Bug 1419058
| Summary: | Improve support for ipsets in firewalld | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Stephen Wadeley <swadeley> |
| Component: | firewalld | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED ERRATA | QA Contact: | Tomas Dolezal <todoleza> |
| Severity: | unspecified | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | unspecified | ||
| Version: | 7.2 | CC: | ajohn, mjahoda, todoleza, twoerner |
| Target Milestone: | rc | Keywords: | RFE |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | see below | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-08-01 16:22:56 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1420299 | | |

Doc Text:

*firewalld* now supports additional IP sets

With this update of the *firewalld* service daemon, support for the following *ipset* types has been added:

* hash:ip,port
* hash:ip,port,ip
* hash:ip,port,net
* hash:ip,mark
* hash:net,net
* hash:net,port
* hash:net,port,net
* hash:net,iface

The following *ipset* types, which combine sources and destinations at the same time, are not supported as sources in *firewalld*. IP sets using these types are created by *firewalld*, but their usage is limited to direct rules:

* hash:ip,port,ip
* hash:ip,port,net
* hash:net,net
* hash:net,port,net

The *ipset* packages have been rebased to upstream version 6.29, and the following *ipset* types are now additionally supported:

* hash:mac
* hash:net,port,net
* hash:net,net
* hash:ip,mark
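As an added example (not code from the bug report or from the firewalld project), this POSIX shell script applies the distinction the Doc Text draws: it classifies an ipset type as usable with `--add-source=ipset:NAME`, limited to direct rules, or unknown to firewalld; writes a permanent definition in the `/etc/firewalld/ipsets/NAME.xml` format into a directory you choose; and prints, without running, the firewall-cmd commands that would apply it. The src/dst match flags it picks for direct rules (first set member is the source, the rest are destinations) and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or firewalld. Nothing here talks to
# firewalld; the firewall-cmd lines are printed for review, not executed.
# Type lists follow the Doc Text: zone-source types vs. direct-rules-only types.
SOURCE_TYPES="hash:ip hash:net hash:mac hash:ip,port hash:ip,mark hash:net,port hash:net,iface"
DIRECT_ONLY_TYPES="hash:ip,port,ip hash:ip,port,net hash:net,net hash:net,port,net"

# Prints "source", "direct" or "unsupported" for ipset type $1.
ipset_usage() {
    case " $SOURCE_TYPES " in *" $1 "*) echo source; return 0;; esac
    case " $DIRECT_ONLY_TYPES " in *" $1 "*) echo direct; return 0;; esac
    echo unsupported
}

# Writes $1/$2.xml for set $2 of type $3 and family $4 with entries $5.. in
# the firewalld.ipset XML layout (option elements, then one entry per element).
write_ipset_xml() {
    dir=$1; name=$2; type=$3; family=$4; shift 4
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<ipset type="%s">\n' "$type"
        printf '  <option name="family" value="%s"/>\n' "$family"
        for e in "$@"; do printf '  <entry>%s</entry>\n' "$e"; done
        printf '</ipset>\n'
    } > "$dir/$name.xml"
}

# Prints the firewall-cmd commands for set $1 of type $2 with entries $3..
emit_commands() {
    name=$1; type=$2; shift 2
    usage=$(ipset_usage "$type")
    if [ "$usage" = unsupported ]; then echo "# $type: not a firewalld ipset type"; return 1; fi
    echo "firewall-cmd --permanent --new-ipset=$name --type=$type"
    for e in "$@"; do echo "firewall-cmd --permanent --ipset=$name --add-entry=$e"; done
    if [ "$usage" = source ]; then
        echo "firewall-cmd --permanent --zone=drop --add-source=ipset:$name"
    else
        # assumption: one match flag per set member, src for the first, dst for the rest
        flags=src; rest=${type#*:}
        while [ "${rest#*,}" != "$rest" ]; do flags="$flags,dst"; rest=${rest#*,}; done
        echo "firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m set --match-set $name $flags -j DROP"
    fi
}

dir=$(mktemp -d)   # stand-in for /etc/firewalld/ipsets; addresses below are constructed samples
write_ipset_xml "$dir" blockport hash:ip,port inet 192.0.2.10,tcp:22
cat "$dir/blockport.xml"
emit_commands blockport hash:ip,port 192.0.2.10,tcp:22
emit_commands pairs hash:net,net 192.0.2.0/24,198.51.100.0/24
```

A type firewalld accepts still needs kernel support: the "set type not supported" error quoted in the comments comes from the `ipset restore` step, which this classification cannot predict, so check the daemon log after a reload.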
Description of problem:
Firewalld currently supports: hash:ip, hash:net, hash:mac
Trying another ipset type ('hash:ip,port') gives:

```
WARNING: INVALID_IPSET: ipset type 'hash:ip,port' not usable, ignoring.
```

Will this type and other ipset types be supported as well? Can support for more types be added in some way? Either internally or by firewalld code calling existing ipset code?

Version-Release number of selected component (if applicable):
Version : 0.4.3.2
Release : 8.el7

Thank you

Thomas, please describe what kind of sets are to be added in this bug report. Also please mention any other related changes because this bugzilla is potentially bigger than a set or two.

These are the set types that have been added upstream:
* hash:ip,port
* hash:ip,port,ip
* hash:ip,port,net
* hash:ip,mark
* hash:net,net
* hash:net,port
* hash:net,port,net
* hash:net,iface

https://github.com/t-woerner/firewalld/commit/5eb1f78bee1346a83128bf2c3b18d38972a8632f
to
https://github.com/t-woerner/firewalld/commit/87051bb54aaf08e26b1c9aa13558598ca482ac94

FAILED firewalld-0.4.4.3-2.el7.noarch
following sets are not supported properly:
* hash:ip,mark
* hash:net,net
* hash:net,port,net

they can be created
they are not listed as supported
they are not loadable from config

errors from log (first two errors are part of test - expected):

```
firewalld[11250]: ERROR: INVALID_TYPE: 'hash:ip,ip,iface' is not valid ipset type
firewalld[11250]: ERROR: INVALID_TYPE: 'bitmap:ip,mac' is not valid ipset type
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.
```

(In reply to Tomas Dolezal from comment #8)
> FAILED firewalld-0.4.4.3-2.el7.noarch
> following sets are not supported properly:
> hash:ip,mark
> hash:net,net
> hash:net,port,net

These are not supported by ipset v6.19. ipset-6.29 adds these ipset types:
* hash:mac
* hash:net,port,net
* hash:net,net
* hash:ip,mark

Please use the ipset rebase package to test these additional types.

Here is an additional patch to show the ipset type of an unsupported ipset type in a special label:

firewall-config: Show invalid ipset type in the ipset dialog in the bad label
https://github.com/t-woerner/firewalld/commit/63a83db430bc41afa61775598d99bb0e297a30b3

ipset types supported by the ipset user-space utility but not by the 7.4 kernel:
* hash:ip,mark
* hash:mac
* hash:net,net
* hash:net,port,net

these sets are configurable by firewalld, but it fails to create them due to

```
2017-04-28 08:58:57 ERROR: Failed to create ipset 'ipmark'
2017-04-28 08:58:57 ERROR: '/usr/sbin/ipset restore' failed: ipset v6.29: Error in line 1: Kernel error received: set type not supported
```

firewalld then reports an error if such a set is added as a source:

```
Error: NOT_APPLIED: ipmark
```

the set does not get into configuration

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1934