I'm sure I'm just doing it wrong, but I'm having trouble with an ipset hitting "maxelem 65536 reached."
I tried:
$ sudo firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip --option=maxelem:131072
success
which creates:
$ sudo more /etc/firewalld/ipsets/blacklist.xml
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<option name="maxelem:131072"/>
</ipset>
but when I load with $ sudo firewall-cmd --reload:
Jun 18 11:40:20 temp-2 firewalld: WARNING: INVALID_IPSET: blacklist
Jun 18 11:40:35 temp-2 firewalld: ERROR: Failed to load ipset file '/etc/firewalld/ipsets/blacklist.xml': INVALID_OPTION: Unknown option 'maxelem:131072'
Jun 18 11:40:35 temp-2 firewalld: WARNING: INVALID_IPSET: blacklist
Jun 18 11:40:37 temp-2 firewalld: ERROR: Failed to load ipset file 'blacklist.xml': INVALID_OPTION: Unknown option 'maxelem:131072'
I thought I would work around it by splitting my ipset in two, but that still generated the maxelem error for both files:
Jun 18 12:13:27 temp-2 firewalld: ERROR: Failed to create ipset 'blacklist-1'
Jun 18 12:13:27 temp-2 firewalld: ERROR: '/usr/sbin/ipset restore' failed:
Jun 18 12:13:27 temp-2 kernel: Set blacklist-2 is full, maxelem 65536 reached
Jun 18 12:13:27 temp-2 firewalld: ERROR: Failed to create ipset 'blacklist-2'
Jun 18 12:13:27 temp-2 firewalld: ERROR: '/usr/sbin/ipset restore' failed:
and after removing the larger of the two, I still get the maxelem error for what is now a pretty small file.
I'm stumped and trying to avoid having to add each entry via sudo firewall-cmd --permanent --ipset=blacklist --add-entry=...
Thanks for any guidance out there,
-David
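Added example, not part of David's post or of firewalld itself. It covers the two practical points a reader of this thread wants: firewall-cmd's --option takes key=value (so the option is --option=maxelem=131072, which firewalld writes out as `<option name="maxelem" value="131072"/>`, whereas the "maxelem:131072" form in the XML above is what firewalld rejects as INVALID_OPTION), and a large set can be built as one XML file with all of its entries instead of one --add-entry call per address. The XML layout follows firewalld.ipset(5): one `<option>` element per option and one `<entry>` element per member; the file name in /etc/firewalld/ipsets/ is the set name. The addresses used in the check are constructed sample data from the RFC 5737 documentation ranges; the checker's assumption that an unset maxelem means the kernel default of 65536 is labelled in the code.

```shell
#!/bin/sh
# Added example (not from the original post or from firewalld): build a
# firewalld ipset definition with maxelem raised above the 65536 default
# and every entry included, then sanity-check such a file before reload.
#
# Equivalent firewall-cmd usage (note key=value, not key:value):
#   sudo firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip \
#        --option=maxelem=131072
#   sudo firewall-cmd --permanent --ipset=blacklist \
#        --add-entries-from-file=/path/to/list.txt
#   sudo firewall-cmd --reload
set -eu

# gen_ipset_xml TYPE MAXELEM ENTRIES_FILE
# Writes to stdout the XML for an ipset of type TYPE with maxelem=MAXELEM
# and one <entry> per non-empty, non-comment line of ENTRIES_FILE.
# Redirect the output to /etc/firewalld/ipsets/NAME.xml; the file name is
# the set name.
gen_ipset_xml() {
    type=$1; maxelem=$2; entries=$3
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<ipset type="%s">\n' "$type"
    # Option name and value are separate attributes.
    printf '  <option name="maxelem" value="%s"/>\n' "$maxelem"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$entries" |
    while IFS= read -r addr; do
        printf '  <entry>%s</entry>\n' "$addr"
    done
    printf '</ipset>\n'
}

# check_ipset_xml FILE
# Returns 0 when FILE has no "name:value" style option and its entry count
# fits within maxelem; returns 1 with a reason on stderr otherwise.
check_ipset_xml() {
    file=$1
    # The symptom from the post: the whole option crammed into the name
    # attribute, which firewalld reports as INVALID_OPTION.
    if grep -q 'name="[a-z]*:[^"]*"' "$file"; then
        echo "$file: option written as name:value in one attribute" >&2
        return 1
    fi
    max=$(sed -n 's/.*<option name="maxelem" value="\([0-9]*\)".*/\1/p' "$file")
    # Assumption: with no maxelem option the kernel default of 65536 applies.
    [ -n "$max" ] || max=65536
    n=$(grep -c '<entry>' "$file" || true)
    if [ "$n" -gt "$max" ]; then
        echo "$file: $n entries exceed maxelem $max" >&2
        return 1
    fi
    return 0
}

# demo: write a small set (constructed RFC 5737 addresses) to a temp dir
# and check it. Run as: sh this_script.sh demo
demo() {
    tmp=$(mktemp -d)
    printf '192.0.2.1\n# comment line\n\n198.51.100.7\n' > "$tmp/list.txt"
    gen_ipset_xml hash:ip 131072 "$tmp/list.txt" > "$tmp/blacklist.xml"
    cat "$tmp/blacklist.xml"
    check_ipset_xml "$tmp/blacklist.xml" && echo "check: ok"
    rm -rf "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

After `firewall-cmd --reload`, `sudo ipset list -t blacklist` prints only the set header, so the maxelem the kernel actually applied is visible without dumping every member; `sudo firewall-cmd --permanent --info-ipset=blacklist` shows what firewalld parsed from the file.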