1734765 – order of INPUT_ZONES_SOURCE rules is not deterministic

Bug 1734765 - order of INPUT_ZONES_SOURCE rules is not deterministic

Summary: order of INPUT_ZONES_SOURCE rules is not deterministic

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	firewalld
Sub Component:
Version:	8.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Eric Garver
QA Contact:	Tomas Dolezal
Docs Contact:
URL:
Whiteboard:
Depends On:	1421222
Blocks:	1737491
TreeView+	depends on / blocked

Reported:	2019-07-31 11:38 UTC by Tomas Dolezal
Modified:	2019-11-05 22:31 UTC (History)
CC List:	1 user (show)
Fixed In Version:	firewalld-0.7.0-5.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:	1421222
Clones:	1737491 (view as bug list)
Environment:
Last Closed:	2019-11-05 22:31:34 UTC
Type:	Bug
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHEA-2019:3635	None	None	None	2019-11-05 22:31:49 UTC

Comment 2 Tomas Dolezal 2019-07-31 11:42:52 UTC

old correctly ordered rules:
firewalld-0.6.3-7.el8.noarch
[root@ci-vm-10-0-136-243 tmp.W8lRFVjQny]# nft list chain inet firewalld filter_INPUT_ZONES_SOURCE
table inet firewalld {
	chain filter_INPUT_ZONES_SOURCE {
		ip saddr 192.0.2.10 goto filter_IN_10_it
		ip6 saddr 2001:db8:aaaa::/70 goto filter_IN_10_it
		ip saddr 192.168.2.0/24 goto filter_IN_20_wrk
		ip6 saddr 2001:db8:aaaa::/60 goto filter_IN_20_wrk
		ip saddr 192.168.0.0/22 goto filter_IN_30_vpn
		ip6 saddr 2001:db8:aaaa:16::/64 goto filter_IN_30_vpn
	}
}

new incorrectly ordered rules for zone sources:
firewalld-0.7.0-3.el8.noarch
[root@sheep-71 tmp.RTtUA3nEzE]# nft list chain inet firewalld filter_INPUT_ZONES
table inet firewalld {
	chain filter_INPUT_ZONES {
		ip6 saddr 2001:db8:aaaa:16::/64 goto filter_IN_30_vpn
		ip saddr 192.168.0.0/22 goto filter_IN_30_vpn
		ip6 saddr 2001:db8:aaaa::/60 goto filter_IN_20_wrk
		ip saddr 192.168.2.0/24 goto filter_IN_20_wrk
		ip6 saddr 2001:db8:aaaa::/70 goto filter_IN_10_it
		ip saddr 192.0.2.10 goto filter_IN_10_it
		goto filter_INPUT_ZONES_IFACES
	}
}
[root@sheep-71 tmp.RTtUA3nEzE]# rpm -q firewalld
firewalld-0.7.0-3.el8.noarch

Comment 3 Eric Garver 2019-08-05 18:18:28 UTC

upstream:

  25032eb3a607 ("test: verify source-based zone dispatch ordered by zone name")
  afc35c20e58b ("fix: guarantee zone source dispatch is sorted by zone name")

Comment 8 errata-xmlrpc 2019-11-05 22:31:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3635

Note You need to log in before you can comment on or make changes to this bug.