packages/firewalld
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 0.9.4

Browse Source
This commit is contained in:
eaglegai 2021-07-22 15:23:27 +08:00
parent 0b0a10f4de
commit d144d014f5
10 changed files with 8 additions and 6595 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5993
0001-feat-implement-policy-objects-internally.patch
View File

File diff suppressed because it is too large Load Diff

35
0001-fix-build-distribute-new-python-files.patch
View File

@ -1,35 +0,0 @@
From e8714cb5e3ad20708b3d481d51c3aa26c04a52d3 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 6 Apr 2020 16:52:02 -0400
Subject: [PATCH] fix: build: distribute new python files
Make sure we distribute the new python files.
Fixes: 34bdee40aa61 ("feat: implement policy objects internally")
---
src/Makefile.am | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/Makefile.am b/src/Makefile.am
index 76589d6..985c46a 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -27,6 +27,7 @@ nobase_dist_python_DATA = \
firewall/core/fw_ipset.py \
firewall/core/fw_nm.py \
firewall/core/fw_policies.py \
+ firewall/core/fw_policy.py \
firewall/core/fw.py \
firewall/core/fw_service.py \
firewall/core/fw_transaction.py \
@@ -44,6 +45,7 @@ nobase_dist_python_DATA = \
firewall/core/io/io_object.py \
firewall/core/io/ipset.py \
firewall/core/io/lockdown_whitelist.py \
+ firewall/core/io/policy.py \
firewall/core/io/service.py \
firewall/core/io/zone.py \
firewall/core/ipset.py \
--
1.8.3.1

33
0001-fix-po-add-new-python-files-to-POTFILES.patch
View File

@ -1,33 +0,0 @@
From 1bac8783de46896b54161d8fe3cdbe7d1d7a1446 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Apr 2020 14:42:14 -0400
Subject: [PATCH] fix: po: add new python files to POTFILES
Fixes: 34bdee40aa61 ("feat: implement policy objects internally")
---
po/POTFILES.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 918f6f0..56952fe 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -242,6 +242,7 @@ src/firewall/core/fw_ifcfg.py
src/firewall/core/fw_ipset.py
src/firewall/core/fw_nm.py
src/firewall/core/fw_policies.py
+src/firewall/core/fw_policy.py
src/firewall/core/fw.py
src/firewall/core/fw_service.py
src/firewall/core/fw_transaction.py
@@ -259,6 +260,7 @@ src/firewall/core/io/__init__.py
src/firewall/core/io/io_object.py
src/firewall/core/io/ipset.py
src/firewall/core/io/lockdown_whitelist.py
+src/firewall/core/io/policy.py
src/firewall/core/io/service.py
src/firewall/core/io/zone.py
src/firewall/core/ipset.py
--
1.8.3.1

54
0001-fix-policy-ipXtables-calculate-max-name-len-properly.patch
View File

@ -1,54 +0,0 @@
From c6fe749fb75004c30818bcc0696ac23801239d0b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 21 Jul 2020 16:03:24 -0400
Subject: [PATCH] fix(policy): ipXtables: calculate max name len properly
Policy chain names still need the SHORTCUTS (POST, IN, etc) in the chain
name. As such, calculate the max name length appropriately.
This also drops the "pol_" prefix for policy chains. Retaining it would
restrict the policy name max length unreasonably so.
Fixes: 34bdee40aa61 ("feat: implement policy objects internally")
---
src/firewall/core/ipXtables.py | 2 +-
src/firewall/functions.py | 8 +++++---
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index b310a74..54c267b 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -32,7 +32,7 @@ from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, \
Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock
import string
-POLICY_CHAIN_PREFIX = "pol_"
+POLICY_CHAIN_PREFIX = ""
BUILT_IN_CHAINS = {
"security": [ "INPUT", "OUTPUT", "FORWARD" ],
diff --git a/src/firewall/functions.py b/src/firewall/functions.py
index d4c5e90..de4e244 100644
--- a/src/firewall/functions.py
+++ b/src/firewall/functions.py
@@ -508,11 +508,13 @@ def ppid_of_pid(pid):
def max_policy_name_len():
"""
iptables limits length of chain to (currently) 28 chars.
- The longest chain we create is pol_<policy>_allow,
- which leaves 28 - 10 = 18 chars for <policy>.
+ The longest chain we create is POST_<policy>_allow,
+ which leaves 28 - 11 = 17 chars for <policy>.
"""
from firewall.core.ipXtables import POLICY_CHAIN_PREFIX
- return 28 - (len(POLICY_CHAIN_PREFIX) + len("_allow"))
+ from firewall.core.base import SHORTCUTS
+ longest_shortcut = max(map(len, SHORTCUTS.values()))
+ return 28 - (longest_shortcut + len(POLICY_CHAIN_PREFIX) + len("_allow"))
def max_zone_name_len():
"""
--
1.8.3.1

