Ipset being deprecated?

BillT · February 2, 2023, 5:30am

I noticed the following warning on startup with rocky 9.

Warning: Deprecated Driver is detected: ipset will not be maintained in a future major release and may be disabled

I use an ipset list with all the published cloudflare address blocks to allow web server access only from cloudflare sources using

firewall-cmd --permanent --new-ipset=cloudflare --type=hash:net
firewall-cmd --permanent --ipset=cloudflare --add-entries-from-file=cloudflare.ips

and then apply it to a “rich rule”.

Does anyone know what to use instead of ipset to carry out this function that will continue working when rocky 10 comes out?

iwalker · February 2, 2023, 7:02am

I do it differently. I create a zone called cloudflare. To this zone I add the services http and https. I then use curl to get the IPv4 and IPv6 listing from Cloudflare and parse the results to then use these with the firewall-cmd --add-source command for the cloudflare zone.

Obviously then remove http and https from public zone to force everything via cloudflare with no direct connections coming to your VPS. My script that does this:

#!/bin/bash
#
# Script to get Cloudflare IP's and add to firewalld zone

# Variables
CF_IPLIST=`curl -s "https://api.cloudflare.com/client/v4/ips"`
IPV4=`echo ${CF_IPLIST} | jq .result.ipv4_cidrs[] | sed 's/"//g'`
IPV6=`echo ${CF_IPLIST} | jq .result.ipv6_cidrs[] | sed 's/"//g'`
ZONE_NAME=cloudflare

# Update firewalld to allow inbound http/https
#
# Clear all source IP's CLOUDFLARE zone
for IP in `firewall-cmd --zone=${ZONE_NAME} --list-sources`
do
  firewall-cmd --zone=${ZONE_NAME} --remove-source=${IP} --permanent > /dev/null
done

# Create IPV4 rules
for IP in $IPV4
do
  firewall-cmd --zone=${ZONE_NAME} --add-source=${IP} --permanent > /dev/null
done

# Create IPV6 rules
for IP in $IPV6
do
  firewall-cmd --zone=${ZONE_NAME} --add-source=${IP} --permanent > /dev/null
done

# Reload firewall config
firewall-cmd --reload

obviously before running the script you need to ensure the cloudflare zone has been created. I could theoretically have coded the script to deal with that and create it automatically if it didn’t exist.

The script will remove all existing source IP’s from the cloudflare zone, before adding the new ones. I run it via cron once per week so as to not get blocked pulling the IP list from cloudflare.

BillT · February 2, 2023, 8:56am

Thanks for this. I will try it out.

jlehtone · February 2, 2023, 9:53am

The ‘ipset’ and ‘iptables’ tools of old did talk to netfilter in the the kernel.
In el8 and el9 (and also backported in el7) there is nftables in the kernel.
At least the ‘iptables’ in el8 and el9 is a wrapper that translates rules to nftables syntax.
See Chapter 2. Getting started with nftables Red Hat Enterprise Linux 9 | Red Hat Customer Portal

The nftables has sets and verdict maps. Chapter 2. Getting started with nftables Red Hat Enterprise Linux 9 | Red Hat Customer Portal

The real question is, does the FirewallD’s “ipset” actually call ‘ipset’, or does it use nftables’ sets?

You have that ipset=cloudflare. Run sudo nft list ruleset to see what FirewallD has actually told to the kernel.

BillT · February 2, 2023, 10:26am

This is what it shows (I’m only running IPV4 on the server at present):

# nft list ruleset
table inet firewalld {
	set cloudflare {
		type ipv4_addr
		flags interval
		elements = { 103.21.244.0/22, 103.22.200.0/22,
			     103.31.4.0/22, 104.16.0.0/13,
			     104.24.0.0/14, 108.162.192.0/18,
			     131.0.72.0/22, 141.101.64.0/18,
			     162.158.0.0/15, 172.64.0.0/13,
			     173.245.48.0/20, 188.114.96.0/20,
			     190.93.240.0/20, 197.234.240.0/22,
			     198.41.128.0/17 }
	}

jlehtone · February 2, 2023, 11:52am

That is a nftables named set. Therefore, you (firewalld) are not using the deprecated ipset and should be able to continue to do so in the future too.

sparesimian · February 3, 2023, 8:19am

I’m still on Rocky 8 but will be filing this away for future reference. I’ve been using this resource with some scripts to massage the download into ipset XML files, but it sounds like I should be invoking firewall-cmd to manage the sets.

