"systemd restart firewalld.service" compounds rules when CleanUpOnExit=no

Solution Unverified

Issue

  • systemd restart firewalld.service compounds rules when CleanUpOnExit=no is set in /etc/firewalld/firewalld.conf.
  • firewalld doesn't flush its own nftables table at startup when CleanUpOnExit=no is set in /etc/firewalld/firewalld.conf.
  • The nftables ruleset maintained by firewalld has grown so large after repeated restarts that the system spends excessive time in netfilter code paths, with degraded performance and packet loss as a result.
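The following script is an added example for checking a host for the symptom described above; it is not part of the Red Hat article. It parses the text output of "nft list ruleset", confines itself to firewalld's own table ("table inet firewalld"), and reports rules that occur more than once in the same chain, which is what compounding across restarts looks like. The embedded ruleset is constructed for the demonstration so the check runs offline; on a live host pipe "nft list ruleset" into the same functions.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: measure rule growth in
# firewalld's own nftables table from `nft list ruleset` output.
# A rule repeated within one chain is the symptom of the restart
# compounding described in the Issue section.

# Walk a ruleset read from stdin.
#   mode=total  prints the number of rules inside "table inet firewalld"
#   mode=dups   prints "count<TAB>chain<TAB>rule" for each rule that
#               occurs more than once in the same chain
_firewalld_walk() {
    awk -v mode="$1" '
    {
        line = $0
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)   # nft indents with tabs
    }
    line == "" { next }
    depth == 0 && line !~ /^table inet firewalld \{$/ { next } # ignore other tables
    line ~ /\{$/ {                                             # table, chain, set or map opens
        if (depth == 1 && line ~ /^chain /) { split(line, f, " "); chain = f[2] }
        depth++; next
    }
    line == "}" { depth--; if (depth < 2) chain = ""; next }   # a block closes
    depth == 2 && chain != "" {
        if (line ~ /^(type |policy )/) next                    # base-chain header, not a rule
        total++
        count[chain "\t" line]++
    }
    END {
        if (mode == "total") print total + 0
        else for (k in count) if (count[k] > 1) print count[k] "\t" k
    }'
}

firewalld_rule_total() { _firewalld_walk total; }
firewalld_duplicate_rules() { _firewalld_walk dups | sort -rn; }

# Constructed sample: a firewalld table whose filter_INPUT chain received its
# rules twice, plus an unrelated table that must be ignored by the check.
SAMPLE_RULESET=$(cat <<'EOF'
table inet firewalld {
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state established,related accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state established,related accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state invalid drop
        reject with icmpx admin-prohibited
    }
    chain filter_INPUT_ZONES {
        goto filter_IN_public
        goto filter_IN_public
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        masquerade
        masquerade
    }
}
EOF
)

main() {
    echo "rules in table inet firewalld: $(printf '%s\n' "$SAMPLE_RULESET" | firewalld_rule_total)"
    echo "rules repeated within a chain (count, chain, rule):"
    printf '%s\n' "$SAMPLE_RULESET" | firewalld_duplicate_rules
    # On a real host: nft list ruleset | firewalld_duplicate_rules
}
main
```

Running the total check before and after a "systemctl restart firewalld.service" gives a direct measurement: a healthy restart leaves the count unchanged, while the compounding described above makes it climb with every restart.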

Environment

  • Red Hat Enterprise Linux (RHEL) 8
  • Red Hat Enterprise Linux (RHEL) 9