25
0001-fix-zone-listing-rich-rules-in-default-zone.patch
View File

@ -1,25 +0,0 @@
From 3d418e35afecf68ba955915f29a003ad81258037 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 28 Apr 2020 13:48:53 -0400
Subject: [PATCH] fix(zone): listing rich rules in default zone
Fixes: 34bdee40aa61 ("feat: implement policy objects internally")
---
src/firewall/core/fw_zone.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 6f6fba0..7048a90 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -744,6 +744,7 @@ class FirewallZone(object):
return ret
def list_rules(self, zone):
+ zone = self._fw.check_zone(zone)
ret = set()
for p_name in [self.policy_name_from_zones(zone, "ANY"),
self.policy_name_from_zones(zone, "HOST"),
--
1.8.3.1

390
0001-improvement-port-allow-coalescing-and-breaking-of-ra.patch
View File

@ -1,390 +0,0 @@
From a5291bcee84b56b30aac38544d85fb601fe6a25a Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 17 Mar 2020 13:51:43 -0400
Subject: [PATCH] improvement: port: allow coalescing and breaking of ranges
---
src/firewall/core/fw_zone.py | 106 +++++++++++++++++++++++++++----------
src/firewall/functions.py | 85 +++++++++++++++++++++++++++++
src/firewall/server/config_zone.py | 55 ++++++++++++++-----
3 files changed, 204 insertions(+), 42 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 2bc94e3..d32d7a8 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -25,7 +25,7 @@ from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET, \
from firewall.core.logger import log
from firewall.functions import portStr, checkIPnMask, checkIP6nMask, \
checkProtocol, enable_ip_forwarding, check_single_address, check_mac, \
- portInPortRange, get_nf_conntrack_short_name
+ portInPortRange, get_nf_conntrack_short_name, coalescePortRange, breakPortRange
from firewall.core.rich import Rich_Rule, Rich_Accept, \
Rich_Mark, Rich_Service, Rich_Port, Rich_Protocol, \
Rich_Masquerade, Rich_ForwardPort, Rich_SourcePort, Rich_IcmpBlock, \
@@ -857,11 +857,13 @@ class FirewallZone(object):
self._fw.check_panic()
_obj = self._zones[_zone]
- port_id = self.__port_id(port, protocol)
- if port_id in _obj.settings["ports"]:
- raise FirewallError(errors.ALREADY_ENABLED,
- "'%s:%s' already in '%s'" % (port, protocol,
- _zone))
+ existing_port_ids = list(filter(lambda x: x[1] == protocol, _obj.settings["ports"]))
+ for port_id in existing_port_ids:
+ if portInPortRange(port, port_id[0]):
+ raise FirewallError(errors.ALREADY_ENABLED,
+ "'%s:%s' already in '%s'" % (port, protocol, _zone))
+
+ added_ranges, removed_ranges = coalescePortRange(port, [_port for (_port, _protocol) in existing_port_ids])
if use_transaction is None:
transaction = self.new_transaction()
@@ -869,10 +871,18 @@ class FirewallZone(object):
transaction = use_transaction
if _obj.applied:
- self._port(True, _zone, port, protocol, transaction)
-
- self.__register_port(_obj, port_id, timeout, sender)
- transaction.add_fail(self.__unregister_port, _obj, port_id)
+ for range in added_ranges:
+ self._port(True, _zone, portStr(range, "-"), protocol, transaction)
+ for range in removed_ranges:
+ self._port(False, _zone, portStr(range, "-"), protocol, transaction)
+
+ for range in added_ranges:
+ port_id = self.__port_id(range, protocol)
+ self.__register_port(_obj, port_id, timeout, sender)
+ transaction.add_fail(self.__unregister_port, _obj, port_id)
+ for range in removed_ranges:
+ port_id = self.__port_id(range, protocol)
+ transaction.add_post(self.__unregister_port, _obj, port_id)
if use_transaction is None:
transaction.execute(True)
@@ -889,20 +899,34 @@ class FirewallZone(object):
self._fw.check_panic()
_obj = self._zones[_zone]
- port_id = self.__port_id(port, protocol)
- if port_id not in _obj.settings["ports"]:
+ existing_port_ids = list(filter(lambda x: x[1] == protocol, _obj.settings["ports"]))
+ for port_id in existing_port_ids:
+ if portInPortRange(port, port_id[0]):
+ break
+ else:
raise FirewallError(errors.NOT_ENABLED,
"'%s:%s' not in '%s'" % (port, protocol, _zone))
