import UBI firewalld-1.3.4-7.el9

This commit is contained in:
eabdullin 2024-11-12 10:37:24 +00:00
parent c56d981db8
commit 536a59d2c6
19 changed files with 2478 additions and 1 deletions

View File

@ -0,0 +1,53 @@
From a27f6afa21de35aa98e5309430dbcab9e6056f9c Mon Sep 17 00:00:00 2001
From: Pat Riehecky <riehecky@fnal.gov>
Date: Wed, 1 Feb 2023 09:52:43 -0600
Subject: [PATCH 05/22] v2.0.0: feat(service): add OpenTelemetry (OTLP) service
(cherry picked from commit 77c7061cc191bec6d8a36d2666c2d3c3e0ccbb4a)
---
config/Makefile.am | 1 +
config/services/opentelemetry.xml | 7 +++++++
po/POTFILES.in | 1 +
3 files changed, 9 insertions(+)
create mode 100644 config/services/opentelemetry.xml
diff --git a/config/Makefile.am b/config/Makefile.am
index d66398563ff2..47f30c1566e0 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -247,6 +247,7 @@ CONFIG_FILES = \
services/ntp.xml \
services/nut.xml \
services/openvpn.xml \
+ services/opentelemetry.xml \
services/ovirt-imageio.xml \
services/ovirt-storageconsole.xml \
services/ovirt-vmconsole.xml \
diff --git a/config/services/opentelemetry.xml b/config/services/opentelemetry.xml
new file mode 100644
index 000000000000..46c0e5258957
--- /dev/null
+++ b/config/services/opentelemetry.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>OTLP</short>
+ <description>OpenTelemetry Protocol (OTLP) specification describes the encoding, transport, and delivery mechanism of telemetry data between telemetry sources, intermediate nodes such as collectors and telemetry backends.</description>
+ <port protocol="tcp" port="4317"/>
+ <port protocol="tcp" port="4318"/>
+</service>
diff --git a/po/POTFILES.in b/po/POTFILES.in
index f3c0595980f9..1c990542ac4d 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -180,6 +180,7 @@ config/services/nrpe.xml
config/services/ntp.xml
config/services/nut.xml
config/services/openvpn.xml
+config/services/opentelemetry.xml
config/services/ovirt-imageio.xml
config/services/ovirt-storageconsole.xml
config/services/ovirt-vmconsole.xml
--
2.43.5

View File

@ -0,0 +1,131 @@
From 6f221d65193cda838e241a18dd07b6da2ae22f78 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Wed, 29 Nov 2023 17:02:07 +0100
Subject: [PATCH 06/22] v2.1.0: feat(icmp): add ICMPv6 Multicast Listener
Discovery (MLD) types
Note that ip6tables does not support these ICMPv6 types. Currently,
the name of the ICMP types in firewalld must correspond to the names
in iptables. As ip6tables doesn't support it, it does not. If ip6tables
adds support for "mld-listener-query", but calls it differently, we have
a problem. Nothing that can be done about that.
`man nft` also lists an alias "mld-listener-reduction" (for
"mld-listener-done", type 132). That alias is not supported. Use the
name as from RFC 4890.
(cherry picked from commit dd88bbf812e0a50766b69c2bf12470ecf9d2466a)
---
config/Makefile.am | 4 ++++
config/icmptypes/mld-listener-done.xml | 7 +++++++
config/icmptypes/mld-listener-query.xml | 7 +++++++
config/icmptypes/mld-listener-report.xml | 7 +++++++
config/icmptypes/mld2-listener-report.xml | 7 +++++++
po/POTFILES.in | 4 ++++
src/firewall/core/nftables.py | 4 ++++
7 files changed, 40 insertions(+)
create mode 100644 config/icmptypes/mld-listener-done.xml
create mode 100644 config/icmptypes/mld-listener-query.xml
create mode 100644 config/icmptypes/mld-listener-report.xml
create mode 100644 config/icmptypes/mld2-listener-report.xml
diff --git a/config/Makefile.am b/config/Makefile.am
index 47f30c1566e0..edae25fd9de0 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -83,6 +83,10 @@ CONFIG_FILES = \
icmptypes/host-unknown.xml \
icmptypes/host-unreachable.xml \
icmptypes/ip-header-bad.xml \
+ icmptypes/mld-listener-done.xml \
+ icmptypes/mld-listener-query.xml \
+ icmptypes/mld-listener-report.xml \
+ icmptypes/mld2-listener-report.xml \
icmptypes/neighbour-advertisement.xml \
icmptypes/neighbour-solicitation.xml \
icmptypes/network-prohibited.xml \
diff --git a/config/icmptypes/mld-listener-done.xml b/config/icmptypes/mld-listener-done.xml
new file mode 100644
index 000000000000..09b8bbba5b90
--- /dev/null
+++ b/config/icmptypes/mld-listener-done.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<icmptype>
+ <short>MLD Listener Done</short>
+ <description>ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Done (type 132) (RFC 4890 section 4.4.1). Also known as mld-listener-reduction to nft.</description>
+ <destination ipv4="no"/>
+ <destination ipv6="yes"/>
+</icmptype>
diff --git a/config/icmptypes/mld-listener-query.xml b/config/icmptypes/mld-listener-query.xml
new file mode 100644
index 000000000000..418685578d1d
--- /dev/null
+++ b/config/icmptypes/mld-listener-query.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<icmptype>
+ <short>MLD Listener Query</short>
+ <description>ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Query (type 130) (RFC 4890 section 4.4.1).</description>
+ <destination ipv4="no"/>
+ <destination ipv6="yes"/>
+</icmptype>
diff --git a/config/icmptypes/mld-listener-report.xml b/config/icmptypes/mld-listener-report.xml
new file mode 100644
index 000000000000..98fb4161b298
--- /dev/null
+++ b/config/icmptypes/mld-listener-report.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<icmptype>
+ <short>MLD Listener Report</short>
+ <description>ICMPv6 Link-Local Multicast Listener Discovery (MDL) of type Multicast Listener Report (type 131) (RFC 4890 section 4.4.1).</description>
+ <destination ipv4="no"/>
+ <destination ipv6="yes"/>
+</icmptype>
diff --git a/config/icmptypes/mld2-listener-report.xml b/config/icmptypes/mld2-listener-report.xml
new file mode 100644
index 000000000000..faee68c95b20
--- /dev/null
+++ b/config/icmptypes/mld2-listener-report.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<icmptype>
+ <short>MLDv2 Multicast Listener Report</short>
+ <description>ICMPv6 Link-Local Multicast Listener Discovery (MDLv2) of type Multicast Listener Report (type 143) (RFC 4890 section 4.4.1).</description>
+ <destination ipv4="no"/>
+ <destination ipv6="yes"/>
+</icmptype>
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 1c990542ac4d..adeebdee3f55 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -15,6 +15,10 @@ config/icmptypes/host-redirect.xml
config/icmptypes/host-unknown.xml
config/icmptypes/host-unreachable.xml
config/icmptypes/ip-header-bad.xml
+config/icmptypes/mld-listener-done.xml
+config/icmptypes/mld-listener-query.xml
+config/icmptypes/mld-listener-report.xml
+config/icmptypes/mld2-listener-report.xml
config/icmptypes/neighbour-advertisement.xml
config/icmptypes/neighbour-solicitation.xml
config/icmptypes/network-prohibited.xml
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 6ad4b9168403..3df3fa3c3742 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -140,6 +140,10 @@ ICMP_TYPES_FRAGMENTS = {
"echo-reply": _icmp_types_fragments("icmpv6", "echo-reply"),
"echo-request": _icmp_types_fragments("icmpv6", "echo-request"),
"failed-policy": _icmp_types_fragments("icmpv6", "destination-unreachable", 5),
+ "mld-listener-done": _icmp_types_fragments("icmpv6", "mld-listener-done"),
+ "mld-listener-query": _icmp_types_fragments("icmpv6", "mld-listener-query"),
+ "mld-listener-report": _icmp_types_fragments("icmpv6", "mld-listener-report"),
+ "mld2-listener-report": _icmp_types_fragments("icmpv6", "mld2-listener-report"),
"neighbour-advertisement": _icmp_types_fragments("icmpv6", "nd-neighbor-advert"),
"neighbour-solicitation": _icmp_types_fragments("icmpv6", "nd-neighbor-solicit"),
"no-route": _icmp_types_fragments("icmpv6", "destination-unreachable", 0),
--
2.43.5

View File

@ -0,0 +1,71 @@
From 22b100b8ac9aeeacae851e2b9f11e4dc1741cd85 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Tue, 12 Dec 2023 14:58:07 +0100
Subject: [PATCH 07/22] v2.1.0: fix(rich): validate service name of rich rule
Previously, validation of valid service names was not done.
That meant:
$ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent
success
$ firewall-cmd --reload
Error: INVALID_SERVICE: listen
which left firewalld in a bad state.
Now:
$ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent
Error: INVALID_SERVICE: Zone 'public': 'listen' not among existing services
https://issues.redhat.com/browse/RHEL-5790
(cherry picked from commit fbcdddd3e38c31a7b8325bf02764b84344c216b0)
---
src/firewall/core/io/policy.py | 8 ++++++++
src/tests/features/rich_rules.at | 7 ++++++-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
index 7d383abb0a2d..f9a1114d7969 100644
--- a/src/firewall/core/io/policy.py
+++ b/src/firewall/core/io/policy.py
@@ -471,6 +471,14 @@ def common_check_config(obj, config, item, all_config, all_io_objects):
log.debug1("{} (unsupported)".format(ex))
else:
raise ex
+ elif isinstance(obj_rich.element, rich.Rich_Service):
+ if obj_rich.element.name not in all_io_objects["services"]:
+ raise FirewallError(
+ errors.INVALID_SERVICE,
+ "{} '{}': '{}' not among existing services".format(
+ obj_type, obj.name, obj_rich.element.name
+ ),
+ )
def common_writer(obj, handler):
# short
diff --git a/src/tests/features/rich_rules.at b/src/tests/features/rich_rules.at
index aadc76da57b4..f7d1a1d0abf4 100644
--- a/src/tests/features/rich_rules.at
+++ b/src/tests/features/rich_rules.at
@@ -46,6 +46,10 @@ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priorit
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=0 source address=10.10.10.13 drop'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=-1 source address=10.10.10.14 accept'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=1 source address=10.10.10.15 accept'], 0, ignore)
+
+dnl Invalid service name is rejected.
+FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="bogusservice" accept'], 101, ignore, ignore)
+
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_pre], 0, [dnl
table inet firewalld {
@@ -319,4 +323,5 @@ IP6TABLES_LIST_RULES([filter], [IN_foobar_post], 0, [dnl
ACCEPT 0 -- ::/0 ::/0
])
-FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d'])
+FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d' dnl
+ -e "/ERROR: INVALID_SERVICE: Policy 'foobar': 'bogusservice' not among existing services/d"])
--
2.43.5

