Bug #77511 Cannot set mysql_firewall_trace at runtime
Submitted: 26 Jun 2015 15:54 Modified: 19 Jul 2015 21:08
Reporter: Paul DuBois
Status: Closed
Category: MySQL Server: Security: Firewall
Severity: S3 (Non-critical)
Version: 5.6.24, 5.6.27, 5.7.8
OS: Any
Assigned to:
CPU Architecture: Any

[26 Jun 2015 15:54] Paul DuBois
Description:
MySQL Enterprise Firewall exposes a mysql_firewall_trace system variable, but it cannot be set at runtime.

How to repeat:
Install the firewall, then try this:

SET GLOBAL mysql_firewall_trace=0;
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
SET GLOBAL mysql_firewall_trace=1;
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';

Result:

mysql> SET GLOBAL mysql_firewall_trace=0;
Query OK, 0 rows affected (0.01 sec)

mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
+----------------------+-------+
| Variable_name        | Value |
+----------------------+-------+
| mysql_firewall_trace | OFF   |
+----------------------+-------+
1 row in set (0.00 sec)

mysql> SET GLOBAL mysql_firewall_trace=1;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
+----------------------+-------+
| Variable_name        | Value |
+----------------------+-------+
| mysql_firewall_trace | OFF   |
+----------------------+-------+
1 row in set (0.00 sec)

It is, however, possible to set mysql_firewall_trace at server startup. For example, this works:

[mysqld]
mysql_firewall_trace=1

In that case, mysql_firewall_trace cannot be turned *off* at runtime:

mysql> SET GLOBAL mysql_firewall_trace=0;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
+----------------------+-------+
| Variable_name        | Value |
+----------------------+-------+
| mysql_firewall_trace | ON    |
+----------------------+-------+
1 row in set (0.00 sec)

mysql> SET GLOBAL mysql_firewall_trace=1;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
+----------------------+-------+
| Variable_name        | Value |
+----------------------+-------+
| mysql_firewall_trace | ON    |
+----------------------+-------+
1 row in set (0.00 sec)

Suggested fix:
Make mysql_firewall_trace settable at runtime.
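
The server answers "Query OK" although the value is unchanged, so the failure is visible only on read-back. As an added example (not part of the original report and not MySQL code), this Python check pairs each SET GLOBAL in a mysql client transcript with the SHOW GLOBAL VARIABLES row that follows it and reports assignments that did not take effect; the function names and the embedded sample transcript are constructed for illustration.

```python
import re

# Boolean variables read back as ON/OFF however they were assigned.
_BOOL = {"1": "ON", "ON": "ON", "TRUE": "ON", "0": "OFF", "OFF": "OFF", "FALSE": "OFF"}
SET_RE = re.compile(r"mysql>\s*SET\s+GLOBAL\s+(\w+)\s*=\s*(\w+)\s*;", re.I)
SHOW_RE = re.compile(r"mysql>\s*SHOW\s+GLOBAL\s+VARIABLES\s+LIKE\s+'(\w+)'\s*;", re.I)
ROW_RE = re.compile(r"^\|\s*(\w+)\s*\|\s*(\S*)\s*\|$")

# Constructed sample, modelled on the client output shown in the report.
SAMPLE = """\
mysql> SET GLOBAL mysql_firewall_trace=0;
Query OK, 0 rows affected (0.01 sec)
mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
| Variable_name        | Value |
+----------------------+-------+
| mysql_firewall_trace | OFF   |
mysql> SET GLOBAL mysql_firewall_trace=1;
Query OK, 0 rows affected (0.00 sec)
mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
| Variable_name        | Value |
+----------------------+-------+
| mysql_firewall_trace | OFF   |
"""

def normalize(value):
    return _BOOL.get(value.upper(), value.upper())

def find_ignored_sets(transcript):
    """Return (variable, requested, observed) for every SET GLOBAL whose
    next SHOW GLOBAL VARIABLES read-back shows a different value."""
    findings, pending, showing = [], {}, None
    for line in transcript.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:  # remember what was requested until it is read back
            pending[m.group(1).lower()] = normalize(m.group(2))
            continue
        m = SHOW_RE.match(line)
        if m:  # the next matching table row belongs to this variable
            showing = m.group(1).lower()
            continue
        m = ROW_RE.match(line)
        if m and showing == m.group(1).lower():
            requested = pending.pop(showing, None)
            observed = normalize(m.group(2))
            if requested is not None and requested != observed:
                findings.append((showing, requested, observed))
            showing = None
    return findings
```
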
[27 Jun 2015 5:10] MySQL Verification Team
Hello Paul,

Thank you for the report.

Thanks,
Umesh
[27 Jun 2015 5:22] MySQL Verification Team
// 5.6.27/5.7.8 affected

mysql> show variables like '%version%';
+-------------------------+---------------------------------------------------------+
| Variable_name           | Value                                                   |
+-------------------------+---------------------------------------------------------+
| innodb_version          | 5.6.27                                                  |
| protocol_version        | 10                                                      |
| slave_type_conversions  |                                                         |
| version                 | 5.6.27-enterprise-commercial-advanced                   |
| version_comment         | MySQL Enterprise Server - Advanced Edition (Commercial) |
| version_compile_machine | x86_64                                                  |
| version_compile_os      | linux-glibc2.5                                          |
+-------------------------+---------------------------------------------------------+
7 rows in set (0.00 sec)

mysql> SET GLOBAL mysql_firewall_trace=0;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
+----------------------+-------+
| Variable_name        | Value |
+----------------------+-------+
| mysql_firewall_trace | OFF   |
+----------------------+-------+
1 row in set (0.00 sec)

mysql> SET GLOBAL mysql_firewall_trace=1;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
+----------------------+-------+
| Variable_name        | Value |
+----------------------+-------+
| mysql_firewall_trace | OFF   |
+----------------------+-------+
1 row in set (0.00 sec)

mysql> \q
Bye

// 5.7.8

mysql> show variables like '%version%';
+-------------------------+---------------------------------------------------------+
| Variable_name           | Value                                                   |
+-------------------------+---------------------------------------------------------+
| innodb_version          | 5.7.8                                                   |
| protocol_version        | 10                                                      |
| slave_type_conversions  |                                                         |
| version                 | 5.7.8-rc-enterprise-commercial-advanced                 |
| version_comment         | MySQL Enterprise Server - Advanced Edition (Commercial) |
| version_compile_machine | x86_64                                                  |
| version_compile_os      | Linux                                                   |
+-------------------------+---------------------------------------------------------+
7 rows in set, 1 warning (0.00 sec)

mysql> SET GLOBAL mysql_firewall_trace=0;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
+----------------------+-------+
| Variable_name        | Value |
+----------------------+-------+
| mysql_firewall_trace | OFF   |
+----------------------+-------+
1 row in set (0.00 sec)

mysql> SET GLOBAL mysql_firewall_trace=1;
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_trace';
+----------------------+-------+
| Variable_name        | Value |
+----------------------+-------+
| mysql_firewall_trace | OFF   |
+----------------------+-------+
1 row in set (0.00 sec)
[19 Jul 2015 21:08] Paul DuBois
Fixed in 5.7.9.

No changelog entry because this is not fixed in any series for which there is an Enterprise release.