Bug 1419058 - Improve support for ipsets in firewalld
Summary: Improve support for ipsets in firewalld
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: firewalld
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Thomas Woerner
QA Contact: Tomas Dolezal
Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks: 1420299
Reported: 2017-02-03 15:01 UTC by Stephen Wadeley
Modified: 2018-02-01 15:52 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
*firewalld* now supports additional IP sets

With this update of the *firewalld* service daemon, support for the following *ipset* types has been added:
* hash:ip,port
* hash:ip,port,ip
* hash:ip,port,net
* hash:ip,mark
* hash:net,net
* hash:net,port
* hash:net,port,net
* hash:net,iface

The following *ipset* types that provide a combination of sources and destinations at the same time are not supported as sources in *firewalld*. IP sets using these types are created by *firewalld*, but their usage is limited to direct rules:
* hash:ip,port,ip
* hash:ip,port,net
* hash:net,net
* hash:net,port,net

The _ipset_ packages have been rebased to upstream version 6.29, and the following *ipset* types are now additionally supported:
* hash:mac
* hash:net,port,net
* hash:net,net
* hash:ip,mark
Clone Of:
Environment:
Last Closed: 2017-08-01 16:22:56 UTC


Links:
Red Hat Product Errata RHBA-2017:1934 (normal, SHIPPED_LIVE): firewalld bug fix and enhancement update, last updated 2017-08-01 17:55:15 UTC

Description Stephen Wadeley 2017-02-03 15:01:13 UTC
Description of problem:

Firewalld currently supports:
hash:ip, hash:net, hash:mac

Trying another ipset type ('hash:ip,port') gives:

WARNING: INVALID_IPSET: ipset type 'hash:ip,port' not usable, ignoring.
Will this type and other ipset types be supported as well? 

Can support for more types be added in some way? Either internally or by firewalld code calling existing ipset code?


Version-Release number of selected component (if applicable):
Version     : 0.4.3.2
Release     : 8.el7



Thank you

Comment 3 Tomas Dolezal 2017-02-03 16:29:05 UTC
Thomas, please describe what kind of sets are to be added in this bug report. Also please mention any other related changes because this bugzilla is potentially bigger than a set or two.

Comment 4 Thomas Woerner 2017-02-09 16:30:48 UTC
These are the set types that have been added upstream:
  hash:ip,port
  hash:ip,port,ip
  hash:ip,port,net
  hash:ip,mark
  hash:net,net
  hash:net,port
  hash:net,port,net
  hash:net,iface

https://github.com/t-woerner/firewalld/commit/5eb1f78bee1346a83128bf2c3b18d38972a8632f
to
https://github.com/t-woerner/firewalld/commit/87051bb54aaf08e26b1c9aa13558598ca482ac94

Comment 8 Tomas Dolezal 2017-03-06 17:34:44 UTC
FAILED firewalld-0.4.4.3-2.el7.noarch
following sets are not supported properly:
hash:ip,mark
hash:net,net
hash:net,port,net

they can be created
they are not listed as supported
they are not loadable from config

errors from log (first two errors are part of test - expected):
firewalld[11250]: ERROR: INVALID_TYPE: 'hash:ip,ip,iface' is not valid ipset type
firewalld[11250]: ERROR: INVALID_TYPE: 'bitmap:ip,mac' is not valid ipset type
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.

Comment 11 Thomas Woerner 2017-03-16 13:17:51 UTC
(In reply to Tomas Dolezal from comment #8)
> FAILED firewalld-0.4.4.3-2.el7.noarch
> following sets are not supported properly:
> hash:ip,mark
> hash:net,net
> hash:net,port,net
> 
These are not supported by ipset v6.19. ipset-6.29 adds these ipset types:

hash:mac
hash:net,port,net
hash:net,net
hash:ip,mark

Please use the ipset rebase package to test these additional types.

Comment 13 Thomas Woerner 2017-03-27 15:33:05 UTC
Here is an additional patch to show the ipset type of an unsupported ipset type in a special label:

firewall-config: Show invalid ipset type in the ipset dialog in the bad label
https://github.com/t-woerner/firewalld/commit/63a83db430bc41afa61775598d99bb0e297a30b3

Comment 15 Tomas Dolezal 2017-04-28 13:05:42 UTC
ipset supported by ipset user-space utility but not by 7.4 kernel:
hash:ip,mark
hash:mac
hash:net,net
hash:net,port,net

these sets are configurable by firewalld, but it fails to create them due to
2017-04-28 08:58:57 ERROR: Failed to create ipset 'ipmark'
2017-04-28 08:58:57 ERROR: '/usr/sbin/ipset restore' failed: ipset v6.29: Error in line 1: Kernel error received: set type not supported

firewalld then reports error if such set is added as a source:
Error: NOT_APPLIED: ipmark, the set does not get into configuration
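The two failure modes reported in comment 8 (a type firewalld does not know at all, logged as INVALID_TYPE) and comment 15 (a type the user-space ipset 6.29 accepts but the 7.4 kernel rejects when firewalld runs `ipset restore`), together with the source-capable versus direct-rules-only split from the Doc Text, as an added Python example. This is not firewalld's own code and not part of the bug. It parses firewalld ipset XML files (the `<ipset type="...">` layout used under /etc/firewalld/ipsets/) and classifies each set before a reload. The set of kernel-supported types is passed in as an assumption rather than probed from the running kernel, and the sample files and kernel type list are constructed in memory so the check runs offline; `check_ipset_dir` is provided for running the same check over a real directory.

```python
"""Pre-flight check for firewalld ipset definition files.

Added example (not firewalld's own code). firewalld stores one XML file per
IP set under /etc/firewalld/ipsets/. At load time it rejects a file whose
type it does not know (INVALID_TYPE), and even a known type can still fail
later when 'ipset restore' hands it to a kernel that lacks the set type.
This script classifies each file before a reload so such failures are found
in advance instead of in the journal.
"""
import glob
import os
import xml.etree.ElementTree as ET

# Types firewalld accepts as zone/rich-rule sources after this update
# (the three original types plus the source-capable additions from the Doc Text).
SOURCE_TYPES = {
    "hash:ip", "hash:net", "hash:mac",
    "hash:ip,port", "hash:ip,mark", "hash:net,port", "hash:net,iface",
}
# Types firewalld creates but exposes only to direct rules (Doc Text).
DIRECT_ONLY_TYPES = {
    "hash:ip,port,ip", "hash:ip,port,net", "hash:net,net", "hash:net,port,net",
}
FIREWALLD_TYPES = SOURCE_TYPES | DIRECT_ONLY_TYPES


def ipset_type(xml_text):
    """Return the type attribute of a firewalld ipset XML document."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != "ipset":
        raise ValueError("root element is <%s>, expected <ipset>" % root.tag)
    set_type = root.get("type")
    if not set_type:
        raise ValueError("<ipset> element has no type attribute")
    return set_type


def classify(set_type, kernel_types):
    """Classify a set type the way a firewalld reload would end up treating it.

    kernel_types is the set of types the running kernel accepts. It is passed
    in (assumption) rather than probed so the check runs offline.
    """
    if set_type not in FIREWALLD_TYPES:
        return "INVALID_TYPE"          # firewalld refuses to load the file
    if set_type not in kernel_types:
        return "KERNEL_UNSUPPORTED"    # 'ipset restore' fails: set type not supported
    if set_type in DIRECT_ONLY_TYPES:
        return "DIRECT_RULES_ONLY"     # created, but not usable as a source
    return "SOURCE_OK"


def check_ipsets(files, kernel_types):
    """files: mapping of file name -> XML text. Returns {file name: status}."""
    result = {}
    for name, text in files.items():
        try:
            result[name] = classify(ipset_type(text), kernel_types)
        except (ET.ParseError, ValueError) as exc:
            result[name] = "PARSE_ERROR: %s" % exc
    return result


def check_ipset_dir(directory, kernel_types):
    """Same check over the real files in a firewalld ipsets directory."""
    files = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.xml"))):
        with open(path, "rb") as fh:
            files[os.path.basename(path)] = fh.read()
    return check_ipsets(files, kernel_types)


# Constructed sample mirroring comment 15: user-space ipset 6.29 knows the
# rebased types, but that host's kernel rejected hash:ip,mark, hash:mac,
# hash:net,net and hash:net,port,net.
SAMPLE_KERNEL_TYPES = {
    "hash:ip", "hash:net", "hash:ip,port", "hash:ip,port,ip",
    "hash:ip,port,net", "hash:net,port", "hash:net,iface",
}

# Constructed ipset files; entries use documentation addresses (RFC 5737).
SAMPLE_FILES = {
    "ipmark.xml": '<?xml version="1.0" encoding="utf-8"?>\n'
                  '<ipset type="hash:ip,mark">\n  <entry>192.0.2.10,0x1</entry>\n</ipset>\n',
    "blocklist.xml": '<?xml version="1.0" encoding="utf-8"?>\n'
                     '<ipset type="hash:net">\n  <entry>198.51.100.0/24</entry>\n</ipset>\n',
    "pairs.xml": '<?xml version="1.0" encoding="utf-8"?>\n'
                 '<ipset type="hash:ip,port,ip">\n  <entry>192.0.2.1,tcp:22,192.0.2.2</entry>\n</ipset>\n',
    "bogus.xml": '<?xml version="1.0" encoding="utf-8"?>\n'
                 '<ipset type="bitmap:ip,mac">\n</ipset>\n',
}

if __name__ == "__main__":
    for name, status in check_ipsets(SAMPLE_FILES, SAMPLE_KERNEL_TYPES).items():
        print("%-15s %s" % (name, status))
```

Run as a script it prints one status per sample file; on a real host, call `check_ipset_dir("/etc/firewalld/ipsets", kernel_types)` with the type set that your kernel actually accepts. The classification order matters: an unknown type is reported as INVALID_TYPE before the kernel check, and a direct-rules-only type that the kernel also lacks is reported as KERNEL_UNSUPPORTED, since that is the error firewalld would hit first.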

Comment 19 errata-xmlrpc 2017-08-01 16:22:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1934