View File

@ -0,0 +1,66 @@
From 11ee9b9ed8da78bfc11edffc2c9386efa41be1cf Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 18 Dec 2023 18:22:38 -0500
Subject: [PATCH 08/22] v2.1.0: improvement(nftables): do not track rule
handles for policy table
It's not necessary. This table is transient and we simply delete the
entire table when we're done with it.
(cherry picked from commit 119dff1d86f841cd2f33ddbab278bc9257dae7b0)
---
src/firewall/core/nftables.py | 24 +++++++-----------------
1 file changed, 7 insertions(+), 17 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 3df3fa3c3742..690a5dc067ab 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -386,6 +386,11 @@ class nftables(object):
if verb not in output["nftables"][index]:
continue
+ # don't bother tracking handles for the policy table as we simply
+ # delete the entire table.
+ if TABLE_NAME_POLICY == output["nftables"][index][verb]["rule"]["table"]:
+ continue
+
self.rule_to_handle[rule_key] = output["nftables"][index][verb]["rule"]["handle"]
def set_rule(self, rule, log_denied):
@@ -408,18 +413,8 @@ class nftables(object):
"name": table}}}]
def build_flush_rules(self):
- # Policy is stashed in a separate table that we're _not_ going to
- # flush. As such, we retain the policy rule handles and ref counts.
- saved_rule_to_handle = {}
- saved_rule_ref_count = {}
- for rule in self._build_set_policy_rules_ct_rules(True):
- policy_key = self._get_rule_key(rule)
- if policy_key in self.rule_to_handle:
- saved_rule_to_handle[policy_key] = self.rule_to_handle[policy_key]
- saved_rule_ref_count[policy_key] = self.rule_ref_count[policy_key]
-
- self.rule_to_handle = saved_rule_to_handle
- self.rule_ref_count = saved_rule_ref_count
+ self.rule_to_handle = {}
+ self.rule_ref_count = {}
self.rich_rule_priority_counts = {}
self.policy_priority_counts = {}
self.zone_source_index_cache = {}
@@ -475,11 +470,6 @@ class nftables(object):
rules += self._build_set_policy_rules_ct_rules(True)
elif policy == "ACCEPT":
- for rule in self._build_set_policy_rules_ct_rules(False):
- policy_key = self._get_rule_key(rule)
- if policy_key in self.rule_to_handle:
- rules.append(rule)
-
rules += self._build_delete_table_rules(TABLE_NAME_POLICY)
else:
raise FirewallError(UNKNOWN_ERROR, "not implemented")
--
2.43.5

View File

@ -0,0 +1,203 @@
From c53dabcb9ca5c6d9ab2b076d961127a67afe8f8f Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Fri, 11 Aug 2023 18:16:20 +0200
Subject: [PATCH 09/22] v2.1.0: improvement(fw): make set_policy("DROP") more
flexible
We will add a reload-policy via
ReloadPolicy=OUTPUT:{ACCEPT,REJECT,DROP},INPUT:{ACCEPT,REJECT,DROP},FORWARD:{ACCEPT,REJECT,DROP}
Extend set_policy() so that the "DROP" policy can be overridden.
(cherry picked from commit e3bb468ff469373d193398b471a59f7ab7d29f27)
---
src/firewall/core/ebtables.py | 2 +-
src/firewall/core/fw.py | 27 +++++++++++++---
src/firewall/core/ipXtables.py | 11 +++++--
src/firewall/core/nftables.py | 56 ++++++++++++++++++++++++----------
4 files changed, 72 insertions(+), 24 deletions(-)
diff --git a/src/firewall/core/ebtables.py b/src/firewall/core/ebtables.py
index c1c0b8587a5c..f059975724a5 100644
--- a/src/firewall/core/ebtables.py
+++ b/src/firewall/core/ebtables.py
@@ -237,7 +237,7 @@ class ebtables(object):
rules.append(["-t", table, flag])
return rules
- def build_set_policy_rules(self, policy):
+ def build_set_policy_rules(self, policy, policy_details):
rules = []
_policy = "DROP" if policy == "PANIC" else policy
for table in BUILT_IN_CHAINS.keys():
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index f1bc124b9443..ccec875f3c3c 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -983,7 +983,18 @@ class Firewall(object):
if use_transaction is None:
transaction.execute(True)
- def set_policy(self, policy, use_transaction=None):
+ def _set_policy_build_rules(self, backend, policy, policy_details=None):
+ assert policy in ("ACCEPT", "DROP", "PANIC")
+ if policy_details is None:
+ dp = "ACCEPT" if policy == "ACCEPT" else "DROP"
+ policy_details = {
+ "INPUT": dp,
+ "OUTPUT": dp,
+ "FORWARD": dp,
+ }
+ return backend.build_set_policy_rules(policy, policy_details)
+
+ def set_policy(self, policy, policy_details=None, use_transaction=None):
if use_transaction is None:
transaction = FirewallTransaction(self)
else:
@@ -992,7 +1003,7 @@ class Firewall(object):
log.debug1("Setting policy to '%s'", policy)
for backend in self.enabled_backends():
- rules = backend.build_set_policy_rules(policy)
+ rules = self._set_policy_build_rules(backend, policy, policy_details)
transaction.add_rules(backend, rules)
if use_transaction is None:
@@ -1224,13 +1235,19 @@ class Firewall(object):
# for the old backend that was set to DROP above.
if not self._panic and old_firewall_backend != self._firewall_backend:
if old_firewall_backend == "nftables":
- for rule in self.nftables_backend.build_set_policy_rules("ACCEPT"):
+ for rule in self._set_policy_build_rules(
+ self.nftables_backend, "ACCEPT"
+ ):
self.nftables_backend.set_rule(rule, self._log_denied)
else:
- for rule in self.ip4tables_backend.build_set_policy_rules("ACCEPT"):
+ for rule in self._set_policy_build_rules(
+ self.ip4tables_backend, "ACCEPT"
+ ):
self.ip4tables_backend.set_rule(rule, self._log_denied)
if self.ip6tables_enabled:
- for rule in self.ip6tables_backend.build_set_policy_rules("ACCEPT"):
+ for rule in self._set_policy_build_rules(
+ self.ip6tables_backend, "ACCEPT"
+ ):
self.ip6tables_backend.set_rule(rule, self._log_denied)
if start_exception:
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index e05a2bd4d7ed..1a0cea7a3b4e 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -578,7 +578,7 @@ class ip4tables(object):
rules.append(["-t", table, flag])
return rules
- def build_set_policy_rules(self, policy):
+ def build_set_policy_rules(self, policy, policy_details):
rules = []
_policy = "DROP" if policy == "PANIC" else policy
for table in BUILT_IN_CHAINS.keys():
@@ -587,7 +587,14 @@ class ip4tables(object):
if table == "nat":
continue
for chain in BUILT_IN_CHAINS[table]:
- rules.append(["-t", table, "-P", chain, _policy])
+ if table == "filter":
+ p = policy_details[chain]
+ if p == "REJECT":
+ rules.append(["-t", table, "-A", chain, "-j", "REJECT"])
+ p = "DROP"
+ else:
+ p = _policy
+ rules.append(["-t", table, "-P", chain, p])
return rules
def supported_icmp_types(self, ipv=None):
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 690a5dc067ab..e9816147ef8e 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -421,20 +421,17 @@ class nftables(object):
return self._build_delete_table_rules(TABLE_NAME)
- def _build_set_policy_rules_ct_rules(self, enable):
+ def _build_set_policy_rules_ct_rule(self, enable, hook):
add_del = { True: "add", False: "delete" }[enable]
- rules = []
- for hook in ["input", "forward", "output"]:
- rules.append({add_del: {"rule": {"family": "inet",
- "table": TABLE_NAME_POLICY,
- "chain": "%s_%s" % ("filter", hook),
- "expr": [{"match": {"left": {"ct": {"key": "state"}},
- "op": "in",
- "right": {"set": ["established", "related"]}}},
- {"accept": None}]}}})
- return rules
-
- def build_set_policy_rules(self, policy):
+ return {add_del: {"rule": {"family": "inet",
+ "table": TABLE_NAME_POLICY,
+ "chain": "%s_%s" % ("filter", hook),
+ "expr": [{"match": {"left": {"ct": {"key": "state"}},
+ "op": "in",
+ "right": {"set": ["established", "related"]}}},
+ {"accept": None}]}}}
+
+ def build_set_policy_rules(self, policy, policy_details):
# Policy is not exposed to the user. It's only to make sure we DROP
# packets while reloading and for panic mode. As such, using hooks with
# a higher priority than our base chains is sufficient.
@@ -459,16 +456,43 @@ class nftables(object):
# To drop everything except existing connections we use
# "filter" because it occurs _after_ conntrack.
- for hook in ["input", "forward", "output"]:
+ for hook in ("INPUT", "FORWARD", "OUTPUT"):
+ d_policy = policy_details[hook]
+ assert d_policy in ("ACCEPT", "REJECT", "DROP")
+ hook = hook.lower()
+ chain_name = f"filter_{hook}"
+
rules.append({"add": {"chain": {"family": "inet",
"table": TABLE_NAME_POLICY,
- "name": "%s_%s" % ("filter", hook),
+ "name": chain_name,
"type": "filter",
"hook": hook,
"prio": 0 + NFT_HOOK_OFFSET - 1,
"policy": "drop"}}})
- rules += self._build_set_policy_rules_ct_rules(True)
+ rules.append(self._build_set_policy_rules_ct_rule(True, hook))
+
+ if d_policy == "ACCEPT":
+ expr_fragment = {"accept": None}
+ elif d_policy == "DROP":
+ expr_fragment = {"drop": None}
+ else:
+ expr_fragment = {
+ "reject": {"type": "icmpx", "expr": "admin-prohibited"}
+ }
+
+ rules.append(
+ {
+ "add": {
+ "rule": {
+ "family": "inet",
+ "table": TABLE_NAME_POLICY,
+ "chain": chain_name,
+ "expr": [expr_fragment],
+ }
+ }
+ }
+ )
elif policy == "ACCEPT":
rules += self._build_delete_table_rules(TABLE_NAME_POLICY)
else:
--
2.43.5