BillT · February 3, 2023, 11:47am

OK thanks. I’m wondering why the warning? Maybe something to do with the in place upgrade from Rocky 8.

jlehtone · February 3, 2023, 1:00pm

Quite possible. Rocky does not support in-place upgrades. (Neither did CentOS.)

IMHO, if you can do a fresh, clean (re)install, then life is more secure; there are no in-place options if, for example a server burns to crisp – a clean reinstall will be required.

jlehtone · February 3, 2023, 1:08pm

Both el8 and el9 do have two mutually exclusive services: firewalld.service and nftables.service. (Well, iptables.service too, but it is clearly deprecated.)

Both services can create the sets.
If you have rather static environment (as production servers usually are) and you know how to write a proper ruleset, then nftables.service is a great choice.
If you don’t master filtering or there is a need for dynamics, then FirewallD is more convenient.

Darmach · May 15, 2023, 8:06pm

I am seeing the same on Rocky 9 fresh install, using firewalld with blocklist added with ipset.

@iwalker
Adding blocklists as single source IPs is not really feasible - as with big blocklists it tends to take a lot of time (seen mentions about half of an hour on startup :)) - with ipset it’s very fast.

iwalker · May 15, 2023, 8:20pm

@Darmach I don’t add single IP’s, mine adds for example Cloudflare subnet’s. Also, using the --permanent parameter, means the subnets are added, and reloaded later, no issues with speed whatsoever, or even restricting access when I delete potentially old unexisting subnets, before adding the new ones again. Maybe not 100% ideal, but it does the job.

But yeah, ipset I’ve used with iptables, I just prefer to do it the firewalld way now and use what is by default available with EL8/EL9 it’s quick and simple, and I don’t have to learn to deeply with nftables.

But of course, everyone is free to choose how they want

Darmach · May 15, 2023, 11:04pm

Let’s not get sidetracked by the discussion of which way is better, I’m glad blocking subnets works great for you, the lists I use have about 30k of entries (mostly subnets - www.ipdeny.com).

From @jlehtone messages it looks like I might not be impacted - as with firewalld might not be using deprecated ipsets. This, however, brings the same concerns that @BillT had - why we see the warnings?

In my case the output looks like follows - so it looks the same as @BillT nftables named set, right?

        set blacklist {
                type ipv4_addr
                flags interval
                elements = { 1.0.1.0/24, 1.0.2.0/23,
                             1.0.8.0/21, 1.0.32.0/19,
                             1.1.0.0/24, 1.1.2.0/23,
                             1.1.4.0/22, 1.1.8.0/24,
                             1.1.9.0/24, 1.1.10.0/23,
                             1.1.12.0/22, 1.1.16.0/20,
                             1.1.32.0/19, 1.2.0.0/23,
                             1.2.2.0/24, 1.2.4.0/24,
                             1.2.5.0/24, 1.2.6.0/23,
                             1.2.8.0/24, 1.2.9.0/24,
                             1.2.10.0/23, 1.2.12.0/22,
                             1.2.16.0/20, 1.2.32.0/19,
...

On RedHat ipset deprecated warning - Red Hat Customer Portal solution is in progress (for now).
From the description it looks like they’re actually calling ipset. To deploy the rules above I actually had to install ipset. @jlehtone are you sure I am not using it?

jlehtone · May 16, 2023, 6:33am

The only place, where I have (sets of any kind in use) is still a CentOS 7.

On el9_2 system:

nft add set filter ssh_flood '{ type ipv4_addr; flags dynamic; }'

adds a named set without fuss:

# nft list table filter | head -6
table ip filter {
	set ssh_flood {
		type ipv4_addr
		flags dynamic
	}

# ipset list
# dmesg | grep -i ipset
#

The ipset create black hash:ip does invoke the warning:

# ipset list
Name: black
Type: hash:ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xb475fd8f
Size in memory: 216
References: 0
Number of entries: 0
Members:
# dmesg | grep -i ipset
[86107.645424] Warning: Deprecated Driver is detected: ipset will not be maintained in a future major release and may be disabled

and ‘nft’ does not see it:

# nft list ruleset | grep black
#

In other words, the ‘ipset’ is not a wrapper/translator to nftables like the ‘iptables’ is in el8 and el9.