+ added_ranges, removed_ranges = breakPortRange(port, [_port for (_port, _protocol) in existing_port_ids])
+
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
if _obj.applied:
- self._port(False, _zone, port, protocol, transaction)
-
- transaction.add_post(self.__unregister_port, _obj, port_id)
+ for range in added_ranges:
+ self._port(True, _zone, portStr(range, "-"), protocol, transaction)
+ for range in removed_ranges:
+ self._port(False, _zone, portStr(range, "-"), protocol, transaction)
+
+ for range in added_ranges:
+ port_id = self.__port_id(range, protocol)
+ self.__register_port(_obj, port_id, 0, None)
+ transaction.add_fail(self.__unregister_port, _obj, port_id)
+ for range in removed_ranges:
+ port_id = self.__port_id(range, protocol)
+ transaction.add_post(self.__unregister_port, _obj, port_id)
if use_transaction is None:
transaction.execute(True)
@@ -1015,11 +1039,13 @@ class FirewallZone(object):
self._fw.check_panic()
_obj = self._zones[_zone]
- port_id = self.__source_port_id(port, protocol)
- if port_id in _obj.settings["source_ports"]:
- raise FirewallError(errors.ALREADY_ENABLED,
- "'%s:%s' already in '%s'" % (port, protocol,
- _zone))
+ existing_port_ids = list(filter(lambda x: x[1] == protocol, _obj.settings["source_ports"]))
+ for port_id in existing_port_ids:
+ if portInPortRange(port, port_id[0]):
+ raise FirewallError(errors.ALREADY_ENABLED,
+ "'%s:%s' already in '%s'" % (port, protocol, _zone))
+
+ added_ranges, removed_ranges = coalescePortRange(port, [_port for (_port, _protocol) in existing_port_ids])
if use_transaction is None:
transaction = self.new_transaction()
@@ -1027,10 +1053,18 @@ class FirewallZone(object):
transaction = use_transaction
if _obj.applied:
- self._source_port(True, _zone, port, protocol, transaction)
-
- self.__register_source_port(_obj, port_id, timeout, sender)
- transaction.add_fail(self.__unregister_source_port, _obj, port_id)
+ for range in added_ranges:
+ self._source_port(True, _zone, portStr(range, "-"), protocol, transaction)
+ for range in removed_ranges:
+ self._source_port(False, _zone, portStr(range, "-"), protocol, transaction)
+
+ for range in added_ranges:
+ port_id = self.__source_port_id(range, protocol)
+ self.__register_source_port(_obj, port_id, timeout, sender)
+ transaction.add_fail(self.__unregister_source_port, _obj, port_id)
+ for range in removed_ranges:
+ port_id = self.__source_port_id(range, protocol)
+ transaction.add_post(self.__unregister_source_port, _obj, port_id)
if use_transaction is None:
transaction.execute(True)
@@ -1047,20 +1081,34 @@ class FirewallZone(object):
self._fw.check_panic()
_obj = self._zones[_zone]
- port_id = self.__source_port_id(port, protocol)
- if port_id not in _obj.settings["source_ports"]:
+ existing_port_ids = list(filter(lambda x: x[1] == protocol, _obj.settings["source_ports"]))
+ for port_id in existing_port_ids:
+ if portInPortRange(port, port_id[0]):
+ break
+ else:
raise FirewallError(errors.NOT_ENABLED,
"'%s:%s' not in '%s'" % (port, protocol, _zone))
+ added_ranges, removed_ranges = breakPortRange(port, [_port for (_port, _protocol) in existing_port_ids])
+
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
if _obj.applied:
- self._source_port(False, _zone, port, protocol, transaction)
-
- transaction.add_post(self.__unregister_source_port, _obj, port_id)
+ for range in added_ranges:
+ self._source_port(True, _zone, portStr(range, "-"), protocol, transaction)
+ for range in removed_ranges:
+ self._source_port(False, _zone, portStr(range, "-"), protocol, transaction)
+
+ for range in added_ranges:
+ port_id = self.__source_port_id(range, protocol)
+ self.__register_source_port(_obj, port_id, 0, None)
+ transaction.add_fail(self.__unregister_source_port, _obj, port_id)
+ for range in removed_ranges:
+ port_id = self.__source_port_id(range, protocol)
+ transaction.add_post(self.__unregister_source_port, _obj, port_id)
if use_transaction is None:
transaction.execute(True)
diff --git a/src/firewall/functions.py b/src/firewall/functions.py