View File

@ -0,0 +1,303 @@
From 67c8a0010ba6244c40e48a93560eb66d91a2ca09 Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Mon, 14 Aug 2023 14:53:55 +0200
Subject: [PATCH 10/22] v2.1.0: feat(fw): add ReloadPolicy option in
firewalld.conf
One interesting aspect is that during `firewall-cmd --reload`, the code
first sets the policy to "DROP", before reloading "firewalld.conf". That
means, changing the value only takes effect after the next reload. But
that seems expected as we set the policy before starting to reload.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2149039
(cherry picked from commit 0019371a8f42d376ac9cce79cc5e1e7d2049f021)
---
config/firewalld.conf | 8 +++
doc/xml/firewalld.conf.xml | 16 ++++++
src/firewall/config/__init__.py.in | 1 +
src/firewall/core/fw.py | 13 ++++-
src/firewall/core/io/firewalld_conf.py | 56 ++++++++++++++++++++-
src/tests/features/features.at | 1 +
src/tests/features/reloadpolicy.at | 12 +++++
src/tests/unit/test_firewalld_conf.py | 68 ++++++++++++++++++++++++++
8 files changed, 172 insertions(+), 3 deletions(-)
create mode 100644 src/tests/features/reloadpolicy.at
create mode 100644 src/tests/unit/test_firewalld_conf.py
diff --git a/config/firewalld.conf b/config/firewalld.conf
index f8caf11c8a86..7a0be1ff1b76 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -66,6 +66,14 @@ FirewallBackend=nftables
# Default: yes
FlushAllOnReload=yes
+# ReloadPolicy
+# Policy during reload. By default all traffic except for established
+# connections is dropped while the rules are updated. Set to "DROP", "REJECT"
+# or "ACCEPT". Alternatively, specify it per table, like
+# "OUTPUT:ACCEPT,INPUT:DROP,FORWARD:REJECT".
+# Default: ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
+ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
+
# RFC3964_IPv4
# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
# correspond to IPv4 addresses that should not be routed over the public
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index e4312acc8e1c..022569ccf502 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -195,6 +195,22 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>ReloadPolicy</option></term>
+ <listitem>
+ <para>
+ The policy during reload. By default, all traffic except
+ established connections is dropped while reloading the
+ firewall rules. This can be overridden for INPUT, FORWARD
+ and OUTPUT. The accepted values are "DROP", "REJECT" and
+ "ACCEPT", which then applies to all tables. Alternatively,
+ the policy can be specified per table, like
+ "INPUT:REJECT,FORWARD:DROP,OUTPUT:ACCEPT".
+ Defaults to "INPUT:DROP,FORWARD:DROP,OUTPUT:DROP".
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>RFC3964_IPv4</option></term>
<listitem>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index d982384a0382..da1e31e10e58 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -133,5 +133,6 @@ FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "no"
FALLBACK_FIREWALL_BACKEND = "nftables"
FALLBACK_FLUSH_ALL_ON_RELOAD = True
+FALLBACK_RELOAD_POLICY = "INPUT:DROP,FORWARD:DROP,OUTPUT:DROP"
FALLBACK_RFC3964_IPV4 = True
FALLBACK_ALLOW_ZONE_DRIFTING = False
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index ccec875f3c3c..ac13be122b66 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -1000,7 +1000,13 @@ class Firewall(object):
else:
transaction = use_transaction
- log.debug1("Setting policy to '%s'", policy)
+ log.debug1(
+ "Setting policy to '%s'%s",
+ policy,
+ f" (ReloadPolicy={firewalld_conf._unparse_reload_policy(policy_details)})"
+ if policy == "DROP"
+ else "",
+ )
for backend in self.enabled_backends():
rules = self._set_policy_build_rules(backend, policy, policy_details)
@@ -1146,7 +1152,10 @@ class Firewall(object):
_ipset_objs.append(self.ipset.get_ipset(_name))
if not _panic:
- self.set_policy("DROP")
+ reload_policy = firewalld_conf._parse_reload_policy(
+ self._firewalld_conf.get("ReloadPolicy")
+ )
+ self.set_policy("DROP", policy_details=reload_policy)
self.flush()
self.cleanup()
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index b907c5b1e60b..d2879b319d1f 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -31,7 +31,7 @@ valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
"IndividualCalls", "LogDenied", "AutomaticHelpers",
"FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
- "AllowZoneDrifting" ]
+ "AllowZoneDrifting", "ReloadPolicy" ]
class firewalld_conf(object):
def __init__(self, filename):
@@ -77,6 +77,7 @@ class firewalld_conf(object):
self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS)
self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND)
self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no")
+ self.set("ReloadPolicy", config.FALLBACK_RELOAD_POLICY)
self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no")
self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no")
@@ -208,6 +209,17 @@ class firewalld_conf(object):
config.FALLBACK_FLUSH_ALL_ON_RELOAD)
self.set("FlushAllOnReload", str(config.FALLBACK_FLUSH_ALL_ON_RELOAD))
+ value = self.get("ReloadPolicy")
+ try:
+ value = self._parse_reload_policy(value)
+ except ValueError:
+ log.warning(
+ "ReloadPolicy '%s' is not valid, using default value '%s'",
+ value,
+ config.FALLBACK_RELOAD_POLICY,
+ )
+ self.set("ReloadPolicy", config.FALLBACK_RELOAD_POLICY)
+
value = self.get("RFC3964_IPv4")
if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
if value is not None:
@@ -330,3 +342,45 @@ class firewalld_conf(object):
raise IOError("Failed to create '%s': %s" % (self.filename, msg))
else:
os.chmod(self.filename, 0o600)
+
+ @staticmethod
+ def _parse_reload_policy(value):
+ valid = True
+ result = {
+ "INPUT": "DROP",
+ "FORWARD": "DROP",
+ "OUTPUT": "DROP",
+ }
+ if value:
+ value = value.strip()
+ v = value.upper()
+ if v in ("ACCEPT", "REJECT", "DROP"):
+ for k in result:
+ result[k] = v
+ else:
+ for a in value.replace(";", ",").split(","):
+ a = a.strip()
+ if not a:
+ continue
+ a2 = a.replace("=", ":").split(":", 2)
+ if len(a2) != 2:
+ valid = False
+ continue
+ k = a2[0].strip().upper()
+ if k not in result:
+ valid = False
+ continue
+ v = a2[1].strip().upper()
+ if v not in ("ACCEPT", "REJECT", "DROP"):
+ valid = False
+ continue
+ result[k] = v
+
+ if not valid:
+ raise ValueError("Invalid ReloadPolicy")
+
+ return result
+
+ @staticmethod
+ def _unparse_reload_policy(value):
+ return ",".join(f"{k}:{v}" for k, v in value.items())
diff --git a/src/tests/features/features.at b/src/tests/features/features.at
index f59baea1cd70..065cb2872e88 100644
--- a/src/tests/features/features.at
+++ b/src/tests/features/features.at
@@ -20,3 +20,4 @@ m4_include([features/startup_failsafe.at])
m4_include([features/ipset.at])
m4_include([features/reset_defaults.at])
m4_include([features/iptables_no_flush_on_shutdown.at])
+m4_include([features/reloadpolicy.at])
diff --git a/src/tests/features/reloadpolicy.at b/src/tests/features/reloadpolicy.at
new file mode 100644
index 000000000000..fea1aa26aab4
--- /dev/null
+++ b/src/tests/features/reloadpolicy.at
@@ -0,0 +1,12 @@
+FWD_START_TEST([check ReloadPolicy])
+AT_KEYWORDS(reloadpolicy rhbz2149039)
+
+AT_CHECK([sed -i 's/^ReloadPolicy=.*/ReloadPolicy=INPUT:REJECT,FORWARD:ACCEPT/' ./firewalld.conf])
+dnl call RELOAD twice, to see more action about the ReloadPolicy.
+FWD_RELOAD()
+FWD_RELOAD()
+
+AT_CHECK([sed -i 's/^ReloadPolicy=.*/ReloadPolicy=REJECT/' ./firewalld.conf])
+FWD_RELOAD()
+
+FWD_END_TEST()
diff --git a/src/tests/unit/test_firewalld_conf.py b/src/tests/unit/test_firewalld_conf.py
new file mode 100644
index 000000000000..0ce1fd279f91
--- /dev/null
+++ b/src/tests/unit/test_firewalld_conf.py
@@ -0,0 +1,68 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+import firewall.core.io.firewalld_conf
+import firewall.config
+
+
+def test_reload_policy():
+ def t(value, expected_valid=True, **kw):
+
+ expected = {
+ "INPUT": "DROP",
+ "FORWARD": "DROP",
+ "OUTPUT": "DROP",
+ }
+ for k, v in kw.items():
+ assert k in expected
+ expected[k] = v
+
+ try:
+ parsed = (
+ firewall.core.io.firewalld_conf.firewalld_conf._parse_reload_policy(
+ value
+ )
+ )
+ except ValueError:
+ assert not expected_valid
+ return
+
+ assert parsed == expected
+ assert expected_valid
+
+ unparsed = (
+ firewall.core.io.firewalld_conf.firewalld_conf._unparse_reload_policy(
+ parsed
+ )
+ )
+ parsed2 = firewall.core.io.firewalld_conf.firewalld_conf._parse_reload_policy(
+ unparsed
+ )
+ assert parsed2 == parsed
+
+ t(None)
+ t("")
+ t(" ")
+ t(" input: ACCept ", INPUT="ACCEPT")
+ t(
+ "forward:DROP, forward : REJEct; input: ACCept ",
+ INPUT="ACCEPT",
+ FORWARD="REJECT",
+ )
+ t(" accept ", INPUT="ACCEPT", FORWARD="ACCEPT", OUTPUT="ACCEPT")
+ t("REJECT", INPUT="REJECT", FORWARD="REJECT", OUTPUT="REJECT")
+ t("forward=REJECT", FORWARD="REJECT")
+ t("forward=REJECT , input=accept", FORWARD="REJECT", INPUT="ACCEPT")
+ t("forward=REJECT , xinput=accept", expected_valid=False)
+ t("forward=REJECT, ACCEPT", expected_valid=False)
+
+ def _norm(reload_policy):
+ parsed = firewall.core.io.firewalld_conf.firewalld_conf._parse_reload_policy(
+ reload_policy
+ )
+ return firewall.core.io.firewalld_conf.firewalld_conf._unparse_reload_policy(
+ parsed
+ )
+
+ assert firewall.config.FALLBACK_RELOAD_POLICY == _norm(
+ firewall.config.FALLBACK_RELOAD_POLICY
+ )
--
2.43.5

View File

@ -0,0 +1,27 @@
From 55e40954a8c596fabe03371e9a508d3518273ac1 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 14 May 2024 16:27:54 -0400
Subject: [PATCH 11/22] v2.2.0: test(functions): add macro CHECK_NFTABLES_FIB
(cherry picked from commit 0aeebef07bc57b1f56b107632cdfdd809384398c)
---
src/tests/functions.at | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index f454ca980046..65a4ce078e05 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -748,3 +748,9 @@ m4_define([CHECK_NM_CAPABILITY_OVS], [
m4_define([IF_BACKEND_IS_DEFAULT], [
m4_if(nftables, FIREWALL_BACKEND, [$1], [])
])
+
+m4_define([CHECK_NFTABLES_FIB], [
+ m4_if(nftables, FIREWALL_BACKEND, [
+ IF_HOST_SUPPORTS_NFT_FIB([], [AT_SKIP_IF([:])])
+ ])
+])
--
2.43.5

View File

@ -0,0 +1,31 @@
From d368d579c78652a68273897d5f8b5099d251a9b5 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 14 May 2024 16:21:06 -0400
Subject: [PATCH 12/22] v2.2.0: test(functions): add macro
CHECK_NFTABLES_FIB_IN_FORWARD
(cherry picked from commit b9cf7b75c7d94efa98545a3b7ad5020b1896b22a)
---
src/tests/functions.at | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 65a4ce078e05..b2372dd4075b 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -754,3 +754,12 @@ m4_define([CHECK_NFTABLES_FIB], [
IF_HOST_SUPPORTS_NFT_FIB([], [AT_SKIP_IF([:])])
])
])
+
+m4_define([CHECK_NFTABLES_FIB_IN_FORWARD], [
+ m4_if(nftables, FIREWALL_BACKEND, [
+ NS_CHECK([nft add table inet firewalld_check])
+ NS_CHECK([nft add chain inet firewalld_check foobar { type filter hook forward priority 0 \; }])
+ AT_SKIP_IF([! NS_CMD([nft add rule inet firewalld_check foobar meta nfproto ipv6 fib saddr . mark . iif oif missing drop >/dev/null 2>&1])])
+ NS_CHECK([nft delete table inet firewalld_check])
+ ])
+])
--
2.43.5

View File

@ -0,0 +1,51 @@
From c1620d5ad4c151382373a138ab0c36dd7561a4bb Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 14 May 2024 16:29:50 -0400
Subject: [PATCH 13/22] v2.2.0: test(rpfilter): use CHECK macros
(cherry picked from commit 352f3fc7fc00b675178de1eff8f0197607741de7)
---
src/tests/features/rpfilter.at | 27 +++++++++++----------------
1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
index 01fb81ea75ef..ccc8a6cf5e80 100644
--- a/src/tests/features/rpfilter.at
+++ b/src/tests/features/rpfilter.at
@@ -1,22 +1,17 @@
-FWD_START_TEST([rpfilter])
+FWD_START_TEST([rpfilter - strict])
AT_KEYWORDS(rpfilter)
+CHECK_NFTABLES_FIB()
-IF_HOST_SUPPORTS_NFT_FIB([
- NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
- table inet firewalld {
- chain filter_PREROUTING {
- icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
- meta nfproto ipv6 fib saddr . mark . iif oif missing drop
- }
- }
- ])
-], [
- NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
- table inet firewalld {
- chain filter_PREROUTING {
- }
+AT_CHECK([sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=yes/' ./firewalld.conf])
+FWD_RELOAD()
+
+NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain filter_PREROUTING {
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
- ])
+ }
])
IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
--
2.43.5

