rpms/firewalld
5
0
Fork 0
Code Issues Pull Requests Releases Activity

fix(rich): validate service name of rich rule

Browse Source 
Resolves: RHEL-5790
This commit is contained in:
Eric Garver 2024-06-13 17:04:34 -04:00
parent 7696780acb
commit 9c7750524f
2 changed files with 87 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
0022-v2.1.0-fix-rich-validate-service-name-of-rich-rule.patch Normal file
View File

@ -0,0 +1,82 @@
From 5266735bf4827178ddd9a12edc37b1b0a93e0d3a Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Tue, 12 Dec 2023 14:58:07 +0100
Subject: [PATCH 22/26] v2.1.0: fix(rich): validate service name of rich rule
Previously, validation of valid service names was not done.
That meant:
$ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent
success
$ firewall-cmd --reload
Error: INVALID_SERVICE: listen
which left firewalld in a bad state.
Now:
$ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent
Error: INVALID_SERVICE: Zone 'public': 'listen' not among existing services
https://issues.redhat.com/browse/RHEL-5790
(cherry picked from commit fbcdddd3e38c31a7b8325bf02764b84344c216b0)
---
src/firewall/core/io/policy.py | 11 +++++++++++
src/tests/features/rich_rules.at | 8 +++++++-
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
index 3b951545e975..514a20251ef4 100644
--- a/src/firewall/core/io/policy.py
+++ b/src/firewall/core/io/policy.py
@@ -304,6 +304,8 @@ def common_endElement(obj, name):
obj._limit_ok = None
def common_check_config(obj, config, item, all_config):
+ obj_type = "Policy" if isinstance(obj, Policy) else "Zone"
+
if item == "services" and obj.fw_config:
existing_services = obj.fw_config.get_services()
for service in config:
@@ -360,6 +362,15 @@ def common_check_config(obj, config, item, all_config):
raise FirewallError(errors.INVALID_ICMPTYPE,
"rich rule family '%s' conflicts with icmp type '%s'" % \
(obj_rich.family, obj_rich.element.name))
+ elif obj.fw_config and isinstance(obj_rich.element, rich.Rich_Service):
+ existing_services = obj.fw_config.get_services()
+ if obj_rich.element.name not in existing_services:
+ raise FirewallError(
+ errors.INVALID_SERVICE,
+ "{} '{}': '{}' not among existing services".format(
+ obj_type, obj.name, obj_rich.element.name
+ ),
+ )
def common_writer(obj, handler):
# short
diff --git a/src/tests/features/rich_rules.at b/src/tests/features/rich_rules.at
index bb5e4b72a516..de98bf0ce268 100644
--- a/src/tests/features/rich_rules.at
+++ b/src/tests/features/rich_rules.at
@@ -46,6 +46,11 @@ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priorit
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=0 source address=10.10.10.13 drop'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=-1 source address=10.10.10.14 accept'], 0, ignore)
FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=1 source address=10.10.10.15 accept'], 0, ignore)
+
+dnl Invalid service name is rejected.
+FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="bogusservice" accept'], 101, ignore, ignore)
+FWD_CHECK([--policy foobar --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="bogusservice" accept'], 101, ignore, ignore)
+
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_IN_policy_foobar_pre], 0, [dnl
table inet firewalld {
@@ -289,4 +294,5 @@ IP6TABLES_LIST_RULES([filter], [IN_foobar_post], 0, [dnl
ACCEPT all ::/0 ::/0
])
-FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d'])
+FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d' dnl
+ -e "/ERROR: INVALID_SERVICE: Policy 'foobar': 'bogusservice' not among existing services/d"])
--
2.43.0

6
firewalld.spec
View File

@ -1,7 +1,7 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld Name: firewalld
Version: 0.9.11 Version: 0.9.11
Release: 6%{?dist} Release: 7%{?dist}
URL: http://www.firewalld.org URL: http://www.firewalld.org
License: GPLv2+ License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@ -26,6 +26,7 @@ Patch18: 0018-v1.0.0-feat-rich-support-using-ipset-in-destination.patch
Patch19: 0019-v1.0.0-test-rich-destination-ipset.patch Patch19: 0019-v1.0.0-test-rich-destination-ipset.patch
Patch20: 0020-v1.0.0-test-rich-destination-ipset-verify-policy-sup.patch Patch20: 0020-v1.0.0-test-rich-destination-ipset-verify-policy-sup.patch
Patch21: 0021-v2.1.0-feat-icmp-add-ICMPv6-Multicast-Listener-Disco.patch Patch21: 0021-v2.1.0-feat-icmp-add-ICMPv6-Multicast-Listener-Disco.patch
Patch22: 0022-v2.1.0-fix-rich-validate-service-name-of-rich-rule.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: autoconf BuildRequires: autoconf
@ -227,6 +228,9 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewall-config*.1* %{_mandir}/man1/firewall-config*.1*
%changelog %changelog
* Thu Jun 13 2024 Eric Garver <egarver@redhat.com> - 0.9.11-7
- fix(rich): validate service name of rich rule
* Thu Jun 13 2024 Eric Garver <egarver@redhat.com> - 0.9.11-6 * Thu Jun 13 2024 Eric Garver <egarver@redhat.com> - 0.9.11-6
- feat(icmp): add ICMPv6 Multicast Listener Discovery (MLD) types - feat(icmp): add ICMPv6 Multicast Listener Discovery (MLD) types