firewalld sets with timeouts on nftables back end not getting the timeouts. #699

Closed
nikconwell opened this issue Oct 19, 2020 · 0 comments
Labels
high High priority bug.

Comments

@nikconwell

Hi, as per note in the firewalld-users list, I'm opening this about firewalld timed sets not being created with a timeout with the nftables back-end.

In CentOS 8 with firewalld-0.8.0-4.el8.noarch:

# firewall-cmd --permanent --new-ipset set3 --type=hash:ip --family=inet --option=timeout=5
# firewall-cmd --reload

however listing the set shows it doesn't have a timeout:

# nft list table inet firewalld|grep -A4 set
set set3 {
type ipv4_addr
flags interval
}

and in fact when I add something to the running set it doesn't disappear after 5 seconds:

# firewall-cmd --ipset=set3 --add-entry=1.2.3.4
success

# nft list table inet firewalld|grep -A4 set
set set3 {
type ipv4_addr
flags interval
elements = { 1.2.3.4 }
}

I see in the docs that firewall-cmd won't list members of timeout sets, but nft list should show them since that is where they are controlled. (And actually, if you want me to open up an issue, shouldn't the firewall-cmd be able to list the members by calling nft list and parsing out the elements at that particular time?)

firewalld rocks! Thanks for creating this service.
-nik
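A check for the symptom described above, added here as an example and not part of the issue or of firewalld: it parses `nft -j list ruleset` output and reports sets that were meant to carry a timeout but do not, so a timed set can be verified before anything (a temporary blocklist, say) relies on its entries expiring. The sample output is constructed, not captured, and lays out set objects as this example assumes the libnftables JSON schema does (a timed set has a numeric `timeout` and `timeout` in its flags); the function names are this example's own.

```python
import json

# Constructed sample of `nft -j list ruleset` output; it is not captured from a
# real host. Two sets live in table inet firewalld: set3 was created without a
# timeout (the symptom in the report) and set4 with a 5 second timeout. The
# field layout follows the libnftables JSON schema as this example assumes it:
# a set with a timeout carries "timeout" as a JSON number and lists "timeout"
# among its flags, and timed elements are objects with "val" and "expires".
SAMPLE_NFT_OUTPUT = json.dumps({
    "nftables": [
        {"metainfo": {"json_schema_version": 1}},
        {"table": {"family": "inet", "name": "firewalld", "handle": 1}},
        {"set": {"family": "inet", "name": "set3", "table": "firewalld",
                 "type": "ipv4_addr", "handle": 2, "flags": ["interval"],
                 "elem": ["1.2.3.4"]}},
        {"set": {"family": "inet", "name": "set4", "table": "firewalld",
                 "type": "ipv4_addr", "handle": 3,
                 "flags": ["interval", "timeout"], "timeout": 5,
                 "elem": [{"elem": {"val": "5.6.7.8", "expires": 3}}]}},
    ]
})


def iter_sets(nft_output, family=None, table=None):
    """Yield the set objects from nft -j output, optionally filtered by family/table."""
    for obj in json.loads(nft_output).get("nftables", []):
        s = obj.get("set")
        if s is None:
            continue
        if family is not None and s.get("family") != family:
            continue
        if table is not None and s.get("table") != table:
            continue
        yield s


def set_timeout(s):
    """Set-level timeout in seconds, 0 for per-element timeouts only, None if untimed."""
    if "timeout" in s or "timeout" in s.get("flags", []):
        return int(s.get("timeout", 0))
    return None


def audit_timed_sets(nft_output, expected, family="inet", table="firewalld"):
    """Compare live sets against {name: expected_timeout_seconds}.

    Returns a list of (set_name, finding) for every set that is missing, has no
    timeout at all (entries will never expire), or has a different timeout.
    """
    live = {s["name"]: set_timeout(s) for s in iter_sets(nft_output, family, table)}
    findings = []
    for name, want in expected.items():
        if name not in live:
            findings.append((name, "set not present in ruleset"))
        elif live[name] is None:
            findings.append((name, f"no timeout (expected {want}s); entries never expire"))
        elif live[name] != want:
            findings.append((name, f"timeout is {live[name]}s, expected {want}s"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_timed_sets(SAMPLE_NFT_OUTPUT, {"set3": 5, "set4": 5}):
        print(f"{name}: {problem}")
```

On a real host, feed `audit_timed_sets` the text from `nft -j list ruleset` (for example via `subprocess.run(["nft", "-j", "list", "ruleset"], capture_output=True, text=True).stdout`) together with the timeouts configured in the permanent ipset definitions; any finding means entries added to that set will stay until removed by hand.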

@erig0 erig0 added the high High priority bug. label Feb 16, 2022
@erig0 erig0 added this to backlog in firewalld via automation Feb 16, 2022
@erig0 erig0 moved this from backlog to Priority in firewalld Feb 16, 2022
thom311 added a commit to thom311/firewalld that referenced this issue Jul 12, 2023
…h nftables

With

    firewall-cmd --permanent --delete-ipset=testipset || :
    firewall-cmd --permanent --new-ipset=testipset --type=hash:ip --option=maxelem=65536 --option=family=inet --option=hashsize=4096 --option=timeout=14400
    firewall-cmd --reload

firewalld would send the JSON request

    {
      "add": {
        "set": {
          "family": "inet",
          "table": "firewalld",
          "name": "testipset",
          "type": "ipv4_addr",
          "flags": [
            "interval"
          ],
          "timeout": "14400",
          "size": "65536"
        }
      }
    },

But the "timeout","size" keys are NUMBER types in libnftables-json. They are
silently ignored otherwise ([1]). The fix is to pass them as numbers.

Try also:

    nft delete table inet testtable &>/dev/null || :
    nft add table inet testtable
    echo '
        {
          "nftables": [
            {
              "metainfo": {
                "json_schema_version": 1
              }
            },
            {
              "add": {
                "set": {
                  "family": "inet",
                  "table": "testtable",
                  "name": "testipset",
                  "type": "ipv4_addr",
                  "flags": [
                    "interval"
                  ],
                  "timeout": "14400",
                  "size": "65536"
                }
              }
            },
            {
              "flush": {
                "set": {
                  "family": "inet",
                  "table": "testtable",
                  "name": "testipset"
                }
              }
            }
          ]
        }
    ' | nft -j -f -
    nft list ruleset | grep -C6 testipset

[1] https://git.netfilter.org/nftables/tree/src/parser_json.c?id=1335ade24e55199069b8ae79e34746a59ae48c01#n1440

firewalld#699
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
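The type mismatch the commit message describes, as an added example that is neither the commit's code nor firewalld's: it builds the libnftables-json `add set` request both ways (string values as in the pre-fix request, JSON numbers as in the fix) and adds a pre-flight check that flags numeric set attributes sent as strings, which is the class of error nft accepts without complaint. The option values are the ones from the commit message; the function names, the `maxelem` to `size` mapping and the hash:ip to `ipv4_addr` mapping are this example's assumptions.

```python
import json

# Options as firewalld holds them for a permanent ipset: every value arrives as
# a string from firewall-cmd or the XML config. Values are the ones from the
# commit message above.
IPSET_OPTIONS = {
    "family": "inet",
    "maxelem": "65536",
    "hashsize": "4096",
    "timeout": "14400",
}

# Set attributes that libnftables-json parses as JSON numbers. A string in one
# of these positions is not rejected; the parser skips it and the set is created
# without the attribute, which is how a configured timeout goes missing.
NUMERIC_SET_KEYS = ("timeout", "size")


def build_add_set(name, options, table="firewalld", family="inet", coerce_numbers=True):
    """Build the libnftables-json 'add set' command for an ipset of type hash:ip.

    coerce_numbers=False reproduces the pre-fix request (numbers as strings);
    coerce_numbers=True is the corrected request. Only the hash:ip -> ipv4_addr
    case from the report is modelled here (an assumption of this example).
    """
    nft_set = {
        "family": family,
        "table": table,
        "name": name,
        "type": "ipv4_addr",
        "flags": ["interval"],
    }
    if "timeout" in options:
        nft_set["timeout"] = options["timeout"]
    if "maxelem" in options:
        nft_set["size"] = options["maxelem"]  # ipset maxelem maps to nft set size
    if coerce_numbers:
        for key in NUMERIC_SET_KEYS:
            if key in nft_set:
                nft_set[key] = int(nft_set[key])
    return {"add": {"set": nft_set}}


def mistyped_numeric_keys(command):
    """Return the numeric set keys in an 'add set' command that are not JSON numbers.

    A pre-flight check of this kind catches the defect before the request is
    handed to nft, where the wrong type is dropped without any error.
    """
    nft_set = command.get("add", {}).get("set", {})
    bad = []
    for key in NUMERIC_SET_KEYS:
        if key in nft_set:
            value = nft_set[key]
            if isinstance(value, bool) or not isinstance(value, int):
                bad.append(key)
    return bad


def nft_request(commands):
    """Wrap commands in the envelope that `nft -j -f -` reads."""
    return json.dumps(
        {"nftables": [{"metainfo": {"json_schema_version": 1}}, *commands]},
        indent=2,
    )


if __name__ == "__main__":
    before = build_add_set("testipset", IPSET_OPTIONS, coerce_numbers=False)
    after = build_add_set("testipset", IPSET_OPTIONS)
    print("pre-fix request drops:", mistyped_numeric_keys(before))  # ['timeout', 'size']
    print("fixed request drops:", mistyped_numeric_keys(after))     # []
    print(nft_request([after]))
```

Piping `nft_request([after])` into `nft -j -f -` and listing the table with `nft list table inet firewalld` shows the `timeout` and `size` attributes on the set; the `before` request produces the set without them, exactly as in the report.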
thom311 added a commit to thom311/firewalld that referenced this issue Jul 12, 2023
…h nftables

firewalld#699
firewalld#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
thom311 added a commit to thom311/firewalld that referenced this issue Jul 12, 2023
…h nftables

firewalld#699
firewalld#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
thom311 added a commit to thom311/firewalld that referenced this issue Jul 12, 2023
…h nftables

firewalld#699
firewalld#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
thom311 added a commit to thom311/firewalld that referenced this issue Jul 12, 2023
…h nftables

firewalld#699
firewalld#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
thom311 added a commit to thom311/firewalld that referenced this issue Jul 28, 2023
…h nftables

firewalld#699
firewalld#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
thom311 added a commit to thom311/firewalld that referenced this issue Aug 3, 2023
…h nftables

firewalld#699
firewalld#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
thom311 added a commit to thom311/firewalld that referenced this issue Aug 3, 2023
…h nftables

firewalld#699
firewalld#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: firewalld#699
Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
@erig0 erig0 closed this as completed in ed93b04 Aug 4, 2023
firewalld automation moved this from Priority to Done Aug 4, 2023
erig0 pushed a commit to erig0/firewalld that referenced this issue Oct 2, 2023
…h nftables

firewalld#699
firewalld#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: firewalld#699
Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
(cherry picked from commit ed93b04)
erig0 pushed a commit that referenced this issue Oct 2, 2023
…h nftables

#699
#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: #699
Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
(cherry picked from commit ed93b04)
erig0 pushed a commit to erig0/firewalld that referenced this issue Oct 2, 2023
…h nftables

firewalld#699
firewalld#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: firewalld#699
Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
(cherry picked from commit ed93b04)
erig0 pushed a commit that referenced this issue Oct 2, 2023
…h nftables

#699
#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: #699
Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
(cherry picked from commit ed93b04)
erig0 pushed a commit to erig0/firewalld that referenced this issue Oct 3, 2023
…h nftables

firewalld#699
firewalld#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: firewalld#699
Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
(cherry picked from commit ed93b04)
erig0 pushed a commit that referenced this issue Oct 3, 2023
…h nftables

#699
#908
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: #699
Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
(cherry picked from commit ed93b04)
Projects
firewalld: Done
Development
No branches or pull requests

2 participants