- changed status to open
firewalld-backend: fw_init() causes errors trying to insert ipsets/rules that already exist
OS: Tested on Fedora 28/Archlinux with firewalld v5.5.x/v6.x.x
Version: sshguard 2.2.0
Backend: sshg-fw-firewalld
The fw_init() function causes an error in firewalld when adding the sshguard4/6 ipsets and a warning when adding the rich rules anytime sshguard is started after the first run, due to the ipsets/rules being persistent between restarts:
firewalld[31407]: ERROR: NAME_CONFLICT: new_ipset(): 'sshguard6'
firewalld[31407]: WARNING: ALREADY_ENABLED: rule family=ipv6 source ipset=sshguard6 drop
firewalld[31407]: ERROR: NAME_CONFLICT: new_ipset(): 'sshguard4'
firewalld[31407]: WARNING: ALREADY_ENABLED: rule family=ipv4 source ipset=sshguard4 drop
This does not affect functionality, it just causes the above errors to be logged by firewalld, which is annoying when monitoring logs.
Steps to reproduce:
1. Run sshguard with the firewalld-backend.
2. Stop and restart sshguard.
3. Check the logs for firewalld-errors.
I've attached a patch to sshg-fw-firewalld.sh that fixes this by first checking whether the filtering rule exists before creating the rule & ipset.
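An idempotent fw_init() in the spirit of the fix described above, as an added example (not the attached patch and not sshguard's own code). It checks the ipset and the rich rule separately, which goes slightly beyond the single check the report describes. The `FWCMD` variable, the `ensure_blocklist` helper and the `hash:net` ipset type are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not sshguard's code. FWCMD lets the firewall-cmd binary be
# swapped out (assumption; it defaults to the real command).
FWCMD=${FWCMD:-firewall-cmd}
FW_CHANGED=0

# Hypothetical helper: make sure one ipset and its drop rule exist in the
# permanent firewalld configuration, creating only what is missing.
#   $1 = ipset name, $2 = rich-rule family (ipv4|ipv6), $3 = ipset family
ensure_blocklist() {
    set_name=$1; rule_family=$2; set_family=$3
    rule="rule family=${rule_family} source ipset=${set_name} drop"

    # --get-ipsets prints the defined ipset names separated by spaces.
    case " $($FWCMD --permanent --get-ipsets) " in
        *" ${set_name} "*) ;;  # already defined: skip, so no NAME_CONFLICT
        *)
            # hash:net is an assumed ipset type for this example.
            $FWCMD --quiet --permanent --new-ipset="$set_name" \
                --type=hash:net --option="family=${set_family}" || return 1
            FW_CHANGED=1 ;;
    esac

    # --query-rich-rule exits 0 when the rule is present, so the add (and
    # the ALREADY_ENABLED warning) only happens when it is really missing.
    if ! $FWCMD --quiet --permanent --query-rich-rule="$rule"; then
        $FWCMD --quiet --permanent --add-rich-rule="$rule" || return 1
        FW_CHANGED=1
    fi
}

fw_init() {
    FW_CHANGED=0
    ensure_blocklist sshguard6 ipv6 inet6 || return 1
    ensure_blocklist sshguard4 ipv4 inet || return 1
    # Reload only when the permanent configuration actually changed.
    if [ "$FW_CHANGED" -eq 1 ]; then
        $FWCMD --quiet --reload
    fi
}
```

Checking the two objects independently also repairs a half-configured state, for example an ipset that survived while its rule was removed by hand.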
Comments (4)
- changed status to resolved
Don't recreate existing ipsets
Thanks to Christopher Engelhard!
Resolves #100 → <<cset 9badc2f1a6fc>>
- removed version
Removing version: 2.2 (automated comment)
@da2x are you able to take a look?