firewalld dies when loading ipsets

Support for security such as Firewalls and securing linux
KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

firewalld dies when loading ipsets

Post by KernelOops » 2020/08/14 12:05:12

Hello everyone,

I have 4 xml ipsets in CentOS 7, which contain a total of 71000 addresses. These 4 sets are blocked via my drop zone. This works great in CentOS 7 but seems to cause significant problems under CentOS 8.

If I try to load the same 4 sets in CentOS 8 (8.2.2004), firewalld dies with a bunch of errors that don't help me much:

systemctl:

● firewalld.service    loaded failed failed    firewalld - dynamic firewall daemon

systemctl status firewalld:

systemd[1]: firewalld.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
systemd[1]: firewalld.service: Failed with result 'exit-code'.

/var/log/firewalld:

ERROR: 'python-nftables' failed: internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory
internal:0:0-0: Error: No such file or directory

Even if I reboot the server, firewalld appears to load but eventually the service dies and leaves the system in degraded status. I can also start with empty xml files and load the 71000 addresses manually via the --add-entries-from-file= parameter, but this method also leads to the same result, with a dead firewalld service.

What is interesting, as I already mentioned, is that CentOS 7 has no problem whatsoever, I've been loading these addresses in firewalld for years now.

Has anyone else experienced a similar issue with firewalld?

Thanks.
--
R.I.P. CentOS :cry:
--

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld dies when loading ipsets

Post by TrevorH » 2020/08/14 12:22:33

This bug https://bugzilla.redhat.com/show_bug.cgi?id=1817205 leads to the same error messages but I don't think it's the problem you are hitting.

There's also https://serverfault.com/questions/10202 ... es-backend which says your ipsets cannot contain two subnets, one of which contains the other.

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: firewalld dies when loading ipsets

Post by KernelOops » 2020/08/15 07:44:18

TrevorH thanks for the suggestions,

It does look like an issue with nftables and overlapping net ranges.

This is a serious issue and not easily addressable, due to various factors:

- firewalld should NOT crash and die. The service should remain running no matter what.
- there should be a better error message that explains the issue
- overlapping net ranges should not be allowed via firewall-cmd
- even if there are ranges like that in the xml files, the overlapping lines should be ignored and a warning issued

Since I am not a large Red Hat customer, I can't make them fix these issues.

Do you think it's possible to replace nftables with something else?
jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld dies when loading ipsets

Post by jlehtone » 2020/08/15 10:05:05

KernelOops wrote (2020/08/15 07:44:18):
Do you think it's possible to replace nftables with something else?

nftables is in the kernel. There is still netfilter code in the kernel too, and it is used by the nftables code for some operations.
The only userland tool to access the kernel is nft (and its library); the 'iptables' command is a mere wrapper for nft.

So no, I don't see nftables replaced, unless upstream kernel does so.

nftables has sets and maps
http://wiki.nftables.org/wiki-nftables/index.php/Sets
https://access.redhat.com/documentation ... g-networks

An nftables named set looks similar to an ipset (but I've hardly ever used ipset).


If you think that firewalld should check sanity of user input (and that is a reasonable request because what else does it do anyway?) then perhaps you should contact upstream firewalld developers. It (if they implement it) will naturally trickle slowly to users, like RHEL.

In the meantime you have to reformat your data.

KernelOops
Posts: 428
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: firewalld dies when loading ipsets

Post by KernelOops » 2020/08/15 10:18:55

jlehtone, I agree with your assessment. I think the only viable solution is to parse and reformat my data.

I won't bother with submitting a feature request, even if someone implements it in code, it will take decades before the change reaches us.
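Both jlehtone ("you have to reformat your data") and KernelOops ("parse and reformat my data") arrive at the same fix: the ipset must not contain an entry that sits inside another entry. The script below is an added example for this thread, not code from firewalld or from anyone posting here. It parses a firewalld ipset XML file (an ipset root element with entry children, which is firewalld's own layout), drops every entry that is an exact duplicate or is covered by a broader entry, keeps the broadest entry for each range, and writes the cleaned file while listing what it removed. The embedded sample XML is constructed for the demonstration; the script assumes each entry is an IPv4 or IPv6 address or CIDR network, as in a hash:net set.

```python
#!/usr/bin/env python3
"""Remove nested and duplicate entries from a firewalld ipset XML file.

Added example for this thread; not firewalld code. Usage:
    python3 clean_ipset.py /etc/firewalld/ipsets/blocklist.xml > blocklist.clean.xml
With no argument it runs on the constructed sample below.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample in firewalld's ipset XML layout. It contains the cases the
# thread describes: 198.51.100.0/25 lies inside 198.51.100.0/24, the host
# 192.0.2.7 lies inside 192.0.2.0/24, 2001:db8:1::/64 lies inside 2001:db8::/32,
# and 203.0.113.0/24 appears twice.
SAMPLE_IPSET_XML = """<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <short>blocklist</short>
  <entry>198.51.100.0/24</entry>
  <entry>198.51.100.0/25</entry>
  <entry>192.0.2.7</entry>
  <entry>192.0.2.0/24</entry>
  <entry>203.0.113.0/24</entry>
  <entry>2001:db8::/32</entry>
  <entry>2001:db8:1::/64</entry>
  <entry>203.0.113.0/24</entry>
</ipset>
"""


def remove_nested_entries(entries):
    """Return (kept, dropped) for an iterable of address/CIDR strings.

    kept: entries (original text, sorted) that are not contained in any other
          entry; the broadest entry for each range survives.
    dropped: (entry, covering_entry) pairs for duplicates and nested entries.
    Runs in O(n log n), so it copes with tens of thousands of entries.
    """
    nets = []
    for text in entries:
        text = text.strip()
        if not text:
            continue
        # strict=False tolerates host bits in a prefix (e.g. 10.1.2.3/8)
        nets.append((ipaddress.ip_network(text, strict=False), text))
    # Sort by family, then start address, then prefix length. CIDR blocks are
    # either disjoint or nested, so a containing block always sorts before the
    # blocks it contains, and one "current cover" per family is enough.
    nets.sort(key=lambda item: (item[0].version,
                                int(item[0].network_address),
                                item[0].prefixlen))
    kept, dropped = [], []
    cover = {}  # address family -> most recently kept network
    for net, text in nets:
        current = cover.get(net.version)
        # subnet_of() is also true for an identical network, so exact
        # duplicates are dropped here as well
        if current is not None and net.subnet_of(current):
            dropped.append((text, str(current)))
        else:
            cover[net.version] = net
            kept.append(text)
    return kept, dropped


def rewrite_ipset_xml(xml_text):
    """Rewrite an ipset XML document without nested entries.

    Returns (new_xml, dropped). Non-entry children (short, description,
    option) are preserved untouched.
    """
    root = ET.fromstring(xml_text)
    entry_elems = root.findall("entry")
    kept, dropped = remove_nested_entries(e.text or "" for e in entry_elems)
    for elem in entry_elems:
        root.remove(elem)
    for index, text in enumerate(kept):
        elem = ET.SubElement(root, "entry")
        elem.text = text
        elem.tail = "\n" if index == len(kept) - 1 else "\n  "
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n", dropped


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_IPSET_XML  # constructed sample when no file is given
    cleaned, removed = rewrite_ipset_xml(source)
    for entry, container in removed:
        print(f"dropped {entry}: covered by {container}", file=sys.stderr)
    sys.stdout.write(cleaned)
```

Run it against each of the four ipset files, review the "dropped" report on stderr, and only then replace the originals; the removed entries lose nothing, since every dropped range is still blocked by the broader entry that covers it.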
TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewalld dies when loading ipsets

Post by TrevorH » 2020/08/15 11:53:14

I do not think firewalld is a good product.
jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewalld dies when loading ipsets

Post by jlehtone » 2020/08/15 12:51:56

TrevorH wrote (2020/08/15 11:53:14):
I do not think firewalld is a good product.

In fact, the RHEL docs that I did link to do state that one should prefer nftables.service for serious use, i.e. Red Hat does not promote firewalld as a magic pill.

Firewalld might be simple to use in simple case but isn't network security a field, whose users should really know what they are doing?


[EDIT] I had a server where "simple basic commands" to firewalld would not produce the firewall that was needed. I did dump the ruleset that firewalld had created so far into a file, disabled firewalld, installed nftables.service, and did edit the ruleset to my liking. Although, writing from scratch could be less work than erasing (a lot of) bloat.