index 6af2206..6bc52d9 100644
--- a/src/firewall/functions.py
+++ b/src/firewall/functions.py
@@ -72,6 +72,10 @@ def getPortRange(ports):
@return Array containing start and end port id for a valid range or -1 if port can not be found and -2 if port is too big for integer input or -1 for invalid ranges or None if the range is ambiguous.
"""
+ # (port, port) or [port, port] case
+ if isinstance(ports, tuple) or isinstance(ports, list):
+ return ports
+
# "<port-id>" case
if isinstance(ports, int) or ports.isdigit():
id1 = getPortID(ports)
@@ -155,6 +159,87 @@ def portInPortRange(port, range):
return False
+def coalescePortRange(new_range, ranges):
+ """ Coalesce a port range with existing list of port ranges
+
+ @param new_range tuple/list/string
+ @param ranges list of tuple/list/string
+ @return tuple of (list of ranges added after coalescing, list of removed original ranges)
+ """
+
+ coalesced_range = getPortRange(new_range)
+ # normalize singleton ranges, e.g. (x,) --> (x,x)
+ if len(coalesced_range) == 1:
+ coalesced_range = (coalesced_range[0], coalesced_range[0])
+ _ranges = map(getPortRange, ranges)
+ _ranges = sorted(map(lambda x: (x[0],x[0]) if len(x) == 1 else x, _ranges), key=lambda x: x[0])
+
+ removed_ranges = []
+ for range in _ranges:
+ if coalesced_range[0] <= range[0] and coalesced_range[1] >= range[1]:
+ # new range covers this
+ removed_ranges.append(range)
+ elif coalesced_range[0] <= range[0] and coalesced_range[1] < range[1] and \
+ coalesced_range[1] >= range[0]:
+ # expand beginning of range
+ removed_ranges.append(range)
+ coalesced_range = (coalesced_range[0], range[1])
+ elif coalesced_range[0] > range[0] and coalesced_range[1] >= range[1] and \
+ coalesced_range[0] <= range[1]:
+ # expand end of range
+ removed_ranges.append(range)
+ coalesced_range = (range[0], coalesced_range[1])
+
+ # normalize singleton ranges, e.g. (x,x) --> (x,)
+ removed_ranges = list(map(lambda x: (x[0],) if x[0] == x[1] else x, removed_ranges))
+ if coalesced_range[0] == coalesced_range[1]:
+ coalesced_range = (coalesced_range[0],)
+
+ return ([coalesced_range], removed_ranges)
+
+def breakPortRange(remove_range, ranges):
+ """ break a port range from existing list of port ranges
+
+ @param remove_range tuple/list/string
+ @param ranges list of tuple/list/string
+ @return tuple of (list of ranges added after breaking up, list of removed original ranges)
+ """
+
+ remove_range = getPortRange(remove_range)
+ # normalize singleton ranges, e.g. (x,) --> (x,x)
+ if len(remove_range) == 1:
+ remove_range = (remove_range[0], remove_range[0])
+ _ranges = map(getPortRange, ranges)
+ _ranges = sorted(map(lambda x: (x[0],x[0]) if len(x) == 1 else x, _ranges), key=lambda x: x[0])
+
+ removed_ranges = []
+ added_ranges = []
+ for range in _ranges:
+ if remove_range[0] <= range[0] and remove_range[1] >= range[1]:
+ # remove entire range
+ removed_ranges.append(range)
+ elif remove_range[0] <= range[0] and remove_range[1] < range[1] and \
+ remove_range[1] >= range[0]:
+ # remove from beginning of range
+ removed_ranges.append(range)
+ added_ranges.append((remove_range[1] + 1, range[1]))
+ elif remove_range[0] > range[0] and remove_range[1] >= range[1] and \
+ remove_range[0] <= range[1]:
+ # remove from end of range
+ removed_ranges.append(range)
+ added_ranges.append((range[0], remove_range[0] - 1))
+ elif remove_range[0] > range[0] and remove_range[1] < range[1]:
+ # remove inside range
+ removed_ranges.append(range)
+ added_ranges.append((range[0], remove_range[0] - 1))
+ added_ranges.append((remove_range[1] + 1, range[1]))
+
+ # normalize singleton ranges, e.g. (x,x) --> (x,)
+ removed_ranges = list(map(lambda x: (x[0],) if x[0] == x[1] else x, removed_ranges))
+ added_ranges = list(map(lambda x: (x[0],) if x[0] == x[1] else x, added_ranges))
+
+ return (added_ranges, removed_ranges)
+
def getServiceName(port, proto):
""" Check and Get service name from port and proto string combination using socket.getservbyport
