Bug 1936896

Summary: Adding an ipset of type "hash:net,net" breaks firewalld (firewall-cmd)
Product: Red Hat Enterprise Linux 8 Reporter: Štěpán Němec <snemec>
Component: firewalldAssignee: Eric Garver <egarver>
Status: CLOSED ERRATA QA Contact: Štěpán Němec <snemec>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: ---CC: jmaxwell, snemec, todoleza
Target Milestone: rcKeywords: Triaged, Upstream
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: firewalld-0.9.3-5.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 18:55:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1935910    
Attachments:
Description Flags
firewall-cmd --reload output after adding hash:net,net ipset none

Description Štěpán Němec 2021-03-09 12:39:10 UTC 
Created attachment 1761992 [details]
firewall-cmd --reload output after adding hash:net,net ipset

Description of problem:
Adding an ipset of type "hash:net,net" (using `firewall-cmd --permanent --new-ipset`) reports success, but subsequent `firewall-cmd --reload` fails and firewall-cmd continues to exhibit strange behavior.

Version-Release number of selected component (if applicable):
firewalld-0.8.2-6.el8

How reproducible:
always

Steps to Reproduce:
# systemctl start firewalld
# firewall-cmd --permanent --new-ipset testset --type hash:net,net
success
# firewall-cmd --reload

Actual results:
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory

[
NB: Afterwards, `firewall-cmd --state` reports "not running" despite some commands working as expected (e.g. firewall-cmd --version) and systemctl reporting the firewalld service status as "active (running)". Only after restarting the service using systemctl does `firewall-cmd --state` report "failed" and the following line appears in the journal:

ERROR: COMMAND_FAILED: INVALID_TYPE: ipset type name 'hash:net,net' is not valid
]

Expected results:
success

Additional info:
Full command output attached.

tested with 1MT-RHEL-8.4.0-20210304.2

# dnf list installed | grep nftables
nftables.x86_64                               1:0.9.3-17.el8                           @anaconda
python3-nftables.x86_64                       1:0.9.3-17.el8                           @anaconda

# dnf list installed | grep firewall
firewalld.noarch                              0.8.2-6.el8                              @anaconda
firewalld-filesystem.noarch                   0.8.2-6.el8                              @anaconda
python3-firewall.noarch                       0.8.2-6.el8                              @anaconda
Comment 6 Eric Garver 2021-04-16 16:18:38 UTC 
Upstream commits:

f3bd1297f656 ("test(ipset): add test to verify hash:net,net")
36f3d50d729d ("fix(ipset): fix hash:net,net functionality")
Comment 20 errata-xmlrpc 2021-11-09 18:55:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4355