1843398 – Rich rule with a MAC address doesnt work

Bug 1843398 - Rich rule with a MAC address doesnt work

Summary: Rich rule with a MAC address doesnt work

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	firewalld
Sub Component:
Version:	32
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Eric Garver
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-06-03 08:42 UTC by Alessio
Modified:	2020-07-03 01:19 UTC (History)
CC List:	2 users (show)
Fixed In Version:	firewalld-0.8.3-1.fc32
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-07-03 01:19:00 UTC
Type:	Bug
Dependent Products:

Attachments	(Terms of Use)
firewall-cmd --reload errors (12.90 KB, text/plain) 2020-06-03 08:42 UTC, Alessio	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	firewalld firewalld issues 643	None	closed	Rich rule with a MAC address doesn't work	2020-08-04 19:58:09 UTC

Description Alessio 2020-06-03 08:42:44 UTC

Created attachment 1694736 [details]
firewall-cmd --reload errors

Let's assume a rule like this:

firewall-cmd --zone=FedoraWorkstation --permanent --add-rich-rule='rule source mac="11:22:33:44:55:66" reject'

success

But reloading with firewall-cmd --reload lead to a series of errors as per the attached file, starting with

Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory


The same steps on Fedora 31 seem to work.

sudo firewall-cmd --zone=FedoraWorkstation --list-rich-rules
rule source mac="11:22:33:44:55:66" drop

Comment 1 Alessio 2020-06-05 16:26:48 UTC

In addition, inserting that rule, firewalld is unable to restart.
The only way to solve the issue is manually editing the zone file in /etc/firewalls/zones

Comment 2 Eric Garver 2020-06-09 12:34:06 UTC

This has been fixed upstream.

  e255e7357358 ("fix(rich): source mac with nftables backend")

Comment 3 Fedora Update System 2020-07-01 20:14:31 UTC

FEDORA-2020-8eaabfad8b has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-8eaabfad8b

Comment 4 Fedora Update System 2020-07-02 01:16:06 UTC

FEDORA-2020-8eaabfad8b has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-8eaabfad8b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-8eaabfad8b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-07-03 01:19:00 UTC

FEDORA-2020-8eaabfad8b has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.