I'm sure I'm just doing it wrong but I'm having trouble with an ipset hitting "maxelem 65536 reached." I tried:

    $ sudo firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --option=maxelem:131072
    success

which creates:

    $ sudo more /etc/firewalld/ipsets/blacklist.xml
    <?xml version="1.0" encoding="utf-8"?>
    <ipset type="hash:ip">
      <option name="maxelem:131072"/>
    </ipset>

but when I load with $ sudo firewall-cmd --reload:

    Jun 18 11:40:20 temp-2 firewalld: WARNING: INVALID_IPSET: blacklist
    Jun 18 11:40:35 temp-2 firewalld: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/blacklist.xml': INVALID_OPTION: Unknown option 'maxelem:131072'
    Jun 18 11:40:35 temp-2 firewalld: WARNING: INVALID_IPSET: blacklist
    Jun 18 11:40:37 temp-2 firewalld: ERROR: Failed to load ipset file 'blacklist.xml': INVALID_OPTION: Unknown option 'maxelem:131072'

I thought I would work around it by splitting my ipset in two but that still generated the maxelem error for both files:

    Jun 18 12:13:27 temp-2 firewalld: ERROR: Failed to create ipset 'blacklist-1'
    Jun 18 12:13:27 temp-2 firewalld: ERROR: '/usr/sbin/ipset restore' failed:
    Jun 18 12:13:27 temp-2 kernel: Set blacklist-2 is full, maxelem 65536 reached
    Jun 18 12:13:27 temp-2 firewalld: ERROR: Failed to create ipset 'blacklist-2'
    Jun 18 12:13:27 temp-2 firewalld: ERROR: '/usr/sbin/ipset restore' failed:
and removing the larger of the two, I still get the maxelem error for what is now a pretty small file.
I'm stumped and trying to avoid having to add each entry via sudo firewall-cmd --permanent --ipset=blacklist --add-entry=...
Thanks for any guidance out there, -David
As noted, clearly I was doing it wrong:

    $ sudo firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --option=maxelem:131072

should be:

    $ sudo firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --option=maxelem=131072

"=" not ":". That corrected my syntax issue. I was still running into the maxelem limit. My blacklist is a mix of IPs and networks. Doing a broader search, I ran across a post at the CentOS forums (https://www.centos.org/forums/viewtopic.php?t=8268). The gist being hash:ip seems to expand networks (like 192.168.1.0/24) into all the addresses in the network. hash:net is much more efficient for networks. So I now have a blacklist-ip list and a blacklist-net list (one hash:ip, one hash:net). That seems to have solved my dilemma.

-David
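The approach David lands on (hosts in a hash:ip set, networks in a hash:net set, each created with --option=maxelem=N) is easy to automate. The script below is an added example written for this thread, not code from David or from the firewalld project. It splits a mixed IPv4 blocklist file into the two lists, validates each entry so a bad line does not abort the whole ipset restore, and loads the results with --add-entries-from-file instead of one --add-entry per address. The file names, the ipset names blacklist-ip/blacklist-net, the default maxelem of 131072 and the binding to the drop zone are assumptions; firewall-cmd is assumed to support --add-entries-from-file (firewalld 0.4 and later).

```sh
#!/bin/sh
# Added example for the firewalld-users thread above; not the project's own code.
# Splits a mixed IPv4 blocklist into single hosts (hash:ip) and CIDR networks
# (hash:net) so neither set is blown past maxelem by expanded networks.

IPV4='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'

# octets_ok A.B.C.D -> succeeds when every octet is in 0..255
octets_ok() {
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# classify_entry ENTRY -> prints "ip ADDR", "net ADDR/LEN" or "invalid ENTRY"
classify_entry() {
    e=$1
    case $e in
        */*) addr=${e%/*}; plen=${e#*/} ;;
        *)   addr=$e;      plen=32 ;;
    esac
    if ! printf '%s\n' "$addr" | grep -qx "$IPV4" || ! octets_ok "$addr"; then
        echo "invalid $e"; return 1
    fi
    case $plen in
        *[!0-9]*|'') echo "invalid $e"; return 1 ;;
    esac
    if [ "$plen" -gt 32 ]; then
        echo "invalid $e"; return 1
    elif [ "$plen" -eq 32 ]; then
        echo "ip $addr"            # a /32 is one host: store it in hash:ip
    else
        echo "net $addr/$plen"     # anything wider belongs in hash:net
    fi
}

# split_blocklist INFILE IPFILE NETFILE -> writes the two lists and prints
# "ip=N net=M invalid=K"; '#' comments and blank lines are skipped
split_blocklist() {
    in=$1; ipf=$2; netf=$3
    : > "$ipf"; : > "$netf"
    nip=0; nnet=0; nbad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        set -- $(classify_entry "$line")
        case $1 in
            ip)  printf '%s\n' "$2" >> "$ipf";  nip=$((nip + 1)) ;;
            net) printf '%s\n' "$2" >> "$netf"; nnet=$((nnet + 1)) ;;
            *)   echo "skipping invalid entry: $2" >&2; nbad=$((nbad + 1)) ;;
        esac
    done < "$in"
    echo "ip=$nip net=$nnet invalid=$nbad"
}

# load_ipsets IPFILE NETFILE [MAXELEM] -> (re)creates both permanent ipsets,
# binds them to the drop zone (assumed policy) and reloads firewalld
load_ipsets() {
    max=${3:-131072}
    sudo firewall-cmd --permanent --delete-ipset=blacklist-ip  >/dev/null 2>&1 || true
    sudo firewall-cmd --permanent --delete-ipset=blacklist-net >/dev/null 2>&1 || true
    # note the '=' between maxelem and its value, as the thread points out
    sudo firewall-cmd --permanent --new-ipset=blacklist-ip  --type=hash:ip  --option=maxelem="$max"
    sudo firewall-cmd --permanent --new-ipset=blacklist-net --type=hash:net --option=maxelem="$max"
    sudo firewall-cmd --permanent --ipset=blacklist-ip  --add-entries-from-file="$1"
    sudo firewall-cmd --permanent --ipset=blacklist-net --add-entries-from-file="$2"
    sudo firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist-ip
    sudo firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist-net
    sudo firewall-cmd --reload
}

# Usage: sh split-blocklist.sh blocklist.txt  (no argument: only define functions)
if [ $# -eq 1 ]; then
    split_blocklist "$1" /tmp/blacklist-ip.txt /tmp/blacklist-net.txt
    load_ipsets /tmp/blacklist-ip.txt /tmp/blacklist-net.txt
fi
```

Entries like 192.0.2.9/32 are rewritten to the bare address so hash:ip accepts them, and invalid lines are reported and dropped rather than passed through; one malformed entry would otherwise make the whole 'ipset restore' fail, which is the same symptom the kernel's "Set ... is full" message produced in the thread.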
firewalld-users@lists.fedorahosted.org