Rocky 9.5 breaks netfilter

Hi,
after updating from 9.4 to 9.5 it looks like nft is broken.
After the update I can't flush IP sets.

# nft flush set inet firewalld <IP set>
Error: Could not process rule: Operation not permitted
flush set inet firewalld <IP set>
# nft list set inet firewalld <IP set>
table inet firewalld {
	set <IP set> {
		type ipv4_addr
		flags interval
		elements = { <IP> }
	}
}

On 9.4 it works as expected.

I found the source.
The firewalld default options were changed, but this was not noted in the release notes :(
After setting NftablesTableOwner=no in /etc/firewalld/firewalld.conf, the flush works again.

The external flush is needed, because firewall-cmd can only add or remove one entry from a set, but not flush the set.

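As an added example (not from the post above), this POSIX shell script audits the NftablesTableOwner value in a firewalld.conf and empties an ipset through firewall-cmd one entry at a time, so firewalld keeps ownership of its nftables table instead of the setting being disabled. It assumes firewall-cmd's --ipset, --get-entries and --remove-entry options, treats a missing NftablesTableOwner key as "yes", and the set name "blocklist" is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the post or from the firewalld project.
# Assumes firewall-cmd supports --ipset=NAME --get-entries / --remove-entry=ENTRY.

# Print the effective NftablesTableOwner value from a firewalld.conf file.
# A missing key is reported as "yes" (assumed default when the key is absent).
table_owner_setting() {
    conf="$1"
    val=$(sed -n 's/^[[:space:]]*NftablesTableOwner[[:space:]]*=[[:space:]]*//p' "$conf" \
          | tail -n 1 | tr -d '[:space:]')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'yes\n'; fi
}

# Emit one firewall-cmd command per entry that removes it from the runtime set.
# $1 = ipset name, $2 = entries, one per line (the format --get-entries prints).
# Nothing is executed here, so the plan can be reviewed or logged first.
ipset_flush_plan() {
    set_name="$1"
    printf '%s\n' "$2" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        printf 'firewall-cmd --ipset=%s --remove-entry=%s\n' "$set_name" "$entry"
    done
}

# Empty a runtime ipset via firewall-cmd without touching nft directly.
# Add --permanent to both calls in the plan if the persistent set must be emptied too.
ipset_flush() {
    set_name="$1"
    entries=$(firewall-cmd --ipset="$set_name" --get-entries) || return 1
    ipset_flush_plan "$set_name" "$entries" | sh
}

# Warn when table ownership has been switched off, since that re-opens the
# firewalld table to modification by any root process, not just firewalld.
audit_table_owner() {
    conf="${1:-/etc/firewalld/firewalld.conf}"
    setting=$(table_owner_setting "$conf")
    if [ "$setting" = "no" ]; then
        printf 'WARN: NftablesTableOwner=no in %s (table not owned by firewalld)\n' "$conf"
        return 1
    fi
    printf 'OK: NftablesTableOwner=%s in %s\n' "$setting" "$conf"
}
```

Run `audit_table_owner` to check the host, and `ipset_flush blocklist` to empty a set while leaving NftablesTableOwner=yes in place.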