View File

@ -0,0 +1,41 @@
From 0ba1eed533e4cd1dd77771ba7c16dc0edcea841e Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 13 May 2024 13:53:55 -0400
Subject: [PATCH 14/22] v2.2.0: test(IPv6_rpfilter): verify valid values
Including the deprecated "yes" value.
(cherry picked from commit 1e91792157d36355669b4f02a82c1ee603a9467d)
---
src/tests/features/rpfilter.at | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
index ccc8a6cf5e80..755d9dfd33cc 100644
--- a/src/tests/features/rpfilter.at
+++ b/src/tests/features/rpfilter.at
@@ -22,4 +22,20 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
PREROUTING_ZONES 0 -- ::/0 ::/0
])
-FWD_END_TEST
+FWD_END_TEST()
+
+FWD_START_TEST([rpfilter - config values])
+AT_KEYWORDS(rpfilter)
+CHECK_NFTABLES_FIB()
+
+dnl Verify other/deprecated configuration values are accepted.
+dnl
+m4_foreach([VALUE], [[no], [yes], [false], [true]], [
+ AT_CHECK([sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=VALUE/' ./firewalld.conf])
+ FWD_RELOAD()
+])
+dnl And a bogus one.
+AT_CHECK([sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=bogus/' ./firewalld.conf])
+FWD_RELOAD()
+
+FWD_END_TEST([-e "/^WARNING: IPv6_rpfilter 'bogus' is not valid/d"])
--
2.43.5

View File

@ -0,0 +1,336 @@
From 7973ddf8d9f972f0292c8c865da9e0ebaefd77cb Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 16 May 2024 09:26:43 -0400
Subject: [PATCH 15/22] v2.2.0: chore(IPv6_rpfilter): prepare for new config
values
This is just prep work for supporting other configuration values. This
commits supports using "strict" as a value which is synonymous with
"yes" and is the current default behavior.
(cherry picked from commit cd959f21a5ceb41057b76f817b0456c281408ae0)
---
config/firewalld.conf | 15 ++++++++++-----
doc/xml/firewalld.conf.xml | 12 +++++++++---
doc/xml/firewalld.dbus.xml | 8 ++++++--
src/firewall/config/__init__.py.in | 3 ++-
src/firewall/core/fw.py | 19 ++++++++-----------
src/firewall/core/io/firewalld_conf.py | 14 ++++++++------
src/firewall/server/config.py | 22 ++++++++++++++++++----
src/firewall/server/firewalld.py | 2 +-
src/tests/dbus/firewalld.conf.at | 4 ++++
src/tests/features/rpfilter.at | 2 +-
10 files changed, 67 insertions(+), 34 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 7a0be1ff1b76..48e2a5a6527a 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -26,14 +26,19 @@ CleanupModulesOnExit=no
Lockdown=no
# IPv6_rpfilter
-# Performs a reverse path filter test on a packet for IPv6. If a reply to the
-# packet would be sent via the same interface that the packet arrived on, the
-# packet will match and be accepted, otherwise dropped.
+# Performs reverse path filtering (RPF) on IPv6 packets as per RFC 3704.
+# Possible values:
+# - strict: Performs "strict" filtering as per RFC 3704. This check
+# verifies that the in ingress interface is the same interface
+# that would be used to send a packet reply to the source. That
+# is, ingress == egress.
+# - no: RPF is completely disabled.
+#
# The rp_filter for IPv4 is controlled using sysctl.
# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
# for details.
-# Default: yes
-IPv6_rpfilter=yes
+# Default: strict
+IPv6_rpfilter=strict
# IndividualCalls
# Do not use combined -restore calls, but individual calls. This increases the
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 022569ccf502..be6972aa0d8a 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -121,9 +121,15 @@
<term><option>IPv6_rpfilter</option></term>
<listitem>
<para>
- If this option is enabled (it is by default), reverse path filter test on a packet for IPv6 is performed.
- If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.
- For IPv4 the rp_filter is controlled using sysctl.
+ Performs reverse path filtering (RPF) on IPv6 packets as per RFC 3704.
+ Possible values:
+ - strict: Performs "strict" filtering as per RFC 3704. This check
+ verifies that the in ingress interface is the same interface
+ that would be used to send a packet reply to the source. That
+ is, ingress == egress.
+ - no: RPF is completely disabled.
+
+ The rp_filter for IPv4 is controlled using sysctl.
</para>
<para>
<emphasis role="bold">Note</emphasis>: This feature has a performance
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index a3196ea4af38..f04cf5ae757b 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2858,8 +2858,12 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Properties.IPv6_rpfilter">
- <term><parameter>IPv6_rpfilter</parameter> - s - (rw)</term>
- <listitem><para>Indicates whether the reverse path filter test on a packet for IPv6 is enabled. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.</para></listitem>
+ <term><parameter>IPv6_rpfilter</parameter> - b - (rw)</term>
+ <listitem><para>Deprecated. See <link linkend="FirewallD1.config.Properties.IPv6_rpfilter2">org.fedoraproject.FirewallD1.config.Properties.IPv6_rpfilter2</link>.</para></listitem>
+ </varlistentry>
+ <varlistentry id="FirewallD1.config.Properties.IPv6_rpfilter2">
+ <term><parameter>IPv6_rpfilter2</parameter> - s - (rw)</term>
+ <listitem><para>Indicates whether the reverse path filter (RFE 3704) test on a packet for IPv6 is enabled.</para></listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Properties.IndividualCalls">
<term><parameter>IndividualCalls</parameter> - s - (ro)</term>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index da1e31e10e58..68e9bddce5a8 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -120,6 +120,7 @@ COMMANDS = {
LOG_DENIED_VALUES = [ "all", "unicast", "broadcast", "multicast", "off" ]
AUTOMATIC_HELPERS_VALUES = [ "yes", "no", "system" ]
FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
+IPV6_RPFILTER_VALUES = ["yes", "true", "no", "false", "strict"]
# fallbacks: will be overloaded by firewalld.conf
FALLBACK_ZONE = "public"
@@ -127,7 +128,7 @@ FALLBACK_MINIMAL_MARK = 100
FALLBACK_CLEANUP_ON_EXIT = True
FALLBACK_CLEANUP_MODULES_ON_EXIT = False
FALLBACK_LOCKDOWN = False
-FALLBACK_IPV6_RPFILTER = True
+FALLBACK_IPV6_RPFILTER = "strict"
FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "no"
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index ac13be122b66..b2e150077958 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -98,7 +98,7 @@ class Firewall(object):
self.ebtables_enabled, self._state, self._panic,
self._default_zone, self._module_refcount, self._marks,
self.cleanup_on_exit, self.cleanup_modules_on_exit,
- self.ipv6_rpfilter_enabled, self.ipset_enabled,
+ self._ipv6_rpfilter, self.ipset_enabled,
self._individual_calls, self._log_denied)
def __init_vars(self):
@@ -112,7 +112,7 @@ class Firewall(object):
# fallback settings will be overloaded by firewalld.conf
self.cleanup_on_exit = config.FALLBACK_CLEANUP_ON_EXIT
self.cleanup_modules_on_exit = config.FALLBACK_CLEANUP_MODULES_ON_EXIT
- self.ipv6_rpfilter_enabled = config.FALLBACK_IPV6_RPFILTER
+ self._ipv6_rpfilter = config.FALLBACK_IPV6_RPFILTER
self._individual_calls = config.FALLBACK_INDIVIDUAL_CALLS
self._log_denied = config.FALLBACK_LOG_DENIED
self._firewall_backend = config.FALLBACK_FIREWALL_BACKEND
@@ -329,14 +329,11 @@ class Firewall(object):
if self._firewalld_conf.get("IPv6_rpfilter"):
value = self._firewalld_conf.get("IPv6_rpfilter")
if value is not None:
- if value.lower() in [ "no", "false" ]:
- self.ipv6_rpfilter_enabled = False
- if value.lower() in [ "yes", "true" ]:
- self.ipv6_rpfilter_enabled = True
- if self.ipv6_rpfilter_enabled:
- log.debug1("IPv6 rpfilter is enabled")
- else:
- log.debug1("IPV6 rpfilter is disabled")
+ if value.lower() in ["no", "false"]:
+ self._ipv6_rpfilter = "no"
+ elif value.lower() in ["yes", "true", "strict"]:
+ self._ipv6_rpfilter = "strict"
+ log.debug1(f"IPv6_rpfilter is set to '{self._ipv6_rpfilter}'")
if self._firewalld_conf.get("IndividualCalls"):
value = self._firewalld_conf.get("IndividualCalls")
@@ -933,7 +930,7 @@ class Firewall(object):
if self.is_ipv_enabled("ipv6"):
ipv6_backend = self.get_backend_by_ipv("ipv6")
if "raw" in ipv6_backend.get_available_tables():
- if self.ipv6_rpfilter_enabled:
+ if self._ipv6_rpfilter != "no":
rules = ipv6_backend.build_rpfilter_rules(self._log_denied)
transaction.add_rules(ipv6_backend, rules)
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index d2879b319d1f..9ad64883b656 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -71,7 +71,7 @@ class firewalld_conf(object):
self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no")
self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no")
self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no")
- self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no")
+ self.set("IPv6_rpfilter", config.FALLBACK_IPV6_RPFILTER)
self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no")
self.set("LogDenied", config.FALLBACK_LOG_DENIED)
self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS)
@@ -160,12 +160,14 @@ class firewalld_conf(object):
# check ipv6_rpfilter
value = self.get("IPv6_rpfilter")
- if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
+ if not value or value.lower() not in config.IPV6_RPFILTER_VALUES:
if value is not None:
- log.warning("IPv6_rpfilter '%s' is not valid, using default "
- "value %s", value if value else '',
- config.FALLBACK_IPV6_RPFILTER)
- self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no")
+ log.warning(
+ "IPv6_rpfilter '%s' is not valid, using default " "value %s",
+ value if value else "",
+ config.FALLBACK_IPV6_RPFILTER,
+ )
+ self.set("IPv6_rpfilter", config.FALLBACK_IPV6_RPFILTER)
# check individual calls
value = self.get("IndividualCalls")
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index dfbbb889b520..b805e497bb05 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -100,6 +100,7 @@ class FirewallDConfig(DbusServiceObject):
"CleanupOnExit": "readwrite",
"CleanupModulesOnExit": "readwrite",
"IPv6_rpfilter": "readwrite",
+ "IPv6_rpfilter2": "readwrite",
"Lockdown": "readwrite",
"MinimalMark": "readwrite",
"IndividualCalls": "readwrite",
@@ -564,7 +565,7 @@ class FirewallDConfig(DbusServiceObject):
"CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
"IndividualCalls", "LogDenied", "AutomaticHelpers",
"FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
- "AllowZoneDrifting" ]:
+ "AllowZoneDrifting", "IPv6_rpfilter2" ]:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
"Property '%s' does not exist" % prop)
@@ -594,8 +595,13 @@ class FirewallDConfig(DbusServiceObject):
value = "yes" if config.FALLBACK_LOCKDOWN else "no"
return dbus.String(value)
elif prop == "IPv6_rpfilter":
+ if value is None or value != "no":
+ return dbus.String("yes")
+ else:
+ return dbus.String("no")
+ elif prop == "IPv6_rpfilter2":
if value is None:
- value = "yes" if config.FALLBACK_IPV6_RPFILTER else "no"
+ value = config.FALLBACK_IPV6_RPFILTER
return dbus.String(value)
elif prop == "IndividualCalls":
if value is None:
@@ -640,6 +646,8 @@ class FirewallDConfig(DbusServiceObject):
return dbus.String(self._get_property(prop))
elif prop == "IPv6_rpfilter":
return dbus.String(self._get_property(prop))
+ elif prop == "IPv6_rpfilter2":
+ return dbus.String(self._get_property(prop))
elif prop == "IndividualCalls":
return dbus.String(self._get_property(prop))
elif prop == "LogDenied":
@@ -693,7 +701,7 @@ class FirewallDConfig(DbusServiceObject):
"CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
"IndividualCalls", "LogDenied", "AutomaticHelpers",
"FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
- "AllowZoneDrifting" ]:
+ "AllowZoneDrifting", "IPv6_rpfilter2" ]:
ret[x] = self._get_property(x)
elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
@@ -722,7 +730,7 @@ class FirewallDConfig(DbusServiceObject):
"IPv6_rpfilter", "IndividualCalls",
"LogDenied",
"FirewallBackend", "FlushAllOnReload",
- "RFC3964_IPv4"]:
+ "RFC3964_IPv4", "IPv6_rpfilter2"]:
if property_name in [ "CleanupOnExit", "CleanupModulesOnExit",
"Lockdown", "IPv6_rpfilter",
"IndividualCalls", "FlushAllOnReload",
@@ -742,6 +750,12 @@ class FirewallDConfig(DbusServiceObject):
raise FirewallError(errors.INVALID_VALUE,
"'%s' for %s" % \
(new_value, property_name))
+ elif property_name == "IPv6_rpfilter2":
+ if new_value not in config.IPV6_RPFILTER_VALUES:
+ raise FirewallError(
+ errors.INVALID_VALUE,
+ "'%s' for %s" % (new_value, property_name),
+ )
else:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
index e43ddb959f41..8b9593a22fd8 100644
--- a/src/firewall/server/firewalld.py
+++ b/src/firewall/server/firewalld.py
@@ -165,7 +165,7 @@ class FirewallD(DbusServiceObject):
return dbus.Boolean(self.fw.is_ipv_enabled("ipv6"))
elif prop == "IPv6_rpfilter":
- return dbus.Boolean(self.fw.ipv6_rpfilter_enabled)
+ return dbus.Boolean(False if self.fw._ipv6_rpfilter == "no" else True)
elif prop == "IPv6ICMPTypes":
return dbus.Array(self.fw.ipv6_supported_icmp_types, "s")
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 10b16cd9e06f..61c220f3e59c 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -3,8 +3,10 @@ AT_KEYWORDS(dbus)
IF_HOST_SUPPORTS_NFT_FIB([
EXPECTED_IPV6_RPFILTER_VALUE=yes
+ EXPECTED_IPV6_RPFILTER2_VALUE=strict
], [
EXPECTED_IPV6_RPFILTER_VALUE=no
+ EXPECTED_IPV6_RPFILTER2_VALUE=no
])
IF_HOST_SUPPORTS_NFT_RULE_INDEX([
@@ -23,6 +25,7 @@ string "DefaultZone" : variant string "public"
string "FirewallBackend" : variant string "nftables"
string "FlushAllOnReload" : variant string "yes"
string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])
+string "IPv6_rpfilter2" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER2_VALUE}"])
string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"])
string "Lockdown" : variant string "no"
string "LogDenied" : variant string "off"
@@ -43,6 +46,7 @@ _helper([AutomaticHelpers], [string:"yes"], [variant string "no"])
_helper([Lockdown], [string:"yes"], [variant string "yes"])
_helper([LogDenied], [string:"all"], [variant string "all"])
_helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
+_helper([IPv6_rpfilter2], [string:"no"], [variant string "no"])
_helper([IndividualCalls], [string:"yes"], [variant string "yes"])
_helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
_helper([FlushAllOnReload], [string:"no"], [variant string "no"])
diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
index 755d9dfd33cc..58a4b4500330 100644
--- a/src/tests/features/rpfilter.at
+++ b/src/tests/features/rpfilter.at
@@ -2,7 +2,7 @@ FWD_START_TEST([rpfilter - strict])
AT_KEYWORDS(rpfilter)
CHECK_NFTABLES_FIB()
-AT_CHECK([sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=yes/' ./firewalld.conf])
+AT_CHECK([sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=strict/' ./firewalld.conf])
FWD_RELOAD()
NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
--
2.43.5

