rpms/firewalld
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import firewalld-0.8.2-6.el8

Browse Source
This commit is contained in:
CentOS Sources 2021-05-18 02:38:19 -04:00 committed by Andrew Lukoshko
parent af587a4f77
commit 2a5ace2bd9
22 changed files with 1227 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch Normal file
View File

@ -0,0 +1,29 @@
From 2a1a55209a95c5463e07cc3eb048d128ab7593ed Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 10 Aug 2020 09:29:05 -0400
Subject: [PATCH 48/62] test(regression/rhbz1541077): use FWD_OFFLINE_CHECK
macro
Fixes: 6e279ef6517a ("test(regression/rhbz1541077): correctly use macros")
Fixes: dddba7b9c276 ("fix(cli): add ipset type hash:mac is incompatible with the family parameter")
(cherry picked from commit fae16b550ed8b384ee24691e6442b7cbd6b776aa)
(cherry picked from commit 3efe0f30d4499763aacc573dc634b52ceb11a017)
---
src/tests/regression/rhbz1541077.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at
index 692ca8ecc892..73ad4b49cb3d 100644
--- a/src/tests/regression/rhbz1541077.at
+++ b/src/tests/regression/rhbz1541077.at
@@ -4,6 +4,6 @@ AT_KEYWORDS(ipset rhbz1541077)
FWD_CHECK([--permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
FWD_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
-AT_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+FWD_OFFLINE_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
FWD_END_TEST
--
2.28.0

30
SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch Normal file
View File

@ -0,0 +1,30 @@
From 5326d7a86d6e7413dee343b795a352d8b4e6ab0d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 10 Aug 2020 09:33:22 -0400
Subject: [PATCH 49/62] test(regression/rhbz1855140.at): avoid IPv6 tests if
IPv6 not available
Fixes: 87ec14dddd74 ("test(rich): icmptypes with one family")
(cherry picked from commit a47819d346fbd0f4d4d382a6a795c76c7f443a3b)
(cherry picked from commit 1b4fea7277c26026ecbe09f79928c794489424b9)
---
src/tests/regression/rhbz1855140.at | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
index 8059e29fe71a..cea943e0bf24 100644
--- a/src/tests/regression/rhbz1855140.at
+++ b/src/tests/regression/rhbz1855140.at
@@ -2,7 +2,9 @@ FWD_START_TEST([rich rule icmptypes with one family])
AT_KEYWORDS(rich icmp rhbz1855140)
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
+IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
+])
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
--
2.28.0

53
SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch Normal file
View File

@ -0,0 +1,53 @@
From 4d099f4c0866801e40e362090e6986c693386e2c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 27 Aug 2020 15:30:45 -0400
Subject: [PATCH 50/62] fix(icmptype): when applying rules get ict from perm
config
Otherwise we may get runtime errors because the running kernel doesn't
support the ict. Use the permanent ict definition so we allow the case
where ip6tables is missing or not available. Explicit usage of an ict
not supported by the kernel will still fail to apply at runtime
(iptables complains), but if ip6tables is missing we don't attempt to
apply the ipv6 rules thus avoiding the issue.
(cherry picked from commit fdc44800aef4ec166987d529ffaea51f13ff54c2)
(cherry picked from commit 0016ec8e4aefb6cf2a8986a91530eae25a28ead7)
---
src/firewall/core/fw_zone.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index b9fe1f6aae97..9d8bcf620251 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1526,7 +1526,7 @@ class FirewallZone(object):
if rule.family:
ipvs = [ rule.family ]
elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)):
- ict = self._fw.icmptype.get_icmptype(rule.element.name)
+ ict = self._fw.config.get_icmptype(rule.element.name)
if ict.destination:
ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination]
@@ -1698,7 +1698,7 @@ class FirewallZone(object):
# ICMP BLOCK and ICMP TYPE
elif type(rule.element) == Rich_IcmpBlock or \
type(rule.element) == Rich_IcmpType:
- ict = self._fw.icmptype.get_icmptype(rule.element.name)
+ ict = self._fw.config.get_icmptype(rule.element.name)
if type(rule.element) == Rich_IcmpBlock and \
rule.action and type(rule.action) == Rich_Accept:
@@ -1862,7 +1862,7 @@ class FirewallZone(object):
transaction.add_rules(backend, rules)
def _icmp_block(self, enable, zone, icmp, transaction):
- ict = self._fw.icmptype.get_icmptype(icmp)
+ ict = self._fw.config.get_icmptype(icmp)
if enable:
transaction.add_chain(zone, "filter", "INPUT")
--
2.28.0

50
SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch Normal file
View File

@ -0,0 +1,50 @@
From 0b69b4e464f02ea6fec50522b587a93092040b4d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 27 Aug 2020 15:59:13 -0400
Subject: [PATCH 51/62] fix(rich): clamp the IP families to those actually
enabled
One scenario is if IPv6 is not available, but we specify an icmp-type
that is ipv6 only, then we'll still attempt to call the IPv6 backend. We
should not do that.
(cherry picked from commit 4fcb27bdcf8be30d91d490ba2c0286af1cf299de)
(cherry picked from commit b8b0aeaaf853546f6990e8f635d7ea79233bbc79)
---
src/firewall/core/fw_zone.py | 5 ++++-
src/tests/regression/rhbz1855140.at | 2 --
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 9d8bcf620251..bd026222dce5 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1542,7 +1542,10 @@ class FirewallZone(object):
ipvs = [ source_ipv ]
if not ipvs:
- ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
+ ipvs = ["ipv4", "ipv6"]
+
+ # clamp ipvs to those that are actually enabled.
+ ipvs = [ipv for ipv in ipvs if self._fw.is_ipv_enabled(ipv)]
# add an element to object to allow backends to know what ipvs this applies to
rule.ipvs = ipvs
diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
index cea943e0bf24..8059e29fe71a 100644
--- a/src/tests/regression/rhbz1855140.at
+++ b/src/tests/regression/rhbz1855140.at
@@ -2,9 +2,7 @@ FWD_START_TEST([rich rule icmptypes with one family])
AT_KEYWORDS(rich icmp rhbz1855140)
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
-IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
-])
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
--
2.28.0

