View Issue Details

ID: 0007430
Project: CentOS-7
Category: firewalld
View Status: public
Last Update: 2014-09-09 05:37
Reporter: dkozei
Assigned To:
Priority: normal
Severity: major
Reproducibility: have not tried
Status: new
Resolution: open
Product Version: 7.0-1406
Summary: 0007430: failing to add rich rules to "drop" firewall zone
Description:
I'm kind of new to firewalld and may be missing something, but it still looks like a bug to me.
I was trying to achieve a DROP action instead of REJECT on all unneeded traffic.
This seems to be available only if you select the "drop" zone as active for an interface. But the DROP action is applied to ICMP messages too. I was trying to enable the icmp proto with rich rules:
"firewall-cmd --zone=drop --add-rich-rule='rule protocol value="icmp" accept'"
and got the message:
"Error: COMMAND_FAILED: '/sbin/iptables -t filter -A DROP_allow -p icmp -m conntrack --ctstate NEW -j ACCEPT' failed: iptables: No chain/target/match by that name."
Adding the same rule for --zone=public works fine (this zone is still the default system zone):
"firewall-cmd --zone=public --add-rich-rule='rule protocol value="icmp" accept'"

It looks like the firewalld wrapper changes the chain name to a wrong value; the correct one seems to me to be "IN_drop_allow":
"/sbin/iptables -t filter -A IN_drop_allow -p icmp -m conntrack --ctstate NEW -j ACCEPT"
Running the above line works as intended, but as stated in the manual we should not mix plain iptables rules and firewalld. Also, rich rules seem to be the only permanent-settings solution for custom rules with firewalld.
Steps To Reproduce:
Set zone for active interface:
firewall-cmd --zone=drop --change-interface=eno1
Try to add custom rich rule for that zone:
firewall-cmd --zone=public --add-rich-rule='rule protocol value="icmp" accept'

Tags: No tags attached.

Activities

dkozei

2014-07-26 08:53

reporter   ~0020540

Steps to reproduce should be read as:
Set zone for active interface:
firewall-cmd --zone=drop --change-interface=eno1
Try to add custom rich rule for that zone:
firewall-cmd --zone=drop --add-rich-rule='rule protocol value="icmp" accept'

Sorry for the typo.
markham

2014-09-09 05:37

reporter   ~0020866

I can confirm this for the ipv6 family as well. I tried to add a rule and received the same error. If I use --permanent, then it creates the correct rule in the drop.xml file, but when you do a 'firewall-cmd --reload' the same error shows up in the logs even though it says it succeeded. An 'ip6tables -L -n' reveals that the rule was not successful.

However, I wrote a rule that used service instead of protocol and that seemed to work just fine. It appears it may be just related to the use of a protocol rule.

Mark
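Because, as the note above reports, a reload can claim success while the rich rule never reaches the live ruleset, the practical check is to compare the permanent zone file against what iptables actually holds. The script below is an added example, not code from the bug report or from firewalld itself. It assumes the firewalld 0.3.x iptables chain naming that the report shows working (accept rules in IN_<zone>_allow; reject and drop rules assumed to go to IN_<zone>_deny), and it runs on constructed samples of a drop.xml file and of `iptables -S` output embedded inline, so it works offline.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/zones/drop.xml after
#   firewall-cmd --permanent --zone=drop --add-rich-rule='rule protocol value="icmp" accept'
# plus an IPv6 counterpart; not copied from any real host.
DROP_ZONE_XML = """<zone target="DROP">
  <short>Drop</short>
  <rule family="ipv4">
    <protocol value="icmp"/>
    <accept/>
  </rule>
  <rule family="ipv6">
    <protocol value="ipv6-icmp"/>
    <accept/>
  </rule>
</zone>
"""

# Constructed `iptables -S IN_drop_allow` output after a reload on which the
# rich rule failed to apply: the chain exists but is empty.
DUMP_RULE_MISSING = "-N IN_drop_allow\n"

# Constructed output from a host where the rule did land.
DUMP_RULE_PRESENT = (
    "-N IN_drop_allow\n"
    "-A IN_drop_allow -p icmp -m conntrack --ctstate NEW -j ACCEPT\n"
)

# Rich-rule action element -> (chain suffix, iptables target). Assumed mapping
# for the firewalld 0.3.x iptables backend: accept goes to IN_<zone>_allow,
# reject and drop to IN_<zone>_deny.
ACTIONS = {
    "accept": ("allow", "ACCEPT"),
    "reject": ("deny", "REJECT"),
    "drop": ("deny", "DROP"),
}

# One `-A` line of `iptables -S`: chain, protocol, then the jump target at the end.
RULE_RE = re.compile(r"^-A (\S+) -p (\S+) .*-j (\S+)$")


def expected_protocol_rules(zone, zone_xml, family="ipv4"):
    """(chain, protocol, target) tuples that the protocol rich rules of a
    permanent zone file should produce for one address family."""
    rules = []
    for rule in ET.fromstring(zone_xml).findall("rule"):
        fam = rule.get("family")
        if fam is not None and fam != family:
            continue
        proto = rule.find("protocol")
        if proto is None:
            continue  # service/port/source rules need a port lookup; skipped here
        for name, (suffix, target) in ACTIONS.items():
            if rule.find(name) is not None:
                rules.append(("IN_%s_%s" % (zone, suffix), proto.get("value"), target))
                break
    return rules


def live_protocol_rules(dump):
    """Parse `iptables -S` / `ip6tables -S` output into (chain, protocol, target)."""
    found = set()
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            found.add(m.groups())
    return found


def missing_rules(zone, zone_xml, dump, family="ipv4"):
    """Rules the zone file promises that are absent from the live dump."""
    live = live_protocol_rules(dump)
    return [r for r in expected_protocol_rules(zone, zone_xml, family) if r not in live]


if __name__ == "__main__":
    for label, dump in (("after failed reload", DUMP_RULE_MISSING),
                        ("rule applied", DUMP_RULE_PRESENT)):
        print(label, "->", missing_rules("drop", DROP_ZONE_XML, dump) or "all rules present")
```

On a real host, replace the constructed strings with the contents of /etc/firewalld/zones/drop.xml and the output of `iptables -S` (and run a second pass with family="ipv6" against `ip6tables -S`); a non-empty result after `firewall-cmd --reload` is the silent failure described in this report, regardless of what the reload command printed.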

Issue History

Date Modified Username Field Change
2014-07-25 19:51 dkozei New Issue
2014-07-26 08:53 dkozei Note Added: 0020540
2014-09-09 05:37 markham Note Added: 0020866