RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1596304 - strip or reject non-printable characters (e.g. carriage return) in --add-rich-rule
Summary: strip or reject non-printable characters (e.g. carriage return) in --add-rich...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: firewalld
Version: 8.2
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: 8.3
Assignee: Eric Garver
QA Contact: Štěpán Němec
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-06-28 14:46 UTC by Ashraf
Modified: 2021-05-18 14:58 UTC (History)
4 users (show)

Fixed In Version: firewalld-0.8.2-6.el8
Doc Type: Bug Fix
Doc Text:
Cause: non printable characters were permitted in rich rules Consequence: displaying the rules may cause artifacts such as breaking the rule across two lines. Fix: strip non printable characters from the rich rule string Result: rich rules are now displayed correctly.
Clone Of:
Environment:
Last Closed: 2021-05-18 14:58:48 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Ashraf 2018-06-28 14:46:03 UTC 
Description of problem:
when trying to add (white list) IP from external url, if the list in url is not correctly encoded, you will be totally blocked from the server, you won't be able to connect unless physically or through KVM platform. even ping won't work, or web, ftp, ssh, all services will be blocked

Version-Release number of selected component (if applicable):


How reproducible:

for i in $(curl "https://www.cloudflare.com/ips-v4"); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'$i'" port port=80 protocol=tcp accept'; done

if (https://www.cloudflare.com/ips-v4) is a url not correctly encoded, you are blocked.

Steps to Reproduce:
1.
2.
3.

Actual results:
firewall-cmd --list-all
you will see incorrect or incomplete rule at the end of list


Expected results:
if IP is not correct, fail to add rule

Additional info:
even if you uninstalled firewalld 
yum remove firewalld -y
and then reinstalled it
yum install firewalld

once it is enabled you will be blocked away from server, must access it via KVM
Comment 2 Eric Garver 2018-10-11 19:46:04 UTC 
Can you provide an example of the improperly formatted input so I an reproduce this? As of now I'm unable to reproduce the issue.
Comment 3 Eric Garver 2018-11-13 22:09:04 UTC 
As per comment 2 there is insufficient data to reproduce this issue.
Comment 4 Ashraf 2018-11-28 10:06:16 UTC 
http://atyourserver.com/ip/ip.txt

this text file import in curl will cause all connections to server to be blocked, you will not be able to access server but physically by connecting keyboard
Comment 5 Eric Garver 2018-11-28 14:00:15 UTC 
Thanks for providing the "bad" file. This occurs due to the carriage returns in the file. You can avoid it by running dos2unix on the file.
e.g.

  for i in $(curl "https://www.cloudflare.com/ips-v4" | dos2unix); do sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'$i'" port port=80 protocol=tcp accept'; done


However, firewalld should be smart enough to strip no printable characters from the string given to --add-rich-rule. So I'll reopen this BZ for that purpose.
Comment 7 Eric Garver 2020-05-07 17:27:33 UTC 
This is a minor issue and there are no plans to fix this in RHEL-7. It can be worked around by sanitizing the input. Moving to RHEL-8.
Comment 23 errata-xmlrpc 2021-05-18 14:58:48 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1643
Note You need to log in before you can comment on or make changes to this bug.