View Issue Details

ID: 0016518
Project: CentOS-8
Category: firewalld
View Status: public
Last Update: 2019-10-02 13:22
Reporter: merhardt
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 8.0.1905
Target Version:
Fixed in Version:
Summary: 0016518: Bug in firewalld/nftables
Description:
There seems to be a bug in nftables when using rich rules in firewalld that refer to ipsets with networks in CIDR notation.
This seems to occur only when the "hash:net" ipset contains networks (/24). When creating a "hash:net" ipset with hosts in CIDR notation (/32) everything works as expected.

The rich rule does not work and /var/log/firewalld shows:
2019-10-01 15:40:44 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-10-01 15:40:44 ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @example tcp dport 22 ct state new,untracked accept' failed:
2019-10-01 15:40:45 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-10-01 15:40:45 ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "ens192" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
insert rule inet firewalld raw_PREROUTING_ZONES iifname "ens192" goto raw_PRE_public
Steps To Reproduce:
- Firewalld running with default config

firewall-cmd --permanent --new-ipset=example --type=hash:net
firewall-cmd --permanent --ipset=example --add-entry=10.10.123.0/24
firewall-cmd --permanent --ipset=example --add-entry=10.10.123.0/24

firewall-cmd --permanent --zone=public --add-rich-rule 'rule family=ipv4 source ipset=example port port=22 protocol=tcp accept'
firewall-cmd --permanent --zone=public --remove-service=ssh

init 6

- Try to access the host via SSH from the networks within the ipset
Additional Information:
CentOS Linux release 8.0.1905 (Core) (Minimal installation using Kickstart)
firewalld-0.6.3-7.el8.noarch
nftables-0.9.0-8.el8.x86_64
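An added check, not part of this report or of firewalld, that parses the "failed:" lines firewalld writes to its log (format as quoted above) and flags failed rules whose referenced ipset holds non-host prefixes, the condition this report describes. The sample log text is constructed from the lines in this report; the ipset contents are assumed to be supplied as configured with firewall-cmd.

```python
import re
from ipaddress import ip_network

# Constructed sample: the failing-command lines quoted in this report.
SAMPLE_LOG = """\
2019-10-01 15:40:44 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-10-01 15:40:44 ERROR: '/usr/sbin/nft add rule inet firewalld filter_IN_public_allow meta nfproto ipv4 ip saddr @example tcp dport 22 ct state new,untracked accept' failed:
2019-10-01 15:40:45 ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname "ens192" goto raw_PRE_public' failed: Error: Could not process rule: No such file or directory
"""

# timestamp, level, quoted nft command, optional reason after "failed:"
FAILED_CMD = re.compile(r"^(\S+ \S+) (\w+): '(.*)' failed:\s*(.*)$")
SET_REF = re.compile(r"@(\w+)")  # named nft sets referenced by a rule


def failed_nft_commands(log_text):
    """Return one dict per nft command that firewalld logged as failed."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_CMD.match(line)
        if not m:
            continue
        ts, level, cmd, reason = m.groups()
        out.append({
            "time": ts, "level": level, "command": cmd,
            "reason": reason or "(no reason logged)",
            "sets": SET_REF.findall(cmd),
        })
    return out


def non_host_entries(entries):
    """Entries of a hash:net ipset that are networks rather than single hosts."""
    return [e for e in entries if ip_network(e, strict=False).num_addresses > 1]


def check(log_text, ipsets):
    """ipsets: {name: [entries]} (assumed to mirror the firewall-cmd config).
    Report failed rules whose referenced set contains non-host prefixes."""
    findings = []
    for f in failed_nft_commands(log_text):
        for name in f["sets"]:
            bad = non_host_entries(ipsets.get(name, []))
            if bad:
                findings.append((name, bad, f["command"]))
    return findings
```

A finding means the allow rule never reached the kernel, so after `--remove-service=ssh` the host is unreachable over SSH rather than open; run this after every reload that touches hash:net sets.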
Tags: firewalld

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-10-02 12:56 merhardt New Issue
2019-10-02 12:56 merhardt Tag Attached: firewalld