From 53a98bc1d5e78efce48df990c08accc4df33f927 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Tue, 3 Jul 2018 16:01:07 -0400
Subject: [PATCH] backport fix for rhbz 1575431

Fixes: rhbz 1575431
---
 ...plicitly-allow-neighbor-solicitation.patch | 48 +++++++++++++++++++
 firewalld.spec | 11 +++--
 2 files changed, 54 insertions(+), 5 deletions(-)
 create mode 100644 0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch

diff --git a/0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch b/0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch
new file mode 100644
index 0000000..f0e3470
--- /dev/null
+++ b/0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch
@@ -0,0 +1,48 @@
+From 0cf02b4c0d4a3b7f55ded6d4d41cf184bc1881e0 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 3 Jul 2018 09:12:28 -0400
+Subject: [PATCH] IPv6 rpfilter: explicitly allow neighbor solicitation
+
+Some kernel versions (4.16-4.17) have a bug which causes the rpfilter
+extension to not match neighbor solicitation frames. This causes the
+IPv6 rpfilter to mistakenly drop them. Lets work around the buggy kernel
+versions by explicitly allowing neighbor solicitation.
+
+Fixes: rhbz 1575431
+(cherry picked from commit 3d6a5063566319b5df58c6f738f203e88724961e)
+---
+ src/firewall/core/ipXtables.py | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index 437808027155..c2aac90d838c 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -474,16 +474,21 @@ class ip6tables(ip4tables):
+ 
+     def apply_rpfilter_rules(self, transaction, log_denied=False):
+         transaction.add_rule(self.ipv,
+-                             [ "-I", "PREROUTING", "1", "-t", "raw",
++                             [ "-I", "PREROUTING", "1", "-t", "raw",
++                               "-p", "ipv6-icmp",
++                               "--icmpv6-type=neighbour-solicitation",
++                               "-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17
++        transaction.add_rule(self.ipv,
++                             [ "-I", "PREROUTING", "2", "-t", "raw",
+                               "-p", "ipv6-icmp",
+                               "--icmpv6-type=router-advertisement",
+                               "-j", "ACCEPT" ]) # RHBZ#1058505
+         transaction.add_rule(self.ipv,
+-                             [ "-I", "PREROUTING", "2", "-t", "raw",
++                             [ "-I", "PREROUTING", "3", "-t", "raw",
+                               "-m", "rpfilter", "--invert", "-j", "DROP" ])
+         if log_denied != "off":
+             transaction.add_rule(self.ipv,
+-                                 [ "-I", "PREROUTING", "2", "-t", "raw",
++                                 [ "-I", "PREROUTING", "3", "-t", "raw",
+                                   "-m", "rpfilter", "--invert",
+                                   "-j", "LOG",
+                                   "--log-prefix", "rpfilter_DROP: " ])
+-- 
+2.16.3
+
diff --git a/firewalld.spec b/firewalld.spec
index 7bdf6ad..d301baf 100644
--- a/firewalld.spec
+++ b/firewalld.spec
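Review bot: The new neighbour-solicitation ACCEPT inserted at position 1 exempts every ICMPv6 type 135 packet from the rpfilter anti-spoofing check that follows it, not only the frames the 4.16-4.17 kernels mis-match, and nothing in the rule restricts it to on-link traffic. Neighbour solicitations are never legitimately forwarded and RFC 4861 requires receivers to discard them unless the hop limit is 255, so the exception can be bounded with a hop-limit match — add `"-m", "hl", "--hl-eq", "255",` before `"-j", "ACCEPT"` in that rule — which keeps an off-link sender from riding NS past rpfilter into the filter chains; the router-advertisement rule two lines below has the same shape and would take the same match. The comment `# RHBZ#1575431, kernel bug in 4.16-4.17` should also say that the workaround is applied regardless of the running kernel version, since the rule is unconditional and a reader may otherwise assume it is gated. The three literal insert positions now have to be renumbered together every time a rule is added, as this patch had to do twice; building the rule list in order and inserting at `len(rules) + 1`, or appending to a dedicated chain, would remove that trap. apply_rpfilter_rules begins inside the hunk, but the class it belongs to and the rest of the file are outside it.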
@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.5.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
@@ -11,6 +11,7 @@ Source2: FedoraWorkstation.xml
 %endif
 %if 0%{?fedora}
 Patch0: firewalld-0.2.6-MDNS-default.patch
+Patch1: 0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch
 %endif
 BuildArch: noarch
 BuildRequires: autoconf
@@ -124,10 +125,7 @@ The firewall configuration application provides an
 configuration interface for firewalld.
 
 %prep
-%setup -q
-%if 0%{?fedora}
-%patch0 -p1
-%endif
+%autosetup -p1
 ./autogen.sh
 sed -i -e 's|/usr/bin/python -Es|%{__python3} -Es|' ./fix_python_shebang.sh
 sed -i 's|/usr/bin/python|%{__python3}|' ./config/lockdown-whitelist.xml
@@ -320,6 +318,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 %changelog
+* Tue Jul 03 2018 Eric Garver - 0.5.3-3
+- backport fix for rhbz 1575431
+
 * Tue Jun 19 2018 Miro HronĨok - 0.5.3-2
 - Rebuilt for Python 3.7
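Review bot: The new `Patch1:` line in the second hunk carries no comment on where the patch comes from or its upstream status, which packaging review expects for every patch and which is what tells a future maintainer when the line can be dropped; the patch file itself records a cherry-pick of upstream commit 3d6a5063566319b5df58c6f738f203e88724961e, so a one-line comment above it such as `# rhbz#1575431, backport of upstream commit 3d6a5063` would do. The switch of `%prep` to `%autosetup -p1` in the third hunk applies every `Patch` tag, which matches the old conditional only because both tags still sit inside the `%if 0%{?fedora}` block; a short comment there, `# all Patch tags are inside the %%if 0%%{?fedora} block above`, would keep that coupling visible when the next patch is added. The changelog hunk runs past the end of the excerpt.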