- Bug
- Resolution: Done-Errata
- Major
- rhel-8.8.0
- firewalld-0.9.11-4.el8
- Moderate
- rhel-sst-networking-core
- ssg_networking
- QE ack, Dev ack
- Release Note Not Required
Description of problem:
Restarting firewalld.service results in more rules after every restart, eventually slowing the system.
Version-Release number of selected component (if applicable):
First began in firewalld 0.8.0-4 and confirmed through
How reproducible:
Easily on an RHEL system with firewalld 0.8.0-4 or newer.
Steps to Reproduce:
1. Install firewalld 0.8.0-4 or newer.
2. Set CleanUpOnExit=no in /etc/firewalld/firewalld.conf
3. systemctl restart firewalld ### to make new setting effective
4. nft list ruleset | wc -l
5. systemctl restart firewalld
6. nft list ruleset | wc -l
Actual results:
After every restart the ruleset grows.
Expected results:
After restart of firewalld.service ruleset does not grow.
Additional info:
With firewall-cmd --reload, or systemctl reload firewalld, which send SIGHUP instead of stopping and starting firewalld, the ruleset does not grow even with FlushAllOnReload=no:
FlushAllOnReload=no:
- nft list ruleset | wc -l
528
- firewall-cmd --reload
success
- nft list ruleset | wc -l
528
Customer uses CleanUpOnExit=no to avoid all windows where firewall rules might not exist.
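The reproduction steps above, as an added shell check that is not part of the bug report: it reads the relevant firewalld.conf settings, restarts firewalld a few times and reports whether the nft ruleset line count grows. It must run as root on a host with firewalld and nft; the RESTART_CMD, COUNT_CMD and FIREWALLD_CONF variables are assumptions added so the logic can be exercised without a live firewall.

```shell
#!/bin/sh
# Added example (not from the bug report). Defaults match the reproduction
# steps; the three variables are overridable only for offline testing.
RESTART_CMD="${RESTART_CMD:-systemctl restart firewalld}"
COUNT_CMD="${COUNT_CMD:-nft list ruleset | wc -l}"
FIREWALLD_CONF="${FIREWALLD_CONF:-/etc/firewalld/firewalld.conf}"

# Value of a key in firewalld.conf (e.g. CleanUpOnExit); empty if unset.
firewalld_setting() {
    sed -n "s/^$1=//p" "$FIREWALLD_CONF" 2>/dev/null | tail -n 1
}

# Current number of lines in the live nftables ruleset.
ruleset_lines() {
    sh -c "$COUNT_CMD" | tr -d ' '
}

# Restart firewalld N times (default 3) and print the ruleset size after each
# restart. Returns 1 if the size ever increased (the bug described above),
# 0 if it stayed flat, 2 if the ruleset could not be read or restart failed.
check_restart_growth() {
    iterations=${1:-3}
    grew=0
    echo "CleanUpOnExit=$(firewalld_setting CleanUpOnExit)" \
         "FlushAllOnReload=$(firewalld_setting FlushAllOnReload)"
    prev=$(ruleset_lines)
    [ -n "$prev" ] || return 2
    echo "initial ruleset lines: $prev"
    i=1
    while [ "$i" -le "$iterations" ]; do
        sh -c "$RESTART_CMD" >/dev/null 2>&1 || return 2
        cur=$(ruleset_lines)
        echo "after restart $i: $cur lines"
        if [ "$cur" -gt "$prev" ]; then
            echo "  ruleset grew by $((cur - prev)) lines"
            grew=1
        fi
        prev=$cur
        i=$((i + 1))
    done
    return $grew
}
```

Invoke as `check_restart_growth 5`; a non-zero exit with "ruleset grew" lines indicates the leak, while a flat count across restarts indicates a fixed build.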
- account is impacted by: RHEL-11281 RHEL 8.10 RPL (Closed)
- external trackers, links to: RHBA-2024:127014 firewalld update