Bug 1734765 - order of INPUT_ZONES_SOURCE rules is not deterministic
Summary: order of INPUT_ZONES_SOURCE rules is not deterministic
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: firewalld
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.0
Assignee: Eric Garver
QA Contact: Tomas Dolezal
URL:
Whiteboard:
Depends On: 1421222
Blocks: 1737491
Reported: 2019-07-31 11:38 UTC by Tomas Dolezal
Modified: 2019-11-05 22:31 UTC

Fixed In Version: firewalld-0.7.0-5.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1421222
Clones: 1737491
Environment:
Last Closed: 2019-11-05 22:31:34 UTC
Type: Bug
Target Upstream Version:




Links:
Red Hat Product Errata RHEA-2019:3635 (last updated 2019-11-05 22:31:49 UTC)

Comment 2 Tomas Dolezal 2019-07-31 11:42:52 UTC
old correctly ordered rules:
firewalld-0.6.3-7.el8.noarch
[root@ci-vm-10-0-136-243 tmp.W8lRFVjQny]# nft list chain inet firewalld filter_INPUT_ZONES_SOURCE
table inet firewalld {
	chain filter_INPUT_ZONES_SOURCE {
		ip saddr 192.0.2.10 goto filter_IN_10_it
		ip6 saddr 2001:db8:aaaa::/70 goto filter_IN_10_it
		ip saddr 192.168.2.0/24 goto filter_IN_20_wrk
		ip6 saddr 2001:db8:aaaa::/60 goto filter_IN_20_wrk
		ip saddr 192.168.0.0/22 goto filter_IN_30_vpn
		ip6 saddr 2001:db8:aaaa:16::/64 goto filter_IN_30_vpn
	}
}

new incorrectly ordered rules for zone sources:
firewalld-0.7.0-3.el8.noarch
[root@sheep-71 tmp.RTtUA3nEzE]# nft list chain inet firewalld filter_INPUT_ZONES
table inet firewalld {
	chain filter_INPUT_ZONES {
		ip6 saddr 2001:db8:aaaa:16::/64 goto filter_IN_30_vpn
		ip saddr 192.168.0.0/22 goto filter_IN_30_vpn
		ip6 saddr 2001:db8:aaaa::/60 goto filter_IN_20_wrk
		ip saddr 192.168.2.0/24 goto filter_IN_20_wrk
		ip6 saddr 2001:db8:aaaa::/70 goto filter_IN_10_it
		ip saddr 192.0.2.10 goto filter_IN_10_it
		goto filter_INPUT_ZONES_IFACES
	}
}
[root@sheep-71 tmp.RTtUA3nEzE]# rpm -q firewalld
firewalld-0.7.0-3.el8.noarch
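
Why the ordering matters: the source-dispatch rules use `goto`, so the first rule whose source matches wins, and the reporter's zones deliberately overlap (192.168.2.0/24 sits inside 192.168.0.0/22; 2001:db8:aaaa::/70 sits inside 2001:db8:aaaa::/60). With the rules reversed, a packet from the "wrk" range is dispatched to the "vpn" zone and gets that zone's policy instead. The following script is an added example, not code from the bug report, firewalld or nftables. It parses the text form of the two `nft list chain` outputs quoted in comment 2 (copied here verbatim), simulates nftables first-match semantics, flags overlapping sources that belong to different zones, and checks whether the chain is sorted by zone name, which is what the upstream fix guarantees. The probe addresses and the helper names are this example's own.

```python
"""Check firewalld's source-based zone dispatch chain for deterministic
ordering, and show why order matters when zone sources overlap.

Added example (not firewalld or nftables code). The two chain listings
below are copied from comment 2 of this bug; the probe addresses used in
check_dispatch() are constructed for the example.
"""
import ipaddress
import re

# firewalld-0.6.3-7.el8: rules ordered by zone name (10_it, 20_wrk, 30_vpn).
CHAIN_0_6_3 = """table inet firewalld {
    chain filter_INPUT_ZONES_SOURCE {
        ip saddr 192.0.2.10 goto filter_IN_10_it
        ip6 saddr 2001:db8:aaaa::/70 goto filter_IN_10_it
        ip saddr 192.168.2.0/24 goto filter_IN_20_wrk
        ip6 saddr 2001:db8:aaaa::/60 goto filter_IN_20_wrk
        ip saddr 192.168.0.0/22 goto filter_IN_30_vpn
        ip6 saddr 2001:db8:aaaa:16::/64 goto filter_IN_30_vpn
    }
}"""

# firewalld-0.7.0-3.el8: same rules, reversed, plus the interface fallback.
CHAIN_0_7_0 = """table inet firewalld {
    chain filter_INPUT_ZONES {
        ip6 saddr 2001:db8:aaaa:16::/64 goto filter_IN_30_vpn
        ip saddr 192.168.0.0/22 goto filter_IN_30_vpn
        ip6 saddr 2001:db8:aaaa::/60 goto filter_IN_20_wrk
        ip saddr 192.168.2.0/24 goto filter_IN_20_wrk
        ip6 saddr 2001:db8:aaaa::/70 goto filter_IN_10_it
        ip saddr 192.0.2.10 goto filter_IN_10_it
        goto filter_INPUT_ZONES_IFACES
    }
}"""

# Matches one source-dispatch rule: "ip[6] saddr <net> goto filter_IN_<zone>".
RULE_RE = re.compile(r"^\s*(ip6?)\s+saddr\s+(\S+)\s+goto\s+filter_IN_(\S+)\s*$")


def parse_dispatch_rules(chain_text):
    """Return [(network, zone), ...] in chain order from `nft list chain`
    output. Braces and the plain `goto filter_INPUT_ZONES_IFACES` fallback
    carry no source and are skipped."""
    rules = []
    for line in chain_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((ipaddress.ip_network(m.group(2), strict=False),
                          m.group(3)))
    return rules


def dispatch(rules, saddr):
    """nftables `goto` semantics: the first rule whose source matches wins.
    Returns the zone name, or None when no source rule matches (the packet
    would then fall through to interface-based dispatch)."""
    addr = ipaddress.ip_address(saddr)
    for net, zone in rules:
        if addr.version == net.version and addr in net:
            return zone
    return None


def is_sorted_by_zone(rules):
    """True if the chain is ordered by zone name, as the upstream fix
    ('guarantee zone source dispatch is sorted by zone name') requires."""
    zones = [zone for _, zone in rules]
    return zones == sorted(zones)


def overlapping_sources(rules):
    """Pairs of rules with overlapping sources in different zones. For these
    addresses, rule order alone decides the zone the packet lands in."""
    found = []
    for i, (a, za) in enumerate(rules):
        for b, zb in rules[i + 1:]:
            if za != zb and a.version == b.version and a.overlaps(b):
                found.append((str(a), za, str(b), zb))
    return found


def check_dispatch(chain_text, saddr):
    """Convenience wrapper: parse the chain and dispatch one probe address."""
    return dispatch(parse_dispatch_rules(chain_text), saddr)


if __name__ == "__main__":
    for label, text in (("0.6.3", CHAIN_0_6_3), ("0.7.0", CHAIN_0_7_0)):
        rules = parse_dispatch_rules(text)
        print(label, "sorted by zone:", is_sorted_by_zone(rules))
        for probe in ("192.168.2.10", "2001:db8:aaaa::1", "10.0.0.1"):
            print("  ", probe, "->", dispatch(rules, probe))
    print("order-sensitive pairs:", overlapping_sources(parse_dispatch_rules(CHAIN_0_6_3)))
```

Run against a live host by feeding `nft list chain inet firewalld filter_INPUT_ZONES` (or `filter_INPUT_ZONES_SOURCE` on 0.6.x) into `parse_dispatch_rules`; a `False` from `is_sorted_by_zone` on an unpatched 0.7.0 build reproduces this bug, and `overlapping_sources` lists exactly the source ranges whose zone assignment the ordering changes. Because the fixed dispatch is sorted by zone name, the zone name itself (the reporter's `10_`, `20_`, `30_` prefixes) is what decides precedence between overlapping sources.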

Comment 3 Eric Garver 2019-08-05 18:18:28 UTC
upstream:

  25032eb3a607 ("test: verify source-based zone dispatch ordered by zone name")
  afc35c20e58b ("fix: guarantee zone source dispatch is sorted by zone name")

Comment 8 errata-xmlrpc 2019-11-05 22:31:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3635

