[CentOS] firewall-cmd - bug or bad design

Thu Dec 3 05:48:38 UTC 2020
Jon LaBadie <jcu at labadie.us>

In my firewall I use an ipset as a geographical blacklist.

A single address can be entered into the blacklist using
CIDR notation or not, i.e.

    111.222.111.222/32  OR  111.222.111.222

while a block of IP addresses can be entered using CIDR notation:

    111.222.111.0/24

Both the ipset and firewall-cmd commands have ways to ask if an address
has already been entered into the blacklist.  The basic syntax is

  ipset test <blacklist> <ip_addr>

  firewall-cmd --ipset=<blacklist> --query-entry=<ip_addr>

With ipset I can test a single address using CIDR or not regardless
of how it was entered.  If the entry was a block of addresses, any
address within the block is reported as "in the ipset".

firewall-cmd responds differently.  If I entered "111.222.111.222/32"
(i.e. using CIDR) into the list, firewall-cmd reports the address as
"NOT entered" if I query the simple form "111.222.111.222" even though
they are the same single address.  Conversely, if the original entry
was simple, the CIDR form is reported as "NOT entered".

With block entries like 111.222.111.0/24, any address within the block
is reported as "NOT entered"!  Only the actual string entered,
111.222.111.0/24, is considered "entered".

I use these types of queries to decide whether an IP address is already
being blocked.  Clearly, relying on the firewall-cmd query would lead to
unnecessary entries.

What do you think?  Should I consider this simply a poor design decision
or a reportable "bug"?

-- 
Jon H. LaBadie                  jcu at labadie.us
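The following is an added example, not code from the post above or from firewalld or ipset. It shows the difference the post describes between an exact-string lookup (which is how the post says firewall-cmd --query-entry behaves) and a real containment test over the ipset's entries, using Python's ipaddress module. The entry list is a constructed sample embedded inline; on a live host one would feed it the lines printed by "firewall-cmd --ipset=<blacklist> --get-entries" instead. The function names are the example's own.

```python
import ipaddress
from typing import List

# Constructed sample, imitating the output of
#   firewall-cmd --ipset=<blacklist> --get-entries
# (one entry per line), in the mixed forms the post describes.
SAMPLE_GET_ENTRIES_OUTPUT = """\
111.222.111.222/32
111.222.111.0/24
203.0.113.7
"""


def parse_entries(text: str) -> List[str]:
    """Split --get-entries style output into a list of entry strings."""
    return [line.strip() for line in text.splitlines() if line.strip()]


SAMPLE_ENTRIES = parse_entries(SAMPLE_GET_ENTRIES_OUTPUT)


def exact_string_match(entries: List[str], addr: str) -> bool:
    """Models the behaviour the post reports for firewall-cmd --query-entry:
    the query only succeeds if the exact string was entered.  "x.x.x.x" and
    "x.x.x.x/32" are therefore treated as different entries, and no address
    inside a /24 block matches unless the query string is the block itself."""
    return addr in entries


def covering_entries(entries: List[str], addr: str) -> List[str]:
    """Containment test: return every entry (as originally written) whose
    network contains `addr`.  `addr` may be a plain host, a host/32, or a
    block; a block is covered only if the whole block lies inside an entry.
    Entries of the other IP version are skipped rather than compared."""
    target = ipaddress.ip_network(addr, strict=False)
    covered = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != target.version:
            continue
        if target.subnet_of(net):
            covered.append(entry)
    return covered


def is_blocked(entries: List[str], addr: str) -> bool:
    """What the post actually wants to know: is this address already covered
    by some entry in the blacklist, however that entry was written?"""
    return bool(covering_entries(entries, addr))


if __name__ == "__main__":
    for query in ("111.222.111.222", "111.222.111.222/32",
                  "111.222.111.5", "203.0.113.7/32", "198.51.100.1"):
        print(f"{query:22} exact={exact_string_match(SAMPLE_ENTRIES, query)!s:5} "
              f"covered_by={covering_entries(SAMPLE_ENTRIES, query)}")
```

The exact-string function returns False for "111.222.111.222" even though "111.222.111.222/32" is in the list, and False for every host inside 111.222.111.0/24 except the literal block string; the containment function returns the covering entries in each case, which is the check to use before deciding whether to add a new entry.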