Description of problem:
firewalld-maintained ipsets are flushed independently of the FlushAllOnReload setting in firewalld.conf(5). Although ipset is not explicitly named, it falls under the 'All' part of the option name.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
sed -n '/FlushAllOnReload/,/^$/ p' /etc/firewalld/firewalld.conf
# Flush all runtime rules on a reload. In previous releases some runtime
# configuration was retained during a reload, namely; interface to zone
# assignment, and direct rules. This was confusing to users. To get the old
# behavior set this to "no".
# Default: yes
firewall-cmd --permanent --new-ipset foo --type hash:ip
firewall-cmd --permanent --ipset foo --add-entry 188.8.131.52
ipset add foo 184.108.40.206
entry 220.127.116.11 is missing after reload.
Suggestion: all newly added items are retained; the permanent-config stored ones are re-added.
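A small check for the reproduction above, added here as an example and not taken from the bug report or from firewalld itself: it snapshots a set's runtime entries, reloads, and reports which entries were lost. The set name foo and the sample entry lists are assumed/constructed; the comparison logic is plain POSIX shell, so it also runs on a host without firewalld.

```shell
#!/bin/sh
# Added example (not from the bug report or firewalld): detect runtime ipset
# entries that do not survive "firewall-cmd --reload".

# Print every entry listed in "$1" (before reload) but absent from "$2"
# (after reload). Both arguments are newline-separated entry lists.
missing_entries() {
    before=$1
    after=$2
    printf '%s\n' "$before" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        # -x: whole-line match, -F: literal, so 10.0.0.1 does not match 10.0.0.10
        if ! printf '%s\n' "$after" | grep -qxF -- "$entry"; then
            printf '%s\n' "$entry"
        fi
    done
}

# Live check mirroring the reproduction steps; needs root and firewalld.
# Returns 1 (and lists the lost entries) when the reload flushed anything.
check_ipset_reload() {
    set_name=$1
    before=$(firewall-cmd --ipset "$set_name" --get-entries)
    firewall-cmd --reload >/dev/null
    after=$(firewall-cmd --ipset "$set_name" --get-entries)
    lost=$(missing_entries "$before" "$after")
    if [ -n "$lost" ]; then
        echo "entries of $set_name flushed on reload ($(grep '^FlushAllOnReload' /etc/firewalld/firewalld.conf)):"
        echo "$lost"
        return 1
    fi
    echo "all runtime entries of $set_name survived the reload"
}

# Constructed sample (no firewalld needed): the middle entry was lost.
SAMPLE_BEFORE='192.0.2.10
192.0.2.20
192.0.2.30'
SAMPLE_AFTER='192.0.2.10
192.0.2.30'
missing_entries "$SAMPLE_BEFORE" "$SAMPLE_AFTER"   # prints 192.0.2.20

# Run the live check only when explicitly asked: ./check.sh --live foo
if [ "${1:-}" = "--live" ]; then
    check_ipset_reload "${2:-foo}"
fi
```

Run the live variant once with FlushAllOnReload=yes and once with no to see whether runtime entries behave like direct rules on this firewalld version.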
Tomas, I don't think we can guarantee we won't flush ipset entries added out-of-band of firewalld. We don't do that for iptables direct rules.
What we can do is make sure rules added at runtime (firewall-cmd --ipset foobar --add-entry 18.104.22.168) are still present after a reload.
Agreed, the option should behave the same for ipsets as it does for direct rules. If out-of-band added items get dropped on reload, ipset should have them removed as well. This applies to the non-standard 'no' value of this flush option to keep items added via the firewalld interface.
81d784f8c856 ("test: ipset: verify clean up on exit/reload")
f5ed30ce7175 ("fix: ipset: destroy runtime sets on reload/stop")
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (firewalld bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.