From 0505b2f97d337a96a64fbd5e79416f1fc91be471 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Fri, 3 Apr 2020 15:40:23 -0400
Subject: [PATCH] add missing patches

---
 ...et-port-ranges-for-non-default-proto.patch | 28 +++++++++++
 ...y-port-ranges-for-non-default-protoc.patch | 43 ++++++++++++++++
 ...y-logging-still-works-after-truncate.patch | 50 +++++++++++++++++++
 3 files changed, 121 insertions(+)
 create mode 100644 0002-fix-nftables-ipset-port-ranges-for-non-default-proto.patch
 create mode 100644 0003-test-ipset-verify-port-ranges-for-non-default-protoc.patch
 create mode 100644 0004-test-log-verify-logging-still-works-after-truncate.patch

diff --git a/0002-fix-nftables-ipset-port-ranges-for-non-default-proto.patch b/0002-fix-nftables-ipset-port-ranges-for-non-default-proto.patch
new file mode 100644
index 0000000..7b5d0a9
--- /dev/null
+++ b/0002-fix-nftables-ipset-port-ranges-for-non-default-proto.patch
@@ -0,0 +1,28 @@
+From 6a2fd018666ab8c4877291f8f807a9943db74de3 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 2 Apr 2020 14:42:22 -0400
+Subject: [PATCH 2/4] fix: nftables: ipset: port ranges for non-default
+ protocols
+
+Fixes: 2d1b0fe9fe74 ("fix: nftables: allow set intervals with concatenations")
+(cherry picked from commit e80f4fccfc771128affdc578ed37842d5d469ca9)
+---
+ src/firewall/core/nftables.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index a9d5a45337bd..69ee63b32f8b 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1680,7 +1680,7 @@ class nftables(object):
+ port_str = entry_tokens[i][index+1:]
+
+ try:
+- index = entry_tokens[i].index("-")
++ index = port_str.index("-")
+ except ValueError:
+ fragment.append(port_str)
+ else:
+--
+2.23.0
+
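Review bot: The rewritten line keeps reusing `index` for two different offsets — the protocol separator located before this hunk and the range dash located here — which is exactly the confusion the old `entry_tokens[i].index("-")` fell into, so the same slip can recur in the lines that consume the offset. A distinct name, `range_sep = port_str.index("-")`, with the `else:` branch (which presumably slices `port_str` at that offset) updated to match, would make the two offsets visibly different. The enclosing method starts and ends outside the hunk, so that `else:` body is not visible here. Since this file carries a cherry-pick of upstream commit e80f4fccfc771128affdc578ed37842d5d469ca9, the rename belongs in an upstream change rather than in the carried patch.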
diff --git a/0003-test-ipset-verify-port-ranges-for-non-default-protoc.patch b/0003-test-ipset-verify-port-ranges-for-non-default-protoc.patch
new file mode 100644
index 0000000..c7a97e1
--- /dev/null
+++ b/0003-test-ipset-verify-port-ranges-for-non-default-protoc.patch
@@ -0,0 +1,43 @@
+From a2b8a09b929901e14620aa802fd423f958c56188 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 2 Apr 2020 14:38:45 -0400
+Subject: [PATCH 3/4] test: ipset: verify port ranges for non-default protocol
+
+(cherry picked from commit c0ad3a0b3340a27c34b33128f756f64acc3a771b)
+---
+ src/tests/cli/firewall-cmd.at | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
+index 806af74221b6..0c008bc0d666 100644
+--- a/src/tests/cli/firewall-cmd.at
++++ b/src/tests/cli/firewall-cmd.at
+@@ -739,6 +739,7 @@ FWD_START_TEST([ipset])
+ dnl multi dimensional set with non default protocol
+ FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip,port], 0, ignore)
+ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,sctp:1234], 0, ignore)
++ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,udp:1000-1002], 0, ignore)
+ FWD_RELOAD
+ FWD_CHECK([--ipset=foobar --add-entry=20.20.20.20,8080], 0, ignore)
+ FWD_CHECK([--zone internal --add-source=ipset:foobar], 0, ignore)
+@@ -748,6 +749,7 @@ FWD_START_TEST([ipset])
+ type ipv4_addr . inet_proto . inet_service
+ flags interval
+ elements = { 10.10.10.10 . sctp . 1234,
++ 10.10.10.10 . udp . 1000-1002,
+ 20.20.20.20 . tcp . 8080 }
+ }
+ }
+@@ -765,6 +767,9 @@ FWD_START_TEST([ipset])
+ Type: hash:ip,port
+ Members:
+ 10.10.10.10,sctp:1234
++ 10.10.10.10,udp:1000
++ 10.10.10.10,udp:1001
++ 10.10.10.10,udp:1002
+ 20.20.20.20,tcp:8080
+ ])
+ FWD_CHECK([--ipset=foobar --add-entry=1.2.3.4,sctp:8080], 0, ignore)
+--
+2.23.0
+
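Review bot: The new udp:1000-1002 entry only exercises the `--permanent` path followed by `FWD_RELOAD`; the runtime `--add-entry` path with a non-default protocol and a port range — presumably the same nftables.py code the 0002 patch fixes — is not covered, because the runtime additions visible in this section use either the default protocol or a single port. Adding a runtime entry after the reload, e.g. `FWD_CHECK([--ipset=foobar --add-entry=30.30.30.30,udp:2000-2002], 0, ignore)` (values illustrative) with the matching element in the expected nft listing and in the `Members:` block, would pin both paths. The three hunks sit inside FWD_START_TEST([ipset]), which begins and ends outside the hunk.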
diff --git a/0004-test-log-verify-logging-still-works-after-truncate.patch b/0004-test-log-verify-logging-still-works-after-truncate.patch
new file mode 100644
index 0000000..37ae347
--- /dev/null
+++ b/0004-test-log-verify-logging-still-works-after-truncate.patch
@@ -0,0 +1,50 @@
+From 2ab7f9e793a51c9aebe08fff6226c38159ae2312 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Thu, 2 Apr 2020 15:21:58 -0400
+Subject: [PATCH 4/4] test: log: verify logging still works after truncate
+
+The log policy we ship presumes firewalld opens log files in append
+mode. This is because the logrotate policy uses "copytruncate". Lets
+verify that it actually works as expected.
+
+(cherry picked from commit e887c16512abd6a3051b0519ee9af344c9f08827)
+---
+ src/tests/regression/gh599.at | 16 ++++++++++++++++
+ src/tests/regression/regression.at | 1 +
+ 2 files changed, 17 insertions(+)
+ create mode 100644 src/tests/regression/gh599.at
+
+diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
+new file mode 100644
+index 000000000000..472f228ba2a9
+--- /dev/null
++++ b/src/tests/regression/gh599.at
+@@ -0,0 +1,16 @@
++FWD_START_TEST([writing to log after copytruncate])
++AT_KEYWORDS(gh599)
++
++AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
++AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
++
++dnl Verify we continue to write to the log file after it's truncated. That is,
++dnl simulate logrotate's copytruncate.
++NS_CHECK([truncate -s 0 ./firewalld.log])
++
++dnl generate some logs, anything will do since we have debug enabled.
++FWD_CHECK([--list-all], 0, [ignore], [ignore])
++
++NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
++
++FWD_END_TEST
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index 8042c3a27f89..2528ddd3fede 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -27,3 +27,4 @@ m4_include([regression/gh509.at])
+ m4_include([regression/gh567.at])
+ m4_include([regression/rhbz1779835.at])
+ m4_include([regression/gh330.at])
++m4_include([regression/gh599.at])
+--
+2.23.0
+
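Review bot: The `wc -c > 0` assertion in the new gh599.at does not actually prove append mode: had firewalld opened the log without O_APPEND, its file offset would survive the `truncate -s 0` and the next write would land at the old offset, leaving a sparse file whose size is already well above zero — so the check passes either way unless the offset happened to be 0. Asserting that the first byte after truncation is not NUL, together with the size check, distinguishes the two, e.g. `NS_CHECK([sh -c 'test "$(dd if=./firewalld.log bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d " ")" != 00'])`; comparing the post-truncate size against a size recorded before the truncate is an alternative. Separately, `let` is a bash/ksh builtin rather than POSIX sh, so where `sh` is dash the check fails with a command-not-found instead of testing anything; `test "$(wc -c < ./firewalld.log)" -gt 0` is portable and also drops the `cat`. Any extra tool used (`od`, `dd`) would then want an AT_SKIP_IF guard alongside the existing ones for `truncate` and `wc`.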