View File

@ -0,0 +1,166 @@
From 41828e0723b1ad195a33c535918a2fb6fabaf88f Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 6 May 2024 10:22:09 -0400
Subject: [PATCH 16/22] v2.2.0: feat(IPv6_rpfilter): support loose rpfilter
Support "loose" mode as per RFC 3704. This guarantees only that there is
a patch back to the source, but does NOT guarantee that ingress ==
egress.
(cherry picked from commit 669524a10658761f614e1f199970844db7259960)
---
config/firewalld.conf | 4 ++++
doc/xml/firewalld.conf.xml | 4 ++++
src/firewall/config/__init__.py.in | 2 +-
src/firewall/core/fw.py | 2 ++
src/firewall/core/ipXtables.py | 16 ++++++++++------
src/firewall/core/nftables.py | 8 +++++++-
src/tests/features/rpfilter.at | 26 ++++++++++++++++++++++++++
7 files changed, 54 insertions(+), 8 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 48e2a5a6527a..c35caf9f152b 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -32,6 +32,10 @@ Lockdown=no
# verifies that the in ingress interface is the same interface
# that would be used to send a packet reply to the source. That
# is, ingress == egress.
+# - loose: Performs "loose" filtering as per RFC 3704. This check only
+# verifies that there is a route back to the source through any
+# interface; even if it's not the same one on which the packet
+# arrived.
# - no: RPF is completely disabled.
#
# The rp_filter for IPv4 is controlled using sysctl.
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index be6972aa0d8a..279a149ab2a1 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -127,6 +127,10 @@
verifies that the in ingress interface is the same interface
that would be used to send a packet reply to the source. That
is, ingress == egress.
+ - loose: Performs "loose" filtering as per RFC 3704. This check only
+ verifies that there is a route back to the source through any
+ interface; even if it's not the same one on which the packet
+ arrived.
- no: RPF is completely disabled.
The rp_filter for IPv4 is controlled using sysctl.
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 68e9bddce5a8..6bfe96be35a6 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -120,7 +120,7 @@ COMMANDS = {
LOG_DENIED_VALUES = [ "all", "unicast", "broadcast", "multicast", "off" ]
AUTOMATIC_HELPERS_VALUES = [ "yes", "no", "system" ]
FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
-IPV6_RPFILTER_VALUES = ["yes", "true", "no", "false", "strict"]
+IPV6_RPFILTER_VALUES = ["yes", "true", "no", "false", "strict", "loose"]
# fallbacks: will be overloaded by firewalld.conf
FALLBACK_ZONE = "public"
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index b2e150077958..d9724e9c8534 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -333,6 +333,8 @@ class Firewall(object):
self._ipv6_rpfilter = "no"
elif value.lower() in ["yes", "true", "strict"]:
self._ipv6_rpfilter = "strict"
+ elif value.lower() in ["loose"]:
+ self._ipv6_rpfilter = "loose"
log.debug1(f"IPv6_rpfilter is set to '{self._ipv6_rpfilter}'")
if self._firewalld_conf.get("IndividualCalls"):
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 1a0cea7a3b4e..339840c37ba4 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -1456,13 +1456,17 @@ class ip6tables(ip4tables):
def build_rpfilter_rules(self, log_denied=False):
rules = []
- rules.append([ "-I", "PREROUTING", "-t", "mangle",
- "-m", "rpfilter", "--invert", "--validmark",
- "-j", "DROP" ])
+ rpfilter_fragment = ["-m", "rpfilter", "--invert", "--validmark"]
+ if self._fw._ipv6_rpfilter == "loose":
+ rpfilter_fragment += ["--loose"]
+
+ rules.append([ "-I", "PREROUTING", "-t", "mangle" ]
+ + rpfilter_fragment +
+ [ "-j", "DROP" ])
if log_denied != "off":
- rules.append([ "-I", "PREROUTING", "-t", "mangle",
- "-m", "rpfilter", "--invert", "--validmark",
- "-j", "LOG",
+ rules.append([ "-I", "PREROUTING", "-t", "mangle" ]
+ + rpfilter_fragment +
+ [ "-j", "LOG",
"--log-prefix", "rpfilter_DROP: " ])
rules.append([ "-I", "PREROUTING", "-t", "mangle",
"-p", "ipv6-icmp",
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index e9816147ef8e..9827e84042ef 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1614,10 +1614,16 @@ class nftables(object):
def build_rpfilter_rules(self, log_denied=False):
rules = []
+
+ if self._fw._ipv6_rpfilter == "loose":
+ fib_flags = ["saddr", "mark"]
+ else:
+ fib_flags = ["saddr", "mark", "iif"]
+
expr_fragments = [{"match": {"left": {"meta": {"key": "nfproto"}},
"op": "==",
"right": "ipv6"}},
- {"match": {"left": {"fib": {"flags": ["saddr", "iif", "mark"],
+ {"match": {"left": {"fib": {"flags": fib_flags,
"result": "oif"}},
"op": "==",
"right": False}}]
diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
index 58a4b4500330..23cd9e0e8d7f 100644
--- a/src/tests/features/rpfilter.at
+++ b/src/tests/features/rpfilter.at
@@ -24,6 +24,32 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
FWD_END_TEST()
+FWD_START_TEST([rpfilter - loose])
+AT_KEYWORDS(rpfilter)
+CHECK_NFTABLES_FIB()
+
+AT_CHECK([sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=loose/' ./firewalld.conf])
+FWD_RELOAD()
+
+NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain filter_PREROUTING {
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . mark oif missing drop
+ }
+ }
+])
+
+IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+ ACCEPT 58 -- ::/0 ::/0 ipv6-icmptype 134
+ ACCEPT 58 -- ::/0 ::/0 ipv6-icmptype 135
+ DROP 0 -- ::/0 ::/0 rpfilter loose validmark invert
+ PREROUTING_direct 0 -- ::/0 ::/0
+ PREROUTING_ZONES 0 -- ::/0 ::/0
+])
+
+FWD_END_TEST()
+
FWD_START_TEST([rpfilter - config values])
AT_KEYWORDS(rpfilter)
CHECK_NFTABLES_FIB()
--
2.43.5

