firewalld/SOURCES/0039-RHEL-only-default-to-AllowZoneDrifting-yes.patch

148 lines
6.2 KiB
Diff
Raw Normal View History

2020-04-28 09:42:01 +00:00
From d31326a93b0dc1e203f4696aca4a7c0f8118d2e8 Mon Sep 17 00:00:00 2001
2020-04-07 09:15:33 +00:00
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Feb 2020 09:12:17 -0500
2020-04-28 09:42:01 +00:00
Subject: [PATCH 39/39] RHEL only: default to AllowZoneDrifting=yes
2020-04-07 09:15:33 +00:00
---
config/firewalld.conf | 4 ++--
doc/xml/firewalld.conf.xml | 2 +-
doc/xml/firewalld.dbus.xml | 2 +-
src/firewall/config/__init__.py.in | 2 +-
2020-04-28 09:42:01 +00:00
src/tests/cli/firewall-cmd.at | 4 ++++
src/tests/dbus/firewalld.conf.at | 4 ++--
2020-04-07 09:15:33 +00:00
src/tests/features/rfc3964_ipv4.at | 4 ++++
src/tests/functions.at | 1 +
src/tests/regression/rhbz1514043.at | 4 ++++
2020-04-28 09:42:01 +00:00
9 files changed, 20 insertions(+), 7 deletions(-)
2020-04-07 09:15:33 +00:00
diff --git a/config/firewalld.conf b/config/firewalld.conf
2020-04-28 09:42:01 +00:00
index 532f0452212e..f791b2358ab8 100644
2020-04-07 09:15:33 +00:00
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
2020-04-28 09:42:01 +00:00
@@ -71,5 +71,5 @@ RFC3964_IPv4=yes
2020-04-07 09:15:33 +00:00
# Note: If "yes" packets will only drift from source based zones to interface
# based zones (including the default zone). Packets never drift from interface
# based zones to other interfaces based zones (including the default zone).
-# Possible values; "yes", "no". Defaults to "no".
-AllowZoneDrifting=no
+# Possible values; "yes", "no". Defaults to "yes".
+AllowZoneDrifting=yes
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
2020-04-28 09:42:01 +00:00
index fcfbfd2b68c1..c21ef87813bc 100644
2020-04-07 09:15:33 +00:00
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -197,7 +197,7 @@
to interface based zones (including the default zone). Packets
never drift from interface based zones to other interfaces
based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
</para>
</listitem>
</varlistentry>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
2020-04-28 09:42:01 +00:00
index 5d77af976443..77ad77c01675 100644
2020-04-07 09:15:33 +00:00
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
2020-04-28 09:42:01 +00:00
@@ -2591,7 +2591,7 @@
2020-04-07 09:15:33 +00:00
to interface based zones (including the default zone). Packets
never drift from interface based zones to other interfaces
based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
</para></listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
2020-04-28 09:42:01 +00:00
index 481eb8de758d..645c76b66c8d 100644
2020-04-07 09:15:33 +00:00
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
2020-04-28 09:42:01 +00:00
@@ -130,4 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"
2020-04-07 09:15:33 +00:00
FALLBACK_FIREWALL_BACKEND = "nftables"
FALLBACK_FLUSH_ALL_ON_RELOAD = True
FALLBACK_RFC3964_IPV4 = True
-FALLBACK_ALLOW_ZONE_DRIFTING = False
+FALLBACK_ALLOW_ZONE_DRIFTING = True
2020-04-28 09:42:01 +00:00
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 51b367e7a0f0..3590cb23d600 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -1054,6 +1054,10 @@ FWD_START_TEST([rich rules priority])
CHECK_LOG_AUDIT
+ dnl Expected test results assume this is set to "no"
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+ FWD_RELOAD
+
dnl Verify generic layout of zone
NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl
table inet firewalld {
2020-04-07 09:15:33 +00:00
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
2020-04-28 09:42:01 +00:00
index 35aead759a9c..4eefa3286f9f 100644
2020-04-07 09:15:33 +00:00
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
2020-04-28 09:42:01 +00:00
@@ -4,7 +4,7 @@ AT_KEYWORDS(dbus)
2020-04-07 09:15:33 +00:00
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
2020-04-28 09:42:01 +00:00
IF_HOST_SUPPORTS_NFT_FIB([
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
@@ -18,7 +18,7 @@ string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])], [
2020-04-07 09:15:33 +00:00
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
2020-04-28 09:42:01 +00:00
string "AutomaticHelpers" : variant string "no"
2020-04-07 09:15:33 +00:00
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
index 54f5f756270b..15fef52612cc 100644
--- a/src/tests/features/rfc3964_ipv4.at
+++ b/src/tests/features/rfc3964_ipv4.at
@@ -1,6 +1,10 @@
FWD_START_TEST([RFC3964_IPv4])
AT_KEYWORDS(rfc3964_ipv4)
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
FWD_RELOAD
diff --git a/src/tests/functions.at b/src/tests/functions.at
2020-04-28 09:42:01 +00:00
index cd4e31c7f9d4..0e28420d7123 100644
2020-04-07 09:15:33 +00:00
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
2020-04-28 09:42:01 +00:00
@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [
IF_HOST_SUPPORTS_IP6TABLES([], [
2020-04-07 09:15:33 +00:00
sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
])
+ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log
if test x"$1" != x"ignore"; then
if test -n "$1"; then
sed -i $1 ./firewalld.log
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index 241cf547f7f3..8e4846a078b8 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -1,6 +1,10 @@
FWD_START_TEST([--set-log-denied does not zero config])
AT_KEYWORDS(log_denied rhbz1514043)
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
--
2.23.0