firewalld/nftables-fix-reject-statement-in-block-zone.patch

From a9abba630333970cc59d5fdcb1e92968b38f5eaa Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 11 Oct 2018 11:58:22 -0400
Subject: [PATCH 020/127] nftables: fix reject statement in "block" zone
Also add test coverage.
Fixes: #406
---
src/firewall/core/nftables.py | 3 ++-
src/tests/firewall-cmd.at | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 8a305539..3c871069 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -619,7 +619,8 @@ class nftables(object):
target in ["ACCEPT", "REJECT", "%%REJECT%%", "DROP"] and \
chain in ["INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"]:
rules.append(["add", "rule", family, "%s" % TABLE_NAME,
- "%s_%s" % (table, _zone), target.lower()])
+ "%s_%s" % (table, _zone),
+ target.lower() if target != "%%REJECT%%" else "%%REJECT%%"])
return rules
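Review bot: The conditional on the last added line passes `%%REJECT%%` through untouched while every other target is lowercased, but nothing in the hunk records why the placeholder must keep its exact spelling; that deserves a comment on the line above the `rules.append(...)`, e.g. `# %%REJECT%% is a placeholder expanded into the reject expression later, so it must not be lowercased` (hedged, since the expansion is not visible here). The expression also reads more naturally as `target if target == "%%REJECT%%" else target.lower()`, which makes the pass-through explicit instead of restating the literal on both sides of the comparison. Since the block zone's rules only take effect if nft accepts the generated statement, it would be worth having the new block-zone test assert the emitted rule text rather than only a zero exit status, so a regression in the placeholder substitution is caught directly. The enclosing method begins outside the hunk, so the full set of targets and chains reaching this branch is not visible.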
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index ef45110c..b7ec3816 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -69,6 +69,8 @@ FWD_START_TEST([zone interfaces])
FWD_CHECK([--zone=public --change-interface=dummy], 0, ignore)
FWD_CHECK([--get-zone-of-interface=dummy], 0, [public
])
+ FWD_CHECK([--zone=block --add-interface=dummy1], 0, ignore)
+ FWD_CHECK([--zone=block --remove-interface=dummy1], 0, ignore)
FWD_CHECK([--zone=dmz --change-zone=dummy], 0, ignore)
FWD_CHECK([--get-zone-of-interface=dummy], 0, [dmz
--
2.19.1