View File

@ -0,0 +1,229 @@
From a965defecfad03530f3374271fb4889ff895ab1c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 14 May 2024 12:16:44 -0400
Subject: [PATCH 17/22] v2.2.0: feat(IPv6_rpfilter): support loose-forward
rpfilter
This adds a new config value for IPv6_rpfilter, loose-forward. In this
mode the rpfilter occurs only for forwarded packets using the "loose"
algorithm from RFC 3704. This is a significant performance improvement
for end-stations that have a single default route because the RPF check
is completely absent on INPUT.
This new value is NOT compatible with the iptables backend. This is
enforced by configuration checks.
(cherry picked from commit fb692d2e560253c97c7fdd1e9fdbfcc8c61d0eba)
---
config/firewalld.conf | 2 ++
doc/xml/firewalld.conf.xml | 2 ++
src/firewall/config/__init__.py.in | 3 ++-
src/firewall/core/fw.py | 2 ++
src/firewall/core/io/firewalld_conf.py | 15 +++++++++++
src/firewall/core/nftables.py | 30 ++++++++++++++-------
src/tests/features/rpfilter.at | 36 ++++++++++++++++++++++++++
7 files changed, 79 insertions(+), 11 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index c35caf9f152b..5d0777d54b15 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -36,6 +36,8 @@ Lockdown=no
# verifies that there is a route back to the source through any
# interface; even if it's not the same one on which the packet
# arrived.
+# - loose-forward: This is almost identical to "loose", but does not perform
+# RPF for packets targeted to the host (INPUT).
# - no: RPF is completely disabled.
#
# The rp_filter for IPv4 is controlled using sysctl.
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 279a149ab2a1..1303758347e2 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -131,6 +131,8 @@
verifies that there is a route back to the source through any
interface; even if it's not the same one on which the packet
arrived.
+ - loose-forward: This is almost identical to "loose", but does not perform
+ RPF for packets targeted to the host (INPUT).
- no: RPF is completely disabled.
The rp_filter for IPv4 is controlled using sysctl.
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 6bfe96be35a6..f2c4c9f5afa1 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -120,7 +120,8 @@ COMMANDS = {
LOG_DENIED_VALUES = [ "all", "unicast", "broadcast", "multicast", "off" ]
AUTOMATIC_HELPERS_VALUES = [ "yes", "no", "system" ]
FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
-IPV6_RPFILTER_VALUES = ["yes", "true", "no", "false", "strict", "loose"]
+IPV6_RPFILTER_VALUES = ["yes", "true", "no", "false", "strict", "loose",
+ "loose-forward"]
# fallbacks: will be overloaded by firewalld.conf
FALLBACK_ZONE = "public"
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index d9724e9c8534..8c20a4a606e2 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -335,6 +335,8 @@ class Firewall(object):
self._ipv6_rpfilter = "strict"
elif value.lower() in ["loose"]:
self._ipv6_rpfilter = "loose"
+ elif value.lower() in ["loose-forward"]:
+ self._ipv6_rpfilter = "loose-forward"
log.debug1(f"IPv6_rpfilter is set to '{self._ipv6_rpfilter}'")
if self._firewalld_conf.get("IndividualCalls"):
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 9ad64883b656..159715df7ede 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -26,6 +26,7 @@ import shutil
from firewall import config
from firewall.core.logger import log
+from firewall import errors
valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
@@ -81,6 +82,18 @@ class firewalld_conf(object):
self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no")
self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no")
+ def sanity_check(self):
+ if (
+ self.get("FirewallBackend") == "iptables"
+ and self.get("IPv6_rpfilter") == "loose-forward"
+ ):
+ raise errors.FirewallError(
+ errors.INVALID_VALUE,
+ "IPv6_rpfilter=loose-forward is incompatible "
+ "with FirewallBackend=iptables. This is a limitation "
+ "of the iptables backend.",
+ )
+
# load self.filename
def read(self):
self.clear()
@@ -238,6 +251,8 @@ class firewalld_conf(object):
config.FALLBACK_ALLOW_ZONE_DRIFTING)
self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no")
+ self.sanity_check()
+
# save to self.filename if there are key/value changes
def write(self):
if len(self._config) < 1:
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 9827e84042ef..da2d8eb8ec29 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1614,9 +1614,13 @@ class nftables(object):
def build_rpfilter_rules(self, log_denied=False):
rules = []
+ rpfilter_chain = "filter_PREROUTING"
if self._fw._ipv6_rpfilter == "loose":
fib_flags = ["saddr", "mark"]
+ elif self._fw._ipv6_rpfilter == "loose-forward":
+ fib_flags = ["saddr", "mark"]
+ rpfilter_chain = "filter_FORWARD"
else:
fib_flags = ["saddr", "mark", "iif"]
@@ -1633,17 +1637,19 @@ class nftables(object):
rules.append({"insert": {"rule": {"family": "inet",
"table": TABLE_NAME,
- "chain": "filter_PREROUTING",
+ "chain": rpfilter_chain,
"expr": expr_fragments}}})
# RHBZ#1058505, RHBZ#1575431 (bug in kernel 4.16-4.17)
- rules.append({"insert": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "filter_PREROUTING",
- "expr": [{"match": {"left": {"payload": {"protocol": "icmpv6",
- "field": "type"}},
- "op": "==",
- "right": {"set": ["nd-router-advert", "nd-neighbor-solicit"]}}},
- {"accept": None}]}}})
+ if self._fw._ipv6_rpfilter != "loose-forward":
+ # this rule doesn't make sense for forwarded packets
+ rules.append({"insert": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": rpfilter_chain,
+ "expr": [{"match": {"left": {"payload": {"protocol": "icmpv6",
+ "field": "type"}},
+ "op": "==",
+ "right": {"set": ["nd-router-advert", "nd-neighbor-solicit"]}}},
+ {"accept": None}]}}})
return rules
def build_rfc3964_ipv4_rules(self):
@@ -1674,7 +1680,11 @@ class nftables(object):
"chain": "filter_OUTPUT",
"index": 1,
"expr": expr_fragments}}})
- forward_index = 4 if self._fw.get_log_denied() != "off" else 3
+ forward_index = 3
+ if self._fw.get_log_denied() != "off":
+ forward_index += 1
+ if self._fw._ipv6_rpfilter == "loose-forward":
+ forward_index += 1
rules.append({"add": {"rule": {"family": "inet",
"table": TABLE_NAME,
"chain": "filter_FORWARD",
diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
index 23cd9e0e8d7f..5c25ed7e16f0 100644
--- a/src/tests/features/rpfilter.at
+++ b/src/tests/features/rpfilter.at
@@ -50,6 +50,42 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
FWD_END_TEST()
+FWD_START_TEST([rpfilter - loose-forward])
+AT_KEYWORDS(rpfilter)
+CHECK_NFTABLES_FIB()
+CHECK_NFTABLES_FIB_IN_FORWARD()
+
+AT_CHECK([sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=loose-forward/' ./firewalld.conf])
+m4_if(iptables, FIREWALL_BACKEND, [
+FWD_RELOAD(114, [ignore], [ignore])
+], [
+FWD_RELOAD()
+])
+
+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD {
+ meta nfproto ipv6 fib saddr . mark oif missing drop
+ ct state established,related accept
+ ct status dnat accept
+ iifname "lo" accept
+ ct state invalid drop
+ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
+ jump filter_FORWARD_ZONES
+ reject with icmpx admin-prohibited
+ }
+ }
+])
+
+NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain filter_PREROUTING {
+ }
+ }
+])
+
+FWD_END_TEST([-e "/^ERROR: INVALID_VALUE:/d"])
+
FWD_START_TEST([rpfilter - config values])
AT_KEYWORDS(rpfilter)
CHECK_NFTABLES_FIB()
--
2.43.5

View File

@ -0,0 +1,183 @@
From 7629e1c24b73d8c1e56d275c07076bc3bf99caad Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 17 May 2024 10:05:04 -0400
Subject: [PATCH 18/22] v2.2.0: feat(IPv6_rpfilter): support strict-forward
rpfilter
(cherry picked from commit 98e5cbb862885e00981611a79f7a3186da5d1050)
---
config/firewalld.conf | 2 ++
doc/xml/firewalld.conf.xml | 5 +++-
src/firewall/config/__init__.py.in | 2 +-
src/firewall/core/fw.py | 2 ++
src/firewall/core/io/firewalld_conf.py | 8 +++---
src/firewall/core/nftables.py | 7 +++--
src/tests/features/rpfilter.at | 36 ++++++++++++++++++++++++++
7 files changed, 54 insertions(+), 8 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 5d0777d54b15..cf95af3eea8e 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -36,6 +36,8 @@ Lockdown=no
# verifies that there is a route back to the source through any
# interface; even if it's not the same one on which the packet
# arrived.
+# - strict-forward: This is almost identical to "strict", but does not perform
+# RPF for packets targeted to the host (INPUT).
# - loose-forward: This is almost identical to "loose", but does not perform
# RPF for packets targeted to the host (INPUT).
# - no: RPF is completely disabled.
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 1303758347e2..4b9bfdad15be 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -131,6 +131,8 @@
verifies that there is a route back to the source through any
interface; even if it's not the same one on which the packet
arrived.
+ - strict-forward: This is almost identical to "loose", but does not perform
+ RPF for packets targeted to the host (INPUT).
- loose-forward: This is almost identical to "loose", but does not perform
RPF for packets targeted to the host (INPUT).
- no: RPF is completely disabled.
@@ -144,7 +146,8 @@
the established connections fast path. As such it can have a
significant performance impact if there is a lot of traffic. It's
enabled by default for security, but can be disabled if performance is
- a concern.
+ a concern. Alternatively one of the variants that only does RPF on
+ forwarded packets may be used.
</para>
</listitem>
</varlistentry>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index f2c4c9f5afa1..2eda337e8180 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -121,7 +121,7 @@ LOG_DENIED_VALUES = [ "all", "unicast", "broadcast", "multicast", "off" ]
AUTOMATIC_HELPERS_VALUES = [ "yes", "no", "system" ]
FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
IPV6_RPFILTER_VALUES = ["yes", "true", "no", "false", "strict", "loose",
- "loose-forward"]
+ "loose-forward", "strict-forward"]
# fallbacks: will be overloaded by firewalld.conf
FALLBACK_ZONE = "public"
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 8c20a4a606e2..f91ff53fc37a 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -337,6 +337,8 @@ class Firewall(object):
self._ipv6_rpfilter = "loose"
elif value.lower() in ["loose-forward"]:
self._ipv6_rpfilter = "loose-forward"
+ elif value.lower() in ["strict-forward"]:
+ self._ipv6_rpfilter = "strict-forward"
log.debug1(f"IPv6_rpfilter is set to '{self._ipv6_rpfilter}'")
if self._firewalld_conf.get("IndividualCalls"):
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 159715df7ede..20072e26cfcd 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -83,13 +83,13 @@ class firewalld_conf(object):
self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no")
def sanity_check(self):
- if (
- self.get("FirewallBackend") == "iptables"
- and self.get("IPv6_rpfilter") == "loose-forward"
+ if self.get("FirewallBackend") == "iptables" and self.get("IPv6_rpfilter") in (
+ "loose-forward",
+ "strict-forward",
):
raise errors.FirewallError(
errors.INVALID_VALUE,
- "IPv6_rpfilter=loose-forward is incompatible "
+ f"IPv6_rpfilter={self.get('IPv6_rpfilter')} is incompatible "
"with FirewallBackend=iptables. This is a limitation "
"of the iptables backend.",
)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index da2d8eb8ec29..5a49b34e3a4f 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1621,6 +1621,9 @@ class nftables(object):
elif self._fw._ipv6_rpfilter == "loose-forward":
fib_flags = ["saddr", "mark"]
rpfilter_chain = "filter_FORWARD"
+ elif self._fw._ipv6_rpfilter == "strict-forward":
+ fib_flags = ["saddr", "mark", "iif"]
+ rpfilter_chain = "filter_FORWARD"
else:
fib_flags = ["saddr", "mark", "iif"]
@@ -1640,7 +1643,7 @@ class nftables(object):
"chain": rpfilter_chain,
"expr": expr_fragments}}})
# RHBZ#1058505, RHBZ#1575431 (bug in kernel 4.16-4.17)
- if self._fw._ipv6_rpfilter != "loose-forward":
+ if self._fw._ipv6_rpfilter not in ("loose-forward", "strict-forward"):
# this rule doesn't make sense for forwarded packets
rules.append({"insert": {"rule": {"family": "inet",
"table": TABLE_NAME,
@@ -1683,7 +1686,7 @@ class nftables(object):
forward_index = 3
if self._fw.get_log_denied() != "off":
forward_index += 1
- if self._fw._ipv6_rpfilter == "loose-forward":
+ if self._fw._ipv6_rpfilter in ("loose-forward", "strict-forward"):
forward_index += 1
rules.append({"add": {"rule": {"family": "inet",
"table": TABLE_NAME,
diff --git a/src/tests/features/rpfilter.at b/src/tests/features/rpfilter.at
index 5c25ed7e16f0..9ad50c993ba0 100644
--- a/src/tests/features/rpfilter.at
+++ b/src/tests/features/rpfilter.at
@@ -50,6 +50,42 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
FWD_END_TEST()
+FWD_START_TEST([rpfilter - strict-forward])
+AT_KEYWORDS(rpfilter)
+CHECK_NFTABLES_FIB()
+CHECK_NFTABLES_FIB_IN_FORWARD()
+
+AT_CHECK([sed -i 's/^IPv6_rpfilter.*/IPv6_rpfilter=strict-forward/' ./firewalld.conf])
+m4_if(iptables, FIREWALL_BACKEND, [
+FWD_RELOAD(114, [ignore], [ignore])
+], [
+FWD_RELOAD()
+])
+
+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD {
+ meta nfproto ipv6 fib saddr . mark . iif oif missing drop
+ ct state established,related accept
+ ct status dnat accept
+ iifname "lo" accept
+ ct state invalid drop
+ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
+ jump filter_FORWARD_ZONES
+ reject with icmpx admin-prohibited
+ }
+ }
+])
+
+NFT_LIST_RULES([inet], [filter_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain filter_PREROUTING {
+ }
+ }
+])
+
+FWD_END_TEST([-e "/^ERROR: INVALID_VALUE:/d"])
+
FWD_START_TEST([rpfilter - loose-forward])
AT_KEYWORDS(rpfilter)
CHECK_NFTABLES_FIB()
--
2.43.5

