Bug 2055330 - nft-backend unusable with ipset and timeout
Summary: nft-backend unusable with ipset and timeout
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: firewalld
Version: 8.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Thomas Haller
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-02-16 17:43 UTC by Oliver Paukstadt
Modified: 2023-08-16 07:28 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-16 07:28:35 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github firewalld firewalld issues 699 0 None open firewalld sets with timeouts on nftables back end not getting the timeouts. 2022-02-16 23:08:13 UTC
Github firewalld firewalld issues 908 0 None open nftables: ipset timeout flag is not set in the backend 2022-02-16 21:17:23 UTC
Github firewalld firewalld pull 1167 0 None open fix(ipset): fix configuring "timeout","maxelem" values for ipsets with nftables 2023-07-18 10:48:52 UTC
Red Hat Issue Tracker RHELPLAN-112640 0 None None None 2022-02-16 17:44:24 UTC

Description Oliver Paukstadt 2022-02-16 17:43:23 UTC
Description of problem:
$ firewall-cmd --permanent --new-ipset=temp4 --type=hash:ip --option=maxelem=65536 --option=family=inet --option=hashsize=4096 --option=timeout=14400

is not passed to the backend: no timeout parameter is available in the ruleset.
This makes the nft backend unusable if you want timeout sets, and you are stuck with iptables.

$ nft list set ip firewalld temp4

table ip firewalld {
        set temp4 {
                type ipv4_addr
                flags interval
        }
}


Version-Release number of selected component (if applicable):
Name        : firewalld
Version     : 0.9.3
Release     : 7.el8
Architecture: noarch

How reproducible:
Try the commands above.

Additional info:
Maybe related to units, as the native nft command requires "14400s" to add a set, and firewalld works on an integer, implicitly assuming seconds.
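A check for the failure mode described in this report, added here as an example and not code from the reporter or from firewalld: it parses `nft list set` output and compares it with the options given to `firewall-cmd --new-ipset`, flagging a set whose configured timeout (and maxelem) never reached the nftables backend. The first listing is the reporter's own output; the second is a constructed expectation of what the set should look like once the options are passed through, and it assumes nft's usual rendering of durations ("4h" for 14400 seconds) and of the set size ("size 65536").

```python
import re

# Reporter's output: the timeout option never reached the nftables backend.
NFT_SET_WITHOUT_TIMEOUT = """table ip firewalld {
        set temp4 {
                type ipv4_addr
                flags interval
        }
}
"""

# Constructed sample (assumption about nft's output format): the same set
# with timeout and maxelem passed through. nft prints durations in compound
# form such as "4h" rather than "14400s", so the parser must convert units.
NFT_SET_WITH_TIMEOUT = """table ip firewalld {
        set temp4 {
                type ipv4_addr
                size 65536
                flags interval,timeout
                timeout 4h
        }
}
"""

# Options exactly as given to firewall-cmd --new-ipset in the report.
# firewalld takes the timeout as a plain integer, implicitly in seconds.
FIREWALLD_IPSET_OPTIONS = {
    "maxelem": "65536",
    "family": "inet",
    "hashsize": "4096",
    "timeout": "14400",
}

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def nft_duration_to_seconds(text):
    """Convert an nft duration such as '4h', '1d2h3m4s' or '14400s' to seconds."""
    total = 0
    for value, unit in re.findall(r"(\d+)([dhms])", text):
        total += int(value) * _UNIT_SECONDS[unit]
    return total


def parse_nft_set(listing):
    """Extract flags, default timeout (seconds) and size from `nft list set` output."""
    flags = set()
    timeout = None
    size = None
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("flags "):
            flags = {f.strip() for f in line[len("flags "):].split(",")}
        elif line.startswith("timeout "):
            timeout = nft_duration_to_seconds(line.split(None, 1)[1])
        elif line.startswith("size "):
            size = int(line.split()[1])
    return {"flags": flags, "timeout": timeout, "size": size}


def check_ipset_against_backend(options, listing):
    """Return a list of mismatches between the firewalld ipset options and the nft set.

    An empty list means every option that matters here (timeout, maxelem) is
    visible in the backend ruleset.
    """
    nft = parse_nft_set(listing)
    problems = []
    if "timeout" in options:
        want = int(options["timeout"])
        if "timeout" not in nft["flags"]:
            problems.append("timeout flag missing in backend set")
        if nft["timeout"] != want:
            problems.append(f"timeout {nft['timeout']} != {want}s")
    if "maxelem" in options and nft["size"] != int(options["maxelem"]):
        problems.append(f"size {nft['size']} != maxelem {options['maxelem']}")
    return problems


if __name__ == "__main__":
    for name, listing in (("reported", NFT_SET_WITHOUT_TIMEOUT),
                          ("expected", NFT_SET_WITH_TIMEOUT)):
        print(name, check_ipset_against_backend(FIREWALLD_IPSET_OPTIONS, listing))
```

On a live host the listing would come from `nft list set ip firewalld temp4` and the options from the ipset's permanent configuration; running the comparison after a reload is a quick way to confirm whether entries added to the set will actually expire or stay blocked indefinitely.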

Comment 2 Thomas Haller 2023-08-04 14:12:57 UTC
fixed upstream by https://github.com/firewalld/firewalld/pull/1167

Comment 4 RHEL Program Management 2023-08-16 07:28:35 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

