*firewalld* now prevents partially applied rules
Previously, if a direct rule failed to be inserted for any reason, then all following direct rules with a higher priority also failed to insert. As a consequence, direct rules were not applied completely. The processing has been changed to either apply all direct rules successfully or revert them all. As a result, if a rule failure occurs at startup, *firewalld* enters the `failed` status and allows the user to remedy the situation. This prevents unexpected results by having partially applied rules.
If a direct rule fails to insert for any reason (e.g. improper args), then all following direct rules with a higher priority will also fail to insert.
firewalld is translating a priority to an iptables insert index, but this logic breaks down if the previous insertion fails. firewalld should be able to detect the failure and adjust insert indexes appropriately.
This is especially problematic for permanent rules because the errors are hidden away in the log.
[root@dev-rhel7 ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m set --match-set foobar -p tcp --dport 443 -j DROP
[root@dev-rhel7 ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 10 -m set --match-set foobar dst -p tcp --dport 8080 -j DROP
success
[root@dev-rhel7 ~]# firewall-cmd --reload
success
[root@dev-rhel7 ~]# systemctl status -l -n 50 firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Thu 2017-10-05 10:22:47 EDT; 9min ago
Docs: man:firewalld(1)
Main PID: 5732 (firewalld)
CGroup: /system.slice/firewalld.service
└─5732 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
[...]
Oct 05 10:31:53 dev-rhel7 firewalld[5732]: WARNING: '/usr/sbin/iptables -w2 -t filter -I OUTPUT_direct 1 -m set --match-set foobar -p tcp --dport 443 -j DROP' failed: iptables v1.4.21: --match-set requires two args.
Try `iptables -h' or 'iptables --help' for more information.
Oct 05 10:31:53 dev-rhel7 firewalld[5732]: WARNING: '/usr/sbin/iptables -w2 -t filter -I OUTPUT_direct 2 -m set --match-set foobar dst -p tcp --dport 8080 -j DROP' failed: iptables: Index of insertion too big.
Here "Index of insertion too big" means we requested inserting to index 2, but there is no index 1.
Additionally fixes as per comment 9 through comment 13:
f475bd2293b7 ("fw: if failure occurs during startup set state to FAILED")
d3acaac62106 ("fw: on restart set policy from same function")
8b3591c3f238 ("tests/functions: check state after a reload")
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3120
If a direct rule fails to insert for any reason (e.g. improper args), then all following direct rules with a higher priority will also fail to insert. firewalld is translating a priority to an iptables insert index, but this logic breaks down if the previous insertion fails. firewalld should be able to detect the failure and adjust insert indexes appropriately. This is especially problematic for permanent rules because the errors are hidden away in the log. [root@dev-rhel7 ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m set --match-set foobar -p tcp --dport 443 -j DROP [root@dev-rhel7 ~]# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 10 -m set --match-set foobar dst -p tcp --dport 8080 -j DROP success [root@dev-rhel7 ~]# firewall-cmd --reload success [root@dev-rhel7 ~]# systemctl status -l -n 50 firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: active (running) since Thu 2017-10-05 10:22:47 EDT; 9min ago Docs: man:firewalld(1) Main PID: 5732 (firewalld) CGroup: /system.slice/firewalld.service └─5732 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid [...] Oct 05 10:31:53 dev-rhel7 firewalld[5732]: WARNING: '/usr/sbin/iptables -w2 -t filter -I OUTPUT_direct 1 -m set --match-set foobar -p tcp --dport 443 -j DROP' failed: iptables v1.4.21: --match-set requires two args. Try `iptables -h' or 'iptables --help' for more information. Oct 05 10:31:53 dev-rhel7 firewalld[5732]: WARNING: '/usr/sbin/iptables -w2 -t filter -I OUTPUT_direct 2 -m set --match-set foobar dst -p tcp --dport 8080 -j DROP' failed: iptables: Index of insertion too big. Here "Index of insertion too big" means we requested inserting to index 2, but there is no index 1.