update version to 0.8.3

This commit is contained in:
sherlock2010 2020-07-29 20:18:05 +08:00
parent 10c9f0617e
commit a90bc1be6d
20 changed files with 61 additions and 866 deletions


@ -1,35 +0,0 @@
From 5494006021e83f27195dc902c3c9fd024e71dc3b Mon Sep 17 00:00:00 2001
From: MeggyCal <MeggyCal@users.noreply.github.com>
Date: Thu, 20 Sep 2018 15:37:17 +0200
Subject: [PATCH] Fix translating labels (#392)
Fix for #344 was incomplete, the "flags" were not translating and the reported bug was still active.
Fixes: #344
(cherry picked from commit e657200927a9f0f41fbed95640cd47e2a5836c6f)
---
src/firewall-config.glade | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/firewall-config.glade b/src/firewall-config.glade
index 22bed58aafaf..75c229b408fd 100644
--- a/src/firewall-config.glade
+++ b/src/firewall-config.glade
@@ -10135,10 +10135,10 @@
<property name="halign">start</property>
<property name="valign">start</property>
<items>
- <item>accept</item>
- <item>reject</item>
- <item>drop</item>
- <item>mark</item>
+ <item translatable="yes">accept</item>
+ <item translatable="yes">reject</item>
+ <item translatable="yes">drop</item>
+ <item translatable="yes">mark</item>
</items>
<signal name="changed" handler="on_richRuleDialog_changed" swapped="no"/>
</object>
--
2.18.0


@ -5,42 +5,34 @@ Subject: [PATCH] fedora patch to default to iptables backend
---
config/firewalld.conf | 7 -------
src/firewall/config/__init__.py.in | 2 +-
src/firewall/core/io/firewalld_conf.py | 17 +++++++++++++++++
src/tests/dbus/firewalld.conf.at | 2 +-
src/tests/functions.at | 4 ++--
5 files changed, 21 insertions(+), 11 deletions(-)
4 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index b53c0aa50c53..63df409bf567 100644
index 532f045..0f64a56 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -55,10 +55,3 @@ LogDenied=off
# will be used. Possible values are: yes, no and system.
# Default: system
AutomaticHelpers=system
-
@@ -40,13 +40,6 @@ IndividualCalls=no
# Default: off
LogDenied=off
-# FirewallBackend
-# Selects the firewall backend implementation.
-# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 955be32077e1..cff7c3fe9025 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -129,4 +129,4 @@ FALLBACK_IPV6_RPFILTER = True
FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
-
# FlushAllOnReload
# Flush all runtime rules on a reload. In previous releases some runtime
# configuration was retained during a reload, namely; interface to zone
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 4d57bad693c1..6264f45a1913 100644
index 7c70921..4e83d6e 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -240,6 +240,12 @@ class firewalld_conf(object):
@@ -268,6 +268,12 @@ class firewalld_conf(object):
if key not in done:
if (key in self._config and \
self._config[key] != value):
@ -53,7 +45,7 @@ index 4d57bad693c1..6264f45a1913 100644
empty = False
temp_file.write(u'%s=%s\n' %
(key, self._config[key]))
@@ -247,6 +253,12 @@ class firewalld_conf(object):
@@ -275,6 +281,12 @@ class firewalld_conf(object):
elif key in self._deleted:
modified = True
else:
@ -66,7 +58,7 @@ index 4d57bad693c1..6264f45a1913 100644
empty = False
temp_file.write(line+u"\n")
done.append(key)
@@ -258,6 +270,11 @@ class firewalld_conf(object):
@@ -286,6 +298,11 @@ class firewalld_conf(object):
for (key,value) in self._config.items():
if key in done:
continue
@ -75,34 +67,36 @@ index 4d57bad693c1..6264f45a1913 100644
+ if key == "FirewallBackend" and \
+ value == config.FALLBACK_FIREWALL_BACKEND:
+ continue
if key in ["MinimalMark", "AutomaticHelpers"]: # omit deprecated from new config
continue
if not empty:
temp_file.write(u"\n")
empty = True
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 473210de10af..44e649111ffb 100644
index cc15318..374312b 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -5,7 +5,7 @@ DBUS_GETALL([config], [config], 0, [dnl
string "AutomaticHelpers" : variant string "system"
@@ -19,7 +19,7 @@ string "AllowZoneDrifting" : variant string "no"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
+string "FirewallBackend" : variant string "iptables"
m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
string "IPv6_rpfilter" : variant string "no"],[dnl
string "IPv6_rpfilter" : variant string "yes"])
string "FlushAllOnReload" : variant string "yes"
string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])
string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"])
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 3b79a9f31305..dd7b43d9dac6 100644
index 582fdcc..5a1aad1 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -65,13 +65,13 @@ m4_define([FWD_START_TEST], [
fi
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
@@ -106,7 +106,7 @@ m4_define([FWD_START_TEST], [
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
AT_KEYWORDS(offline)
], [
- m4_define_default([FIREWALL_BACKEND], [nftables])
+ m4_define_default([FIREWALL_BACKEND], [iptables])
dnl don't unload modules or bother cleaning up, the namespace will be deleted
AT_KEYWORDS(FIREWALL_BACKEND)
@@ -114,7 +114,7 @@ m4_define([FWD_START_TEST], [
AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
dnl set the appropriate backend
@ -112,5 +106,5 @@ index 3b79a9f31305..dd7b43d9dac6 100644
dnl fib matching is pretty new in nftables. Don't use rpfilter on older
dnl kernels.
--
2.18.0
1.8.3.1
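Review bot: The rewritten patch header says `4 files changed, 20 insertions(+), 10 deletions(-)` while the per-file stat list just above still names five files and the body still carries `diff --git` sections for config/firewalld.conf, src/firewall/config/__init__.py.in, src/firewall/core/io/firewalld_conf.py, src/tests/dbus/firewalld.conf.at and src/tests/functions.at (assuming the two summary lines are the old/new pair as printed). `git am` ignores the stat block, so this is cosmetic, but it indicates the patch was rebased by hand; regenerating it with `git format-patch` against the 0.8.3 tree would keep the stat, `index` lines and trailer consistent. Also worth a second look: the added `if key == "FirewallBackend" and value == config.FALLBACK_FIREWALL_BACKEND: continue` omits the backend key from the rewritten firewalld.conf, and the same patch deletes the `# FirewallBackend` comment block from the shipped config, so an administrator can no longer see from the file which backend is in effect; keeping the comment block (with iptables noted as the downstream default) would preserve that.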


@ -1,48 +0,0 @@
From 2e53fab83ac844c1d2fb2781116ad47b8900ab85 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 21 Sep 2018 11:02:18 -0400
Subject: [PATCH 1/2] fw_transaction: On clear zone transaction, must clear fw
and other zones
Just like FirewallZoneTransaction.execute() that was spawned from a
FirewallTransaction must call FirewallTransaction.exectue() we should
also make sure the same is done for clear(). Otherwise we can end up
with a partially cleared transaction. This gets really hairy if the
FirewallTransaction contains many instances of FirewallZoneTransaction
which is common during startup with non-default configuration.
Fixes: #374
---
src/firewall/core/fw_transaction.py | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/fw_transaction.py b/src/firewall/core/fw_transaction.py
index f169e4a923dd..ad204c1991cf 100644
--- a/src/firewall/core/fw_transaction.py
+++ b/src/firewall/core/fw_transaction.py
@@ -231,9 +231,19 @@ class FirewallZoneTransaction(SimpleFirewallTransaction):
self.modules = [ ] # [ module,.. ]
def clear(self):
- super(FirewallZoneTransaction, self).clear()
- del self.chains[:]
- del self.modules[:]
+ # calling clear on a zone_transaction that was spawned from a
+ # FirewallTransaction needs to clear the fw_transaction and all the
+ # other zones otherwise we end up with a partially cleared transaction.
+ if self.fw_transaction:
+ super(FirewallTransaction, self.fw_transaction).clear()
+ for zone in self.fw_transaction.zone_transactions.keys():
+ super(FirewallZoneTransaction, self.fw_transaction.zone_transactions[zone]).clear()
+ del self.fw_transaction.zone_transactions[zone].chains[:]
+ del self.fw_transaction.zone_transactions[zone].modules[:]
+ else:
+ super(FirewallZoneTransaction, self).clear()
+ del self.chains[:]
+ del self.modules[:]
def prepare(self, enable, rules=None, modules=None):
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
--
2.18.0


@ -1,135 +0,0 @@
From 7cdd8027d13677185b301f849d42957e635ffa67 Mon Sep 17 00:00:00 2001
From: StefanBruens <stefan.bruens@rwth-aachen.de>
Date: Tue, 25 Sep 2018 21:56:36 +0200
Subject: [PATCH 006/127] firewall/core/io/*.py: Let SAX handle the encoding of
XML files (#395)
SAX is able to determine the encoding of XML files itself if the file
contains a correct "encoding" pseudo attribute, e.g.:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
For this to work, the file stream has to be opened in binary mode, and
the parser has to read the stream using a SAX InputStream, which
autodetects the encoding.
Fixes: #303
---
src/firewall/core/io/direct.py | 6 ++++--
src/firewall/core/io/helper.py | 6 ++++--
src/firewall/core/io/icmptype.py | 6 ++++--
src/firewall/core/io/ipset.py | 6 ++++--
src/firewall/core/io/service.py | 6 ++++--
src/firewall/core/io/zone.py | 6 ++++--
6 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/src/firewall/core/io/direct.py b/src/firewall/core/io/direct.py
index 07e159da..b0c2cb52 100644
--- a/src/firewall/core/io/direct.py
+++ b/src/firewall/core/io/direct.py
@@ -360,9 +360,11 @@ class Direct(IO_Object):
handler = direct_ContentHandler(self)
parser = sax.make_parser()
parser.setContentHandler(handler)
- with open(self.filename, "r") as f:
+ with open(self.filename, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_TYPE,
"Not a valid file: %s" % \
diff --git a/src/firewall/core/io/helper.py b/src/firewall/core/io/helper.py
index 4a2420dd..a5c81b9f 100644
--- a/src/firewall/core/io/helper.py
+++ b/src/firewall/core/io/helper.py
@@ -156,9 +156,11 @@ def helper_reader(filename, path):
parser = sax.make_parser()
parser.setContentHandler(handler)
name = "%s/%s" % (path, filename)
- with open(name, "r") as f:
+ with open(name, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_HELPER,
"not a valid helper file: %s" % \
diff --git a/src/firewall/core/io/icmptype.py b/src/firewall/core/io/icmptype.py
index 91b48867..32103c59 100644
--- a/src/firewall/core/io/icmptype.py
+++ b/src/firewall/core/io/icmptype.py
@@ -121,9 +121,11 @@ def icmptype_reader(filename, path):
parser = sax.make_parser()
parser.setContentHandler(handler)
name = "%s/%s" % (path, filename)
- with open(name, "r") as f:
+ with open(name, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_ICMPTYPE,
"not a valid icmptype file: %s" % \
diff --git a/src/firewall/core/io/ipset.py b/src/firewall/core/io/ipset.py
index 0670677b..8cc6a1f9 100644
--- a/src/firewall/core/io/ipset.py
+++ b/src/firewall/core/io/ipset.py
@@ -390,9 +390,11 @@ def ipset_reader(filename, path):
parser = sax.make_parser()
parser.setContentHandler(handler)
name = "%s/%s" % (path, filename)
- with open(name, "r") as f:
+ with open(name, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_IPSET,
"not a valid ipset file: %s" % \
diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py
index c04d612e..487d5ba3 100644
--- a/src/firewall/core/io/service.py
+++ b/src/firewall/core/io/service.py
@@ -219,9 +219,11 @@ def service_reader(filename, path):
parser = sax.make_parser()
parser.setContentHandler(handler)
name = "%s/%s" % (path, filename)
- with open(name, "r") as f:
+ with open(name, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_SERVICE,
"not a valid service file: %s" % \
diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
index c048c867..05368e9c 100644
--- a/src/firewall/core/io/zone.py
+++ b/src/firewall/core/io/zone.py
@@ -696,9 +696,11 @@ def zone_reader(filename, path, no_check_name=False):
parser = sax.make_parser()
parser.setContentHandler(handler)
name = "%s/%s" % (path, filename)
- with open(name, "r") as f:
+ with open(name, "rb") as f:
+ source = sax.InputSource(None)
+ source.setByteStream(f)
try:
- parser.parse(f)
+ parser.parse(source)
except sax.SAXParseException as msg:
raise FirewallError(errors.INVALID_ZONE,
"not a valid zone file: %s" % \
--
2.19.1


firewalld-0.8.3.tar.gz Normal file



@ -1,31 +0,0 @@
From 17adfe4137cfd1c1734ff1b77304f70e163313fa Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 9 Oct 2018 14:55:21 -0400
Subject: [PATCH 018/127] firewalld: fix --runtime-to-permanent if NM not in
use.
Due to scope "settings" was not defined.
Fixes: #404
Fixes: e7c00a4063ff ("ifcfg: Modify ZONE= on permanent config changes")
---
src/firewall/server/firewalld.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
index 6810b68c..bc04f2d0 100644
--- a/src/firewall/server/firewalld.py
+++ b/src/firewall/server/firewalld.py
@@ -441,8 +441,8 @@ class FirewallD(slip.dbus.service.Object):
nm_bus_name = nm_get_bus_name()
for name in self.fw.zone.get_zones():
conf = self.getZoneSettings(name)
+ settings = FirewallClientZoneSettings(conf)
if nm_bus_name is not None:
- settings = FirewallClientZoneSettings(conf)
changed = False
for interface in settings.getInterfaces():
if self.fw.zone.interface_get_sender(name, interface) == nm_bus_name:
--
2.19.1


@ -1,42 +1,26 @@
Name: firewalld
Version: 0.6.2
Release: 4
Version: 0.8.3
Release: 1
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
License: GPLv2+
URL: http://www.firewalld.org
Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
#backport from gnome
Patch0: firewalld-0.2.6-MDNS-default.patch
Patch0: firewalld-0.2.6-MDNS-default.patch
#backport from Eric Garver <e@erig.me>
Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch
#Patch2,3 backport from upstream
Patch2: 0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch
Patch3: 0001-Fix-translating-labels-392.patch
Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch
Patch6000: firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch
Patch6001: nftables-fix-destination-checks-not-allowing-masks.patch
Patch6002: firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch
Patch6003: nftables-fix-reject-statement-in-block-zone.patch
Patch6004: ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch
Patch6005: rich-rules-fix-mark-action.patch
Patch6006: nftables-fix-panic-mode-not-filtering-output-packets.patch
Patch6007: fw_zone-fix-rich-rule-masquerading.patch
Patch6008: fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch
Patch6009: nftables-fix-rich-rule-masquerade.patch
Patch6010: nftables-fix-ipv6-rich-rule-forward-ports.patch
Patch6011: ipset-fix-set-apply-if-IndividualCalls-yes.patch
Patch6012: fix-issue-457.patch
Patch9000: repair-test-cases.patch
Patch2: repair-test-cases.patch
BuildArch: noarch
BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl
BuildRequires: libxslt iptables ebtables ipset nftables python3-devel
BuildRequires: libxslt iptables ebtables ipset python3-devel
Requires: iptables ebtables ipset systemd hicolor-icon-theme python3-gobject NetworkManager-libnm dbus-x11 gtk3
Requires: nftables >= 0.9.0 kernel >= 4.18.0 python3-firewall = %{version}-%{release}
Requires: python3-firewall = %{version}-%{release}
Suggests: iptables-nft
Obsoletes: firewalld-selinux < 0.4.4.2-2
Conflicts: selinux-policy < 3.14.1-28
@ -70,7 +54,7 @@ Summary: Python3 bindings for firewalld
Obsoletes: python-firewall < 0.5.2-2
Obsoletes: python2-firewall < 0.5.2-2
Requires: python3-dbus python3-slip-dbus python3-decorator python3-gobject-base
Requires: python3-dbus python3-slip-dbus python3-decorator python3-gobject-base python3-nftables
%description -n python3-firewall
Python3 bindings for firewalld.
@ -163,6 +147,7 @@ fi
%{_bindir}/firewall-cmd
%{_bindir}/firewall-offline-cmd
%{_datadir}/bash-completion/completions/firewall-cmd
%{_datadir}/zsh/site-functions/_firewalld
%{_prefix}/lib/firewalld/*
%attr(0750,root,root) %dir %{_sysconfdir}/firewalld/
%config(noreplace) %{_sysconfdir}/firewalld/firewalld-standard.conf
@ -176,12 +161,12 @@ fi
%defattr(0644,root,root)
%config(noreplace) %{_sysconfdir}/sysconfig/firewalld
%{_unitdir}/firewalld.service
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
%config(noreplace) %{_datadir}/dbus-1/system.d/FirewallD.conf
%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
%ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
%{_sysconfdir}/logrotate.d/firewalld
%{_rpmconfigdir}/macros.d/macros.firewalld
#we don't need applet
@ -211,6 +196,12 @@ fi
%changelog
* Wed Apr 29 2020 zhouyihang <zhouyihang3@huawei.com> - 0.8.3-1
- Type:requirement
- ID:NA
- SUG:NA
- DESC:update firewalld version to 0.8.3
* Wed Jan 15 2020 zhangrui <zhangrui182@huawei.com> - 0.6.2-4
- create firewalld.conf file
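Review bot: `%config(noreplace)` is kept on the D-Bus policy file when it moves from `%{_sysconfdir}/dbus-1/system.d/FirewallD.conf` to `%{_datadir}/dbus-1/system.d/FirewallD.conf` (the pair after `%{_unitdir}/firewalld.service` in the `@ -176,12 +161,12 @@` hunk, if I read the old/new sides correctly). A file under %{_datadir} is package-owned data rather than administrator configuration, and with noreplace a tightened policy shipped by a later package would be parked as .rpmnew whenever the installed copy differs, so the access policy for the firewalld D-Bus interface could silently lag the package; change the line to `%{_datadir}/dbus-1/system.d/FirewallD.conf` and leave local overrides to /etc/dbus-1/system.d. Separately, the main package drops `nftables >= 0.9.0 kernel >= 4.18.0` from Requires while python3-firewall gains `python3-nftables`; that is coherent with the iptables default forced by Patch1, but a one-line spec comment above Patch1 stating that the nftables backend is not the supported default here would spare the next maintainer the reconstruction.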


@ -1,26 +0,0 @@
From 7da05eff467244f0da6a4e7c1370dd6c7605e9f4 Mon Sep 17 00:00:00 2001
From: Daniel Nicolai <dalanicolai@gmail.com>
Date: Mon, 11 Feb 2019 12:16:31 +0100
Subject: [PATCH 102/127] fix issue #457
I found out I did not set a value for invert when adding the rich rule via firewall-cmd. Then I got the error as mentioned in issue #457 because the invert attribute was given a default value None. I corrected it here so that it gets the default value False. This fixed the issue for me.
---
src/firewall/core/rich.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index 91f53fd9..dacaeb9c 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -394,7 +394,7 @@ class Rich_Rule(object):
elif element in ['not', 'NOT']:
attrs['invert'] = True
else:
- self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert'))
+ self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert', False))
in_elements.pop() # source
attrs.clear()
index = index -1 # return token to input
--
2.19.1


@ -1,39 +0,0 @@
From 2210822a2450a7b9ed853593c3d88aca1c43c2fc Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 5 Dec 2018 16:29:49 -0500
Subject: [PATCH 048/127] fw_zone: fix IPv6 rich rule forward-port without
toaddr
Using a rich rule with family=ipv6 and no toaddr specified was silently
not applying any rules.
---
src/firewall/core/fw_zone.py | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 816fa503..db90c32b 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1702,17 +1702,10 @@ class FirewallZone(object):
for ipv in ipvs:
if backend.is_ipv_supported(ipv):
self.check_forward_port(ipv, port, protocol, toport, toaddr)
-
- if check_single_address("ipv6", toaddr):
- ipv = "ipv6"
- else:
- ipv = "ipv4"
-
- if not backend.is_ipv_supported(ipv):
- continue
+ if enable:
+ zone_transaction.add_post(enable_ip_forwarding, ipv)
if enable:
- zone_transaction.add_post(enable_ip_forwarding, ipv)
mark_id = self._fw.new_mark()
filter_chain = "INPUT" if not toaddr else "FORWARD_IN"
--
2.19.1


@ -1,27 +0,0 @@
From 14acf26afe09ff9092bebbfc7ffe718b1758c573 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 5 Dec 2018 13:09:28 -0500
Subject: [PATCH 047/127] fw_zone: fix rich rule masquerading
We weren't passing the rich rule to the backend so filtering on
source/destination would not work.
---
src/firewall/core/fw_zone.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index ca90f7fb..816fa503 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1690,7 +1690,7 @@ class FirewallZone(object):
if backend.is_ipv_supported(ipv):
zone_transaction.add_post(enable_ip_forwarding, ipv)
- rules = backend.build_zone_masquerade_rules(enable, zone)
+ rules = backend.build_zone_masquerade_rules(enable, zone, rule)
zone_transaction.add_rules(backend, rules)
# FORWARD PORT
--
2.19.1


@ -1,43 +0,0 @@
From 93824072768f989991a11069ac75f1cd3d56ae34 Mon Sep 17 00:00:00 2001
From: Federico Cuello <fedux@fedux.com.ar>
Date: Sat, 20 Oct 2018 15:47:28 +0200
Subject: [PATCH 023/127] ipXtables/nftables: Fix "object has no attribute
'_log_denied'"
This fixes nftables and ipXtables (when IndividualCalls=yes),
as _log_denied is not an attribute of the class but a param.
---
src/firewall/core/ipXtables.py | 3 +--
src/firewall/core/nftables.py | 2 +-
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 02a518d2..11aebec6 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -492,8 +492,7 @@ class ip4tables(object):
if log_denied == "off":
return ""
if log_denied in [ "unicast", "broadcast", "multicast" ]:
- rule[i:i+1] = [ "-m", "pkttype", "--pkt-type",
- self._log_denied ]
+ rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", log_denied ]
else:
rule.pop(i)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 3c871069..cd05b2c3 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -290,7 +290,7 @@ class nftables(object):
if log_denied == "off":
return ""
if log_denied in ["unicast", "broadcast", "multicast"]:
- rule[i:i+1] = ["pkttype", self._log_denied]
+ rule[i:i+1] = ["pkttype", log_denied]
else:
rule.pop(i)
--
2.19.1


@ -1,81 +0,0 @@
From 4157393136bbaff53e812029376b2a0a5113cedb Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 11 Dec 2018 11:32:54 -0500
Subject: [PATCH 070/127] ipset: fix set apply if IndividualCalls=yes
Fixes: rhbz 1644834
Fixes: e6188ec98ff4 ("FirewallIPSet: Support restore in apply_ipsets, use it in Firewall")
---
src/firewall/core/fw_ipset.py | 2 +-
src/tests/regression/rhbz1601610.at | 43 +++++++++++++++++++++++++++++
2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
index b06a60d0..54ace39e 100644
--- a/src/firewall/core/fw_ipset.py
+++ b/src/firewall/core/fw_ipset.py
@@ -125,7 +125,7 @@ class FirewallIPSet(object):
raise FirewallError(errors.COMMAND_FAILED, msg)
else:
obj.applied = True
- if "timeout" not in obj.options or \
+ if "timeout" in obj.options and \
obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
continue
diff --git a/src/tests/regression/rhbz1601610.at b/src/tests/regression/rhbz1601610.at
index 0676bb82..5ba0cee4 100644
--- a/src/tests/regression/rhbz1601610.at
+++ b/src/tests/regression/rhbz1601610.at
@@ -57,5 +57,48 @@ FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22])
FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [
])
+dnl rhbz 1644834
+FWD_CHECK([-q --ipset=foobar --add-entry=10.1.0.0/16])
+FWD_CHECK([-q --runtime-to-permanent])
+FWD_RELOAD
+m4_if(nftables, FIREWALL_BACKEND, [
+NFT_LIST_SET([foobar], 0, [dnl
+table inet firewalld {
+set foobar {
+type ipv4_addr
+flags interval
+elements = { 10.1.0.0/16, 10.2.0.0/22 }
+}
+}
+])], [
+IPSET_LIST_SET([foobar], 0, [dnl
+Name: foobar
+Type: hash:net
+Members:
+10.1.0.0/16
+10.2.0.0/22
+])])
+
+dnl rhbz 1644834, again with IndividualCalls=yes
+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf])
+FWD_RELOAD
+m4_if(nftables, FIREWALL_BACKEND, [
+NFT_LIST_SET([foobar], 0, [dnl
+table inet firewalld {
+set foobar {
+type ipv4_addr
+flags interval
+elements = { 10.1.0.0/16, 10.2.0.0/22 }
+}
+}
+])], [
+IPSET_LIST_SET([foobar], 0, [dnl
+Name: foobar
+Type: hash:net
+Members:
+10.1.0.0/16
+10.2.0.0/22
+])])
+
FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl
-e '/ERROR: COMMAND_FAILED:.*element.*exists/d'])
--
2.19.1


@ -1,63 +0,0 @@
From b3c43ee7be2411a8d17416b98616378078f21eef Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 27 Sep 2018 08:52:22 -0400
Subject: [PATCH 009/127] nftables: fix destination checks not allowing masks
Some destination checks were using check_single_address() which make it
impossible to use a mask. This was discovered in issue #399.
---
src/firewall/core/nftables.py | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 811f4e71..64191d1f 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -753,7 +753,7 @@ class nftables(object):
return []
rule_fragment = []
- if check_single_address("ipv4", rich_dest.addr):
+ if check_address("ipv4", rich_dest.addr):
rule_fragment += ["ip"]
else:
rule_fragment += ["ip6"]
@@ -803,7 +803,7 @@ class nftables(object):
if rich_rule:
rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
rule_fragment += ["ip"]
else:
rule_fragment += ["ip6"]
@@ -835,7 +835,7 @@ class nftables(object):
if rich_rule:
rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
rule_fragment += ["ip"]
else:
rule_fragment += ["ip6"]
@@ -869,7 +869,7 @@ class nftables(object):
if rich_rule:
rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
rule_fragment += ["ip"]
else:
rule_fragment += ["ip6"]
@@ -900,7 +900,7 @@ class nftables(object):
rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
"raw_%s_allow" % (target), proto]
if destination:
- if check_single_address("ipv4", destination):
+ if check_address("ipv4", destination):
rule += ["ip"]
else:
rule += ["ip6"]
--
2.19.1


@ -1,29 +0,0 @@
From 628657cdafa7ba3217fb031c748f5a7d32924c90 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 5 Dec 2018 19:11:06 -0500
Subject: [PATCH 050/127] nftables: fix ipv6 rich rule forward-ports
The were mistakenly being added to the ipv4 nat tables as well.
Fixes: #422
Fixes: b630abd8e901 ("backend: introduce nftables support")
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 00a02ad1..a1cb2c47 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -980,7 +980,7 @@ class nftables(object):
or toaddr and check_single_address("ipv6", toaddr)):
rules.extend(self._build_zone_forward_port_nat_rules(enable, zone,
protocol, mark_fragment, toaddr, toport, "ip6"))
- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
+ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
or toaddr and check_single_address("ipv4", toaddr)):
rules.extend(self._build_zone_forward_port_nat_rules(enable, zone,
protocol, mark_fragment, toaddr, toport, "ip"))
--
2.19.1


@ -1,73 +0,0 @@
From 2f5608b4897ff99afbb1c2425a94df035031c1a2 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Mon, 3 Dec 2018 12:40:41 -0500
Subject: [PATCH 043/127] nftables: fix panic mode not filtering output packets
This simplifies policy in the nftables backend by filtering only on the
prerouting and output hooks. The others hooks are unnecessary since
we're using a higher precedence.
Also fixes an issue when re-enabling panic mode multiple times. Due to
rule de-duplication the policy drop rule was not being re-added.
Fixes: rhbz 1579740
Fixes: a0f683dfef2c ("nftables: fix policy")
---
src/firewall/core/nftables.py | 36 +++++++++--------------------------
1 file changed, 9 insertions(+), 27 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 69236a96..44cd4f9e 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -314,38 +314,20 @@ class nftables(object):
# packets while initially starting and for panic mode. As such, using
# hooks with a higher priority than our base chains is sufficient.
#
- table_chains = []
- for table in list(IPTABLES_TO_NFT_HOOK.keys()):
- for chain in IPTABLES_TO_NFT_HOOK[table]:
- table_chains.append((table, chain))
-
table_name = TABLE_NAME + "_" + "policy_drop"
- def _policy_drop_helper(table, chain, family, rules):
- _chain = "%s_%s" % (table, chain)
- _hook = IPTABLES_TO_NFT_HOOK[table][chain][0]
- # add hooks with priority -1, only contain drop rule
- _priority = IPTABLES_TO_NFT_HOOK[table][chain][1] - 1
- _add_chain = "add chain %s %s %s '{ type filter hook %s priority %d ; }'" % \
- (family, table_name, _chain, _hook, _priority)
- rules.append(splitArgs(_add_chain))
- rules.append(["add", "rule", family, table_name, _chain, "drop"])
-
rules = []
if policy == "DROP":
- for family in ["inet", "ip", "ip6"]:
- rules.append(["add", "table", family, table_name])
-
- for table,chain in table_chains:
- if table == "nat":
- # nat requires two families
- for family in ["ip", "ip6"]:
- _policy_drop_helper(table, chain, family, rules)
- else:
- _policy_drop_helper(table, chain, "inet", rules)
+ rules.append(["add", "table", "inet", table_name])
+
+ # To drop everything we need to use the "raw" priority. These occur
+ # before conntrack, mangle, nat, etc
+ for hook in ["prerouting", "output"]:
+ _add_chain = "add chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'" % \
+ (table_name, "raw", hook, hook, -300 + NFT_HOOK_OFFSET - 1)
+ rules.append(splitArgs(_add_chain))
elif policy == "ACCEPT":
- for family in ["inet", "ip", "ip6"]:
- rules.append(["delete", "table", family, table_name])
+ rules.append(["delete", "table", "inet", table_name])
else:
FirewallError(UNKNOWN_ERROR, "not implemented")
--
2.19.1


@ -1,43 +0,0 @@
From a9abba630333970cc59d5fdcb1e92968b38f5eaa Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 11 Oct 2018 11:58:22 -0400
Subject: [PATCH 020/127] nftables: fix reject statement in "block" zone
Also add test coverage.
Fixes: #406
---
src/firewall/core/nftables.py | 3 ++-
src/tests/firewall-cmd.at | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 8a305539..3c871069 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -619,7 +619,8 @@ class nftables(object):
target in ["ACCEPT", "REJECT", "%%REJECT%%", "DROP"] and \
chain in ["INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"]:
rules.append(["add", "rule", family, "%s" % TABLE_NAME,
- "%s_%s" % (table, _zone), target.lower()])
+ "%s_%s" % (table, _zone),
+ target.lower() if target != "%%REJECT%%" else "%%REJECT%%"])
return rules
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index ef45110c..b7ec3816 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -69,6 +69,8 @@ FWD_START_TEST([zone interfaces])
FWD_CHECK([--zone=public --change-interface=dummy], 0, ignore)
FWD_CHECK([--get-zone-of-interface=dummy], 0, [public
])
+ FWD_CHECK([--zone=block --add-interface=dummy1], 0, ignore)
+ FWD_CHECK([--zone=block --remove-interface=dummy1], 0, ignore)
FWD_CHECK([--zone=dmz --change-zone=dummy], 0, ignore)
FWD_CHECK([--get-zone-of-interface=dummy], 0, [dmz
--
2.19.1


@ -1,38 +0,0 @@
From aee4948e86fde6df8205b07f4da58e2a8c07377c Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 5 Dec 2018 17:16:30 -0500
Subject: [PATCH 049/127] nftables: fix rich rule masquerade
---
src/firewall/core/nftables.py | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 44cd4f9e..00a02ad1 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -900,7 +900,6 @@ class nftables(object):
rule_fragment = []
if rich_rule:
- rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
@@ -912,10 +911,10 @@ class nftables(object):
# nat tables needs to use ip/ip6 family
rules = []
if rich_rule and (rich_rule.family and rich_rule.family == "ipv6"
- or rich_rule.source and check_address("ipv6", rich_rule.source)):
+ or rich_rule.source and check_address("ipv6", rich_rule.source.addr)):
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
- or rich_rule.source and check_address("ipv4", rich_rule.source)):
+ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
+ or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
else:
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
--
2.19.1


@ -1,52 +1,38 @@
From a43ae627eeb4f99bb15ed737fd58f0ec15d55dea Mon Sep 17 00:00:00 2001
From: yanghua <yanghua21@huawei.com>
Date: Mon, 6 May 2019 16:28:01 +0800
Subject: [PATCH] Repair test cases gh366 rhbz1514043 rhbz1601610
From 9904b48fdce1e28b122d8f64961d2dda81d4c546 Mon Sep 17 00:00:00 2001
From: sherlock2010 <15151851377@163.com>
Date: Wed, 29 Jul 2020 17:29:59 +0800
Subject: [PATCH 3/3] third commit
---
src/tests/functions.at | 2 +-
src/tests/regression/gh366.at | 1 +
src/tests/regression/rhbz1514043.at | 2 +-
3 files changed, 3 insertions(+), 2 deletions(-)
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index d1f3429..243724f 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -244,7 +244,7 @@ m4_define([NFT_LIST_RULES], [
m4_define([IPSET_LIST_SET], [
NS_CHECK([ipset list $1 | TRIM_WHITESPACE |dnl
grep -v "^\(Revision\|Header\|Size\|References\|Number\)" |dnl
- awk 'NR <= 4; NR > 4 {print | "sort"}'],
+ awk 'NR <= 3; NR > 3 {print | "sort"}'],
[$2], [$3], [$4], [$5], [$6])
])
diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at
index dd6963f..46307cf 100644
index 1441a6b..be33ed7 100644
--- a/src/tests/regression/gh366.at
+++ b/src/tests/regression/gh366.at
@@ -22,6 +22,7 @@ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
])])])
])])
+FWD_CHECK([-q --zone=public --remove-service=mdns])
FWD_CHECK([-q --zone=public --add-service=mdns])
check_firewall_backend_output
FWD_CHECK([-q --zone=public --remove-service=mdns])
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index 4831460..077c007 100644
index efc33e0..694a198 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -3,7 +3,7 @@ FWD_CHECK([-q --set-log-denied=all])
@@ -5,7 +5,7 @@ FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
-services: ssh dhcpv6-client samba
-services: dhcpv6-client samba ssh
+services: ssh mdns dhcpv6-client samba
])
dnl check that log denied actually took effect
m4_if(iptables, FIREWALL_BACKEND, [
--
2.19.1
1.8.3.1
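Review bot: The replacement patch header carries only the subject `third commit` and no body, so nothing in this file explains why rhbz1514043.at now expects `services: ssh mdns dhcpv6-client samba` for the public zone, nor why gh366.at gains a `--remove-service=mdns` before the `--add-service=mdns`. Both edits only make sense if the packaged default public zone already enables the mdns service (udp dpt:5353 in the expected output elsewhere on this page), which is a firewall-exposure decision a later reviewer should not have to infer from a test expectation. A subject such as `tests: expect mdns in the default public zone` with a one-line body stating that the distribution's public zone ships with mdns enabled would make the intent explicit. The switch from `dhcpv6-client samba ssh` to `ssh mdns dhcpv6-client samba` also changes the ordering, presumably because the listed order is not sorted; worth a sentence so it is not read as a typo.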


@ -1,65 +0,0 @@
From 5d36e0f55887c6204e07bd8095ead1ce2d535ddb Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 2 Nov 2018 14:10:38 -0400
Subject: [PATCH 025/127] rich rules: fix mark action
They were being placed in the wrong (and nonexistent) chain. Also add
test coverage for the "mark" action.
Fixes: 7c5f5f4d12ee ("fw_zone: push rich rule generation to backend")
Tested-by: Felix Kaechele <heffer@fedoraproject.org>
---
src/firewall/core/ipXtables.py | 4 ++--
src/firewall/core/nftables.py | 4 ++--
src/tests/firewall-cmd.at | 1 +
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 11aebec6..b98ba522 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -807,10 +807,10 @@ class ip4tables(object):
chain = "%s_deny" % target
rule_action = [ "-j", "DROP" ]
elif type(rich_rule.action) == Rich_Mark:
- chain = "%s_allow" % target
- table = "mangle"
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
+ table = "mangle"
+ chain = "%s_allow" % target
rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
else:
raise FirewallError(INVALID_RULE,
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index cd05b2c3..69236a96 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -723,10 +723,10 @@ class nftables(object):
chain = "%s_%s_deny" % (table, target)
rule_action = ["drop"]
elif type(rich_rule.action) == Rich_Mark:
- table = "mangle"
- chain = "%s_%s_allow" % (table, target)
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
+ table = "mangle"
+ chain = "%s_%s_allow" % (table, target)
rule_action = ["meta", "mark", "set", rich_rule.action.set]
else:
raise FirewallError(INVALID_RULE,
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index b7ec3816..f31c8955 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -863,6 +863,7 @@ FWD_START_TEST([rich rules good])
rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])
rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
+ rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])
FWD_END_TEST
FWD_START_TEST([rich rules audit])
CHECK_LOG_AUDIT
--
2.19.1