Bug 1397262

Summary: Provide a service file and a script to load ip sets via ipset at boot
Product: Red Hat Enterprise Linux 7
Reporter: Thomas Spear <Speeddymon>
Component: ipset
Assignee: Thomas Woerner <twoerner>
Status: CLOSED DUPLICATE
QA Contact: qe-baseos-daemons
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: blharris, calestyo, cstpierr, janfrode, jbainbri, kdube, mfuruta, mharris, psklenar, quentin, rob.townley, rskvaril, tlavigne, twoerner, ville.torhonen, wnefal+redhatbugzilla
Target Milestone: rc
Target Release: ---
Hardware: All
OS: All
Clone Of: 888571
Last Closed: 2016-11-22 10:06:02 UTC
Type: Bug

Description Thomas Spear 2016-11-22 05:10:08 UTC
+++ This bug was initially created as a clone of Bug #888571 +++

Hi,

The original bug listed above was for RHEL6. I have recently discovered that there is no systemd service file nor a loading script for ipset for RHEL7.

It would be very handy to have a proper framework for saving IP sets and loading them via ipset at boot, as my iptables rules depend on the sets, and currently the firewall fails to start since no sets exist at boot.

Personally I have a simple setup. I download IP lists from an RBL site and load them via cron once per day.

I have 2 sets. One for IPv4 and one for IPv6. I match the ip4-block set in iptables and the ip6-block set in ip6tables.

Because these sets don't exist at boot, both services fail to start.

[root@jump ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Mon Nov 21 23:06:55 2016
*raw
:PREROUTING ACCEPT [395:51283]
:OUTPUT ACCEPT [212:32052]
-A PREROUTING -i eth0 -m set --match-set ip4-block src -j DROP
COMMIT
# Completed on Mon Nov 21 23:06:55 2016
# Generated by iptables-save v1.4.21 on Mon Nov 21 23:06:55 2016
*filter
-------snip-------

[root@jump ~]# cat /etc/sysconfig/ip6tables
COMMIT
# Completed on Mon Nov 21 23:06:59 2016
# Generated by ip6tables-save v1.4.21 on Mon Nov 21 23:06:59 2016
*raw
:PREROUTING ACCEPT [99:35695]
:OUTPUT ACCEPT [105:42767]
-A PREROUTING -i eth0 -m set --match-set ip6-block src -j DROP
COMMIT
# Completed on Mon Nov 21 23:06:59 2016
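The report describes the failure mode exactly: iptables.service and ip6tables.service parse rules that reference ip4-block and ip6-block, but nothing creates those sets before the firewall starts. The script below is an added example of the stopgap the reporter asks for, not code from the report, from Red Hat, or from the ipset package. It goes a little beyond the request: it treats the downloaded RBL list as untrusted input and only passes lines that look like addresses of the right family to ipset, and it rebuilds each set through a temporary set and `swap` so the cron refresh never leaves the firewall matching against a half-filled or empty set. The set names and the iptables/ip6tables unit names come from the report; the save-file path /etc/sysconfig/ipset-block, the unit name ipset-block.service, the hash:net set type and the use of basic.target are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): build an `ipset restore` script
# from downloaded block lists and load it before iptables/ip6tables start.
# Assumed: set type hash:net, save file /etc/sysconfig/ipset-block,
# unit name ipset-block.service.

# Reduce a raw block list (one address or CIDR per line, '#' comments
# allowed, possibly CRLF) to lines that look like addresses of FAMILY.
# The list comes from the network, so anything else is dropped instead of
# being fed to `ipset restore`.  The IPv6 check is deliberately loose
# (hex digits and colons); ipset itself rejects malformed entries.
filter_addrs() {
    family="$1"   # inet or inet6
    if [ "$family" = inet ]; then
        pat='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
    else
        pat='^[0-9a-fA-F:]+(/[0-9]{1,3})?$'
    fi
    tr -d '\r' | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -E "$pat" || true
}

# Emit an ipset restore script that (re)builds SET_NAME from the list on
# stdin.  Entries go into a temporary set which is then swapped into place,
# so a rule matching SET_NAME never sees a partially loaded set.  -exist
# makes the same script valid at boot (set absent) and from cron (present).
restore_script() {
    set_name="$1"; family="$2"; tmp="${set_name}-tmp"
    echo "create $set_name hash:net family $family -exist"
    echo "create $tmp hash:net family $family -exist"
    echo "flush $tmp"
    filter_addrs "$family" | while IFS= read -r addr; do
        echo "add $tmp $addr -exist"
    done
    echo "swap $tmp $set_name"
    echo "destroy $tmp"
}

# systemd unit (assumed name: ipset-block.service) that restores the saved
# sets before either firewall service parses its rules.  Before= is pure
# ordering, so the unit is harmless if one of the firewall services is off.
unit_file() {
    cat <<'EOF'
[Unit]
Description=Load ipset block lists before iptables/ip6tables
Before=iptables.service ip6tables.service
ConditionPathExists=/etc/sysconfig/ipset-block

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/ipset restore -f /etc/sysconfig/ipset-block

[Install]
WantedBy=basic.target
EOF
}

# Cron entry point: regenerate the save file from both lists and load it.
# Usage: ipset-block.sh /path/to/ipv4.txt /path/to/ipv6.txt [savefile]
main() {
    v4="$1"; v6="$2"; out="${3:-/etc/sysconfig/ipset-block}"
    {
        restore_script ip4-block inet  < "$v4"
        restore_script ip6-block inet6 < "$v6"
    } > "$out.tmp"
    mv "$out.tmp" "$out"          # atomic replace of the boot-time file
    ipset restore -f "$out"       # apply now as well, not only at next boot
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

Install the unit output by `unit_file` as /etc/systemd/system/ipset-block.service and enable it; the cron job then only needs to call the script with the two downloaded lists. Because the save file is written via rename, a reboot in the middle of a refresh still finds a complete file.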

Comment 1 Thomas Woerner 2016-11-22 10:06:02 UTC
Please have a look at #1136257

This is part of 7.3.

*** This bug has been marked as a duplicate of bug 1136257 ***