
[BR]: firewallcmd-ipset.conf multiport invalid port/service `1-65535' specified #3047

Closed
kowach opened this issue Jun 25, 2021 · 7 comments

@kowach

kowach commented Jun 25, 2021

fail2ban v0.11.2
firewalld v0.8.2
CentOS 8.3.2011

Here is the error log:

  exec: ipset create f2b-dovecot hash:ip timeout 0
  firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo '1:65535' | sed s/:/-/g)" -m set --match-set f2b-dovecot src -j REJECT --reject-with icmp-port-unreachable
  ipset v7.1: Set cannot be created: set with the same name already exists
  Error: COMMAND_FAILED: '/usr/sbin/iptables-restore -w -n' failed: iptables-restore v1.8.4 (nf_tables): invalid port/service `1-65535' specified
  Error occurred at line: 2
  Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Looks like this version of firewall-cmd does not accept the dports delimiter "-" in "1-65535", and it should be left as "1:65535".

Solution is to replace multiport in firewallcmd-ipset.conf:
multiport = -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)"
to
multiport = -p <protocol> -m multiport --dports "<port>"

@kowach kowach added the bug label Jun 25, 2021
@sebres
Contributor

sebres commented Jun 25, 2021

Hmm...
and how one would handle this now?!

#2821 reported about vice versa situation (and therefore it was fixed in a038fd5), but not even a year later it must be reverted...

Still worse if this depends now on firewalld backend (e. g. - vs. : related to iptables vs. nftables).

But how fail2ban action must distinguish what exactly is expected (to be backwards and "forwards" compatible)?

I'm slowly getting tired of asking: why does one use these weird wrapper "firewalls" instead of native net-filters like iptables/ipset or nftables?

@kowach
Author

kowach commented Jun 28, 2021

Oh, that is a very messy situation.
Now I know why my iptables are empty, because nftables replaced it 😄

@kovacs-andras

Oh, that is a very messy situation. Now I know why my iptables are empty, because nftables replaced it 😄

No, it isn't. You should check iptables-nft https://www.redhat.com/en/blog/using-iptables-nft-hybrid-linux-firewall

@kovacs-andras

kovacs-andras commented Oct 30, 2021

Imho it's a matter of taste how people like to interact with their firewalls. It's probably harder to break but easier to read this way.

There is a clear statement in man firewall-cmd:
Warning: Direct rules behavior is different depending on the value of FirewallBackend. See CAVEATS in firewalld.direct(5).

We could check the backend like:
grep -q '^FirewallBackend=nftables' /etc/firewalld/firewalld.conf

I just tested it with xtables-nft-multi and xtables-legacy-multi; both work with `:`.
So it seems like the best option would be to just revert from `-` to `:`.

sebres added a commit that referenced this issue Nov 1, 2021
…nge selector, replacing `:` with `-`;"

This reverts the incompatibility #3047 introduced by commit a038fd5 (#2821).
@sebres
Contributor

sebres commented Nov 1, 2021

So it seems like the best would be just revert to : from -

Agree.
I'll revert a038fd5 because if someone needs it with `-` (for nft and other backends), it is simply possible by specifying their own port range. Vice versa it would be impossible (since it gets wrapped in the action).
Thus the conclusion is very simple.

And I'll repeat my statement:
Why one uses this weird wrapper "firewalls" in fail2ban instead of native net-filters like iptables/ipset or nftables?
Why?!
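The two points made above, the backend check suggested by kovacs-andras and the "before/after revert" behaviour of the `multiport` template that sebres settles on, as an added example that is not fail2ban's or firewalld's own code. It renders the `multiport` fragment both ways (with the a038fd5 `sed` rewrite and with the reverted pass-through), builds the same `firewall-cmd --direct` rule that appears in the error log without executing it, reads `FirewallBackend=` from a firewalld.conf, and validates a port spec against the `low:high` syntax that iptables multiport expects. The sample firewalld.conf is constructed here; the "iptables" fallback when the key is absent is an assumption, not firewalld's documented default for every version.

```shell
#!/bin/sh
# Added example; not code from fail2ban or firewalld.

# Template as of a038fd5: rewrite ':' to '-' inside <port> before multiport.
render_multiport_old() {
    proto=$1; port=$2
    ports=$(printf '%s' "$port" | sed 's/:/-/g')
    printf '%s\n' "-p $proto -m multiport --dports \"$ports\""
}

# Template after the revert (4b54a07): <port> is passed through unchanged,
# so a range keeps the ':' that iptables-restore (legacy and nft) understands.
render_multiport_new() {
    proto=$1; port=$2
    printf '%s\n' "-p $proto -m multiport --dports \"$port\""
}

# Compose the direct rule from the issue's log (rendered only, never run here).
# $1 = ipset name, $2 = protocol, $3 = port spec
render_direct_rule() {
    name=$1; proto=$2; port=$3
    printf '%s\n' "firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 $(render_multiport_new "$proto" "$port") -m set --match-set $name src -j REJECT --reject-with icmp-port-unreachable"
}

# Read FirewallBackend= from a firewalld.conf (last occurrence wins).
# Falling back to "iptables" when the key is missing is an assumption of this example.
firewalld_backend() {
    conf=$1
    backend=$(sed -n 's/^FirewallBackend=\(.*\)$/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${backend:-iptables}"
}

# Accept only what iptables multiport --dports spells: numeric ports or
# low:high ranges, comma separated. A '-' range is rejected, matching the
# "invalid port/service `1-65535'" failure from the log.
valid_multiport_spec() {
    printf '%s' "$1" | grep -Eq '^[0-9]+(:[0-9]+)?(,[0-9]+(:[0-9]+)?)*$'
}

# Stand-alone demo with a constructed firewalld.conf in a temp file.
demo() {
    tmpconf=$(mktemp)
    printf 'DefaultZone=public\nFirewallBackend=nftables\n' > "$tmpconf"
    echo "backend: $(firewalld_backend "$tmpconf")"
    echo "old:     $(render_multiport_old tcp 1:65535)"
    echo "new:     $(render_multiport_new tcp 1:65535)"
    echo "rule:    $(render_direct_rule f2b-dovecot tcp 1:65535)"
    for spec in 1:65535 1-65535 22,993:995; do
        if valid_multiport_spec "$spec"; then echo "ok:      $spec"; else echo "reject:  $spec"; fi
    done
    rm -f "$tmpconf"
}

[ "${1:-}" = demo ] && demo
```

Run it with `sh script.sh demo`. The `firewalld_backend` check is what an action would need if it ever had to pick a separator per backend; the thread's conclusion is that it does not, because `:` works under both `xtables-nft-multi` and `xtables-legacy-multi`, which is why the reverted template simply passes `<port>` through.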

@sebres sebres closed this as completed Nov 1, 2021
@kovacs-andras

Many thanks!
It felt disrespectful to make a PR with this revert in it but please, let me know if I can further help!

@sebres
Contributor

sebres commented Jan 6, 2023

Just for the record:
a038fd5 was reverted in 4b54a07 (no replacement of range separator takes place in the firewalld actions anymore).
Released in v.1.0.x.
