firewalld/0001-fix-policy-ipXtables-calculate-max-name-len-properly.patch

From c6fe749fb75004c30818bcc0696ac23801239d0b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 21 Jul 2020 16:03:24 -0400
Subject: [PATCH] fix(policy): ipXtables: calculate max name len properly

Policy chain names still need the SHORTCUTS (POST, IN, etc) in the chain
name. As such, calculate the max name length appropriately.

This also drops the "pol_" prefix for policy chains. Retaining it would
restrict the policy name max length unreasonably so.

Fixes: 34bdee40aa61 ("feat: implement policy objects internally")
---
 src/firewall/core/ipXtables.py | 2 +-
 src/firewall/functions.py      | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index b310a74..54c267b 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -32,7 +32,7 @@ from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, \
                                Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock
 import string
 
-POLICY_CHAIN_PREFIX = "pol_"
+POLICY_CHAIN_PREFIX = ""
 
 BUILT_IN_CHAINS = {
     "security": [ "INPUT", "OUTPUT", "FORWARD" ],
diff --git a/src/firewall/functions.py b/src/firewall/functions.py
index d4c5e90..de4e244 100644
--- a/src/firewall/functions.py
+++ b/src/firewall/functions.py
@@ -508,11 +508,13 @@ def ppid_of_pid(pid):
 def max_policy_name_len():
     """
     iptables limits length of chain to (currently) 28 chars.
-    The longest chain we create is pol_<policy>_allow,
-    which leaves 28 - 10 = 18 chars for <policy>.
+    The longest chain we create is POST_<policy>_allow,
+    which leaves 28 - 11 = 17 chars for <policy>.
     """
     from firewall.core.ipXtables import POLICY_CHAIN_PREFIX
-    return 28 - (len(POLICY_CHAIN_PREFIX) + len("_allow"))
+    from firewall.core.base import SHORTCUTS
+    longest_shortcut = max(map(len, SHORTCUTS.values()))
+    return 28 - (longest_shortcut + len(POLICY_CHAIN_PREFIX) + len("_allow"))
 
 def max_zone_name_len():
     """
-- 
1.8.3.1
add new featuer to fix command error when use with non-existen ipset 2020-09-09 14:30:11 +08:00			`From c6fe749fb75004c30818bcc0696ac23801239d0b Mon Sep 17 00:00:00 2001`
			`From: Eric Garver <eric@garver.life>`
			`Date: Tue, 21 Jul 2020 16:03:24 -0400`
			`Subject: [PATCH] fix(policy): ipXtables: calculate max name len properly`

			`Policy chain names still need the SHORTCUTS (POST, IN, etc) in the chain`
			`name. As such, calculate the max name length appropriately.`

			`This also drops the "pol_" prefix for policy chains. Retaining it would`
			`restrict the policy name max length unreasonably so.`

			`Fixes: 34bdee40aa61 ("feat: implement policy objects internally")`
			`---`
			`src/firewall/core/ipXtables.py \| 2 +-`
			`src/firewall/functions.py \| 8 +++++---`
			`2 files changed, 6 insertions(+), 4 deletions(-)`

			`diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py`
			`index b310a74..54c267b 100644`
			`--- a/src/firewall/core/ipXtables.py`
			`+++ b/src/firewall/core/ipXtables.py`
			`@@ -32,7 +32,7 @@ from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, \`
			`Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock`
			`import string`

			`-POLICY_CHAIN_PREFIX = "pol_"`
			`+POLICY_CHAIN_PREFIX = ""`

			`BUILT_IN_CHAINS = {`
			`"security": [ "INPUT", "OUTPUT", "FORWARD" ],`
			`diff --git a/src/firewall/functions.py b/src/firewall/functions.py`
			`index d4c5e90..de4e244 100644`
			`--- a/src/firewall/functions.py`
			`+++ b/src/firewall/functions.py`
			`@@ -508,11 +508,13 @@ def ppid_of_pid(pid):`
			`def max_policy_name_len():`
			`"""`
			`iptables limits length of chain to (currently) 28 chars.`
			`- The longest chain we create is pol_<policy>_allow,`
			`- which leaves 28 - 10 = 18 chars for <policy>.`
			`+ The longest chain we create is POST_<policy>_allow,`
			`+ which leaves 28 - 11 = 17 chars for <policy>.`
			`"""`
			`from firewall.core.ipXtables import POLICY_CHAIN_PREFIX`
			`- return 28 - (len(POLICY_CHAIN_PREFIX) + len("_allow"))`
			`+ from firewall.core.base import SHORTCUTS`
			`+ longest_shortcut = max(map(len, SHORTCUTS.values()))`
			`+ return 28 - (longest_shortcut + len(POLICY_CHAIN_PREFIX) + len("_allow"))`

			`def max_zone_name_len():`
			`"""`
			`--`
			`1.8.3.1`