62
SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch Normal file
View File

@ -0,0 +1,62 @@
From 5c18dbc41a2f59364fb495ef164dcc3c9147e408 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 28 Aug 2020 11:44:33 -0400
Subject: [PATCH 52/62] fix(rich icmptype): verify rule and icmptype families
don't conflict
Fixes: rhbz 1855140
(cherry picked from commit 11aac7755d9c8e338f72b5350329255937efd8e8)
(cherry picked from commit b49a88095b05bcf1bce36e989d7003948f1ee6f7)
---
src/firewall/core/fw_zone.py | 6 ++++++
src/firewall/core/io/zone.py | 17 ++++++++++++++++-
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index bd026222dce5..129306b6f969 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1703,6 +1703,12 @@ class FirewallZone(object):
type(rule.element) == Rich_IcmpType:
ict = self._fw.config.get_icmptype(rule.element.name)
+ if rule.family and ict.destination and \
+ rule.family not in ict.destination:
+ raise FirewallError(errors.INVALID_ICMPTYPE,
+ "rich rule family '%s' conflicts with icmp type '%s'" % \
+ (rule.family, rule.element.name))
+
if type(rule.element) == Rich_IcmpBlock and \
rule.action and type(rule.action) == Rich_Accept:
# icmp block might have reject or drop action, but not accept
diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
index 68b2a7c9567c..529b92c25b62 100644
--- a/src/firewall/core/io/zone.py
+++ b/src/firewall/core/io/zone.py
@@ -232,7 +232,22 @@ class Zone(IO_Object):
raise FirewallError(errors.INVALID_ADDR, source)
elif item == "rules_str":
for rule in config:
- rich.Rich_Rule(rule_str=rule)
+ obj_rich = rich.Rich_Rule(rule_str=rule)
+ if self.fw_config and obj_rich.element and (isinstance(obj_rich.element, rich.Rich_IcmpBlock) or
+ isinstance(obj_rich.element, rich.Rich_IcmpType)):
+ existing_icmptypes = self.fw_config.get_icmptypes()
+ if obj_rich.element.name not in existing_icmptypes:
+ raise FirewallError(errors.INVALID_ICMPTYPE,
+ "'%s' not among existing icmp types" % \
+ obj_rich.element.name)
+
+ elif obj_rich.family:
+ ict = self.fw_config.get_icmptype(obj_rich.element.name)
+ if ict.destination and obj_rich.family not in ict.destination:
+ raise FirewallError(errors.INVALID_ICMPTYPE,
+ "rich rule family '%s' conflicts with icmp type '%s'" % \
+ (obj_rich.family, obj_rich.element.name))
+
def check_name(self, name):
super(Zone, self).check_name(name)
--
2.28.0

48
SOURCES/0053-fix-nftables-packet-marks-with-masks.patch Normal file
View File

@ -0,0 +1,48 @@
From 08cb6f0c7abca95fa898020bb9f3ba3f4bfbf148 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 28 Aug 2020 13:15:34 -0400
Subject: [PATCH 53/62] fix(nftables): packet marks with masks
(cherry picked from commit e296b926ae5dc4cbc277b6dd755d045e73ed4411)
(cherry picked from commit 371efe757f2bde20b4301a78ed3c48ec1d31bf5e)
---
src/firewall/core/fw_zone.py | 2 ++
src/firewall/core/nftables.py | 9 +++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 129306b6f969..6eaed4232405 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1719,6 +1719,8 @@ class FirewallZone(object):
if enable:
transaction.add_chain(zone, table, "INPUT")
transaction.add_chain(zone, table, "FORWARD_IN")
+ if enable and type(rule.action) == Rich_Mark:
+ transaction.add_chain(zone, "mangle", "PREROUTING")
rules = backend.build_zone_icmp_block_rules(enable, zone, ict, rule)
transaction.add_rules(backend, rules)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 0198200b2372..76668a60468f 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1043,8 +1043,13 @@ class nftables(object):
zone=zone)
table = "mangle"
chain = "%s_%s_%s" % (table, target, chain_suffix)
- rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
- "value": rich_rule.action.set}}
+ value = rich_rule.action.set.split("/")
+ if len(value) > 1:
+ rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
+ "value": {"^": [{"&": [{"meta": {"key": "mark"}}, value[1]]}, value[0]]}}}
+ else:
+ rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
+ "value": value[0]}}
else:
raise FirewallError(INVALID_RULE,
"Unknown action %s" % type(rich_rule.action))
--
2.28.0

27
SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch Normal file
View File

@ -0,0 +1,27 @@
From 603ca9c2dd16f212a8b2fb43a9e9599fe3dd3abf Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 28 Aug 2020 14:22:18 -0400
Subject: [PATCH 54/62] fix(nftables): icmp types with code == 0
(cherry picked from commit 098e35168d6a15516cc76189a70df8db56bd1b13)
(cherry picked from commit 8dcfaa607329cd4c2bdaa3b101371a30a04ef858)
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 76668a60468f..daa7ace085a2 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -82,7 +82,7 @@ def _icmp_types_fragments(protocol, type, code=None):
fragments = [{"match": {"left": {"payload": {"protocol": protocol, "field": "type"}},
"op": "==",
"right": type}}]
- if code:
+ if code is not None:
fragments.append({"match": {"left": {"payload": {"protocol": protocol, "field": "code"}},
"op": "==",
"right": code}})
--
2.28.0

