RHEL-9316

RFE: firewall-cmd should be able to deal with nft-rules with "burst"

    • firewalld-0.9.11-8.el8_10
    • rhel-sst-networking-core
    • ssg_networking
    • 20
    • 5
    • False
    • Yes
    • None
    • Enhancement
      Feature, enhancement (describe the feature or enhancement from the user's point of view): The firewalld rich language feature "limit" now supports a "burst" argument.
      Reason (why has the feature or enhancement been implemented): This allows adding a "burst" to the rate limiter for accept/drop/etc.
      Result (what is the current user experience): Users can now control the burstiness of their rich rules.
    • Proposed
    • None

      Description of problem:
      Via rich rules, one can use for example

        firewall-cmd --permanent --zone=XXX --add-rich-rule='rule family="ipv4" source address=192.168.4.0/24 service name=all log prefix="IN_BOUND_XXX " level="info" limit value="2/d" accept'

      Once bz2181406 is implemented, that will create nft rules like the following command would create:

        nft add rule inet firewalld filter_IN_public_log ip saddr 192.168.4.0/24 \
          tcp dport 22 ct state { new, untracked } \
          limit rate 2/day log prefix "IN_BOUND_XXXX " level info

      The issue is that firewall-cmd does not handle the nft "burst" option. The above will assume "burst 5 packets", but to set the limit of 2/day, we would need firewall-cmd to handle burst, so it creates a rule like this:

        # nft add rule inet firewalld filter_IN_public_log ip saddr 192.168.4.0/24 \
          tcp dport 22 ct state { new, untracked } \
          limit rate 2/day burst 1 packets log prefix "IN_BOUND_XXXX " level info

      firewall-cmd might use a different interface instead of the nft utility.

      Version-Release number of selected component (if applicable):
      all

      How reproducible:
      always

      Expected outcome:
      firewall-cmd should be extended to create nft rules which allow setting of burst, i.e. "burst 1 packets".
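      The following Python is an added example for this issue; it is not code from the report, from firewalld or from nftables. It models an nft "limit rate N/unit burst B packets" expression as a plain token bucket (bucket size B packets' worth of credit, refilled continuously at the configured rate), which is an assumption: the kernel's nft_limit accounting may differ in detail. The helper names (parse_rich_limit, nft_limit_expr, TokenBucket, matched) and the arrival times in SCAN_THEN_TRICKLE are constructed for the example. It shows why "limit value=2/d" rendered as "limit rate 2/day" with nft's default "burst 5 packets" lets five packets through at once, while "burst 1 packets" gives the one-packet-then-one-per-12h behaviour the report is asking for.

```python
"""Token-bucket model of an nftables `limit rate ... burst N packets` expression.

Added example for RHEL-9316, not code from the report, firewalld or nftables.
The bucket model is an assumption (the kernel's nft_limit may differ in detail).
"""
from typing import List, Optional, Tuple

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}
# firewalld rich-rule duration suffixes (limit value="2/d") mapped to nft unit names
FIREWALLD_UNITS = {"s": "second", "m": "minute", "h": "hour", "d": "day"}


def parse_rich_limit(value: str) -> Tuple[int, str]:
    """Parse a firewalld rich-rule limit such as "2/d" into (rate, nft unit name)."""
    rate, _, unit = value.partition("/")
    if not rate.isdigit() or int(rate) < 1 or unit not in FIREWALLD_UNITS:
        raise ValueError(f"bad limit value {value!r}")
    return int(rate), FIREWALLD_UNITS[unit]


def nft_limit_expr(rate: int, unit: str, burst: Optional[int] = None) -> str:
    """Render the nft limit expression; burst=None leaves nft's default (5 packets)."""
    expr = f"limit rate {rate}/{unit}"
    if burst is not None:
        expr += f" burst {burst} packets"
    return expr


class TokenBucket:
    """One packet costs `cost` seconds of credit; the bucket holds `burst` packets' worth.

    Integer seconds are used for the credit, in the spirit of the kernel keeping
    its tokens in integer nanoseconds, so the arithmetic is exact.
    """

    def __init__(self, rate: int, unit: str, burst: int = 5):
        if rate < 1 or burst < 1:
            raise ValueError("rate and burst must be >= 1")
        self.cost = UNIT_SECONDS[unit] // rate  # seconds of credit one packet consumes
        self.capacity = self.cost * burst       # bucket size: burst packets' worth
        self.tokens = self.capacity             # bucket starts full
        self.last = 0

    def allow(self, now: int) -> bool:
        """True if a packet arriving at `now` (seconds, non-decreasing) is within the limit."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last))  # refill
        self.last = now
        if self.tokens >= self.cost:
            self.tokens -= self.cost
            return True
        return False


def matched(arrivals: List[int], rate: int, unit: str, burst: int = 5) -> List[int]:
    """Arrival times (sorted, seconds) at which the limit expression matches."""
    bucket = TokenBucket(rate, unit, burst)
    return [t for t in arrivals if bucket.allow(t)]


# Constructed traffic: a 10-packet scan in the first 10 seconds, then one packet
# per hour for the rest of the day.
SCAN_THEN_TRICKLE = list(range(10)) + [h * 3600 for h in range(1, 25)]

if __name__ == "__main__":
    rate, unit = parse_rich_limit("2/d")
    for burst in (None, 1):
        expr = nft_limit_expr(rate, unit, burst)
        hits = matched(SCAN_THEN_TRICKLE, rate, unit, 5 if burst is None else burst)
        print(f"{expr:38s} -> {len(hits)} packets matched, at t={hits}")
```

      With the default burst the first five scan packets all match (and would all be logged) before the 2/day rate ever comes into play; with burst 1 only the first packet matches, then one more every 12 hours.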

              egarver Eric Garver
              rhn-support-chorn Christian Horn
              Thomas Haller Thomas Haller
              Tomas Dolezal Tomas Dolezal
              Votes: 0
              Watchers: 10
