Red Hat Bugzilla – Bug 1365198
firewall-cmd ipset --add-entries-from-file broken
Last modified: 2016-11-03 17:03:57 EDT
+++ This bug was initially created as a clone of Bug #1363741 +++

firewall-cmd added support in firewalld-0.4.1 for the ability to populate an ipset from a file. In firewalld-0.4.3.2 that command is broken:

# firewall-cmd --version
0.4.3.2

# firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=ip-blacklist.conf
Failed to read file 'i': [Errno 2] No such file or directory: 'i'
Failed to read file 'p': [Errno 2] No such file or directory: 'p'
Failed to read file '-': [Errno 2] No such file or directory: '-'
Failed to read file 'b': [Errno 2] No such file or directory: 'b'
Failed to read file 'l': [Errno 2] No such file or directory: 'l'
Failed to read file 'a': [Errno 2] No such file or directory: 'a'
Failed to read file 'c': [Errno 2] No such file or directory: 'c'
Failed to read file 'k': [Errno 2] No such file or directory: 'k'
Failed to read file 'l': [Errno 2] No such file or directory: 'l'
Failed to read file 'i': [Errno 2] No such file or directory: 'i'
Failed to read file 's': [Errno 2] No such file or directory: 's'
Failed to read file 't': [Errno 2] No such file or directory: 't'
Failed to read file '.': [Errno 21] Is a directory: '.'
Failed to read file 'c': [Errno 2] No such file or directory: 'c'
Failed to read file 'o': [Errno 2] No such file or directory: 'o'
Failed to read file 'n': [Errno 2] No such file or directory: 'n'
Failed to read file 'f': [Errno 2] No such file or directory: 'f'
success

# firewall-cmd --permanent --new-ipset-from-file=/etc/firewalld/blacklists/ip-blacklist.conf --name=blacklist2
Failed to load ipset file '/etc/firewalld/blacklists/ip-blacklist.conf': INVALID_NAME: 'ip-blacklist.conf' is missing .xml suffix

# cp ip-blacklist.conf ip-blacklist.xml

# firewall-cmd --permanent --new-ipset-from-file=/etc/firewalld/blacklists/ip-blacklist.conf --name=blacklist2
Failed to load ipset file '/etc/firewalld/blacklists/ip-blacklist.conf': INVALID_NAME: 'ip-blacklist.conf' is missing .xml suffix

# cp ip-blacklist.conf ip-blacklist.xml

# firewall-cmd --permanent --new-ipset-from-file=/etc/firewalld/blacklists/ip-blacklist.xml --name=blacklist2
Traceback (most recent call last):
  File "/usr/bin/firewall-cmd", line 954, in <module>
    obj = ipset_reader(filename, dirname)
  File "/usr/lib/python2.7/site-packages/firewall/core/io/ipset.py", line 226, in ipset_reader
    parser.parse(f)
  File "/usr/lib64/python2.7/xml/sax/expatreader.py", line 110, in parse
    xmlreader.IncrementalParser.parse(self, source)
  File "/usr/lib64/python2.7/xml/sax/xmlreader.py", line 123, in parse
    self.feed(buffer)
  File "/usr/lib64/python2.7/xml/sax/expatreader.py", line 217, in feed
    self._err_handler.fatalError(exc)
  File "/usr/lib64/python2.7/xml/sax/handler.py", line 38, in fatalError
    raise exception
xml.sax._exceptions.SAXParseException: /etc/firewalld/blacklists/ip-blacklist.xml:1:0: syntax error

--- Additional comment from Thomas Woerner on 2016-08-08 11:18:01 EDT ---

The first part has been fixed upstream for firewall-cmd:
https://github.com/t-woerner/firewalld/commit/04f5c99e5a8d82f490deeccf643a7a84941d2f7c
and firewall-offline-cmd:
https://github.com/t-woerner/firewalld/commit/495a1a527f03e12195ec6334a21eb7ba3924a6e8

But the second part is not correct. The option --new-ipset-from-file= requires a valid ipset xml file (see firewalld.ipset(5)) with the ipset settings like type.
Here is the fix to show a nice error message instead of a traceback when the content is not XML:
https://github.com/t-woerner/firewalld/commit/9afdbaeb1d0ec11cff7d362618657d63df5b6dff
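The two symptoms in this report, reconstructed side by side with hardened handling, as an added example that is not firewalld's code and not taken from the commits linked above. The character-by-character "Failed to read file" output is what Python produces when a loop iterates over a single path string instead of a list of paths, and the SAX traceback is what happens when a plain-text file is handed to an XML reader with no error handling in between. Assumptions not from the page: the option value arrives as either one path string or a list of strings, an entries file is plain text with one entry per line ('#' comments and blank lines ignored), the ipset XML is accepted when its root is an <ipset type="..."> element with <entry> children, and the error wording other than INVALID_NAME is constructed here.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def read_entries(path):
    """Return the entries in a plain-text entries file, one per line."""
    entries = []
    with open(path) as f:
        for line in f:
            line = line.strip()
            if line and not line.startswith("#"):
                entries.append(line)
    return entries


def _add_entries(filenames):
    """Shared loop: collect entries and one failure message per unreadable file."""
    entries, failures = [], []
    for filename in filenames:
        try:
            entries.extend(read_entries(filename))
        except OSError as e:  # missing file, directory, permission denied
            failures.append("Failed to read file '%s': %s" % (filename, e))
    return entries, failures


def add_entries_from_files_buggy(option_value):
    """Reproduces the reported symptom: looping directly over the option value.
    A str iterates character by character, so 'ip-blacklist.conf' becomes 17
    one-character filenames (and '.' is a directory)."""
    return _add_entries(option_value)


def add_entries_from_files_fixed(option_value):
    """Hardened form: wrap a bare str in a list so the loop sees whole paths."""
    if isinstance(option_value, str):
        option_value = [option_value]
    return _add_entries(option_value)


class IpsetLoadError(Exception):
    """Readable failure instead of a parser traceback reaching the user."""


def load_ipset_xml(path):
    """Load an ipset definition (assumed layout: <ipset type="..."> root with
    <entry> children). A wrong suffix or non-XML content raises IpsetLoadError."""
    name = os.path.basename(path)
    if not name.endswith(".xml"):
        raise IpsetLoadError("INVALID_NAME: '%s' is missing .xml suffix" % name)
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError as e:  # constructed wording, not firewalld's message
        raise IpsetLoadError("'%s' is not valid ipset XML: %s" % (name, e))
    if root.tag != "ipset" or "type" not in root.attrib:
        raise IpsetLoadError("'%s' has no <ipset type=...> root element" % name)
    return {"type": root.attrib["type"],
            "entries": [e.text.strip() for e in root.findall("entry") if e.text]}


def _load_error(path):
    """Return the IpsetLoadError message for path, or None on success."""
    try:
        load_ipset_xml(path)
    except IpsetLoadError as e:
        return str(e)
    return None


def demo():
    """Run both scenarios on constructed sample files in a throwaway directory."""
    workdir = tempfile.mkdtemp()
    old_cwd = os.getcwd()
    os.chdir(workdir)  # so the one-character 'filenames' resolve in a clean dir
    try:
        with open("ip-blacklist.conf", "w") as f:  # constructed, not a real list
            f.write("# constructed sample\n192.0.2.10\n192.0.2.11\n\n198.51.100.0/24\n")
        with open("ip-blacklist.xml", "w") as f:  # plain text renamed to .xml
            f.write("192.0.2.10\n")
        with open("blacklist2.xml", "w") as f:  # assumed firewalld.ipset(5) layout
            f.write('<?xml version="1.0" encoding="utf-8"?>\n<ipset type="hash:net">\n'
                    '  <entry>192.0.2.0/24</entry>\n</ipset>\n')
        buggy_entries, buggy_failures = add_entries_from_files_buggy("ip-blacklist.conf")
        fixed_entries, fixed_failures = add_entries_from_files_fixed("ip-blacklist.conf")
        return {"buggy_entries": buggy_entries, "buggy_failures": buggy_failures,
                "fixed_entries": fixed_entries, "fixed_failures": fixed_failures,
                "conf_error": _load_error("ip-blacklist.conf"),
                "renamed_error": _load_error("ip-blacklist.xml"),
                "loaded": load_ipset_xml("blacklist2.xml")}
    finally:
        os.chdir(old_cwd)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the module prints the buggy run's 17 per-character failures next to the fixed run's three entries, then the suffix error for the .conf path, the clean parse error for the renamed plain-text file, and the parsed type and entries for the real XML file. The point on the hardened side is a normalisation step before the loop and an exception boundary around the parser; neither changes what a correct input does.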
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2597.html