I have done that. The rule is not active until a reload/restart.
If using the firewalld commands that I gave previously that is simply not possible. See below how my public zone looks:
```
root@rocky9:~# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: cockpit dhcpv6-client mssql ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
        port=443:proto=tcp:toport=8443:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
```
You can clearly see the ports: section is empty. Now I am going to add port 6443:

```
root@rocky9:~# firewall-cmd --zone=public --add-port=6443/tcp
success
```
as you can see a reload hasn't been done, now let's check what is active:

```
root@rocky9:~# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: cockpit dhcpv6-client mssql ssh
  ports: 6443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
        port=443:proto=tcp:toport=8443:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
```
as you can see port 6443 is clearly there. If I use a reload now, I will lose that configuration because I have not yet used the second command that I gave with the permanent parameter which is the one that saves it to the configuration. Whether I use Rocky 8 or Rocky 9 the results are still the same. If it doesn't work for you then it would suggest your machine is messed up from whatever you have been trying up until now.
To be fair, there are `firewall-cmd` commands where the `--permanent` is obligatory. For example, the `--new-policy`. However, since these cannot be run without `--permanent`, it should be evident that they do not take effect before reload.

There is also the `--runtime-to-permanent` action. If you can make all changes on runtime, then you can save current runtime config to (permanent) files in one go, saving you from rerunning all commands with the `--permanent`.
Another way to check whether command has any effect on runtime:

```
nft list ruleset > before.nft
firewall-cmd ...
nft list ruleset > after.nft
diff before.nft after.nft
```
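As an added example (not code from anyone in this thread), the same idea applied at the zone level: compare the runtime view of a zone with its permanent view and list the ports that exist only at runtime, i.e. the ones a `firewall-cmd --reload` would drop. The two zone dumps below are constructed sample text; on a real host they would come from `firewall-cmd --info-zone=public` and `firewall-cmd --permanent --info-zone=public`.

```shell
#!/bin/sh
# Report ports present in the runtime firewalld zone but missing from the
# permanent configuration (constructed sample dumps; see lead-in).

# Print the zone's ports, one per line, sorted. $1 is the text of an
# --info-zone style dump. Only the line that starts with "ports:" is used,
# so "forward-ports:" and "source-ports:" are not picked up.
zone_ports() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | sed '/^$/d' \
        | sort
}

# Print ports that are in the runtime dump ($1) but not in the permanent
# dump ($2). comm -23 keeps lines unique to the first (sorted) file.
runtime_only_ports() {
    rt=$(mktemp) || return 1
    pm=$(mktemp) || { rm -f "$rt"; return 1; }
    zone_ports "$1" > "$rt"
    zone_ports "$2" > "$pm"
    comm -23 "$rt" "$pm"
    rm -f "$rt" "$pm"
}

# Constructed sample: runtime has 6443/tcp added without --permanent,
# so the permanent view still lacks it.
RUNTIME_ZONE='public (active)
  target: default
  services: cockpit dhcpv6-client mssql ssh
  ports: 6443/tcp 8080/tcp
  forward-ports:
        port=443:proto=tcp:toport=8443:toaddr='
PERMANENT_ZONE='public
  target: default
  services: cockpit dhcpv6-client mssql ssh
  ports: 8080/tcp
  forward-ports:
        port=443:proto=tcp:toport=8443:toaddr='

# Prints "6443/tcp": that rule survives only until the next reload.
runtime_only_ports "$RUNTIME_ZONE" "$PERMANENT_ZONE"
```

An empty result means runtime and permanent port lists agree; a non-empty one is exactly what `--runtime-to-permanent` would fix in one go.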