Bug 1365198 - firewall-cmd ipset --add-entries-from-file broken
Summary: firewall-cmd ipset --add-entries-from-file broken
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Thomas Woerner
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On: 1363741
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-08 15:19 UTC by Thomas Woerner
Modified: 2016-11-03 21:03 UTC (History)
4 users (show)

Fixed In Version: firewalld-0.4.3.2-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1363741
Environment:
Last Closed: 2016-11-03 21:03:57 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2597 normal SHIPPED_LIVE Moderate: firewalld security, bug fix, and enhancement update 2016-11-03 12:11:47 UTC

Description Thomas Woerner 2016-08-08 15:19:46 UTC
+++ This bug was initially created as a clone of Bug #1363741 +++

firewall-cmd added support in firewalld-0.4.1 for the ability to populate an ipset from a file.  In firewalld-0.4.3.2 that command is broken:

    # firewall-cmd --version
    0.4.3.2
     
    # firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=ip-blacklist.conf
    Failed to read file 'i': [Errno 2] No such file or directory: 'i'
    Failed to read file 'p': [Errno 2] No such file or directory: 'p'
    Failed to read file '-': [Errno 2] No such file or directory: '-'
    Failed to read file 'b': [Errno 2] No such file or directory: 'b'
    Failed to read file 'l': [Errno 2] No such file or directory: 'l'
    Failed to read file 'a': [Errno 2] No such file or directory: 'a'
    Failed to read file 'c': [Errno 2] No such file or directory: 'c'
    Failed to read file 'k': [Errno 2] No such file or directory: 'k'
    Failed to read file 'l': [Errno 2] No such file or directory: 'l'
    Failed to read file 'i': [Errno 2] No such file or directory: 'i'
    Failed to read file 's': [Errno 2] No such file or directory: 's'
    Failed to read file 't': [Errno 2] No such file or directory: 't'
    Failed to read file '.': [Errno 21] Is a directory: '.'
    Failed to read file 'c': [Errno 2] No such file or directory: 'c'
    Failed to read file 'o': [Errno 2] No such file or directory: 'o'
    Failed to read file 'n': [Errno 2] No such file or directory: 'n'
    Failed to read file 'f': [Errno 2] No such file or directory: 'f'
    success
     
# firewall-cmd --permanent --new-ipset-from-file=/etc/firewall
d/blacklists/ip-blacklist.conf --name=blacklist2
Failed to load ipset file '/etc/firewalld/blacklists/ip-blacklist.conf': INVALID
_NAME: 'ip-blacklist.conf' is missing .xml suffix
 
 # cp ip-blacklist.conf ip-blacklist.xml

 # firewall-cmd --permanent --new-ipset-from-file=/etc/firewalld/blacklists/ip-blacklist.conf --name=blacklist2
    Failed to load ipset file '/etc/firewalld/blacklists/ip-blacklist.conf': INVALID_NAME: 'ip-blacklist.conf' is missing .xml suffix
     
# cp ip-blacklist.conf ip-blacklist.xml

# firewall-cmd --permanent --new-ipset-from-file=/etc/firewalld/blacklists/ip-blacklist.xml --name=blacklist2
    Traceback (most recent call last):
      File "/usr/bin/firewall-cmd", line 954, in <module>
        obj = ipset_reader(filename, dirname)
      File "/usr/lib/python2.7/site-packages/firewall/core/io/ipset.py", line 226, i
    n ipset_reader
        parser.parse(f)
      File "/usr/lib64/python2.7/xml/sax/expatreader.py", line 110, in parse
        xmlreader.IncrementalParser.parse(self, source)
      File "/usr/lib64/python2.7/xml/sax/xmlreader.py", line 123, in parse
        self.feed(buffer)
      File "/usr/lib64/python2.7/xml/sax/expatreader.py", line 217, in feed
        self._err_handler.fatalError(exc)
      File "/usr/lib64/python2.7/xml/sax/handler.py", line 38, in fatalError
        raise exception
    xml.sax._exceptions.SAXParseException: /etc/firewalld/blacklists/ip-blacklist.xm
    l:1:0: syntax error

--- Additional comment from Thomas Woerner on 2016-08-08 11:18:01 EDT ---

The fist part has been fixed upstream for firewall-cmd: https://github.com/t-woerner/firewalld/commit/04f5c99e5a8d82f490deeccf643a7a84941d2f7c
and firewall-offline-cmd: https://github.com/t-woerner/firewalld/commit/495a1a527f03e12195ec6334a21eb7ba3924a6e8

But the second part is not correct. The option --new-ipset-from-file= requires a valid ipset xml file (see firewalld.ipset(5)) with the ipset settings like type.

Comment 2 Thomas Woerner 2016-08-08 16:32:16 UTC
Here is the fix to show a nice error message instead of a traceback using not xml content: https://github.com/t-woerner/firewalld/commit/9afdbaeb1d0ec11cff7d362618657d63df5b6dff

Comment 6 errata-xmlrpc 2016-11-03 21:03:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2597.html


Note You need to log in before you can comment on or make changes to this bug.