[Pkg-utopia-maintainers] Bug#1033144: [Firewalld] exit with status-code cleaned up rules in firewall

Danny van Heumen danny at dannyvanheumen.nl
Sat Mar 18 01:31:19 GMT 2023


Package: firewalld
Version: 1.3.0-1~bpo11+1

I do not know exactly how to reproduce, so I will describe my facts and suspicions best I can.

I checked the current status of the firewall on my system (`firewalld`) and discovered it was not running and, in addition, the rules were not present in nftables (`sudo nft list ruleset`). Manually restarting the service restored operation. There were no changes to the firewall configuration involved (that I can recall).

Journald showed an entry:
```
<timestamp> <host> systemd[1]: firewalld.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
<timestamp> <host> systemd[1]: firewalld.service: Failed with result 'exit-code'.
```

I do not know what caused the error with this exit-code, so I am not sure how to reproduce. I am using some software that creates a separate network-namespace which includes firewall rules, so there may be exceptional circumstances it cannot handle.

Regardless, I suspect there is an error in handling this use case. There are three factors at play:

1.) firewalld exited suddenly.
2.) systemd service configuration did not properly restart it.
3.) configuration: the firewall rules were cleaned up (I suspect due to the default config to clean up rules at exit).

I would expect either:

a) immediate restart by systemd, to ensure the firewall is operational; or
b) the firewall rules not being cleaned up, so as not to drop protection of the system if an error occurs.

So one solution *may be* to have the configuration *not* clean up firewall rules on exit. Another may be to configure the systemd service file to force restarts on certain exit codes, or rather everything but the expected success exit code. A quick check showed that you can configure broadly to restart on anything but success, or you can configure specific actions on specific exit codes.

Regards,
Danny
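The two mitigations the report proposes, written out as an added example (not firewalld's or Debian's own code): a systemd drop-in that restarts the unit on any non-success exit, and a `CleanupOnExit=no` setting so rules survive a daemon crash, plus two small helpers to recognise the failure in journal and `nft` output. Assumes Debian's stock paths, GNU `sed -i`, and that firewalld's nftables backend names its table `inet firewalld`.

```shell
#!/bin/sh
# Added example, not part of the bug report or of firewalld. Assumptions: Debian
# paths, GNU sed, and firewalld's nftables table being named "inet firewalld".

# Pull the numeric status out of a systemd "Main process exited" journal line.
# Prints nothing for lines that are not such a message.
main_exit_status() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Main process exited, code=exited, status=\([0-9][0-9]*\)\/.*/\1/p'
}

# True when an `nft list ruleset` dump still carries firewalld's table.
firewalld_table_present() {
    printf '%s\n' "$1" | grep -q '^table inet firewalld'
}

# Write a systemd drop-in so firewalld is restarted on any non-success exit
# (which covers the status=3 case above); $1 is the drop-in directory.
write_restart_dropin() {
    mkdir -p "$1"
    cat > "$1/restart.conf" <<'EOF'
[Unit]
# no start-rate limit, so repeated crashes still get repeated restarts
StartLimitIntervalSec=0

[Service]
Restart=on-failure
RestartSec=2s
EOF
}

# Flip CleanupOnExit in a firewalld.conf file so rules stay in the kernel if
# the daemon dies; $1 is the path to the configuration file.
set_cleanup_on_exit_no() {
    sed -i 's/^CleanupOnExit=.*/CleanupOnExit=no/' "$1"
}

# Live-host usage (as root):
#   write_restart_dropin /etc/systemd/system/firewalld.service.d && systemctl daemon-reload
#   set_cleanup_on_exit_no /etc/firewalld/firewalld.conf && systemctl restart firewalld
```

Either setting on its own closes the window the report describes; together they make a crash both self-healing and non-fatal to the ruleset.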


