RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1824349 - Firewall-d remove secmark direct rule fails
Summary: Firewall-d remove secmark direct rule fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: iptables
Version: 8.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.3
Assignee: Phil Sutter
QA Contact: Jiri Peska
URL:
Whiteboard:
Depends On: 1961714
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-04-16 00:01 UTC by Zach Tomkoski
Modified: 2021-11-10 09:44 UTC (History)
3 users (show)

Fixed In Version: iptables-1.8.4-20.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1961714 (view as bug list)
Environment:
Last Closed: 2021-11-09 19:54:29 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Commands Executed (67.22 KB, image/png)
2020-04-16 15:42 UTC, Zach Tomkoski 		no flags Details
/var/log/firewalld output (41.35 KB, image/png)
2020-04-16 15:42 UTC, Zach Tomkoski 		no flags Details
dmesg finding (35.45 KB, image/png)
2020-04-16 15:43 UTC, Zach Tomkoski 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:4468 0 None None None 2021-11-09 19:54:40 UTC

Description Zach Tomkoski 2020-04-16 00:01:37 UTC 
Description of problem:
Firewall can't remove a direct rule involving secmark labeling.

Version-Release number of selected component (if applicable):
firewalld-0.6.3-8.el7_8.1


How reproducible:


Steps to Reproduce:
1. firewall-cmd --direct --add-rule ipv6 security INPUT 2 -p udp -s fd00:b::123 -d fd00:b::111 -sport 5259 -j SECMARK --selctx system_u:object_r:asterisk_iax2_client_t:s0
2. returns success
3. firewall-cmd --direct --remove-rule ipv6 security INPUT 2 -p udp -s fd00:b::123 -d fd00:b::111 -sport 5259 -j SECMARK --selctx system_u:object_r:asterisk_iax2_client_t:s0
4. Throws an error

Actual results:

Fails to remove direct secmark rule

Expected results:

Secmark rule should be deleted

Additional info:
Comment 2 Eric Garver 2020-04-16 11:23:51 UTC 
Please check the firewalld log (/var/log/firewalld) after the --add-rule invocation. "-sport 5259" is invalid. It should use two dashes, e.g. "--sport 5259".


# firewall-cmd --direct --add-rule ipv6 security INPUT 2 -p udp -s fd00:b::123 -d fd00:b::111 -sport 5259 -j SECMARK --selctx system_u:object_r:asterisk_iax2_client_t:s0
Error: COMMAND_FAILED: '/usr/sbin/ip6tables -w10 -t security -I INPUT_direct 1 -p udp -s fd00:b::123 -d fd00:b::111 -sport 5259 -j SECMARK --selctx system_u:object_r:asterisk_iax2_client_t:s0' failed: ip6tables v1.4.21: multiple -s flags not allowed
Try `ip6tables -h' or 'ip6tables --help' for more information.

# yum info firewalld
Installed Packages
Name        : firewalld
Arch        : noarch
Version     : 0.6.3
Release     : 9.el7
Comment 3 Zach Tomkoski 2020-04-16 13:38:06 UTC 
typo in the bug report. Couldn't copy the text directly out of the vm.. --sport has two dashes in the replicated bug. The direct rule is created fine but what ive done to replicate is run the add run hit the up arrow and directly modify the previous line to change --add-rule --remove-rule and it fails.  If its a non secmark it seems to work fine.
Comment 4 Eric Garver 2020-04-16 14:04:11 UTC 
Can you check the firewalld log file for errors or warnings? Please also check "dmesg".
Comment 5 Zach Tomkoski 2020-04-16 15:42:04 UTC 
Created attachment 1679414 [details]
Commands Executed
Comment 6 Zach Tomkoski 2020-04-16 15:42:49 UTC 
Created attachment 1679415 [details]
/var/log/firewalld output
Comment 7 Zach Tomkoski 2020-04-16 15:43:57 UTC 
Created attachment 1679417 [details]
dmesg finding
Comment 8 Zach Tomkoski 2020-04-16 15:46:25 UTC 
I attached a screenshot of the commands run slightly different as i tried other ports other contexts and this was the last saved, the outputof /var/log/firewalld (cleared before running either command) and an interesting find I saw in dmesg that possibly related?  Nothing else in the output looked relevant to me.
Comment 9 Eric Garver 2020-05-07 17:56:28 UTC 
This is actually an iptables bug. It's trivially reproduced outside of firewalld.