35
SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch Normal file
View File

@ -0,0 +1,35 @@
From d4f35b11f2edb1cf680ed2081a14b599ef3f3b63 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 31 Aug 2020 15:38:34 -0400
Subject: [PATCH 55/62] fix(ipXtables): rich: avoid duplicate rules for
icmp-type w/ mark action
This is a stable only fix. It does not occur on master.
(cherry picked from commit 9b7ba2fcedace408aae498fea1c973a988370808)
---
src/firewall/core/ipXtables.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index b1d6c202fda7..c4535f2e5818 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -1240,8 +1240,13 @@ class ip4tables(object):
proto = [ "-p", "ipv6-icmp" ]
match = [ "-m", "icmp6", "--icmpv6-type", ict.name ]
+ if rich_rule and rich_rule.action and isinstance(rich_rule.action, Rich_Mark):
+ chains = ["PREROUTING"]
+ else:
+ chains = ["INPUT", "FORWARD_IN"]
+
rules = []
- for chain in ["INPUT", "FORWARD_IN"]:
+ for chain in chains:
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
zone=zone)
if self._fw.zone.query_icmp_block_inversion(zone):
--
2.28.0

66
SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch Normal file
View File

@ -0,0 +1,66 @@
From 08cc79942e820d9ce86c5c0bd0249ec4335955ce Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 28 Aug 2020 10:48:35 -0400
Subject: [PATCH 56/62] test(regression/rhbz1855140): add negative tests
(cherry picked from commit b50032185422f5538a8a6211cfa43cfaa2d67ec4)
(cherry picked from commit 264375df35124b5920b9d3e690944aaad1e4790c)
---
src/tests/regression/rhbz1855140.at | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
index 8059e29fe71a..fbb33a419c56 100644
--- a/src/tests/regression/rhbz1855140.at
+++ b/src/tests/regression/rhbz1855140.at
@@ -4,7 +4,15 @@ AT_KEYWORDS(rich icmp rhbz1855140)
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
+FWD_CHECK([--permanent --zone public --add-rich-rule 'rule icmp-type name=bad-header mark set=0x86/0x86'], 0, ignore)
FWD_RELOAD
+NFT_LIST_RULES([inet], [mangle_PRE_public_allow], 0, [dnl
+ table inet firewalld {
+ chain mangle_PRE_public_allow {
+ icmpv6 type parameter-problem icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
+ }
+ }
+])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
table inet firewalld {
chain filter_IN_public_allow {
@@ -18,12 +26,17 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
}
}
])
+IPTABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
+])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
])
+IP6TABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
+ MARK icmpv6 ::/0 ::/0 ipv6-icmptype 4 code 0 MARK or 0x86
+])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@@ -32,4 +45,12 @@ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136
])
-FWD_END_TEST
+dnl verify bad icmptypes are rejected
+FWD_CHECK([--permanent --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore])
+FWD_CHECK([ --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore])
+FWD_CHECK([--permanent --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore])
+IF_HOST_SUPPORTS_IPV6_RULES([
+FWD_CHECK([ --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore])
+])
+
+FWD_END_TEST([-e '/ERROR: INVALID_ICMPTYPE:/d'])
--
2.28.0

80
SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch Normal file
View File

@ -0,0 +1,80 @@
From 0f94133731fa497b04744fa4a37cfa5fd5e45fab Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 26 Aug 2020 11:38:36 -0400
Subject: [PATCH 57/62] fix(policy): cache rule_str for rich rules
There are various areas that we use list comprehensions to convert
Rich_Rule to rule_str. This isn't cheap. Let's just cache the rule_str
and avoid the cost.
Fixes: rhbz 1871298
(cherry picked from commit 5402724221a3dddc9c139663d28ababed4057cc6)
(cherry picked from commit 763b07972fd80e7b2f28b29efe812b92f6dff1d1)
---
src/firewall/core/io/zone.py | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
index 529b92c25b62..ec81762be100 100644
--- a/src/firewall/core/io/zone.py
+++ b/src/firewall/core/io/zone.py
@@ -120,6 +120,7 @@ class Zone(IO_Object):
self.sources = [ ]
self.fw_config = None # to be able to check services and a icmp_blocks
self.rules = [ ]
+ self.rules_str = [ ]
self.icmp_block_inversion = False
self.combined = False
self.applied = False
@@ -141,6 +142,7 @@ class Zone(IO_Object):
del self.sources[:]
self.fw_config = None # to be able to check services and a icmp_blocks
del self.rules[:]
+ del self.rules_str[:]
self.icmp_block_inversion = False
self.combined = False
self.applied = False
@@ -163,17 +165,13 @@ class Zone(IO_Object):
self.interfaces = [u2b_if_py2(i) for i in self.interfaces]
self.sources = [u2b_if_py2(s) for s in self.sources]
self.rules = [u2b_if_py2(s) for s in self.rules]
-
- def __getattr__(self, name):
- if name == "rules_str":
- rules_str = [str(rule) for rule in self.rules]
- return rules_str
- else:
- return getattr(super(Zone, self), name)
+ self.rules_str = [u2b_if_py2(s) for s in self.rules_str]
def __setattr__(self, name, value):
if name == "rules_str":
self.rules = [rich.Rich_Rule(rule_str=s) for s in value]
+ # must convert back to string to get the canonical string.
+ super(Zone, self).__setattr__(name, [str(s) for s in self.rules])
else:
super(Zone, self).__setattr__(name, value)
@@ -307,6 +305,7 @@ class Zone(IO_Object):
self.source_ports.append(port)
for rule in zone.rules:
self.rules.append(rule)
+ self.rules_str.append(str(rule))
if zone.icmp_block_inversion:
self.icmp_block_inversion = True
@@ -687,9 +686,9 @@ class zone_ContentHandler(IO_Object_ContentHandler):
except Exception as e:
log.warning("%s: %s", e, str(self._rule))
else:
- if str(self._rule) not in \
- [ str(x) for x in self.item.rules ]:
+ if str(self._rule) not in self.item.rules_str:
self.item.rules.append(self._rule)
+ self.item.rules_str.append(str(self._rule))
else:
log.warning("Rule '%s' already set, ignoring.",
str(self._rule))
--
2.28.0

