New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tables not belonging to firewalld gets flushed on firewalld reload/restart #863
Comments
There are a couple things going on here.
Firewalld's Unfortunately we can't do anything here. We either a) maintain compatibility and let the |
As an aside, I don't know what you're trying to do with direct rules, but firewalld v0.9.0+ supports policies which cover a lot of use cases typically done via direct rules. Policy Objects should be in the upcoming RHEL-8.5. |
@erig0 Thanks for you quick reply and sorry for my delay responding to you! I understand that this is for backward compatibility purposes, but would it be acceptable/possible to provide an option in firewalld preventing it to flush iptables rules? I know it's an edge case, but I should say “nothing ventured, nothing gained”. Regarding your comment on policies, I think it’s a great feature but it doesn’t match my use case because the issue is related to a third party in a Kubernetes environment. See this serverfault post to better understand my use case. Anyway, thanks again and keep up the good work with firewalld! It’s a great software 🙂 |
Maybe
However, this does not address flushing on a full stop/start, e.g. |
@erig0 Thanks for the workaround, I will definitely try that! |
@erig0 it would be nice to have an option to disable iptables usage For people looking for a workaround, you can hide iptables from firewalld:
|
we are also hitting the same issue with MicroShift, firewalld flushes iptables on reload or restart (even if you use the .conf settings to prevent that, but probably I misunderstood those). Flush also happens under certain events, like DHCP assignment of a new address or hostname (https://issues.redhat.com/browse/USHIFT-789). The workaround described in #863 (comment) seems to help, but I agree with @champtar, a setting to avoid flushing iptables would help with this. @erig0 I understand that the workaround would work as long as MicroShift/OVN doesn't generate incompatible rules to firewalld. But I would love to have a moment to talk about this issue. |
Just a caveat with my workaround, it triggers SELinux: https://bugzilla.redhat.com/show_bug.cgi?id=2126583 |
Thanks for the heads up. It seems not to be very especially noisy, but yes, better if we can handle this in firewalld. In which context did you hit this issue with firewalld @champtar ? |
Single node K8S 'appliance', we're using firewalled to protect the host. We open some ports dynamically by looking at the hostPorts, and we allow users to change firewalld config as they see fit. Too many ways to trigger a flush, we needed a way to make it fool proof. (And I don't like to put warnings in docs, nobody read docs) |
FWIW, as of firewalld v1.0.0 the e.g.
|
We may be able to skip flushing iptables if the |
No. What happens is iptables becomes unusable (from firewalld's perspective). So when firewalld starts it detects that and the iptables backend is disabled. This is functionally equivalent to the build hack I mentioned above. firewalld should throw an INFO level log (syslog or /var/log/firewalld):
|
@erig0 most people don't want to rebuild core packages of their distro ;) |
Reopened. We can attempt to avoid touching iptables (i.e. skip flush on shutdown) if |
What do you mean by direct rules? Direct iptables rules? Direct nftables rules? |
Ah sorry, you mean iptable rules added via direct firewalld rules. |
Thanks for re-prioritizing this, I see you added the labels but the bug is still in "Closed" state. |
If FirewallBackend=nftables and there are no direct rules; then we can avoid flushing iptables at startup and shutdown. This means other applications can control iptables while firewalld only touches nftables. Fixes: firewalld#863
@mangelajo, #1082 addresses this. It would be great if you could provide feedback, e.g. test in your environment. Otherwise I'll just merge it since there is reasonable test coverage. ;) |
If FirewallBackend=nftables and there are no direct rules; then we can avoid flushing iptables at startup and shutdown. This means other applications can control iptables while firewalld only touches nftables. Fixes: firewalld#863
If FirewallBackend=nftables and there are no direct rules; then we can avoid flushing iptables at startup and shutdown. This means other applications can control iptables while firewalld only touches nftables. Fixes: firewalld#863
Thank you, I am testing it now on the environment. |
If FirewallBackend=nftables and there are no direct rules; then we can avoid flushing iptables at startup and shutdown. This means other applications can control iptables while firewalld only touches nftables. Fixes: #863
What happened:
Default tables (ip filter, ip nat, ip mangle, ect…) not belonging to firewalld gets flushed on
firewall-cmd --reload
orsystemctl restart firewalld
orsystemctl reload firewalld
What you expected to happen:
Only
firewalld
table gets flushedHow to reproduce it (as minimally and precisely as possible):
ip filter
table:nft add rule ip filter INPUT ip saddr 10.1.1.9 drop
nft list chain ip filter INPUT
firewall-cmd --reload
nft list chain ip filter INPUT
Same happens when using
iptables
command (please note that on RHEL8 based OS, iptables usesnf_tables
API, effectively adding rules into nftables):ip filter
table:iptables -A INPUT -s 10.1.1.9 -j DROP
iptables-save
nft list chain ip filter INPUT
firewall-cmd --reload
iptables-save
nft list chain ip filter INPUT
Anything else we need to know?:
This doesn’t happen when creating a custom table. You can also read this serverfault post for better context understanding.
Environment:
dnf info firewalld
or commit hash if developing from gitgit log -n1 --format=format:"%H"
):cat /etc/firewalld/firewalld.conf | grep FirewallBackend
):cat /etc/os-release
):The text was updated successfully, but these errors were encountered: