54 lines
2.3 KiB
Diff
54 lines
2.3 KiB
Diff
|
From 4d099f4c0866801e40e362090e6986c693386e2c Mon Sep 17 00:00:00 2001
|
||
|
From: Eric Garver <eric@garver.life>
|
||
|
Date: Thu, 27 Aug 2020 15:30:45 -0400
|
||
|
Subject: [PATCH 50/62] fix(icmptype): when applying rules get ict from perm
|
||
|
config
|
||
|
|
||
|
Otherwise we may get runtime errors because the running kernel doesn't
|
||
|
support the ict. Use the permanent ict definition so we allow the case
|
||
|
where ip6tables is missing or not available. Explicit usage of an ict
|
||
|
not supported by the kernel will still fail to apply at runtime
|
||
|
(iptables complains), but if ip6tables is missing we don't attempt to
|
||
|
apply the ipv6 rules thus avoiding the issue.
|
||
|
|
||
|
(cherry picked from commit fdc44800aef4ec166987d529ffaea51f13ff54c2)
|
||
|
(cherry picked from commit 0016ec8e4aefb6cf2a8986a91530eae25a28ead7)
|
||
|
---
|
||
|
src/firewall/core/fw_zone.py | 6 +++---
|
||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
|
||
|
index b9fe1f6aae97..9d8bcf620251 100644
|
||
|
--- a/src/firewall/core/fw_zone.py
|
||
|
+++ b/src/firewall/core/fw_zone.py
|
||
|
@@ -1526,7 +1526,7 @@ class FirewallZone(object):
|
||
|
if rule.family:
|
||
|
ipvs = [ rule.family ]
|
||
|
elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)):
|
||
|
- ict = self._fw.icmptype.get_icmptype(rule.element.name)
|
||
|
+ ict = self._fw.config.get_icmptype(rule.element.name)
|
||
|
if ict.destination:
|
||
|
ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination]
|
||
|
|
||
|
@@ -1698,7 +1698,7 @@ class FirewallZone(object):
|
||
|
# ICMP BLOCK and ICMP TYPE
|
||
|
elif type(rule.element) == Rich_IcmpBlock or \
|
||
|
type(rule.element) == Rich_IcmpType:
|
||
|
- ict = self._fw.icmptype.get_icmptype(rule.element.name)
|
||
|
+ ict = self._fw.config.get_icmptype(rule.element.name)
|
||
|
|
||
|
if type(rule.element) == Rich_IcmpBlock and \
|
||
|
rule.action and type(rule.action) == Rich_Accept:
|
||
|
@@ -1862,7 +1862,7 @@ class FirewallZone(object):
|
||
|
transaction.add_rules(backend, rules)
|
||
|
|
||
|
def _icmp_block(self, enable, zone, icmp, transaction):
|
||
|
- ict = self._fw.icmptype.get_icmptype(icmp)
|
||
|
+ ict = self._fw.config.get_icmptype(icmp)
|
||
|
|
||
|
if enable:
|
||
|
transaction.add_chain(zone, "filter", "INPUT")
|
||
|
--
|
||
|
2.28.0
|
||
|
|