Bug 2228505
| Summary: | services "included" are not in effect when part of 'rich-rules' | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | lejeczek <peljasz> |
| Component: | firewalld | Assignee: | Eric Garver <egarver> |
| Status: | NEW --- | QA Contact: | qe-baseos-daemons |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | CentOS Stream | CC: | bstinson, jwboyer, todoleza |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description of problem:

```
-> $ firewall-cmd --info-service=kube-control-plane-secure
kube-control-plane-secure
  ports:
  protocols:
  source-ports:
  modules:
  destination:
  includes: etcd-client etcd-server kube-apiserver kube-controller-manager-secure kube-scheduler-secure
  helpers:

-> $ firewall-cmd --info-service=kube-apiserver
kube-apiserver
  ports: 6443/tcp
  protocols:
  ...

-> $ _FIRE=kube-control-plane-secure; firewall-cmd --zone=internal --add-rich-rule=\"rule family="ipv4" source address=${_IP} service name=${_FIRE} accept\"
-> $ nmap 10.3.1.61 -p 6443   # result -> filtered

-> $ _FIRE=kube-apiserver; firewall-cmd --zone=internal --add-rich-rule=\"rule family="ipv4" source address=${_IP} service name=${_FIRE} accept\"
-> $ nmap 10.3.1.61 -p 6443   # result -> open
```

Does that make sense?

Also, if such service - e.g. kube-control-plane-secure - is allowed "normally", in 'service', then what happens is what I'd expect - included services get allowed too.

Version-Release number of selected component (if applicable):
firewalld-filesystem-1.2.1-1.el9.noarch
firewalld-1.2.1-1.el9.noarch

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
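Until a rich rule honours a service's `includes:` list, the report implies the only reliable way to open the control-plane ports from a rich rule is to allow each included service directly. The script below is an added example, not part of the report or of firewalld: it expands a service's `includes:` line (recursively, stopping on a cyclic include) into the leaf services and prints one rich rule per leaf in the form used above. It assumes the `key: values` layout of `firewall-cmd --info-service` shown in the report; the canned service data is constructed and reuses only include names from the report, with ports omitted.

```shell
# Added example, not from the bug report or firewalld: expand a service's
# "includes:" list to its leaf services so each can be allowed in its own
# rich rule. Assumes the "key: values" layout of `firewall-cmd --info-service`.
set -eu

# Constructed sample in that layout (ports omitted), used when firewalld is absent.
canned_service_info() {
    case $1 in
        kube-control-plane-secure) printf '%s\n' "$1" \
            "  includes: etcd-client kube-apiserver kube-scheduler-secure" ;;
        kube-apiserver|etcd-client|kube-scheduler-secure)
            printf '%s\n' "$1" "  ports: " "  includes: " ;;
        *) printf 'unknown service: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Live query when firewalld is installed, otherwise the constructed sample.
service_info() {
    if command -v firewall-cmd >/dev/null 2>&1; then firewall-cmd --info-service="$1"
    else canned_service_info "$1"; fi
}

# Names on the "includes:" line of one service, one per line.
list_includes() {
    service_info "$1" | awk '$1 == "includes:" { for (i = 2; i <= NF; i++) print $i }'
}

# Leaf services (those with no includes) reachable from $1, depth first.
# $2 is the chain of ancestors, used to stop on a cyclic include.
expand_service() {
    local svc=$1 chain=${2:-} found=0 inc
    case " $chain " in *" $svc "*) return 0 ;; esac
    for inc in $(list_includes "$svc"); do
        found=1
        expand_service "$inc" "$chain $svc"
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$svc"
    return 0
}

# One rich rule per leaf, in the form the report uses: zone, source address, service.
rich_rules_for() {
    local zone=$1 src=$2 leaf
    expand_service "$3" | sort -u | while read -r leaf; do
        printf "firewall-cmd --zone=%s --add-rich-rule='rule family=\"ipv4\" source address=%s service name=%s accept'\n" "$zone" "$src" "$leaf"
    done
}
```

Run `rich_rules_for internal 10.3.1.0/24 kube-control-plane-secure` to print the commands and review them before applying; once the include bug is fixed, the single rich rule on the parent service is the cleaner configuration.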