# ip6tables -t security -I INPUT_direct 1 -p udp -s fd00:b::123 -d fd00:b::111 --sport 5259 -j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0

# ip6tables -t security -D INPUT_direct -p udp -s fd00:b::123 -d fd00:b::111 --sport 5259 -j SECMARK --selctx system_u:object_r:firewalld_exec_t:s0
ip6tables: No chain/target/match by that name.
Comment 10 Eric Garver 2020-05-07 17:59:10 UTC 
As a workaround, it is possible to delete the rule using an index.
e.g.

   # ip6tables -t security -D INPUT_direct 1
Comment 11 Phil Sutter 2020-05-12 17:13:22 UTC 
Fix sent upstream: https://lore.kernel.org/netfilter-devel/20200512171018.16871-1-phil@nwl.cc/

Sadly this required quite a bit of code, probably not RHEL7 material anymore. I would prefer to make this a known issue in RHEL7 and fix the bug in RHEL8 instead.
Comment 12 Phil Sutter 2020-05-15 13:19:09 UTC 
Zach,

(In reply to Zach Tomkoski from comment #0)
> Steps to Reproduce:
> 1. firewall-cmd --direct --add-rule ipv6 security INPUT 2 -p udp -s
> fd00:b::123 -d fd00:b::111 -sport 5259 -j SECMARK --selctx
> system_u:object_r:asterisk_iax2_client_t:s0
> 2. returns success
> 3. firewall-cmd --direct --remove-rule ipv6 security INPUT 2 -p udp -s
> fd00:b::123 -d fd00:b::111 -sport 5259 -j SECMARK --selctx
> system_u:object_r:asterisk_iax2_client_t:s0
> 4. Throws an error

As far as I can tell, this is not a regression in iptables and hence none in firewalld either, right?

Are you OK with treating this as knonw issue in RHEL7 and fixing in RHEL8 instead?

Thanks, Phil
Comment 13 Zach Tomkoski 2020-05-15 14:12:49 UTC 
I'd prefer the fix was backported to RHEL7 but understand if its at the netfilter level that's not exactly reasonable. 

 At the end of the day I need to write a program to add and remove these rules and I can work with Eric's suggestion of find the rules index and delete by rule. I appreciate the feedback
Comment 14 Phil Sutter 2020-05-19 10:51:28 UTC 
Hi Zach,

(In reply to Zach Tomkoski from comment #13)
> I'd prefer the fix was backported to RHEL7 but understand if its at the
> netfilter level that's not exactly reasonable. 
> 
>  At the end of the day I need to write a program to add and remove these
> rules and I can work with Eric's suggestion of find the rules index and
> delete by rule. I appreciate the feedback

At this point, there is no accepted solution upstream yet and the discussion
tends towards bumping revision of xt_SECMARK in kernel. This means a combined
change of kernel and user space is required to fix the problem, so even more
effort than my original solution.

That said, I don't think it is impossible to do still within RHEL7, but we'll
need a strong business case for it. If you consider this crucial functionality,
you may want to go via support and make sure a customer case is opened with
reference to this ticket.

Cheers, Phil
Comment 15 Zach Tomkoski 2020-06-02 09:33:57 UTC 
At somepoint we'll be looking at moving to rhel 8 so I'll work with the workaround for rhel 7 and I'd be fine changing the target milestone to rhel 8
Comment 16 Phil Sutter 2020-06-02 13:42:53 UTC 
(In reply to Zach Tomkoski from comment #15)
> At somepoint we'll be looking at moving to rhel 8 so I'll work with the
> workaround for rhel 7 and I'd be fine changing the target milestone to rhel 8

Thanks for clarifying. I'll move the ticket to RHEL8 then.
Comment 18 Phil Sutter 2021-05-18 14:31:52 UTC 
Upstream commit to backport:

commit 616800af0da86d151cb695f1376d5ec6ede6fa72
Author: Phil Sutter <phil>
Date:   Thu Apr 29 15:28:59 2021 +0200

    extensions: SECMARK: Implement revision 1
    
    The changed data structure for communication with kernel allows to
    exclude the field 'secid' which is populated on kernel side. Thus
    this fixes the formerly always failing extension comparison breaking
    rule check and rule delete by content.
    
    Signed-off-by: Phil Sutter <phil>
Comment 20 Phil Sutter 2021-06-24 09:49:35 UTC 
https://src.osci.redhat.com/rpms/iptables/pull-request/14
Comment 29 errata-xmlrpc 2021-11-09 19:54:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (iptables bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4468
Note You need to log in before you can comment on or make changes to this bug.