View File

@ -0,0 +1,31 @@
From e031ce8e41d2fc23735be91f7070127f8812b490 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 21 Jun 2024 16:17:44 -0400
Subject: [PATCH 19/22] v2.2.0: test(functions): start firewalld with file
logging
This is a test environment. Trying to log to syslog does not make sense.
The default, mixed, sends to both file and syslog, but with different
log level settings.
(cherry picked from commit 5e0c28d5f7f71a216485169610d8c72a3a3518d1)
---
src/tests/functions.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index b2372dd4075b..d1c89ed5b982 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -9,7 +9,7 @@ m4_define([FWD_STOP_FIREWALLD], [
])
m4_define([FWD_START_FIREWALLD], [
- FIREWALLD_ARGS="--nofork --nopid --log-file ./firewalld.log --system-config ./"
+ FIREWALLD_ARGS="--nofork --nopid --log-file ./firewalld.log --log-target file --system-config ./"
dnl if testsuite ran with debug flag, add debug output
${at_debug_p} && FIREWALLD_ARGS="--debug=9 ${FIREWALLD_ARGS}"
if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
--
2.43.5

View File

@ -0,0 +1,417 @@
From ce75ad2920f457d5b2ce578ead5d8c64f0daa490 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 21 Jun 2024 17:38:29 -0400
Subject: [PATCH 20/22] v2.2.0: feat(nftables): table ownership
This allows using the nftables table flags "owner" and "persist". When
these are in use ONLY firewalld will be able to change the firewalld
table/rules. All other processes will be blocked. This enhances
firewalld robustness by guaranteeing that firewalld's rules can not be
modified without it's knowledge, e.g. by other entities.
This also allows firewalld and nftables services to coexist. An "nft
flush ruleset" will NOT flush the "firewalld" table.
Fixes: RHEL-17002
(cherry picked from commit becd083fc2905921651af73cb15ce8c9aba9203b)
---
config/firewalld.conf | 8 +++
doc/xml/firewalld.conf.xml | 13 ++++
doc/xml/firewalld.dbus.xml | 11 ++++
src/firewall/config/__init__.py.in | 1 +
src/firewall/core/fw.py | 22 +++++++
src/firewall/core/io/firewalld_conf.py | 6 +-
src/firewall/core/nftables.py | 83 ++++++++++++++++++++++----
src/firewall/server/config.py | 16 +++--
src/tests/dbus/firewalld.conf.at | 2 +
src/tests/regression/rhbz2222044.at | 5 ++
10 files changed, 150 insertions(+), 17 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index cf95af3eea8e..28345a13d54e 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -93,3 +93,11 @@ ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:DROP
# internet.
# Defaults to "yes".
RFC3964_IPv4=yes
+
+# NftablesTableOwner
+# If set to yes, the generated nftables rule set will be owned exclusively by
+# firewalld. This prevents other entities from mistakenly (or maliciously)
+# modifying firewalld's rule set. If you intentionally modify firewalld's
+# rules, then you will have to set this to "no".
+# Defaults to "yes".
+NftablesTableOwner=yes
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 4b9bfdad15be..cf7134c04012 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -247,6 +247,19 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>NftablesTableOwner</option></term>
+ <listitem>
+ <para>
+ If set to yes, the generated nftables rule set will be owned exclusively by
+ firewalld. This prevents other entities from mistakenly (or maliciously)
+ modifying firewalld's rule set. If you intentionally modify firewalld's
+ rules, then you will have to set this to "no".
+ Defaults to "yes".
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index f04cf5ae757b..00d7e8fbe5b1 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2905,6 +2905,17 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry id="FirewallD1.config.Properties.NftablesTableOwner">
+ <term>NftablesTableOwner - s - (rw)</term>
+ <listitem>
+ <para>
+ If set to yes, the generated nftables rule set will be owned exclusively by
+ firewalld. This prevents other entities from mistakenly (or maliciously)
+ modifying firewalld's rule set. If you intentionally modify firewalld's
+ rules, then you will have to set this to "no".
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect3>
</refsect2>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 2eda337e8180..16291fcf795a 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -138,3 +138,4 @@ FALLBACK_FLUSH_ALL_ON_RELOAD = True
FALLBACK_RELOAD_POLICY = "INPUT:DROP,FORWARD:DROP,OUTPUT:DROP"
FALLBACK_RFC3964_IPV4 = True
FALLBACK_ALLOW_ZONE_DRIFTING = False
+FALLBACK_NFTABLES_TABLE_OWNER = True
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index f91ff53fc37a..557b6e527dbd 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -119,6 +119,7 @@ class Firewall(object):
self._flush_all_on_reload = config.FALLBACK_FLUSH_ALL_ON_RELOAD
self._rfc3964_ipv4 = config.FALLBACK_RFC3964_IPV4
self._allow_zone_drifting = config.FALLBACK_ALLOW_ZONE_DRIFTING
+ self._nftables_table_owner = config.FALLBACK_NFTABLES_TABLE_OWNER
if self._offline:
self.ip4tables_enabled = False
@@ -290,6 +291,17 @@ class Firewall(object):
log.debug1("ebtables-restore is not supporting the --noflush "
"option, will therefore not be used")
+ self.nftables_backend.probe_support()
+
+ if (
+ self._nftables_table_owner
+ and not self.nftables_backend.supports_table_owner
+ ):
+ log.info1(
+ "Configuration has NftablesTableOwner=True, but it's "
+ "not supported by nftables. Table ownership will be disabled."
+ )
+
def _start_load_firewalld_conf(self):
# load firewalld config
log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF)
@@ -378,6 +390,16 @@ class Firewall(object):
log.debug1("RFC3964_IPv4 is set to '%s'",
self._rfc3964_ipv4)
+ if self._firewalld_conf.get("NftablesTableOwner"):
+ value = self._firewalld_conf.get("NftablesTableOwner")
+ if value.lower() in ["no", "false"]:
+ self._nftables_table_owner = False
+ else:
+ self._nftables_table_owner = True
+ log.debug1(
+ "NftablesTableOwner is set to '%s'", self._nftables_table_owner
+ )
+
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
def _start_load_lockdown_whitelist(self):
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 20072e26cfcd..d5b47666c0f0 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -32,7 +32,7 @@ valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
"IndividualCalls", "LogDenied", "AutomaticHelpers",
"FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
- "AllowZoneDrifting", "ReloadPolicy" ]
+ "AllowZoneDrifting", "ReloadPolicy", "NftablesTableOwner" ]
class firewalld_conf(object):
def __init__(self, filename):
@@ -81,6 +81,10 @@ class firewalld_conf(object):
self.set("ReloadPolicy", config.FALLBACK_RELOAD_POLICY)
self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no")
self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no")
+ self.set(
+ "NftablesTableOwner",
+ "yes" if config.FALLBACK_NFTABLES_TABLE_OWNER else "no",
+ )
def sanity_check(self):
if self.get("FirewallBackend") == "iptables" and self.get("IPv6_rpfilter") in (
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 5a49b34e3a4f..8115bcb9d7f4 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -36,6 +36,7 @@ from nftables.nftables import Nftables
TABLE_NAME = "firewalld"
TABLE_NAME_POLICY = TABLE_NAME + "_" + "policy_drop"
+TABLE_NAME_PROBE = TABLE_NAME + "_" + "probe"
POLICY_CHAIN_PREFIX = "policy_"
# Map iptables (table, chain) to hooks and priorities.
@@ -169,6 +170,7 @@ class nftables(object):
def __init__(self, fw):
self._fw = fw
self.restore_command_exists = True
+ self.supports_table_owner = False
self.available_tables = []
self.rule_to_handle = {}
self.rule_ref_count = {}
@@ -180,6 +182,57 @@ class nftables(object):
self.nftables.set_echo_output(True)
self.nftables.set_handle_output(True)
+ def _probe_support_table_owner(self):
+ try:
+ rules = {
+ "nftables": [
+ {"metainfo": {"json_schema_version": 1}},
+ {
+ "add": {
+ "table": {
+ "family": "inet",
+ "name": TABLE_NAME_PROBE,
+ "flags": ["owner", "persist"],
+ }
+ }
+ },
+ ]
+ }
+
+ rc, output, _ = self.nftables.json_cmd(rules)
+ if rc:
+ raise ValueError("nftables probe table owner failed")
+
+ # old nftables versions would ignore table flags in JSON, so we
+ # must parse back and verify the flags are set.
+ rules = {
+ "nftables": [
+ {"metainfo": {"json_schema_version": 1}},
+ {"list": {"table": {"family": "inet", "name": TABLE_NAME_PROBE}}},
+ ]
+ }
+ self.nftables.set_echo_output(False)
+ rc, output, _ = self.nftables.json_cmd(rules)
+ self.nftables.set_echo_output(True)
+ flags = output["nftables"][1]["table"]["flags"]
+
+ self.set_rule(
+ {"delete": {"table": {"family": "inet", "name": TABLE_NAME_PROBE}}},
+ self._fw.get_log_denied(),
+ )
+
+ if "owner" not in flags or "persist" not in flags:
+ raise ValueError("nftables probe table owner failed")
+
+ log.debug2("nftables: probe_support(): owner flag is supported.")
+ self.supports_table_owner = True
+ except:
+ log.debug2("nftables: probe_support(): owner flag is NOT supported.")
+ self.supports_table_owner = False
+
+ def probe_support(self):
+ self._probe_support_table_owner()
+
def _run_replace_zone_source(self, rule, zone_source_index_cache):
for verb in ["add", "insert", "delete"]:
if verb in rule:
@@ -401,16 +454,27 @@ class nftables(object):
# Tables always exist in nftables
return [table] if table else IPTABLES_TO_NFT_HOOK.keys()
+ def _build_add_table_rules(self, table):
+ rule = {"add": {"table": {"family": "inet", "name": table}}}
+
+ if (
+ table == TABLE_NAME
+ and self._fw._nftables_table_owner
+ and self.supports_table_owner
+ ):
+ rule["add"]["table"]["flags"] = ["owner", "persist"]
+
+ return [rule]
+
def _build_delete_table_rules(self, table):
# To avoid nftables returning ENOENT we always add the table before
# deleting to guarantee it will exist.
#
# In the future, this add+delete should be replaced with "destroy", but
# that verb is too new to rely upon.
- return [{"add": {"table": {"family": "inet",
- "name": table}}},
- {"delete": {"table": {"family": "inet",
- "name": table}}}]
+ return self._build_add_table_rules(table) + [
+ {"delete": {"table": {"family": "inet", "name": table}}},
+ ]
def build_flush_rules(self):
self.rule_to_handle = {}
@@ -437,8 +501,7 @@ class nftables(object):
# a higher priority than our base chains is sufficient.
rules = []
if policy == "PANIC":
- rules.append({"add": {"table": {"family": "inet",
- "name": TABLE_NAME_POLICY}}})
+ rules.extend(self._build_add_table_rules(TABLE_NAME_POLICY))
# Use "raw" priority for panic mode. This occurs before
# conntrack, mangle, nat, etc
@@ -451,8 +514,7 @@ class nftables(object):
"prio": -300 + NFT_HOOK_OFFSET - 1,
"policy": "drop"}}})
elif policy == "DROP":
- rules.append({"add": {"table": {"family": "inet",
- "name": TABLE_NAME_POLICY}}})
+ rules.extend(self._build_add_table_rules(TABLE_NAME_POLICY))
# To drop everything except existing connections we use
# "filter" because it occurs _after_ conntrack.
@@ -511,10 +573,7 @@ class nftables(object):
return list(supported)
def build_default_tables(self):
- default_tables = []
- default_tables.append({"add": {"table": {"family": "inet",
- "name": TABLE_NAME}}})
- return default_tables
+ return self._build_add_table_rules(TABLE_NAME)
def build_default_rules(self, log_denied="off"):
default_rules = []
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index b805e497bb05..c07a1e6a2503 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -110,6 +110,7 @@ class FirewallDConfig(DbusServiceObject):
"FlushAllOnReload": "readwrite",
"RFC3964_IPv4": "readwrite",
"AllowZoneDrifting": "readwrite",
+ "NftablesTableOwner": "readwrite",
}
)
@@ -565,7 +566,7 @@ class FirewallDConfig(DbusServiceObject):
"CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
"IndividualCalls", "LogDenied", "AutomaticHelpers",
"FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
- "AllowZoneDrifting", "IPv6_rpfilter2" ]:
+ "AllowZoneDrifting", "IPv6_rpfilter2", "NftablesTableOwner" ]:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
"Property '%s' does not exist" % prop)
@@ -631,6 +632,10 @@ class FirewallDConfig(DbusServiceObject):
if value is None:
value = "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no"
return dbus.String(value)
+ elif prop == "NftablesTableOwner":
+ if value is None:
+ value = "yes" if config.FALLBACK_NFTABLES_TABLE_OWNER else "no"
+ return dbus.String(value)
@dbus_handle_exceptions
def _get_dbus_property(self, prop):
@@ -662,6 +667,8 @@ class FirewallDConfig(DbusServiceObject):
return dbus.String(self._get_property(prop))
elif prop == "AllowZoneDrifting":
return dbus.String(self._get_property(prop))
+ elif prop == "NftablesTableOwner":
+ return dbus.String(self._get_property(prop))
else:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
@@ -701,7 +708,7 @@ class FirewallDConfig(DbusServiceObject):
"CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
"IndividualCalls", "LogDenied", "AutomaticHelpers",
"FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
- "AllowZoneDrifting", "IPv6_rpfilter2" ]:
+ "AllowZoneDrifting", "IPv6_rpfilter2", "NftablesTableOwner" ]:
ret[x] = self._get_property(x)
elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
@@ -730,11 +737,12 @@ class FirewallDConfig(DbusServiceObject):
"IPv6_rpfilter", "IndividualCalls",
"LogDenied",
"FirewallBackend", "FlushAllOnReload",
- "RFC3964_IPv4", "IPv6_rpfilter2"]:
+ "RFC3964_IPv4", "IPv6_rpfilter2",
+ "NftablesTableOwner" ]:
if property_name in [ "CleanupOnExit", "CleanupModulesOnExit",
"Lockdown", "IPv6_rpfilter",
"IndividualCalls", "FlushAllOnReload",
- "RFC3964_IPv4"]:
+ "RFC3964_IPv4", "NftablesTableOwner" ]:
if new_value.lower() not in [ "yes", "no",
"true", "false" ]:
raise FirewallError(errors.INVALID_VALUE,
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 61c220f3e59c..2ead41baa00a 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -30,6 +30,7 @@ string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALL
string "Lockdown" : variant string "no"
string "LogDenied" : variant string "off"
string "MinimalMark" : variant int32 100
+string "NftablesTableOwner" : variant string "yes"
string "RFC3964_IPv4" : variant string "yes"
])
@@ -54,6 +55,7 @@ _helper([CleanupModulesOnExit], [string:"yes"], [variant string "yes"])
_helper([CleanupOnExit], [string:"no"], [variant string "no"])
_helper([RFC3964_IPv4], [string:"no"], [variant string "no"])
_helper([AllowZoneDrifting], [string:"yes"], [variant string "no"])
+_helper([NftablesTableOwner], [string:"no"], [variant string "no"])
dnl Note: DefaultZone is RO
m4_undefine([_helper])
diff --git a/src/tests/regression/rhbz2222044.at b/src/tests/regression/rhbz2222044.at
index 7e3454509188..2d0333865076 100644
--- a/src/tests/regression/rhbz2222044.at
+++ b/src/tests/regression/rhbz2222044.at
@@ -2,6 +2,11 @@ FWD_START_TEST([duplicate rules after restart])
AT_KEYWORDS(rhbz2222044)
AT_SKIP_IF([! NS_CMD([command -v wc >/dev/null 2>&1])])
+dnl Disable for this test because CI do not support table owner. It's very new
+dnl in nftables.
+AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=no/' ./firewalld.conf])
+FWD_RELOAD()
+
dnl rules have not changed so rule count should not change
m4_define([check_rule_count], [
m4_if(nftables, FIREWALL_BACKEND, [
--
2.43.5

