fix(ipset): fix configuring IP range for ipsets with nftables
Setting an IP range with nftables did not work:

    firewall-cmd --permanent --delete-ipset=testipset || :
    firewall-cmd --permanent --delete-zone=testzone || :
    ENTRY=1.1.1.1-1.1.1.10
    firewall-cmd --permanent --new-ipset=testipset --type=hash:ip
    firewall-cmd --permanent --ipset=testipset --add-entry="$ENTRY"
    firewall-cmd --permanent --info-ipset=testipset
    firewall-cmd --permanent --new-zone=testzone
    firewall-cmd --permanent --zone=testzone --add-rich-rule='rule family="ipv4" source ipset="testipset" service name="ssh" accept'
    firewall-cmd --reload &

This would generate the following JSON request:

    {
      "add": {
        "element": {
          "family": "inet",
          "table": "firewalld",
          "name": "testipset",
          "elem": [
            "1.1.1.1-1.1.1.10"
          ]
        }
      }
    }

libnftables will try to resolve "1.1.1.1-1.1.1.10" via getaddrinfo(). Calling getaddrinfo() to resolve names is bound to fail, and it blocks the process for a very long time. libnftables should not block the calling process ([1]).

We need to generate the correct JSON request, which is

    {
      "add": {
        "element": {
          "family": "inet",
          "table": "firewalld",
          "name": "testipset",
          "elem": [
            {
              "range": [
                "1.1.1.1",
                "1.1.1.10"
              ]
            }
          ]
        }
      }
    }

This is an ugly fix, because the parsing of ipset entries is duplicated and inconsistent. A better solution for that shall follow.

[1] https://marc.info/?l=netfilter-devel&m=168901121103612

https://bugzilla.redhat.com/show_bug.cgi?id=2028748

Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
(cherry picked from commit 4db89e3)
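The element encoding the commit message describes, as an added example that is not part of the original commit or of firewalld's own code. `ipset_entry_to_nft_elem` and `build_add_element_request` are hypothetical helper names. It goes beyond the page in two places, both assumptions: it also handles CIDR entries using the libnftables JSON `prefix` form (`{"prefix": {"addr": ..., "len": ...}}`), and it accepts IPv6 entries when `family="ipv6"`. The point it demonstrates is the one in the message: a range must be emitted as a structured `range` object, and anything that is not a literal address must be rejected before it is handed to libnftables, where it would otherwise go through getaddrinfo() and block.

```python
import ipaddress
import json


def ipset_entry_to_nft_elem(entry, family="ipv4"):
    """Translate one firewalld-style ipset entry into a libnftables JSON element.

    Hypothetical helper (not firewalld's code). Supported forms:
      "1.1.1.1"           -> "1.1.1.1"
      "1.1.1.1-1.1.1.10"  -> {"range": ["1.1.1.1", "1.1.1.10"]}
      "10.0.0.0/8"        -> {"prefix": {"addr": "10.0.0.0", "len": 8}}   (assumed form)
    Anything that is not a literal address raises ValueError, so a name such as
    "example.com" (or a mangled range string) never reaches libnftables, which
    would try to resolve it with getaddrinfo() and block the caller.
    """
    want_version = 4 if family == "ipv4" else 6

    def addr(text):
        # ipaddress.ip_address() accepts literals only; hostnames raise ValueError.
        a = ipaddress.ip_address(text.strip())
        if a.version != want_version:
            raise ValueError(f"{text!r} is not an {family} address")
        return a

    if "-" in entry:
        start_s, end_s = entry.split("-", 1)
        start, end = addr(start_s), addr(end_s)
        if start > end:
            raise ValueError(f"range {entry!r} has its start after its end")
        # This is the structured form the commit says libnftables requires.
        return {"range": [str(start), str(end)]}

    if "/" in entry:
        net = ipaddress.ip_network(entry.strip(), strict=True)
        if net.version != want_version:
            raise ValueError(f"{entry!r} is not an {family} network")
        return {"prefix": {"addr": str(net.network_address), "len": net.prefixlen}}

    return str(addr(entry))


def build_add_element_request(name, entries, family="ipv4", table="firewalld"):
    """Build the whole "add element" request shown in the commit message."""
    return {
        "add": {
            "element": {
                "family": "inet",
                "table": table,
                "name": name,
                "elem": [ipset_entry_to_nft_elem(e, family) for e in entries],
            }
        }
    }


if __name__ == "__main__":
    # Constructed sample input: the entry from the commit's reproducer.
    request = build_add_element_request("testipset", ["1.1.1.1-1.1.1.10"])
    print(json.dumps(request, indent=2))
```

Feeding the returned object to libnftables rather than the raw `"1.1.1.1-1.1.1.10"` string is exactly the difference between the two JSON documents in the commit message; the `ValueError` paths are the cheap guard that keeps a non-literal entry from ever becoming a blocking getaddrinfo() call inside the firewall daemon.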