Package init

overweight 2019-09-30 10:38:52 -04:00
commit 8b6920a2be
20 changed files with 1201 additions and 0 deletions


@ -0,0 +1,35 @@
From 5494006021e83f27195dc902c3c9fd024e71dc3b Mon Sep 17 00:00:00 2001
From: MeggyCal <MeggyCal@users.noreply.github.com>
Date: Thu, 20 Sep 2018 15:37:17 +0200
Subject: [PATCH] Fix translating labels (#392)
Fix for #344 was incomplete, the "flags" were not translating and the reported bug was still active.
Fixes: #344
(cherry picked from commit e657200927a9f0f41fbed95640cd47e2a5836c6f)
---
src/firewall-config.glade | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/firewall-config.glade b/src/firewall-config.glade
index 22bed58aafaf..75c229b408fd 100644
--- a/src/firewall-config.glade
+++ b/src/firewall-config.glade
@@ -10135,10 +10135,10 @@
<property name="halign">start</property>
<property name="valign">start</property>
<items>
- <item>accept</item>
- <item>reject</item>
- <item>drop</item>
- <item>mark</item>
+ <item translatable="yes">accept</item>
+ <item translatable="yes">reject</item>
+ <item translatable="yes">drop</item>
+ <item translatable="yes">mark</item>
</items>
<signal name="changed" handler="on_richRuleDialog_changed" swapped="no"/>
</object>
--
2.18.0


@ -0,0 +1,116 @@
From a628d6e3a710fb8379cf2fb319cdafc06dd2dad6 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 30 Aug 2018 16:34:19 -0400
Subject: [PATCH] fedora patch to default to iptables backend
---
config/firewalld.conf | 7 -------
src/firewall/config/__init__.py.in | 2 +-
src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++
src/tests/dbus/firewalld.conf.at | 2 +-
src/tests/functions.at | 4 ++--
5 files changed, 21 insertions(+), 11 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index b53c0aa50c53..63df409bf567 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -55,10 +55,3 @@ LogDenied=off
# will be used. Possible values are: yes, no and system.
# Default: system
AutomaticHelpers=system
-
-# FirewallBackend
-# Selects the firewall backend implementation.
-# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 955be32077e1..cff7c3fe9025 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 4d57bad693c1..6264f45a1913 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -240,6 +240,12 @@ class firewalld_conf(object):
if key not in done:
if (key in self._config and \
self._config[key] != value):
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ self._config[key] == config.FALLBACK_FIREWALL_BACKEND:
+ done.append(key)
+ continue
empty = False
temp_file.write(u'%s=%s\n' %
(key, self._config[key]))
@@ -247,6 +253,12 @@ class firewalld_conf(object):
elif key in self._deleted:
modified = True
else:
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ value == config.FALLBACK_FIREWALL_BACKEND:
+ done.append(key)
+ continue
empty = False
temp_file.write(line+u"\n")
done.append(key)
@@ -258,6 +270,11 @@ class firewalld_conf(object):
for (key,value) in self._config.items():
if key in done:
continue
+ # Only write FirewallBackend if it's not the default.
+ # We will change the default in the future.
+ if key == "FirewallBackend" and \
+ value == config.FALLBACK_FIREWALL_BACKEND:
+ continue
if not empty:
temp_file.write(u"\n")
empty = True
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 473210de10af..44e649111ffb 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -5,7 +5,7 @@ DBUS_GETALL([config], [config], 0, [dnl
string "AutomaticHelpers" : variant string "system"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
+string "FirewallBackend" : variant string "iptables"
m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
string "IPv6_rpfilter" : variant string "no"],[dnl
string "IPv6_rpfilter" : variant string "yes"])
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 3b79a9f31305..dd7b43d9dac6 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -65,13 +65,13 @@ m4_define([FWD_START_TEST], [
fi
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- m4_define_default([FIREWALL_BACKEND], [nftables])
+ m4_define_default([FIREWALL_BACKEND], [iptables])
dnl don't unload modules or bother cleaning up, the namespace will be deleted
AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
dnl set the appropriate backend
- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
+ AT_CHECK([echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf])
dnl fib matching is pretty new in nftables. Don't use rpfilter on older
dnl kernels.
--
2.18.0
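Review bot: The `else:` branch at L103-L108 drops an existing `FirewallBackend=iptables` line from the file on the next write even though the file and the in-memory config agree, so an administrator who set the key explicitly will find it silently gone, and the only documentation of the key in the shipped config is removed by the config/firewalld.conf hunk (L65-L71). If that is the intended trade-off (let a future default change take effect on upgraded hosts), the comment should say so, e.g. `# Dropped on purpose: an explicit FirewallBackend equal to the default is not preserved, so a later change of the default applies here too.`, and the commented description block in config/firewalld.conf could stay with the active line removed. The same three-line test is repeated at L92-L93, L105-L106 and L118-L119; a small helper such as `_is_default_backend(key, value)` would keep them from drifting. The enclosing method of firewalld_conf starts and ends outside these hunks.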


@ -0,0 +1,48 @@
From 2e53fab83ac844c1d2fb2781116ad47b8900ab85 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 21 Sep 2018 11:02:18 -0400
Subject: [PATCH 1/2] fw_transaction: On clear zone transaction, must clear fw
and other zones
Just like FirewallZoneTransaction.execute() that was spawned from a
FirewallTransaction must call FirewallTransaction.exectue() we should
also make sure the same is done for clear(). Otherwise we can end up
with a partially cleared transaction. This gets really hairy if the
FirewallTransaction contains many instances of FirewallZoneTransaction
which is common during startup with non-default configuration.
Fixes: #374
---
src/firewall/core/fw_transaction.py | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/fw_transaction.py b/src/firewall/core/fw_transaction.py
index f169e4a923dd..ad204c1991cf 100644
--- a/src/firewall/core/fw_transaction.py
+++ b/src/firewall/core/fw_transaction.py
@@ -231,9 +231,19 @@ class FirewallZoneTransaction(SimpleFirewallTransaction):
self.modules = [ ] # [ module,.. ]
def clear(self):
- super(FirewallZoneTransaction, self).clear()
- del self.chains[:]
- del self.modules[:]
+ # calling clear on a zone_transaction that was spawned from a
+ # FirewallTransaction needs to clear the fw_transaction and all the
+ # other zones otherwise we end up with a partially cleared transaction.
+ if self.fw_transaction:
+ super(FirewallTransaction, self.fw_transaction).clear()
+ for zone in self.fw_transaction.zone_transactions.keys():
+ super(FirewallZoneTransaction, self.fw_transaction.zone_transactions[zone]).clear()
+ del self.fw_transaction.zone_transactions[zone].chains[:]
+ del self.fw_transaction.zone_transactions[zone].modules[:]
+ else:
+ super(FirewallZoneTransaction, self).clear()
+ del self.chains[:]
+ del self.modules[:]
def prepare(self, enable, rules=None, modules=None):
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
--
2.18.0
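Review bot: In the `if self.fw_transaction:` branch (L187-L192) `self` itself is only cleared when it is registered in `self.fw_transaction.zone_transactions`; whether a spawned zone transaction is always registered there is not visible in this hunk, so it is worth a comment or an explicit `del self.chains[:]` / `del self.modules[:]` after the loop if it is not. The loop at L189-L192 iterates `.keys()` and then indexes the dict three times per zone; iterating `self.fw_transaction.zone_transactions.values()` and binding each transaction to a local reads more clearly. The `super(FirewallTransaction, self.fw_transaction).clear()` call at L188 presumably bypasses `FirewallTransaction.clear()` to avoid re-entering this method; a one-line comment stating that would save the next reader the same deduction.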


@ -0,0 +1,135 @@
From 7cdd8027d13677185b301f849d42957e635ffa67 Mon Sep 17 00:00:00 2001
From: StefanBruens <stefan.bruens@rwth-aachen.de>
Date: Tue, 25 Sep 2018 21:56:36 +0200
Subject: [PATCH 006/127] firewall/core/io/*.py: Let SAX handle the encoding of
XML files (#395)
SAX is able to determine the encoding of XML files itself if the file
contains a correct "encoding" pseudo attribute, e.g.:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
For this to work, the file stream has to be opened in binary mode, and
the parser has to read the stream using a SAX InputStream, which
autodetects the encoding.
Fixes: #303
---
src/firewall/core/io/direct.py | 6 ++++--
src/firewall/core/io/helper.py | 6 ++++--
src/firewall/core/io/icmptype.py | 6 ++++--
src/firewall/core/io/ipset.py | 6 ++++--
src/firewall/core/io/service.py | 6 ++++--
src/firewall/core/io/zone.py | 6 ++++--
6 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/src/firewall/core/io/direct.py b/src/firewall/core/io/direct.py
index 07e159da..b0c2cb52 100644
--- a/src/firewall/core/io/direct.py
+++ b/src/firewall/core/io/direct.py
@@ -360,9 +360,11 @@ class Direct(IO_Object):
handler = direct_ContentHandler(self)
parser = sax.make_parser()
parser.setContentHandler(handler)
- with open(self.filename, "r") as f:
+ with open(self.filename, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_TYPE,
"Not a valid file: %s" % \
diff --git a/src/firewall/core/io/helper.py b/src/firewall/core/io/helper.py
index 4a2420dd..a5c81b9f 100644
--- a/src/firewall/core/io/helper.py
+++ b/src/firewall/core/io/helper.py
@@ -156,9 +156,11 @@ def helper_reader(filename, path):
parser = sax.make_parser()
parser.setContentHandler(handler)
name = "%s/%s" % (path, filename)
- with open(name, "r") as f:
+ with open(name, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_HELPER,
"not a valid helper file: %s" % \
diff --git a/src/firewall/core/io/icmptype.py b/src/firewall/core/io/icmptype.py
index 91b48867..32103c59 100644
--- a/src/firewall/core/io/icmptype.py
+++ b/src/firewall/core/io/icmptype.py
@@ -121,9 +121,11 @@ def icmptype_reader(filename, path):
parser = sax.make_parser()
parser.setContentHandler(handler)
name = "%s/%s" % (path, filename)
- with open(name, "r") as f:
+ with open(name, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_ICMPTYPE,
"not a valid icmptype file: %s" % \
diff --git a/src/firewall/core/io/ipset.py b/src/firewall/core/io/ipset.py
index 0670677b..8cc6a1f9 100644
--- a/src/firewall/core/io/ipset.py
+++ b/src/firewall/core/io/ipset.py
@@ -390,9 +390,11 @@ def ipset_reader(filename, path):
parser = sax.make_parser()
parser.setContentHandler(handler)
name = "%s/%s" % (path, filename)
- with open(name, "r") as f:
+ with open(name, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_IPSET,
"not a valid ipset file: %s" % \
diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py
index c04d612e..487d5ba3 100644
--- a/src/firewall/core/io/service.py
+++ b/src/firewall/core/io/service.py
@@ -219,9 +219,11 @@ def service_reader(filename, path):
parser = sax.make_parser()
parser.setContentHandler(handler)
name = "%s/%s" % (path, filename)
- with open(name, "r") as f:
+ with open(name, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_SERVICE,
"not a valid service file: %s" % \
diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
index c048c867..05368e9c 100644
--- a/src/firewall/core/io/zone.py
+++ b/src/firewall/core/io/zone.py
@@ -696,9 +696,11 @@ def zone_reader(filename, path, no_check_name=False):
parser = sax.make_parser()
parser.setContentHandler(handler)
name = "%s/%s" % (path, filename)
- with open(name, "r") as f:
+ with open(name, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_ZONE,
"not a valid zone file: %s" % \
--
2.19.1
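Review bot: Handing the parser a byte stream via `sax.InputSource` (L235-L236) is the right way to let expat pick up the encoding declaration, but `sax.make_parser()` at L231 is still used with default features, and on Python releases that predate bpo-17239 external general entities are resolved by default. Since these readers parse configuration from `path`/`filename` (L250) rather than request data the exposure is limited, but a defensive `parser.setFeature(sax.handler.feature_external_ges, False)` after `setContentHandler` costs nothing and documents the intent; the same applies to the helper, icmptype, ipset, service and zone hunks. The six hunks are now identical apart from the error code, so a shared `_parse_file(parser, name)` helper in the io package would keep this hardening in one place. Each reader's body continues outside its hunk.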


@ -0,0 +1,40 @@
From 0e9306e9df41142503b4efc90032043183a3cb7b Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@gnome.org>
Date: Mon, 6 Aug 2012 10:01:09 +0200
Subject: [PATCH] Make MDNS work in all but the most restrictive zones
* MDNS is a discovery protocol, and much like DNS or DHCP should
be available for the network to function as expected.
* Avahi (the main MDNS) implementation has taken steps to make sure
no private information is published by default.
* See: https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault
---
config/zones/public.xml | 1 +
config/zones/work.xml | 1 +
2 files changed, 2 insertions(+)
diff --git a/config/zones/public.xml b/config/zones/public.xml
index 929ad72..a56e95c 100644
--- a/config/zones/public.xml
+++ b/config/zones/public.xml
@@ -3,5 +3,6 @@
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
+ <service name="mdns"/>
<service name="dhcpv6-client"/>
</zone>
diff --git a/config/zones/work.xml b/config/zones/work.xml
index 7e750fc..77f13c8 100644
--- a/config/zones/work.xml
+++ b/config/zones/work.xml
@@ -3,5 +3,6 @@
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
+ <service name="mdns"/>
<service name="dhcpv6-client"/>
</zone>
--
1.7.11.2
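Review bot: Adding `<service name="mdns"/>` to `public.xml` (L360) widens the default exposure of the zone whose own description on L358 says the other hosts on the network are not trusted; the commit message justifies it with Avahi's defaults, but the firewall rule admits 5353/udp whether or not Avahi is the listener. The patch is from 2012 (L341, git 1.7.11.2 on L375) and is being carried onto firewalld 0.6.2 here, so the decision deserves a recorded rationale rather than inheritance, for example by limiting the change to `work.xml` or by updating the description on L358 to mention that service discovery is permitted. If the distribution wants it in `public`, a comment next to the patch listing in the spec stating why would let a later maintainer revisit it.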

firewalld-0.6.2.tar.gz Normal file



@ -0,0 +1,31 @@
From 17adfe4137cfd1c1734ff1b77304f70e163313fa Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 9 Oct 2018 14:55:21 -0400
Subject: [PATCH 018/127] firewalld: fix --runtime-to-permanent if NM not in
use.
Due to scope "settings" was not defined.
Fixes: #404
Fixes: e7c00a4063ff ("ifcfg: Modify ZONE= on permanent config changes")
---
src/firewall/server/firewalld.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
index 6810b68c..bc04f2d0 100644
--- a/src/firewall/server/firewalld.py
+++ b/src/firewall/server/firewalld.py
@@ -441,8 +441,8 @@ class FirewallD(slip.dbus.service.Object):
nm_bus_name = nm_get_bus_name()
for name in self.fw.zone.get_zones():
conf = self.getZoneSettings(name)
+ settings = FirewallClientZoneSettings(conf)
if nm_bus_name is not None:
- settings = FirewallClientZoneSettings(conf)
changed = False
for interface in settings.getInterfaces():
if self.fw.zone.interface_get_sender(name, interface) == nm_bus_name:
--
2.19.1

firewalld.spec Normal file

@ -0,0 +1,217 @@
Name: firewalld
Version: 0.6.2
Release: 3
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
License: GPLv2+
URL: http://www.firewalld.org
Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
#backport from gnome
Patch0: firewalld-0.2.6-MDNS-default.patch
#backport from Eric Garver <e@erig.me>
Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch
#Patch2,3 backport from upstream
Patch2: 0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch
Patch3: 0001-Fix-translating-labels-392.patch
Patch6000: firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch
Patch6001: nftables-fix-destination-checks-not-allowing-masks.patch
Patch6002: firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch
Patch6003: nftables-fix-reject-statement-in-block-zone.patch
Patch6004: ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch
Patch6005: rich-rules-fix-mark-action.patch
Patch6006: nftables-fix-panic-mode-not-filtering-output-packets.patch
Patch6007: fw_zone-fix-rich-rule-masquerading.patch
Patch6008: fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch
Patch6009: nftables-fix-rich-rule-masquerade.patch
Patch6010: nftables-fix-ipv6-rich-rule-forward-ports.patch
Patch6011: ipset-fix-set-apply-if-IndividualCalls-yes.patch
Patch6012: fix-issue-457.patch
Patch9000: repair-test-cases.patch
BuildArch: noarch
BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl
BuildRequires: libxslt iptables ebtables ipset nftables python3-devel
Requires: iptables ebtables ipset systemd hicolor-icon-theme python3-gobject NetworkManager-libnm dbus-x11 gtk3
Requires: nftables >= 0.9.0 kernel >= 4.18.0 python3-firewall = %{version}-%{release}
Obsoletes: firewalld-selinux < 0.4.4.2-2
Conflicts: selinux-policy < 3.14.1-28
Conflicts: cockpit-ws < 173-2
Provides: variant_config(Server)
Provides: variant_config(Workstation)
Obsoletes: firewalld-config-standard <= 0.3.15
Obsoletes: firewalld-config-cloud <= 0.3.15
Obsoletes: firewalld-config-server <= 0.3.15
Obsoletes: firewalld-config-workstation <= 0.3.15
Provides: firewalld-filesystem = %{version}-%{release} firewall-config = %{version}-%{release}
Obsoletes: firewalld-filesystem < %{version}-%{release} firewall-config < %{version}-%{release}
%description
firewalld is a firewall service daemon that provides a dynamic customizable
firewall with a D-Bus interface.
%package doc
Summary: Documentation for firewalld
%description doc
Documentation for firewalld.
%package -n python3-firewall
Summary: Python3 bindings for firewalld
%{?python_provide:%python_provide python3-firewall}
Obsoletes: python-firewall < 0.5.2-2 Obsoletes: python2-firewall < 0.5.2-2
Requires: python3-dbus python3-slip-dbus python3-decorator python3-gobject-base
%description -n python3-firewall
Python3 bindings for firewalld.
%prep
%autosetup -n %{name}-%{version} -p1
./autogen.sh
%build
%configure --enable-sysconfig --enable-rpmmacros PYTHON=%{__python3}
%make_build
%install
%make_install
desktop-file-install --delete-original \
--dir %{buildroot}%{_sysconfdir}/xdg/autostart \
%{buildroot}%{_sysconfdir}/xdg/autostart/firewall-applet.desktop
desktop-file-install --delete-original \
--dir %{buildroot}%{_datadir}/applications \
%{buildroot}%{_datadir}/applications/firewall-config.desktop
mv %{buildroot}%{_sysconfdir}/firewalld/firewalld.conf \
%{buildroot}%{_sysconfdir}/firewalld/firewalld-standard.conf
%find_lang %{name} --all-name
%check
%pre
%preun
%systemd_preun firewalld.service
%post
%systemd_post firewalld.service
%postun
%systemd_postun_with_restart firewalld.service
%posttrans
# If we don't yet have a symlink or existing file for firewalld.conf,
# create it. Note: this will intentionally reset the policykit policy
# at the same time, so they are in sync.
# Import /etc/os-release to get the variant definition
. /etc/os-release || :
if [ ! -e %{_sysconfdir}/firewalld/firewalld.conf ]; then
case "$VARIANT_ID" in
server)
ln -sf firewalld-server.conf %{_sysconfdir}/firewalld/firewalld.conf || :
;;
workstation)
ln -sf firewalld-workstation.conf %{_sysconfdir}/firewalld/firewalld.conf || :
;;
*)
ln -sf firewalld-standard.conf %{_sysconfdir}/firewalld/firewalld.conf
;;
esac
fi
if [ ! -e %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy ]; then
case "$VARIANT_ID" in
workstation)
ln -sf org.fedoraproject.FirewallD1.desktop.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
;;
*)
# For all other editions, we'll use the Server polkit policy
ln -sf org.fedoraproject.FirewallD1.server.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
esac
fi
%files -f %{name}.lang
%doc COPYING README
%{_sbindir}/firewalld
%{_bindir}/firewall-config
%{_bindir}/firewall-cmd
%{_bindir}/firewall-offline-cmd
%{_datadir}/bash-completion/completions/firewall-cmd
%{_prefix}/lib/firewalld/*
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/
%config(noreplace) %{_sysconfdir}/firewalld/firewalld-standard.conf
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones
%ghost %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf
%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml
%defattr(0644,root,root)
%config(noreplace) %{_sysconfdir}/sysconfig/firewalld
%{_unitdir}/firewalld.service
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
%ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
%{_rpmconfigdir}/macros.d/macros.firewalld
#we don't need applet
%exclude %{_bindir}/firewall-applet
%exclude %{_sysconfdir}/xdg/autostart/firewall-applet.desktop
%exclude %dir %{_sysconfdir}/firewall
%exclude %{_sysconfdir}/firewall/applet.conf
%exclude %{_datadir}/icons/hicolor/*/apps/firewall-applet*.*
%exclude %{_mandir}/man1/firewall-applet*.1*
%defattr(0644,root,root)
%{_datadir}/firewalld/*
%{_datadir}/applications/firewall-config.desktop
%{_datadir}/metainfo/firewall-config.appdata.xml
%{_datadir}/icons/hicolor/*/apps/firewall-config*.*
%{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml
%files doc
%{_mandir}/man1/firewall*
%{_mandir}/man5/firewall*
%files -n python3-firewall
%defattr(-,root,root)
%{python3_sitelib}/firewall/*
%changelog
* Sat Sep 28 2019 huzhiyu <huzhiyu1@huawei.com> - 0.6.2-3
-create firewalld.conf file
* Thu Sep 5 2019 hufeng <solar.hu@huawei.com> - 0.6.2.2
-Create firewalld spec.
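Review bot: The `%posttrans` scriptlet links `firewalld.conf` to `firewalld-server.conf` (L510) or `firewalld-workstation.conf` (L513) depending on `VARIANT_ID`, but `%install` only produces `firewalld-standard.conf` (L490-L491) and `%files` only packages that one (L539), so on a Server or Workstation variant the `%ghost` link at L545 would dangle and the daemon would start from built-in fallbacks rather than the packaged configuration. Either ship those two variant files or collapse the `case` to the `*)` branch until they exist. The default branch at L516 is also the only `ln -sf` without `|| :`, so a failure there aborts the scriptlet while the others are tolerated; make the three consistent one way or the other. `%check` at L493 is empty even though `Patch9000` (L445) repairs the test cases, so either run the suite there or note why it cannot run in the build environment. L450 requires `nftables >= 0.9.0` and `kernel >= 4.18.0` while `Patch1` (L428) defaults the backend to iptables; if that is deliberate, a comment next to `Patch1` explaining the choice would help.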

fix-issue-457.patch Normal file

@ -0,0 +1,26 @@
From 7da05eff467244f0da6a4e7c1370dd6c7605e9f4 Mon Sep 17 00:00:00 2001
From: Daniel Nicolai <dalanicolai@gmail.com>
Date: Mon, 11 Feb 2019 12:16:31 +0100
Subject: [PATCH 102/127] fix issue #457
I found out I did not set a value for invert when adding the rich rule via firewall-cmd. Then I got the error as mentioned in issue #457 because the invert attribute was given a default value None. I corrected it here so that it gets the default value False. This fixed the issue for me.
---
src/firewall/core/rich.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index 91f53fd9..dacaeb9c 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -394,7 +394,7 @@ class Rich_Rule(object):
elif element in ['not', 'NOT']:
attrs['invert'] = True
else:
- self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert'))
+ self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert', False))
in_elements.pop() # source
attrs.clear()
index = index -1 # return token to input
--
2.19.1
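Review bot: `attrs.get('invert', False)` at L603 fixes this one call site, but `Rich_Source.__init__` is outside the hunk; if its `invert` parameter has no default there, the default belongs on the constructor so that every caller gets the same behaviour, and this line can stay as is. The commit message describes the symptom but not why `None` was rejected, so a short comment on L603 such as `# invert must be a real bool; Rich_Source rejects None` would record it. The enclosing parsing method continues outside the hunk.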


@ -0,0 +1,39 @@
From 2210822a2450a7b9ed853593c3d88aca1c43c2fc Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 5 Dec 2018 16:29:49 -0500
Subject: [PATCH 048/127] fw_zone: fix IPv6 rich rule forward-port without
toaddr
Using a rich rule with family=ipv6 and no toaddr specified was silently
not applying any rules.
---
src/firewall/core/fw_zone.py | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 816fa503..db90c32b 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1702,17 +1702,10 @@ class FirewallZone(object):
for ipv in ipvs:
if backend.is_ipv_supported(ipv):
self.check_forward_port(ipv, port, protocol, toport, toaddr)
-
- if check_single_address("ipv6", toaddr):
- ipv = "ipv6"
- else:
- ipv = "ipv4"
-
- if not backend.is_ipv_supported(ipv):
- continue
+ if enable:
+ zone_transaction.add_post(enable_ip_forwarding, ipv)
if enable:
- zone_transaction.add_post(enable_ip_forwarding, ipv)
mark_id = self._fw.new_mark()
filter_chain = "INPUT" if not toaddr else "FORWARD_IN"
--
2.19.1
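Review bot: Two consecutive `if enable:` tests appear at L639 and L641 and the rendered page has lost the indentation, so a reader cannot tell whether the first one sits inside the `for ipv in ipvs` loop (as the removed per-`toaddr` family selection at L632-L638 suggests) or at the same level as the second, in which case they should be merged. If it is inside the loop, a comment like `# enable forwarding for every supported family, not just the one toaddr belongs to` on L639 would make the intent explicit. The enclosing method starts and ends outside the hunk.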


@ -0,0 +1,27 @@
From 14acf26afe09ff9092bebbfc7ffe718b1758c573 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 5 Dec 2018 13:09:28 -0500
Subject: [PATCH 047/127] fw_zone: fix rich rule masquerading
We weren't passing the rich rule to the backend so filtering on
source/destination would not work.
---
src/firewall/core/fw_zone.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index ca90f7fb..816fa503 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1690,7 +1690,7 @@ class FirewallZone(object):
if backend.is_ipv_supported(ipv):
zone_transaction.add_post(enable_ip_forwarding, ipv)
- rules = backend.build_zone_masquerade_rules(enable, zone)
+ rules = backend.build_zone_masquerade_rules(enable, zone, rule)
zone_transaction.add_rules(backend, rules)
# FORWARD PORT
--
2.19.1


@ -0,0 +1,43 @@
From 93824072768f989991a11069ac75f1cd3d56ae34 Mon Sep 17 00:00:00 2001
From: Federico Cuello <fedux@fedux.com.ar>
Date: Sat, 20 Oct 2018 15:47:28 +0200
Subject: [PATCH 023/127] ipXtables/nftables: Fix "object has no attribute
'_log_denied'"
This fixes nftables and ipXtables (when IndividualCalls=yes),
as _log_denied is not an attribute of the class but a param.
---
src/firewall/core/ipXtables.py | 3 +--
src/firewall/core/nftables.py | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 02a518d2..11aebec6 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -492,8 +492,7 @@ class ip4tables(object):
if log_denied == "off":
return ""
if log_denied in [ "unicast", "broadcast", "multicast" ]:
- rule[i:i+1] = [ "-m", "pkttype", "--pkt-type",
- self._log_denied ]
+ rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", log_denied ]
else:
rule.pop(i)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 3c871069..cd05b2c3 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -290,7 +290,7 @@ class nftables(object):
if log_denied == "off":
return ""
if log_denied in ["unicast", "broadcast", "multicast"]:
- rule[i:i+1] = ["pkttype", self._log_denied]
+ rule[i:i+1] = ["pkttype", log_denied]
else:
rule.pop(i)
--
2.19.1


@ -0,0 +1,81 @@
From 4157393136bbaff53e812029376b2a0a5113cedb Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 11 Dec 2018 11:32:54 -0500
Subject: [PATCH 070/127] ipset: fix set apply if IndividualCalls=yes
Fixes: rhbz 1644834
Fixes: e6188ec98ff4 ("FirewallIPSet: Support restore in apply_ipsets, use it in Firewall")
---
src/firewall/core/fw_ipset.py | 2 +-
src/tests/regression/rhbz1601610.at | 43 +++++++++++++++++++++++++++++
2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
index b06a60d0..54ace39e 100644
--- a/src/firewall/core/fw_ipset.py
+++ b/src/firewall/core/fw_ipset.py
@@ -125,7 +125,7 @@ class FirewallIPSet(object):
raise FirewallError(errors.COMMAND_FAILED, msg)
else:
obj.applied = True
- if "timeout" not in obj.options or \
+ if "timeout" in obj.options and \
obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
continue
diff --git a/src/tests/regression/rhbz1601610.at b/src/tests/regression/rhbz1601610.at
index 0676bb82..5ba0cee4 100644
--- a/src/tests/regression/rhbz1601610.at
+++ b/src/tests/regression/rhbz1601610.at
@@ -57,5 +57,48 @@ FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22])
FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [
])
+dnl rhbz 1644834
+FWD_CHECK([-q --ipset=foobar --add-entry=10.1.0.0/16])
+FWD_CHECK([-q --runtime-to-permanent])
+FWD_RELOAD
+m4_if(nftables, FIREWALL_BACKEND, [
+NFT_LIST_SET([foobar], 0, [dnl
+table inet firewalld {
+set foobar {
+type ipv4_addr
+flags interval
+elements = { 10.1.0.0/16, 10.2.0.0/22 }
+}
+}
+])], [
+IPSET_LIST_SET([foobar], 0, [dnl
+Name: foobar
+Type: hash:net
+Members:
+10.1.0.0/16
+10.2.0.0/22
+])])
+
+dnl rhbz 1644834, again with IndividualCalls=yes
+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf])
+FWD_RELOAD
+m4_if(nftables, FIREWALL_BACKEND, [
+NFT_LIST_SET([foobar], 0, [dnl
+table inet firewalld {
+set foobar {
+type ipv4_addr
+flags interval
+elements = { 10.1.0.0/16, 10.2.0.0/22 }
+}
+}
+])], [
+IPSET_LIST_SET([foobar], 0, [dnl
+Name: foobar
+Type: hash:net
+Members:
+10.1.0.0/16
+10.2.0.0/22
+])])
+
FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl
-e '/ERROR: COMMAND_FAILED:.*element.*exists/d'])
--
2.19.1


@ -0,0 +1,63 @@
From b3c43ee7be2411a8d17416b98616378078f21eef Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 27 Sep 2018 08:52:22 -0400
Subject: [PATCH 009/127] nftables: fix destination checks not allowing masks
Some destination checks were using check_single_address() which make it
impossible to use a mask. This was discovered in issue #399.
---
src/firewall/core/nftables.py | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 811f4e71..64191d1f 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -753,7 +753,7 @@ class nftables(object):
return []
rule_fragment = []
- if check_single_address("ipv4", rich_dest.addr):
+ if check_address("ipv4", rich_dest.addr):
rule_fragment += ["ip"]
else:
rule_fragment += ["ip6"]
@@ -803,7 +803,7 @@ class nftables(object):
if rich_rule:
rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
rule_fragment += ["ip"]
else:
rule_fragment += ["ip6"]
@@ -835,7 +835,7 @@ class nftables(object):
if rich_rule:
rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
rule_fragment += ["ip"]
else:
rule_fragment += ["ip6"]
@@ -869,7 +869,7 @@ class nftables(object):
if rich_rule:
rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
rule_fragment += ["ip"]
else:
rule_fragment += ["ip6"]
@@ -900,7 +900,7 @@ class nftables(object):
rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
"raw_%s_allow" % (target), proto]
if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
rule += ["ip"]
else:
rule += ["ip6"]
--
2.19.1
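Review bot: All five hunks (L817-L820, L826-L829, L835-L838, L844-L847, L853-L856) repeat the same fragment where anything that fails `check_address("ipv4", ...)` is emitted as `ip6` without being checked, so a malformed destination would be rendered as an IPv6 match rather than rejected; whether earlier validation already guarantees a well-formed address is not visible here. A single helper such as `_addr_family(addr)` returning `"ip"` or `"ip6"` (and raising when the value is neither) would centralize the check and keep the five sites in step. Switching from `check_single_address` to `check_address` widens accepted input to masked addresses, which is the point of the fix, but the method docstrings should say that a mask is now allowed. Each enclosing builder method continues outside its hunk.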


@ -0,0 +1,29 @@
From 628657cdafa7ba3217fb031c748f5a7d32924c90 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 5 Dec 2018 19:11:06 -0500
Subject: [PATCH 050/127] nftables: fix ipv6 rich rule forward-ports
The were mistakenly being added to the ipv4 nat tables as well.
Fixes: #422
Fixes: b630abd8e901 ("backend: introduce nftables support")
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 00a02ad1..a1cb2c47 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -980,7 +980,7 @@ class nftables(object):
or toaddr and check_single_address("ipv6", toaddr)):
rules.extend(self._build_zone_forward_port_nat_rules(enable, zone,
protocol, mark_fragment, toaddr, toport, "ip6"))
- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
+ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
or toaddr and check_single_address("ipv4", toaddr)):
rules.extend(self._build_zone_forward_port_nat_rules(enable, zone,
protocol, mark_fragment, toaddr, toport, "ip"))
--
2.19.1
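Review bot: The `elif` at L882 is the right fix, but the condition it guards relies on `and` binding tighter than `or` and carries a redundant test: `rich_rule.family and rich_rule.family == "ipv4"` is equivalent to `rich_rule.family == "ipv4"`, so `elif rich_rule and (rich_rule.family == "ipv4" or (toaddr and check_single_address("ipv4", toaddr))):` says the same thing with the precedence made explicit. The same shape appears in the IPv6 branch just above (L878), so both should be written the same way. The enclosing method starts and ends outside the hunk.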


@ -0,0 +1,73 @@
From 2f5608b4897ff99afbb1c2425a94df035031c1a2 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Mon, 3 Dec 2018 12:40:41 -0500
Subject: [PATCH 043/127] nftables: fix panic mode not filtering output packets
This simplifies policy in the nftables backend by filtering only on the
prerouting and output hooks. The others hooks are unnecessary since
we're using a higher precedence.
Also fixes an issue when re-enabling panic mode multiple times. Due to
rule de-duplication the policy drop rule was not being re-added.
Fixes: rhbz 1579740
Fixes: a0f683dfef2c ("nftables: fix policy")
---
src/firewall/core/nftables.py | 36 +++++++++--------------------------
1 file changed, 9 insertions(+), 27 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 69236a96..44cd4f9e 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -314,38 +314,20 @@ class nftables(object):
# packets while initially starting and for panic mode. As such, using
# hooks with a higher priority than our base chains is sufficient.
#
- table_chains = []
- for table in list(IPTABLES_TO_NFT_HOOK.keys()):
- for chain in IPTABLES_TO_NFT_HOOK[table]:
- table_chains.append((table, chain))
-
table_name = TABLE_NAME + "_" + "policy_drop"
- def _policy_drop_helper(table, chain, family, rules):
- _chain = "%s_%s" % (table, chain)
- _hook = IPTABLES_TO_NFT_HOOK[table][chain][0]
- # add hooks with priority -1, only contain drop rule
- _priority = IPTABLES_TO_NFT_HOOK[table][chain][1] - 1
- _add_chain = "add chain %s %s %s '{ type filter hook %s priority %d ; }'" % \
- (family, table_name, _chain, _hook, _priority)
- rules.append(splitArgs(_add_chain))
- rules.append(["add", "rule", family, table_name, _chain, "drop"])
-
rules = []
if policy == "DROP":
- for family in ["inet", "ip", "ip6"]:
- rules.append(["add", "table", family, table_name])
-
- for table,chain in table_chains:
- if table == "nat":
- # nat requires two families
- for family in ["ip", "ip6"]:
- _policy_drop_helper(table, chain, family, rules)
- else:
- _policy_drop_helper(table, chain, "inet", rules)
+ rules.append(["add", "table", "inet", table_name])
+
+ # To drop everything we need to use the "raw" priority. These occur
+ # before conntrack, mangle, nat, etc
+ for hook in ["prerouting", "output"]:
+ _add_chain = "add chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'" % \
+ (table_name, "raw", hook, hook, -300 + NFT_HOOK_OFFSET - 1)
+ rules.append(splitArgs(_add_chain))
elif policy == "ACCEPT":
- for family in ["inet", "ip", "ip6"]:
- rules.append(["delete", "table", family, table_name])
+ rules.append(["delete", "table", "inet", table_name])
else:
FirewallError(UNKNOWN_ERROR, "not implemented")
--
2.19.1
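Review bot: The `else` branch at the end of the hunk constructs `FirewallError(UNKNOWN_ERROR, "not implemented")` without `raise`, so an unrecognised policy value silently falls through and returns an empty rule list instead of failing; the patch rewrites this function but leaves that line as is, and it should read `raise FirewallError(UNKNOWN_ERROR, "not implemented")`. Separately, the new priority expression `-300 + NFT_HOOK_OFFSET - 1` hard-codes the raw-hook priority that the comment above describes in words; a short comment on that line, `# -300 is the netfilter "raw" priority; minus one so we run before anything else`, or a named constant, would keep the two in step. The function's return is outside the hunk.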


@ -0,0 +1,43 @@
From a9abba630333970cc59d5fdcb1e92968b38f5eaa Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 11 Oct 2018 11:58:22 -0400
Subject: [PATCH 020/127] nftables: fix reject statement in "block" zone
Also add test coverage.
Fixes: #406
---
src/firewall/core/nftables.py | 3 ++-
src/tests/firewall-cmd.at | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 8a305539..3c871069 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -619,7 +619,8 @@ class nftables(object):
target in ["ACCEPT", "REJECT", "%%REJECT%%", "DROP"] and \
chain in ["INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"]:
rules.append(["add", "rule", family, "%s" % TABLE_NAME,
- "%s_%s" % (table, _zone), target.lower()])
+ "%s_%s" % (table, _zone),
+ target.lower() if target != "%%REJECT%%" else "%%REJECT%%"])
return rules
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index ef45110c..b7ec3816 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -69,6 +69,8 @@ FWD_START_TEST([zone interfaces])
FWD_CHECK([--zone=public --change-interface=dummy], 0, ignore)
FWD_CHECK([--get-zone-of-interface=dummy], 0, [public
])
+ FWD_CHECK([--zone=block --add-interface=dummy1], 0, ignore)
+ FWD_CHECK([--zone=block --remove-interface=dummy1], 0, ignore)
FWD_CHECK([--zone=dmz --change-zone=dummy], 0, ignore)
FWD_CHECK([--get-zone-of-interface=dummy], 0, [dmz
--
2.19.1
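Review bot: The new conditional expression spells the `%%REJECT%%` literal twice and reads backwards; `target if target == "%%REJECT%%" else target.lower()` says the same thing more directly. A one-line comment explaining why the placeholder must be kept verbatim would also help, since this hunk gives no hint of where it is resolved, presumably later in the backend. The enclosing function starts outside the hunk and ends at the `return rules` shown.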


@ -0,0 +1,38 @@
From aee4948e86fde6df8205b07f4da58e2a8c07377c Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 5 Dec 2018 17:16:30 -0500
Subject: [PATCH 049/127] nftables: fix rich rule masquerade
---
src/firewall/core/nftables.py | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 44cd4f9e..00a02ad1 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -900,7 +900,6 @@ class nftables(object):
rule_fragment = []
if rich_rule:
- rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
@@ -912,10 +911,10 @@ class nftables(object):
# nat tables needs to use ip/ip6 family
rules = []
if rich_rule and (rich_rule.family and rich_rule.family == "ipv6"
- or rich_rule.source and check_address("ipv6", rich_rule.source)):
+ or rich_rule.source and check_address("ipv6", rich_rule.source.addr)):
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
- or rich_rule.source and check_address("ipv4", rich_rule.source)):
+ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
+ or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
else:
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
--
2.19.1
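Review bot: The new conditions pass `rich_rule.source.addr` to `check_address` whenever `rich_rule.source` is truthy, but if a rich-rule source can be something other than an address (an ipset or MAC source, which this hunk does not show), `.addr` is None and is handed to the checker; guarding it, `or rich_rule.source and rich_rule.source.addr and check_address("ipv6", rich_rule.source.addr)`, and likewise for the ipv4 line, makes the intent explicit rather than relying on the checker tolerating None. Note also that the trailing `else` now catches both "no rich rule" and "rich rule with a non-IP source", so an ipset-sourced masquerade rule gets the ip6 branch first; that may be intended but is worth a comment. The enclosing function ends outside the hunk.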

52
repair-test-cases.patch Normal file

@ -0,0 +1,52 @@
From a43ae627eeb4f99bb15ed737fd58f0ec15d55dea Mon Sep 17 00:00:00 2001
From: yanghua <yanghua21@huawei.com>
Date: Mon, 6 May 2019 16:28:01 +0800
Subject: [PATCH] Repair test cases gh366 rhbz1514043 rhbz1601610
---
src/tests/functions.at | 2 +-
src/tests/regression/gh366.at | 1 +
src/tests/regression/rhbz1514043.at | 2 +-
3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index d1f3429..243724f 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -244,7 +244,7 @@ m4_define([NFT_LIST_RULES], [
m4_define([IPSET_LIST_SET], [
NS_CHECK([ipset list $1 | TRIM_WHITESPACE |dnl
grep -v "^\(Revision\|Header\|Size\|References\|Number\)" |dnl
- awk 'NR <= 4; NR > 4 {print | "sort"}'],
+ awk 'NR <= 3; NR > 3 {print | "sort"}'],
[$2], [$3], [$4], [$5], [$6])
])
diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at
index dd6963f..46307cf 100644
--- a/src/tests/regression/gh366.at
+++ b/src/tests/regression/gh366.at
@@ -22,6 +22,7 @@ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
])])])
+FWD_CHECK([-q --zone=public --remove-service=mdns])
FWD_CHECK([-q --zone=public --add-service=mdns])
check_firewall_backend_output
FWD_CHECK([-q --zone=public --remove-service=mdns])
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index 4831460..077c007 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -3,7 +3,7 @@ FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
-services: ssh dhcpv6-client samba
+services: ssh mdns dhcpv6-client samba
])
dnl check that log denied actually took effect
m4_if(iptables, FIREWALL_BACKEND, [
--
2.19.1


@ -0,0 +1,65 @@
From 5d36e0f55887c6204e07bd8095ead1ce2d535ddb Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 2 Nov 2018 14:10:38 -0400
Subject: [PATCH 025/127] rich rules: fix mark action
They were being placed in the wrong (and nonexistent) chain. Also add
test coverage for the "mark" action.
Fixes: 7c5f5f4d12ee ("fw_zone: push rich rule generation to backend")
Tested-by: Felix Kaechele <heffer@fedoraproject.org>
---
src/firewall/core/ipXtables.py | 4 ++--
src/firewall/core/nftables.py | 4 ++--
src/tests/firewall-cmd.at | 1 +
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 11aebec6..b98ba522 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -807,10 +807,10 @@ class ip4tables(object):
chain = "%s_deny" % target
rule_action = [ "-j", "DROP" ]
elif type(rich_rule.action) == Rich_Mark:
- chain = "%s_allow" % target
- table = "mangle"
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
+ table = "mangle"
+ chain = "%s_allow" % target
rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
else:
raise FirewallError(INVALID_RULE,
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index cd05b2c3..69236a96 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -723,10 +723,10 @@ class nftables(object):
chain = "%s_%s_deny" % (table, target)
rule_action = ["drop"]
elif type(rich_rule.action) == Rich_Mark:
- table = "mangle"
- chain = "%s_%s_allow" % (table, target)
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
+ table = "mangle"
+ chain = "%s_%s_allow" % (table, target)
rule_action = ["meta", "mark", "set", rich_rule.action.set]
else:
raise FirewallError(INVALID_RULE,
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index b7ec3816..f31c8955 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -863,6 +863,7 @@ FWD_START_TEST([rich rules good])
rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])
rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
+ rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])
FWD_END_TEST
FWD_START_TEST([rich rules audit])
CHECK_LOG_AUDIT
--
2.19.1
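Review bot: In both the ipXtables and nftables hunks the fix works only because `target` is reassigned to the PREROUTING target before `chain` is formatted from it, and nothing in the code says so; the next reorder will reintroduce the bug. A why-comment on the reassignment in each backend, `# chain must be built from the PREROUTING target, so recompute target first`, documents the ordering dependency. Both enclosing branches belong to functions that start and end outside their hunks.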