*firewalld* now supports additional IP sets
With this update of the *firewalld* service daemon, support for the following *ipset* types has been added:
* hash:ip,port
* hash:ip,port,ip
* hash:ip,port,net
* hash:ip,mark
* hash:net,net
* hash:net,port
* hash:net,port,net
* hash:net,iface
The following *ipset* types that provide a combination of sources and destinations at the same time are not supported as sources in *firewalld*. IP sets using these types are created by *firewalld*, but their usage is limited to direct rules:
* hash:ip,port,ip
* hash:ip,port,net
* hash:net,net
* hash:net,port,net
The *ipset* packages have been rebased to upstream version 6.29, and the following *ipset* types are now additionally supported:
* hash:mac
* hash:net,port,net
* hash:net,net
* hash:ip,mark
Description: Stephen Wadeley, 2017-02-03 15:01:13 UTC
Description of problem:
Firewalld currently supports:
hash:ip, hash:net, hash:mac
Trying another ipset type ('hash:ip,port') gives:
WARNING: INVALID_IPSET: ipset type 'hash:ip,port' not usable, ignoring.
Will this type and other ipset types be supported as well?
Can support for more types be added in some way? Either internally or by firewalld code calling existing ipset code?
Version-Release number of selected component (if applicable):
Version : 0.4.3.2
Release : 8.el7
Thank you
Thomas, please describe what kind of sets are to be added in this bug report. Also please mention any other related changes because this bugzilla is potentially bigger than a set or two.
FAILED firewalld-0.4.4.3-2.el7.noarch
following sets are not supported properly:
hash:ip,mark
hash:net,net
hash:net,port,net
they can be created
they are not listed as supported
they are not loadable from config
errors from log (first two errors are part of test - expected):
firewalld[11250]: ERROR: INVALID_TYPE: 'hash:ip,ip,iface' is not valid ipset type
firewalld[11250]: ERROR: INVALID_TYPE: 'bitmap:ip,mac' is not valid ipset type
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.
(In reply to Tomas Dolezal from comment #8)
> FAILED firewalld-0.4.4.3-2.el7.noarch
> following sets are not supported properly:
> hash:ip,mark
> hash:net,net
> hash:net,port,net
>
These are not supported by ipset v6.19. ipset-6.29 adds these ipset types:
hash:mac
hash:net,port,net
hash:net,net
hash:ip,mark
Please use the ipset rebase package to test these additional types.
ipset supported by ipset user-space utility but not by 7.4 kernel:
hash:ip,mark
hash:mac
hash:net,net
hash:net,port,net
these sets are configurable by firewalld, but it fails to create them due to
2017-04-28 08:58:57 ERROR: Failed to create ipset 'ipmark'
2017-04-28 08:58:57 ERROR: '/usr/sbin/ipset restore' failed: ipset v6.29: Error in line 1: Kernel error received: set type not supported
firewalld then reports error if such set is added as a source:
Error: NOT_APPLIED: ipmark, the set does not get into configuration
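The type lists from the release note above and the user-space-versus-kernel mismatch behind the "set type not supported" log line, as an added example that is not firewalld's own code: it classifies firewalld ipset XML definitions by how they can be used, and optionally probes the running kernel with a scratch set. The XML layout follows firewalld.ipset(5); the sample files, the probe set name and the verdict strings are assumptions, not taken from the bug.

```python
import subprocess
import xml.etree.ElementTree as ET

# Types firewalld accepts as zone/rich-rule sources, per the release note above.
SOURCE_OK = {"hash:ip", "hash:net", "hash:mac", "hash:ip,port", "hash:ip,mark",
             "hash:net,port", "hash:net,iface"}
# Created by firewalld but usable only in direct rules (source+destination types).
DIRECT_ONLY = {"hash:ip,port,ip", "hash:ip,port,net", "hash:net,net", "hash:net,port,net"}
# Added to the ipset user-space tool in 6.29; an older kernel still rejects them.
NEEDS_6_29 = {"hash:mac", "hash:net,port,net", "hash:net,net", "hash:ip,mark"}


def classify(xml_text):
    """Return (set type, verdict) for one firewalld ipset XML document."""
    root = ET.fromstring(xml_text)
    if root.tag != "ipset" or "type" not in root.attrib:
        raise ValueError("not a firewalld ipset definition")
    set_type = root.attrib["type"]
    if set_type in SOURCE_OK:
        verdict = "source-ok"
    elif set_type in DIRECT_ONLY:
        verdict = "direct-rules-only"
    else:
        verdict = "unsupported"
    if set_type in NEEDS_6_29:
        verdict += "+needs-ipset-6.29-and-kernel"
    return set_type, verdict


def kernel_supports(set_type, probe="__fwd_probe"):
    """Probe the running kernel the way 'ipset restore' fails in the log above:
    create a scratch set, then destroy it (needs root). None = ipset tool missing."""
    try:
        res = subprocess.run(["ipset", "create", probe, set_type], capture_output=True)
    except FileNotFoundError:
        return None
    if res.returncode != 0:
        return False  # e.g. "Kernel error received: set type not supported"
    subprocess.run(["ipset", "destroy", probe], capture_output=True)
    return True


# Constructed sample definitions modelled on firewalld.ipset(5); not from the bug.
SAMPLES = {
    "testset06.xml": '<ipset type="hash:ip,mark"><entry>192.0.2.10,16</entry></ipset>',
    "testset07.xml": '<ipset type="hash:net,net"><entry>192.0.2.0/24,198.51.100.0/24</entry></ipset>',
    "allow.xml": '<ipset type="hash:ip,port"><entry>192.0.2.5,tcp:22</entry></ipset>',
    "bad.xml": '<ipset type="bitmap:ip,mac"><entry>192.0.2.5</entry></ipset>',
}


def audit(files):
    """Map file name -> verdict, e.g. over the files in /etc/firewalld/ipsets."""
    return {name: classify(text)[1] for name, text in files.items()}
```

Run `audit` over the real `/etc/firewalld/ipsets` directory and, for anything flagged with the 6.29 suffix, call `kernel_supports` as root before reloading firewalld so the failure surfaces ahead of time rather than as a NOT_APPLIED error.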
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:1934