55
SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch Normal file
View File

@ -0,0 +1,55 @@
From ed42b8048e97040802da727f77cad4a1bb5ff42b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 26 Aug 2020 14:28:45 -0400
Subject: [PATCH 58/62] test(zone): rich rule parsing bottleneck
Coverage for rhbz 1871298.
Verify we can parse a large amount of rich rules in a reasonable time.
This test took 3m before the fix and now takes 18s after the fix.
Considering it "failed" after 45s should give us plenty of headroom.
(cherry picked from commit ece30971412eedb9032b0d87233ca21ef9154830)
(cherry picked from commit b21f071851ffec6d3a382b6e60eb88dcda7df467)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1871298.at | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
create mode 100644 src/tests/regression/rhbz1871298.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index d7b4d56239d1..65540840f50e 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -34,3 +34,4 @@ m4_include([regression/rhbz1689429.at])
m4_include([regression/rhbz1483921.at])
m4_include([regression/rhbz1541077.at])
m4_include([regression/rhbz1855140.at])
+m4_include([regression/rhbz1871298.at])
diff --git a/src/tests/regression/rhbz1871298.at b/src/tests/regression/rhbz1871298.at
new file mode 100644
index 000000000000..0689399d85ec
--- /dev/null
+++ b/src/tests/regression/rhbz1871298.at
@@ -0,0 +1,18 @@
+FWD_START_TEST([rich rule parsing bottleneck])
+AT_KEYWORDS(rich offline rhbz1871298)
+
+AT_SKIP_IF([! NS_CMD([which timeout >/dev/null 2>&1])])
+
+NS_CHECK([mkdir -p ./zones])
+NS_CHECK([echo '<?xml version="1.0" encoding="utf-8"?>' > ./zones/foobar.xml])
+NS_CHECK([echo "<zone>" >> ./zones/foobar.xml])
+NS_CHECK([echo "<short>foobar</short>" >> ./zones/foobar.xml])
+NS_CHECK([sh -c 'for I in $(seq 10000); do echo "<rule family=\"ipv4\"><port protocol=\"tcp\" port=\"$I\" /><accept/></rule>" >> ./zones/foobar.xml; done'])
+NS_CHECK([echo "</zone>" >> ./zones/foobar.xml])
+
+if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
+ FIREWALL_OFFLINE_CMD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}"
+fi
+NS_CHECK([timeout 45 firewall-offline-cmd --system-config ./ $FIREWALL_OFFLINE_CMD_ARGS --check-config], 0, [ignore])
+
+FWD_END_TEST
--
2.28.0

