ip_config_start (NMDevice *self)
 	s_con = nm_connection_get_setting_connection (connection);
 
 	zone = nm_setting_connection_get_zone (s_con);
+
+	if (nm_device_uses_assumed_connection (self)) {
+		_LOGD (LOGD_DEVICE, "Activation: skip setting firewall zone '%s' for assumed device", zone ? zone : "default");
+		activation_source_schedule (self, nm_device_activate_stage3_ip_config_start, 0);
+		_LOGI (LOGD_DEVICE, "Activation: Stage 3 of 5 (IP Configure Start) scheduled.");
+		return;
+	}
+
 	_LOGD (LOGD_DEVICE, "Activation: setting firewall zone '%s'", zone ? zone : "default");
 	priv->fw_call = nm_firewall_manager_add_or_change_zone (nm_firewall_manager_get (),
 	                                                        nm_device_get_ip_iface (self),
@@ -6925,7 +6933,9 @@ _cleanup_generic_pre (NMDevice *self, gboolean deconfigure)
 	}
 
 	connection = nm_device_get_connection (self);
-	if (deconfigure && connection) {
+	if (   deconfigure
+	    && connection
+	    && !nm_device_uses_assumed_connection (self)) {
 		nm_firewall_manager_remove_from_zone (nm_firewall_manager_get (),
 		                                      nm_device_get_ip_iface (self),
 		                                      NULL);
diff --git a/src/nm-policy.c b/src/nm-policy.c
index 0a8f54e370..87fcdcc925 100644
--- a/src/nm-policy.c
+++ b/src/nm-policy.c
@@ -1576,7 +1576,8 @@ firewall_update_zone (NMPolicy *policy, NMConnection *connection)
 		NMDevice *dev = NM_DEVICE (iter->data);
 
 		if (   (nm_device_get_connection (dev) == connection)
-		    && (nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED)) {
+		    && (nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED)
+		    && !nm_device_uses_assumed_connection (dev)) {
 			nm_firewall_manager_add_or_change_zone (nm_firewall_manager_get (),
 			                                        nm_device_get_ip_iface (dev),
 			                                        nm_setting_connection_get_zone (s_con),
@@ -1606,7 +1607,8 @@ firewall_started (NMFirewallManager *manager,
 			continue;
 
 		s_con = nm_connection_get_setting_connection (connection);
-		if (nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED) {
+		if (    nm_device_get_state (dev) == NM_DEVICE_STATE_ACTIVATED
+		    && !nm_device_uses_assumed_connection (dev)) {
 			nm_firewall_manager_add_or_change_zone (nm_firewall_manager_get (),
 			                                        nm_device_get_ip_iface (dev),
 			                                        nm_setting_connection_get_zone (s_con),
-- 
cgit v1.2.1