firewalld sets with timeouts on nftables back end not getting the timeouts. #699
Comments
thom311 added a commit to thom311/firewalld that referenced this issue on Jul 12, 2023:

…h nftables

With

    firewall-cmd --permanent --delete-ipset=testipset || :
    firewall-cmd --permanent --new-ipset=testipset --type=hash:ip --option=maxelem=65536 --option=family=inet --option=hashsize=4096 --option=timeout=14400
    firewall-cmd --reload

firewalld would send the JSON request

    {
      "add": {
        "set": {
          "family": "inet",
          "table": "firewalld",
          "name": "testipset",
          "type": "ipv4_addr",
          "flags": [ "interval" ],
          "timeout": "14400",
          "size": "65536"
        }
      }
    },

But the "timeout", "size" keys are NUMBER types in libnftables-json. They are silently ignored otherwise ([1]). The fix is to pass them as numbers.

Try also:

    nft delete table inet testtable &>/dev/null || :
    nft add table inet testtable
    echo '
    { "nftables": [
      { "metainfo": { "json_schema_version": 1 } },
      { "add": { "set": { "family": "inet", "table": "testtable", "name": "testipset", "type": "ipv4_addr", "flags": [ "interval" ], "timeout": "14400", "size": "65536" } } },
      { "flush": { "set": { "family": "inet", "table": "testtable", "name": "testipset" } } }
    ] }
    ' | nft -j -f -
    nft list ruleset | grep -C6 testipset

[1] https://git.netfilter.org/nftables/tree/src/parser_json.c?id=1335ade24e55199069b8ae79e34746a59ae48c01#n1440

firewalld#699
https://bugzilla.redhat.com/show_bug.cgi?id=2055330

Fixes: 1582c5d ('feat: nftables: convert to libnftables JSON interface')
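As an added illustration of the type mismatch the commit message describes (example code, not firewalld's own): a small Python builder for the nft JSON "add set" request, with the string-valued form that reproduces the bug beside the numeric form of the fix, and a check that lists the NUMBER-typed keys libnftables-json would silently skip. The option-to-key mapping (maxelem to size, timeout to timeout, hashsize dropped) is read off the request shown above; "gc-interval" as a third numeric key is taken from libnftables-json(5), and the function names are assumptions.

```python
"""Build and check the nft JSON 'add set' request firewalld sends for an ipset."""

# Set keys that libnftables-json declares as NUMBER. The commit message names
# "timeout" and "size"; "gc-interval" is the third one listed in
# libnftables-json(5). A JSON string in any of them is skipped without error.
NUMERIC_SET_KEYS = ("timeout", "size", "gc-interval")

# firewalld ipset option -> nft set key, as visible in the page's request.
# "hashsize" has no nft counterpart and is dropped, matching that request.
OPTION_TO_SET_KEY = {"timeout": "timeout", "maxelem": "size"}


def build_set(name, ipset_options, table="firewalld", coerce_numeric=True):
    """Return the {"add": {"set": ...}} command for a hash:ip ipset.

    ipset_options holds the values as firewall-cmd stores them, i.e. strings
    such as {"timeout": "14400", "maxelem": "65536"}. coerce_numeric=False
    forwards the strings unchanged and reproduces the bug; True is the fix.
    """
    # The firewalld table is "inet"; the ipset family only picks the element type.
    elem_type = "ipv6_addr" if ipset_options.get("family") == "inet6" else "ipv4_addr"
    set_obj = {
        "family": "inet",
        "table": table,
        "name": name,
        "type": elem_type,
        "flags": ["interval"],  # as in the page's request
    }
    for option, key in OPTION_TO_SET_KEY.items():
        if option in ipset_options:
            value = ipset_options[option]
            set_obj[key] = int(value) if coerce_numeric else value
    return {"add": {"set": set_obj}}


def silently_ignored_keys(command):
    """List NUMBER-typed set keys whose value is not an integer.

    libnftables-json only reads these keys when the JSON value is a number,
    so a string here yields a set with no timeout and no size limit, and nft
    reports success anyway.
    """
    set_obj = command["add"]["set"]
    return [k for k in NUMERIC_SET_KEYS
            if k in set_obj and not isinstance(set_obj[k], int)]


def nft_json_document(*commands):
    """Wrap commands in the envelope expected on stdin by `nft -j -f -`."""
    return {"nftables": [{"metainfo": {"json_schema_version": 1}}, *commands]}


if __name__ == "__main__":
    import json

    # Constructed input: the options from the page's firewall-cmd invocation.
    opts = {"family": "inet", "maxelem": "65536",
            "hashsize": "4096", "timeout": "14400"}
    buggy = build_set("testipset", opts, coerce_numeric=False)
    fixed = build_set("testipset", opts)
    print("ignored in buggy request:", silently_ignored_keys(buggy))  # ['timeout', 'size']
    print("ignored in fixed request:", silently_ignored_keys(fixed))  # []
    print(json.dumps(nft_json_document(fixed), indent=2))
```

Running the checker over the request firewalld is about to send is a cheap guard against this class of silent option loss: nft accepts the malformed request, so only the caller can notice.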
thom311 added a commit to thom311/firewalld that referenced this issue on Jul 12, 2023 (same commit message as above, additionally referencing firewalld#908).
thom311 added a commit to thom311/firewalld that referenced this issue on Jul 12, 2023 (same commit message).
thom311 added a commit to thom311/firewalld that referenced this issue on Jul 12, 2023 (same commit message).
thom311 added a commit to thom311/firewalld that referenced this issue on Jul 12, 2023 (same commit message).
thom311 added a commit to thom311/firewalld that referenced this issue on Jul 28, 2023 (same commit message).
thom311 added a commit to thom311/firewalld that referenced this issue on Aug 3, 2023 (same commit message).
thom311 added a commit to thom311/firewalld that referenced this issue on Aug 3, 2023 (same commit message, with a "Fixes: firewalld#699" trailer added).
erig0 pushed a commit to erig0/firewalld that referenced this issue on Oct 2, 2023 (same commit message, "cherry picked from commit ed93b04").
erig0 pushed a commit that referenced this issue on Oct 2, 2023 (same commit message, "cherry picked from commit ed93b04").
erig0 pushed a commit to erig0/firewalld that referenced this issue on Oct 2, 2023 (same commit message, "cherry picked from commit ed93b04").
erig0 pushed a commit that referenced this issue on Oct 2, 2023 (same commit message, "cherry picked from commit ed93b04").
erig0 pushed a commit to erig0/firewalld that referenced this issue on Oct 3, 2023 (same commit message, "cherry picked from commit ed93b04").
erig0 pushed a commit that referenced this issue on Oct 3, 2023 (same commit message, "cherry picked from commit ed93b04").
Hi, as per note in the firewalld-users list, I'm opening this about firewalld timed sets not being created with a timeout with the nftables back-end.
In CentOS 8 with firewalld-0.8.0-4.el8.noarch:
however listing the set shows it doesn't have a timeout:
and in fact when I add something to the running set it doesn't disappear after 5 seconds:
I see in the docs that firewall-cmd won't list members of timeout sets, but nft list should show them since that is where they are controlled. (And actually, if you want me to open up an issue, shouldn't the firewall-cmd be able to list the members by calling nft list and parsing out the elements at that particular time?)
firewalld rocks! Thanks for creating this service.
-nik