158
SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch Normal file
View File

@ -0,0 +1,158 @@
From 244d1bfe190f2cc32c10d0fecaf81536761ecc09 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 1 Sep 2020 13:16:23 -0400
Subject: [PATCH 59/62] fix(icmptype): nftables: runtimeToPermanent if
ip6tables not available
We were not filling the runtime ipv6 icmptypes list if the active
backend was nftables and ip6tables wasn't available. This caused "ipv6"
to be dropped from the supported ipvs/destinations for the icmptype.
This also caused runtimeToPermanent to fail because the runtime
icmptypes definition dropped "ipv6" causing runtimeToPermanent to copy
the runtime icmptype to permanent because they were different... this
caused sanity checks on the permanent configuration to fail.
(cherry picked from commit c92d43dcdf5622e82e28454652acd6a981b015f9)
(cherry picked from commit 6f23f727be818f356625e39682fb226a81925647)
---
src/firewall/core/fw.py | 24 ++++++++++++++----------
src/firewall/core/fw_icmptype.py | 8 ++++----
src/firewall/core/ipXtables.py | 2 +-
src/firewall/core/nftables.py | 6 +++---
src/firewall/server/firewalld.py | 4 ++--
5 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index c767f416f3d2..1df916efb10f 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -76,10 +76,10 @@ class Firewall(object):
else:
self.ip4tables_backend = ipXtables.ip4tables(self)
self.ip4tables_enabled = True
- self.ip4tables_supported_icmp_types = [ ]
+ self.ipv4_supported_icmp_types = [ ]
self.ip6tables_backend = ipXtables.ip6tables(self)
self.ip6tables_enabled = True
- self.ip6tables_supported_icmp_types = [ ]
+ self.ipv6_supported_icmp_types = [ ]
self.ebtables_backend = ebtables.ebtables()
self.ebtables_enabled = True
self.ipset_backend = ipset.ipset()
@@ -172,11 +172,13 @@ class Firewall(object):
log.warning("iptables-restore and iptables are missing, "
"disabling IPv4 firewall.")
self.ip4tables_enabled = False
- if self.ip4tables_enabled:
- self.ip4tables_supported_icmp_types = \
- self.ip4tables_backend.supported_icmp_types()
+ if self.nftables_enabled:
+ self.ipv4_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv4")
else:
- self.ip4tables_supported_icmp_types = [ ]
+ if self.ip4tables_enabled:
+ self.ipv4_supported_icmp_types = self.ip4tables_backend.supported_icmp_types()
+ else:
+ self.ipv4_supported_icmp_types = [ ]
self.ip6tables_backend.fill_exists()
if not self.ip6tables_backend.restore_command_exists:
if self.ip6tables_backend.command_exists:
@@ -186,11 +188,13 @@ class Firewall(object):
log.warning("ip6tables-restore and ip6tables are missing, "
"disabling IPv6 firewall.")
self.ip6tables_enabled = False
- if self.ip6tables_enabled:
- self.ip6tables_supported_icmp_types = \
- self.ip6tables_backend.supported_icmp_types()
+ if self.nftables_enabled:
+ self.ipv6_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv6")
else:
- self.ip6tables_supported_icmp_types = [ ]
+ if self.ip6tables_enabled:
+ self.ipv6_supported_icmp_types = self.ip6tables_backend.supported_icmp_types()
+ else:
+ self.ipv6_supported_icmp_types = [ ]
self.ebtables_backend.fill_exists()
if not self.ebtables_backend.restore_command_exists:
if self.ebtables_backend.command_exists:
diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py
index afe9f91d6bf6..a565bb6d8733 100644
--- a/src/firewall/core/fw_icmptype.py
+++ b/src/firewall/core/fw_icmptype.py
@@ -57,13 +57,13 @@ class FirewallIcmpType(object):
ipvs = orig_ipvs[:]
for ipv in orig_ipvs:
if ipv == "ipv4":
- if not self._fw.ip4tables_enabled:
+ if not self._fw.ip4tables_enabled and not self._fw.nftables_enabled:
continue
- supported_icmps = self._fw.ip4tables_supported_icmp_types
+ supported_icmps = self._fw.ipv4_supported_icmp_types
elif ipv == "ipv6":
- if not self._fw.ip6tables_enabled:
+ if not self._fw.ip6tables_enabled and not self._fw.nftables_enabled:
continue
- supported_icmps = self._fw.ip6tables_supported_icmp_types
+ supported_icmps = self._fw.ipv6_supported_icmp_types
else:
supported_icmps = [ ]
if obj.name.lower() not in supported_icmps:
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index c4535f2e5818..450e427c08b5 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -612,7 +612,7 @@ class ip4tables(object):
rules.append(["-t", table, "-P", chain, _policy])
return rules
- def supported_icmp_types(self):
+ def supported_icmp_types(self, ipv=None):
"""Return ICMP types that are supported by the iptables/ip6tables command and kernel"""
ret = [ ]
output = ""
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index daa7ace085a2..0a73c2c2669d 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -480,13 +480,13 @@ class nftables(object):
return rules
- def supported_icmp_types(self):
+ def supported_icmp_types(self, ipv=None):
# nftables supports any icmp_type via arbitrary type/code matching.
# We just need a translation for it in ICMP_TYPES_FRAGMENTS.
supported = set()
- for ipv in ICMP_TYPES_FRAGMENTS.keys():
- supported.update(ICMP_TYPES_FRAGMENTS[ipv].keys())
+ for _ipv in [ipv] if ipv else ICMP_TYPES_FRAGMENTS.keys():
+ supported.update(ICMP_TYPES_FRAGMENTS[_ipv].keys())
return list(supported)
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
index 10b085d48660..949f577053cc 100644
--- a/src/firewall/server/firewalld.py
+++ b/src/firewall/server/firewalld.py
@@ -162,7 +162,7 @@ class FirewallD(slip.dbus.service.Object):
return dbus.Boolean(self.fw.ip4tables_enabled)
elif prop == "IPv4ICMPTypes":
- return dbus.Array(self.fw.ip4tables_supported_icmp_types, "s")
+ return dbus.Array(self.fw.ipv4_supported_icmp_types, "s")
elif prop == "IPv6":
return dbus.Boolean(self.fw.ip6tables_enabled)
@@ -171,7 +171,7 @@ class FirewallD(slip.dbus.service.Object):
return dbus.Boolean(self.fw.ipv6_rpfilter_enabled)
elif prop == "IPv6ICMPTypes":
- return dbus.Array(self.fw.ip6tables_supported_icmp_types, "s")
+ return dbus.Array(self.fw.ipv6_supported_icmp_types, "s")
elif prop == "BRIDGE":
return dbus.Boolean(self.fw.ebtables_enabled)
--
2.28.0

29
SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch Normal file
View File

@ -0,0 +1,29 @@
From 8a520d8343ab1567f0f3df39e4fc45dbaf9c6f77 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 24 Sep 2020 15:24:41 -0400
Subject: [PATCH 60/62] docs(firewall-cmd): clarify lockdown whitelist command
paths
Reported-by: D. Hugh Redelmeier <hugh@mimosa.com>
(cherry picked from commit a7b12b8eb87dd3bd2bb342cf5d74bf089cf3b9a6)
(cherry picked from commit 7e9b1a02cc7aa12f9c499b2acad584dbabf9a518)
---
doc/xml/firewall-cmd.xml.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
index 8bc389acae6c..702c549ab9d9 100644
--- a/doc/xml/firewall-cmd.xml.in
+++ b/doc/xml/firewall-cmd.xml.in
@@ -2104,7 +2104,7 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match.
</para>
<para>
- Commands for user root and others is not always the same. Example: As root <command>/bin/firewall-cmd</command> is used, as a normal user <command>/usr/bin/firewall-cmd</command> is be used on Fedora.
+ Command paths for users are not always the same and depends on the users PATH. Some distributions symlink <command>/bin</command> to <command>/usr/bin</command> in which case it depends on the order they appear in the PATH environment variable.
</para>
<para>
The context is the security (SELinux) context of a running application or service. To get the context of a running application use <command>ps -e --context</command>.
--
2.28.0

39
SOURCES/0061-docs-dbus-fix-invalid-method-names.patch Normal file
View File

@ -0,0 +1,39 @@
From b82e2cf588916624c5f45c10e7c929f24ff84e9a Mon Sep 17 00:00:00 2001
From: Donald Yandt <10255876+TorontoMedia@users.noreply.github.com>
Date: Sun, 27 Sep 2020 20:19:35 -0400
Subject: [PATCH 61/62] docs(dbus): fix invalid method names
Replace invalid method names for both 'queryEntry' and 'queryIPSet'.
Fixes: #693
(cherry picked from commit 6fc82d2d34b436a1f1921b36930169c965f3ff4b)
(cherry picked from commit 24fb2b2424107cd88e331b8f8edae0dc1671c504)
---
doc/xml/firewalld.dbus.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 1625b9d50576..3bf4f53b108d 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -579,7 +579,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.ipset.Methods.queryEntry">
- <term><methodname>queryService</methodname>(s: ipset, s: entry) &rarr; b</term>
+ <term><methodname>queryEntry</methodname>(s: ipset, s: entry) &rarr; b</term>
<listitem>
<para>
Return whether <replaceable>entry</replaceable> has been added to <replaceable>ipset</replaceable>.
@@ -591,7 +591,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.ipset.Methods.queryIPSet">
- <term><methodname>queryService</methodname>(s: ipset) &rarr; b</term>
+ <term><methodname>queryIPSet</methodname>(s: ipset) &rarr; b</term>
<listitem>
<para>
Return whether <replaceable>ipset</replaceable> is defined in runtime configuration.
--
2.28.0

