Bug 1734765
| Summary: | order of INPUT_ZONES_SOURCE rules is not deterministic | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Tomas Dolezal <todoleza> |
| Component: | firewalld | Assignee: | Eric Garver <egarver> |
| Status: | CLOSED ERRATA | QA Contact: | Tomas Dolezal <todoleza> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 8.1 | CC: | todoleza |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | 8.0 | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | firewalld-0.7.0-5.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1421222 | | |
| : | 1737491 | Environment: | |
| Last Closed: | 2019-11-05 22:31:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1421222 | | |
| Bug Blocks: | 1737491 | | |

upstream:
25032eb3a607 ("test: verify source-based zone dispatch ordered by zone name")
afc35c20e58b ("fix: guarantee zone source dispatch is sorted by zone name")

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3635

old correctly ordered rules:
firewalld-0.6.3-7.el8.noarch

```
[root@ci-vm-10-0-136-243 tmp.W8lRFVjQny]# nft list chain inet firewalld filter_INPUT_ZONES_SOURCE
table inet firewalld {
	chain filter_INPUT_ZONES_SOURCE {
		ip saddr 192.0.2.10 goto filter_IN_10_it
		ip6 saddr 2001:db8:aaaa::/70 goto filter_IN_10_it
		ip saddr 192.168.2.0/24 goto filter_IN_20_wrk
		ip6 saddr 2001:db8:aaaa::/60 goto filter_IN_20_wrk
		ip saddr 192.168.0.0/22 goto filter_IN_30_vpn
		ip6 saddr 2001:db8:aaaa:16::/64 goto filter_IN_30_vpn
	}
}
```

new incorrectly ordered rules for zone sources:
firewalld-0.7.0-3.el8.noarch

```
[root@sheep-71 tmp.RTtUA3nEzE]# nft list chain inet firewalld filter_INPUT_ZONES
table inet firewalld {
	chain filter_INPUT_ZONES {
		ip6 saddr 2001:db8:aaaa:16::/64 goto filter_IN_30_vpn
		ip saddr 192.168.0.0/22 goto filter_IN_30_vpn
		ip6 saddr 2001:db8:aaaa::/60 goto filter_IN_20_wrk
		ip saddr 192.168.2.0/24 goto filter_IN_20_wrk
		ip6 saddr 2001:db8:aaaa::/70 goto filter_IN_10_it
		ip saddr 192.0.2.10 goto filter_IN_10_it
		goto filter_INPUT_ZONES_IFACES
	}
}
[root@sheep-71 tmp.RTtUA3nEzE]# rpm -q firewalld
firewalld-0.7.0-3.el8.noarch
```
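
Why the order matters, as an added example (not part of the bug report and not firewalld's own code): every dispatch rule ends in `goto`, so the first matching source decides the zone, and a broader prefix placed ahead of a narrower one from a different zone takes over its traffic. The script parses the rule bodies from the two listings above, checks that dispatch is sorted by zone name, and lists the sources that an earlier rule shadows; the helper names are hypothetical and plain string ordering of zone names is an assumption.

```python
import ipaddress
import re

# Rule bodies copied from the report's two listings; helper names are illustrative.
OLD_CHAIN = """\
ip saddr 192.0.2.10 goto filter_IN_10_it
ip6 saddr 2001:db8:aaaa::/70 goto filter_IN_10_it
ip saddr 192.168.2.0/24 goto filter_IN_20_wrk
ip6 saddr 2001:db8:aaaa::/60 goto filter_IN_20_wrk
ip saddr 192.168.0.0/22 goto filter_IN_30_vpn
ip6 saddr 2001:db8:aaaa:16::/64 goto filter_IN_30_vpn"""
NEW_CHAIN = """\
ip6 saddr 2001:db8:aaaa:16::/64 goto filter_IN_30_vpn
ip saddr 192.168.0.0/22 goto filter_IN_30_vpn
ip6 saddr 2001:db8:aaaa::/60 goto filter_IN_20_wrk
ip saddr 192.168.2.0/24 goto filter_IN_20_wrk
ip6 saddr 2001:db8:aaaa::/70 goto filter_IN_10_it
ip saddr 192.0.2.10 goto filter_IN_10_it
goto filter_INPUT_ZONES_IFACES"""

RULE_RE = re.compile(r"^\s*ip6?\s+saddr\s+(\S+)\s+goto\s+filter_IN_(\S+)\s*$")

def parse_dispatch(chain_text):
    """Return [(network, zone), ...] in rule order; other lines are skipped."""
    rules = []
    for line in chain_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((ipaddress.ip_network(m.group(1)), m.group(2)))
    return rules

def sorted_by_zone(rules):
    """True when the goto targets appear in zone-name order (plain string sort)."""
    zones = [zone for _, zone in rules]
    return zones == sorted(zones)

def shadowed(rules):
    """Sources fully covered by an earlier rule that dispatches to another zone."""
    hits = []
    for i, (net, zone) in enumerate(rules):
        for prev_net, prev_zone in rules[:i]:
            if (prev_zone != zone and prev_net.version == net.version
                    and net.subnet_of(prev_net)):
                hits.append((str(net), zone, str(prev_net), prev_zone))
                break
    return hits

if __name__ == "__main__":
    for text in (OLD_CHAIN, NEW_CHAIN):
        print(sorted_by_zone(parse_dispatch(text)), shadowed(parse_dispatch(text)))
```

Against a live system the same functions can be fed the text of `nft list chain inet firewalld <chain>`, since lines that are not source dispatch rules are ignored.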