Description of problem:
Restarting firewalld.service results in more rules every restart, eventually slowing the system.

Version-Release number of selected component (if applicable):
First began in firewalld 0.8.0-4 and confirmed through

How reproducible:
Easily on an RHEL system with firewalld 0.8.0-4 or newer.

Steps to Reproduce:
1. Install firewalld 0.8.0-4 or newer.
2. Set CleanUpOnExit=no in /etc/firewalld/firewalld.conf
3. systemctl restart firewalld   ### to make the new setting effective
4. nft list ruleset | wc -l
5. systemctl restart firewalld
6. nft list ruleset | wc -l

Actual results:
After every restart the ruleset grows.

Expected results:
After a restart of firewalld.service the ruleset does not grow.

Additional info:
With firewall-cmd --reload, or systemctl reload firewalld, which sends SIGHUP instead of stopping/starting firewalld, the ruleset does not grow even with FlushAllOnReload=no:

FlushAllOnReload=no:
# nft list ruleset | wc -l
528
# firewall-cmd --reload
success
# nft list ruleset | wc -l
528

Customer uses CleanUpOnExit=no to avoid all windows where firewall rules might not exist.
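The reproduction above only compares line counts. The following is an added example, not part of the bug report and not firewalld's own tooling: a small POSIX sh check that compares two `nft list ruleset` dumps taken before and after `systemctl restart firewalld`, tells you whether the ruleset grew, and lists the rule lines that now occur more often than before (which is what a non-flushed table looks like after the rules are added a second time). The two dumps embedded in the script are constructed samples in nft syntax, not output captured from the affected system; the function names and the before/after workflow are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or from firewalld). Compares two
# `nft list ruleset` dumps and reports growth and duplicated rule lines.
# Assumed live workflow, run as root:
#   nft list ruleset > before.txt; systemctl restart firewalld
#   nft list ruleset > after.txt;  new_duplicates before.txt after.txt
# The dumps written below are constructed samples, not real output.

# rule_lines FILE: print only rule lines, dropping indentation and the
# structural lines (table/chain headers, chain "type" lines, braces, blanks).
rule_lines() {
  sed 's/^[[:space:]]*//' "$1" | grep -Ev '^(table |chain |type |}|$)'
}

# count_rules FILE: number of rule lines (like `nft list ruleset | wc -l`
# in the report, but not inflated by table/chain scaffolding).
count_rules() {
  rule_lines "$1" | wc -l | tr -d ' '
}

# ruleset_grew BEFORE AFTER: succeed when AFTER holds more rule lines.
ruleset_grew() {
  [ "$(count_rules "$2")" -gt "$(count_rules "$1")" ]
}

# new_duplicates BEFORE AFTER: print each rule whose occurrence count rose,
# as "<rule><TAB><before> -> <after>". A clean restart prints nothing.
new_duplicates() {
  rule_lines "$2" | sort -u | while IFS= read -r rule; do
    b=$(rule_lines "$1" | grep -cxF -- "$rule" || true)
    a=$(rule_lines "$2" | grep -cxF -- "$rule" || true)
    if [ "$a" -gt "$b" ]; then
      printf '%s\t%s -> %s\n' "$rule" "$b" "$a"
    fi
  done
  return 0
}

# --- constructed sample dumps (illustrative, not captured output) ----------
WORK=$(mktemp -d)
BEFORE="$WORK/before.txt"
AFTER="$WORK/after.txt"

cat > "$BEFORE" <<'EOF'
table inet firewalld {
    chain raw_PREROUTING {
        type filter hook prerouting priority raw + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . mark . iif oif missing drop
        jump raw_PREROUTING_ZONES
    }
}
EOF

# The same table after a restart that re-added its rules without flushing
# the table first: every rule now appears twice.
cat > "$AFTER" <<'EOF'
table inet firewalld {
    chain raw_PREROUTING {
        type filter hook prerouting priority raw + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . mark . iif oif missing drop
        jump raw_PREROUTING_ZONES
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . mark . iif oif missing drop
        jump raw_PREROUTING_ZONES
    }
}
EOF

echo "rules before: $(count_rules "$BEFORE"), after: $(count_rules "$AFTER")"
if ruleset_grew "$BEFORE" "$AFTER"; then
  echo "ruleset grew; rules added again on restart:"
  new_duplicates "$BEFORE" "$AFTER"
fi
```

Counting duplicated rule lines rather than total lines separates this bug from legitimate growth (for example a zone or rich rule added between the two dumps), since a rule that was added on purpose appears once while a rule that survived a non-flushed restart appears twice.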
Versions where seen were incomplete in the description.

Version-Release number of selected component (if applicable):
First began in firewalld 0.8.0-4 and confirmed through (current) firewalld-1.2.1-1.el9
Upstream PR: https://github.com/firewalld/firewalld/pull/1192
Upstream commits:
c66e752a00c0 ("test(CleanUpOnExit): verify restart does not duplicate rules")
6a155ea7195f ("fix(nftables): always flush main table on start")
8be561d26931 ("chore(nftables): add delete table helper")