Bug 1682913 - native ipsets are not cleaned up upon daemon exit
Summary: native ipsets are not cleaned up upon daemon exit
Alias: None
Deadline: 2020-09-28
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: firewalld
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.1
Assignee: Eric Garver
QA Contact: Jiri Peska
Sagar Dubewar
Depends On:
TreeView+ depends on / blocked
Reported: 2019-02-25 19:32 UTC by Tomas Dolezal
Modified: 2020-11-04 01:40 UTC (History)
5 users (show)

Fixed In Version: firewalld-0.8.2-1.el8
Doc Type: Bug Fix
Doc Text:
.`firewalld` no longer retains `ipset` entries after shutdown Previously, shutting down `firewalld` did not remove `ipset` entries. Consequently, `ipset` entries remained active in the kernel even after stopping the `firewalld` service. With this fix, shutting down `firewalld` removes `ipset` entries as expected.
Clone Of:
Last Closed: 2020-11-04 01:39:57 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4461 0 None None None 2020-11-04 01:40:21 UTC

Internal Links: 1790948

Description Tomas Dolezal 2019-02-25 19:32:19 UTC
Description of problem:
after creating an firewalld ipset using --new-ipset in permanent mode and subsequent service start and stop, the defined ipset remains active in kernel and is visible via ipset list
the behaviour is same if iptables or nftables backend is used

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
firewall-cmd --new-ipset fwdset --permanent --type hash:ip
firewall-cmd --ipset fwdset --permanent --add-entry
restart firewalld and stop it
ipset list still shows 'fwdset' and it's entry

Actual results:
ipset remains in memory
any additional entries are wiped upon service start

Expected results:
ipset is destroyed like in previous versions?

Additional info:

Comment 4 Eric Garver 2020-03-03 17:34:03 UTC

81d784f8c856 ("test: ipset: verify clean up on exit/reload")
f5ed30ce7175 ("fix: ipset: destroy runtime sets on reload/stop")

Comment 16 errata-xmlrpc 2020-11-04 01:39:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.