firewalld with ipset


Hi, the latest RHEL 7.3 allows ipset usage with firewalld, but only for type hash:ip. I tried another ipset type ('hash:ip,port') and got:
WARNING: INVALID_IPSET: ipset type 'hash:ip,port' not usable, ignoring.
Will this type and other ipset types be supported as well?

The xml file contains this:

    <?xml version="1.0" encoding="utf-8"?>
    <ipset type="hash:ip,port">
      <short>RH-SAT</short>
      <description>RHEL Satellite</description>
      <entry>IPof RHSAT,tcp:80</entry>
      <entry>IPof RHSAT,tcp:443</entry>
      <entry>IPof RHSAT,tcp:4545</entry>
      <entry>IPof RHSAT,tcp:5222</entry>
    </ipset>

Thanks

Responses

Hello,

Can you try hash:ip,port,ip?

The use of IP sets is documented in the Security Guide. See the IPTables and IP Sets section.

Hi, thanks for answering, but I did not explain properly, the problem is with firewalld, not ipset.

The hash:ip,port,ip and the one I posted (hash:ip,port) are valid ipset types; they do work with "ipset create ...". The problem is that firewalld does not support these types. I think it does not support any ipset type other than the most simple one, "hash:ip", which works. ipset support was added very recently in firewalld 4.3 (RHEL 7.3 latest update). When firewalld tries to parse the ipset.xml files, you get log entries like the one I posted already:

    '/etc/firewalld/ipsets/rhsat2.xml': INVALID_TYPE: 'hash:ip,port,ip' is not supported by ipset.
    '/etc/firewalld/ipsets/rhsat.xml': INVALID_TYPE: 'hash:ip,port' is not supported by ipset

The ones with type "hash:ip" are properly parsed. The question was: will firewalld support other (than hash:ip) ipset types in the near future?

OK, sorry for reading too quickly. The section Using IP Sets with firewalld does not mention any restrictions on the type of IP sets used. I was under the impression firewalld is just calling ipsets code. I will ask and report back.

Hello, developer confirms, only the sets mentioned in the firewalld.ipset manual page are supported by firewalld directly, and can be used within rich and direct rules. See also the post below from Akhil John. Please raise a support request if this is less than a trivial problem for you.

I see now you are asking about internal support within firewalld code. I see from the release notes "ipset support: firewalld now supports ipsets used as zone sources, within rich and direct rules." I have asked for more detailed info.

Thanks in advance for your help

firewalld supports only 3 ipset method:type pairs:

hash:ip hash:net hash:mac

And the firewalld.ipset man page only mentions these three method:types:

    ipset
       The mandatory ipset start and end tag defines the ipset.
       This tag can only be used once in an ipset configuration
       file. There is one mandatory and also optional attributes
       for ipsets:

       type="string"
           The mandatory type of the ipset. This can be one of
           these types: hash:ip, hash:net, hash:mac.

       version="string"
           To give the ipset a version.
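To make the restriction above concrete, here is an added example (my own code, not from this thread or from the firewalld project) that parses a firewalld ipset XML file and reports the same condition firewalld logs as INVALID_TYPE, then goes one step further and checks that every entry actually fits the declared type. The supported set {hash:ip, hash:net, hash:mac} is taken from the man page text quoted above; the three sample files, the 192.0.2.x addresses and the default directory /etc/firewalld/ipsets are constructed for the example. The third sample shows why simply changing the type attribute to hash:ip is not a fix: the port-qualified entries the original poster wanted cannot be expressed in a hash:ip set at all.

```python
import glob
import ipaddress
import os
import re
import xml.etree.ElementTree as ET

# The only method:type pairs firewalld accepts, per the firewalld.ipset man
# page quoted in this thread. Anything else is rejected with INVALID_TYPE.
SUPPORTED_TYPES = {"hash:ip", "hash:net", "hash:mac"}

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample files (addresses are from the documentation range, not real hosts).
# 1) The shape of the original poster's file: a type firewalld does not support.
SAMPLE_UNSUPPORTED = """<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip,port">
  <short>RH-SAT</short>
  <description>RHEL Satellite</description>
  <entry>192.0.2.10,tcp:80</entry>
  <entry>192.0.2.10,tcp:443</entry>
</ipset>
"""

# 2) A supported type with entries that fit it.
SAMPLE_SUPPORTED = """<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <short>RH-SAT</short>
  <description>RHEL Satellite</description>
  <entry>192.0.2.10</entry>
  <entry>192.0.2.11</entry>
</ipset>
"""

# 3) The tempting "fix": change the type to hash:ip but keep the port entries.
SAMPLE_MISTYPED = """<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <short>RH-SAT</short>
  <description>RHEL Satellite</description>
  <entry>192.0.2.10,tcp:80</entry>
  <entry>192.0.2.10,tcp:443</entry>
</ipset>
"""


def validate_mac(value):
    """Accept aa:bb:cc:dd:ee:ff in any case; return it lowercased or raise ValueError."""
    mac = value.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError("not a colon-separated MAC address")
    return mac


def check_ipset_xml(xml_text):
    """Return a list of problem strings; an empty list means firewalld can load the set."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: {}".format(exc)]
    if root.tag != "ipset":
        return ["root element is <{}>, expected <ipset>".format(root.tag)]

    ipset_type = root.get("type")
    if ipset_type is None:
        return ["missing mandatory type attribute"]
    if ipset_type not in SUPPORTED_TYPES:
        # Same condition that produces firewalld's INVALID_TYPE log entry.
        return ["INVALID_TYPE: '{}' is not supported by firewalld".format(ipset_type)]

    # The type is accepted; now make sure each entry can be stored in a set of that type.
    for entry in root.findall("entry"):
        value = (entry.text or "").strip()
        try:
            if ipset_type == "hash:ip":
                ipaddress.ip_address(value)
            elif ipset_type == "hash:net":
                ipaddress.ip_network(value, strict=False)
            else:
                validate_mac(value)
        except ValueError as exc:
            problems.append("entry '{}' does not fit {}: {}".format(value, ipset_type, exc))
    return problems


def check_ipset_dir(directory="/etc/firewalld/ipsets"):
    """Check every *.xml in the directory; return {path: [problems]} for files with issues."""
    report = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.xml"))):
        with open(path) as fh:
            problems = check_ipset_xml(fh.read())
        if problems:
            report[path] = problems
    return report


if __name__ == "__main__":
    for name, text in (("unsupported", SAMPLE_UNSUPPORTED),
                       ("supported", SAMPLE_SUPPORTED),
                       ("mistyped", SAMPLE_MISTYPED)):
        print(name, check_ipset_xml(text) or "OK")
```

Run it before a firewalld reload (or point check_ipset_dir at a staging copy of the ipset directory) and you get the rejections at edit time instead of as WARNING lines in the journal after the set has silently been dropped.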

Hello, if you would like the support for ipsets in firewalld to be improved then please raise a support case and reference this bug: Bug 1419058 – Improve support for ipsets in firewalld.
