rpms/firewalld
6
0
Fork 0
Code Issues Pull Requests Releases Activity

fix(ipset): exception on overlap checking empty set

Browse Source 
Resolves: RHEL-8509
This commit is contained in:
Eric Garver 2023-11-03 12:54:18 -04:00
parent 1d77e3028b
commit a171167160
3 changed files with 86 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
0011-v1.1.0-fix-ipset-exception-on-overlap-checking-empty.patch Normal file
View File

@ -0,0 +1,32 @@
From e9e1edef3af8bd1a6b7c27fdd2d580e2f1571440 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Rigault?= <rigault.francois@gmail.com>
Date: Sun, 28 Aug 2022 10:25:33 +0200
Subject: [PATCH 11/17] v1.1.0: fix(ipset): exception on overlap checking empty
set
In the case of --remove-entries-from-file, check_for_overlapping_entries
can be called with no entry in input, which fails with an exception.
Fixes: rhbz2121985
(cherry picked from commit 1ea554e6263ed21aa9ae6e5f0abb629d53b4a7bc)
---
src/firewall/core/ipset.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py
index b160d8345669..d8e0a1ab1e56 100644
--- a/src/firewall/core/ipset.py
+++ b/src/firewall/core/ipset.py
@@ -327,6 +327,9 @@ def check_for_overlapping_entries(entries):
# at least one entry can not be parsed
return
+ if len(entries) == 0:
+ return
+
# We can take advantage of some facts of IPv4Network/IPv6Network and
# how Python sorts the networks to quickly detect overlaps.
#
--
2.39.3

48
0012-v1.1.0-test-ipset-verify-remove-entries-from-file.patch Normal file
View File

@ -0,0 +1,48 @@
From a7b4212df4e1aa05d8dcb8fd4cf5e353a84d3481 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 29 Aug 2022 08:37:50 -0400
Subject: [PATCH 12/17] v1.1.0: test(ipset): verify --remove-entries-from-file
Specifically if it results in an empty set.
Coverage: rhbz2121985
(cherry picked from commit edea40189e10d3f7777e69746592fb5e2e0e36ea)
---
src/tests/regression/gh1011.at | 15 +++++++++++++++
src/tests/regression/regression.at | 1 +
2 files changed, 16 insertions(+)
create mode 100644 src/tests/regression/gh1011.at
diff --git a/src/tests/regression/gh1011.at b/src/tests/regression/gh1011.at
new file mode 100644
index 000000000000..037ab70648eb
--- /dev/null
+++ b/src/tests/regression/gh1011.at
@@ -0,0 +1,15 @@
+FWD_START_TEST([remove entries results in empty])
+AT_KEYWORDS(ipset gh1011 rhbz2121985)
+
+FWD_CHECK([--permanent --new-ipset foobar --type hash:net], 0, [ignore])
+AT_DATA([./empty], [dnl
+10.10.10.0/24
+])
+FWD_CHECK([--permanent --ipset foobar --add-entry 10.10.10.0/24], 0, [ignore])
+FWD_CHECK([--permanent --ipset foobar --remove-entries-from-file ./empty], 0, [ignore])
+
+FWD_RELOAD()
+FWD_CHECK([--ipset foobar --add-entry 10.10.10.0/24], 0, [ignore])
+FWD_CHECK([--ipset foobar --remove-entries-from-file ./empty], 0, [ignore])
+
+FWD_END_TEST()
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 143298d3235f..889c66dd175d 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -51,3 +51,4 @@ m4_include([regression/service_includes_for_builtin.at])
m4_include([regression/rhbz2181406.at])
m4_include([regression/ipset_scale.at])
m4_include([regression/gh881.at])
+m4_include([regression/gh1011.at])
--
2.39.3

7
firewalld.spec
View File

@ -1,7 +1,7 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld Name: firewalld
Version: 0.9.11 Version: 0.9.11
Release: 1%{?dist} Release: 2%{?dist}
URL: http://www.firewalld.org URL: http://www.firewalld.org
License: GPLv2+ License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@ -15,6 +15,8 @@ Patch7: 0007-RHEL-only-default-to-CleanupModulesOnExit-yes.patch
Patch8: 0008-v1.1.0-fix-ipset-reduce-cost-of-entry-overlap-detect.patch Patch8: 0008-v1.1.0-fix-ipset-reduce-cost-of-entry-overlap-detect.patch
Patch9: 0009-v1.1.0-test-ipset-huge-set-of-entries-benchmark.patch Patch9: 0009-v1.1.0-test-ipset-huge-set-of-entries-benchmark.patch
Patch10: 0010-v1.1.0-fix-ipset-further-reduce-cost-of-entry-overla.patch Patch10: 0010-v1.1.0-fix-ipset-further-reduce-cost-of-entry-overla.patch
Patch11: 0011-v1.1.0-fix-ipset-exception-on-overlap-checking-empty.patch
Patch12: 0012-v1.1.0-test-ipset-verify-remove-entries-from-file.patch
BuildArch: noarch BuildArch: noarch
BuildRequires: autoconf BuildRequires: autoconf
@ -216,6 +218,9 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewall-config*.1* %{_mandir}/man1/firewall-config*.1*
%changelog %changelog
* Fri Nov 03 2023 Eric Garver <egarver@redhat.com> - 0.9.11-2
- fix(ipset): exception on overlap checking empty set
* Tue Apr 18 2023 Eric Garver <egarver@redhat.com> - 0.9.11-1 * Tue Apr 18 2023 Eric Garver <egarver@redhat.com> - 0.9.11-1
- rebase to v0.9.11 - rebase to v0.9.11