Re: Evaluating monitoring rules in multiple zones (public and another zone)
by Eric Garver
On Mon, Aug 21, 2023 at 01:11:32PM +0000, Will Furnell - STFC UKRI wrote:
> Hello,
>
> Sorry to bump this - but I was looking at this again and noted you
> appear to be the one packaging firewalld as well - do you know if this
> fix will be backported to EL9?
It seems unlikely because it was fixed as part of a major version bump,
v2.0.0. Backporting it to RHEL-9 would be very difficult.
tcp-mss-clamp
by D. Hugh Redelmeier
I'm having trouble getting a gateway/router working.
Context:
- I have two gateways, both to broadband, both requiring PPPoE
- both are running Fedora 38 and use firewalld-1.3.1-1.fc38.noarch
- one works and one doesn't work reliably: some web sites time out
I think that the problem is with MTU. PPPoE doesn't allow 1500 byte
packets through: the limit is 1492.
The "proof" is that if I set the MTU to 1492 on a client's ethernet
interface, the client can use the bad gateway with no problem.
firewalld.policy(5) says that there is an option:
tcp-mss-clamp
Is an optional empty-element tag and can be used several times. If left
empty maximum segment size is set to 'pmtu'. This tag has exactly one
optional attribute:
value="string"
Value can set maximum segment size to 'pmtu' (Path Maximum
Transmission Unit) or a user-defined value that is greater than or
equal to 536.
I took this as meaning that I could add <tcp-mss-clamp/> to the policy
file, like this:
<?xml version="1.0" encoding="utf-8"?>
<policy priority="100" target="ACCEPT">
<ingress-zone name="FedoraServer"/>
<egress-zone name="external"/>
<tcp-mss-clamp/>
</policy>
When I do so, firewalld throws a python error (see below).
==> am I writing this option correctly?
Should I have used <tcp-mss-clamp value="1492"/>?
==> is there a way of expressing this in firewall-cmd?
(None is documented in firewall-cmd(1).)
==> is this a reasonable diagnostic?
(I don't think so.)
==> bonus questions:
Why would some web sites be blocked by this MTU problem with one
ISP and not the other?
The working ISP is providing VDSL, the last mile provided by Bell
Canada. The failing ISP is Bell Canada itself, providing FTTH.
Why some sites (e.g. news.banggood.com) and not others?
What is the correct fix for my problem? Somehow Path MTU
discovery isn't solving the problem.
================ log of firewalld python error ================
Aug 06 02:29:40 my-hostname systemd[1]: Starting firewalld.service - firewalld - dynamic firewall daemon...
Aug 06 02:29:40 my-hostname systemd[1]: Started firewalld.service - firewalld - dynamic firewall daemon.
Aug 06 02:29:40 my-hostname audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=firewalld comm="systemd" exe="/usr/lib>
Aug 06 02:29:40 my-hostname firewalld[17576]: ERROR: Failed to load user configuration. Falling back to full stock configuration.
Aug 06 02:29:40 my-hostname audit[17576]: NETFILTER_CFG table=firewalld:13 family=1 entries=1 op=nft_register_table pid=17576 subj=system_u:system_r:firewalld_t:s0 comm="firewa>
Aug 06 02:29:40 my-hostname audit[17576]: NETFILTER_CFG table=firewalld:14 family=1 entries=222 op=nft_register_chain pid=17576 subj=system_u:system_r:firewalld_t:s0 comm="fire>
Aug 06 02:29:40 my-hostname firewalld[17576]: Traceback (most recent call last):
File "/usr/lib/python3.11/site-packages/firewall/server/decorators.py", line 51, in _impl
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/firewall/server/firewalld.py", line 91, in start
return self.fw.start()
^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 656, in start
raise original_ex
File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 633, in start
self._start()
File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 584, in _start
self._start_load_user_config()
File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 410, in _start_load_user_config
self._loader_policies(config.ETC_FIREWALLD_POLICIES)
File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 716, in _loader_policies
obj = policy_reader(filename, path)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/firewall/core/io/policy.py", line 1075, in policy_reader
parser.parse(source)
File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 111, in parse
xmlreader.IncrementalParser.parse(self, source)
File "/usr/lib64/python3.11/xml/sax/xmlreader.py", line 125, in parse
self.feed(buffer)
File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 217, in feed
self._parser.Parse(data, isFinal)
File "/builddir/build/BUILD/Python-3.11.4/Modules/pyexpat.c", line 416, in StartElement
File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 333, in start_element
self._cont_handler.startElement(name, AttributesImpl(attrs))
File "/usr/lib/python3.11/site-packages/firewall/core/io/policy.py", line 993, in startElement
if common_startElement(self, name, attrs):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.11/site-packages/firewall/core/io/policy.py", line 117, in common_startElement
attrs["value"])
~~~~~^^^^^^^^^
File "/usr/lib64/python3.11/xml/sax/xmlreader.py", line 318, in __getitem__
return self._attrs[name]
~~~~~~~~~~~^^^^^^
KeyError: 'value'
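The traceback above ends in `attrs["value"]` raising `KeyError` while the SAX handler reads `<tcp-mss-clamp/>`: the element is documented as having an *optional* `value` attribute, but the reader indexes it unconditionally. The following is an added illustration, not firewalld's own code (the handler classes, the `parse_clamp` helper and the `policy_with_clamp` variant builder are assumptions made here): it parses the policy document from the post with Python's `xml.sax`, once with a handler that reproduces the failure mode and once with a handler that treats the attribute as optional, applies the `pmtu` default that firewalld.policy(5) describes for an empty element, and rejects values below the documented minimum of 536.

```python
import xml.sax
from xml.sax.handler import ContentHandler

# Constructed sample input: the policy file from the post above, where
# <tcp-mss-clamp/> carries no value attribute.
POLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<policy priority="100" target="ACCEPT">
  <ingress-zone name="FedoraServer"/>
  <egress-zone name="external"/>
  <tcp-mss-clamp/>
</policy>
"""

MIN_MSS = 536  # lower bound stated in firewalld.policy(5)


def policy_with_clamp(value):
    """Constructed variant of POLICY_XML with an explicit value attribute."""
    return POLICY_XML.replace('<tcp-mss-clamp/>', f'<tcp-mss-clamp value="{value}"/>')


def validate_mss(value):
    """Accept 'pmtu' or an integer >= 536, as the man page text describes."""
    if value == "pmtu":
        return value
    try:
        mss = int(value)
    except ValueError:
        raise ValueError(f"tcp-mss-clamp value must be 'pmtu' or an integer, got {value!r}")
    if mss < MIN_MSS:
        raise ValueError(f"tcp-mss-clamp value {mss} is below the minimum of {MIN_MSS}")
    return str(mss)


class StrictHandler(ContentHandler):
    """Hypothetical handler that indexes the attribute unconditionally, so an
    empty <tcp-mss-clamp/> raises KeyError, as in the traceback above."""

    def __init__(self):
        super().__init__()
        self.tcp_mss_clamp = None

    def startElement(self, name, attrs):
        if name == "tcp-mss-clamp":
            self.tcp_mss_clamp = attrs["value"]  # KeyError when the attribute is absent


class LenientHandler(ContentHandler):
    """Hypothetical handler that treats the attribute as optional: absent means 'pmtu'."""

    def __init__(self):
        super().__init__()
        self.tcp_mss_clamp = None

    def startElement(self, name, attrs):
        if name == "tcp-mss-clamp":
            # AttributesImpl.get() returns the default instead of raising
            self.tcp_mss_clamp = validate_mss(attrs.get("value", "pmtu"))


def parse_clamp(xml_text, handler_cls):
    """Parse a policy document and return the tcp-mss-clamp setting it carries."""
    handler = handler_cls()
    xml.sax.parseString(xml_text.encode("utf-8"), handler)
    return handler.tcp_mss_clamp


def parse_clamp_or_error(xml_text, handler_cls):
    """Same as parse_clamp, but report a failed parse by its exception class name."""
    try:
        return parse_clamp(xml_text, handler_cls)
    except (KeyError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("strict,  empty element :", parse_clamp_or_error(POLICY_XML, StrictHandler))
    print("lenient, empty element :", parse_clamp_or_error(POLICY_XML, LenientHandler))
    print("lenient, value=1452    :", parse_clamp_or_error(policy_with_clamp(1452), LenientHandler))
    print("lenient, value=100     :", parse_clamp_or_error(policy_with_clamp(100), LenientHandler))
```

Two points worth keeping in mind when experimenting with an explicit value: the attribute sets a TCP maximum segment size, not a link MTU, and for IPv4 TCP without options the MSS is 40 bytes smaller than the MTU (1452 for a 1492-byte PPPoE MTU); and a config-load failure like the one above makes firewalld fall back to its stock configuration, as the `ERROR: Failed to load user configuration` line in the log records, so any custom policies are silently not in effect until the file parses.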