RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Document URL:
<https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Load_Balancer_Administration/s1-lvs-multi-VSA.html>


Section Number and Name:
3.4.1. Assigning Firewall Marks Using firewalld


Describe the issue:
The add-rich-rule example given near the end of 3.4.1 causes this error to be printed:
  Error: INVALID_RULE: attribute 'port' outside of any element.
  Use 'rule <element> port= ...'.


Suggestions for improvement:
Add "port" and "family=ipv4" into the firewall-cmd command.


Additional information:
Below is the progressions of commands I had to run to get this to work, starting with what is in the _Load Balancer Administration_ document.


# firewall-cmd --add-rich-rule='rule destination address="192.168.1.19" port=80 protocol=tcp mark set="80"' --permanent
Error: INVALID_RULE: attribute 'port' outside of any element. Use 'rule <element> port= ...'.

# firewall-cmd --add-rich-rule='rule destination address="192.168.1.19" port port=80 protocol=tcp mark set="80"' --permanent
Error: MISSING_FAMILY

# firewall-cmd --add-rich-rule='rule family=ipv4 destination address="192.168.1.19" port port=80 protocol=tcp mark set="80"' --permanent
success

# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)

# rpm -qf `which firewall-cmd`
firewalld-0.4.4.4-6.el7.noarch

Brandon:

Can you verify for me whether I can make this correction as noted?  

Stevenn

Fixed examples are now on the Portal:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Load_Balancer_Administration/s1-lvs-multi-VSA.html#sect-Assigning_Firewall_Marks_Using_firewalld