Bug 713658

Summary: net-firewall/firewalld-0.7.3 ipsets are not usable
Product: Gentoo Linux
Reporter: nE0sIghT <ykonotopov>
Component: Current packages
Assignee: Virtualization Team <virtualization>
Status: RESOLVED FIXED
Severity: normal
CC: jstein
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/firewalld/firewalld/issues/591, https://github.com/gentoo/gentoo/pull/15032
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: emerge --info net-firewall/firewalld; fixed stable ebuild (version 0.7.1)

Description nE0sIghT 2020-03-20 15:43:20 UTC
# journalctl -u firewalld:
Mar 20 19:32:37 vortex firewalld[509]: WARNING: ipset not usable, disabling ipset usage in firewall.
Mar 20 19:32:37 vortex firewalld[509]: WARNING: LAN: INVALID_TYPE: 'hash:ip' is not supported by ipset., ignoring for run-time.
Mar 20 19:32:37 vortex firewalld[509]: WARNING: LAN_pcs: INVALID_TYPE: 'hash:ip' is not supported by ipset., ignoring for run-time.
Mar 20 19:32:38 vortex firewalld[509]: WARNING: INVALID_IPSET: LAN_pcs
Mar 20 19:32:38 vortex firewalld[509]: WARNING: INVALID_IPSET: LAN_pcs
Mar 20 19:32:38 vortex firewalld[509]: WARNING: INVALID_IPSET: LAN

# zgrep -i ip_set /proc/config.gz 
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=m
CONFIG_IP_SET_BITMAP_IPMAC=m
CONFIG_IP_SET_BITMAP_PORT=m
CONFIG_IP_SET_HASH_IP=y
CONFIG_IP_SET_HASH_IPMARK=y
CONFIG_IP_SET_HASH_IPPORT=y
CONFIG_IP_SET_HASH_IPPORTIP=y
CONFIG_IP_SET_HASH_IPPORTNET=y
CONFIG_IP_SET_HASH_IPMAC=y
CONFIG_IP_SET_HASH_MAC=y
CONFIG_IP_SET_HASH_NETPORTNET=y
CONFIG_IP_SET_HASH_NET=y
CONFIG_IP_SET_HASH_NETNET=y
CONFIG_IP_SET_HASH_NETPORT=y
CONFIG_IP_SET_HASH_NETIFACE=y
CONFIG_IP_SET_LIST_SET=y



Reproducible: Always
Comment 1 nE0sIghT 2020-03-20 15:43:52 UTC
Created attachment 623314
emerge --info net-firewall/firewalld
Comment 2 nE0sIghT 2020-03-21 06:38:20 UTC
Debugging this in [1], it looks like firewalld expects `ipset` to be in /sbin, but Gentoo provides it in /usr/sbin.

[1] https://github.com/firewalld/firewalld/issues/591
Comment 3 Erik Quaeghebeur 2020-03-21 11:15:37 UTC
Created attachment 623798
fixed stable ebuild (version 0.7.1)

The pull request is for the testing version; this ebuild applies the same change to the stable version and should be possible to update as stable.
Comment 4 Erik Quaeghebeur 2020-03-21 11:18:10 UTC
N.B.: It may well be that the correct solution is to move ipset to /sbin from /usr/sbin, in analogy to all the other (ip|nf)tables tools.
Comment 5 Matthias Maier gentoo-dev 2020-03-21 14:43:19 UTC
Good point. What a stupid mistake (I accidentally tested on my main machine which has a merged /usr...)
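
The failure mode in this report, as an added example (not from the bug report or from firewalld): a shell check for whether the /sbin lookup described in comment 2 resolves under a given root, including the merged-/usr case from comment 5, plus a filter that lists the ipsets firewalld dropped according to its journal. The function names are hypothetical; the sample lines are the ones quoted in the description.

```shell
#!/bin/sh
# Added example; not from the bug report or from firewalld.

# check_tool_path ROOT TOOL
# Reports whether a lookup of /sbin/TOOL (the location the report says
# firewalld expects) succeeds under ROOT. ROOT is "" for the live system.
check_tool_path() {
    root=$1 tool=$2
    if [ -x "$root/sbin/$tool" ]; then
        # With a merged /usr, /sbin is a symlink into /usr, so the lookup
        # succeeds even though the package installed to /usr/sbin.
        if [ -L "$root/sbin" ]; then echo "ok-merged-usr"; else echo "ok"; fi
    elif [ -x "$root/usr/sbin/$tool" ]; then
        echo "mismatch"    # installed, but not where the daemon looks
    else
        echo "missing"
    fi
}

# dropped_ipsets: reads firewalld journal lines on stdin and prints the
# unique names of ipsets that were ignored or rejected at run-time.
dropped_ipsets() {
    sed -n \
        -e 's/.*WARNING: INVALID_IPSET: \(.*\)$/\1/p' \
        -e 's/.*WARNING: \([^:]*\): INVALID_TYPE:.*/\1/p' |
        LC_ALL=C sort -u
}

# Sample input: the journal lines quoted in the description above.
sample_journal() {
    cat <<'EOF'
Mar 20 19:32:37 vortex firewalld[509]: WARNING: ipset not usable, disabling ipset usage in firewall.
Mar 20 19:32:37 vortex firewalld[509]: WARNING: LAN: INVALID_TYPE: 'hash:ip' is not supported by ipset., ignoring for run-time.
Mar 20 19:32:37 vortex firewalld[509]: WARNING: LAN_pcs: INVALID_TYPE: 'hash:ip' is not supported by ipset., ignoring for run-time.
Mar 20 19:32:38 vortex firewalld[509]: WARNING: INVALID_IPSET: LAN_pcs
Mar 20 19:32:38 vortex firewalld[509]: WARNING: INVALID_IPSET: LAN_pcs
Mar 20 19:32:38 vortex firewalld[509]: WARNING: INVALID_IPSET: LAN
EOF
}

# On a live system: journalctl -u firewalld | dropped_ipsets
sample_journal | dropped_ipsets
```

Any name printed by dropped_ipsets is a set that rules referencing it cannot match at run-time, so a non-empty result after a firewalld restart is worth alerting on.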
Comment 6 Larry the Git Cow gentoo-dev 2020-03-21 14:44:54 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=47c7b978fde49799a24ebc0872c820caacb0dd45

commit 47c7b978fde49799a24ebc0872c820caacb0dd45
Author:     Matthias Maier <tamiko@gentoo.org>
AuthorDate: 2020-03-21 14:43:33 +0000
Commit:     Matthias Maier <tamiko@gentoo.org>
CommitDate: 2020-03-21 14:44:18 +0000

    net-firewall/firewalld: fix ipset path
    
    Closes: https://bugs.gentoo.org/713658
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

 net-firewall/firewalld/Manifest                    |   1 -
 net-firewall/firewalld/firewalld-0.6.3-r1.ebuild   | 102 ---------------------
 net-firewall/firewalld/firewalld-0.7.1-r1.ebuild   | 101 --------------------
 ...d-0.7.1-r2.ebuild => firewalld-0.7.1-r3.ebuild} |   2 +-
 ...alld-0.7.3.ebuild => firewalld-0.7.3-r1.ebuild} |   2 +-
 5 files changed, 2 insertions(+), 206 deletions(-)
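
Review bot: the commit message says only "fix ipset path", but the diffstat also deletes firewalld-0.6.3-r1.ebuild (102 lines) and firewalld-0.7.1-r1.ebuild (101 lines) and drops a line from Manifest. Mention the removal of the old versions in the message, or move it to its own commit, so that the one-line change carried by each of the two renamed ebuilds (0.7.1-r3 and 0.7.3-r1) is easy to find in history. The message could also name the ipset path that is now used.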