What were you trying to do that didn't work?
Right now, on all rhel8/9/10/Fedora versions, when adding a rich rule referring to a non-existing ipset with 'firewall-cmd --permanent ...', the existing rules are flushed.
What is the impact of this issue to you?
Customers end up with systems without network protection, or without the ability to log in to the system.
Please provide the package NVR for which the bug is seen:
firewalld, all versions
How reproducible is this bug?:
always
Steps to reproduce
// Save the existing nftables rules.
# nft list ruleset > new_def.nft
// Add ipset rules (ipset611) that are not defined.
# firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source ipset=ipset4223 port protocol="tcp" port="80" accept"
# firewall-cmd --reload
// The following error occurs when running the above command.
Error: COMMAND_FAILED: 'python-nftables' failed: internal:0:0-0: Error: Could not process rule: No such file or directory
internal:0:0-0: Error: Could not process rule: No such file or directory
[..]
// Save nftables rules at this point.
# nft list ruleset > new_ruleset.nft
// verify changes
# diff -y new_def.nft new_ruleset.nft
[..many changes..]
Expected results
Ideally, the same rules as before should be in place.
Actual results
Flushed rules etc.
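A workaround for the reproduction steps above, added here as an example and not part of the bug report or of firewalld itself: before committing a rich rule to the permanent configuration, extract the `ipset=NAME` it references and refuse the rule when that name is not in the output of `firewall-cmd --permanent --get-ipsets`, so the reload that flushes the ruleset is never triggered. The name character class and the wrapper function `safe_add_rich_rule` are assumptions of this example; `firewall-cmd` is only invoked by the wrapper, the checking functions are pure shell.

```shell
#!/bin/sh
# Added example (not from the bug report): guard against adding a rich rule
# that references an ipset firewalld does not know about.

# extract_ipset RULE -> prints the ipset name referenced in a rich rule,
# or nothing when the rule references no ipset.
# Assumption: ipset names consist of letters, digits, '_', '.', ':' and '-'.
extract_ipset() {
    printf '%s\n' "$1" | sed -n 's/.*ipset=\([A-Za-z0-9_.:-]*\).*/\1/p'
}

# ipset_defined NAME LIST -> exit 0 when NAME is one of the whitespace-separated
# names in LIST (the shape `firewall-cmd --permanent --get-ipsets` prints).
ipset_defined() {
    name=$1
    for s in $2; do
        [ "$s" = "$name" ] && return 0
    done
    return 1
}

# rule_is_safe RULE LIST -> exit 0 when the rule references no ipset, or one
# that is present in LIST; exit 1 when it references an undefined ipset.
rule_is_safe() {
    set_name=$(extract_ipset "$1")
    [ -z "$set_name" ] && return 0
    ipset_defined "$set_name" "$2"
}

# safe_add_rich_rule RULE -> hypothetical wrapper: only adds and reloads when
# every ipset the rule refers to already exists in the permanent config.
# Requires firewall-cmd in PATH; not exercised by the checks below.
safe_add_rich_rule() {
    defined=$(firewall-cmd --permanent --get-ipsets) || return 1
    if ! rule_is_safe "$1" "$defined"; then
        echo "refusing: rule references undefined ipset '$(extract_ipset "$1")'" >&2
        return 2
    fi
    firewall-cmd --permanent --add-rich-rule="$1" && firewall-cmd --reload
}
```

Run `safe_add_rich_rule 'rule family="ipv4" source ipset=ipset4223 port protocol="tcp" port="80" accept'` in place of the bare `firewall-cmd --permanent --add-rich-rule=...` call; on a host where `ipset4223` has not been created with `--new-ipset`, it exits with status 2 and leaves both the permanent configuration and the running ruleset untouched.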