Description of problem:
Firewalld currently supports: hash:ip, hash:net, hash:mac
Trying another ipset type ('hash:ip,port') gives:
WARNING: INVALID_IPSET: ipset type 'hash:ip,port' not usable, ignoring.
Will this type and other ipset types be supported as well? Can support for more types be added in some way? Either internally or by firewalld code calling existing ipset code?

Version-Release number of selected component (if applicable):
Version : 0.4.3.2
Release : 8.el7

Thank you
Thomas, please describe what kind of sets are to be added in this bug report. Also please mention any other related changes because this bugzilla is potentially bigger than a set or two.
These are the set types that have been added upstream:
hash:ip,port
hash:ip,port,ip
hash:ip,port,net
hash:ip,mark
hash:net,net
hash:net,port
hash:net,port,net
hash:net,iface

https://github.com/t-woerner/firewalld/commit/5eb1f78bee1346a83128bf2c3b18d38972a8632f
to
https://github.com/t-woerner/firewalld/commit/87051bb54aaf08e26b1c9aa13558598ca482ac94
FAILED firewalld-0.4.4.3-2.el7.noarch
following sets are not supported properly:
hash:ip,mark
hash:net,net
hash:net,port,net
they can be created
they are not listed as supported
they are not loadable from config

errors from log (first two errors are part of test - expected):
firewalld[11250]: ERROR: INVALID_TYPE: 'hash:ip,ip,iface' is not valid ipset type
firewalld[11250]: ERROR: INVALID_TYPE: 'bitmap:ip,mac' is not valid ipset type
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/test6set09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset06.xml': INVALID_TYPE: 'hash:ip,mark' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset07.xml': INVALID_TYPE: 'hash:net,net' is not supported by ipset.
firewalld[11250]: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/testset09.xml': INVALID_TYPE: 'hash:net,port,net' is not supported by ipset.
(In reply to Tomas Dolezal from comment #8)
> FAILED firewalld-0.4.4.3-2.el7.noarch
> following sets are not supported properly:
> hash:ip,mark
> hash:net,net
> hash:net,port,net

These are not supported by ipset v6.19. ipset-6.29 adds these ipset types:
hash:mac
hash:net,port,net
hash:net,net
hash:ip,mark

Please use the ipset rebase package to test these additional types.
Here is an additional patch to show the ipset type of an unsupported ipset type in a special label:

firewall-config: Show invalid ipset type in the ipset dialog in the bad label
https://github.com/t-woerner/firewalld/commit/63a83db430bc41afa61775598d99bb0e297a30b3
ipset supported by ipset user-space utility but not by 7.4 kernel:
hash:ip,mark
hash:mac
hash:net,net
hash:net,port,net

these sets are configurable by firewalld, but it fails to create them due to
2017-04-28 08:58:57 ERROR: Failed to create ipset 'ipmark'
2017-04-28 08:58:57 ERROR: '/usr/sbin/ipset restore' failed: ipset v6.29: Error in line 1: Kernel error received: set type not supported

firewalld then reports error if such set is added as a source:
Error: NOT_APPLIED: ipmark, the set does not get into configuration
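The failure mode in the comments above is a type that firewalld accepts in its XML configuration but the kernel refuses at `ipset restore` time. The following pre-flight check is an added example, not firewalld's own code: it parses ipset definitions in the /etc/firewalld/ipsets/*.xml format (`<ipset type="...">` with `<entry>` children, as documented in firewalld.ipset(5)), rejects types firewalld does not know, flags types absent from a caller-supplied list of kernel-supported types (on a real host that list would be probed with `ipset create`; here it is constructed from this report), and checks that every entry has one field per component of the type. The sample XML documents and the OLD_KERNEL set are constructed for the example.

```python
import xml.etree.ElementTree as ET

# ipset types firewalld accepts in its configuration (the list given in this report)
FIREWALLD_TYPES = {
    "hash:ip", "hash:net", "hash:mac",
    "hash:ip,port", "hash:ip,port,ip", "hash:ip,port,net", "hash:ip,mark",
    "hash:net,net", "hash:net,port", "hash:net,port,net", "hash:net,iface",
}


def check_ipset_xml(xml_text, kernel_types):
    """Return a list of problems for one firewalld ipset XML document.

    kernel_types: the set types the running kernel accepts (passed in so the
    check runs offline). An empty list means the set should load and be created.
    """
    problems = []
    root = ET.fromstring(xml_text)
    settype = root.get("type", "")
    if settype not in FIREWALLD_TYPES:
        return ["INVALID_TYPE: %r is not a valid ipset type" % settype]
    if settype not in kernel_types:
        problems.append("%s is not supported by the kernel (set type not supported)" % settype)
    # every comma-separated component of the type needs one field in each entry
    arity = len(settype.split(":", 1)[1].split(","))
    for entry in root.findall("entry"):
        fields = (entry.text or "").split(",")
        if len(fields) != arity:
            problems.append("entry %r has %d field(s), type %s needs %d"
                            % (entry.text, len(fields), settype, arity))
    return problems


# Constructed sample configs in the /etc/firewalld/ipsets/*.xml format.
IPPORT_XML = """<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip,port">
  <option name="family" value="inet"/>
  <entry>192.0.2.10,tcp:443</entry>
  <entry>192.0.2.11</entry>
</ipset>"""

IPMARK_XML = """<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip,mark">
  <entry>192.0.2.12,0x10</entry>
</ipset>"""

# Constructed model of a kernel lacking the four types this report says the 7.4 kernel rejects.
OLD_KERNEL = FIREWALLD_TYPES - {"hash:ip,mark", "hash:mac", "hash:net,net", "hash:net,port,net"}

if __name__ == "__main__":
    for name, doc in (("ipport", IPPORT_XML), ("ipmark", IPMARK_XML)):
        print(name, check_ipset_xml(doc, OLD_KERNEL) or "OK")
```

Running it against the two constructed sets reports the malformed hash:ip,port entry and the hash:ip,mark set the modelled kernel cannot create, which is the condition that otherwise only surfaces as "Kernel error received: set type not supported" in the firewalld log.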
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1934