Overall, Ipset - nftables wiki does that show how to translate ipset sets into nftables constructs. If nft does not see the ipset set, then how could it use it?

Does the firewalld create (and populate) both ipset and nftables sets in your config?

PS. The “ipset create” did load the ip_set kernel module. That is the most likely source of the warning.
The lsmod | grep ip_set should show something. The question remains, why that load is triggered?

Darmach · May 16, 2023, 9:42am

Looks like it’s not bein loaded - lsmod | grep ipset shows nothing on my machine!

Maybe the warning itself is false positive, I can’t uninstall ipset though:

root@nas ~ 0 $ yum remove ipset
Dependencies resolved.
==============================================================================================================================================================================================================================================
 Package                                                         Architecture                                      Version                                                        Repository                                             Size
==============================================================================================================================================================================================================================================
Removing:
 ipset                                                           x86_64                                            7.11-7.el9_1                                                   @baseos                                                71 k
Removing dependent packages:
 fail2ban                                                        noarch                                            1.0.2-3.el9                                                    @epel                                                   0
 firewalld                                                       noarch                                            1.1.1-3.el9                                                    @anaconda                                             2.0 M

My blacklists are added with a script using:

# Create the ipset blacklist which accepts both IP addresses and networks
firewall-cmd -q --permanent --new-ipset=blacklist --type=hash:net \
    --option=family=inet --option=hashsize=4096 --option=maxelem=200000
...
    firewall-cmd -q --permanent --ipset=blacklist  --add-entries-from-file=./$country.zone

None from the script above cause actual ipset module to be used/loaded, right?

From this:

root@nas ~ 0 $ lsmod |grep ipset
root@nas ~ 1 $ yum list installed | grep ipset
ipset.x86_64                            7.11-7.el9_1                  @baseos
ipset-libs.x86_64                       7.11-7.el9_1                  @baseos
root@nas ~ 0 $ yum remove ipset
...
Removing:
 ipset                                                           x86_64                                            7.11-7.el9_1                                                   @baseos                                                71 k
Removing dependent packages:
 fail2ban                                                        noarch                                            1.0.2-3.el9                                                    @epel                                                   0
 firewalld                                                       noarch                                            1.1.1-3.el9                                                    @anaconda                                             2.0 M

I suspect that:

since modules is not loaded, it’s not really used
the warning does not change if module is used, but if package is installed
fail2ban and firewalld dependencies are wrong?

jlehtone · May 16, 2023, 12:14pm

The underscore:

lsmod | grep ip_set

Darmach · May 16, 2023, 12:21pm

Indeed…

root@nas ~ 1 $ lsmod | grep ip_set
ip_set_hash_net        53248  1
ip_set                 61440  1 ip_set_hash_net
nfnetlink              20480  3 nf_tables,ip_set

jlehtone · May 16, 2023, 12:31pm

So, you have at least one set that has hashes, presumably. Do you see it with:

ipset list

If you do, does it have same or different entries than the set in nft ruleset?

Darmach · May 18, 2023, 11:15am

Yes, it does. I cleaned up ipset/nft, cleaned up firewalld. Recreated entries with firewalld, ipset was created, nft ruleset created, same addresses. So it looks like the warning is legit - I am using actual ipset when doing

firewall-cmd -q --permanent --new-ipset=blacklist --type=hash:net \
    --option=family=inet --option=hashsize=4096 --option=maxelem=200000
...
    firewall-cmd -q --permanent --ipset=blacklist  --add-entries-from-file=./$country.zone

jlehtone · May 18, 2023, 1:09pm

In other words, the issue is that FirewallD does produce both ipset and nftables set with its --new-ipset action, while one expects it to create only one set that matches the chosen backend. None of the generated (nftables) rules do actually use the ipset set (when backend is nftables).

One probably should:

Get a CentOS Stream system
Verify that firewall in it still has this behaviour
Report a CentOS Stream bug to Red Hat

That, after all, is the touted purpose of CentOS Stream, isn’t it?