View File

@ -0,0 +1,69 @@
From bf91ea35e7faf66484bdae7d0b3260c4717ee39a Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 18 Jun 2024 16:20:06 -0400
Subject: [PATCH 21/22] v2.2.0: test(nftables): table ownership
Coverage: RHEL-17002
(cherry picked from commit e7728b843c2ec3a61dbe436575c977e2ad9c8674)
---
src/tests/features/features.at | 1 +
src/tests/features/nftables_table_owner.at | 38 ++++++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 src/tests/features/nftables_table_owner.at
diff --git a/src/tests/features/features.at b/src/tests/features/features.at
index 065cb2872e88..83ad9d122189 100644
--- a/src/tests/features/features.at
+++ b/src/tests/features/features.at
@@ -21,3 +21,4 @@ m4_include([features/ipset.at])
m4_include([features/reset_defaults.at])
m4_include([features/iptables_no_flush_on_shutdown.at])
m4_include([features/reloadpolicy.at])
+m4_include([features/nftables_table_owner.at])
diff --git a/src/tests/features/nftables_table_owner.at b/src/tests/features/nftables_table_owner.at
new file mode 100644
index 000000000000..abc946da0ad7
--- /dev/null
+++ b/src/tests/features/nftables_table_owner.at
@@ -0,0 +1,38 @@
+m4_if(nftables, FIREWALL_BACKEND, [
+FWD_START_TEST([nftables table owner])
+AT_KEYWORDS(RHEL-17002)
+
+AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=yes/' ./firewalld.conf])
+FWD_RELOAD()
+
+AT_SKIP_IF([grep "Configuration has NftablesTableOwner=True, but it's not supported by nftables." ./firewalld.log])
+
+NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl
+ table inet firewalld { # progname firewalld
+ flags owner,persist
+])])
+
+dnl Test the transitions from On to Off
+dnl
+
+AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=no/' ./firewalld.conf])
+FWD_RELOAD()
+
+NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl
+ table inet firewalld {
+ chain mangle_PREROUTING {
+])])
+
+dnl Test the transitions from Off to On
+dnl
+
+AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=yes/' ./firewalld.conf])
+FWD_RELOAD()
+
+NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl
+ table inet firewalld { # progname firewalld
+ flags owner,persist
+])])
+
+FWD_END_TEST()
+])
--
2.43.5

View File

@ -0,0 +1,29 @@
From 8d87974a34c055e0daee3a83f11c539fc98fd6bf Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 26 Jun 2024 15:31:38 -0400
Subject: [PATCH 22/22] v2.2.0: chore(service): remove Conflicts with nftables
Now that firewalld uses the table owner flag it can coexist with the
nftables service.
(cherry picked from commit 9c6cb982981ad0aee5b85773823614ca7fd69073)
---
config/firewalld.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/firewalld.service.in b/config/firewalld.service.in
index afbe0ac5def7..b757a08f28dc 100644
--- a/config/firewalld.service.in
+++ b/config/firewalld.service.in
@@ -4,7 +4,7 @@ Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
-Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
+Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
Documentation=man:firewalld(1)
[Service]
--
2.43.5

View File

@ -1,7 +1,7 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld Name: firewalld
Version: 1.3.4 Version: 1.3.4
Release: 1%{?dist} Release: 7%{?dist}
URL: http://www.firewalld.org URL: http://www.firewalld.org
License: GPLv2+ License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2
@ -9,6 +9,24 @@ Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
Patch2: 0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch Patch2: 0002-v1.4.0-test-atlocal-pass-EBTABLES-to-testsuite.patch
Patch3: 0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch Patch3: 0003-v1.4.0-feat-direct-avoid-iptables-flush-if-using-nft.patch
Patch4: 0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch Patch4: 0004-v1.4.0-test-direct-avoid-iptables-flush-if-using-nft.patch
Patch5: 0005-v2.0.0-feat-service-add-OpenTelemetry-OTLP-service.patch
Patch6: 0006-v2.1.0-feat-icmp-add-ICMPv6-Multicast-Listener-Disco.patch
Patch7: 0007-v2.1.0-fix-rich-validate-service-name-of-rich-rule.patch
Patch8: 0008-v2.1.0-improvement-nftables-do-not-track-rule-handle.patch
Patch9: 0009-v2.1.0-improvement-fw-make-set_policy-DROP-more-flex.patch
Patch10: 0010-v2.1.0-feat-fw-add-ReloadPolicy-option-in-firewalld..patch
Patch11: 0011-v2.2.0-test-functions-add-macro-CHECK_NFTABLES_FIB.patch
Patch12: 0012-v2.2.0-test-functions-add-macro-CHECK_NFTABLES_FIB_I.patch
Patch13: 0013-v2.2.0-test-rpfilter-use-CHECK-macros.patch
Patch14: 0014-v2.2.0-test-IPv6_rpfilter-verify-valid-values.patch
Patch15: 0015-v2.2.0-chore-IPv6_rpfilter-prepare-for-new-config-va.patch
Patch16: 0016-v2.2.0-feat-IPv6_rpfilter-support-loose-rpfilter.patch
Patch17: 0017-v2.2.0-feat-IPv6_rpfilter-support-loose-forward-rpfi.patch
Patch18: 0018-v2.2.0-feat-IPv6_rpfilter-support-strict-forward-rpf.patch
Patch19: 0019-v2.2.0-test-functions-start-firewalld-with-file-logg.patch
Patch20: 0020-v2.2.0-feat-nftables-table-ownership.patch
Patch21: 0021-v2.2.0-test-nftables-table-ownership.patch
Patch22: 0022-v2.2.0-chore-service-remove-Conflicts-with-nftables.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -111,6 +129,8 @@ end
%autosetup -p1 %autosetup -p1
%build %build
# must run automake since patches touch .am files
./autogen.sh
%configure --enable-sysconfig --enable-rpmmacros PYTHON="%{__python3} %{py3_shbang_opts}" %configure --enable-sysconfig --enable-rpmmacros PYTHON="%{__python3} %{py3_shbang_opts}"
make %{?_smp_mflags} make %{?_smp_mflags}
@ -230,6 +250,26 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite
%{_mandir}/man1/firewall-config*.1* %{_mandir}/man1/firewall-config*.1*
%changelog %changelog
* Mon Jul 01 2024 Eric Garver <egarver@redhat.com> - 1.3.4-7
- feat(nftables): table ownership
* Mon Jul 01 2024 Eric Garver <egarver@redhat.com> - 1.3.4-6
- feat(IPv6_rpfilter): support loose rpfilter
- feat(IPv6_rpfilter): support loose-forward rpfilter
- feat(IPv6_rpfilter): support strict-forward rpfilter
* Mon Jul 01 2024 Eric Garver <egarver@redhat.com> - 1.3.4-5
- feat(fw): add ReloadPolicy option in firewalld.conf
* Mon Jul 01 2024 Eric Garver <egarver@redhat.com> - 1.3.4-4
- fix(rich): validate service name of rich rule
* Mon Jul 01 2024 Eric Garver <egarver@redhat.com> - 1.3.4-3
- feat(icmp): add ICMPv6 Multicast Listener Discovery (MLD) types
* Mon Jul 01 2024 Eric Garver <egarver@redhat.com> - 1.3.4-2
- feat(service): add OpenTelemetry (OTLP) service
* Thu Oct 26 2023 Eric Garver <egarver@redhat.com> - 1.3.4-1 * Thu Oct 26 2023 Eric Garver <egarver@redhat.com> - 1.3.4-1
- package rebase to v1.3.4 - package rebase to v1.3.4