commit 8b6920a2befe310b0050e7caa31aba8640fb6551 Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 10:38:52 2019 -0400 Package init diff --git a/0001-Fix-translating-labels-392.patch b/0001-Fix-translating-labels-392.patch new file mode 100644 index 0000000..1eb06cc --- /dev/null +++ b/0001-Fix-translating-labels-392.patch @@ -0,0 +1,35 @@ +From 5494006021e83f27195dc902c3c9fd024e71dc3b Mon Sep 17 00:00:00 2001 +From: MeggyCal +Date: Thu, 20 Sep 2018 15:37:17 +0200 +Subject: [PATCH] Fix translating labels (#392) + +Fix for #344 was incomplete, the "flags" were not translating and the reported bug was still active. + +Fixes: #344 +(cherry picked from commit e657200927a9f0f41fbed95640cd47e2a5836c6f) +--- + src/firewall-config.glade | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/firewall-config.glade b/src/firewall-config.glade +index 22bed58aafaf..75c229b408fd 100644 +--- a/src/firewall-config.glade ++++ b/src/firewall-config.glade +@@ -10135,10 +10135,10 @@ + start + start + +- accept +- reject +- drop +- mark ++ accept ++ reject ++ drop ++ mark + + + +-- +2.18.0 + diff --git a/0001-fedora-patch-to-default-to-iptables-backend.patch b/0001-fedora-patch-to-default-to-iptables-backend.patch new file mode 100644 index 0000000..d33324d --- /dev/null +++ b/0001-fedora-patch-to-default-to-iptables-backend.patch 
@@ -0,0 +1,116 @@ +From a628d6e3a710fb8379cf2fb319cdafc06dd2dad6 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 30 Aug 2018 16:34:19 -0400 +Subject: [PATCH] fedora patch to default to iptables backend + +--- + config/firewalld.conf | 7 ------- + src/firewall/config/__init__.py.in | 2 +- + src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++ + src/tests/dbus/firewalld.conf.at | 2 +- + src/tests/functions.at | 4 ++-- + 5 files changed, 21 insertions(+), 11 deletions(-) + +diff --git a/config/firewalld.conf b/config/firewalld.conf +index b53c0aa50c53..63df409bf567 100644 +--- a/config/firewalld.conf ++++ b/config/firewalld.conf +@@ -55,10 +55,3 @@ LogDenied=off + # will be used. Possible values are: yes, no and system. + # Default: system + AutomaticHelpers=system +- +-# FirewallBackend +-# Selects the firewall backend implementation. +-# Choices are: +-# - nftables (default) +-# - iptables (iptables, ip6tables, ebtables and ipset) +-FirewallBackend=nftables +diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in +index 955be32077e1..cff7c3fe9025 100644 +--- a/src/firewall/config/__init__.py.in ++++ b/src/firewall/config/__init__.py.in +@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True + FALLBACK_INDIVIDUAL_CALLS = False + FALLBACK_LOG_DENIED = "off" + FALLBACK_AUTOMATIC_HELPERS = "system" +-FALLBACK_FIREWALL_BACKEND = "nftables" ++FALLBACK_FIREWALL_BACKEND = "iptables" +diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py +index 4d57bad693c1..6264f45a1913 100644 +--- a/src/firewall/core/io/firewalld_conf.py ++++ b/src/firewall/core/io/firewalld_conf.py +@@ -240,6 +240,12 @@ class firewalld_conf(object): + if key not in done: + if (key in self._config and \ + self._config[key] != value): ++ # Only write FirewallBackend if it's not the default. ++ # We will change the default in the future. 
++ if key == "FirewallBackend" and \ ++ self._config[key] == config.FALLBACK_FIREWALL_BACKEND: ++ done.append(key) ++ continue + empty = False + temp_file.write(u'%s=%s\n' % + (key, self._config[key])) +@@ -247,6 +253,12 @@ class firewalld_conf(object): + elif key in self._deleted: + modified = True + else: ++ # Only write FirewallBackend if it's not the default. ++ # We will change the default in the future. ++ if key == "FirewallBackend" and \ ++ value == config.FALLBACK_FIREWALL_BACKEND: ++ done.append(key) ++ continue + empty = False + temp_file.write(line+u"\n") + done.append(key) +@@ -258,6 +270,11 @@ class firewalld_conf(object): + for (key,value) in self._config.items(): + if key in done: + continue ++ # Only write FirewallBackend if it's not the default. ++ # We will change the default in the future. ++ if key == "FirewallBackend" and \ ++ value == config.FALLBACK_FIREWALL_BACKEND: ++ continue + if not empty: + temp_file.write(u"\n") + empty = True +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 473210de10af..44e649111ffb 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -5,7 +5,7 @@ DBUS_GETALL([config], [config], 0, [dnl + string "AutomaticHelpers" : variant string "system" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +-string "FirewallBackend" : variant string "nftables" ++string "FirewallBackend" : variant string "iptables" + m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl + string "IPv6_rpfilter" : variant string "no"],[dnl + string "IPv6_rpfilter" : variant string "yes"]) +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 3b79a9f31305..dd7b43d9dac6 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -65,13 +65,13 @@ m4_define([FWD_START_TEST], [ + fi + + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ +- m4_define_default([FIREWALL_BACKEND], [nftables]) ++ m4_define_default([FIREWALL_BACKEND], 
[iptables]) + + dnl don't unload modules or bother cleaning up, the namespace will be deleted + AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf]) + + dnl set the appropriate backend +- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf]) ++ AT_CHECK([echo "FirewallBackend=FIREWALL_BACKEND" >> ./firewalld.conf]) + + dnl fib matching is pretty new in nftables. Don't use rpfilter on older + dnl kernels. +-- +2.18.0 + diff --git a/0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch b/0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch new file mode 100644 index 0000000..c0373ef --- /dev/null +++ b/0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch 
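Review bot: The three new `if key == "FirewallBackend" and ... == config.FALLBACK_FIREWALL_BACKEND` guards in firewalld_conf.py discard an administrator's explicit `FirewallBackend=iptables` whenever it happens to equal the current fallback, so once the fallback is flipped to nftables (as the comment announces) a host that was deliberately pinned to iptables changes packet-filtering backend on its next start, with nothing left in the file to show the original intent. Persisting the key when it was present in the file that was read, rather than comparing its value against the fallback, would keep explicit choices; at minimum the comment should warn, e.g. `# NOTE: an explicit FirewallBackend equal to the built-in default is not persisted and will silently follow future default changes`. The functions.at change appends `FirewallBackend=FIREWALL_BACKEND` with `>>` instead of substituting, which only stays correct because the config/firewalld.conf hunk stops shipping the key; a duplicate key would appear if the template regains it. The surrounding write method begins and ends outside the hunk.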
@@ -0,0 +1,48 @@ +From 2e53fab83ac844c1d2fb2781116ad47b8900ab85 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 21 Sep 2018 11:02:18 -0400 +Subject: [PATCH 1/2] fw_transaction: On clear zone transaction, must clear fw + and other zones + +Just like FirewallZoneTransaction.execute() that was spawned from a +FirewallTransaction must call FirewallTransaction.exectue() we should +also make sure the same is done for clear(). Otherwise we can end up +with a partially cleared transaction. This gets really hairy if the +FirewallTransaction contains many instances of FirewallZoneTransaction +which is common during startup with non-default configuration. + +Fixes: #374 +--- + src/firewall/core/fw_transaction.py | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/src/firewall/core/fw_transaction.py b/src/firewall/core/fw_transaction.py +index f169e4a923dd..ad204c1991cf 100644 +--- a/src/firewall/core/fw_transaction.py ++++ b/src/firewall/core/fw_transaction.py +@@ -231,9 +231,19 @@ class FirewallZoneTransaction(SimpleFirewallTransaction): + self.modules = [ ] # [ module,.. ] + + def clear(self): +- super(FirewallZoneTransaction, self).clear() +- del self.chains[:] +- del self.modules[:] ++ # calling clear on a zone_transaction that was spawned from a ++ # FirewallTransaction needs to clear the fw_transaction and all the ++ # other zones otherwise we end up with a partially cleared transaction. 
++ if self.fw_transaction: ++ super(FirewallTransaction, self.fw_transaction).clear() ++ for zone in self.fw_transaction.zone_transactions.keys(): ++ super(FirewallZoneTransaction, self.fw_transaction.zone_transactions[zone]).clear() ++ del self.fw_transaction.zone_transactions[zone].chains[:] ++ del self.fw_transaction.zone_transactions[zone].modules[:] ++ else: ++ super(FirewallZoneTransaction, self).clear() ++ del self.chains[:] ++ del self.modules[:] + + def prepare(self, enable, rules=None, modules=None): + log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "...")) +-- +2.18.0 + diff --git a/firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch b/firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch new file mode 100644 index 0000000..0aed67c --- /dev/null +++ b/firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch 
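Review bot: The per-zone clear body (`super(FirewallZoneTransaction, x).clear()`, `del x.chains[:]`, `del x.modules[:]`) is now written twice in `clear()`, once inside the loop over `zone_transactions` and once in the `else` branch, and the loop reaches each zone through `.keys()` plus three dict lookups per iteration. Moving the local clear into a small private method removes the duplication and lets the loop iterate `.values()`. `super(FirewallTransaction, self.fw_transaction).clear()` deliberately skips `FirewallTransaction.clear` on a different object, presumably so it does not recurse back into the zones cleared below; that deserves a one-line comment such as `# bypass FirewallTransaction.clear(): it would recurse into the zone transactions cleared below`.
```python
    def _clear_own(self):
        # Clear only this zone transaction's state (no parent, no siblings).
        super(FirewallZoneTransaction, self).clear()
        del self.chains[:]
        del self.modules[:]

    def clear(self):
        if self.fw_transaction:
            # bypass FirewallTransaction.clear(): it would recurse into the zone
            # transactions cleared below
            super(FirewallTransaction, self.fw_transaction).clear()
            for zt in self.fw_transaction.zone_transactions.values():
                zt._clear_own()
        else:
            self._clear_own()
```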
@@ -0,0 +1,135 @@ +From 7cdd8027d13677185b301f849d42957e635ffa67 Mon Sep 17 00:00:00 2001 +From: StefanBruens +Date: Tue, 25 Sep 2018 21:56:36 +0200 +Subject: [PATCH 006/127] firewall/core/io/*.py: Let SAX handle the encoding of + XML files (#395) + +SAX is able to determine the encoding of XML files itself if the file +contains a correct "encoding" pseudo attribute, e.g.: + + +For this to work, the file stream has to be opened in binary mode, and +the parser has to read the stream using a SAX InputStream, which +autodetects the encoding. + +Fixes: #303 +--- + src/firewall/core/io/direct.py | 6 ++++-- + src/firewall/core/io/helper.py | 6 ++++-- + src/firewall/core/io/icmptype.py | 6 ++++-- + src/firewall/core/io/ipset.py | 6 ++++-- + src/firewall/core/io/service.py | 6 ++++-- + src/firewall/core/io/zone.py | 6 ++++-- + 6 files changed, 24 insertions(+), 12 deletions(-) + +diff --git a/src/firewall/core/io/direct.py b/src/firewall/core/io/direct.py +index 07e159da..b0c2cb52 100644 +--- a/src/firewall/core/io/direct.py ++++ b/src/firewall/core/io/direct.py +@@ -360,9 +360,11 @@ class Direct(IO_Object): + handler = direct_ContentHandler(self) + parser = sax.make_parser() + parser.setContentHandler(handler) +- with open(self.filename, "r") as f: ++ with open(self.filename, "rb") as f: ++ source = sax.InputSource(None) ++ source.setByteStream(f) + try: +- parser.parse(f) ++ parser.parse(source) + except sax.SAXParseException as msg: + raise FirewallError(errors.INVALID_TYPE, + "Not a valid file: %s" % \ +diff --git a/src/firewall/core/io/helper.py b/src/firewall/core/io/helper.py +index 4a2420dd..a5c81b9f 100644 +--- a/src/firewall/core/io/helper.py ++++ b/src/firewall/core/io/helper.py +@@ -156,9 +156,11 @@ def helper_reader(filename, path): + parser = sax.make_parser() + parser.setContentHandler(handler) + name = "%s/%s" % (path, filename) +- with open(name, "r") as f: ++ with open(name, "rb") as f: ++ source = sax.InputSource(None) ++ source.setByteStream(f) + try: 
+- parser.parse(f) ++ parser.parse(source) + except sax.SAXParseException as msg: + raise FirewallError(errors.INVALID_HELPER, + "not a valid helper file: %s" % \ +diff --git a/src/firewall/core/io/icmptype.py b/src/firewall/core/io/icmptype.py +index 91b48867..32103c59 100644 +--- a/src/firewall/core/io/icmptype.py ++++ b/src/firewall/core/io/icmptype.py +@@ -121,9 +121,11 @@ def icmptype_reader(filename, path): + parser = sax.make_parser() + parser.setContentHandler(handler) + name = "%s/%s" % (path, filename) +- with open(name, "r") as f: ++ with open(name, "rb") as f: ++ source = sax.InputSource(None) ++ source.setByteStream(f) + try: +- parser.parse(f) ++ parser.parse(source) + except sax.SAXParseException as msg: + raise FirewallError(errors.INVALID_ICMPTYPE, + "not a valid icmptype file: %s" % \ +diff --git a/src/firewall/core/io/ipset.py b/src/firewall/core/io/ipset.py +index 0670677b..8cc6a1f9 100644 +--- a/src/firewall/core/io/ipset.py ++++ b/src/firewall/core/io/ipset.py +@@ -390,9 +390,11 @@ def ipset_reader(filename, path): + parser = sax.make_parser() + parser.setContentHandler(handler) + name = "%s/%s" % (path, filename) +- with open(name, "r") as f: ++ with open(name, "rb") as f: ++ source = sax.InputSource(None) ++ source.setByteStream(f) + try: +- parser.parse(f) ++ parser.parse(source) + except sax.SAXParseException as msg: + raise FirewallError(errors.INVALID_IPSET, + "not a valid ipset file: %s" % \ +diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py +index c04d612e..487d5ba3 100644 +--- a/src/firewall/core/io/service.py ++++ b/src/firewall/core/io/service.py +@@ -219,9 +219,11 @@ def service_reader(filename, path): + parser = sax.make_parser() + parser.setContentHandler(handler) + name = "%s/%s" % (path, filename) +- with open(name, "r") as f: ++ with open(name, "rb") as f: ++ source = sax.InputSource(None) ++ source.setByteStream(f) + try: +- parser.parse(f) ++ parser.parse(source) + except sax.SAXParseException as 
msg: + raise FirewallError(errors.INVALID_SERVICE, + "not a valid service file: %s" % \ +diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py +index c048c867..05368e9c 100644 +--- a/src/firewall/core/io/zone.py ++++ b/src/firewall/core/io/zone.py +@@ -696,9 +696,11 @@ def zone_reader(filename, path, no_check_name=False): + parser = sax.make_parser() + parser.setContentHandler(handler) + name = "%s/%s" % (path, filename) +- with open(name, "r") as f: ++ with open(name, "rb") as f: ++ source = sax.InputSource(None) ++ source.setByteStream(f) + try: +- parser.parse(f) ++ parser.parse(source) + except sax.SAXParseException as msg: + raise FirewallError(errors.INVALID_ZONE, + "not a valid zone file: %s" % \ +-- +2.19.1 + diff --git a/firewalld-0.2.6-MDNS-default.patch b/firewalld-0.2.6-MDNS-default.patch new file mode 100644 index 0000000..0316962 --- /dev/null +++ b/firewalld-0.2.6-MDNS-default.patch 
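Review bot: Each of the six readers still builds its parser with a bare `sax.make_parser()` and now feeds it raw bytes through `InputSource.setByteStream`, so entity handling is whatever the interpreter defaults to; on Python releases before 3.7.1 that default includes processing external general entities, which lets a crafted zone/service/ipset/helper file make the daemon read local files or open outbound connections at startup. These files live under root-owned paths, so exposure is limited to whoever can already write them, but a firewall daemon should not lean on that: add `parser.setFeature(sax.handler.feature_external_ges, False)` right after `make_parser()` in each reader. Since the open/InputSource/parse sequence is now identical in all six files, one shared helper that builds the parser, disables external entities and wraps the stream would keep the hardening in a single place. Passing `sax.InputSource(None)` with no system id also prevents relative external references from resolving, which is the right direction for the same reason.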
@@ -0,0 +1,40 @@ +From 0e9306e9df41142503b4efc90032043183a3cb7b Mon Sep 17 00:00:00 2001 +From: Stef Walter +Date: Mon, 6 Aug 2012 10:01:09 +0200 +Subject: [PATCH] Make MDNS work in all but the most restrictive zones + + * MDNS is a discovery protocol, and much like DNS or DHCP should + be available for the network to function as expected. + * Avahi (the main MDNS) implementation has taken steps to make sure + no private information is published by default. + * See: https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault +--- + config/zones/public.xml | 1 + + config/zones/work.xml | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/config/zones/public.xml b/config/zones/public.xml +index 929ad72..a56e95c 100644 +--- a/config/zones/public.xml ++++ b/config/zones/public.xml +@@ -3,5 +3,6 @@ + Public + For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + ++ + + +diff --git a/config/zones/work.xml b/config/zones/work.xml +index 7e750fc..77f13c8 100644 +--- a/config/zones/work.xml ++++ b/config/zones/work.xml +@@ -3,5 +3,6 @@ + Work + For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + ++ + + +-- +1.7.11.2 + diff --git a/firewalld-0.6.2.tar.gz b/firewalld-0.6.2.tar.gz new file mode 100644 index 0000000..7fcfbac Binary files /dev/null and b/firewalld-0.6.2.tar.gz differ diff --git a/firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch b/firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch new file mode 100644 index 0000000..a287851 --- /dev/null +++ b/firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch 
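Review bot: The service element added to `config/zones/public.xml` and `work.xml` has been stripped in this listing (the `++` line is empty), so the exact element cannot be confirmed here, but the subject says it enables mDNS, i.e. inbound UDP/5353, in the zone this package ships as `DefaultZone` (the dbus test in the iptables-backend patch shows `public`). That widens the default inbound surface of every install toward networks the zone description itself calls untrusted, on the strength of a 2012 patch written against 0.2.6 and carried onto 0.6.2 with only `#backport from gnome` next to Patch0 in the spec. Please record the trade-off where downstream users will see it, e.g. a spec comment `# opens mDNS (UDP/5353) by default in the public and work zones; rationale in the patch header`, and confirm after applying that the added element is the intended `<service name="mdns"/>`.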
@@ -0,0 +1,31 @@
+From 17adfe4137cfd1c1734ff1b77304f70e163313fa Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 9 Oct 2018 14:55:21 -0400
+Subject: [PATCH 018/127] firewalld: fix --runtime-to-permanent if NM not in
+ use.
+
+Due to scope "settings" was not defined.
+
+Fixes: #404
+Fixes: e7c00a4063ff ("ifcfg: Modify ZONE= on permanent config changes")
+---
+ src/firewall/server/firewalld.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 6810b68c..bc04f2d0 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -441,8 +441,8 @@ class FirewallD(slip.dbus.service.Object):
+ nm_bus_name = nm_get_bus_name()
+ for name in self.fw.zone.get_zones():
+ conf = self.getZoneSettings(name)
++ settings = FirewallClientZoneSettings(conf)
+ if nm_bus_name is not None:
+- settings = FirewallClientZoneSettings(conf)
+ changed = False
+ for interface in settings.getInterfaces():
+ if self.fw.zone.interface_get_sender(name, interface) == nm_bus_name:
+--
+2.19.1
+
diff --git a/firewalld.spec b/firewalld.spec
new file mode 100644
index 0000000..acb74bd
--- /dev/null
+++ b/firewalld.spec
@@ -0,0 +1,217 @@ +Name: firewalld +Version: 0.6.2 +Release: 3 +Summary: A firewall daemon with D-Bus interface providing a dynamic firewall +License: GPLv2+ +URL: http://www.firewalld.org +Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz +#backport from gnome +Patch0: firewalld-0.2.6-MDNS-default.patch +#backport from Eric Garver +Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch +#Patch2,3 backport from upstream +Patch2: 0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch +Patch3: 0001-Fix-translating-labels-392.patch + +Patch6000: firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch +Patch6001: nftables-fix-destination-checks-not-allowing-masks.patch +Patch6002: firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch +Patch6003: nftables-fix-reject-statement-in-block-zone.patch +Patch6004: ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch +Patch6005: rich-rules-fix-mark-action.patch +Patch6006: nftables-fix-panic-mode-not-filtering-output-packets.patch +Patch6007: fw_zone-fix-rich-rule-masquerading.patch +Patch6008: fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch +Patch6009: nftables-fix-rich-rule-masquerade.patch +Patch6010: nftables-fix-ipv6-rich-rule-forward-ports.patch +Patch6011: ipset-fix-set-apply-if-IndividualCalls-yes.patch +Patch6012: fix-issue-457.patch + +Patch9000: repair-test-cases.patch + + +BuildArch: noarch +BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl +BuildRequires: libxslt iptables ebtables ipset nftables python3-devel + + +Requires: iptables ebtables ipset systemd hicolor-icon-theme python3-gobject NetworkManager-libnm dbus-x11 gtk3 +Requires: nftables >= 0.9.0 kernel >= 4.18.0 python3-firewall = %{version}-%{release} + +Obsoletes: firewalld-selinux < 0.4.4.2-2 +Conflicts: selinux-policy < 3.14.1-28 +Conflicts: cockpit-ws < 173-2 + +Provides: variant_config(Server) 
+Provides: variant_config(Workstation) + +Obsoletes: firewalld-config-standard <= 0.3.15 +Obsoletes: firewalld-config-cloud <= 0.3.15 +Obsoletes: firewalld-config-server <= 0.3.15 +Obsoletes: firewalld-config-workstation <= 0.3.15 + +Provides: firewalld-filesystem = %{version}-%{release} firewall-config = %{version}-%{release} +Obsoletes: firewalld-filesystem < %{version}-%{release} firewall-config < %{version}-%{release} + +%description +firewalld is a firewall service daemon that provides a dynamic customizable +firewall with a D-Bus interface. + +%package doc +Summary: Documentation for firewalld +%description doc +Documentation for firewalld. + + +%package -n python3-firewall +Summary: Python3 bindings for firewalld + +%{?python_provide:%python_provide python3-firewall} + +Obsoletes: python-firewall < 0.5.2-2 Obsoletes: python2-firewall < 0.5.2-2 +Requires: python3-dbus python3-slip-dbus python3-decorator python3-gobject-base + +%description -n python3-firewall +Python3 bindings for firewalld. + + + + +%prep +%autosetup -n %{name}-%{version} -p1 +./autogen.sh + + + +%build +%configure --enable-sysconfig --enable-rpmmacros PYTHON=%{__python3} + +%make_build + +%install +%make_install + +desktop-file-install --delete-original \ + --dir %{buildroot}%{_sysconfdir}/xdg/autostart \ + %{buildroot}%{_sysconfdir}/xdg/autostart/firewall-applet.desktop +desktop-file-install --delete-original \ + --dir %{buildroot}%{_datadir}/applications \ + %{buildroot}%{_datadir}/applications/firewall-config.desktop + + +mv %{buildroot}%{_sysconfdir}/firewalld/firewalld.conf \ + %{buildroot}%{_sysconfdir}/firewalld/firewalld-standard.conf + + +%find_lang %{name} --all-name + + +%check + +%pre + +%preun +%systemd_preun firewalld.service + + +%post +%systemd_post firewalld.service + + +%postun +%systemd_postun_with_restart firewalld.service + +%posttrans +# If we don't yet have a symlink or existing file for firewalld.conf, +# create it. 
Note: this will intentionally reset the policykit policy +# at the same time, so they are in sync. + +# Import /etc/os-release to get the variant definition +. /etc/os-release || : + +if [ ! -e %{_sysconfdir}/firewalld/firewalld.conf ]; then + case "$VARIANT_ID" in + server) + ln -sf firewalld-server.conf %{_sysconfdir}/firewalld/firewalld.conf || : + ;; + workstation) + ln -sf firewalld-workstation.conf %{_sysconfdir}/firewalld/firewalld.conf || : + ;; + *) + ln -sf firewalld-standard.conf %{_sysconfdir}/firewalld/firewalld.conf + ;; + esac +fi + +if [ ! -e %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy ]; then + case "$VARIANT_ID" in + workstation) + ln -sf org.fedoraproject.FirewallD1.desktop.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || : + ;; + *) + # For all other editions, we'll use the Server polkit policy + ln -sf org.fedoraproject.FirewallD1.server.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || : + esac +fi + + +%files -f %{name}.lang +%doc COPYING README +%{_sbindir}/firewalld +%{_bindir}/firewall-config +%{_bindir}/firewall-cmd +%{_bindir}/firewall-offline-cmd +%{_datadir}/bash-completion/completions/firewall-cmd +%{_prefix}/lib/firewalld/* +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ +%config(noreplace) %{_sysconfdir}/firewalld/firewalld-standard.conf +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/helpers +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/icmptypes +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/ipsets +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/services +%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/zones +%ghost %config(noreplace) %{_sysconfdir}/firewalld/firewalld.conf +%config(noreplace) %{_sysconfdir}/firewalld/lockdown-whitelist.xml +%defattr(0644,root,root) +%config(noreplace) %{_sysconfdir}/sysconfig/firewalld +%{_unitdir}/firewalld.service +%config(noreplace) 
%{_sysconfdir}/dbus-1/system.d/FirewallD.conf +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice +%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice +%ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy +%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf + +%{_rpmconfigdir}/macros.d/macros.firewalld + +#we don't need applet +%exclude %{_bindir}/firewall-applet +%exclude %{_sysconfdir}/xdg/autostart/firewall-applet.desktop +%exclude %dir %{_sysconfdir}/firewall +%exclude %{_sysconfdir}/firewall/applet.conf +%exclude %{_datadir}/icons/hicolor/*/apps/firewall-applet*.* +%exclude %{_mandir}/man1/firewall-applet*.1* + +%defattr(0644,root,root) +%{_datadir}/firewalld/* +%{_datadir}/applications/firewall-config.desktop +%{_datadir}/metainfo/firewall-config.appdata.xml +%{_datadir}/icons/hicolor/*/apps/firewall-config*.* +%{_datadir}/glib-2.0/schemas/org.fedoraproject.FirewallConfig.gschema.xml + +%files doc +%{_mandir}/man1/firewall* +%{_mandir}/man5/firewall* + + +%files -n python3-firewall +%defattr(-,root,root) +%{python3_sitelib}/firewall/* + + + +%changelog +* Sat Sep 28 2019 huzhiyu - 0.6.2-3 +-create firewalld.conf file + +* Thu Sep 5 2019 hufeng - 0.6.2.2 +-Create firewalld spec. diff --git a/fix-issue-457.patch b/fix-issue-457.patch new file mode 100644 index 0000000..967163d --- /dev/null +++ b/fix-issue-457.patch 
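Review bot: `%check` is empty although this package carries eighteen patches, several of which edit `src/tests/*.at` and one (`Patch9000: repair-test-cases.patch`) by its name exists only to keep the suite working, so none of those test changes are exercised at build time. If the autotest suite needs root or network namespaces the build root lacks, say so in the section (`%check` followed by `# firewalld's src/tests need netns/root; not runnable in the build root`) rather than leaving it bare, and run whatever subset does work — the `TESTING_FIREWALL_OFFLINE_CMD` path referenced in functions.at looks like a candidate. Separately, `Source0` is a GitHub archive URL and the tarball is committed as a binary with no upstream hash or signature recorded anywhere in the spec, so there is nothing in the repository to verify the vendored archive against. Finally, `Requires: nftables >= 0.9.0 kernel >= 4.18.0` is a hard runtime dependency while Patch1 makes iptables the default backend; a comment stating why both are needed would stop the next maintainer from "fixing" either side.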
@@ -0,0 +1,26 @@
+From 7da05eff467244f0da6a4e7c1370dd6c7605e9f4 Mon Sep 17 00:00:00 2001
+From: Daniel Nicolai
+Date: Mon, 11 Feb 2019 12:16:31 +0100
+Subject: [PATCH 102/127] fix issue #457
+
+I found out I did not set a value for invert when adding the rich rule via firewall-cmd. Then I got the error as mentioned in issue #457 because the invert attribute was given a default value None. I corrected it here so that it gets the default value False. This fixed the issue for me.
+---
+ src/firewall/core/rich.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
+index 91f53fd9..dacaeb9c 100644
+--- a/src/firewall/core/rich.py
++++ b/src/firewall/core/rich.py
+@@ -394,7 +394,7 @@ class Rich_Rule(object):
+ elif element in ['not', 'NOT']:
+ attrs['invert'] = True
+ else:
+- self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert'))
++ self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert', False))
+ in_elements.pop() # source
+ attrs.clear()
+ index = index -1 # return token to input
+--
+2.19.1
+
diff --git a/fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch b/fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch
new file mode 100644
index 0000000..62d742d
--- /dev/null
+++ b/fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch
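Review bot: The fix only touches the `source` branch, where `attrs.get('invert')` yielded `None` whenever no `not`/`NOT` token preceded the element; `Rich_Source` now receives `False`. If the `destination` branch of this tokenizer (not visible in the hunk) builds `Rich_Destination` with the same `attrs.get('invert')` pattern it has the identical defect and needs `attrs.get('invert', False)` too — worth checking before this is called fixed. A short comment would make the default self-explanatory, e.g. `# 'invert' is only set when a not/NOT token was seen; the commit message says None is rejected downstream, so default to False`, particularly since `attrs.clear()` two lines later resets it for the next element. The enclosing parser method starts and ends outside the hunk.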
@@ -0,0 +1,39 @@
+From 2210822a2450a7b9ed853593c3d88aca1c43c2fc Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 5 Dec 2018 16:29:49 -0500
+Subject: [PATCH 048/127] fw_zone: fix IPv6 rich rule forward-port without
+ toaddr
+
+Using a rich rule with family=ipv6 and no toaddr specified was silently
+not applying any rules.
+---
+ src/firewall/core/fw_zone.py | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 816fa503..db90c32b 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1702,17 +1702,10 @@ class FirewallZone(object):
+ for ipv in ipvs:
+ if backend.is_ipv_supported(ipv):
+ self.check_forward_port(ipv, port, protocol, toport, toaddr)
+-
+- if check_single_address("ipv6", toaddr):
+- ipv = "ipv6"
+- else:
+- ipv = "ipv4"
+-
+- if not backend.is_ipv_supported(ipv):
+- continue
++ if enable:
++ zone_transaction.add_post(enable_ip_forwarding, ipv)
+ 
+ if enable:
+- zone_transaction.add_post(enable_ip_forwarding, ipv)
+ mark_id = self._fw.new_mark()
+ 
+ filter_chain = "INPUT" if not toaddr else "FORWARD_IN"
+--
+2.19.1
+
diff --git a/fw_zone-fix-rich-rule-masquerading.patch b/fw_zone-fix-rich-rule-masquerading.patch
new file mode 100644
index 0000000..37dd5e6
--- /dev/null
+++ b/fw_zone-fix-rich-rule-masquerading.patch
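Review bot: After the change `zone_transaction.add_post(enable_ip_forwarding, ipv)` runs for every address family in `ipvs` the backend supports, regardless of whether the rule forwards anywhere: the line `filter_chain = "INPUT" if not toaddr else "FORWARD_IN"` a few lines below shows that with no `toaddr` the traffic is delivered locally, yet the host's IPv4 and IPv6 forwarding sysctls are still switched on. Before the patch that happened for one family only, so the rewrite widens a security-relevant side effect (the box becomes a router for both families) while fixing the IPv6 bug. Unless `enable_ip_forwarding` is also required for the local REDIRECT path, gate it as `if enable and toaddr:` and add `# forwarding sysctl is only needed when traffic leaves the host (toaddr set)`. The enclosing method starts and ends outside the hunk.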
@@ -0,0 +1,27 @@
+From 14acf26afe09ff9092bebbfc7ffe718b1758c573 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 5 Dec 2018 13:09:28 -0500
+Subject: [PATCH 047/127] fw_zone: fix rich rule masquerading
+
+We weren't passing the rich rule to the backend so filtering on
+source/destination would not work.
+---
+ src/firewall/core/fw_zone.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index ca90f7fb..816fa503 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1690,7 +1690,7 @@ class FirewallZone(object):
+ if backend.is_ipv_supported(ipv):
+ zone_transaction.add_post(enable_ip_forwarding, ipv)
+ 
+- rules = backend.build_zone_masquerade_rules(enable, zone)
++ rules = backend.build_zone_masquerade_rules(enable, zone, rule)
+ zone_transaction.add_rules(backend, rules)
+ 
+ # FORWARD PORT
+--
+2.19.1
+
diff --git a/ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch b/ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch
new file mode 100644
index 0000000..333eb29
--- /dev/null
+++ b/ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch
@@ -0,0 +1,43 @@
+From 93824072768f989991a11069ac75f1cd3d56ae34 Mon Sep 17 00:00:00 2001
+From: Federico Cuello
+Date: Sat, 20 Oct 2018 15:47:28 +0200
+Subject: [PATCH 023/127] ipXtables/nftables: Fix "object has no attribute
+ '_log_denied'"
+
+This fixes nftables and ipXtables (when IndividualCalls=yes),
+as _log_denied is not an attribute of the class but a param.
+---
+ src/firewall/core/ipXtables.py | 3 +--
+ src/firewall/core/nftables.py | 2 +-
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index 02a518d2..11aebec6 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -492,8 +492,7 @@ class ip4tables(object):
+ if log_denied == "off":
+ return ""
+ if log_denied in [ "unicast", "broadcast", "multicast" ]:
+- rule[i:i+1] = [ "-m", "pkttype", "--pkt-type",
+- self._log_denied ]
++ rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", log_denied ]
+ else:
+ rule.pop(i)
+ 
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 3c871069..cd05b2c3 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -290,7 +290,7 @@ class nftables(object):
+ if log_denied == "off":
+ return ""
+ if log_denied in ["unicast", "broadcast", "multicast"]:
+- rule[i:i+1] = ["pkttype", self._log_denied]
++ rule[i:i+1] = ["pkttype", log_denied]
+ else:
+ rule.pop(i)
+ 
+--
+2.19.1
+
diff --git a/ipset-fix-set-apply-if-IndividualCalls-yes.patch b/ipset-fix-set-apply-if-IndividualCalls-yes.patch
new file mode 100644
index 0000000..8f8a027
--- /dev/null
+++ b/ipset-fix-set-apply-if-IndividualCalls-yes.patch
@@ -0,0 +1,81 @@ +From 4157393136bbaff53e812029376b2a0a5113cedb Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 11 Dec 2018 11:32:54 -0500 +Subject: [PATCH 070/127] ipset: fix set apply if IndividualCalls=yes + +Fixes: rhbz 1644834 +Fixes: e6188ec98ff4 ("FirewallIPSet: Support restore in apply_ipsets, use it in Firewall") +--- + src/firewall/core/fw_ipset.py | 2 +- + src/tests/regression/rhbz1601610.at | 43 +++++++++++++++++++++++++++++ + 2 files changed, 44 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py +index b06a60d0..54ace39e 100644 +--- a/src/firewall/core/fw_ipset.py ++++ b/src/firewall/core/fw_ipset.py +@@ -125,7 +125,7 @@ class FirewallIPSet(object): + raise FirewallError(errors.COMMAND_FAILED, msg) + else: + obj.applied = True +- if "timeout" not in obj.options or \ ++ if "timeout" in obj.options and \ + obj.options["timeout"] != "0": + # no entries visible for ipsets with timeout + continue +diff --git a/src/tests/regression/rhbz1601610.at b/src/tests/regression/rhbz1601610.at +index 0676bb82..5ba0cee4 100644 +--- a/src/tests/regression/rhbz1601610.at ++++ b/src/tests/regression/rhbz1601610.at +@@ -57,5 +57,48 @@ FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22]) + FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [ + ]) + ++dnl rhbz 1644834 ++FWD_CHECK([-q --ipset=foobar --add-entry=10.1.0.0/16]) ++FWD_CHECK([-q --runtime-to-permanent]) ++FWD_RELOAD ++m4_if(nftables, FIREWALL_BACKEND, [ ++NFT_LIST_SET([foobar], 0, [dnl ++table inet firewalld { ++set foobar { ++type ipv4_addr ++flags interval ++elements = { 10.1.0.0/16, 10.2.0.0/22 } ++} ++} ++])], [ ++IPSET_LIST_SET([foobar], 0, [dnl ++Name: foobar ++Type: hash:net ++Members: ++10.1.0.0/16 ++10.2.0.0/22 ++])]) ++ ++dnl rhbz 1644834, again with IndividualCalls=yes ++AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf]) ++FWD_RELOAD ++m4_if(nftables, FIREWALL_BACKEND, [ 
++NFT_LIST_SET([foobar], 0, [dnl ++table inet firewalld { ++set foobar { ++type ipv4_addr ++flags interval ++elements = { 10.1.0.0/16, 10.2.0.0/22 } ++} ++} ++])], [ ++IPSET_LIST_SET([foobar], 0, [dnl ++Name: foobar ++Type: hash:net ++Members: ++10.1.0.0/16 ++10.2.0.0/22 ++])]) ++ + FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl + -e '/ERROR: COMMAND_FAILED:.*element.*exists/d']) +-- +2.19.1 + diff --git a/nftables-fix-destination-checks-not-allowing-masks.patch b/nftables-fix-destination-checks-not-allowing-masks.patch new file mode 100644 index 0000000..2841198 --- /dev/null +++ b/nftables-fix-destination-checks-not-allowing-masks.patch 
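Review bot: The corrected condition `if "timeout" in obj.options and obj.options["timeout"] != "0":` looks the key up twice; `if obj.options.get("timeout", "0") != "0":` says the same thing in one lookup and makes the "0 means no timeout" convention visible. Either way the branch deserves a comment tying it to why entries are skipped, e.g. `# ipsets with a non-zero timeout expire their entries, so there is nothing to restore`. The new regression test covers both backends and the `IndividualCalls=yes` path, which is the right shape for this fix. The enclosing method in fw_ipset.py starts and ends outside the hunk.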
@@ -0,0 +1,63 @@
+From b3c43ee7be2411a8d17416b98616378078f21eef Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 27 Sep 2018 08:52:22 -0400
+Subject: [PATCH 009/127] nftables: fix destination checks not allowing masks
+
+Some destination checks were using check_single_address() which make it
+impossible to use a mask. This was discovered in issue #399.
+---
+ src/firewall/core/nftables.py | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 811f4e71..64191d1f 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -753,7 +753,7 @@ class nftables(object):
+ return []
+
+ rule_fragment = []
+- if check_single_address("ipv4", rich_dest.addr):
++ if check_address("ipv4", rich_dest.addr):
+ rule_fragment += ["ip"]
+ else:
+ rule_fragment += ["ip6"]
+@@ -803,7 +803,7 @@ class nftables(object):
+ if rich_rule:
+ rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
+ if destination:
+- if check_single_address("ipv4", destination):
++ if check_address("ipv4", destination):
+ rule_fragment += ["ip"]
+ else:
+ rule_fragment += ["ip6"]
+@@ -835,7 +835,7 @@ class nftables(object):
+ if rich_rule:
+ rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
+ if destination:
+- if check_single_address("ipv4", destination):
++ if check_address("ipv4", destination):
+ rule_fragment += ["ip"]
+ else:
+ rule_fragment += ["ip6"]
+@@ -869,7 +869,7 @@ class nftables(object):
+ if rich_rule:
+ rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
+ if destination:
+- if check_single_address("ipv4", destination):
++ if check_address("ipv4", destination):
+ rule_fragment += ["ip"]
+ else:
+ rule_fragment += ["ip6"]
+@@ -900,7 +900,7 @@ class nftables(object):
+ rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
+ "raw_%s_allow" % (target), proto]
+ if destination:
+- if check_single_address("ipv4", destination):
++ if
check_address("ipv4", destination):
+ rule += ["ip"]
+ else:
+ rule += ["ip6"]
+--
+2.19.1
+
diff --git a/nftables-fix-ipv6-rich-rule-forward-ports.patch b/nftables-fix-ipv6-rich-rule-forward-ports.patch
new file mode 100644
index 0000000..882242d
--- /dev/null
+++ b/nftables-fix-ipv6-rich-rule-forward-ports.patch
@@ -0,0 +1,29 @@
+From 628657cdafa7ba3217fb031c748f5a7d32924c90 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 5 Dec 2018 19:11:06 -0500
+Subject: [PATCH 050/127] nftables: fix ipv6 rich rule forward-ports
+
+The were mistakenly being added to the ipv4 nat tables as well.
+
+Fixes: #422
+Fixes: b630abd8e901 ("backend: introduce nftables support")
+---
+ src/firewall/core/nftables.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 00a02ad1..a1cb2c47 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -980,7 +980,7 @@ class nftables(object):
+ or toaddr and check_single_address("ipv6", toaddr)):
+ rules.extend(self._build_zone_forward_port_nat_rules(enable, zone,
+ protocol, mark_fragment, toaddr, toport, "ip6"))
+- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
++ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
+ or toaddr and check_single_address("ipv4", toaddr)):
+ rules.extend(self._build_zone_forward_port_nat_rules(enable, zone,
+ protocol, mark_fragment, toaddr, toport, "ip"))
+--
+2.19.1
+
diff --git a/nftables-fix-panic-mode-not-filtering-output-packets.patch b/nftables-fix-panic-mode-not-filtering-output-packets.patch
new file mode 100644
index 0000000..2bddc47
--- /dev/null
+++ b/nftables-fix-panic-mode-not-filtering-output-packets.patch
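Review bot: Every touched fragment keeps the shape `if check_address("ipv4", destination): ... else: ... ["ip6"]`, so a destination that is neither a valid IPv4 nor a valid IPv6 address or mask is silently turned into an `ip6` match rather than rejected; the rich-rule parser presumably validates it earlier, but the backend does not check. Making the family selection fail closed would take `elif check_address("ipv6", destination): rule_fragment += ["ip6"]` followed by `else: raise FirewallError(INVALID_RULE, destination)` in each of the @@ -753, -803, -835, -869 and -900 hunks (the last one builds `rule` instead of `rule_fragment`). The enclosing methods start and end outside the hunks.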
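Review bot: With the `if` turned into `elif` the two branches are now exclusive, but the precedence in `rich_rule.family and rich_rule.family == "ipv6" or toaddr and check_single_address("ipv6", toaddr)` still sends a rule that declares family="ipv4" together with an IPv6 `toaddr` into the ip6 nat table via the first branch instead of rejecting it here. If family/to-addr consistency is enforced when the rich rule is parsed (not visible in this hunk), a comment above the condition, `# family and toaddr are assumed consistent; a mismatch is rejected when the rich rule is parsed`, would document what this code relies on. The enclosing function starts and ends outside the hunk.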
@@ -0,0 +1,73 @@
+From 2f5608b4897ff99afbb1c2425a94df035031c1a2 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Mon, 3 Dec 2018 12:40:41 -0500
+Subject: [PATCH 043/127] nftables: fix panic mode not filtering output packets
+
+This simplifies policy in the nftables backend by filtering only on the
+prerouting and output hooks. The others hooks are unnecessary since
+we're using a higher precedence.
+
+Also fixes an issue when re-enabling panic mode multiple times. Due to
+rule de-duplication the policy drop rule was not being re-added.
+
+Fixes: rhbz 1579740
+Fixes: a0f683dfef2c ("nftables: fix policy")
+---
+ src/firewall/core/nftables.py | 36 +++++++++--------------------------
+ 1 file changed, 9 insertions(+), 27 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 69236a96..44cd4f9e 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -314,38 +314,20 @@ class nftables(object):
+ # packets while initially starting and for panic mode. As such, using
+ # hooks with a higher priority than our base chains is sufficient.
+ #
+- table_chains = []
+- for table in list(IPTABLES_TO_NFT_HOOK.keys()):
+- for chain in IPTABLES_TO_NFT_HOOK[table]:
+- table_chains.append((table, chain))
+-
+ table_name = TABLE_NAME + "_" + "policy_drop"
+
+- def _policy_drop_helper(table, chain, family, rules):
+- _chain = "%s_%s" % (table, chain)
+- _hook = IPTABLES_TO_NFT_HOOK[table][chain][0]
+- # add hooks with priority -1, only contain drop rule
+- _priority = IPTABLES_TO_NFT_HOOK[table][chain][1] - 1
+- _add_chain = "add chain %s %s %s '{ type filter hook %s priority %d ; }'" % \
+- (family, table_name, _chain, _hook, _priority)
+- rules.append(splitArgs(_add_chain))
+- rules.append(["add", "rule", family, table_name, _chain, "drop"])
+-
+ rules = []
+ if policy == "DROP":
+- for family in ["inet", "ip", "ip6"]:
+- rules.append(["add", "table", family, table_name])
+-
+- for table,chain in table_chains:
+- if table == "nat":
+- # nat requires two families
+- for family in ["ip", "ip6"]:
+- _policy_drop_helper(table, chain, family, rules)
+- else:
+- _policy_drop_helper(table, chain, "inet", rules)
++ rules.append(["add", "table", "inet", table_name])
++
++ # To drop everything we need to use the "raw" priority. These occur
++ # before conntrack, mangle, nat, etc
++ for hook in ["prerouting", "output"]:
++ _add_chain = "add chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'" % \
++ (table_name, "raw", hook, hook, -300 + NFT_HOOK_OFFSET - 1)
++ rules.append(splitArgs(_add_chain))
+ elif policy == "ACCEPT":
+- for family in ["inet", "ip", "ip6"]:
+- rules.append(["delete", "table", family, table_name])
++ rules.append(["delete", "table", "inet", table_name])
+ else:
+ FirewallError(UNKNOWN_ERROR, "not implemented")
+
+--
+2.19.1
+
diff --git a/nftables-fix-reject-statement-in-block-zone.patch b/nftables-fix-reject-statement-in-block-zone.patch
new file mode 100644
index 0000000..ab0ad8f
--- /dev/null
+++ b/nftables-fix-reject-statement-in-block-zone.patch
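Review bot: The fallback at the end of the hunk, `FirewallError(UNKNOWN_ERROR, "not implemented")`, builds the exception without raising it, so an unexpected `policy` value returns an empty rule list and the caller cannot see that no panic policy was applied; this is a context line the patch leaves untouched, and it should read `raise FirewallError(UNKNOWN_ERROR, "not implemented")`. The new chains drop via `policy drop` on just the `prerouting` and `output` hooks of an `inet` table, and the inline comment would be more useful if it also said that the `inet` family is what makes the separate ip/ip6 tables unnecessary and why `-300 + NFT_HOOK_OFFSET - 1` is the priority (presumably to sort ahead of firewalld's own raw chains), since the commit message gives the rationale but the code does not. The enclosing method starts outside the hunk.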
@@ -0,0 +1,43 @@
+From a9abba630333970cc59d5fdcb1e92968b38f5eaa Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 11 Oct 2018 11:58:22 -0400
+Subject: [PATCH 020/127] nftables: fix reject statement in "block" zone
+
+Also add test coverage.
+
+Fixes: #406
+---
+ src/firewall/core/nftables.py | 3 ++-
+ src/tests/firewall-cmd.at | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 8a305539..3c871069 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -619,7 +619,8 @@ class nftables(object):
+ target in ["ACCEPT", "REJECT", "%%REJECT%%", "DROP"] and \
+ chain in ["INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"]:
+ rules.append(["add", "rule", family, "%s" % TABLE_NAME,
+- "%s_%s" % (table, _zone), target.lower()])
++ "%s_%s" % (table, _zone),
++ target.lower() if target != "%%REJECT%%" else "%%REJECT%%"])
+
+ return rules
+
+diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
+index ef45110c..b7ec3816 100644
+--- a/src/tests/firewall-cmd.at
++++ b/src/tests/firewall-cmd.at
+@@ -69,6 +69,8 @@ FWD_START_TEST([zone interfaces])
+ FWD_CHECK([--zone=public --change-interface=dummy], 0, ignore)
+ FWD_CHECK([--get-zone-of-interface=dummy], 0, [public
+ ])
++ FWD_CHECK([--zone=block --add-interface=dummy1], 0, ignore)
++ FWD_CHECK([--zone=block --remove-interface=dummy1], 0, ignore)
+
+ FWD_CHECK([--zone=dmz --change-zone=dummy], 0, ignore)
+ FWD_CHECK([--get-zone-of-interface=dummy], 0, [dmz
+--
+2.19.1
+
diff --git a/nftables-fix-rich-rule-masquerade.patch b/nftables-fix-rich-rule-masquerade.patch
new file mode 100644
index 0000000..960d90d
--- /dev/null
+++ b/nftables-fix-rich-rule-masquerade.patch
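Review bot: The new conditional `target.lower() if target != "%%REJECT%%" else "%%REJECT%%"` leaves the reader to guess why this one target must keep its case; a comment such as `# keep %%REJECT%% verbatim: it is a placeholder, not an nft verdict` would explain it, and where the placeholder is presumably substituted lies outside this hunk. The added firewall-cmd.at lines only add and remove an interface in the block zone and would pass even if the wrong token were emitted, so an NFT_LIST_RULES assertion on the generated reject rule would actually cover the fix. The enclosing method starts outside the hunk.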
@@ -0,0 +1,38 @@
+From aee4948e86fde6df8205b07f4da58e2a8c07377c Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 5 Dec 2018 17:16:30 -0500
+Subject: [PATCH 049/127] nftables: fix rich rule masquerade
+
+---
+ src/firewall/core/nftables.py | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 44cd4f9e..00a02ad1 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -900,7 +900,6 @@ class nftables(object):
+
+ rule_fragment = []
+ if rich_rule:
+- rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
+ rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
+ rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
+
+@@ -912,10 +911,10 @@ class nftables(object):
+ # nat tables needs to use ip/ip6 family
+ rules = []
+ if rich_rule and (rich_rule.family and rich_rule.family == "ipv6"
+- or rich_rule.source and check_address("ipv6", rich_rule.source)):
++ or rich_rule.source and check_address("ipv6", rich_rule.source.addr)):
+ rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
+- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
+- or rich_rule.source and check_address("ipv4", rich_rule.source)):
++ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
++ or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):
+ rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
+ else:
+ rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
+--
+2.19.1
+
diff --git a/repair-test-cases.patch b/repair-test-cases.patch
new file mode 100644
index 0000000..321d8eb
--- /dev/null
+++ b/repair-test-cases.patch
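Review bot: The corrected condition dereferences `rich_rule.source.addr`, but nothing in the hunk handles a rich source that carries no address (if sources can be given another way, which this hunk does not show); `check_address("ipv6", None)` would then be evaluated for both families and the rule would fall into the `else` branch. Whether that fallback is intended for address-less sources should be stated, e.g. `# a source without an address matches neither family and takes the fallback below`. Removing `_rich_rule_family_fragment` from the fragment is only safe because the nat rules are emitted into a per-family `ip`/`ip6` table, which the existing `# nat tables needs to use ip/ip6 family` comment could say explicitly. The enclosing method starts and ends outside the hunk.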
@@ -0,0 +1,52 @@
+From a43ae627eeb4f99bb15ed737fd58f0ec15d55dea Mon Sep 17 00:00:00 2001
+From: yanghua
+Date: Mon, 6 May 2019 16:28:01 +0800
+Subject: [PATCH] Repair test cases gh366 rhbz1514043 rhbz1601610
+
+---
+ src/tests/functions.at | 2 +-
+ src/tests/regression/gh366.at | 1 +
+ src/tests/regression/rhbz1514043.at | 2 +-
+ 3 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index d1f3429..243724f 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -244,7 +244,7 @@ m4_define([NFT_LIST_RULES], [
+ m4_define([IPSET_LIST_SET], [
+ NS_CHECK([ipset list $1 | TRIM_WHITESPACE |dnl
+ grep -v "^\(Revision\|Header\|Size\|References\|Number\)" |dnl
+- awk 'NR <= 4; NR > 4 {print | "sort"}'],
++ awk 'NR <= 3; NR > 3 {print | "sort"}'],
+ [$2], [$3], [$4], [$5], [$6])
+ ])
+
+diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at
+index dd6963f..46307cf 100644
+--- a/src/tests/regression/gh366.at
++++ b/src/tests/regression/gh366.at
+@@ -22,6 +22,7 @@ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+ ])])])
+
++FWD_CHECK([-q --zone=public --remove-service=mdns])
+ FWD_CHECK([-q --zone=public --add-service=mdns])
+ check_firewall_backend_output
+ FWD_CHECK([-q --zone=public --remove-service=mdns])
+diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
+index 4831460..077c007 100644
+--- a/src/tests/regression/rhbz1514043.at
++++ b/src/tests/regression/rhbz1514043.at
+@@ -3,7 +3,7 @@ FWD_CHECK([-q --set-log-denied=all])
+ FWD_CHECK([-q --permanent --zone=public --add-service=samba])
+ FWD_RELOAD
+ FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
+-services: ssh dhcpv6-client samba
++services: ssh mdns dhcpv6-client samba
+ ])
+ dnl check that log denied actually took effect
+ m4_if(iptables, FIREWALL_BACKEND, [
+--
+2.19.1
+
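Review bot: The expected line `services: ssh mdns dhcpv6-client samba` in rhbz1514043.at and the extra `FWD_CHECK([-q --zone=public --remove-service=mdns])` in gh366.at apparently encode a packaged default public zone that ships mdns, which the upstream expectation being replaced does not; a `dnl` comment beside each, such as `dnl the packaged public zone enables mdns by default`, would keep a future rebase from reverting them as noise. The `awk 'NR <= 3; NR > 3 {print | "sort"}'` change in IPSET_LIST_SET hard-codes the number of header lines left after the grep, so naming in a comment the `ipset list` output format it was adjusted for would make that dependency explicit. The m4 definitions and the surrounding tests continue outside the hunks.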
diff --git a/rich-rules-fix-mark-action.patch b/rich-rules-fix-mark-action.patch
new file mode 100644
index 0000000..3c978f7
--- /dev/null
+++ b/rich-rules-fix-mark-action.patch
@@ -0,0 +1,65 @@
+From 5d36e0f55887c6204e07bd8095ead1ce2d535ddb Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 2 Nov 2018 14:10:38 -0400
+Subject: [PATCH 025/127] rich rules: fix mark action
+
+They were being placed in the wrong (and nonexistent) chain. Also add
+test coverage for the "mark" action.
+
+Fixes: 7c5f5f4d12ee ("fw_zone: push rich rule generation to backend")
+Tested-by: Felix Kaechele
+---
+ src/firewall/core/ipXtables.py | 4 ++--
+ src/firewall/core/nftables.py | 4 ++--
+ src/tests/firewall-cmd.at | 1 +
+ 3 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index 11aebec6..b98ba522 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -807,10 +807,10 @@ class ip4tables(object):
+ chain = "%s_deny" % target
+ rule_action = [ "-j", "DROP" ]
+ elif type(rich_rule.action) == Rich_Mark:
+- chain = "%s_allow" % target
+- table = "mangle"
+ target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
+ zone=zone)
++ table = "mangle"
++ chain = "%s_allow" % target
+ rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
+ else:
+ raise FirewallError(INVALID_RULE,
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index cd05b2c3..69236a96 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -723,10 +723,10 @@ class nftables(object):
+ chain = "%s_%s_deny" % (table, target)
+ rule_action = ["drop"]
+ elif type(rich_rule.action) == Rich_Mark:
+- table = "mangle"
+- chain = "%s_%s_allow" % (table, target)
+ target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
+ zone=zone)
++ table = "mangle"
++ chain = "%s_%s_allow" % (table, target)
+ rule_action = ["meta", "mark", "set", rich_rule.action.set]
+ else:
+ raise FirewallError(INVALID_RULE,
+diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
+index b7ec3816..f31c8955 100644
+---
a/src/tests/firewall-cmd.at
++++ b/src/tests/firewall-cmd.at
+@@ -863,6 +863,7 @@ FWD_START_TEST([rich rules good])
+ rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])
+ rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
+ rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
++ rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])
+ FWD_END_TEST
+ FWD_START_TEST([rich rules audit])
+ CHECK_LOG_AUDIT
+--
+2.19.1
+
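Review bot: Both reorderings compute `target` before deriving `chain` from it, which fixes the nonexistent chain name, but the resulting rule is still placed in a chain named `%s_allow` / `%s_%s_allow` of the mangle table although it marks rather than accepts, and nothing says so; a comment such as `# mark actions go into the zone's mangle PREROUTING "_allow" chain` above the Rich_Mark branch in both ipXtables.py and nftables.py would keep the next reader from reverting the order. The new `rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])` only shows the daemon accepts the rule; an NFT_LIST_RULES check of the mangle chain would confirm the rule now lands where intended. The enclosing methods start and end outside the hunks.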