Bug 1809225
| Summary: | FlushAllOnReload=no does not prevent ipset flushing on reload | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Tomas Dolezal <todoleza> |
| Component: | firewalld | Assignee: | Eric Garver <egarver> |
| Status: | CLOSED ERRATA | QA Contact: | Jiri Peska <jpeska> |
| Severity: | medium | Docs Contact: | Sagar Dubewar <sdubewar> |
| Priority: | medium | | |
| Version: | 8.4 | CC: | egarver, jmaxwell, jpeska, lmanasko, todoleza |
| Target Milestone: | rc | | |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | firewalld-0.8.2-1.el8 | Doc Type: | Bug Fix |
| Doc Text: | `firewalld` now restores `ipset` entries after reloading. Previously, `firewalld` did not retain runtime `ipset` entries after reloading. Consequently, users had to manually add the missing entries again. With this update, `firewalld` has been modified to restore `ipset` entries after reloading. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-11-04 01:39:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1807630 | | |
| Deadline: | 2020-09-28 | | |

Description
Tomas Dolezal
2020-03-02 15:52:05 UTC
Tomas, I don't think we can guarantee we won't flush ipset entries added out-of-band of firewalld. We don't do that for iptables direct rules. What we can do is make sure rules added at runtime (firewall-cmd --ipset foobar --add-entry 1.2.3.4) are still present after a reload.

Agreed, the option should behave the same to ipsets as it does to direct rules. If out-of-band added items get dropped on reload, ipset should have them removed as well. This applies to the non-standard 'no' value of this flush option to keep user-added items via firewalld interface.

Upstream:
81d784f8c856 ("test: ipset: verify clean up on exit/reload")
f5ed30ce7175 ("fix: ipset: destroy runtime sets on reload/stop")

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4461