import firewalld-0.9.3-5.el8

This commit is contained in:
CentOS Sources 2021-06-17 04:20:19 +00:00 committed by Andrew Lukoshko
parent 2aa0691fb0
commit 0d214f019b
9 changed files with 559 additions and 1 deletions


@ -0,0 +1,167 @@
From 44dff592c200f81d74b64ba1c729ec8ec3b8612e Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 13 Apr 2021 14:35:31 -0400
Subject: [PATCH 23/30] fix(direct): rule order with multiple address with
-s/-d
Fixes: rhbz 1940928
Fixes: rhbz 1949552
(cherry picked from commit 2be50d366b9ba073e5f86edcd0b412ff48c3fed1)
(cherry picked from commit a545183d6916169cd16648707b9f876ea0833955)
---
src/firewall/core/fw_direct.py | 53 +++++++++++++++++++++++++++++-----
src/firewall/core/ipXtables.py | 32 --------------------
2 files changed, 46 insertions(+), 39 deletions(-)
diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
index e53a72e3326a..76aeda9f19cb 100644
--- a/src/firewall/core/fw_direct.py
+++ b/src/firewall/core/fw_direct.py
@@ -298,7 +298,7 @@ class FirewallDirect(object):
r.append((ipv, table, chain, priority, list(args)))
return r
- def _register_rule(self, rule_id, chain_id, priority, enable):
+ def _register_rule(self, rule_id, chain_id, priority, enable, count):
if enable:
if chain_id not in self._rules:
self._rules[chain_id] = LastUpdatedOrderedDict()
@@ -307,14 +307,14 @@ class FirewallDirect(object):
self._rule_priority_positions[chain_id] = { }
if priority in self._rule_priority_positions[chain_id]:
- self._rule_priority_positions[chain_id][priority] += 1
+ self._rule_priority_positions[chain_id][priority] += count
else:
- self._rule_priority_positions[chain_id][priority] = 1
+ self._rule_priority_positions[chain_id][priority] = count
else:
del self._rules[chain_id][rule_id]
if len(self._rules[chain_id]) == 0:
del self._rules[chain_id]
- self._rule_priority_positions[chain_id][priority] -= 1
+ self._rule_priority_positions[chain_id][priority] -= count
# DIRECT PASSTHROUGH (untracked)
@@ -376,6 +376,34 @@ class FirewallDirect(object):
r.append(list(args))
return r
+ def split_value(self, rules, opts):
+ """Split values combined with commas for options in opts"""
+
+ out_rules = [ ]
+ for rule in rules:
+ processed = False
+ for opt in opts:
+ try:
+ i = rule.index(opt)
+ except ValueError:
+ pass
+ else:
+ if len(rule) > i and "," in rule[i+1]:
+ # For all items in the comma separated list in index
+ # i of the rule, a new rule is created with a single
+ # item from this list
+ processed = True
+ items = rule[i+1].split(",")
+ for item in items:
+ _rule = rule[:]
+ _rule[i+1] = item
+ out_rules.append(_rule)
+ if not processed:
+ out_rules.append(rule)
+
+ return out_rules
+
+
def _rule(self, enable, ipv, table, chain, priority, args, transaction):
self._check_ipv_table(ipv, table)
# Do not create zone chains if we're using nftables. Only allow direct
@@ -458,6 +486,7 @@ class FirewallDirect(object):
# has index 1.
index = 1
+ count = 0
if chain_id in self._rule_priority_positions:
positions = sorted(self._rule_priority_positions[chain_id].keys())
j = 0
@@ -465,11 +494,21 @@ class FirewallDirect(object):
index += self._rule_priority_positions[chain_id][positions[j]]
j += 1
- transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, args))
+ # split the direct rule in some cases as iptables-restore can't handle
+ # compound args.
+ #
+ args_list = [list(args)]
+ args_list = self.split_value(args_list, [ "-s", "--source" ])
+ args_list = self.split_value(args_list, [ "-d", "--destination" ])
+
+ for _args in args_list:
+ transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, tuple(_args)))
+ index += 1
+ count += 1
- self._register_rule(rule_id, chain_id, priority, enable)
+ self._register_rule(rule_id, chain_id, priority, enable, count)
transaction.add_fail(self._register_rule,
- rule_id, chain_id, priority, not enable)
+ rule_id, chain_id, priority, not enable, count)
def _chain(self, add, ipv, table, chain, transaction):
self._check_ipv_table(ipv, table)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 968b75867849..818ce3f153d0 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -200,36 +200,6 @@ class ip4tables(object):
" ".join(_args), ret))
return ret
- def split_value(self, rules, opts=None):
- """Split values combined with commas for options in opts"""
-
- if opts is None:
- return rules
-
- out_rules = [ ]
- for rule in rules:
- processed = False
- for opt in opts:
- try:
- i = rule.index(opt)
- except ValueError:
- pass
- else:
- if len(rule) > i and "," in rule[i+1]:
- # For all items in the comma separated list in index
- # i of the rule, a new rule is created with a single
- # item from this list
- processed = True
- items = rule[i+1].split(",")
- for item in items:
- _rule = rule[:]
- _rule[i+1] = item
- out_rules.append(_rule)
- if not processed:
- out_rules.append(rule)
-
- return out_rules
-
def _rule_replace(self, rule, pattern, replacement):
try:
i = rule.index(pattern)
@@ -472,8 +442,6 @@ class ip4tables(object):
for table in table_rules:
rules = table_rules[table]
- rules = self.split_value(rules, [ "-s", "--source" ])
- rules = self.split_value(rules, [ "-d", "--destination" ])
temp_file.write("*%s\n" % table)
for rule in rules:
--
2.27.0
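Review bot: The guard `if len(rule) > i and "," in rule[i+1]:` in the new `split_value` can never be false, because `i` comes from `rule.index(opt)` and is therefore always below `len(rule)`; a direct rule whose last token is the option itself (`... -s` with no value) raises IndexError on `rule[i+1]` instead of reaching the backend's own argument validation. The intended bound is `if len(rule) > i + 1 and "," in rule[i+1]:`, and since the hunk moves this code out of ipXtables.py this is the moment to fix it rather than carry the off-by-one over. Separately, the split now runs for every backend although the comment only justifies it for iptables-restore, and it ignores a preceding `!`: `! -s a,b -j ACCEPT` becomes two independent negated rules that together accept everything, which is fail-open — if I remember iptables correctly it refuses `!` with multiple addresses, so `split_value` should probably reject (or at least document) that combination. `_rule` starts and ends outside the hunk.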


@ -0,0 +1,86 @@
From ed0b0a7f967f33729e4ec7472b4229f0317fd92d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 9 Apr 2021 13:34:31 -0400
Subject: [PATCH 24/30] test(direct): verify rule order with multiple address
with -s/-d
Coverage: rhbz 1940928
Coverage: rhbz 1949552
(cherry picked from commit 80c30dacc066af4d6d71d298b5e47625ecee5bdf)
(cherry picked from commit c1262441db90108eb8044053ae1b93f66f0c2839)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1940928.at | 52 +++++++++++++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 src/tests/regression/rhbz1940928.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index a49bb3b756e7..8156ee608189 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -39,3 +39,4 @@ m4_include([regression/rhbz1871298.at])
m4_include([regression/rhbz1596304.at])
m4_include([regression/gh703.at])
m4_include([regression/ipset_netmask_allowed.at])
+m4_include([regression/rhbz1940928.at])
diff --git a/src/tests/regression/rhbz1940928.at b/src/tests/regression/rhbz1940928.at
new file mode 100644
index 000000000000..0a4367080b5e
--- /dev/null
+++ b/src/tests/regression/rhbz1940928.at
@@ -0,0 +1,52 @@
+FWD_START_TEST([direct -s/-d multiple addresses])
+AT_KEYWORDS(direct rhbz1940928 rhbz1949552)
+CHECK_IPTABLES
+
+dnl test triggers a limitation in iptables-restore
+dnl
+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=no/' ./firewalld.conf])
+FWD_RELOAD
+
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
+ ACCEPT tcp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT tcp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/24
+ ACCEPT udp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT udp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT udp -- 0.0.0.0/0 192.168.0.0/24
+ DROP all -- 0.0.0.0/0 0.0.0.0/0
+])
+
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
+ ACCEPT sctp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT sctp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT sctp -- 0.0.0.0/0 192.168.0.0/24
+ ACCEPT tcp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT tcp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/24
+ ACCEPT udp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT udp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT udp -- 0.0.0.0/0 192.168.0.0/24
+ DROP all -- 0.0.0.0/0 0.0.0.0/0
+])
+
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
+
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+])
+
+FWD_END_TEST
--
2.27.0
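Review bot: The new test exercises only the `-d` short option, while `split_value` is applied to `-s`, `--source` and `--destination` as well, so the other three spellings and the `-s` removal path (the count-based decrement in `_register_rule`) remain unverified. One more `--add-rule`/`--remove-rule` pair using `-s 10.0.0.0/8,192.168.0.0/24` and one using `--destination` would cover them at no cost. The `IndividualCalls=no` line deserves a slightly more explicit comment, e.g. `dnl the bug only reproduces via iptables-restore, so force batched mode`, since a reader may otherwise assume the test is about IndividualCalls itself.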


@ -0,0 +1,31 @@
From 44442eace5a5a4330fb40d47cd9fb3c561d38c56 Mon Sep 17 00:00:00 2001
From: Fabrizio D'Angelo <fdangelo@redhat.com>
Date: Mon, 12 Apr 2021 13:56:00 -0400
Subject: [PATCH 25/30] fix(ipset): fix hash:net,net functionality
Fixes: rhbz 1936896
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
(cherry picked from commit 36f3d50d729d3329ce99653d8227e3f52a02a43f)
(cherry picked from commit 3ea4779dc4a957f9c0eb795ab0b00e67d653b772)
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index e6907421e111..e3ae988bbdab 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1742,8 +1742,8 @@ class nftables(object):
"hash:ip,mark" : [ipv_addr[ipv], "mark"],
"hash:net" : ipv_addr[ipv],
+ "hash:net,net" : [ipv_addr[ipv], ipv_addr[ipv]],
"hash:net,port" : [ipv_addr[ipv], "inet_proto", "inet_service"],
- "hash:net,port,ip" : [ipv_addr[ipv], "inet_proto", "inet_service", ipv_addr[ipv]],
"hash:net,port,net" : [ipv_addr[ipv], "inet_proto", "inet_service", ipv_addr[ipv]],
"hash:net,iface" : [ipv_addr[ipv], "ifname"],
--
2.27.0
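Review bot: The hunk removes the `"hash:net,port,ip"` entry while the subject only mentions adding `hash:net,net`; as far as I can tell that key is not a type listed by ipset(8), so it was presumably a typo of the one being added, but the commit message should say so because dropping a key changes what `--type` values the nftables backend accepts. A one-line comment above the table, `# keys are ipset(8) set types; values are the nft concatenated element type`, would make future additions self-checking. The enclosing method and dict literal start and end outside the hunk.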


@ -0,0 +1,64 @@
From 6d19a0bdb26f0eeb08dfdd9957c184e90db8766e Mon Sep 17 00:00:00 2001
From: Fabrizio D'Angelo <fdangelo@redhat.com>
Date: Mon, 12 Apr 2021 14:05:36 -0400
Subject: [PATCH 26/30] test(ipset): add test to verify hash:net,net
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
(cherry picked from commit f3bd1297f656217031957eee7cfb4b3ee5ef42f2)
(cherry picked from commit 690ad9abf26f8ec3486704553d891d7d2ce11a80)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1936896.at | 32 +++++++++++++++++++++++++++++
2 files changed, 33 insertions(+)
create mode 100644 src/tests/regression/rhbz1936896.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 8156ee608189..2a5ad9ef995a 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -40,3 +40,4 @@ m4_include([regression/rhbz1596304.at])
m4_include([regression/gh703.at])
m4_include([regression/ipset_netmask_allowed.at])
m4_include([regression/rhbz1940928.at])
+m4_include([regression/rhbz1936896.at])
diff --git a/src/tests/regression/rhbz1936896.at b/src/tests/regression/rhbz1936896.at
new file mode 100644
index 000000000000..911db0bc448d
--- /dev/null
+++ b/src/tests/regression/rhbz1936896.at
@@ -0,0 +1,32 @@
+FWD_START_TEST([ipset type hash:net,net])
+AT_KEYWORDS(rhbz1936896)
+CHECK_IPSET
+
+FWD_CHECK([-q --permanent --new-ipset testset --type hash:net,net])
+FWD_CHECK([--permanent --ipset=testset --add-entry=192.168.0.0/24,10.0.1.0/24], 0, ignore)
+FWD_RELOAD
+FWD_CHECK([--permanent --info-ipset=testset | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ testset
+ type: hash:net,net
+ options:
+ entries: 192.168.0.0/24,10.0.1.0/24
+])])
+
+IPSET_LIST_SET([testset], 0, [dnl
+ Name: testset
+ Type: hash:net,net
+ Members:
+ 192.168.0.0/24,10.0.1.0/24
+])
+
+NFT_LIST_SET([testset], 0, [dnl
+ table inet firewalld {
+ set testset {
+ type ipv4_addr . ipv4_addr
+ flags interval
+ elements = { 192.168.0.0/24 . 10.0.1.0/24 }
+ }
+ }
+])
+
+FWD_END_TEST
--
2.27.0


@ -0,0 +1,45 @@
From 1cbe39d4260c633da4b7110d6e2e7722b8454af4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 27 Apr 2021 08:56:13 -0400
Subject: [PATCH 27/30] fix(nm): reload: only consider NM connections with a
real interface
Where real interface means linux interface capable of having an IP
address and does not exceed IFNAMSIZ.
Fixes: rhbz 1928860
(cherry picked from commit f18f1cc96503fbc5d42f30ecdc6f0da4c56aac4d)
(cherry picked from commit 7e9c4a5072ee3fd1aaf4162ef6ef1bf84b8a82eb)
---
src/firewall/core/fw_nm.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
index 37282a1a7711..0e38dd47e927 100644
--- a/src/firewall/core/fw_nm.py
+++ b/src/firewall/core/fw_nm.py
@@ -141,7 +141,9 @@ def nm_get_connections(connections, connections_name):
connections_name[uuid] = name
for dev in devices:
- connections[dev.get_iface()] = uuid
+ ip_iface = dev.get_ip_iface()
+ if ip_iface:
+ connections[ip_iface] = uuid
def nm_get_interfaces():
"""Get active interfaces from NM
@@ -169,7 +171,9 @@ def nm_get_interfaces():
continue
for dev in active_con.get_devices():
- active_interfaces.append(dev.get_iface())
+ ip_iface = dev.get_ip_iface()
+ if ip_iface:
+ active_interfaces.append(ip_iface)
return active_interfaces
--
2.27.0
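Review bot: The commit message says devices whose name exceeds IFNAMSIZ are excluded, but both new sites only test `if ip_iface:`, relying on NM's `get_ip_iface()` returning nothing for non-IP-capable devices; nothing here checks the length, so a long name that NM does report would still be bound to a zone and fail at the backend during reload. If the guarantee is NM's, record it: `# NM reports an ip_iface only for kernel netdevs; OVS bridges/ports have none and are skipped`; if it is not, add an explicit `and len(ip_iface) < 16` next to the truthiness check. Both `nm_get_connections` and `nm_get_interfaces` start and end outside the hunk.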


@ -0,0 +1,81 @@
From 1a2c50e5cf165a5392764ff435b7183a6d6610a7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 27 Apr 2021 09:06:22 -0400
Subject: [PATCH 28/30] test(nm): reload: only consider NM connections with a
real interface
Coverage: rhbz 1928860
(cherry picked from commit 7566d3dc5664955064b14314b3d3ef20bcebd6e4)
(cherry picked from commit e936e005898e18caa628b5b61d7589c2bbc461cb)
---
src/tests/Makefile.am | 4 ++--
src/tests/integration/networkmanager.at | 1 +
src/tests/integration/rhbz1928860.at | 26 +++++++++++++++++++++++++
3 files changed, 29 insertions(+), 2 deletions(-)
create mode 100644 src/tests/integration/rhbz1928860.at
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index b7556b30ecc8..e936454faf6a 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -71,7 +71,7 @@ check-container-fedora-rawhide-image: check-container-%-image:
iptables iptables-nft libtool libxml2 libxslt make nftables \
python3-nftables python3-slip-dbus python3-gobject-base \
diffutils procps-ng iproute which dbus-daemon \
- NetworkManager" && \
+ NetworkManager NetworkManager-ovs" && \
echo "RUN alternatives --set ebtables /usr/sbin/ebtables-nft" && \
echo "COPY . /tmp/firewalld"; \
} | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
@@ -86,7 +86,7 @@ check-container-centos8-stream-image: check-container-%-image:
iptables iptables-ebtables nftables libtool libxml2 \
libxslt make nftables python3-nftables python3-slip-dbus \
python3-gobject-base diffutils procps-ng iproute which dbus-daemon \
- NetworkManager" && \
+ NetworkManager NetworkManager-ovs" && \
echo "COPY . /tmp/firewalld"; \
} | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
diff --git a/src/tests/integration/networkmanager.at b/src/tests/integration/networkmanager.at
index 08cf6d28451a..0b20adce0462 100644
--- a/src/tests/integration/networkmanager.at
+++ b/src/tests/integration/networkmanager.at
@@ -1,2 +1,3 @@
AT_BANNER([NetworkManager (FIREWALL_BACKEND)])
m4_include([integration/rhbz1773809.at])
+m4_include([integration/rhbz1928860.at])
diff --git a/src/tests/integration/rhbz1928860.at b/src/tests/integration/rhbz1928860.at
new file mode 100644
index 000000000000..8ef2a1dcbd01
--- /dev/null
+++ b/src/tests/integration/rhbz1928860.at
@@ -0,0 +1,26 @@
+FWD_START_TEST([reload don't consider non IP capable interfaces])
+AT_KEYWORDS(reload rhbz1928860)
+
+START_NETWORKMANAGER
+
+dnl OVS bridge and port
+NMCLI_CHECK([connection add type ovs-bridge conn.interface ovs-br con-name ovs-br], 0, [ignore])
+NMCLI_CHECK([connection add type ovs-port conn.interface ovs-interface-port master ovs-br con-name ovs-interface-port], 0, [ignore])
+echo NS_CMD([nmcli connection delete ovs-br]) >> ./cleanup
+echo NS_CMD([nmcli connection delete ovs-interface-port]) >> ./cleanup
+
+dnl Up them
+NMCLI_CHECK([connection up ovs-br], 0, [ignore])
+NMCLI_CHECK([connection up ovs-interface-port], 0, [ignore])
+
+dnl Omit the actual linux interface because it requires the OVS daemon to be
+dnl running. The bug is reproducible without it.
+dnl
+dnl NMCLI_CHECK([connection add type ovs-interface slave-type ovs-port conn.interface ovs-br master ovs-interface-port con-name ovs-interface ipv4.method disabled ipv6.method disabled], 0, [ignore])
+dnl echo NS_CMD([nmcli connection delete ovs-interface]) >> ./cleanup
+dnl NMCLI_CHECK([connection up ovs-interface], 0, [ignore])
+
+dnl just need to verify reload
+FWD_RELOAD
+
+FWD_END_TEST
--
2.27.0
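Review bot: The new test only checks that `FWD_RELOAD` succeeds; it never asserts that `ovs-interface-port` was actually left out, so a regression that binds it to a zone without breaking the reload would still pass. After the reload, an `FWD_CHECK([--get-zone-of-interface ovs-interface-port], 2, [ignore], [ignore])` (expected exit status to be confirmed against the other integration tests) would pin the intended behaviour. The Makefile.am change only adds NetworkManager-ovs to the container images.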


@ -0,0 +1,36 @@
From 6e97c635d2bfe9ef73f72aa165443cfcefc6c82c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 17 May 2021 15:43:13 -0400
Subject: [PATCH 29/30] docs(conf): note that IPv6_rpfilter has a performance
penalty
Fixes: rhbz 1871860
(cherry picked from commit aad59154e16f669bf85e9894e7e0e19061d370d4)
(cherry picked from commit 5391c26d3e730f283d1f00f7ac1869aeb2251837)
---
doc/xml/firewalld.conf.xml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index c21ef87813bc..0bf4c2d4d011 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -114,6 +114,15 @@
If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.
For IPv4 the rp_filter is controlled using sysctl.
</para>
+ <para>
+ <emphasis role="bold">Note</emphasis>: This feature has a performance
+ impact. In most cases the impact is not enough to cause a noticeable
+ difference. It requires route lookups and its execution occurs before
+ the established connections fast path. As such it can have a
+ significant performance impact if there is a lot of traffic. It's
+ enabled by default for security, but can be disabled if performance is
+ a concern.
+ </para>
</listitem>
</varlistentry>
--
2.27.0


@ -0,0 +1,28 @@
From 60e4181ca9ac8dbd1acb6baf85b42b0666aa56b7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 19 May 2021 12:52:52 -0400
Subject: [PATCH 30/30] improvement(conf): note that IPv6_rpfilter has a
performance penalty
(cherry picked from commit cf8e0df944322f1ad283946c64bf7f933c25340d)
(cherry picked from commit 1a8bb7e5dcee3bcd691219104427daf39ead1f82)
---
config/firewalld.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index f791b2358ab8..a0556c0bbf5b 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -23,6 +23,8 @@ Lockdown=no
# packet would be sent via the same interface that the packet arrived on, the
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
+# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
+# for details.
# Default: yes
IPv6_rpfilter=yes
--
2.27.0


@ -1,7 +1,7 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld
Version: 0.9.3
Release: 1%{?dist}
Release: 5%{?dist}
URL: http://www.firewalld.org
License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@ -27,6 +27,14 @@ Patch19: 0019-fix-fw-when-checking-tables-make-sure-to-check-the-a.patch
Patch20: 0020-fix-ipset-nftables-use-interval-flag-for-ip-types.patch
Patch21: 0021-test-ipset-verify-ipset-netmask-allowed-for-hash-ip.patch
Patch22: 0022-test-offline-always-allow-ipset-tests.patch
Patch23: 0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch
Patch24: 0024-test-direct-verify-rule-order-with-multiple-address-.patch
Patch25: 0025-fix-ipset-fix-hash-net-net-functionality.patch
Patch26: 0026-test-ipset-add-test-to-verify-hash-net-net.patch
Patch27: 0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch
Patch28: 0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch
Patch29: 0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch
Patch30: 0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch
BuildArch: noarch
BuildRequires: autoconf
@ -228,6 +236,18 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewall-config*.1*
%changelog
* Wed May 19 2021 Eric Garver <egarver@redhat.com> - 0.9.3-5
- docs(conf): note that IPv6_rpfilter has a performance penalty
* Wed May 19 2021 Eric Garver <egarver@redhat.com> - 0.9.3-4
- fix(nm): reload: only consider NM connections with a real interface
* Wed May 19 2021 Eric Garver <egarver@redhat.com> - 0.9.3-3
- fix(ipset): fix hash:net,net functionality
* Wed May 19 2021 Eric Garver <egarver@redhat.com> - 0.9.3-2
- fix(direct): rule order with multiple address with -s/-d
* Thu Feb 25 2021 Eric Garver <egarver@redhat.com> - 0.9.3-1
- rebase to v0.9.3
- fixes from upstream branch stable-0.9