27
SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch Normal file
View File

@ -0,0 +1,27 @@
From cd158a2880734c5da329e9a5c9c075ba5bceced6 Mon Sep 17 00:00:00 2001
From: diegoe <diegoe@gnome.org>
Date: Wed, 21 Oct 2020 21:19:52 -0500
Subject: [PATCH 62/62] docs(firewall-cmd): small description grammar fix
(cherry picked from commit 9ae97bb2b65fbafa0ed5c0bfd9ebd5945bc6bea9)
(cherry picked from commit 9b4664fca4d3551dbb758a53b212a5aab043ccd9)
---
doc/xml/firewall-cmd.xml.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
index 702c549ab9d9..1789f513d8ee 100644
--- a/doc/xml/firewall-cmd.xml.in
+++ b/doc/xml/firewall-cmd.xml.in
@@ -56,7 +56,7 @@
<title>Description</title>
<para>
- firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration.
+ firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configurations.
</para>
<para>
--
2.28.0

107
SOURCES/0065-fix-rich-non-printable-characters-removed-from-rich-.patch Normal file
View File

@ -0,0 +1,107 @@
From dbce20e28a898c394274109904d471d84cfa7fea Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Fri, 13 Nov 2020 10:40:51 -0500
Subject: [PATCH 65/66] fix(rich): non-printable characters removed from rich
rules
Fixes: rhbz 1596304
Fixes: #480
(cherry picked from commit ac5960856991a00ddf7a558e31fd3248c8279a1f)
(cherry picked from commit a55416ea5f79f1a7cb1a97b6ee39524a542a8663)
---
src/firewall/core/rich.py | 2 ++
src/firewall/functions.py | 9 ++++++++-
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1596304.at | 23 +++++++++++++++++++++++
4 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 src/tests/regression/rhbz1596304.at
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index 86c0c998a478..03bc194c2b28 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -307,6 +307,8 @@ class Rich_Rule(object):
if not rule_str:
raise FirewallError(errors.INVALID_RULE, 'empty rule')
+ rule_str = functions.stripNonPrintableCharacters(rule_str)
+
self.priority = 0
self.family = None
self.source = None
diff --git a/src/firewall/functions.py b/src/firewall/functions.py
index 6af220619f17..d20b702e047e 100644
--- a/src/firewall/functions.py
+++ b/src/firewall/functions.py
@@ -27,7 +27,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName",
"check_single_address", "check_mac", "uniqify", "ppid_of_pid",
"max_zone_name_len", "checkUser", "checkUid", "checkCommand",
"checkContext", "joinArgs", "splitArgs",
- "b2u", "u2b", "u2b_if_py2" ]
+ "b2u", "u2b", "u2b_if_py2", "stripNonPrintableCharacters"]
import socket
import os
@@ -42,6 +42,10 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
PY2 = sys.version < '3'
+NOPRINT_TRANS_TABLE = {
+ i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
+}
+
def getPortID(port):
""" Check and Get port id from port string or port id using socket.getservbyname
@@ -226,6 +230,9 @@ def checkIPnMask(ip):
return False
return True
+def stripNonPrintableCharacters(rule_str):
+ return rule_str.translate(NOPRINT_TRANS_TABLE)
+
def checkIP6nMask(ip):
if "/" in ip:
addr = ip[:ip.index("/")]
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 65540840f50e..c1e8620ee700 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -35,3 +35,4 @@ m4_include([regression/rhbz1483921.at])
m4_include([regression/rhbz1541077.at])
m4_include([regression/rhbz1855140.at])
m4_include([regression/rhbz1871298.at])
+m4_include([regression/rhbz1596304.at])
diff --git a/src/tests/regression/rhbz1596304.at b/src/tests/regression/rhbz1596304.at
new file mode 100644
index 000000000000..98a33934e271
--- /dev/null
+++ b/src/tests/regression/rhbz1596304.at
@@ -0,0 +1,23 @@
+FWD_START_TEST([rich rules strip non-printable characters])
+AT_KEYWORDS(rich rhbz1596304)
+
+dnl source address contains a tab character
+FWD_CHECK([--permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="104.243.250.0/22 " port port=80 protocol=tcp accept'],0,ignore)
+FWD_RELOAD
+FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ public
+ target: default
+ icmp-block-inversion: no
+ interfaces:
+ sources:
+ services: cockpit dhcpv6-client ssh
+ ports:
+ protocols:
+ masquerade: no
+ forward-ports:
+ source-ports:
+ icmp-blocks:
+ rich rules:
+ rule family="ipv4" source address="104.243.250.0/22" port port="80" protocol="tcp" accept
+ ])])
+FWD_END_TEST
--
2.28.0