diff --git a/src/firewall/server/config_zone.py b/src/firewall/server/config_zone.py
index 1ae20ce..1c05318 100644
--- a/src/firewall/server/config_zone.py
+++ b/src/firewall/server/config_zone.py
@@ -41,7 +41,8 @@ from firewall.server.decorators import handle_exceptions, \
dbus_handle_exceptions, dbus_service_method
from firewall import errors
from firewall.errors import FirewallError
-from firewall.functions import portInPortRange
+from firewall.functions import portStr, portInPortRange, coalescePortRange, \
+ breakPortRange
############################################################################
#
@@ -455,10 +456,16 @@ class FirewallDConfigZone(slip.dbus.service.Object):
protocol)
self.parent.accessCheck(sender)
settings = list(self.getSettings())
- if (port,protocol) in settings[6]:
- raise FirewallError(errors.ALREADY_ENABLED,
- "%s:%s" % (port, protocol))
- settings[6].append((port,protocol))
+ existing_port_ids = list(filter(lambda x: x[1] == protocol, settings[6]))
+ for port_id in existing_port_ids:
+ if portInPortRange(port, port_id[0]):
+ raise FirewallError(errors.ALREADY_ENABLED,
+ "%s:%s" % (port, protocol))
+ added_ranges, removed_ranges = coalescePortRange(port, [_port for (_port, _protocol) in existing_port_ids])
+ for range in removed_ranges:
+ settings[6].remove((portStr(range, "-"), protocol))
+ for range in added_ranges:
+ settings[6].append((portStr(range, "-"), protocol))
self.update(settings)
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
@@ -471,9 +478,17 @@ class FirewallDConfigZone(slip.dbus.service.Object):
protocol)
self.parent.accessCheck(sender)
settings = list(self.getSettings())
- if (port,protocol) not in settings[6]:
+ existing_port_ids = list(filter(lambda x: x[1] == protocol, settings[6]))
+ for port_id in existing_port_ids:
+ if portInPortRange(port, port_id[0]):
+ break
+ else:
raise FirewallError(errors.NOT_ENABLED, "%s:%s" % (port, protocol))
- settings[6].remove((port,protocol))
+ added_ranges, removed_ranges = breakPortRange(port, [_port for (_port, _protocol) in existing_port_ids])
+ for range in removed_ranges:
+ settings[6].remove((portStr(range, "-"), protocol))
+ for range in added_ranges:
+ settings[6].append((portStr(range, "-"), protocol))
self.update(settings)
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
@@ -583,10 +598,16 @@ class FirewallDConfigZone(slip.dbus.service.Object):
protocol)
self.parent.accessCheck(sender)
settings = list(self.getSettings())
- if (port,protocol) in settings[14]:
- raise FirewallError(errors.ALREADY_ENABLED,
- "%s:%s" % (port, protocol))
- settings[14].append((port,protocol))
+ existing_port_ids = list(filter(lambda x: x[1] == protocol, settings[14]))
+ for port_id in existing_port_ids:
+ if portInPortRange(port, port_id[0]):
+ raise FirewallError(errors.ALREADY_ENABLED,
+ "%s:%s" % (port, protocol))
+ added_ranges, removed_ranges = coalescePortRange(port, [_port for (_port, _protocol) in existing_port_ids])
+ for range in removed_ranges:
+ settings[14].remove((portStr(range, "-"), protocol))
+ for range in added_ranges:
+ settings[14].append((portStr(range, "-"), protocol))
self.update(settings)
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
@@ -599,9 +620,17 @@ class FirewallDConfigZone(slip.dbus.service.Object):
protocol)
self.parent.accessCheck(sender)
settings = list(self.getSettings())
- if (port,protocol) not in settings[14]:
+ existing_port_ids = list(filter(lambda x: x[1] == protocol, settings[14]))
+ for port_id in existing_port_ids:
+ if portInPortRange(port, port_id[0]):
+ break
+ else:
raise FirewallError(errors.NOT_ENABLED, "%s:%s" % (port, protocol))
- settings[14].remove((port,protocol))
+ added_ranges, removed_ranges = breakPortRange(port, [_port for (_port, _protocol) in existing_port_ids])
+ for range in removed_ranges:
+ settings[14].remove((portStr(range, "-"), protocol))
+ for range in added_ranges:
+ settings[14].append((portStr(range, "-"), protocol))
self.update(settings)
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
--
1.8.3.1

