-
Bug
-
Resolution: Done-Errata
-
Normal
-
rhel-9.3.0
-
firewalld-1.3.4-1.el9
-
None
-
Important
-
rhel-sst-networking-core
-
ssg_networking
-
13
-
None
-
QE ack, Dev ack
-
False
-
-
No
-
None
-
-
x86_64
-
None
Description of problem:
-> $ firewall-cmd --info-service=kube-control-plane-secure
kube-control-plane-secure
ports:
protocols:
source-ports:
modules:
destination:
includes: etcd-client etcd-server kube-apiserver kube-controller-manager-secure kube-scheduler-secure
helpers:
-> $ firewall-cmd --info-service=kube-apiserver
kube-apiserver
ports: 6443/tcp
protocols:
...
-> $ _FIRE=kube-control-plane-secure; firewall-cmd --zone=internal --add-rich-rule=\"rule family="ipv4" source address=${_IP} service name=${_FIRE} accept\"
-> $ nmap 10.3.1.61 -p 6443 # result -> filtered
-> $ _FIRE=kube-apiserver; firewall-cmd --zone=internal --add-rich-rule=\"rule family="ipv4" source address=${_IP} service name=${_FIRE} accept\"
-> $ nmap 10.3.1.61 -p 6443 # result -> open
Does that make sense?
Also, if such service - eg. kube-control-plane-secure - is allowed "normally", in 'service' then what happens is what I'd expect - included services get allowed too.
Version-Release number of selected component (if applicable):
firewalld-filesystem-1.2.1-1.el9.noarch
firewalld-1.2.1-1.el9.noarch
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
- is blocked by
-
RHEL-14485 Firewalld rebase to latest 1.3.z
-
- Closed
-
- external trackers
- links to
-
RHBA-2024:127432
firewalld update