38
SOURCES/0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch Normal file
View File

@ -0,0 +1,38 @@
From ff6e65737413d54b6f6964f72827a92fdbecc182 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 8 Jan 2021 13:38:15 -0500
Subject: [PATCH 68/68] fix(rich): limit table to strip non-printables to C0
and C1
Generating the table was taking an unreasonable amount of memory.
Stripping C0 and C1 should cover most scenarios while limiting memory
usage.
Fixes: ac5960856991 ("fix(rich): non-printable characters removed from rich rules")
(cherry picked from commit 015704b44f81d535a868fe28368f977cefd28638)
(cherry picked from commit 629a53ef027146f8e4e486c40c8bde04cda830d3)
---
src/firewall/functions.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/firewall/functions.py b/src/firewall/functions.py
index d20b702e047e..1ea9f4309234 100644
--- a/src/firewall/functions.py
+++ b/src/firewall/functions.py
@@ -43,7 +43,12 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
PY2 = sys.version < '3'
NOPRINT_TRANS_TABLE = {
- i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
+ # Limit to C0 and C1 code points. Building entries for all unicode code
+ # points requires too much memory.
+ # C0 = [0, 31]
+ # C1 = [127, 159]
+ #
+ i: None for i in range(0, 160) if not (i > 31 and i < 127)
}
def getPortID(port):
--
2.27.0

93
SOURCES/0067-fix-zone-add-source-with-mac-address.patch Normal file
View File

@ -0,0 +1,93 @@
From 2871abfceceba37c6ba38aa0ef25e23a059294ec Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Wed, 18 Nov 2020 13:14:44 -0500
Subject: [PATCH 67/68] fix(zone): add source with mac address
nftables supports matching the destination MAC, but iptables does not.
As such, lift the restriction from nftables. For iptables, gracefully
ignore the scenarios in which we attempt to match destination MAC.
Fixes: #703
Fixes: df4aefcbe7b7 ("improvement(ipXtables): add utility function match sources")
Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface")
Co-authored-by: Eric Garver <eric@garver.life>
(cherry picked from commit 20151fbb5c5104e3d4dbc4ea938b9a68bdbcf225)
(cherry picked from commit 79bb113a2a108ce1c69dc7bc7af60297b8ec2ad0)
---
src/firewall/core/ipXtables.py | 4 ++++
src/firewall/core/nftables.py | 2 --
src/tests/regression/gh703.at | 23 +++++++++++++++++++++++
src/tests/regression/regression.at | 1 +
4 files changed, 28 insertions(+), 2 deletions(-)
create mode 100644 src/tests/regression/gh703.at
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 450e427c08b5..b28146edd060 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -814,6 +814,10 @@ class ip4tables(object):
else:
zone_dispatch_chain = "%s_ZONES" % (chain)
+ # iptables can not match destination MAC
+ if check_mac(address) and chain in ["POSTROUTING", "FORWARD_OUT", "OUTPUT"]:
+ return []
+
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
action = "-g"
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 0a73c2c2669d..a0a899dd3eef 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1067,8 +1067,6 @@ class nftables(object):
return self._set_match_fragment(address[len("ipset:"):], True if "daddr" == addr_field else False, invert)
else:
if check_mac(address):
- if addr_field == "daddr":
- raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__))
family = "ether"
elif check_single_address("ipv4", address):
family = "ip"
diff --git a/src/tests/regression/gh703.at b/src/tests/regression/gh703.at
new file mode 100644
index 000000000000..af724a7713a7
--- /dev/null
+++ b/src/tests/regression/gh703.at
@@ -0,0 +1,23 @@
+FWD_START_TEST([add source with mac address])
+AT_KEYWORDS(gh703)
+
+FWD_CHECK([--zone=home --add-source=34:7e:5c:3a:4c:32], 0, [ignore])
+
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
+ }
+ }
+])
+
+dnl NOTE: iptables does _not_ support matching mac destination.
+
+FWD_END_TEST
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index c1e8620ee700..7597a458076c 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -36,3 +36,4 @@ m4_include([regression/rhbz1541077.at])
m4_include([regression/rhbz1855140.at])
m4_include([regression/rhbz1871298.at])
m4_include([regression/rhbz1596304.at])
+m4_include([regression/gh703.at])
--
2.27.0

52
SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch Normal file
View File

@ -0,0 +1,52 @@
From 4aa1e421dae3ece1de075ef538f709d6388f8811 Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Wed, 10 Jun 2020 16:14:43 -0400
Subject: [PATCH 63/64] feat(service): add collectd service Fixes: rhbz 1837368
(cherry picked from commit 8b974e75d9100b17568a55c4962dfe09d34f03dc)
---
config/Makefile.am | 1 +
config/services/collectd.xml | 6 ++++++
po/POTFILES.in | 1 +
3 files changed, 8 insertions(+)
create mode 100644 config/services/collectd.xml
diff --git a/config/Makefile.am b/config/Makefile.am
index 702592e6a685..5f44678841f3 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -134,6 +134,7 @@ CONFIG_FILES = \
services/ceph.xml \
services/cfengine.xml \
services/cockpit.xml \
+ services/collectd.xml \
services/condor-collector.xml \
services/ctdb.xml \
services/dhcpv6-client.xml \
diff --git a/config/services/collectd.xml b/config/services/collectd.xml
new file mode 100644
index 000000000000..fb2483e0e716
--- /dev/null
+++ b/config/services/collectd.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>Collectd</short>
+ <description>Collectd is a monitoring system that allows metrics to be sent over the network. This rule allows incoming collectd traffic from remote boxes.</description>
+ <port protocol="udp" port="25826"/>
+</service>
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 918f6f0986ae..92323b03fc17 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -67,6 +67,7 @@ config/services/ceph.xml
config/services/cfengine.xml
config/services/cockpit.xml
config/services/condor-collector.xml
+config/services/collectd.xml
config/services/ctdb.xml
config/services/dhcpv6-client.xml
config/services/dhcpv6.xml
--
2.28.0

