Control: forwarded -1 https://github.com/firewalld/firewalld/issues/933

I forwarded this issue upstream.

Eric, the upstream author, suggested using ipset for large block lists.
See https://www.epilis.gr/en/blog/2017/04/03/ipset-firewalld/

Regards,
Michael

On Sun, 27 Feb 2022 11:56:09 +0100 Felix Niederwanger <[email protected]> wrote:
Package: firewalld
Version: 0.9.3-2

## Observation

I'm noticing that `firewall-cmd --reload` crashes when it has to deal
with a large drop.xml file, as shown here:

root@debian:/etc/firewalld/zones# time firewall-cmd --reload
ERROR:dbus.proxies:Introspect error on :1.28084:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
Error: Message recipient disconnected from message bus without replying

real    15m2.633s
user    0m0.273s
sys     0m0.045s


root@debian:/etc/firewalld/zones# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
     Active: failed (Result: signal) since Sun 2022-02-27 10:46:57 CET; 27min ago
       Docs: man:firewalld(1)
    Process: 33724 ExecStart=/usr/sbin/firewalld --nofork --nopid (code=killed, signal=KILL)
   Main PID: 33724 (code=killed, signal=KILL)
        CPU: 15min 20.336s

Feb 27 10:31:34 debian systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 27 10:31:35 debian systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 27 10:46:57 debian systemd[1]: firewalld.service: Main process exited, code=killed, status=9/KILL
Feb 27 10:46:57 debian systemd[1]: firewalld.service: Failed with result 'signal'.
Feb 27 10:46:57 debian systemd[1]: firewalld.service: Consumed 15min 20.336s CPU time.


## Reproducer

Find attached to this email my drop.xml list. I tested this bug in a
fresh VM running Debian 10 with all installed updates.

* Put attached drop.xml into /etc/firewalld/zones/drop.xml

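Added example, not part of the original thread or of firewalld: one way to follow the ipset suggestion is to move the per-address sources of a zone file into a single `hash:net` ipset that the zone references once. It assumes the attached drop.xml consists of `<source address="..."/>` elements (the attachment is not shown here); the set name `blocklist` and the sample addresses are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample standing in for a large drop.xml. Assumed layout: one
# <source address="..."/> element per blocked host or network.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <source address="192.0.2.10"/>
  <source address="198.51.100.0/24"/>
  <source address="198.51.100.77"/>
  <source address="2001:db8::/32"/>
  <source address="not-an-address"/>
</zone>"""


def split_zone(zone_xml, set_name="blocklist"):
    """Move IPv4 <source address> entries of a zone into a hash:net ipset.

    Returns (zone_xml, ipset_xml, skipped). Skipped sources (IPv6 or
    unparsable) stay in the zone untouched so nothing is dropped silently.
    """
    zone = ET.fromstring(zone_xml)
    nets, skipped = [], []
    for src in zone.findall("source"):
        addr = src.get("address")
        if addr is None:          # already an ipset= or mac= source
            continue
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            net = None
        if net is None or net.version != 4:
            skipped.append(addr)  # an inet6 set would need its own file
            continue
        nets.append(net)
        zone.remove(src)

    ipset = ET.Element("ipset", type="hash:net")
    ET.SubElement(ipset, "short").text = set_name
    # collapse_addresses() merges duplicates and networks covered by others
    for net in ipaddress.collapse_addresses(nets):
        ET.SubElement(ipset, "entry").text = str(net)
    if nets:
        ET.SubElement(zone, "source", ipset=set_name)  # one source, not thousands
    return (ET.tostring(zone, encoding="unicode"),
            ET.tostring(ipset, encoding="unicode"), skipped)


if __name__ == "__main__":
    new_zone, new_ipset, skipped = split_zone(SAMPLE_ZONE)
    print(new_ipset, new_zone, "skipped:", skipped, sep="\n")
```

The ipset XML would be saved as /etc/firewalld/ipsets/blocklist.xml and the rewritten zone as /etc/firewalld/zones/drop.xml before reloading; review the skipped list first.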