1419058 – Improve support for ipsets in firewalld

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1419058 - Improve support for ipsets in firewalld

Summary: Improve support for ipsets in firewalld

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	firewalld
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Thomas Woerner
QA Contact:	Tomas Dolezal
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:	1420299
TreeView+	depends on / blocked

Reported:	2017-02-03 15:01 UTC by Stephen Wadeley
Modified:	2020-09-10 10:10 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	firewalld now supports additional IP sets With this update of the firewalld service daemon, support for the following ipset types has been added: * hash:ip,port * hash:ip,port,ip * hash:ip,port,net * hash:ip,mark * hash:net,net * hash:net,port * hash:net,port,net * hash:net,iface The following ipset types that provide a combination of sources and destinations at the same time are not supported as sources in firewalld. IP sets using these types are created by firewalld, but their usage is limited to direct rules: * hash:ip,port,ip * hash:ip,port,net * hash:net,net * hash:net,port,net The _ipset_ packages have been rebased to upstream version 6.29, and the following ipset types are now additionally supported: * hash:mac * hash:net,port,net * hash:net,net * hash:ip,mark
Clone Of:
Environment:
Last Closed:	2017-08-01 16:22:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:1934	0	normal	SHIPPED_LIVE	firewalld bug fix and enhancement update	2017-08-01 17:55:15 UTC

Internal Links: 1936896

Description Stephen Wadeley 2017-02-03 15:01:13 UTC

Description of problem:

Firewalld currently supports:
hash:ip, hash:net, hash:mac 

Trying another ipset type ('hash:ip,port) gives:

WARNING: INVALID_IPSET: ipset type 'hash:ip,port' not usable, ignoring.
Will this type and other ipset types be supported as well? 

Can support for more types be added in some way? Either internaly or by firewalld code calling existing ipset code?


Version-Release number of selected component (if applicable):
Version     : 0.4.3.2
Release     : 8.el7



Thank you

Comment 3 Tomas Dolezal 2017-02-03 16:29:05 UTC

Thomas, please describe what kind of sets are to be added in this bugreport. Also please mention any other related changes because this bugzilla is potentially bigger than a set or two.

Comment 4 Thomas Woerner 2017-02-09 16:30:48 UTC

These are the set types that have been added upstream:
  hash:ip,port
  hash:ip,port,ip
  hash:ip,port,net
  hash:ip,mark
  hash:net,net
  hash:net,port
  hash:net,port,net
  hash:net,iface

https://github.com/t-woerner/firewalld/commit/5eb1f78bee1346a83128bf2c3b18d38972a8632f
to
https://github.com/t-woerner/firewalld/commit/87051bb54aaf08e26b1c9aa13558598ca482ac94

Comment 8 Tomas Dolezal 2017-03-06 17:34:44 UTC

FAILED firewalld-0.4.4.3-2.el7.noarch
following sets are not supported properly:
hash:ip,mark
hash:net,net
hash:net,port,net

they can be created
they are not listed as supported
they are not loadable from config

errors from log (first two errors are part of test - expected):
firewalld[11250]: ERROR: INVALID_TYPE: 'hash:ip,ip,iface' is not valid ipset type
firewalld[11250]: ERROR: INVALID_TYPE: 'bitmap:ip,mac' is not valid ipset type
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.

Comment 11 Thomas Woerner 2017-03-16 13:17:51 UTC

(In reply to Tomas Dolezal from comment #8)
> FAILED firewalld-0.4.4.3-2.el7.noarch
> following sets are not supported properly:
> hash:ip,mark
> hash:net,net
> hash:net,port,net
> 
These are not supported by ipset v6.19. ipset-6.29 adds these ipset types:

hash:mac
hash:net,port,net
hash:net,net
hash:ip,mark

Please use the ipset rebase package to text these additional types.

Comment 13 Thomas Woerner 2017-03-27 15:33:05 UTC

Here is an additional patch to show the ipset type of an unsupported ipset type in a special label:

firewall-config: Show invalid ipset type in the ipset dialog in the bad label
https://github.com/t-woerner/firewalld/commit/63a83db430bc41afa61775598d99bb0e297a30b3

Comment 15 Tomas Dolezal 2017-04-28 13:05:42 UTC

ipset supported by ipset user-space utility but not by 7.4 kernel:
hash:ip,mark
hash:mac
hash:net,net
hash:net,port,net

these sets are configurable by firewalld, but it fails to create them due to
2017-04-28 08:58:57 ERROR: Failed to create ipset 'ipmark'
2017-04-28 08:58:57 ERROR: '/usr/sbin/ipset restore' failed: ipset v6.29: Error in line 1: Kernel error received: set type not supported

firewalld then reports error if such set is added as a source:
Error: NOT_APPLIED: ipmark, the set does not get into configuration

Comment 19 errata-xmlrpc 2017-08-01 16:22:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1934

Note You need to log in before you can comment on or make changes to this bug.