Bugzilla – Full Text Bug Listing

| Summary: | firewalld no longer understands IPv4 network masks of type `255.255.255.0` | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Frank Kühndel <frank.kuehndel> |
| Component: | Network | Assignee: | Mohd Saquib <mohd.saquib> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Minor | ||
| Priority: | P5 - None | CC: | santiago.zarate |
| Version: | Leap 15.5 | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Hi,

I've applied the patch for the fix and tested it's working. It will be available with the update sometime soon. Meanwhile, you can either use firewalld >= 0.9.6 which has the fix available, or use it from TW which has the latest version.

Thanks,
Saquib

Hello Saquib,

many thanks for your work and for the swift response.

Frank

SUSE-RU-2023:3148-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1212974
Sources used:
openSUSE Leap 15.4 (src): firewalld-0.9.3-150400.8.12.1
openSUSE Leap Micro 5.3 (src): firewalld-0.9.3-150400.8.12.1
openSUSE Leap Micro 5.4 (src): firewalld-0.9.3-150400.8.12.1
openSUSE Leap 15.5 (src): firewalld-0.9.3-150400.8.12.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): firewalld-0.9.3-150400.8.12.1
SUSE Linux Enterprise Micro 5.3 (src): firewalld-0.9.3-150400.8.12.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): firewalld-0.9.3-150400.8.12.1
SUSE Linux Enterprise Micro 5.4 (src): firewalld-0.9.3-150400.8.12.1
Basesystem Module 15-SP4 (src): firewalld-0.9.3-150400.8.12.1
Basesystem Module 15-SP5 (src): firewalld-0.9.3-150400.8.12.1
Desktop Applications Module 15-SP4 (src): firewalld-0.9.3-150400.8.12.1
Desktop Applications Module 15-SP5 (src): firewalld-0.9.3-150400.8.12.1
Development Tools Module 15-SP4 (src): firewalld-0.9.3-150400.8.12.1
Development Tools Module 15-SP5 (src): firewalld-0.9.3-150400.8.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-RU-2023:3147-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1212974
Sources used:
SUSE Linux Enterprise Micro 5.2 (src): firewalld-0.9.3-150300.3.15.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): firewalld-0.9.3-150300.3.15.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): firewalld-0.9.3-150300.3.15.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): firewalld-0.9.3-150300.3.15.1
SUSE Linux Enterprise Real Time 15 SP3 (src): firewalld-0.9.3-150300.3.15.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): firewalld-0.9.3-150300.3.15.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): firewalld-0.9.3-150300.3.15.1
SUSE Manager Proxy 4.2 (src): firewalld-0.9.3-150300.3.15.1
SUSE Manager Retail Branch Server 4.2 (src): firewalld-0.9.3-150300.3.15.1
SUSE Manager Server 4.2 (src): firewalld-0.9.3-150300.3.15.1
SUSE Enterprise Storage 7.1 (src): firewalld-0.9.3-150300.3.15.1
SUSE Linux Enterprise Micro 5.1 (src): firewalld-0.9.3-150300.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Closing the issue.

firewalld does not understand network masks of the form `192.168.193.0/255.255.255.0`.

Bug workaround: Use the alternative form `192.168.193.0/24`.

From the man-page of firewall-cmd(1) section "Options to Handle Bindings of Sources":

"[...] For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. [...]"

```
[--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
    Bind the source to zone zone. If zone is omitted, default zone will be used.
```

How to reproduce:

```
# firewall-cmd --add-source=3.3.3.3/255.255.255.0
Error: invalid literal for int() with base 10: '255.255.255.0'
```

On my machine the problem seems to appear for the first time when I upgraded from Leap 15.2 to 15.3 back on 2021-07-04. Before that date it accepted this type of netmask without any issue.

Note that firewalld does not understand its configuration files anymore when they contain such a network mask from the time before this bug was introduced. `firewall-cmd` will happily show the configuration it does not understand (e.g. `firewall-cmd --info-zone home`) but the firewall will not be configured appropriately when started (`firewall-cmd --state` reports `failed`).

The error message appears in file `/var/log/firewalld` when the configuration files contain such a network mask:

```
2023-06-30 16:07:59 Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/firewall/server/decorators.py", line 53, in handle_exceptions
    return func(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/firewall/server/firewalld.py", line 93, in start
    return self.fw.start()
  File "/usr/lib/python3.6/site-packages/firewall/core/fw.py", line 541, in start
    self._start()
  File "/usr/lib/python3.6/site-packages/firewall/core/fw.py", line 502, in _start
    self.zone.apply_zones(use_transaction=transaction)
  File "/usr/lib/python3.6/site-packages/firewall/core/fw_zone.py", line 178, in apply_zones
    self.apply_zone_settings(zone, use_transaction=use_transaction)
  File "/usr/lib/python3.6/site-packages/firewall/core/fw_zone.py", line 297, in apply_zone_settings
    self._zone_settings(True, _zone, transaction)
  File "/usr/lib/python3.6/site-packages/firewall/core/fw_zone.py", line 267, in _zone_settings
    self._source(enable, zone, args[0], args[1], transaction)
  File "/usr/lib/python3.6/site-packages/firewall/core/fw_zone.py", line 752, in _source
    policy, source, table, chain)
  File "/usr/lib/python3.6/site-packages/firewall/core/nftables.py", line 935, in build_zone_source_address_rules
    "expr": [self._rule_addr_fragment(opt, address),
  File "/usr/lib/python3.6/site-packages/firewall/core/nftables.py", line 1217, in _rule_addr_fragment
    address = {"prefix": {"addr": addr_len[0], "len": int(addr_len[1])}}
ValueError: invalid literal for int() with base 10: '255.255.255.0'
```

I did not find any way to remove the offending `source` configuration. `firewall-cmd --zone=home --remove-sources=192.168.193.0/255.255.255.0` will fail with the error shown above. I had to edit the file `/etc/firewalld/zones/home.xml` manually.

For the resulting security issue I will open an extra bug because in my view this is a different concern.
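
An added example, not firewalld's code and not the patch referenced in this bug: a Python check that finds zone `source` entries carrying a dotted IPv4 netmask (the form that makes `int()` raise in the traceback above) and rewrites them to the prefix-length form from the workaround. The zone XML is a constructed sample, and `to_prefix_form` and `fix_zone_xml` are hypothetical names.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the style of /etc/firewalld/zones/home.xml
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <source address="192.168.193.0/255.255.255.0"/>
  <source address="10.0.0.0/8"/>
  <source address="fd00::/64"/>
  <source mac="00:11:22:33:44:55"/>
</zone>
"""


def to_prefix_form(source):
    """Rewrite IPv4 'addr/dotted-mask' as 'addr/prefixlen'; return other forms unchanged."""
    addr, sep, mask = source.partition("/")
    if not sep or mask.isdigit() or ":" in addr:
        return source  # no mask, already a plain number, or IPv6
    ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
    bits = int(ipaddress.IPv4Address(mask))
    inverted = bits ^ 0xFFFFFFFF
    if inverted & (inverted + 1):  # host bits must be one contiguous low run
        raise ValueError("non-contiguous netmask: %r" % mask)
    return "%s/%d" % (addr, bin(bits).count("1"))


def fix_zone_xml(xml_text):
    """Return (new_xml, changes); changes lists (old, new) source addresses."""
    root = ET.fromstring(xml_text)
    changes = []
    for src in root.iter("source"):
        old = src.get("address")
        if old is None:
            continue  # mac= and ipset= sources carry no mask
        new = to_prefix_form(old)
        if new != old:
            src.set("address", new)
            changes.append((old, new))
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    new_xml, changes = fix_zone_xml(SAMPLE_ZONE)
    for old, new in changes:
        print("rewrite %s -> %s" % (old, new))
    print(new_xml)
```

`ET.tostring` omits the XML declaration and any comments from the input, so compare the output with the original zone file before replacing it.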