55
0001-improvement-port-simplify-queryPort.patch
View File

@ -1,55 +0,0 @@
From cd8e0c3774a6c7ca6679fd50a0fb6f211528d9cc Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 19 Mar 2020 16:22:18 -0400
Subject: [PATCH] improvement: port: simplify queryPort
---
src/firewall/core/fw_zone.py | 10 +++-------
src/firewall/server/config_zone.py | 10 +++-------
2 files changed, 6 insertions(+), 14 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 5cda560..59d7a44 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -914,13 +914,9 @@ class FirewallZone(object):
del _obj.settings["ports"][port_id]
def query_port(self, zone, port, protocol):
- if self.__port_id(port, protocol) in self.get_settings(zone)["ports"]:
- return True
- else:
- # It might be a single port query that is inside a range
- for (_port, _protocol) in self.get_settings(zone)["ports"]:
- if portInPortRange(port, _port) and protocol == _protocol:
- return True
+ for (_port, _protocol) in self.get_settings(zone)["ports"]:
+ if portInPortRange(port, _port) and protocol == _protocol:
+ return True
return False
diff --git a/src/firewall/server/config_zone.py b/src/firewall/server/config_zone.py
index ed4eaba..bbbe7b5 100644
--- a/src/firewall/server/config_zone.py
+++ b/src/firewall/server/config_zone.py
@@ -484,13 +484,9 @@ class FirewallDConfigZone(slip.dbus.service.Object):
protocol = dbus_to_python(protocol, str)
log.debug1("%s.queryPort('%s', '%s')", self._log_prefix, port,
protocol)
- if (port,protocol) in self.getSettings()[6]:
- return True
- else:
- # It might be a single port query that is inside a range
- for (_port, _protocol) in self.getSettings()[6]:
- if portInPortRange(port, _port) and protocol == _protocol:
- return True
+ for (_port, _protocol) in self.getSettings()[6]:
+ if portInPortRange(port, _port) and protocol == _protocol:
+ return True
return False
--
1.8.3.1

BIN
firewalld-0.8.3.tar.gz
View File

Binary file not shown.

BIN
firewalld-0.9.4.tar.gz Normal file
View File

Binary file not shown.

18
firewalld.spec
View File

@ -1,6 +1,6 @@
Name: firewalld
Version: 0.8.3
Release: 3
Version: 0.9.4
Release: 1
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
License: GPLv2+
URL: http://www.firewalld.org
@ -9,14 +9,6 @@ Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{
Patch0: firewalld-0.2.6-MDNS-default.patch
Patch1: repair-test-cases.patch
Patch2: 0001-improvement-port-simplify-queryPort.patch
Patch3: 0001-improvement-port-allow-coalescing-and-breaking-of-ra.patch
Patch4: 0001-feat-implement-policy-objects-internally.patch
Patch5: 0001-fix-build-distribute-new-python-files.patch
Patch6: 0001-fix-po-add-new-python-files-to-POTFILES.patch
Patch7: 0001-fix-zone-listing-rich-rules-in-default-zone.patch
Patch8: 0001-fix-policy-ipXtables-calculate-max-name-len-properly.patch
BuildArch: noarch
BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl
BuildRequires: libxslt iptables ebtables ipset python3-devel
@ -202,6 +194,12 @@ fi
%changelog
* Thu Jul 22 2021 gaihuiying <gaihuiying1@huawei.com> - 0.9.4-1
- Type:requirement
- ID:NA
- SUG:NA
- DESC:update to 0.9.4
* Thu Dec 17 2020 Anakin Zhang <benjamin93@163.com> - 0.8.3-3
- Type:requirement
- ID:NA