Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2149039

Summary: RFE: firewalld calling set_policy("DROP") on reload produces issues on hosts with busy monitoring services
Product: Red Hat Enterprise Linux 9 Reporter: Juanma Sanchez <juasanch>
Component: firewalldAssignee: Thomas Haller <thaller>
Status: CLOSED MIGRATED QA Contact: qe-baseos-daemons
Severity: low Docs Contact:
Priority: unspecified    
Version: 9.1CC: arawal, cutaylor, egarver, mcolombo, myllynen, sferguso, todoleza
Target Milestone: rcKeywords: FutureFeature, MigratedToJIRA
Target Release: ---Flags: pm-rhel: mirror+
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-09-21 12:27:37 UTC Type: Story
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Juanma Sanchez 2022-11-28 16:24:52 UTC 
Description of problem:

  When firewall-cmd --reload is called, one of the first actions performed is
  to add a new table "firewalld_policy_drop" and set everything to DROP except
  for related,established traffic.
  This ruleset is kept until reload is completed.

  On hosts creating a high amount of connections per second, this inevitably
  results in a number of connection attempts returning EPERM when the
  "connection" is UDP or ICMP and sendto() is called.

  An example of a host behaving like this is any monitoring software performing 
  pings and retrieving SNMP data (udp) from hundreds or thousands of hosts with 
  1-2 minutes interval per host.

  An example of a real world problem: OpenNMS will mark a service/host as down  
  if sendto() fails when trying to retrieve SNMP data or when trying to ping    
  a host and there's a netfilter rule that would drop that packet.
  In practical terms, busy OpenNMS hosts using firewalld and calling            
  `firewall-cmd --reload` will temporarily mark a high number of hosts as down  
  because java.io.IOException("EPERM") is raised and OpenNMS seems to           
  understand that the host/service is down because no response is received.

  I understand that we could blame OpenNMS here because receiving EPERM as      
  result of a call to `sendto()` doesn't mean that a host/service is down, and  
  it should keep trying a number of times until the request times out or a      
  response is received.                                                         


  It would be useful in these situations if the user could have some more       
  control over this "firewalld_policy_drop" temporary state.

  For example, having a configuration option like this one:

      AllowOutputOnReload=yes/no


  Could allow the user to configure whether outbound traffic is considered safe 
  and should be permitted while the ruleset is being reloaded.                  


  I understand that this is probably more an RFE than a bug report, but I wanted to check first to make sure I'm not missing something and maybe this behavior can be controlled somehow.


Version-Release number of selected component (if applicable):                   

  All firewalld releases.                                                       


How reproducible:                                                               

  Always                                                                        


Steps to Reproduce:                                                             

  1. Start listening UDP on one host:                                           
     # socat udp-recv:1234 stdout  >/dev/null

  2. Send UDP packets as quickly as possible to that host:

     # for i in {1..10000}; do nc -u DEST_IP 1234 <<<$i >/dev/null; done

  3. Reload the firewalld ruleset via `firewall-cmd --reload`. See the EPERM    
     messages on the shell running the for loop

      Ncat: Operation not permitted.
      Ncat: Operation not permitted.
      Ncat: Operation not permitted.
      Ncat: Operation not permitted.
      Ncat: Operation not permitted.
      Ncat: Operation not permitted.



Actual results:                                                                 

  Some UDP and ICMP outbound traffic is forbidden with EPERM


Expected results:

  Outbound traffic shouldn't be forbidden while firewalld is reloading the
  ruleset

Additional info:

  No additional info
Comment 13 RHEL Program Management 2023-09-21 12:27:04 UTC 
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.
Comment 14 RHEL Program Management 2023-09-21 12:27:37 UTC 
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.