firewalld-backend: fw_init() causes errors trying to insert ipsets/rules that already exist

Issue #100 resolved
Christopher Engelhard
created an issue

OS: Tested on Fedora 28/Archlinux with firewalld v5.5.x/v6.x.x
Version: sshguard 2.2.0
Backend: sshg-fw-firewalld

The fw_init() function causes an error in firewalld when adding the sshguard4/6 ipsets and a warning when adding the rich rules anytime sshguard is started after the first run, due to the ipsets/rules being persistent between restarts:

firewalld[31407]: ERROR: NAME_CONFLICT: new_ipset(): 'sshguard6'
firewalld[31407]: WARNING: ALREADY_ENABLED: rule family=ipv6 source ipset=sshguard6 drop
firewalld[31407]: ERROR: NAME_CONFLICT: new_ipset(): 'sshguard4'
firewalld[31407]: WARNING: ALREADY_ENABLED: rule family=ipv4 source ipset=sshguard4 drop

This does not affect functionality, it just causes the above errors to be logged by firewalld, which is annoying when monitoring logs.

Steps to reproduce:

1. Run sshguard with the firewalld-backend.
2. Stop and restart sshguard.
3. Check the logs for firewalld-errors.

I've attached a patch to sshg-fw-firewalld.sh that fixes this by first checking whether the filtering rule exists before creating the rule & ipset.
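An idempotent fw_init in the spirit of the fix this report describes, written as an added example for this page (it is not the attached patch and not sshguard's own sshg-fw-firewalld.sh). It assumes firewall-cmd's `--permanent --get-ipsets` and `--permanent --list-rich-rules` as the existence checks, and a hypothetical `FWCMD` variable so the command can be substituted in tests. Rules are matched by substring because firewalld rewrites a rule into canonical form before storing it (the logged warning shows `family=ipv6` being prepended), so an exact string compare against the rule you submitted may not match what firewalld lists.

```shell
#!/bin/sh
# Added example: idempotent fw_init for a firewalld backend.
# Not sshguard's script. Assumption: $FWCMD names the firewall-cmd binary
# (or a stand-in), so the same logic can be exercised without a live firewalld.

FWCMD="${FWCMD:-firewall-cmd}"
FW_CREATED=0   # number of objects created by the last fw_init run

# Return 0 if the permanent ipset $1 already exists.
# --get-ipsets prints names separated by whitespace, hence the unquoted expansion.
fw_ipset_exists() {
    for name in $("$FWCMD" --permanent --get-ipsets 2>/dev/null); do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# Return 0 if a permanent rich rule dropping traffic from ipset $1 exists.
# Substring match: firewalld stores the canonical form of the rule, which may
# carry an added "family=..." token, so do not compare the full string.
fw_rule_exists() {
    "$FWCMD" --permanent --list-rich-rules 2>/dev/null |
        grep -qF -- "source ipset=$1 drop"
}

# Create ipset $1 for address family $2 (inet or inet6) unless it is present.
fw_ensure_ipset() {
    if fw_ipset_exists "$1"; then
        return 0
    fi
    "$FWCMD" -q --permanent --new-ipset="$1" --type=hash:net \
        --option=family="$2" || return 1
    FW_CREATED=$((FW_CREATED + 1))
}

# Add the drop rule for ipset $1 unless it is present.
fw_ensure_rule() {
    if fw_rule_exists "$1"; then
        return 0
    fi
    "$FWCMD" -q --permanent --add-rich-rule="rule source ipset=$1 drop" || return 1
    FW_CREATED=$((FW_CREATED + 1))
}

# Bring both ipsets and both rules into existence. Safe to call on every start:
# nothing that already exists is re-inserted, so firewalld logs no
# NAME_CONFLICT or ALREADY_ENABLED. The ipset and the rule are checked
# separately, so a missing half (ipset without rule, or rule without ipset)
# is still repaired. The permanent config is only reloaded when something changed.
fw_init() {
    FW_CREATED=0
    fw_ensure_ipset sshguard4 inet  || return 1
    fw_ensure_ipset sshguard6 inet6 || return 1
    fw_ensure_rule  sshguard4       || return 1
    fw_ensure_rule  sshguard6       || return 1
    if [ "$FW_CREATED" -gt 0 ]; then
        "$FWCMD" -q --reload || return 1
    fi
    return 0
}
```

Running fw_init twice against a real firewalld should leave FW_CREATED at 0 on the second run and produce no new firewalld log lines; the existence checks are not atomic, so two backends started concurrently could still race, which is acceptable for a single sshguard instance.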

Comments (3)