Firewalld direct rules result in wrong ordering.

Solution Verified - Updated -

Issue

  • firewalld direct rules result in wrong ordering when the back end is set to iptables and the rules contain the parameter -d, --destination address[/mask][,...] or -s, --source address[/mask][,...] with multiple network or host addresses. Example one below shows the incorrect ordering occurring with the private network ranges defined in RFC 1918.

  • Please refer to the resolution section below to avoid incorrect ordering of iptables rules.

Example one:

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 9 -j DROP

Result of Example one:

]# iptables -t filter -nvL OUTPUT_direct
Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.0/24      
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.0/24      
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            172.16.0.0/16       
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.0/8          
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.0.0/16       
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/8          

Expected ordering:

]# iptables -t filter -nvL OUTPUT_direct
Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.0/24      
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.0/24      
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            172.16.0.0/16       
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.0/8          
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.0.0/16       
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/8          
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
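Added check, not part of the Red Hat article: a POSIX shell function (awk assumed available) that scans an `iptables -nvL <chain>` listing and reports every rule placed below a catch-all DROP, run here against the "Result of Example one" listing embedded as constructed sample input.

```shell
#!/bin/sh
# Added check, not from the Red Hat article: report rules that sit below a
# catch-all DROP (proto all, 0.0.0.0/0 -> 0.0.0.0/0, no extra match) in an
# `iptables -nvL <chain>` listing. Such rules can never match a packet, which
# is what the misordered OUTPUT_direct chain in the article produces.

# Constructed sample input: the "Result of Example one" listing from the article.
SAMPLE_LISTING='Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.0.0/24
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.0.0/24
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            172.16.0.0/16
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.0/8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.0.0/16
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0/8'

# shadowed_rules: read a listing on stdin, print one line per rule that follows
# the catch-all DROP, and exit 1 if any were found (0 if the chain is clean).
shadowed_rules() {
    awk '
        /^Chain / || /^ *pkts / { next }   # skip the two header lines
        # fields: pkts bytes target prot opt in out source destination [matches...]
        {
            if (seen_drop) { print "shadowed: " $3 " " $4 " " $8 " -> " $9; found = 1 }
            if ($3 == "DROP" && $4 == "all" && $8 == "0.0.0.0/0" &&
                $9 == "0.0.0.0/0" && NF == 9)
                seen_drop = 1
        }
        END { if (found) exit 1 }
    '
}

# count_shadowed: number of shadowed rules in the listing on stdin.
count_shadowed() {
    shadowed_rules | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a live host (as root) pipe in
#   iptables -t filter -nvL OUTPUT_direct
printf '%s\n' "$SAMPLE_LISTING" | shadowed_rules \
    || echo "OUTPUT_direct is misordered: the rules above are unreachable"
```

On the sample listing the check reports the four ACCEPT rules that landed after the DROP; on the expected ordering it reports nothing and exits 0.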

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • firewalld
    • backend: iptables
