My firewalld configuration has ipsets. I have switched to the nftables backend by setting FirewallBackend=nftables in /etc/firewalld/firewalld.conf and restarting firewalld.
The nft command shows empty sets (no elements) while the ipsets still exist (an example is below).
Can firewalld with nftables be used at all if it has ipsets? Is nftables compatible with ipsets? Does nftables read the IP list from ipsets?
Searching on the Internet suggests using nftables sets but it seems that firewalld does not support them.
---------------------------------------------------
# nft list sets
table inet firewalld {
        set gluster_v4 {        <---- nftables set exists but empty
                type ipv4_addr
                flags interval
        }
}

# ipset list
Name: gluster_v4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 328
References: 0
Number of entries: 5
Members:        <---- IP list is part of the ipset
172.16.x.a
172.16.x.b
....
I am using Fedora 29 and firewalld-0.6.3-1.fc29.noarch.
This has been fixed upstream.
https://github.com/firewalld/firewalld/commit/4157393136bbaff53e812029376b2a...
It should be included in the next release.
On Sun, Dec 30, 2018 at 07:13:25PM -0000, Alexander Murashkin wrote:
My firewalld configuration has ipsets. I have switched to the nftables backend by setting FirewallBackend=nftables in /etc/firewalld/firewalld.conf and restarting firewalld.
The nft command shows empty sets (no elements) while the ipsets still exist (an example is below).
Can firewalld with nftables be used at all if it has ipsets? Is nftables compatible with ipsets? Does nftables read the IP list from ipsets?
Searching on the Internet suggests using nftables sets but it seems that firewalld does not support them.
# nft list sets
table inet firewalld {
        set gluster_v4 {        <---- nftables set exists but empty
                type ipv4_addr
                flags interval
        }
}

# ipset list
Name: gluster_v4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 328
References: 0
Number of entries: 5
Members:        <---- IP list is part of the ipset
172.16.x.a
172.16.x.b
....
I am using Fedora 29 and firewalld-0.6.3-1.fc29.noarch.
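A check for the mismatch reported in this thread, as an added example (not code from the posts or from the firewalld project): it parses `ipset list` and `nft list sets` output and names every ipset that has members while the nft set of the same name is missing or empty, since a rule matching on an empty set matches no address. The sample outputs are constructed and trimmed, and the function names are hypothetical.

```python
import re

# Constructed sample outputs (192.0.2.0/24 is a documentation range).
IPSET_OUT = """\
Name: gluster_v4
Type: hash:ip
Number of entries: 2
Members:
192.0.2.10
192.0.2.11

Name: admin_v4
Members:
192.0.2.20
"""
NFT_OUT = """\
table inet firewalld {
    set gluster_v4 {
        type ipv4_addr
        flags interval
    }
    set admin_v4 {
        type ipv4_addr
        elements = { 192.0.2.20 }
    }
}
"""

def parse_ipset(text):
    """Map set name -> members, from `ipset list` output."""
    pat = r"^Name:\s*(\S+).*?^Members:\n(.*?)(?=^Name:|\Z)"
    return {n: {l.split()[0] for l in body.splitlines() if l.strip()}
            for n, body in re.findall(pat, text, re.S | re.M)}

def parse_nft(text):
    """Map set name -> elements, from `nft list sets` output."""
    sets = {}
    for name, body in re.findall(r"\bset\s+(\S+)\s*\{(.*?)\n\s*\}", text, re.S):
        elems = re.search(r"elements\s*=\s*\{(.*?)\}", body, re.S)
        sets[name] = {e.strip() for e in elems.group(1).split(",") if e.strip()} if elems else set()
    return sets

def empty_in_nft(ipset_text, nft_text):
    """Names of ipsets with members whose nft set is missing or empty."""
    nft = parse_nft(nft_text)
    return sorted(n for n, m in parse_ipset(ipset_text).items() if m and not nft.get(n))

if __name__ == "__main__":
    print(empty_in_nft(IPSET_OUT, NFT_OUT))
```

On a live host, pass it the captured output of the two commands shown in the question; it only checks for empty or missing sets and does not compare individual elements.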