Non compacted IPv6 address conflict after reload

[luizluca]

What happened

If I have an ipset defined in files with fdc8:1324:5678:0::/64, firewalld will return an error on reload like this:

Error: INVALID_ENTRY: Entry 'fdc8:1324:5678::/64' overlaps with existing entry 'fdc8:1324:5678:0::/64'

In that case, firewalld blocks all new connections, locking the machine out of the network.

What you expected to happen

It should treat both as the same address

How to reproduce it (as minimally and precisely as possible)

Use this ipset and reload firewalld:

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <option name="family" value="inet6"/>
  <entry>fdc8:1324:5678:0::/64</entry>
</ipset>

Anything else we need to know?

If the ipset was created using the firewall-cmd command, it avoids the issue by compacting the address before writing to the config file.

Firewalld Version

2.1.1

Firewalld Backend

nftables

Linux distribution

OpenSUSE Tumbleweed

Linux kernel version

6.7.5-1-default

Other information

No response

[erig0]

I was unable to reproduce this. I created a test case using your XML from above and reload works as expected.

erig0@1222d53

Do you have any more information that can be used to reproduce this?