Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 713658 - net-firewall/firewalld-0.7.3 ipsets are not usable
Summary: net-firewall/firewalld-0.7.3 ipsets are not usable
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Virtualization Team
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-03-20 15:43 UTC by nE0sIghT
Modified: 2020-03-21 14:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
emerge --info net-firewall/firewalld (emerge.info,8.39 KB, text/plain)
2020-03-20 15:43 UTC, nE0sIghT 		Details
fixed stable ebuild (version 0.7.1) (firewalld-0.7.1-r3.ebuild,3.18 KB, text/plain)
2020-03-21 11:15 UTC, Erik Quaeghebeur 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description nE0sIghT 2020-03-20 15:43:20 UTC 
# journalctl -u firewalld:
Mar 20 19:32:37 vortex firewalld[509]: WARNING: ipset not usable, disabling ipset usage in firewall.
Mar 20 19:32:37 vortex firewalld[509]: WARNING: LAN: INVALID_TYPE: 'hash:ip' is not supported by ipset., ignoring for run-time.
Mar 20 19:32:37 vortex firewalld[509]: WARNING: LAN_pcs: INVALID_TYPE: 'hash:ip' is not supported by ipset., ignoring for run-time.
Mar 20 19:32:38 vortex firewalld[509]: WARNING: INVALID_IPSET: LAN_pcs
Mar 20 19:32:38 vortex firewalld[509]: WARNING: INVALID_IPSET: LAN_pcs
Mar 20 19:32:38 vortex firewalld[509]: WARNING: INVALID_IPSET: LAN

# zgrep -i ip_set /proc/config.gz 
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=m
CONFIG_IP_SET_BITMAP_IPMAC=m
CONFIG_IP_SET_BITMAP_PORT=m
CONFIG_IP_SET_HASH_IP=y
CONFIG_IP_SET_HASH_IPMARK=y
CONFIG_IP_SET_HASH_IPPORT=y
CONFIG_IP_SET_HASH_IPPORTIP=y
CONFIG_IP_SET_HASH_IPPORTNET=y
CONFIG_IP_SET_HASH_IPMAC=y
CONFIG_IP_SET_HASH_MAC=y
CONFIG_IP_SET_HASH_NETPORTNET=y
CONFIG_IP_SET_HASH_NET=y
CONFIG_IP_SET_HASH_NETNET=y
CONFIG_IP_SET_HASH_NETPORT=y
CONFIG_IP_SET_HASH_NETIFACE=y
CONFIG_IP_SET_LIST_SET=y



Reproducible: Always
Comment 1 nE0sIghT 2020-03-20 15:43:52 UTC 
Created attachment 623314 [details]
emerge --info net-firewall/firewalld
Comment 2 nE0sIghT 2020-03-21 06:38:20 UTC 
Debugging this in [1] looks like firewalld expects `ipset` to be in /sbin, but Gentoo provides it in /usr/sbin

[1] https://github.com/firewalld/firewalld/issues/591
Comment 3 Erik Quaeghebeur 2020-03-21 11:15:37 UTC 
Created attachment 623798 [details]
fixed stable ebuild (version 0.7.1)

The pull request is for the testing version, this ebuild applies the same change to the stable version and should be possible to update as stable.
Comment 4 Erik Quaeghebeur 2020-03-21 11:18:10 UTC 
N.B.: It may well be that the correct solution is to move ipset to /sbin from /usr/sbin, in analogy to all the other (ip|nf)tables tools.
Comment 5 Matthias Maier gentoo-dev 2020-03-21 14:43:19 UTC 
Good point. What a stupid mistake (I accidentally tested on my main machine which has a merged /usr...)
Comment 6 Larry the Git Cow gentoo-dev 2020-03-21 14:44:54 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47c7b978fde49799a24ebc0872c820caacb0dd45

commit 47c7b978fde49799a24ebc0872c820caacb0dd45
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-03-21 14:43:33 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-03-21 14:44:18 +0000

    net-firewall/firewalld: fix ipset path
    
    Closes: https://bugs.gentoo.org/713658
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 net-firewall/firewalld/Manifest                    |   1 -
 net-firewall/firewalld/firewalld-0.6.3-r1.ebuild   | 102 ---------------------
 net-firewall/firewalld/firewalld-0.7.1-r1.ebuild   | 101 --------------------
 ...d-0.7.1-r2.ebuild => firewalld-0.7.1-r3.ebuild} |   2 +-
 ...alld-0.7.3.ebuild => firewalld-0.7.3-r1.ebuild} |   2 +-
 5 files changed, 2 insertions(+), 206 deletions(-)