Bug 2222044

Summary: systemd restart firewalld.service compounds rules when CleanUpOnExit=no
Product: Red Hat Enterprise Linux 8
Component: firewalld
Version: 8.8
Hardware: All
OS: Linux
Status: NEW
Severity: medium
Priority: unspecified
Target Milestone: rc
Keywords: TestCaseProvided, Triaged, Upstream
Reporter: Curtis Taylor <cutaylor>
Assignee: Eric Garver <egarver>
QA Contact: qe-baseos-daemons
CC: hartsjc, todoleza
Doc Type: No Doc Update
Type: Bug

Description Curtis Taylor 2023-07-11 16:27:23 UTC
Description of problem:
Restarting firewalld.service results in more rules every restart, eventually slowing the system.

Version-Release number of selected component (if applicable):
First began in firewalld 0.8.0-4 and confirmed through 

How reproducible:
Easily on an RHEL system with firewalld 0.8.0-4 or newer.

Steps to Reproduce:
1. Install firewalld 0.8.0-4 or newer.
2. Set CleanUpOnExit=no in /etc/firewalld/firewalld.conf
3. systemctl restart firewalld  ### to make new setting effective
4. nft list ruleset | wc -l
5. systemctl restart firewalld
6. nft list ruleset | wc -l

Actual results:
After every restart the ruleset grows.

Expected results:
After a restart of firewalld.service the ruleset does not grow.

Additional info:
With firewall-cmd --reload, or systemctl reload firewalld, which send SIGHUP instead of stopping/starting firewalld, the ruleset does not grow even with FlushAllOnReload=no:

FlushAllOnReload=no:

# nft list ruleset | wc -l
528
# firewall-cmd --reload
success
# nft list ruleset | wc -l
528

Customer uses CleanUpOnExit=no to avoid all windows where firewall rules might not exist.
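The growth measured with `nft list ruleset | wc -l` above comes from the same rules being appended again into the still-present firewalld chains on each start. The following added check (not part of the bug report or of firewalld) parses `nft list ruleset` text and reports rules that occur more than once in the same chain; the sample ruleset, table and chain names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in `nft list ruleset` format, mimicking the firewalld table after
# two service starts with CleanUpOnExit=no: every filter_INPUT rule was appended twice.
SAMPLE_RULESET = """\
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        iifname "lo" accept
        ct state { established, related } accept
        iifname "lo" accept
    }
    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
    }
}
"""
TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{$")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{$")

def chain_rule_counts(ruleset_text):
    """Map (table, chain) -> Counter(rule line -> occurrences) from `nft list ruleset` text."""
    stack, table, counts = [], None, {}   # stack of open blocks: table / chain / other
    for raw in ruleset_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):            # a table, chain, set or map block opens
            t, c = TABLE_RE.match(line), CHAIN_RE.match(line)
            if t:
                table = f"{t.group(1)} {t.group(2)}"
                stack.append(("table", None))
            elif c:
                stack.append(("chain", (table, c.group(1))))
                counts.setdefault((table, c.group(1)), Counter())
            else:
                stack.append(("other", None))   # set/map contents are not rules
        elif line == "}" and stack:
            stack.pop()
        elif line and stack and stack[-1][0] == "chain" and not line.startswith("type "):
            counts[stack[-1][1]][line] += 1     # base-chain hook header is not a rule
    return counts

def duplicated_rules(ruleset_text):
    """Rules occurring more than once in the same chain: the compounding symptom."""
    return {key: {r: n for r, n in c.items() if n > 1}
            for key, c in chain_rule_counts(ruleset_text).items() if max(c.values(), default=0) > 1}
```

To check a live system, feed the output of `nft list ruleset` (for example via `sys.stdin.read()`) to `duplicated_rules()` before and after `systemctl restart firewalld`; an empty result after the restart means no rules were compounded.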

Comment 1 Curtis Taylor 2023-07-11 16:33:19 UTC
* versions where seen was incomplete in description *

Version-Release number of selected component (if applicable):
First began in firewalld 0.8.0-4 and confirmed through (current) _ firewalld-1.2.1-1.el9 _

Comment 2 Eric Garver 2023-08-10 15:20:50 UTC
Upstream PR: https://github.com/firewalld/firewalld/pull/1192

Comment 3 Eric Garver 2023-08-14 15:39:26 UTC
Upstream commits:

c66e752a00c0 ("test(CleanUpOnExit): verify restart does not duplicate rules")
6a155ea7195f ("fix(nftables): always flush main table on start")
8be561d26931 ("chore(nftables): add delete table helper")