From d31326a93b0dc1e203f4696aca4a7c0f8118d2e8 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Feb 2020 09:12:17 -0500
Subject: [PATCH 39/39] RHEL only: default to AllowZoneDrifting=yes
---
config/firewalld.conf | 4 ++--
doc/xml/firewalld.conf.xml | 2 +-
doc/xml/firewalld.dbus.xml | 2 +-
src/firewall/config/__init__.py.in | 2 +-
src/tests/cli/firewall-cmd.at | 4 ++++
src/tests/dbus/firewalld.conf.at | 4 ++--
src/tests/features/rfc3964_ipv4.at | 4 ++++
src/tests/functions.at | 1 +
src/tests/regression/rhbz1514043.at | 4 ++++
9 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 532f0452212e..f791b2358ab8 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -71,5 +71,5 @@ RFC3964_IPv4=yes
# Note: If "yes" packets will only drift from source based zones to interface
# based zones (including the default zone). Packets never drift from interface
# based zones to other interfaces based zones (including the default zone).
-# Possible values; "yes", "no". Defaults to "no".
-AllowZoneDrifting=no
+# Possible values; "yes", "no". Defaults to "yes".
+AllowZoneDrifting=yes
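Review bot: The shipped comment still does not tell an administrator what is at stake in leaving this at "yes": with drifting enabled, traffic that a source based zone does not accept is still evaluated against (and may be accepted by) the interface based zone, so a source based zone's own rules are not the final word for that traffic. The daemon appears to log "WARNING: AllowZoneDrifting is enabled." at startup when this is on (the test harness in this same patch strips exactly that line), so the new default and the warning now contradict each other with no explanation in the file. I would add, above the key, `# "yes" is a RHEL compatibility default; firewalld logs a warning at startup while it is enabled.` and `# Set to "no" unless you rely on source zone traffic falling through to the interface zone.`. The option is presumably kept at "yes" for compatibility with earlier RHEL releases; if so, say so here rather than only in the patch subject.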
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index fcfbfd2b68c1..c21ef87813bc 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -197,7 +197,7 @@
to interface based zones (including the default zone). Packets
never drift from interface based zones to other interfaces
based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
</para>
</listitem>
</varlistentry>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 5d77af976443..77ad77c01675 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2591,7 +2591,7 @@
to interface based zones (including the default zone). Packets
never drift from interface based zones to other interfaces
based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
</para></listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 481eb8de758d..645c76b66c8d 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -130,4 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"
FALLBACK_FIREWALL_BACKEND = "nftables"
FALLBACK_FLUSH_ALL_ON_RELOAD = True
FALLBACK_RFC3964_IPV4 = True
-FALLBACK_ALLOW_ZONE_DRIFTING = False
+FALLBACK_ALLOW_ZONE_DRIFTING = True
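Review bot: `FALLBACK_ALLOW_ZONE_DRIFTING = True` now diverges from the value the file carried before with nothing in the code to tell a maintainer that this is a deliberate RHEL-only choice rather than a merge accident; the patch subject is the only place that says so. A one-line comment above it, `# RHEL only: defaults to True for compatibility with the zone behaviour before this option existed (the file previously carried False).`, keeps the divergence visible to whoever next rebases this file. This fallback presumably applies only when firewalld.conf lacks the key; if that is the case the comment should say so too, since the shipped config in this same patch also sets it to "yes" and the two must be kept in step.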
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 51b367e7a0f0..3590cb23d600 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -1054,6 +1054,10 @@ FWD_START_TEST([rich rules priority])
|
|
|
|
|
|
|
|
CHECK_LOG_AUDIT
|
|
|
|
|
|
|
|
+ dnl Expected test results assume this is set to "no"
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+ FWD_RELOAD
+
dnl Verify generic layout of zone
NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl
table inet firewalld {
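Review bot: The added `sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/'` silently does nothing if the key is absent or commented out in the test copy of firewalld.conf, and the test would then run against the new "yes" default while its expected rule listing assumes "no"; the failure would surface as a rule-layout mismatch rather than as the configuration problem it is. Follow the sed with `AT_CHECK([grep -q '^AllowZoneDrifting=no' ./firewalld.conf])` so the assumption stated in the dnl comment is actually enforced. More broadly, every test touched by this patch forces "no", so the shipped "yes" default gets no nft-rule coverage at all; one test that keeps "yes" and lists the resulting ruleset would catch regressions in the path that is actually deployed. The enclosing test (rich rules priority) starts and ends outside the hunk.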
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 35aead759a9c..4eefa3286f9f 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -4,7 +4,7 @@ AT_KEYWORDS(dbus)
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
IF_HOST_SUPPORTS_NFT_FIB([
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
@@ -18,7 +18,7 @@ string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])], [
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
index 54f5f756270b..15fef52612cc 100644
--- a/src/tests/features/rfc3964_ipv4.at
+++ b/src/tests/features/rfc3964_ipv4.at
@@ -1,6 +1,10 @@
FWD_START_TEST([RFC3964_IPv4])
AT_KEYWORDS(rfc3964_ipv4)
|
|
|
|
|
|
|
|
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
FWD_RELOAD
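Review bot: The added `FWD_RELOAD` is redundant: the two existing sed edits immediately below it are followed by their own `FWD_RELOAD`, which picks up every change to ./firewalld.conf at once, so the test now reloads the daemon twice for no gain. Drop the added `FWD_RELOAD` and its trailing blank line and keep only the AllowZoneDrifting sed alongside the LogDenied and RFC3964_IPv4 edits, so the three config changes are applied by the one reload that was already there. The test body continues past the hunk.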
diff --git a/src/tests/functions.at b/src/tests/functions.at
index cd4e31c7f9d4..0e28420d7123 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [
IF_HOST_SUPPORTS_IP6TABLES([], [
sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
])
+ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log
if test x"$1" != x"ignore"; then
if test -n "$1"; then
sed -i $1 ./firewalld.log
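Review bot: Deleting `WARNING: AllowZoneDrifting is enabled.` from firewalld.log unconditionally in FWD_END_TEST means no test can ever assert that the warning is or is not emitted, including the tests in this same patch that set the option to "no" and should therefore never see it in their log. Stripping it only where a test expects the warning, or adding one test that asserts the line is present under the default and absent after setting "no", would keep the warning itself under test instead of blinding the harness to it. Minor: the `.` before the closing quote is an unescaped regex metacharacter; `sed -i "/WARNING: AllowZoneDrifting is enabled\./d" ./firewalld.log` matches what was intended. The FWD_END_TEST macro starts before the hunk and continues past it.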
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index 241cf547f7f3..8e4846a078b8 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -1,6 +1,10 @@
FWD_START_TEST([--set-log-denied does not zero config])
AT_KEYWORDS(log_denied rhbz1514043)
|
|
|
|
|
|
|
|
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
--
2.23.0