firewalld with ipset
Hi, the latest RHEL 7.3 allows ipset usage with firewalld, but only for type ip:hash. I tried another ipset type ('hash:ip,port') and got:
WARNING: INVALID_IPSET: ipset type 'hash:ip,port' not usable, ignoring.
Will this type and other ipset types be supported as well?
The xml file contains this:
    <?xml version="1.0" encoding="utf-8"?>
    <!-- element names restored per firewalld.ipset(5); "IPof RHSAT" is the poster's placeholder for the Satellite address -->
    <ipset type="hash:ip,port">
      <short>RH-SAT</short>
      <description>RHEL Satellite</description>
      <entry>IPof RHSAT,tcp:80</entry>
      <entry>IPof RHSAT,tcp:443</entry>
      <entry>IPof RHSAT,tcp:4545</entry>
      <entry>IPof RHSAT,tcp:5222</entry>
    </ipset>
Thanks
Responses
Hello,
Can you try hash:ip,port,ip?
The use of IP sets is documented in the Security Guide. See the IPTables and IP Sets section.
OK, sorry for reading too quickly. The section Using IP Sets with firewalld does not mention any restrictions on the type of IP sets used. I was under the impression firewalld is just calling ipsets code. I will ask and report back.
Hello, developer confirms, only the sets mentioned in the firewalld.ipset manual page are supported by firewalld directly, and can be used within rich and direct rules. See also the post below from Akhil John. Please raise a support request if this is less than a trivial problem for you.
I see now you are asking about internal support within firewalld code. I see from the release notes "ipset support: firewalld now supports ipsets used as zone sources, within rich and direct rules." I have asked for more detailed info.
firewalld supports only 3 ipset method:type pairs:
hash:ip hash:net hash:mac
And the firewalld.ipset man page only mentions these three method:types:

    ipset
        The mandatory ipset start and end tag defines the ipset.
        This tag can only be used once in an ipset configuration
        file. There is one mandatory attribute and also optional
        attributes for ipsets:

        type="string"
            The mandatory type of the ipset. This can be one of
            these types: hash:ip, hash:net, hash:mac.

        version="string"
            To give the ipset a version.
Hello, if you would like the support for ipsets in firewalld to be improved then please raise a support case and reference this bug: Bug 1419058 – Improve support for ipsets in firewalld.
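As an added example (not from this thread or from the firewalld project), the following pre-flight checker applies the restriction described above to an ipset XML file before it is dropped into /etc/firewalld/ipsets/: it rejects any type other than hash:ip, hash:net or hash:mac, validates that hash:ip and hash:net entries are addresses or networks, and builds the rich rules that restrict a hash:ip set to specific tcp ports, which is the usual substitute for hash:ip,port. The sample files, the documentation address 192.0.2.10 and the set name RH-SAT are constructed; entries are assumed to be single addresses or CIDR networks, not ranges.

```python
"""Pre-flight check for a firewalld ipset XML file (firewalld.ipset(5) format)."""
import ipaddress
import xml.etree.ElementTree as ET

# The only ipset types firewalld accepts (RHEL 7.3); others are ignored
# with "INVALID_IPSET: ipset type '...' not usable".
SUPPORTED_TYPES = {"hash:ip", "hash:net", "hash:mac"}


def check_ipset_xml(xml_text):
    """Return (ok, problems, short_name) for one <ipset> definition."""
    root = ET.fromstring(xml_text)
    problems = []
    ipset_type = root.get("type")
    if ipset_type not in SUPPORTED_TYPES:
        problems.append("ipset type '%s' not usable by firewalld" % ipset_type)
    for entry in root.findall("entry"):
        value = (entry.text or "").strip()
        try:
            if ipset_type == "hash:ip":       # single addresses only (assumption)
                ipaddress.ip_address(value)
            elif ipset_type == "hash:net":    # CIDR networks
                ipaddress.ip_network(value, strict=False)
            # hash:mac entries are not validated here
        except ValueError:
            problems.append("entry '%s' is not valid for %s" % (value, ipset_type))
    return (not problems, problems, root.findtext("short") or "")


def rich_rules_for_ports(ipset_name, ports, family="ipv4"):
    """Rich rules that accept only the given tcp ports from a hash:ip/hash:net set."""
    return ['rule family="%s" source ipset="%s" port port="%d" protocol="tcp" accept'
            % (family, ipset_name, p) for p in ports]


# Constructed sample mirroring the thread: the hash:ip,port type is rejected.
BAD_IPSET = """<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip,port">
  <short>RH-SAT</short>
  <description>RHEL Satellite</description>
  <entry>192.0.2.10,tcp:80</entry>
</ipset>"""

# Corrected: a hash:ip set holds the address; the ports go into rich rules.
GOOD_IPSET = """<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
  <short>RH-SAT</short>
  <description>RHEL Satellite</description>
  <entry>192.0.2.10</entry>
</ipset>"""

if __name__ == "__main__":
    for text in (BAD_IPSET, GOOD_IPSET):
        ok, problems, name = check_ipset_xml(text)
        print(name, "OK" if ok else "REJECTED", problems)
    print("\n".join(rich_rules_for_ports("RH-SAT", [80, 443, 4545, 5222])))
```

Each printed rich rule can be installed with `firewall-cmd --permanent --add-rich-rule='...'` once the hash:ip set exists.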