Firewalld direct rules result in wrong ordering.
Issue
firewalld direct rules result in wrong ordering when the backend is set to iptables and input rules contain the parameter(s) -d, --destination address[/mask][,...] or -s, --source address[/mask] with multiple network or host addresses. Example one below shows the incorrect ordering occurring with the private network spaces defined in RFC 1918.
Please refer to the resolution section below to avoid incorrect ordering of iptables rules.
Example one:
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 9 -j DROP
Result of Example one:
]# iptables -t filter -nvL OUTPUT_direct
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.0/24
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.0/24
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.0.0/16
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.0/8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.0.0/16
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8
Expected ordering:
]# iptables -t filter -nvL OUTPUT_direct
Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.0/24
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.0/24
0 0 ACCEPT udp -- * * 0.0.0.0/0 172.16.0.0/16
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.0.0.0/8
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.16.0.0/16
0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.0.0/8
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
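A check for the symptom shown above, added here as an example (it is not from the Red Hat article or from firewalld): it parses the iptables -t filter -nvL OUTPUT_direct listing and reports every rule that sits behind the catch-all DROP, which is where the misplaced ACCEPT rules end up. The function name check_direct_chain_order and the variable MISORDERED_CHAIN are my own; the sample chain is constructed from "Result of Example one".

```shell
#!/bin/sh
# Added audit helper (not part of the Red Hat article or of firewalld):
# reads `iptables -t filter -nvL OUTPUT_direct` output on stdin and flags
# every rule placed after the first catch-all DROP (proto all, any source,
# any destination, no extra match). Such rules can never match, which is
# exactly the effect of the direct-rule misordering shown above.
# Exit status: 0 when nothing is shadowed, 1 when shadowed rules exist.
check_direct_chain_order() {
    awk '
        # keep only rule lines: the pkts column is a number (optionally K/M/G)
        $1 !~ /^[0-9]+[KMG]?$/ { next }
        { rule++ }
        # columns: pkts bytes target prot opt in out source destination [match]
        !drop_seen && $3 == "DROP" && $4 == "all" && $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9 {
            drop_seen = rule; next
        }
        drop_seen {
            shadowed++
            printf "rule %d (%s %s -> %s) is unreachable: after catch-all DROP at rule %d\n", rule, $3, $4, $9, drop_seen
        }
        END { exit (shadowed ? 1 : 0) }
    '
}

# Constructed sample: the misordered chain from "Result of Example one".
MISORDERED_CHAIN='Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.0/24
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.0/24
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            172.16.0.0/16
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.0.0/16
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/8'

# On a live host:  iptables -t filter -nvL OUTPUT_direct | check_direct_chain_order
# Demo against the constructed sample: lists the 4 shadowed ACCEPT rules.
printf '%s\n' "$MISORDERED_CHAIN" | check_direct_chain_order \
    || echo "misordering detected: fix the OUTPUT_direct chain before relying on it"
```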
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- firewalld
- backend: iptables