54
SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch Normal file
View File

@ -0,0 +1,54 @@
From 7edc99c9aca9c1416a05c117ab65598dc3095c35 Mon Sep 17 00:00:00 2001
From: Kenneth D'souza <kdsouza@redhat.com>
Date: Tue, 16 Jun 2020 01:14:52 +0530
Subject: [PATCH 64/64] feat(service): Add rpc-rquotad.service
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
(cherry picked from commit 35e58d6fca6fbf44c34629dc058f3f1f727e7783)
---
config/Makefile.am | 1 +
config/services/rquotad.xml | 7 +++++++
po/POTFILES.in | 1 +
3 files changed, 9 insertions(+)
create mode 100644 config/services/rquotad.xml
diff --git a/config/Makefile.am b/config/Makefile.am
index 5f44678841f3..178c2358b117 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -233,6 +233,7 @@ CONFIG_FILES = \
services/redis.xml \
services/RH-Satellite-6.xml \
services/rpc-bind.xml \
+ services/rquotad.xml \
services/rsh.xml \
services/rsyncd.xml \
services/rtsp.xml \
diff --git a/config/services/rquotad.xml b/config/services/rquotad.xml
new file mode 100644
index 000000000000..adcd233ebd4d
--- /dev/null
+++ b/config/services/rquotad.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>rquotad</short>
+ <description>Remote Quota Server Daemon</description>
+ <port protocol="tcp" port="875"/>
+ <port protocol="udp" port="875"/>
+</service>
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 92323b03fc17..8552b8eca4ab 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -166,6 +166,7 @@ config/services/redis-sentinel.xml
config/services/redis.xml
config/services/RH-Satellite-6.xml
config/services/rpc-bind.xml
+config/services/rquotad.xml
config/services/rsh.xml
config/services/rsyncd.xml
config/services/rtsp.xml
--
2.28.0

55
SOURCES/v1.0.0-0068-feat-service-add-galera-service.patch Normal file
View File

@ -0,0 +1,55 @@
From 8d0823923302da39bb1f28e55b907db29b03f664 Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Tue, 1 Dec 2020 11:58:19 -0500
Subject: [PATCH 66/66] feat(service): add galera service Fixes: rhbz1696260
(cherry picked from commit 11632147677464cb7121d17526ead242e68be041)
---
config/Makefile.am | 1 +
config/services/galera.xml | 9 +++++++++
po/POTFILES.in | 1 +
3 files changed, 11 insertions(+)
create mode 100644 config/services/galera.xml
diff --git a/config/Makefile.am b/config/Makefile.am
index 178c2358b117..4b849bd54e32 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -156,6 +156,7 @@ CONFIG_FILES = \
services/freeipa-replication.xml \
services/freeipa-trust.xml \
services/ftp.xml \
+ services/galera.xml \
services/ganglia-client.xml \
services/ganglia-master.xml \
services/git.xml \
diff --git a/config/services/galera.xml b/config/services/galera.xml
new file mode 100644
index 000000000000..2305713fbcab
--- /dev/null
+++ b/config/services/galera.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>Galera</short>
+ <description>MariaDB-Galera Database Server</description>
+ <port protocol="tcp" port="3306"/>
+ <port protocol="tcp" port="4567"/>
+ <port protocol="tcp" port="4568"/>
+ <port protocol="tcp" port="4444"/>
+</service>
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 8552b8eca4ab..27003c5ce1ef 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -88,6 +88,7 @@ config/services/freeipa-ldap.xml
config/services/freeipa-replication.xml
config/services/freeipa-trust.xml
config/services/ftp.xml
+config/services/galera.xml
config/services/ganglia-client.xml
config/services/ganglia-master.xml
config/services/git.xml
--
2.28.0

41
SPECS/firewalld.spec
View File

@ -1,7 +1,7 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld
Version: 0.8.2
Release: 2%{?dist}
Release: 6%{?dist}
URL: http://www.firewalld.org
License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@ -52,6 +52,27 @@ Patch44: 0044-test-regression-rhbz1483921-correctly-use-macros.patch
Patch45: 0045-test-regression-rhbz1541077-correctly-use-macros.patch
Patch46: 0046-fix-rich-use-correct-error-code-for-invalid-priority.patch
Patch47: 0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch
Patch48: 0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch
Patch49: 0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch
Patch50: 0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch
Patch51: 0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch
Patch52: 0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch
Patch53: 0053-fix-nftables-packet-marks-with-masks.patch
Patch54: 0054-fix-nftables-icmp-types-with-code-0.patch
Patch55: 0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch
Patch56: 0056-test-regression-rhbz1855140-add-negative-tests.patch
Patch57: 0057-fix-policy-cache-rule_str-for-rich-rules.patch
Patch58: 0058-test-zone-rich-rule-parsing-bottleneck.patch
Patch59: 0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch
Patch60: 0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch
Patch61: 0061-docs-dbus-fix-invalid-method-names.patch
Patch62: 0062-docs-firewall-cmd-small-description-grammar-fix.patch
Patch63: v0.9.0-0063-feat-service-add-collectd-service.patch
Patch64: v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch
Patch65: 0065-fix-rich-non-printable-characters-removed-from-rich-.patch
Patch66: 0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch
Patch67: 0067-fix-zone-add-source-with-mac-address.patch
Patch68: v1.0.0-0068-feat-service-add-galera-service.patch
BuildArch: noarch
BuildRequires: autoconf
@ -250,6 +271,24 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewall-config*.1*
%changelog
* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-6
- feat(service): add galera service
* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-5
- fix(zone): add source with mac address
* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-4
- fix(rich): non-printable characters removed from rich
* Mon Oct 26 2020 Eric Garver <egarver@redhat.com> - 0.8.2-3
- fix(nftables): packet marks with masks
- fix(nftables): icmp types with code == 0
- fix(rich icmptype): verify rule and icmptype families
- fix(zone): cache rule_str for rich rules
- improvement(service): IPsec: Update description and add TCP port 4500
- feat(service): add collectd service
- feat(service): Add rpc-rquotad.service
* Tue Aug 04 2020 Eric Garver <egarver@redhat.com> - 0.8.2-2
- fix(cli): add ipset type hash:mac is incompatible with the family parameter
- fix(cli): add --zone is an invalid option with --direct