Bug 1419058 – Improve support for ipsets in firewalld

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1419058 - Improve support for ipsets in firewalld

Summary:	Improve support for ipsets in firewalld

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	firewalld (Show other bugs)
Sub Component:
Version:	7.2
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Thomas Woerner
QA Contact:	Tomas Dolezal
Docs Contact:	Mirek Jahoda

URL:
Whiteboard:
Keywords:	RFE

Depends On:
Blocks:	1420299
	Show dependency tree / graph

Reported:	2017-02-03 10:01 EST by Stephen Wadeley
Modified:	2018-02-01 10:52 EST (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	firewalld now supports additional IP sets With this update of the firewalld service daemon, support for the following ipset types has been added: * hash:ip,port * hash:ip,port,ip * hash:ip,port,net * hash:ip,mark * hash:net,net * hash:net,port * hash:net,port,net * hash:net,iface The following ipset types that provide a combination of sources and destinations at the same time are not supported as sources in firewalld. IP sets using these types are created by firewalld, but their usage is limited to direct rules: * hash:ip,port,ip * hash:ip,port,net * hash:net,net * hash:net,port,net The _ipset_ packages have been rebased to upstream version 6.29, and the following ipset types are now additionally supported: * hash:mac * hash:net,port,net * hash:net,net * hash:ip,mark
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-08-01 12:22:56 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:1934	normal	SHIPPED_LIVE	firewalld bug fix and enhancement update	2017-08-01 13:55:15 EDT

Groups: None (edit)

Description Stephen Wadeley 2017-02-03 10:01:13 EST

Description of problem:

Firewalld currently supports:
hash:ip, hash:net, hash:mac 

Trying another ipset type ('hash:ip,port) gives:

WARNING: INVALID_IPSET: ipset type 'hash:ip,port' not usable, ignoring.
Will this type and other ipset types be supported as well? 

Can support for more types be added in some way? Either internaly or by firewalld code calling existing ipset code?


Version-Release number of selected component (if applicable):
Version     : 0.4.3.2
Release     : 8.el7



Thank you

Comment 3 Tomas Dolezal 2017-02-03 11:29:05 EST

Thomas, please describe what kind of sets are to be added in this bugreport. Also please mention any other related changes because this bugzilla is potentially bigger than a set or two.

Comment 4 Thomas Woerner 2017-02-09 11:30:48 EST

These are the set types that have been added upstream:
  hash:ip,port
  hash:ip,port,ip
  hash:ip,port,net
  hash:ip,mark
  hash:net,net
  hash:net,port
  hash:net,port,net
  hash:net,iface

https://github.com/t-woerner/firewalld/commit/5eb1f78bee1346a83128bf2c3b18d38972a8632f
to
https://github.com/t-woerner/firewalld/commit/87051bb54aaf08e26b1c9aa13558598ca482ac94

Comment 8 Tomas Dolezal 2017-03-06 12:34:44 EST

FAILED firewalld-0.4.4.3-2.el7.noarch
following sets are not supported properly:
hash:ip,mark
hash:net,net
hash:net,port,net

they can be created
they are not listed as supported
they are not loadable from config

errors from log (first two errors are part of test - expected):
firewalld[11250]: ERROR: INVALID_TYPE: 'hash:ip,ip,iface' is not valid ipset type
firewalld[11250]: ERROR: INVALID_TYPE: 'bitmap:ip,mac' is not valid ipset type
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.

Comment 11 Thomas Woerner 2017-03-16 09:17:51 EDT

(In reply to Tomas Dolezal from comment #8)
> FAILED firewalld-0.4.4.3-2.el7.noarch
> following sets are not supported properly:
> hash:ip,mark
> hash:net,net
> hash:net,port,net
> 
These are not supported by ipset v6.19. ipset-6.29 adds these ipset types:

hash:mac
hash:net,port,net
hash:net,net
hash:ip,mark

Please use the ipset rebase package to text these additional types.

Comment 13 Thomas Woerner 2017-03-27 11:33:05 EDT

Here is an additional patch to show the ipset type of an unsupported ipset type in a special label:

firewall-config: Show invalid ipset type in the ipset dialog in the bad label
https://github.com/t-woerner/firewalld/commit/63a83db430bc41afa61775598d99bb0e297a30b3

Comment 15 Tomas Dolezal 2017-04-28 09:05:42 EDT

ipset supported by ipset user-space utility but not by 7.4 kernel:
hash:ip,mark
hash:mac
hash:net,net
hash:net,port,net

these sets are configurable by firewalld, but it fails to create them due to
2017-04-28 08:58:57 ERROR: Failed to create ipset 'ipmark'
2017-04-28 08:58:57 ERROR: '/usr/sbin/ipset restore' failed: ipset v6.29: Error in line 1: Kernel error received: set type not supported

firewalld then reports error if such set is added as a source:
Error: NOT_APPLIED: ipmark, the set does not get into configuration

Comment 19 errata-xmlrpc 2017-08-01 12:22:56 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1934

Note You need to log in before you can comment on or make changes to this bug.