Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1601610

Summary: firewall-cmd shows stale entries that it successfully deleted from an ipset.
Product: Red Hat Enterprise Linux 7 Reporter: patrick
Component: firewalldAssignee: Eric Garver <egarver>
Status: CLOSED CURRENTRELEASE QA Contact: qe-baseos-daemons
Severity: medium Docs Contact:
Priority: medium    
Version: 7.4CC: todoleza
Target Milestone: rcKeywords: TestOnly, Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: firewalld-0.6.3-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-11-06 16:57:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1637204    
Bug Blocks:    

Description patrick 2018-07-16 22:11:14 UTC 
Description of problem:
firewall-cmd shows stale entries that it successfully deleted from an ipset.

Version-Release number of selected component (if applicable):
$ sudo firewall-cmd -V
0.4.4.4
$ sudo ipset -V
ipset v6.29, protocol version: 6

How reproducible:
Very reproducible.

Steps to Reproduce:
1. Create new ipset using firewall-cmd and reload firewall: 
sudo firewall-cmd --new-ipset=test_ipset --permanent --type=hash:net
sudo firewall-cmd --reload

2. Add firewall-cmd ipset entries:
for i in `seq 1 3`; do
  sudo firewall-cmd --ipset=test_ipset --add-entry=10.1.$i.0/22
done

3. Remove firewall-cmd ipset entries:
for i in `seq 1 3`; do
  sudo firewall-cmd --ipset=test_ipset --remove-entry=10.1.$i.0/22
done

Actual results:
List firewall-cmd ipset entries will show stale entries that were "successfully" removed in step 3.
  sudo firewall-cmd --ipset=test_ipset --get-entries

Expected results:
No stale entries should be returned for sudo firewall-cmd --get-ipsets --ipset=test_ipset. Note that running the "sudo ipset list test_ipset" command directly shows no stale entries.

Additional info:
Seems to occur when the ipset contains multiple entries.
Comment 2 Eric Garver 2018-07-17 12:44:33 UTC 
Thanks for reporting. I've reproduced this on firewalld-0.5.3-2.el7.
Comment 3 Eric Garver 2018-09-14 12:45:03 UTC 
This occurs because 10.1.1.0/22, 10.1.2.0/22, and 10.1.3.0/22 actually refer to the same amount of significant bits. A mask of /22 means the last two least significant bits of the third octet are not used for matching.

ipset is smart enough to detect this. When the 2nd and 3rd ip/mask are added it doesn't actually add another entry, because an equivalent one exists. Firewalld is using the ipset option "-exist" so no error is given. On the delete, firewalld is _not_ using "-exist" so an error is correctly given from ipset when the 2nd and 3rd ip/mask are attempted to be deleted.

Relevant error logs when reproducing this:

Sep 14 08:28:28 fedora firewalld[5689]: ERROR: Failed to remove entry '10.1.2.0/22' from ipset 'test_ipset'
Sep 14 08:28:28 fedora firewalld[5689]: ERROR: '/usr/sbin/ipset del test_ipset 10.1.2.0/22' failed: ipset v6.38: Element cannot be deleted from the set: it's not added
Sep 14 08:28:29 fedora firewalld[5689]: ERROR: Failed to remove entry '10.1.3.0/22' from ipset 'test_ipset'
Sep 14 08:28:29 fedora firewalld[5689]: ERROR: '/usr/sbin/ipset del test_ipset 10.1.3.0/22' failed: ipset v6.38: Element cannot be deleted from the set: it's not added
Comment 4 Eric Garver 2018-09-14 12:52:33 UTC 
Dropping priority/severity as this only occurs when passing functionally equivalent ip/mask pairs to firewalld. e.g. 10.1.1.0/22, 10.1.2.0/22.

To avoid the issue, don't use equivalent ip/mask pairs.

This is okay: 10.1.8.0/22, 10.1.16.0/22
This is NOT okay: 10.1.1.0/22, 10.1.2.0/22
Comment 5 Eric Garver 2018-09-17 16:01:50 UTC 
Upstream:

   2937d89d959b ("ipset: only use "-exist" on restore")
Comment 7 Eric Garver 2019-11-06 16:57:06 UTC 
Closing. This was fixed implicitly in RHEL-7.7.