import firewalld-0.9.3-7.el8

This commit is contained in:
CentOS Sources 2021-10-06 10:06:19 -04:00 committed by Stepan Oksanichenko
parent 05a83bb38e
commit aab7309973
104 changed files with 3876 additions and 5156 deletions


@ -1 +1 @@
785c4062248b95a85ddc023eba075b66109e254b SOURCES/firewalld-0.8.2.tar.gz
69d687526f2d2483470e5175b246f462fd84ee0b SOURCES/firewalld-0.9.3.tar.gz

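--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/firewalld-0.8.2.tar.gz
+SOURCES/firewalld-0.9.3.tar.gz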


@ -1,21 +1,16 @@
From 52d53cc4ab0503ad484330b2121f85094a7903de Mon Sep 17 00:00:00 2001
From 87ecae78c07da6db1faa18504b06345ab3ba51a0 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Mon, 9 Jul 2018 11:29:33 -0400
Subject: [PATCH 1/6] RHEL only: Add cockpit by default to some zones
Subject: [PATCH 01/22] RHEL only: Add cockpit by default to some zones
Fixes: #1581578
---
config/zones/home.xml | 1 +
config/zones/internal.xml | 1 +
config/zones/public.xml | 1 +
config/zones/work.xml | 1 +
src/tests/cli/firewall-cmd.at | 14 +++++++++++++-
src/tests/features/helpers_custom.at | 9 +++++++++
src/tests/features/service_include.at | 2 +-
src/tests/regression/gh366.at | 3 +++
src/tests/regression/gh453.at | 2 ++
src/tests/regression/rhbz1514043.at | 2 +-
10 files changed, 33 insertions(+), 3 deletions(-)
config/zones/home.xml | 1 +
config/zones/internal.xml | 1 +
config/zones/public.xml | 1 +
config/zones/work.xml | 1 +
src/tests/functions.at | 19 +++++++++++++++++++
5 files changed, 23 insertions(+)
diff --git a/config/zones/home.xml b/config/zones/home.xml
index 42b29b2f2d50..8aa8afa0e8aa 100644
@ -57,263 +52,43 @@ index 6ea5550a40bd..9609ee6f65c2 100644
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
</zone>
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 806af74221b6..74f480f8730f 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -1285,6 +1285,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 1122 ct state new,untracked accept
tcp dport 3333 ct state new,untracked accept
tcp dport 4444 ct state new,untracked accept
@@ -1300,6 +1301,7 @@ FWD_START_TEST([rich rules priority])
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 582fdcc19314..6b1263b178dc 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -105,6 +105,13 @@ m4_define([FWD_START_TEST], [
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
AT_KEYWORDS(offline)
+ dnl cockpit is added by default downstream, but upstream tests don't expect
+ dnl it. Simply remove it at the start of every test.
+ dnl
+ FWD_OFFLINE_CHECK([--zone home --remove-service-from-zone cockpit], 0, [ignore])
+ FWD_OFFLINE_CHECK([--zone internal --remove-service-from-zone cockpit], 0, [ignore])
+ FWD_OFFLINE_CHECK([--zone public --remove-service-from-zone cockpit], 0, [ignore])
+ FWD_OFFLINE_CHECK([--zone work --remove-service-from-zone cockpit], 0, [ignore])
], [
m4_define_default([FIREWALL_BACKEND], [nftables])
@@ -226,6 +233,18 @@ m4_define([FWD_START_TEST], [
])
FWD_START_FIREWALLD
+
+ dnl cockpit is added by default downstream, but upstream tests don't expect
+ dnl it. Simply remove it at the start of every test.
+ dnl
+ FWD_CHECK([--permanent --zone home --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone home --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([--permanent --zone internal --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone internal --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([--permanent --zone public --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone public --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([--permanent --zone work --remove-service cockpit], 0, [ignore])
+ FWD_CHECK([ --zone work --remove-service cockpit], 0, [ignore])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 ctstate NEW,UNTRACKED
@@ -1314,6 +1316,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:3333 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:4444 ctstate NEW,UNTRACKED
@@ -1395,6 +1398,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
}
}
])
@@ -1498,6 +1502,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
])
@@ -1532,6 +1537,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
])
@@ -1579,6 +1585,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
icmp type echo-request accept
icmpv6 type echo-request accept
}
@@ -1619,6 +1626,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
])
IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
@@ -1641,6 +1649,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
])
IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
@@ -1697,6 +1706,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
}
}
])
@@ -1734,6 +1744,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
])
@@ -1754,6 +1765,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
])
@@ -1779,7 +1791,7 @@ FWD_START_TEST([rich rules priority])
icmp-block-inversion: no
interfaces:
sources:
- services: dhcpv6-client ssh
+ services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index 41d0f17b1d9e..bd4b52cfb1d6 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -37,6 +37,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -47,6 +48,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -55,6 +57,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -91,6 +94,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -101,6 +105,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -109,6 +114,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -126,6 +132,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
@@ -139,6 +146,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
@@ -149,6 +157,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
index 7f02701a9419..070f1578fc2b 100644
--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
@@ -120,7 +120,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl
])
FWD_CHECK([--zone=public --list-services], 0, [dnl
-dhcpv6-client ssh
+cockpit dhcpv6-client ssh
])
FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist])
FWD_RELOAD
diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at
index 1441a6be53bf..51ff504e6a9d 100644
--- a/src/tests/regression/gh366.at
+++ b/src/tests/regression/gh366.at
@@ -7,6 +7,7 @@ table inet firewalld {
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+tcp dport 9090 ct state new,untracked accept
ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
}
@@ -14,11 +15,13 @@ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
])])
diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at
index 36a6fce5f22a..61bc90aae673 100644
--- a/src/tests/regression/gh453.at
+++ b/src/tests/regression/gh453.at
@@ -18,6 +18,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 21 ct state new,untracked accept
}
@@ -42,6 +43,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 21 ct state new,untracked accept
tcp dport 5060 ct helper set "helper-sip-tcp"
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index efc33e09478b..241cf547f7f3 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -5,7 +5,7 @@ FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
-services: dhcpv6-client samba ssh
+services: cockpit dhcpv6-client samba ssh
])
dnl check that log denied actually took effect
--
2.23.0
2.27.0
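Review bot: The two new functions.at hunks (`@@ -105,6 +105,13 @@` and `@@ -226,6 +233,18 @@`) strip cockpit from the four zones at the start of every test, so nothing in the suite now asserts that the downstream default is actually present in the shipped zone files, and a regression in the home/internal/public/work.xml hunks would go unnoticed. Consider one downstream-only test that, before the removal runs, checks `--zone public --list-services` reports `cockpit dhcpv6-client ssh`, which is the expectation the previous version of this patch carried in service_include.at. Because public is the default zone, the zone XML change accepts TCP 9090 on every interface in that zone whether or not a cockpit listener exists; a `dnl` note to that effect beside the removal calls would tell the next maintainer why upstream expectations do not include it. The removal calls pass `[ignore]` for stdout only, so a non-zero exit from firewall-cmd still fails the test, which looks intended. The FWD_START_TEST macro begins and ends outside these hunks.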


@ -1,20 +1,15 @@
From 42c3c63410d53f1f1eef8a756202231a7872aafa Mon Sep 17 00:00:00 2001
From bccc66877af7baa95e70c4314e3016ac78c4bbc7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Feb 2020 09:12:17 -0500
Subject: [PATCH 2/6] RHEL only: default to AllowZoneDrifting=yes
Subject: [PATCH 02/22] RHEL only: default to AllowZoneDrifting=yes
---
config/firewalld.conf | 4 ++--
doc/xml/firewalld.conf.xml | 2 +-
doc/xml/firewalld.dbus.xml | 2 +-
src/firewall/config/__init__.py.in | 2 +-
src/tests/cli/firewall-cmd.at | 8 ++++++++
src/tests/dbus/firewalld.conf.at | 4 ++--
src/tests/features/rfc3964_ipv4.at | 4 ++++
src/tests/functions.at | 1 +
src/tests/regression/rhbz1514043.at | 4 ++++
src/tests/regression/rhbz1715977.at | 9 +++++++++
10 files changed, 33 insertions(+), 7 deletions(-)
config/firewalld.conf | 4 ++--
doc/xml/firewalld.conf.xml | 2 +-
doc/xml/firewalld.dbus.xml | 2 +-
src/firewall/config/__init__.py.in | 2 +-
src/tests/functions.at | 5 +++++
5 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 532f0452212e..f791b2358ab8 100644
@ -42,10 +37,10 @@ index fcfbfd2b68c1..c21ef87813bc 100644
</listitem>
</varlistentry>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 5d77af976443..77ad77c01675 100644
index b75067e12c51..d68c775ee5bf 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2591,7 +2591,7 @@
@@ -2787,7 +2787,7 @@
to interface based zones (including the default zone). Packets
never drift from interface based zones to other interfaces
based zones (including the default zone).
@ -55,181 +50,31 @@ index 5d77af976443..77ad77c01675 100644
</varlistentry>
<varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 481eb8de758d..645c76b66c8d 100644
index e875e849dec1..0dec7913f694 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -130,4 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"
@@ -133,4 +133,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"
FALLBACK_FIREWALL_BACKEND = "nftables"
FALLBACK_FLUSH_ALL_ON_RELOAD = True
FALLBACK_RFC3964_IPV4 = True
-FALLBACK_ALLOW_ZONE_DRIFTING = False
+FALLBACK_ALLOW_ZONE_DRIFTING = True
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 74f480f8730f..c47c14ea1fc2 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -696,6 +696,10 @@ FWD_START_TEST([ipset])
CHECK_IPSET
CHECK_IPSET_HASH_MAC
+ dnl Expected test results assume this is set to "no"
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+ FWD_RELOAD
+
FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, ignore)
FWD_CHECK([--reload], 0, ignore)
FWD_CHECK([--ipset=foobar --get-entries], 0, [
@@ -1197,6 +1201,10 @@ FWD_START_TEST([rich rules priority])
CHECK_LOG_AUDIT
+ dnl Expected test results assume this is set to "no"
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+ FWD_RELOAD
+
dnl Verify generic layout of zone
NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl
table inet firewalld {
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 35aead759a9c..4eefa3286f9f 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -4,7 +4,7 @@ AT_KEYWORDS(dbus)
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
IF_HOST_SUPPORTS_NFT_FIB([
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
@@ -18,7 +18,7 @@ string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])], [
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
index 54f5f756270b..15fef52612cc 100644
--- a/src/tests/features/rfc3964_ipv4.at
+++ b/src/tests/features/rfc3964_ipv4.at
@@ -1,6 +1,10 @@
FWD_START_TEST([RFC3964_IPv4])
AT_KEYWORDS(rfc3964_ipv4)
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
FWD_RELOAD
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 5b3ed3ee4a5a..8f5ceba4d3f2 100644
index 6b1263b178dc..7ac28d514233 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [
IF_HOST_SUPPORTS_IP6TABLES([], [
sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
])
+ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log
if test x"$1" != x"ignore"; then
if test -n "$1"; then
sed -i $1 ./firewalld.log
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index 241cf547f7f3..8e4846a078b8 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -1,6 +1,10 @@
FWD_START_TEST([--set-log-denied does not zero config])
AT_KEYWORDS(log_denied rhbz1514043)
@@ -123,6 +123,11 @@ m4_define([FWD_START_TEST], [
dnl set the appropriate backend
AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+ dnl Expected test results assume this is set to "no", but downstream
+ dnl RHEL overrides it to "yes". Override it back to "no" so we don't
+ dnl have to fix up all the tests when bringing them from upstream.
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+
FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
index d548de72b90c..b9886e1a0a2b 100644
--- a/src/tests/regression/rhbz1715977.at
+++ b/src/tests/regression/rhbz1715977.at
@@ -14,6 +14,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
udp dport 137 ct state new,untracked accept
udp dport 138 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
}
}
@@ -23,6 +24,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
@@ -31,6 +33,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept'])
@@ -44,6 +47,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
udp dport 137 ct state new,untracked accept
udp dport 138 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
}
@@ -54,6 +58,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
])
@@ -63,6 +68,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept'])
@@ -76,6 +82,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
udp dport 137 ct state new,untracked accept
udp dport 138 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
@@ -87,6 +94,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED
@@ -97,6 +105,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])
dnl fib matching is pretty new in nftables. Don't use rpfilter on older
dnl kernels.
m4_if(nftables, FIREWALL_BACKEND, [
--
2.23.0
2.27.0
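Review bot: With the `@@ -123,6 +123,11 @@` hunk forcing `AllowZoneDrifting=no` in FWD_START_TEST and the `@@ -230,6 +230,7 @@` hunk deleting the `WARNING: AllowZoneDrifting is enabled.` line from firewalld.log in FWD_END_TEST, the suite never exercises the default this patch actually ships (`FALLBACK_ALLOW_ZONE_DRIFTING = True`, `AllowZoneDrifting=yes`). Consider one downstream-only test that skips the override and asserts the D-Bus config property reads `"yes"` and that the warning is written to the log, so a future rebase that loses either the override or the warning is caught. The log-line deletion in FWD_END_TEST is unconditional, so a test that deliberately enables drifting could not check for the warning either; if it is only needed for the offline branch, which the override at line 123 appears not to cover, scoping it to that branch would be clearer. Both macros begin and end outside the hunks.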


@ -1,29 +0,0 @@
From b2e4f83c8fb011ffe0a8b040fa937f60c842cc25 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 2 Apr 2020 14:42:22 -0400
Subject: [PATCH 3/6] fix: nftables: ipset: port ranges for non-default
protocols
Fixes: 2d1b0fe9fe74 ("fix: nftables: allow set intervals with concatenations")
(cherry picked from commit e80f4fccfc771128affdc578ed37842d5d469ca9)
(cherry picked from commit 6a2fd018666ab8c4877291f8f807a9943db74de3)
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index a9d5a45337bd..69ee63b32f8b 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1680,7 +1680,7 @@ class nftables(object):
port_str = entry_tokens[i][index+1:]
try:
- index = entry_tokens[i].index("-")
+ index = port_str.index("-")
except ValueError:
fragment.append(port_str)
else:
--
2.23.0


@ -0,0 +1,85 @@
From 9c26e2d1eb45c5afc0e6430d2736aeefe9f07cf1 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 25 Jan 2021 11:29:48 -0500
Subject: [PATCH 04/22] fix(dbus): conf: setting deprecated properties should
be ignored
They weren't being written to the config file, but the runtime dbus
values were being changed.
(cherry picked from commit 9001e0cfc18fdcf8526d774fad396414d223c70a)
(cherry picked from commit e8451a455461b5cf177ea8a9aaab7a5e5100991b)
---
src/firewall/server/config.py | 23 +++++------------------
src/tests/dbus/firewalld.conf.at | 4 ++--
2 files changed, 7 insertions(+), 20 deletions(-)
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index 1f832a459915..031ef5d1afaa 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -706,22 +706,11 @@ class FirewallDConfig(slip.dbus.service.Object):
self.accessCheck(sender)
if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
- if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown",
+ if property_name in [ "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers",
+ "LogDenied",
"FirewallBackend", "FlushAllOnReload",
"RFC3964_IPv4", "AllowZoneDrifting" ]:
- if property_name == "MinimalMark":
- try:
- int(new_value)
- except ValueError:
- raise FirewallError(errors.INVALID_MARK, new_value)
- try:
- new_value = str(new_value)
- except:
- raise FirewallError(errors.INVALID_VALUE,
- "'%s' for %s" % \
- (new_value, property_name))
if property_name in [ "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls" ]:
if new_value.lower() not in [ "yes", "no",
@@ -734,11 +723,6 @@ class FirewallDConfig(slip.dbus.service.Object):
raise FirewallError(errors.INVALID_VALUE,
"'%s' for %s" % \
(new_value, property_name))
- if property_name == "AutomaticHelpers":
- if new_value not in config.AUTOMATIC_HELPERS_VALUES:
- raise FirewallError(errors.INVALID_VALUE,
- "'%s' for %s" % \
- (new_value, property_name))
if property_name == "FirewallBackend":
if new_value not in config.FIREWALL_BACKEND_VALUES:
raise FirewallError(errors.INVALID_VALUE,
@@ -764,6 +748,9 @@ class FirewallDConfig(slip.dbus.service.Object):
self.config.get_firewalld_conf().write()
self.PropertiesChanged(interface_name,
{ property_name: new_value }, [ ])
+ elif property_name in ["MinimalMark", "AutomaticHelpers"]:
+ # deprecated fields. Ignore setting them.
+ pass
else:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index cc15318c78dc..9fc5502a8d0b 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -37,8 +37,8 @@ $3
])
dnl Test individual Set/Get
-_helper([MinimalMark], [int32:1234], [variant int32 1234])
-_helper([AutomaticHelpers], [string:"no"], [variant string "no"])
+_helper([MinimalMark], [int32:1234], [variant int32 100])
+_helper([AutomaticHelpers], [string:"yes"], [variant string "no"])
_helper([Lockdown], [string:"yes"], [variant string "yes"])
_helper([LogDenied], [string:"all"], [variant string "all"])
_helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
--
2.27.0
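Review bot: Dropping the `new_value = str(new_value)` coercion together with the MinimalMark handling (first hunk of src/firewall/server/config.py) means a non-string variant from a client now reaches `new_value.lower()` and the `not in` membership checks unconverted, so for the yes/no properties it would surface as an AttributeError-backed generic D-Bus error rather than `FirewallError(errors.INVALID_VALUE, ...)`; keeping a one-line `new_value = str(new_value)` at the top of the accepted-property branch preserves the previous validation path. The new `elif property_name in ["MinimalMark", "AutomaticHelpers"]: pass` branch accepts the call after `accessCheck` with no error and no `PropertiesChanged` signal, so neither the caller nor an operator reading firewalld.log can tell the write was dropped; a line such as `log.warning("Ignoring deprecated property %s", property_name)` (if the module's logger is in scope) would make that visible. The Set method begins before and ends after the hunk.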


@ -1,44 +0,0 @@
From c694ab9a3d00f0471bfdf73a1b00d43f60395717 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 2 Apr 2020 14:38:45 -0400
Subject: [PATCH 4/6] test: ipset: verify port ranges for non-default protocol
(cherry picked from commit c0ad3a0b3340a27c34b33128f756f64acc3a771b)
(cherry picked from commit a2b8a09b929901e14620aa802fd423f958c56188)
---
src/tests/cli/firewall-cmd.at | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index c47c14ea1fc2..ad7b1b32f42c 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -743,6 +743,7 @@ FWD_START_TEST([ipset])
dnl multi dimensional set with non default protocol
FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip,port], 0, ignore)
FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,sctp:1234], 0, ignore)
+ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,udp:1000-1002], 0, ignore)
FWD_RELOAD
FWD_CHECK([--ipset=foobar --add-entry=20.20.20.20,8080], 0, ignore)
FWD_CHECK([--zone internal --add-source=ipset:foobar], 0, ignore)
@@ -752,6 +753,7 @@ FWD_START_TEST([ipset])
type ipv4_addr . inet_proto . inet_service
flags interval
elements = { 10.10.10.10 . sctp . 1234,
+ 10.10.10.10 . udp . 1000-1002,
20.20.20.20 . tcp . 8080 }
}
}
@@ -769,6 +771,9 @@ FWD_START_TEST([ipset])
Type: hash:ip,port
Members:
10.10.10.10,sctp:1234
+ 10.10.10.10,udp:1000
+ 10.10.10.10,udp:1001
+ 10.10.10.10,udp:1002
20.20.20.20,tcp:8080
])
FWD_CHECK([--ipset=foobar --add-entry=1.2.3.4,sctp:8080], 0, ignore)
--
2.23.0


@ -1,51 +0,0 @@
From 85782b1fb964e3b67a0276881bdba4ca9881dec3 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 2 Apr 2020 15:21:58 -0400
Subject: [PATCH 5/6] test: log: verify logging still works after truncate
The log policy we ship presumes firewalld opens log files in append
mode. This is because the logrotate policy uses "copytruncate". Lets
verify that it actually works as expected.
(cherry picked from commit e887c16512abd6a3051b0519ee9af344c9f08827)
(cherry picked from commit 2ab7f9e793a51c9aebe08fff6226c38159ae2312)
---
src/tests/regression/gh599.at | 16 ++++++++++++++++
src/tests/regression/regression.at | 1 +
2 files changed, 17 insertions(+)
create mode 100644 src/tests/regression/gh599.at
diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
new file mode 100644
index 000000000000..472f228ba2a9
--- /dev/null
+++ b/src/tests/regression/gh599.at
@@ -0,0 +1,16 @@
+FWD_START_TEST([writing to log after copytruncate])
+AT_KEYWORDS(gh599)
+
+AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
+AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
+
+dnl Verify we continue to write to the log file after it's truncated. That is,
+dnl simulate logrotate's copytruncate.
+NS_CHECK([truncate -s 0 ./firewalld.log])
+
+dnl generate some logs, anything will do since we have debug enabled.
+FWD_CHECK([--list-all], 0, [ignore], [ignore])
+
+NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
+
+FWD_END_TEST
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 8042c3a27f89..2528ddd3fede 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -27,3 +27,4 @@ m4_include([regression/gh509.at])
m4_include([regression/gh567.at])
m4_include([regression/rhbz1779835.at])
m4_include([regression/gh330.at])
+m4_include([regression/gh599.at])
--
2.23.0


@ -0,0 +1,29 @@
From 41aee42de0f55e45b55f94a66d31731697e5fc73 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 3 Feb 2021 14:37:44 -0500
Subject: [PATCH 05/22] test(nftables): normalize reject statement output
The output became more verbose in nftables commit 7ca3368cd757 ("reject:
Unify inet, netdev and bridge delinearization").
(cherry picked from commit 00835e746cf48c73e386d3ad24af7e8fcf3c73ed)
(cherry picked from commit a47186bda1a308a34b5e114a634ae6450d17205b)
---
src/tests/functions.at | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 7ac28d514233..4c8a4603f287 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -419,6 +419,7 @@ m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
-e '/type.*hook.*priority.*policy.*/d'dnl
dnl tranform ct state { established,related } to ct state established,related
-e '/ct \(state\|status\)/{s/\(ct \(state\|status\)\) {/\1/g; s/ }//; s/\(@<:@a-z@:>@*\), /\1,/g;}' dnl
+ -e 's/reject with icmp[[x6]]\? type port-unreachable/reject/' dnl
])
m4_define([NFT_LIST_RULES_ALWAYS], [
--
2.27.0


@ -1,32 +0,0 @@
From 01dd132e2004e6d40c6c2200f6105ca49594041a Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 6 Apr 2020 15:34:57 -0400
Subject: [PATCH 6/6] fix: test/regression/gh599: fix if not using debug output
Fixes: e887c16512ab ("test: log: verify logging still works after truncate")
(cherry picked from commit f7e3c60263e144a04ee175d5f7bb3fa4636a97a4)
(cherry picked from commit e78548b1fd6e87500d7df3ade5373285ca525f03)
---
src/tests/regression/gh599.at | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
index 472f228ba2a9..337e18018baf 100644
--- a/src/tests/regression/gh599.at
+++ b/src/tests/regression/gh599.at
@@ -8,9 +8,9 @@ dnl Verify we continue to write to the log file after it's truncated. That is,
dnl simulate logrotate's copytruncate.
NS_CHECK([truncate -s 0 ./firewalld.log])
-dnl generate some logs, anything will do since we have debug enabled.
-FWD_CHECK([--list-all], 0, [ignore], [ignore])
+dnl generate some logs
+FWD_CHECK([-q --add-service=this_does_not_exist], 101, [ignore], [ignore])
NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
-FWD_END_TEST
+FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: this_does_not_exist/d'])
--
2.23.0


@ -0,0 +1,29 @@
From f29791c69afc760c2356c9d72d4c1d7333e7b814 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 3 Feb 2021 17:02:42 -0500
Subject: [PATCH 06/22] test(nftables): fix normalization of reject statement
output for icmpv6
Fixes: 00835e746cf4 ("test(nftables): normalize reject statement output")
(cherry picked from commit 3a3b4676ccb7b40cf304b773456dec2662783425)
(cherry picked from commit 3bfef89745cfb2c4d90d721c377a409de9c60611)
---
src/tests/functions.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 4c8a4603f287..562bc6105a8f 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -419,7 +419,7 @@ m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
-e '/type.*hook.*priority.*policy.*/d'dnl
dnl tranform ct state { established,related } to ct state established,related
-e '/ct \(state\|status\)/{s/\(ct \(state\|status\)\) {/\1/g; s/ }//; s/\(@<:@a-z@:>@*\), /\1,/g;}' dnl
- -e 's/reject with icmp[[x6]]\? type port-unreachable/reject/' dnl
+ -e 's/reject with icmp\(x\|v6\)\? type port-unreachable/reject/' dnl
])
m4_define([NFT_LIST_RULES_ALWAYS], [
--
2.27.0
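Review bot: The corrected sed expression folds the verbose reject form back to a bare `reject`, but nothing in the macro tells a reader of the expected-output blocks that the `reject` they compare against is still the port-unreachable variant; a `dnl` above the new line would make that explicit, e.g. `dnl newer nft prints the default reject as "reject with icmp/icmpx/icmpv6 type port-unreachable"; fold it back to plain "reject"`. Because the pattern only matches the port-unreachable form, any other reject type still appears verbatim in a test diff, which is the desirable behaviour and worth stating so nobody later widens the pattern. The NFT_LIST_RULES_NORMALIZE definition starts before the hunk.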


@ -1,496 +0,0 @@
From 5a912cc04a75e018631745647a524cce8569505b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Apr 2020 13:38:06 -0400
Subject: [PATCH 07/10] test: dbus: zone: verify permanent config API
signatures
(cherry picked from commit f6a6837cb49d5a9ca4ea08964fb62bb9f7f420ac)
(cherry picked from commit 7cc77369cd68ff1860b151fc649d237f1feb84ba)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/zone_permanent_signatures.at | 464 ++++++++++++++++++++
2 files changed, 465 insertions(+)
create mode 100644 src/tests/dbus/zone_permanent_signatures.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index 46fec2ff4024..ffef478f5449 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -1,3 +1,4 @@
AT_BANNER([dbus])
m4_include([dbus/firewalld.conf.at])
m4_include([dbus/service.at])
+m4_include([dbus/zone_permanent_signatures.at])
diff --git a/src/tests/dbus/zone_permanent_signatures.at b/src/tests/dbus/zone_permanent_signatures.at
new file mode 100644
index 000000000000..15319552c15f
--- /dev/null
+++ b/src/tests/dbus/zone_permanent_signatures.at
@@ -0,0 +1,464 @@
+FWD_START_TEST([dbus api - zone permanent signatures])
+AT_KEYWORDS(dbus zone gh586)
+
+dnl ####################
+dnl Global APIs
+dnl ####################
+
+DBUS_INTROSPECT([config], [[//method[@name="listZones"]]], 0, [dnl
+ <method name="listZones">
+ <arg direction="out" type="ao"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="getZoneNames"]]], 0, [dnl
+ <method name="getZoneNames">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="getZoneByName"]]], 0, [dnl
+ <method name="getZoneByName">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="o"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="addZone"]]], 0, [dnl
+ <method name="addZone">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="settings" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ <arg direction="out" type="o"></arg>
+ </method>
+])
+
+dnl zone relation to interface/sources
+DBUS_INTROSPECT([config], [[//method[@name="getZoneOfInterface"]]], 0, [dnl
+ <method name="getZoneOfInterface">
+ <arg direction="in" name="iface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="getZoneOfSource"]]], 0, [dnl
+ <method name="getZoneOfSource">
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+
+
+dnl ####################
+dnl Zone object APIs
+dnl ####################
+
+dnl Get a reference to the public zone. We'll use it to introspect APIs.
+DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout])
+DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)]
+export DBUS_PUBLIC_ZONE_OBJ
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSettings"]]], 0, [dnl
+ <method name="getSettings">
+ <arg direction="out" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="update"]]], 0, [dnl
+ <method name="update">
+ <arg direction="in" name="settings" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="loadDefaults"]]], 0, [dnl
+ <method name="loadDefaults">
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="remove"]]], 0, [dnl
+ <method name="remove">
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="rename"]]], 0, [dnl
+ <method name="rename">
+ <arg direction="in" name="name" type="s"></arg>
+ </method>
+])
+
+dnl Version
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getVersion"]]], 0, [dnl
+ <method name="getVersion">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setVersion"]]], 0, [dnl
+ <method name="setVersion">
+ <arg direction="in" name="version" type="s"></arg>
+ </method>
+])
+
+dnl Short
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getShort"]]], 0, [dnl
+ <method name="getShort">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setShort"]]], 0, [dnl
+ <method name="setShort">
+ <arg direction="in" name="short" type="s"></arg>
+ </method>
+])
+
+dnl Description
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getDescription"]]], 0, [dnl
+ <method name="getDescription">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setDescription"]]], 0, [dnl
+ <method name="setDescription">
+ <arg direction="in" name="description" type="s"></arg>
+ </method>
+])
+
+dnl Target
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getTarget"]]], 0, [dnl
+ <method name="getTarget">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setTarget"]]], 0, [dnl
+ <method name="setTarget">
+ <arg direction="in" name="target" type="s"></arg>
+ </method>
+])
+
+dnl Interfaces
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getInterfaces"]]], 0, [dnl
+ <method name="getInterfaces">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setInterfaces"]]], 0, [dnl
+ <method name="setInterfaces">
+ <arg direction="in" name="interfaces" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addInterface"]]], 0, [dnl
+ <method name="addInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeInterface"]]], 0, [dnl
+ <method name="removeInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryInterface"]]], 0, [dnl
+ <method name="queryInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Sources
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSources"]]], 0, [dnl
+ <method name="getSources">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSources"]]], 0, [dnl
+ <method name="setSources">
+ <arg direction="in" name="sources" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSource"]]], 0, [dnl
+ <method name="addSource">
+ <arg direction="in" name="source" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSource"]]], 0, [dnl
+ <method name="removeSource">
+ <arg direction="in" name="source" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySource"]]], 0, [dnl
+ <method name="querySource">
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Services
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getServices"]]], 0, [dnl
+ <method name="getServices">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setServices"]]], 0, [dnl
+ <method name="setServices">
+ <arg direction="in" name="services" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addService"]]], 0, [dnl
+ <method name="addService">
+ <arg direction="in" name="service" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeService"]]], 0, [dnl
+ <method name="removeService">
+ <arg direction="in" name="service" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryService"]]], 0, [dnl
+ <method name="queryService">
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Ports
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getPorts"]]], 0, [dnl
+ <method name="getPorts">
+ <arg direction="out" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setPorts"]]], 0, [dnl
+ <method name="setPorts">
+ <arg direction="in" name="ports" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addPort"]]], 0, [dnl
+ <method name="addPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removePort"]]], 0, [dnl
+ <method name="removePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryPort"]]], 0, [dnl
+ <method name="queryPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Source Ports
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSourcePorts"]]], 0, [dnl
+ <method name="getSourcePorts">
+ <arg direction="out" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSourcePorts"]]], 0, [dnl
+ <method name="setSourcePorts">
+ <arg direction="in" name="ports" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSourcePort"]]], 0, [dnl
+ <method name="addSourcePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSourcePort"]]], 0, [dnl
+ <method name="removeSourcePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySourcePort"]]], 0, [dnl
+ <method name="querySourcePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Protocol
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getProtocols"]]], 0, [dnl
+ <method name="getProtocols">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setProtocols"]]], 0, [dnl
+ <method name="setProtocols">
+ <arg direction="in" name="protocols" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addProtocol"]]], 0, [dnl
+ <method name="addProtocol">
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeProtocol"]]], 0, [dnl
+ <method name="removeProtocol">
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryProtocol"]]], 0, [dnl
+ <method name="queryProtocol">
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Forward Ports
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getForwardPorts"]]], 0, [dnl
+ <method name="getForwardPorts">
+ <arg direction="out" type="a(ssss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setForwardPorts"]]], 0, [dnl
+ <method name="setForwardPorts">
+ <arg direction="in" name="ports" type="a(ssss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addForwardPort"]]], 0, [dnl
+ <method name="addForwardPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeForwardPort"]]], 0, [dnl
+ <method name="removeForwardPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryForwardPort"]]], 0, [dnl
+ <method name="queryForwardPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Masquerade
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getMasquerade"]]], 0, [dnl
+ <method name="getMasquerade">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setMasquerade"]]], 0, [dnl
+ <method name="setMasquerade">
+ <arg direction="in" name="masquerade" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addMasquerade"]]], 0, [dnl
+ <method name="addMasquerade">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeMasquerade"]]], 0, [dnl
+ <method name="removeMasquerade">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryMasquerade"]]], 0, [dnl
+ <method name="queryMasquerade">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl ICMP Block
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlocks"]]], 0, [dnl
+ <method name="getIcmpBlocks">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlocks"]]], 0, [dnl
+ <method name="setIcmpBlocks">
+ <arg direction="in" name="icmptypes" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlock"]]], 0, [dnl
+ <method name="addIcmpBlock">
+ <arg direction="in" name="icmptype" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlock"]]], 0, [dnl
+ <method name="removeIcmpBlock">
+ <arg direction="in" name="icmptype" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlock"]]], 0, [dnl
+ <method name="queryIcmpBlock">
+ <arg direction="in" name="icmptype" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl ICMP Block Inversion
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlockInversion"]]], 0, [dnl
+ <method name="getIcmpBlockInversion">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlockInversion"]]], 0, [dnl
+ <method name="setIcmpBlockInversion">
+ <arg direction="in" name="flag" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl
+ <method name="addIcmpBlockInversion">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl
+ <method name="removeIcmpBlockInversion">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl
+ <method name="queryIcmpBlockInversion">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Rich Rules
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getRichRules"]]], 0, [dnl
+ <method name="getRichRules">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setRichRules"]]], 0, [dnl
+ <method name="setRichRules">
+ <arg direction="in" name="rules" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addRichRule"]]], 0, [dnl
+ <method name="addRichRule">
+ <arg direction="in" name="rule" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeRichRule"]]], 0, [dnl
+ <method name="removeRichRule">
+ <arg direction="in" name="rule" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryRichRule"]]], 0, [dnl
+ <method name="queryRichRule">
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+FWD_END_TEST
--
2.25.2


@ -0,0 +1,27 @@
From 9f1e32fd5dea726904ba3fc9373269d15b70dd7d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 5 Feb 2021 12:34:01 -0500
Subject: [PATCH 07/22] test(functions): increase debug level
(cherry picked from commit 39b7ad4a5568bb65cc46db4b70eb133e8625974f)
(cherry picked from commit f78cc99a67a4b4ef3660703fd2e43db00634b6ca)
---
src/tests/functions.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 562bc6105a8f..631beee6e2d8 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -11,7 +11,7 @@ m4_define([FWD_STOP_FIREWALLD], [
m4_define([FWD_START_FIREWALLD], [
FIREWALLD_ARGS="--nofork --nopid --log-file ./firewalld.log --system-config ./"
dnl if testsuite ran with debug flag, add debug output
- ${at_debug_p} && FIREWALLD_ARGS="--debug=3 ${FIREWALLD_ARGS}"
+ ${at_debug_p} && FIREWALLD_ARGS="--debug=10 ${FIREWALLD_ARGS}"
if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
FIREWALLD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}"
fi
--
2.27.0
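Review bot: The new `--debug=10` is a bare magic number and the `dnl` above it only says that debug output is added, not why level 3 was no longer enough; suggest extending it to `dnl if testsuite ran with debug flag, add debug output at the highest firewalld level (10)`, presumably so that tests which inspect ./firewalld.log see everything. Since this only takes effect when `${at_debug_p}` is set, normal runs are unaffected, but the log file will be considerably larger in debug runs, which matters if test artefacts are archived. The FWD_START_FIREWALLD macro continues past the hunk.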


@ -1,446 +0,0 @@
From 3122491686014a2cdd83d3506334055fd18c80e0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Apr 2020 14:16:48 -0400
Subject: [PATCH 08/10] test: dbus: zone: verify runtime config API signatures
(cherry picked from commit fca39ea7edbd57283bc15fdd88fbfd4b1943f977)
(cherry picked from commit d17a68d680b631954fdb5031a3c0627a68f77049)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/zone_runtime_signatures.at | 415 ++++++++++++++++++++++
2 files changed, 416 insertions(+)
create mode 100644 src/tests/dbus/zone_runtime_signatures.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index ffef478f5449..377244460e7a 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -2,3 +2,4 @@ AT_BANNER([dbus])
m4_include([dbus/firewalld.conf.at])
m4_include([dbus/service.at])
m4_include([dbus/zone_permanent_signatures.at])
+m4_include([dbus/zone_runtime_signatures.at])
diff --git a/src/tests/dbus/zone_runtime_signatures.at b/src/tests/dbus/zone_runtime_signatures.at
new file mode 100644
index 000000000000..53fdbea03180
--- /dev/null
+++ b/src/tests/dbus/zone_runtime_signatures.at
@@ -0,0 +1,415 @@
+FWD_START_TEST([dbus api - zone runtime signatures])
+AT_KEYWORDS(dbus zone gh586)
+
+dnl ####################
+dnl Global APIs
+dnl ####################
+
+DBUS_INTROSPECT([], [[//method[@name="getZoneSettings"]]], 0, [dnl
+ <method name="getZoneSettings">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ </method>
+])
+
+dnl Default Zone
+DBUS_INTROSPECT([], [[//method[@name="getDefaultZone"]]], 0, [dnl
+ <method name="getDefaultZone">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="setDefaultZone"]]], 0, [dnl
+ <method name="setDefaultZone">
+ <arg direction="in" name="zone" type="s"></arg>
+ </method>
+])
+
+dnl Fetching Zones
+DBUS_INTROSPECT([], [[//method[@name="getZones"]]], 0, [dnl
+ <method name="getZones">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getActiveZones"]]], 0, [dnl
+ <method name="getActiveZones">
+ <arg direction="out" type="a{sa{sas}}"></arg>
+ </method>
+])
+
+dnl Interface/Source
+DBUS_INTROSPECT([], [[//method[@name="getZoneOfInterface"]]], 0, [dnl
+ <method name="getZoneOfInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getZoneOfSource"]]], 0, [dnl
+ <method name="getZoneOfSource">
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+
+dnl ####################
+dnl Zone APIs
+dnl ####################
+
+DBUS_INTROSPECT([], [[//method[@name="isImmutable"]]], 0, [dnl
+ <method name="isImmutable">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Interfaces
+DBUS_INTROSPECT([], [[//method[@name="addInterface"]]], 0, [dnl
+ <method name="addInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="changeZone"]]], 0, [dnl
+ <method name="changeZone">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="changeZoneOfInterface"]]], 0, [dnl
+ <method name="changeZoneOfInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeInterface"]]], 0, [dnl
+ <method name="removeInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryInterface"]]], 0, [dnl
+ <method name="queryInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getInterfaces"]]], 0, [dnl
+ <method name="getInterfaces">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Sources
+DBUS_INTROSPECT([], [[//method[@name="addSource"]]], 0, [dnl
+ <method name="addSource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="changeZoneOfSource"]]], 0, [dnl
+ <method name="changeZoneOfSource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeSource"]]], 0, [dnl
+ <method name="removeSource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="querySource"]]], 0, [dnl
+ <method name="querySource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getSources"]]], 0, [dnl
+ <method name="getSources">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Services
+DBUS_INTROSPECT([], [[//method[@name="addService"]]], 0, [dnl
+ <method name="addService">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeService"]]], 0, [dnl
+ <method name="removeService">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryService"]]], 0, [dnl
+ <method name="queryService">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getServices"]]], 0, [dnl
+ <method name="getServices">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Protocols
+DBUS_INTROSPECT([], [[//method[@name="addProtocol"]]], 0, [dnl
+ <method name="addProtocol">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeProtocol"]]], 0, [dnl
+ <method name="removeProtocol">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryProtocol"]]], 0, [dnl
+ <method name="queryProtocol">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getProtocols"]]], 0, [dnl
+ <method name="getProtocols">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Ports
+DBUS_INTROSPECT([], [[//method[@name="addPort"]]], 0, [dnl
+ <method name="addPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removePort"]]], 0, [dnl
+ <method name="removePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryPort"]]], 0, [dnl
+ <method name="queryPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getPorts"]]], 0, [dnl
+ <method name="getPorts">
+ <arg direction="in" name="zone" type="s"></arg>
+ dnl NOTE: The signature is "aas", but getPorts() actually returns
+ dnl "a(ss)". Apparently python-dbus coerces to "aas".
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+dnl Source Ports
+DBUS_INTROSPECT([], [[//method[@name="addSourcePort"]]], 0, [dnl
+ <method name="addSourcePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeSourcePort"]]], 0, [dnl
+ <method name="removeSourcePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="querySourcePort"]]], 0, [dnl
+ <method name="querySourcePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getSourcePorts"]]], 0, [dnl
+ <method name="getSourcePorts">
+ <arg direction="in" name="zone" type="s"></arg>
+ dnl NOTE: The signature is "aas", but getPorts() actually returns
+ dnl "a(ss)". Apparently python-dbus coerces to "aas".
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+dnl Forward Ports
+DBUS_INTROSPECT([], [[//method[@name="addForwardPort"]]], 0, [dnl
+ <method name="addForwardPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeForwardPort"]]], 0, [dnl
+ <method name="removeForwardPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryForwardPort"]]], 0, [dnl
+ <method name="queryForwardPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getForwardPorts"]]], 0, [dnl
+ <method name="getForwardPorts">
+ <arg direction="in" name="zone" type="s"></arg>
+ dnl NOTE: The signature is "aas", but getPorts() actually returns
+ dnl "a(ssss)". Apparently python-dbus coerces to "aas".
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+dnl Masquerade
+DBUS_INTROSPECT([], [[//method[@name="addMasquerade"]]], 0, [dnl
+ <method name="addMasquerade">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeMasquerade"]]], 0, [dnl
+ <method name="removeMasquerade">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryMasquerade"]]], 0, [dnl
+ <method name="queryMasquerade">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl ICMP Block
+DBUS_INTROSPECT([], [[//method[@name="addIcmpBlock"]]], 0, [dnl
+ <method name="addIcmpBlock">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="icmp" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlock"]]], 0, [dnl
+ <method name="removeIcmpBlock">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="icmp" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlock"]]], 0, [dnl
+ <method name="queryIcmpBlock">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="icmp" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getIcmpBlocks"]]], 0, [dnl
+ <method name="getIcmpBlocks">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl ICMP Block Inversion
+DBUS_INTROSPECT([], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl
+ <method name="addIcmpBlockInversion">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl
+ <method name="removeIcmpBlockInversion">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl
+ <method name="queryIcmpBlockInversion">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Rich Rules
+DBUS_INTROSPECT([], [[//method[@name="addRichRule"]]], 0, [dnl
+ <method name="addRichRule">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeRichRule"]]], 0, [dnl
+ <method name="removeRichRule">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryRichRule"]]], 0, [dnl
+ <method name="queryRichRule">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getRichRules"]]], 0, [dnl
+ <method name="getRichRules">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+FWD_END_TEST
--
2.25.2


@ -0,0 +1,27 @@
From a9e05358d0070d4326be0df882f4d480822f4f06 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 5 Feb 2021 14:50:03 -0500
Subject: [PATCH 08/22] test(functions): format xml output with xmllint
(cherry picked from commit 53684e4b3b458b91fe7a71e7c3f8aa3363e5d108)
(cherry picked from commit c509b9a4c0749087e462bbb62a9808a43a74b3d9)
---
src/tests/functions.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 631beee6e2d8..8632f49e442f 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -471,7 +471,7 @@ m4_define([DBUS_INTROSPECT], [
NS_CHECK([PIPESTATUS0([gdbus introspect --xml --system --dest=org.fedoraproject.FirewallD1 dnl
m4_ifblank([$1], [--object-path /org/fedoraproject/FirewallD1],
[--object-path /org/fedoraproject/FirewallD1/$1])], dnl
- [m4_ifnblank([$2], [xmllint --xpath '$2' - |]) xmllint --c14n - | TRIM_WHITESPACE])],
+ [m4_ifnblank([$2], [xmllint --xpath '$2' - |]) xmllint --format - | xmllint --c14n - | TRIM_WHITESPACE])],
[$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
])
--
2.27.0
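Review bot: The `xmllint --format -` stage added on the `+` line joins a pipeline whose status comes from PIPESTATUS0, which by its name appears to inspect only the first element (gdbus), so a parse failure in any xmllint stage — for instance when the XPath in `$2` selects more than one node and `--format` rejects the multi-root input — would produce empty output instead of a failing check. With an `[ignore]` or blank expected value such a failure passes silently. The m4_define of DBUS_INTROSPECT begins outside the hunk, so PIPESTATUS0's exact behaviour is inferred here. A line such as `dnl $2 must select a single node: --format and --c14n parse the xpath output as one document` above the pipeline would document the constraint, and checking the xmllint stages' exit status would make the failure visible if PIPESTATUS0 does not.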


@ -0,0 +1,43 @@
From 3f5c45753a172bd1c713b318cd530c667a7f41b1 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 23 Dec 2020 09:22:30 -0500
Subject: [PATCH 09/22] docs(firewall-cmd): reload does not affect direct rules
if FlushAllOnReload=no
(cherry picked from commit b682ba874ef879797d681fb018ce3c7b9c57efdb)
(cherry picked from commit ab4ce6fb13607dba4f8a0e771455ad34d3adb77a)
---
doc/xml/firewall-cmd.xml.in | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
index 3369c2d3f942..691117f3dbff 100644
--- a/doc/xml/firewall-cmd.xml.in
+++ b/doc/xml/firewall-cmd.xml.in
@@ -133,9 +133,9 @@
if they have not been also in permanent configuration.
</para>
<para>
- Note: Runtime changes applied via the direct interface are not
+ Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not
affected and will therefore stay in place until firewalld daemon
- is restarted completely.
+ is restarted completely. For FlushAllOnReload, see <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
</listitem>
</varlistentry>
@@ -147,9 +147,9 @@
Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of severe firewall problems. For example if there are state information problems that no connection can be established with correct firewall rules.
</para>
<para>
- Note: Runtime changes applied via the direct interface are not
+ Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not
affected and will therefore stay in place until firewalld daemon
- is restarted completely.
+ is restarted completely. For FlushAllOnReload, see <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
</listitem>
</varlistentry>
--
2.27.0


@ -1,38 +0,0 @@
From ac3d706eb4bfead921c7e739e5e95a186bf35438 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Apr 2020 17:05:39 -0400
Subject: [PATCH 09/10] fix: test/regression/gh599: use expr to be more
portable
dash was failing due to not having "let". So lets use "expr" instead.
Fixes: e887c16512ab ("test: log: verify logging still works after truncate")
(cherry picked from commit eba44b2ebeedccbac0329a56c86c5d8f26c30f9f)
(cherry picked from commit cdd7c9d60624a443a0a07c29081d0ef68a384beb)
---
src/tests/regression/gh599.at | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
index 337e18018baf..b0a230733c85 100644
--- a/src/tests/regression/gh599.at
+++ b/src/tests/regression/gh599.at
@@ -3,6 +3,7 @@ AT_KEYWORDS(gh599)
AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
+AT_SKIP_IF([! NS_CMD([which expr >/dev/null 2>&1])])
dnl Verify we continue to write to the log file after it's truncated. That is,
dnl simulate logrotate's copytruncate.
@@ -11,6 +12,6 @@ NS_CHECK([truncate -s 0 ./firewalld.log])
dnl generate some logs
FWD_CHECK([-q --add-service=this_does_not_exist], 101, [ignore], [ignore])
-NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
+NS_CHECK([expr $(cat ./firewalld.log | wc -c) ">" 0], 0, [ignore], [ignore])
FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: this_does_not_exist/d'])
--
2.25.2


@ -0,0 +1,27 @@
From 1e633c4f475e5cc43aca2d2f381abac85718ae22 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 23 Dec 2020 09:54:57 -0500
Subject: [PATCH 10/22] docs(dbus): fix copy/paste error for FlushAllOnReload
(cherry picked from commit 63b1f5cfa73071153f732947dcf9ea3064d64970)
(cherry picked from commit e74da4714ca9a64d8891f8fc340a0cab0087d609)
---
doc/xml/firewalld.dbus.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index d68c775ee5bf..57560e93da67 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2825,7 +2825,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Properties.FlushAllOnReload">
- <term>FirewallBackend - s - (rw)</term>
+ <term>FlushAllOnReload - s - (rw)</term>
<listitem>
<para>
Flush all runtime rules on a reload. Valid options are; yes, no.
--
2.27.0


@ -1,27 +0,0 @@
From 10f7c0956e7c7054da9e6187aa525c23f65a8dfc Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 14 Apr 2020 07:40:48 -0400
Subject: [PATCH 10/10] fix(systemd): Conflict with nftables.service
(cherry picked from commit 7b6aff3a51a955399c782f48137405d0fa94e966)
(cherry picked from commit fc00563ef029cb4c12c652725bfd3a3b5122d136)
---
config/firewalld.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/firewalld.service.in b/config/firewalld.service.in
index b757a08f28dc..afbe0ac5def7 100644
--- a/config/firewalld.service.in
+++ b/config/firewalld.service.in
@@ -4,7 +4,7 @@ Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
-Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
+Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
Documentation=man:firewalld(1)
[Service]
--
2.25.2


@ -0,0 +1,27 @@
From c22d8092863d323eb795cf6f9a27bb70a0743fd0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 23 Dec 2020 09:55:22 -0500
Subject: [PATCH 11/22] docs(dbus): fix copy/paste error for RFC3964_IPv4
(cherry picked from commit b530915ec8e8f035d363d9dedf226bb20259d0e4)
(cherry picked from commit 35f4ca803cd8042b4541ca0e9f8b2449c3a7c1b4)
---
doc/xml/firewalld.dbus.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 57560e93da67..d17cb8b6c1ec 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2867,7 +2867,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Properties.RFC3964_IPv4">
- <term>FirewallBackend - s - (rw)</term>
+ <term>RFC3964_IPv4 - s - (rw)</term>
<listitem>
<para>
As per RFC 3964, filter IPv6 traffic with 6to4 destination
--
2.27.0


@ -1,390 +0,0 @@
From 3564be1c8a28ac59e8a7135a1ab2a82d2e8a3c90 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 9 Apr 2020 12:49:02 -0400
Subject: [PATCH 11/45] test(dbus): zone: verify permanent config APIs
(cherry picked from commit 64d5bf1b117bc29d09b4f30cbb1c87d8559eeac0)
(cherry picked from commit a972e90b522ba11e0bd65b8d0cd1a55e1d18f9cd)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/zone_permanent_functional.at | 359 ++++++++++++++++++++
2 files changed, 360 insertions(+)
create mode 100644 src/tests/dbus/zone_permanent_functional.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index 377244460e7a..31c180dc3d3d 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -3,3 +3,4 @@ m4_include([dbus/firewalld.conf.at])
m4_include([dbus/service.at])
m4_include([dbus/zone_permanent_signatures.at])
m4_include([dbus/zone_runtime_signatures.at])
+m4_include([dbus/zone_permanent_functional.at])
diff --git a/src/tests/dbus/zone_permanent_functional.at b/src/tests/dbus/zone_permanent_functional.at
new file mode 100644
index 000000000000..2261832e00a8
--- /dev/null
+++ b/src/tests/dbus/zone_permanent_functional.at
@@ -0,0 +1,359 @@
+FWD_START_TEST([dbus api - zone permanent functional])
+AT_KEYWORDS(dbus zone gh586)
+
+dnl ####################
+dnl Global APIs
+dnl ####################
+
+DBUS_CHECK([config], [config.addZone],
+ ["foobar" dnl name
+ '("1.0", dnl version
+ "foobar", dnl short
+ "foobar zone", dnl description
+ false, dnl bogus/unused
+ "ACCEPT", dnl target
+ @<:@"ssh", "mdns"@:>@, dnl services
+ @<:@("1234", "tcp"), ("1234", "udp")@:>@, dnl ports
+ @<:@"echo-request"@:>@, dnl ICMP Blocks
+ true, dnl masquerade
+ @<:@("1234", "tcp", "4321", ""), ("1234", "udp", "4321", "10.10.10.10")@:>@, dnl forward ports
+ @<:@"dummy0", "dummy1"@:>@, dnl interfaces
+ @<:@"10.10.10.0/24"@:>@, dnl sources
+ @<:@"rule family=ipv4 source address=10.20.20.20 drop"@:>@, dnl rules_str
+ @<:@"icmp"@:>@, dnl protocols
+ @<:@("1234", "tcp"), ("1234", "udp")@:>@, dnl source ports
+ false dnl ICMP block inversion
+ )'dnl
+ ], 0, [stdout])
+DBUS_FOOBAR_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)]
+export DBUS_FOOBAR_ZONE_OBJ
+
+dnl Get Zones
+dnl
+DBUS_CHECK([config], [config.getZoneNames], [], 0, [dnl
+ [(['block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', 'public', 'trusted', 'work'],)]
+])
+DBUS_CHECK([config], [config.listZones], [], 0, [stdout])
+NS_CHECK([sed -e ["s/['][,]/'\n/g"] ./stdout |dnl
+ sed -e ["s/.*config\/zone\/\([^']\+\)['].*/\1/"] |dnl
+ while read LINE; do { echo "${LINE}" | grep ["^[0-9]\+$"] ; } || exit 1; done], 0, [ignore])
+DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout])
+NS_CHECK([sed -e ["s/.*config\/zone\/\([^']\+\)['].*/\1/"] ./stdout | grep ["^[0-9]\+$"]], 0, [ignore])
+
+dnl Interfaces
+FWD_CHECK([-q --permanent --zone public --add-interface dummy2])
+DBUS_CHECK([config], [config.getZoneOfInterface], ["dummy2"], 0, [dnl
+ ('public',)
+])
+FWD_CHECK([-q --permanent --zone public --remove-interface dummy2])
+
+dnl Sources
+FWD_CHECK([-q --permanent --zone public --add-source 10.20.20.0/24])
+DBUS_CHECK([config], [config.getZoneOfSource], ["10.20.20.0/24"], 0, [dnl
+ ('public',)
+])
+FWD_CHECK([-q --permanent --zone public --remove-source 10.20.20.0/24])
+
+dnl ####################
+dnl Zone object APIs
+dnl ####################
+
+DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.getSettings], [], 0, [dnl
+ (('1.0', dnl version
+ 'foobar', dnl short
+ 'foobar zone', dnl description
+ false, dnl bogus/unused
+ 'ACCEPT', dnl target
+ @<:@'ssh', 'mdns'@:>@, dnl services
+ @<:@('1234', 'tcp'), ('1234', 'udp')@:>@, dnl ports
+ @<:@'echo-request'@:>@, dnl ICMP Blocks
+ true, dnl masquerade
+ @<:@('1234', 'tcp', '4321', ''), ('1234', 'udp', '4321', '10.10.10.10')@:>@, dnl forward ports
+ @<:@'dummy0', 'dummy1'@:>@, dnl interfaces
+ @<:@'10.10.10.0/24'@:>@, dnl sources
+ @<:@'rule family="ipv4" source address="10.20.20.20" drop'@:>@, dnl rules_str
+ @<:@'icmp'@:>@, dnl protocols
+ @<:@('1234', 'tcp'), ('1234', 'udp')@:>@, dnl source ports
+ false),)
+])
+
+dnl Verify update works
+dnl
+DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.update], [dnl
+ '("1.1", dnl version
+ "foobar v2", dnl short
+ "foobar zone updated", dnl description
+ false, dnl bogus/unused
+ "ACCEPT", dnl target
+ @<:@"ssh", "mdns", "samba"@:>@, dnl services
+ @<:@("1234", "tcp"), ("4444", "udp")@:>@, dnl ports
+ @<:@"echo-request", "echo-reply"@:>@, dnl ICMP Blocks
+ false, dnl masquerade
+ @<:@("1234", "tcp", "4321", "")@:>@, dnl forward ports
+ @<:@"dummy0", "dummy1", "dummy2"@:>@, dnl interfaces
+ @<:@"10.10.10.0/24", "10.20.0.0/16"@:>@, dnl sources
+ @<:@"rule family=ipv4 source address=10.20.20.20 reject"@:>@, dnl rules_str
+ @<:@"icmp", "ipv6-icmp"@:>@, dnl protocols
+ @<:@("1234", "tcp"), ("6666", "udp")@:>@, dnl source ports
+ true dnl ICMP block inversion
+ )'dnl
+ ], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.getSettings], [], 0, [dnl
+ (('1.1', dnl version
+ 'foobar v2', dnl short
+ 'foobar zone updated', dnl description
+ false, dnl bogus/unused
+ 'ACCEPT', dnl target
+ @<:@'ssh', 'mdns', 'samba'@:>@, dnl services
+ @<:@('1234', 'tcp'), ('4444', 'udp')@:>@, dnl ports
+ @<:@'echo-request', 'echo-reply'@:>@, dnl ICMP Blocks
+ false, dnl masquerade
+ @<:@('1234', 'tcp', '4321', '')@:>@, dnl forward ports
+ @<:@'dummy0', 'dummy1', 'dummy2'@:>@, dnl interfaces
+ @<:@'10.10.10.0/24', '10.20.0.0/16'@:>@, dnl sources
+ @<:@'rule family="ipv4" source address="10.20.20.20" reject'@:>@, dnl rules_str
+ @<:@'icmp', 'ipv6-icmp'@:>@, dnl protocols
+ @<:@('1234', 'tcp'), ('6666', 'udp')@:>@, dnl source ports
+ true),)
+])
+
+dnl Rename
+DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.rename], ["foobar-renamed"], 0, [ignore])
+DBUS_CHECK([config], [config.getZoneByName], ["foobar-renamed"], 0, [ignore])
+
+dnl Remove
+DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.remove], [], 0, [ignore])
+DBUS_CHECK([config], [config.getZoneByName], ["foobar-renamed"], 1, [ignore], [ignore])
+
+dnl Get a reference to the public zone. We'll use for the rest of the tests.
+DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout])
+DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)]
+export DBUS_PUBLIC_ZONE_OBJ
+
+dnl loadDefaults
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.loadDefaults], [], 0, [ignore])
+
+dnl Version
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getVersion], [], 0, [dnl
+ ('',)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setVersion], ["1.1"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getVersion], [], 0, [dnl
+ ('1.1',)
+])
+
+dnl Short
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getShort], [], 0, [dnl
+ ('Public',)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setShort], ["Public updated"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getShort], [], 0, [dnl
+ ('Public updated',)
+])
+
+dnl Description
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getDescription], [], 0, [dnl
+ ('For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.',)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setDescription], ["A shorter description."], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getDescription], [], 0, [dnl
+ ('A shorter description.',)
+])
+
+dnl Target
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getTarget], [], 0, [dnl
+ ('default',)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setTarget], ["ACCEPT"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getTarget], [], 0, [dnl
+ ('ACCEPT',)
+])
+
+dnl Interfaces
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addInterface], ["dummy0"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryInterface], ["dummy0"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryInterface], ["dummy1"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setInterfaces], [['["dummy0", "dummy1"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getInterfaces], [], 0, [dnl
+ [(['dummy0', 'dummy1'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeInterface], ["dummy0"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getInterfaces], [], 0, [dnl
+ [(['dummy1'],)]
+])
+
+dnl Sources
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addSource], ["10.10.10.0/24"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySource], ["10.10.10.0/24"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySource], ["10.20.20.0/24"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setSources], [['["10.10.10.0/24", "10.20.20.0/24"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSources], [], 0, [dnl
+ [(['10.10.10.0/24', '10.20.20.0/24'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeSource], ["10.10.10.0/24"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSources], [], 0, [dnl
+ [(['10.20.20.0/24'],)]
+])
+
+dnl Services
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addService], ["samba"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryService], ["samba"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryService], ["https"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setServices], [['["samba", "https"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getServices], [], 0, [dnl
+ [(['samba', 'https'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeService], ["samba"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getServices], [], 0, [dnl
+ [(['https'],)]
+])
+
+dnl Ports
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addPort], ["1234" "tcp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryPort], ["1234" "tcp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryPort], ["4321" "udp"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setPorts], [['[("1234", "tcp"), ("4321", "udp")]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getPorts], [], 0, [dnl
+ [([('1234', 'tcp'), ('4321', 'udp')],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removePort], ["1234" "tcp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getPorts], [], 0, [dnl
+ [([('4321', 'udp')],)]
+])
+
+dnl Source Ports
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addSourcePort], ["1234" "tcp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySourcePort], ["1234" "tcp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySourcePort], ["4321" "udp"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setSourcePorts], [['[("1234", "tcp"), ("4321", "udp")]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSourcePorts], [], 0, [dnl
+ [([('1234', 'tcp'), ('4321', 'udp')],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeSourcePort], ["1234" "tcp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSourcePorts], [], 0, [dnl
+ [([('4321', 'udp')],)]
+])
+
+dnl Forward Ports
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addForwardPort], ["1234" "tcp" "1111" ""], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryForwardPort], ["1234" "tcp" "1111" ""], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryForwardPort], ["4321" "udp" "4444" "10.10.10.10"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setForwardPorts], [['[("1234", "tcp", "1111", ""), ("4321", "udp", "4444", "10.10.10.10")]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getForwardPorts], [], 0, [dnl
+ [([('1234', 'tcp', '1111', ''), ('4321', 'udp', '4444', '10.10.10.10')],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeForwardPort], ["1234" "tcp" "1111" ""], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getForwardPorts], [], 0, [dnl
+ [([('4321', 'udp', '4444', '10.10.10.10')],)]
+])
+
+dnl Protocols
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addProtocol], ["icmp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryProtocol], ["icmp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryProtocol], ["igmp"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setProtocols], [['["icmp", "igmp"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getProtocols], [], 0, [dnl
+ [(['icmp', 'igmp'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeProtocol], ["icmp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getProtocols], [], 0, [dnl
+ [(['igmp'],)]
+])
+
+dnl Masquerade
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryMasquerade], [], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addMasquerade], [], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryMasquerade], [], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setMasquerade], [true], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getMasquerade], [], 0, [dnl
+ [(true,)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeMasquerade], [], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getMasquerade], [], 0, [dnl
+ [(false,)]
+])
+
+dnl ICMP Block
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addIcmpBlock], ["echo-reply"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlock], ["echo-reply"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlock], ["echo-request"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setIcmpBlocks], [['["echo-reply", "echo-request"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlocks], [], 0, [dnl
+ [(['echo-reply', 'echo-request'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeIcmpBlock], ["echo-reply"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlocks], [], 0, [dnl
+ [(['echo-request'],)]
+])
+
+dnl ICMP Block Inversion
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlockInversion], [], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addIcmpBlockInversion], [], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlockInversion], [], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setIcmpBlockInversion], [true], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlockInversion], [], 0, [dnl
+ [(true,)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeIcmpBlockInversion], [], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlockInversion], [], 0, [dnl
+ [(false,)]
+])
+
+dnl Rich Rules
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryRichRule], ["rule family=ipv4 source address=10.20.20.0/24 drop"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setRichRules], [['["rule family=ipv4 source address=10.10.10.0/24 accept", "rule family=ipv4 source address=10.20.20.0/24 drop"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getRichRules], [], 0, [dnl
+ [(['rule family="ipv4" source address="10.10.10.0/24" accept', 'rule family="ipv4" source address="10.20.20.0/24" drop'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getRichRules], [], 0, [dnl
+ [(['rule family="ipv4" source address="10.20.20.0/24" drop'],)]
+])
+
+FWD_END_TEST([-e '/ERROR: INVALID_ZONE: foobar-renamed/d'])
--
2.27.0


@ -0,0 +1,379 @@
From e0bc051a52bccdbd17ada7ab974b1c32d25ac7c1 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 8 Feb 2021 14:53:38 -0500
Subject: [PATCH 12/22] test(dbus): direct: add coverage for signatures
(cherry picked from commit 4673e0e55353c3f0243035f47d7c2832db9928e4)
(cherry picked from commit 1b1b27ec0c19046ef041d465e44c81ad0f675fc9)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/direct.at | 348 +++++++++++++++++++++++++++++++++++++++
2 files changed, 349 insertions(+)
create mode 100644 src/tests/dbus/direct.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index 5f7b6cbdc108..a9707f825041 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -9,3 +9,4 @@ m4_include([dbus/policy_permanent_signatures.at])
m4_include([dbus/policy_runtime_signatures.at])
m4_include([dbus/policy_permanent_functional.at])
m4_include([dbus/policy_runtime_functional.at])
+m4_include([dbus/direct.at])
diff --git a/src/tests/dbus/direct.at b/src/tests/dbus/direct.at
new file mode 100644
index 000000000000..fe92db6bb510
--- /dev/null
+++ b/src/tests/dbus/direct.at
@@ -0,0 +1,348 @@
+FWD_START_TEST([dbus api - direct signatures])
+AT_KEYWORDS(dbus direct)
+
+dnl ###############################
+dnl ########## runtime ############
+dnl ###############################
+
+DBUS_INTROSPECT([], [[//method[@name="addChain"]]], 0, [dnl
+ <method name="addChain">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="addPassthrough"]]], 0, [dnl
+ <method name="addPassthrough">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="addRule"]]], 0, [dnl
+ <method name="addRule">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ <arg direction="in" name="priority" type="i"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="getAllChains"]]], 0, [dnl
+ <method name="getAllChains">
+ <arg direction="out" type="a(sss)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="getAllPassthroughs"]]], 0, [dnl
+ <method name="getAllPassthroughs">
+ <arg direction="out" type="a(sas)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="getAllRules"]]], 0, [dnl
+ <method name="getAllRules">
+ <arg direction="out" type="a(sssias)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="getChains"]]], 0, [dnl
+ <method name="getChains">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="getPassthroughs"]]], 0, [dnl
+ <method name="getPassthroughs">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="getRules"]]], 0, [dnl
+ <method name="getRules">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ <arg direction="out" type="a(ias)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="passthrough"]]], 0, [dnl
+ <method name="passthrough">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="queryChain"]]], 0, [dnl
+ <method name="queryChain">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="queryPassthrough"]]], 0, [dnl
+ <method name="queryPassthrough">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="queryRule"]]], 0, [dnl
+ <method name="queryRule">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ <arg direction="in" name="priority" type="i"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="removeAllPassthroughs"]]], 0, [dnl
+ <method name="removeAllPassthroughs">
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="removeChain"]]], 0, [dnl
+ <method name="removeChain">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="removePassthrough"]]], 0, [dnl
+ <method name="removePassthrough">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="removeRule"]]], 0, [dnl
+ <method name="removeRule">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ <arg direction="in" name="priority" type="i"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//method[@name="removeRules"]]], 0, [dnl
+ <method name="removeRules">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([], [[//signal[@name="ChainAdded"]]], 0, [dnl
+ <signal name="ChainAdded">
+ <arg name="ipv" type="s"></arg>
+ <arg name="table" type="s"></arg>
+ <arg name="chain" type="s"></arg>
+ </signal>
+])
+
+DBUS_INTROSPECT([], [[//signal[@name="ChainRemoved"]]], 0, [dnl
+ <signal name="ChainRemoved">
+ <arg name="ipv" type="s"></arg>
+ <arg name="table" type="s"></arg>
+ <arg name="chain" type="s"></arg>
+ </signal>
+])
+
+DBUS_INTROSPECT([], [[//signal[@name="PassthroughAdded"]]], 0, [dnl
+ <signal name="PassthroughAdded">
+ <arg name="ipv" type="s"></arg>
+ <arg name="args" type="as"></arg>
+ </signal>
+])
+
+DBUS_INTROSPECT([], [[//signal[@name="PassthroughRemoved"]]], 0, [dnl
+ <signal name="PassthroughRemoved">
+ <arg name="ipv" type="s"></arg>
+ <arg name="args" type="as"></arg>
+ </signal>
+])
+
+DBUS_INTROSPECT([], [[//signal[@name="RuleAdded"]]], 0, [dnl
+ <signal name="RuleAdded">
+ <arg name="ipv" type="s"></arg>
+ <arg name="table" type="s"></arg>
+ <arg name="chain" type="s"></arg>
+ <arg name="priority" type="i"></arg>
+ <arg name="args" type="as"></arg>
+ </signal>
+])
+
+DBUS_INTROSPECT([], [[//signal[@name="RuleRemoved"]]], 0, [dnl
+ <signal name="RuleRemoved">
+ <arg name="ipv" type="s"></arg>
+ <arg name="table" type="s"></arg>
+ <arg name="chain" type="s"></arg>
+ <arg name="priority" type="i"></arg>
+ <arg name="args" type="as"></arg>
+ </signal>
+])
+
+dnl ###############################
+dnl ######### permanent ###########
+dnl ###############################
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getSettings"]]], 0, [dnl
+ <method name="getSettings">
+ <arg direction="out" type="(a(sss)a(sssias)a(sas))"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="update"]]], 0, [dnl
+ <method name="update">
+ <arg direction="in" name="settings" type="(a(sss)a(sssias)a(sas))"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="addChain"]]], 0, [dnl
+ <method name="addChain">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="addPassthrough"]]], 0, [dnl
+ <method name="addPassthrough">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="addRule"]]], 0, [dnl
+ <method name="addRule">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ <arg direction="in" name="priority" type="i"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getAllChains"]]], 0, [dnl
+ <method name="getAllChains">
+ <arg direction="out" type="a(sss)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getAllPassthroughs"]]], 0, [dnl
+ <method name="getAllPassthroughs">
+ <arg direction="out" type="a(sas)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getAllRules"]]], 0, [dnl
+ <method name="getAllRules">
+ <arg direction="out" type="a(sssias)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getChains"]]], 0, [dnl
+ <method name="getChains">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getPassthroughs"]]], 0, [dnl
+ <method name="getPassthroughs">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="getRules"]]], 0, [dnl
+ <method name="getRules">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ <arg direction="out" type="a(ias)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="queryChain"]]], 0, [dnl
+ <method name="queryChain">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="queryPassthrough"]]], 0, [dnl
+ <method name="queryPassthrough">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="queryRule"]]], 0, [dnl
+ <method name="queryRule">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ <arg direction="in" name="priority" type="i"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removeChain"]]], 0, [dnl
+ <method name="removeChain">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removePassthrough"]]], 0, [dnl
+ <method name="removePassthrough">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removeRule"]]], 0, [dnl
+ <method name="removeRule">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ <arg direction="in" name="priority" type="i"></arg>
+ <arg direction="in" name="args" type="as"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//method[@name="removeRules"]]], 0, [dnl
+ <method name="removeRules">
+ <arg direction="in" name="ipv" type="s"></arg>
+ <arg direction="in" name="table" type="s"></arg>
+ <arg direction="in" name="chain" type="s"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config.direct"]//signal[@name="Updated"]]], 0, [dnl
+ <signal name="Updated">
+ </signal>
+])
+
+FWD_END_TEST
--
2.27.0
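Review bot: The runtime half of the new direct.at matches methods with an unscoped XPath (`//method[@name="addChain"]`, and likewise for every runtime method and signal that follows) while the permanent half scopes each lookup to `//interface[@name="org.fedoraproject.FirewallD1.config.direct"]`. The main firewalld object exports several interfaces on one path, so an unscoped name match can pass against a same-named method on a different interface or break with multiple matches once one is added, which is the very problem the next patch in this series (13/22, "scope introspection checks to interface") fixes for the policy tests. The runtime checks here should be scoped the same way, e.g. `DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.direct"]//method[@name="addChain"]]], 0, [dnl` — the exact runtime interface name is not shown in this hunk, so confirm it against the daemon's introspection output before applying. Note also that this file only pins signatures; `passthrough` hands `args` straight to the backend and returns its output, and no functional coverage of that path is added by this patch.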


@ -1,328 +0,0 @@
From 069fbf5bda85526cdae9cf684a61c49d6961c065 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 9 Apr 2020 14:03:48 -0400
Subject: [PATCH 12/45] test(dbus): zone: verify runtime config APIs
(cherry picked from commit b1e7a3843f7c6dfc31ac3ac38cc938bd8ece7c6c)
(cherry picked from commit 2bc363979f3223ed0b98f027c96d8af7c3d79211)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/zone_runtime_functional.at | 297 ++++++++++++++++++++++
2 files changed, 298 insertions(+)
create mode 100644 src/tests/dbus/zone_runtime_functional.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index 31c180dc3d3d..d9f7a2953131 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -4,3 +4,4 @@ m4_include([dbus/service.at])
m4_include([dbus/zone_permanent_signatures.at])
m4_include([dbus/zone_runtime_signatures.at])
m4_include([dbus/zone_permanent_functional.at])
+m4_include([dbus/zone_runtime_functional.at])
diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at
new file mode 100644
index 000000000000..d0098dfdff65
--- /dev/null
+++ b/src/tests/dbus/zone_runtime_functional.at
@@ -0,0 +1,297 @@
+FWD_START_TEST([dbus api - zone permanent functional])
+AT_KEYWORDS(dbus zone gh586)
+
+dnl ####################
+dnl Global APIs
+dnl ####################
+
+DBUS_CHECK([], [getZoneSettings], ["public"], 0, [dnl
+ (('', dnl version
+ 'Public', dnl short
+ 'For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.', dnl description
+ false, dnl bogus/unused
+ 'default', dnl target
+ @<:@'ssh', 'dhcpv6-client', 'cockpit'@:>@, dnl services
+ @a(ss) @<:@@:>@, dnl ports
+ @as @<:@@:>@, dnl ICMP Blocks
+ false, dnl masquerade
+ @a(ssss) @<:@@:>@, dnl forward ports
+ @as @<:@@:>@, dnl interfaces
+ @as @<:@@:>@, dnl sources
+ @as @<:@@:>@, dnl rules_str
+ @as @<:@@:>@, dnl protocols
+ @a(ss) @<:@@:>@, dnl source ports
+ false),)
+])
+
+dnl Default Zone
+DBUS_CHECK([], [getDefaultZone], [], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [setDefaultZone], ['drop'], 0, [dnl
+ ()
+])
+DBUS_CHECK([], [getDefaultZone], [], 0, [dnl
+ ('drop',)
+])
+
+dnl Fetching Zones
+DBUS_CHECK([], [zone.getZones], [], 0, [dnl
+ [(['block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'],)]
+])
+FWD_CHECK([-q --zone public --add-interface dummy0])
+FWD_CHECK([-q --zone public --add-source 10.1.1.1])
+DBUS_CHECK([], [zone.getActiveZones], [], 0, [dnl
+ ['public': {'interfaces': ['dummy0'], 'sources': ['10.1.1.1']}]
+])
+FWD_CHECK([-q --zone public --remove-interface dummy0])
+FWD_CHECK([-q --zone public --remove-source 10.1.1.1])
+
+dnl Interfaces/Sources
+FWD_CHECK([-q --zone public --add-interface dummy1])
+DBUS_CHECK([], [zone.getZoneOfInterface], ["dummy1"], 0, [dnl
+ ('public',)
+])
+FWD_CHECK([-q --zone public --remove-interface dummy1])
+FWD_CHECK([-q --zone drop --add-source 10.10.10.0/24])
+DBUS_CHECK([], [zone.getZoneOfSource], ["10.10.10.0/24"], 0, [dnl
+ ('drop',)
+])
+FWD_CHECK([-q --zone drop --remove-source 10.10.10.0/24])
+
+dnl ####################
+dnl Zone Individual APIs
+dnl ####################
+
+dnl isImmutable
+DBUS_CHECK([], [zone.isImmutable], ["public"], 0, [dnl
+ (false,)
+])
+
+dnl Interfaces
+DBUS_CHECK([], [zone.addInterface], ["public" "dummy0"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.changeZone], ["drop" "dummy0"], 0, [dnl
+ ('drop',)
+])
+DBUS_CHECK([], [zone.queryInterface], ["public" "dummy0"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([], [zone.queryInterface], ["drop" "dummy0"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.changeZoneOfInterface], ["public" "dummy0"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryInterface], ["public" "dummy0"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.queryInterface], ["drop" "dummy0"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([], [zone.addInterface], ["public" "dummy1"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getInterfaces], ["public"], 0, [dnl
+ [(['dummy0', 'dummy1'],)]
+])
+DBUS_CHECK([], [zone.removeInterface], ["public" "dummy0"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getInterfaces], ["public"], 0, [dnl
+ [(['dummy1'],)]
+])
+
+dnl Sources
+DBUS_CHECK([], [zone.addSource], ["public" "10.10.10.0/24"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.changeZoneOfSource], ["drop" "10.10.10.0/24"], 0, [dnl
+ ('drop',)
+])
+DBUS_CHECK([], [zone.querySource], ["public" "10.10.10.0/24"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([], [zone.querySource], ["drop" "10.10.10.0/24"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.changeZoneOfSource], ["public" "10.10.10.0/24"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.addSource], ["public" "10.20.0.0/16"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getSources], ["public"], 0, [dnl
+ [(['10.10.10.0/24', '10.20.0.0/16'],)]
+])
+DBUS_CHECK([], [zone.removeSource], ["public" "10.10.10.0/24"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getSources], ["public"], 0, [dnl
+ [(['10.20.0.0/16'],)]
+])
+
+dnl Services
+DBUS_CHECK([], [zone.addService], ["public" "samba" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryService], ["public" "samba"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.getServices], ["public"], 0, [dnl
+ [(['ssh', 'dhcpv6-client', 'cockpit', 'samba'],)]
+])
+DBUS_CHECK([], [zone.removeService], ["public" "samba"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryService], ["public" "samba"], 0, [dnl
+ (false,)
+])
+
+dnl Protocols
+DBUS_CHECK([], [zone.addProtocol], ["public" "icmp" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryProtocol], ["public" "icmp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.getProtocols], ["public"], 0, [dnl
+ [(['icmp'],)]
+])
+DBUS_CHECK([], [zone.removeProtocol], ["public" "icmp"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryProtocol], ["public" "icmp"], 0, [dnl
+ (false,)
+])
+
+dnl Ports
+DBUS_CHECK([], [zone.addPort], ["public" "1234" "tcp" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryPort], ["public" "1234" "tcp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.addPort], ["public" "4321" "udp" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getPorts], ["public"], 0, [dnl
+ [([['1234', 'tcp'], ['4321', 'udp']],)]
+])
+DBUS_CHECK([], [zone.removePort], ["public" "1234" "tcp"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryPort], ["public" "1234" "tcp"], 0, [dnl
+ (false,)
+])
+
+dnl Source Ports
+DBUS_CHECK([], [zone.addSourcePort], ["public" "1234" "tcp" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.querySourcePort], ["public" "1234" "tcp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.addSourcePort], ["public" "4321" "udp" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getSourcePorts], ["public"], 0, [dnl
+ [([['1234', 'tcp'], ['4321', 'udp']],)]
+])
+DBUS_CHECK([], [zone.removeSourcePort], ["public" "1234" "tcp"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.querySourcePort], ["public" "1234" "tcp"], 0, [dnl
+ (false,)
+])
+
+dnl Forward Ports
+DBUS_CHECK([], [zone.addForwardPort], ["public" "1234" "tcp" "1111" "" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.addForwardPort], ["public" "4321" "udp" "4444" "10.10.10.10" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getForwardPorts], ["public"], 0, [dnl
+ [([['1234', 'tcp', '1111', ''], ['4321', 'udp', '4444', '10.10.10.10']],)]
+])
+DBUS_CHECK([], [zone.removeForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl
+ (false,)
+])
+
+dnl Masquerade
+DBUS_CHECK([], [zone.addMasquerade], ["public" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryMasquerade], ["public"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.removeMasquerade], ["public"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryMasquerade], ["public"], 0, [dnl
+ (false,)
+])
+
+dnl ICMP Block
+DBUS_CHECK([], [zone.addIcmpBlock], ["public" "echo-reply" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryIcmpBlock], ["public" "echo-reply"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.addIcmpBlock], ["public" "echo-request" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getIcmpBlocks], ["public"], 0, [dnl
+ [(['echo-reply', 'echo-request'],)]
+])
+DBUS_CHECK([], [zone.removeIcmpBlock], ["public" "echo-reply"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryIcmpBlock], ["public" "echo-reply"], 0, [dnl
+ (false,)
+])
+
+dnl ICMP Block Inversion
+DBUS_CHECK([], [zone.addIcmpBlockInversion], ["public"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryIcmpBlockInversion], ["public"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.removeIcmpBlockInversion], ["public"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryIcmpBlockInversion], ["public"], 0, [dnl
+ (false,)
+])
+
+dnl Rich Rules
+DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl
+ [(['rule family="ipv4" source address="10.10.10.10" accept', 'rule family="ipv4" source address="20.20.20.20" accept'],)]
+])
+DBUS_CHECK([], [zone.removeRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl
+ (false,)
+])
+
+FWD_END_TEST
--
2.27.0


@ -1,45 +0,0 @@
From 54b9d3c0aab51a598162ccd58152861730b9cee7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 29 Apr 2020 08:08:21 -0400
Subject: [PATCH 13/45] fix(direct): rule in a zone chain
Fixes: rhbz 1829104
Fixes: 3c439c9008ad ("chore: eliminate FirewallZoneTransaction class")
(cherry picked from commit f2941a82592b2ac6e9001b0d0f6c321fcb704005)
(cherry picked from commit f1d8753487e99ed8b3b036df36bedb861db00e65)
---
src/firewall/core/fw_zone.py | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 59c9401c1060..5677effab146 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -188,7 +188,7 @@ class FirewallZone(object):
if splits[1] not in self.get_zones():
return None
if len(splits) == 2 or \
- (len(splits) == 3 and splits[2] in [ "log", "deny", "allow" ]):
+ (len(splits) == 3 and splits[2] in [ "pre", "log", "deny", "allow", "post" ]):
return (splits[1], _chain)
return None
@@ -200,14 +200,12 @@ class FirewallZone(object):
x = self.zone_from_chain(chain)
if x is not None:
(_zone, _chain) = x
-
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
- self.gen_chain_rules(_zone, True, [(table, _chain)],
- transaction)
+ self.gen_chain_rules(_zone, True, table, _chain, transaction)
if use_transaction is None:
transaction.execute(True)
--
2.27.0


@ -0,0 +1,119 @@
From 25e0354c7a582df802a54d1dd5bd22462e50f5b3 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 9 Feb 2021 12:19:53 -0500
Subject: [PATCH 13/22] test(dbus): policy: scope introspection checks to
interface
(cherry picked from commit 76c7ef5140de4e578e7409113c26e6c223b8ed60)
(cherry picked from commit 2236a03c212ac9abb173a5d5a5ba68a4f75e7989)
---
src/tests/dbus/policy_permanent_signatures.at | 18 +++++++++---------
src/tests/dbus/policy_runtime_signatures.at | 8 ++++----
2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/src/tests/dbus/policy_permanent_signatures.at b/src/tests/dbus/policy_permanent_signatures.at
index d9dc38179840..7363b7715947 100644
--- a/src/tests/dbus/policy_permanent_signatures.at
+++ b/src/tests/dbus/policy_permanent_signatures.at
@@ -5,23 +5,23 @@ dnl ####################
dnl Global APIs
dnl ####################
-DBUS_INTROSPECT([config], [[//method[@name="listPolicies"]]], 0, [dnl
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="listPolicies"]]], 0, [dnl
<method name="listPolicies">
<arg direction="out" type="ao"></arg>
</method>
])
-DBUS_INTROSPECT([config], [[//method[@name="getPolicyNames"]]], 0, [dnl
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="getPolicyNames"]]], 0, [dnl
<method name="getPolicyNames">
<arg direction="out" type="as"></arg>
</method>
])
-DBUS_INTROSPECT([config], [[//method[@name="getPolicyByName"]]], 0, [dnl
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="getPolicyByName"]]], 0, [dnl
<method name="getPolicyByName">
<arg direction="in" name="policy" type="s"></arg>
<arg direction="out" type="o"></arg>
</method>
])
-DBUS_INTROSPECT([config], [[//method[@name="addPolicy"]]], 0, [dnl
+DBUS_INTROSPECT([config], [[//interface[@name="org.fedoraproject.FirewallD1.config"]//method[@name="addPolicy"]]], 0, [dnl
<method name="addPolicy">
<arg direction="in" name="policy" type="s"></arg>
<arg direction="in" name="settings" type="a{sv}"></arg>
@@ -37,30 +37,30 @@ DBUS_CHECK([config], [config.getPolicyByName], ["allow-host-ipv6"], 0, [stdout])
DBUS_POLICY_OBJ=[$(sed -e "s/.*config\/policy\/\([^']\+\)['].*/\1/" ./stdout)]
export DBUS_POLICY_OBJ
-DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="getSettings"]]], 0, [dnl
+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="getSettings"]]], 0, [dnl
<method name="getSettings">
<arg direction="out" type="a{sv}"></arg>
</method>
])
-DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="update"]]], 0, [dnl
+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="update"]]], 0, [dnl
<method name="update">
<arg direction="in" name="settings" type="a{sv}"></arg>
</method>
])
-DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="remove"]]], 0, [dnl
+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="remove"]]], 0, [dnl
<method name="remove">
</method>
])
-DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="rename"]]], 0, [dnl
+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="rename"]]], 0, [dnl
<method name="rename">
<arg direction="in" name="name" type="s"></arg>
</method>
])
-DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//method[@name="loadDefaults"]]], 0, [dnl
+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="loadDefaults"]]], 0, [dnl
<method name="loadDefaults">
</method>
])
diff --git a/src/tests/dbus/policy_runtime_signatures.at b/src/tests/dbus/policy_runtime_signatures.at
index 2f0c5e75496b..c651ae981adf 100644
--- a/src/tests/dbus/policy_runtime_signatures.at
+++ b/src/tests/dbus/policy_runtime_signatures.at
@@ -3,13 +3,13 @@ AT_KEYWORDS(dbus policy)
dnl Settings
dnl
-DBUS_INTROSPECT([], [[//method[@name="getPolicySettings"]]], 0, [dnl
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getPolicySettings"]]], 0, [dnl
<method name="getPolicySettings">
<arg direction="in" name="policy" type="s"></arg>
<arg direction="out" type="a{sv}"></arg>
</method>
])
-DBUS_INTROSPECT([], [[//method[@name="setPolicySettings"]]], 0, [dnl
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="setPolicySettings"]]], 0, [dnl
<method name="setPolicySettings">
<arg direction="in" name="policy" type="s"></arg>
<arg direction="in" name="settings" type="a{sv}"></arg>
@@ -17,12 +17,12 @@ DBUS_INTROSPECT([], [[//method[@name="setPolicySettings"]]], 0, [dnl
])
dnl Fetching Policies
-DBUS_INTROSPECT([], [[//method[@name="getPolicies"]]], 0, [dnl
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getPolicies"]]], 0, [dnl
<method name="getPolicies">
<arg direction="out" type="as"></arg>
</method>
])
-DBUS_INTROSPECT([], [[//method[@name="getActivePolicies"]]], 0, [dnl
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getActivePolicies"]]], 0, [dnl
<method name="getActivePolicies">
<arg direction="out" type="a{sa{sas}}"></arg>
</method>
--
2.27.0



@ -1,88 +0,0 @@
From 162e697cf86947e7ff54a05570146b5b75321e97 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 29 Apr 2020 08:00:35 -0400
Subject: [PATCH 14/45] test(direct): rule in a zone chain
Coverage for rhbz 1829104.
(cherry picked from commit f88617bb205c6891d4f9c1d5231ddf356a3bd59f)
(cherry picked from commit c9f519adea34ec29e262713a543f2b086fb9ffa7)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1829104.at | 55 +++++++++++++++++++++++++++++
2 files changed, 56 insertions(+)
create mode 100644 src/tests/regression/rhbz1829104.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 2528ddd3fede..c3a5706c6406 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -28,3 +28,4 @@ m4_include([regression/gh567.at])
m4_include([regression/rhbz1779835.at])
m4_include([regression/gh330.at])
m4_include([regression/gh599.at])
+m4_include([regression/rhbz1829104.at])
diff --git a/src/tests/regression/rhbz1829104.at b/src/tests/regression/rhbz1829104.at
new file mode 100644
index 000000000000..45659eb3c3df
--- /dev/null
+++ b/src/tests/regression/rhbz1829104.at
@@ -0,0 +1,55 @@
+m4_if(iptables, FIREWALL_BACKEND, [
+FWD_START_TEST([direct rule in zone chain])
+AT_KEYWORDS(direct rhbz1829104)
+
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_END_TEST
+])
--
2.27.0


@ -1,36 +0,0 @@
From 1eb5d5c57edb6e35895fa4ae4314f652da423d92 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 24 Apr 2020 11:27:10 -0400
Subject: [PATCH 15/45] fix(client): addService needs to reduce tuple size
The dbus API only allows 8 elements. Reduce the tuple to the correct
size as it's common for clients to do
settings = FirewallClientServiceSettings()
[..]
addService(settings.settings)
(cherry picked from commit e2ab8a6e584e6ba2adb0a5e0a13fbb6d7eb39b0c)
(cherry picked from commit 3eae583907a953b71df16747bbabefd24fbdc3ab)
---
src/firewall/client.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/firewall/client.py b/src/firewall/client.py
index efe5d7db1273..ea27c0186509 100644
--- a/src/firewall/client.py
+++ b/src/firewall/client.py
@@ -2488,7 +2488,9 @@ class FirewallClientConfig(object):
elif type(settings) is dict:
path = self.fw_config.addService2(name, settings)
else:
- path = self.fw_config.addService(name, tuple(settings))
+ # tuple based dbus API has 8 elements. Slice what we're given down
+ # to the expected size.
+ path = self.fw_config.addService(name, tuple(settings[:8]))
return FirewallClientConfigService(self.bus, path)
# icmptype
--
2.27.0


@ -0,0 +1,69 @@
From a97286a71ea39200fdbd6ad876a3b597f9ece6a7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 9 Feb 2021 12:20:27 -0500
Subject: [PATCH 15/22] test(dbus): policy: introspect signals
(cherry picked from commit 4ef37228e9bb1f564597b4cd654c2092cef0cca8)
(cherry picked from commit 9aac1417b2d10a4793756b4bdfa10047a2240ecd)
---
src/tests/dbus/policy_permanent_signatures.at | 15 +++++++++++++++
src/tests/dbus/policy_runtime_signatures.at | 6 ++++++
2 files changed, 21 insertions(+)
diff --git a/src/tests/dbus/policy_permanent_signatures.at b/src/tests/dbus/policy_permanent_signatures.at
index 7363b7715947..9ad36fa131e7 100644
--- a/src/tests/dbus/policy_permanent_signatures.at
+++ b/src/tests/dbus/policy_permanent_signatures.at
@@ -48,17 +48,32 @@ DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fed
<arg direction="in" name="settings" type="a{sv}"></arg>
</method>
])
+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//signal[@name="Updated"]]], 0, [dnl
+ <signal name="Updated">
+ <arg name="name" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="remove"]]], 0, [dnl
<method name="remove">
</method>
])
+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//signal[@name="Removed"]]], 0, [dnl
+ <signal name="Removed">
+ <arg name="name" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="rename"]]], 0, [dnl
<method name="rename">
<arg direction="in" name="name" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//signal[@name="Renamed"]]], 0, [dnl
+ <signal name="Renamed">
+ <arg name="name" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([config/policy/${DBUS_POLICY_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.policy"]//method[@name="loadDefaults"]]], 0, [dnl
<method name="loadDefaults">
diff --git a/src/tests/dbus/policy_runtime_signatures.at b/src/tests/dbus/policy_runtime_signatures.at
index c651ae981adf..e299329e4f4f 100644
--- a/src/tests/dbus/policy_runtime_signatures.at
+++ b/src/tests/dbus/policy_runtime_signatures.at
@@ -15,6 +15,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//
<arg direction="in" name="settings" type="a{sv}"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//signal[@name="PolicyUpdated"]]], 0, [dnl
+ <signal name="PolicyUpdated">
+ <arg name="policy" type="s"></arg>
+ <arg name="settings" type="a{sv}"></arg>
+ </signal>
+])
dnl Fetching Policies
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.policy"]//method[@name="getPolicies"]]], 0, [dnl
--
2.27.0


@ -1,36 +0,0 @@
From c9fccec891a3cd454ad7179ee3871f630b635b47 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 20 Apr 2020 16:45:02 -0400
Subject: [PATCH 16/45] test(dbus): zone: fix false failure due to list order
Fixes: b1e7a3843f7c ("test(dbus): zone: verify runtime config APIs")
(cherry picked from commit 8ca79abf32fd609b10b88482c89ee0c9c9711718)
(cherry picked from commit 86feb18448794b58f2725484083ead9ddc0bc451)
---
src/tests/dbus/zone_runtime_functional.at | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at
index d0098dfdff65..f48d97897cd9 100644
--- a/src/tests/dbus/zone_runtime_functional.at
+++ b/src/tests/dbus/zone_runtime_functional.at
@@ -281,11 +281,14 @@ DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=10
DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl
(true,)
])
+DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl
+ [(['rule family="ipv4" source address="10.10.10.10" accept'],)]
+])
DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept" 0], 0, [dnl
('public',)
])
-DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl
- [(['rule family="ipv4" source address="10.10.10.10" accept', 'rule family="ipv4" source address="20.20.20.20" accept'],)]
+DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept"], 0, [dnl
+ (true,)
])
DBUS_CHECK([], [zone.removeRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl
('public',)
--
2.27.0


@ -0,0 +1,369 @@
From c15f2c1b94faf21eb39e4d1c525d205cb1b71dbc Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 9 Feb 2021 14:31:53 -0500
Subject: [PATCH 16/22] test(dbus): zone: introspect signals
(cherry picked from commit 04548b4c3be23288ccaeee74f7b1fda5e9d5e047)
(cherry picked from commit 2f9a05fbaf5882ca91cf4e4141aec27b6f58855c)
---
src/tests/dbus/zone_permanent_signatures.at | 15 ++
src/tests/dbus/zone_runtime_signatures.at | 152 ++++++++++++++++++++
2 files changed, 167 insertions(+)
diff --git a/src/tests/dbus/zone_permanent_signatures.at b/src/tests/dbus/zone_permanent_signatures.at
index 31b27925495a..2db55c5b3936 100644
--- a/src/tests/dbus/zone_permanent_signatures.at
+++ b/src/tests/dbus/zone_permanent_signatures.at
@@ -64,6 +64,11 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.
<arg direction="in" name="settings" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
</method>
])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//signal[@name="Updated"]]], 0, [dnl
+ <signal name="Updated">
+ <arg name="name" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="loadDefaults"]]], 0, [dnl
<method name="loadDefaults">
@@ -74,12 +79,22 @@ DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.
<method name="remove">
</method>
])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//signal[@name="Removed"]]], 0, [dnl
+ <signal name="Removed">
+ <arg name="name" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//method[@name="rename"]]], 0, [dnl
<method name="rename">
<arg direction="in" name="name" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//interface[@name="org.fedoraproject.FirewallD1.config.zone"]//signal[@name="Renamed"]]], 0, [dnl
+ <signal name="Renamed">
+ <arg name="name" type="s"></arg>
+ </signal>
+])
dnl Version
dnl
diff --git a/src/tests/dbus/zone_runtime_signatures.at b/src/tests/dbus/zone_runtime_signatures.at
index 29571a48ec5f..68aec78153ae 100644
--- a/src/tests/dbus/zone_runtime_signatures.at
+++ b/src/tests/dbus/zone_runtime_signatures.at
@@ -69,6 +69,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="InterfaceAdded"]]], 0, [dnl
+ <signal name="InterfaceAdded">
+ <arg name="zone" type="s"></arg>
+ <arg name="interface" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZone"]]], 0, [dnl
<method name="changeZone">
<arg direction="in" name="zone" type="s"></arg>
@@ -76,6 +82,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ZoneChanged"]]], 0, [dnl
+ <signal name="ZoneChanged">
+ <arg name="zone" type="s"></arg>
+ <arg name="interface" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZoneOfInterface"]]], 0, [dnl
<method name="changeZoneOfInterface">
<arg direction="in" name="zone" type="s"></arg>
@@ -90,6 +102,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="InterfaceRemoved"]]], 0, [dnl
+ <signal name="InterfaceRemoved">
+ <arg name="zone" type="s"></arg>
+ <arg name="interface" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryInterface"]]], 0, [dnl
<method name="queryInterface">
<arg direction="in" name="zone" type="s"></arg>
@@ -112,6 +130,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourceAdded"]]], 0, [dnl
+ <signal name="SourceAdded">
+ <arg name="zone" type="s"></arg>
+ <arg name="source" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="changeZoneOfSource"]]], 0, [dnl
<method name="changeZoneOfSource">
<arg direction="in" name="zone" type="s"></arg>
@@ -126,6 +150,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourceRemoved"]]], 0, [dnl
+ <signal name="SourceRemoved">
+ <arg name="zone" type="s"></arg>
+ <arg name="source" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="querySource"]]], 0, [dnl
<method name="querySource">
<arg direction="in" name="zone" type="s"></arg>
@@ -149,6 +179,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ServiceAdded"]]], 0, [dnl
+ <signal name="ServiceAdded">
+ <arg name="zone" type="s"></arg>
+ <arg name="service" type="s"></arg>
+ <arg name="timeout" type="i"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeService"]]], 0, [dnl
<method name="removeService">
<arg direction="in" name="zone" type="s"></arg>
@@ -156,6 +193,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ServiceRemoved"]]], 0, [dnl
+ <signal name="ServiceRemoved">
+ <arg name="zone" type="s"></arg>
+ <arg name="service" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryService"]]], 0, [dnl
<method name="queryService">
<arg direction="in" name="zone" type="s"></arg>
@@ -179,6 +222,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ProtocolAdded"]]], 0, [dnl
+ <signal name="ProtocolAdded">
+ <arg name="zone" type="s"></arg>
+ <arg name="protocol" type="s"></arg>
+ <arg name="timeout" type="i"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeProtocol"]]], 0, [dnl
<method name="removeProtocol">
<arg direction="in" name="zone" type="s"></arg>
@@ -186,6 +236,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ProtocolRemoved"]]], 0, [dnl
+ <signal name="ProtocolRemoved">
+ <arg name="zone" type="s"></arg>
+ <arg name="protocol" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryProtocol"]]], 0, [dnl
<method name="queryProtocol">
<arg direction="in" name="zone" type="s"></arg>
@@ -210,6 +266,14 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="PortAdded"]]], 0, [dnl
+ <signal name="PortAdded">
+ <arg name="zone" type="s"></arg>
+ <arg name="port" type="s"></arg>
+ <arg name="protocol" type="s"></arg>
+ <arg name="timeout" type="i"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removePort"]]], 0, [dnl
<method name="removePort">
<arg direction="in" name="zone" type="s"></arg>
@@ -218,6 +282,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="PortRemoved"]]], 0, [dnl
+ <signal name="PortRemoved">
+ <arg name="zone" type="s"></arg>
+ <arg name="port" type="s"></arg>
+ <arg name="protocol" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryPort"]]], 0, [dnl
<method name="queryPort">
<arg direction="in" name="zone" type="s"></arg>
@@ -245,6 +316,14 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourcePortAdded"]]], 0, [dnl
+ <signal name="SourcePortAdded">
+ <arg name="zone" type="s"></arg>
+ <arg name="port" type="s"></arg>
+ <arg name="protocol" type="s"></arg>
+ <arg name="timeout" type="i"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeSourcePort"]]], 0, [dnl
<method name="removeSourcePort">
<arg direction="in" name="zone" type="s"></arg>
@@ -253,6 +332,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="SourcePortRemoved"]]], 0, [dnl
+ <signal name="SourcePortRemoved">
+ <arg name="zone" type="s"></arg>
+ <arg name="port" type="s"></arg>
+ <arg name="protocol" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="querySourcePort"]]], 0, [dnl
<method name="querySourcePort">
<arg direction="in" name="zone" type="s"></arg>
@@ -282,6 +368,16 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ForwardPortAdded"]]], 0, [dnl
+ <signal name="ForwardPortAdded">
+ <arg name="zone" type="s"></arg>
+ <arg name="port" type="s"></arg>
+ <arg name="protocol" type="s"></arg>
+ <arg name="toport" type="s"></arg>
+ <arg name="toaddr" type="s"></arg>
+ <arg name="timeout" type="i"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeForwardPort"]]], 0, [dnl
<method name="removeForwardPort">
<arg direction="in" name="zone" type="s"></arg>
@@ -292,6 +388,15 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="ForwardPortRemoved"]]], 0, [dnl
+ <signal name="ForwardPortRemoved">
+ <arg name="zone" type="s"></arg>
+ <arg name="port" type="s"></arg>
+ <arg name="protocol" type="s"></arg>
+ <arg name="toport" type="s"></arg>
+ <arg name="toaddr" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryForwardPort"]]], 0, [dnl
<method name="queryForwardPort">
<arg direction="in" name="zone" type="s"></arg>
@@ -319,12 +424,23 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="MasqueradeAdded"]]], 0, [dnl
+ <signal name="MasqueradeAdded">
+ <arg name="zone" type="s"></arg>
+ <arg name="timeout" type="i"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeMasquerade"]]], 0, [dnl
<method name="removeMasquerade">
<arg direction="in" name="zone" type="s"></arg>
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="MasqueradeRemoved"]]], 0, [dnl
+ <signal name="MasqueradeRemoved">
+ <arg name="zone" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryMasquerade"]]], 0, [dnl
<method name="queryMasquerade">
<arg direction="in" name="zone" type="s"></arg>
@@ -341,6 +457,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockAdded"]]], 0, [dnl
+ <signal name="IcmpBlockAdded">
+ <arg name="zone" type="s"></arg>
+ <arg name="icmp" type="s"></arg>
+ <arg name="timeout" type="i"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeIcmpBlock"]]], 0, [dnl
<method name="removeIcmpBlock">
<arg direction="in" name="zone" type="s"></arg>
@@ -348,6 +471,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockRemoved"]]], 0, [dnl
+ <signal name="IcmpBlockRemoved">
+ <arg name="zone" type="s"></arg>
+ <arg name="icmp" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryIcmpBlock"]]], 0, [dnl
<method name="queryIcmpBlock">
<arg direction="in" name="zone" type="s"></arg>
@@ -369,12 +498,22 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockInversionAdded"]]], 0, [dnl
+ <signal name="IcmpBlockInversionAdded">
+ <arg name="zone" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeIcmpBlockInversion"]]], 0, [dnl
<method name="removeIcmpBlockInversion">
<arg direction="in" name="zone" type="s"></arg>
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="IcmpBlockInversionRemoved"]]], 0, [dnl
+ <signal name="IcmpBlockInversionRemoved">
+ <arg name="zone" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryIcmpBlockInversion"]]], 0, [dnl
<method name="queryIcmpBlockInversion">
<arg direction="in" name="zone" type="s"></arg>
@@ -391,6 +530,13 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="RichRuleAdded"]]], 0, [dnl
+ <signal name="RichRuleAdded">
+ <arg name="zone" type="s"></arg>
+ <arg name="rule" type="s"></arg>
+ <arg name="timeout" type="i"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="removeRichRule"]]], 0, [dnl
<method name="removeRichRule">
<arg direction="in" name="zone" type="s"></arg>
@@ -398,6 +544,12 @@ DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//me
<arg direction="out" type="s"></arg>
</method>
])
+DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//signal[@name="RichRuleRemoved"]]], 0, [dnl
+ <signal name="RichRuleRemoved">
+ <arg name="zone" type="s"></arg>
+ <arg name="rule" type="s"></arg>
+ </signal>
+])
DBUS_INTROSPECT([], [[//interface[@name="org.fedoraproject.FirewallD1.zone"]//method[@name="queryRichRule"]]], 0, [dnl
<method name="queryRichRule">
<arg direction="in" name="zone" type="s"></arg>
--
2.27.0


@ -0,0 +1,35 @@
From 633f2335b9305514b36b50455063070c4888be61 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 10 Feb 2021 16:35:12 -0500
Subject: [PATCH 17/22] fix(dbus): properties: IPv4 and IPv6 should be true if
using nftables
(cherry picked from commit 85feb6cf091d4e03c1175770a7cacb9d994f1126)
(cherry picked from commit 94cc358fe90f4926e588f568edec9fd4efe49370)
---
src/firewall/server/firewalld.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
index 895e9635d1aa..f74e6e6ae6ff 100644
--- a/src/firewall/server/firewalld.py
+++ b/src/firewall/server/firewalld.py
@@ -158,13 +158,13 @@ class FirewallD(slip.dbus.service.Object):
return dbus.String(self.fw.get_state())
elif prop == "IPv4":
- return dbus.Boolean(self.fw.ip4tables_enabled)
+ return dbus.Boolean(self.fw.is_ipv_enabled("ipv4"))
elif prop == "IPv4ICMPTypes":
return dbus.Array(self.fw.ipv4_supported_icmp_types, "s")
elif prop == "IPv6":
- return dbus.Boolean(self.fw.ip6tables_enabled)
+ return dbus.Boolean(self.fw.is_ipv_enabled("ipv6"))
elif prop == "IPv6_rpfilter":
return dbus.Boolean(self.fw.ipv6_rpfilter_enabled)
--
2.27.0
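Review bot: The new `IPv4`/`IPv6` branches of the property getter change what those D-Bus properties mean, yet nothing in the patch pins the new value: the diffstat lists only src/firewall/server/firewalld.py and no test reads the properties under the nftables backend. A DBUS_CHECK-style assertion on the org.fedoraproject.FirewallD1 `IPv4` and `IPv6` properties, alongside the introspection tests this import adds elsewhere, would catch a regression if `is_ipv_enabled` changes. `is_ipv_enabled` is not visible here, so I am assuming it reports per-family backend support rather than the iptables-binary presence the old `ip4tables_enabled`/`ip6tables_enabled` flags implied; a one-line comment such as `# report per-family support of the active backend, not iptables binary presence` above the two `return` lines would make that intent explicit for clients that used the old meaning. The enclosing property getter begins outside the hunk.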


@ -1,26 +0,0 @@
From 9bdee2d94d0fadde8c40d7742176089bed602213 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 24 Apr 2020 13:50:10 -0400
Subject: [PATCH 17/45] test(dbus): zone: fix zone runtime functional test
title
Fixes: b1e7a3843f7c ("test(dbus): zone: verify runtime config APIs")
(cherry picked from commit 72191394919d1d69a40e258227dbbc3ee3e0285e)
(cherry picked from commit d0713c7b04ac430adb4855078e91fa62b2c79486)
---
src/tests/dbus/zone_runtime_functional.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at
index f48d97897cd9..bb0798abe7da 100644
--- a/src/tests/dbus/zone_runtime_functional.at
+++ b/src/tests/dbus/zone_runtime_functional.at
@@ -1,4 +1,4 @@
-FWD_START_TEST([dbus api - zone permanent functional])
+FWD_START_TEST([dbus api - zone runtime functional])
AT_KEYWORDS(dbus zone gh586)
dnl ####################
--
2.27.0


@ -1,55 +0,0 @@
From 6112ab6a515ac5813e8b4027976a6dc651647f07 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 16 Apr 2020 15:40:49 -0400
Subject: [PATCH 18/45] fix(doc): dbus: signatures for zone tuple based APIs
Fixes: 26e23b8cd945 ("firewall.core.io.zone: New icmp block inversion flag")
(cherry picked from commit 7fbc6f6204a342f5ae92f10923093d2381c9b0ac)
(cherry picked from commit 13edc3137fc3b9ed36207009621dda437a8f87df)
---
doc/xml/firewalld.dbus.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 77ad77c01675..1625b9d50576 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -274,7 +274,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.Methods.getZoneSettings">
- <term><methodname>getZoneSettings</methodname>(s: <parameter>zone</parameter>) &rarr; (sssbsasa(ss)asba(ssss)asasasasa(ss))</term>
+ <term><methodname>getZoneSettings</methodname>(s: <parameter>zone</parameter>) &rarr; (sssbsasa(ss)asba(ssss)asasasasa(ss)b)</term>
<listitem>
<para>
Return runtime settings of given <replaceable>zone</replaceable>.
@@ -2338,7 +2338,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Methods.addZone">
- <term><methodname>addZone</methodname>(s: zone, (sssbsasa(ss)asba(ssss)asasasasa(ss)): settings) &rarr; o</term>
+ <term><methodname>addZone</methodname>(s: zone, (sssbsasa(ss)asba(ssss)asasasasa(ss)b): settings) &rarr; o</term>
<listitem>
<para>
Add <replaceable>zone</replaceable> with given <replaceable>settings</replaceable> into permanent configuration.
@@ -3810,7 +3810,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.zone.Methods.getSettings">
- <term><methodname>getSettings</methodname>() &rarr; (sssbsasa(ss)asba(ssss)asasasasa(ss))</term>
+ <term><methodname>getSettings</methodname>() &rarr; (sssbsasa(ss)asba(ssss)asasasasa(ss)b)</term>
<listitem>
<para>
Return permanent settings of given <replaceable>zone</replaceable>.
@@ -4309,7 +4309,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.zone.Methods.update">
- <term><methodname>update</methodname>((sssbsasa(ss)asba(ssss)asasasasa(ss)): settings) &rarr; Nothing</term>
+ <term><methodname>update</methodname>((sssbsasa(ss)asba(ssss)asasasasa(ss)b): settings) &rarr; Nothing</term>
<listitem>
<para>
Update settings of zone to <replaceable>settings</replaceable>.
--
2.27.0


@ -0,0 +1,52 @@
From 04b9b7138e4af55f56a82f0b3727b0e70de3a5a0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 11 Feb 2021 15:10:04 -0500
Subject: [PATCH 18/22] test(ipset): add missing CHECK_IPSET
(cherry picked from commit 61a2f56e889f5a370e28bf98f8dcf2e864a01283)
(cherry picked from commit 95f18c89e22271ec437377f8fed753997f5828aa)
---
src/tests/regression/gh567.at | 1 +
src/tests/regression/rhbz1779835.at | 10 +++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/tests/regression/gh567.at b/src/tests/regression/gh567.at
index 03c3bde4a0fe..7faa9a5b0291 100644
--- a/src/tests/regression/gh567.at
+++ b/src/tests/regression/gh567.at
@@ -1,5 +1,6 @@
FWD_START_TEST([rich rule source w/ mark action])
AT_KEYWORDS(gh567 rich ipset)
+CHECK_IPSET
FWD_CHECK([-q --permanent --new-ipset=Teste --type=hash:net])
FWD_CHECK([-q --permanent --add-rich-rule "rule family=ipv4 source ipset=Teste mark set=2"])
diff --git a/src/tests/regression/rhbz1779835.at b/src/tests/regression/rhbz1779835.at
index 8de5c0353b6e..1c6738bce468 100644
--- a/src/tests/regression/rhbz1779835.at
+++ b/src/tests/regression/rhbz1779835.at
@@ -1,5 +1,6 @@
FWD_START_TEST([ipv6 address with brackets])
-AT_KEYWORDS(rhbz1779835 ipset zone forward_port rich)
+AT_KEYWORDS(rhbz1779835 ipset)
+CHECK_IPSET
IF_HOST_SUPPORTS_IPV6_RULES([], [AT_SKIP_IF([:])])
@@ -10,6 +11,13 @@ FWD_CHECK([-q --permanent --new-ipset=foobar2 --type=hash:net --family=inet6])
FWD_CHECK([[-q --permanent --ipset foobar2 --add-entry='[1234::]/64']])
FWD_RELOAD
+FWD_END_TEST
+
+FWD_START_TEST([ipv6 address with brackets])
+AT_KEYWORDS(rhbz1779835 zone forward_port rich)
+
+IF_HOST_SUPPORTS_IPV6_RULES([], [AT_SKIP_IF([:])])
+
dnl zone source
FWD_CHECK([[-q --zone internal --add-source='[::1234]']])
FWD_CHECK([[-q --zone internal --add-source='[1234::]/64']])
--
2.27.0
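Review bot: Both tests in rhbz1779835.at now carry the identical title `[ipv6 address with brackets]` (the original at the top of the second hunk and the new one opened with `+FWD_START_TEST`), so a failure report cannot tell them apart. Give the second one a distinguishing title, e.g. `FWD_START_TEST([ipv6 address with brackets (zone, forward_port, rich)])`, and mirror that in its AT_KEYWORDS if you rely on keyword filtering. The split itself reads correctly: CHECK_IPSET now gates only the ipset half and both halves keep the IPv6 skip.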


@ -1,29 +0,0 @@
From cc9d8ac3501b1dc64d6b48990792a06637d69314 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 17 Apr 2020 14:45:16 -0400
Subject: [PATCH 19/45] fix(config): bool values in dict based import/export
Always export bool values.
(cherry picked from commit ae4b9b44ed8e9e62f47846f7032c19b559e3d7ad)
(cherry picked from commit 88016dc40ba2e119fe04e54724fb432404d7e8c1)
---
src/firewall/core/io/service.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py
index cf343fe0ce93..0387b6c798b0 100644
--- a/src/firewall/core/io/service.py
+++ b/src/firewall/core/io/service.py
@@ -96,7 +96,7 @@ class Service(IO_Object):
conf = {}
type_formats = dict([(x[0], x[1]) for x in self.IMPORT_EXPORT_STRUCTURE])
for key in type_formats:
- if getattr(self, key):
+ if getattr(self, key) or isinstance(getattr(self, key), bool):
conf[key] = copy.deepcopy(getattr(self, key))
return conf
--
2.27.0


@ -0,0 +1,48 @@
From 0ada4672b42c426de1ffc7f3ae2416629225369f Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 15 Feb 2021 09:53:02 -0500
Subject: [PATCH 19/22] fix(fw): when checking tables make sure to check the
actual backend
Calling get_backend_by_ipv() will return nftables if we're using
nftables backend, but we really need to check if iptables, et al. are
available.
(cherry picked from commit 48d97fb40929afbc1b0bc82759ad75b1937f6e3f)
(cherry picked from commit fba59a99735ec46d787141350564137abfec0c87)
---
src/firewall/core/fw.py | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 15284a4929e9..3eb54e37ab5c 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -131,18 +131,18 @@ class Firewall(object):
def _check_tables(self):
# check if iptables, ip6tables and ebtables are usable, else disable
if self.ip4tables_enabled and \
- "filter" not in self.get_backend_by_ipv("ipv4").get_available_tables():
- log.warning("iptables not usable, disabling IPv4 firewall.")
+ "filter" not in self.ip4tables_backend.get_available_tables():
+ log.info1("iptables is not usable.")
self.ip4tables_enabled = False
if self.ip6tables_enabled and \
- "filter" not in self.get_backend_by_ipv("ipv6").get_available_tables():
- log.warning("ip6tables not usable, disabling IPv6 firewall.")
+ "filter" not in self.ip6tables_backend.get_available_tables():
+ log.info1("ip6tables is not usable.")
self.ip6tables_enabled = False
if self.ebtables_enabled and \
- "filter" not in self.get_backend_by_ipv("eb").get_available_tables():
- log.warning("ebtables not usable, disabling ethernet bridge firewall.")
+ "filter" not in self.ebtables_backend.get_available_tables():
+ log.info1("ebtables is not usable.")
self.ebtables_enabled = False
# is there at least support for ipv4 or ipv6
--
2.27.0
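Review bot: The switch from `log.warning(...)` to `log.info1(...)` on all three checks is not covered by the commit message, which only explains the backend lookup, and the new messages drop the consequence the old ones stated (that the backend in question is being disabled). Either keep the consequence in the text, e.g. `log.info1("iptables is not usable; disabling the iptables (IPv4) backend.")` and likewise for ip6tables and ebtables, or add a comment at the top of `_check_tables` recording why this is now informational — presumably because with nftables as the default backend a missing legacy tool is expected rather than a misconfiguration. `_check_tables` continues past the hunk.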


@ -1,39 +0,0 @@
From 8d48dfee165ad41ed2d235dc3772c5b588a75521 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 4 May 2020 10:48:10 -0400
Subject: [PATCH 20/45] fix(dbus): service: don't cleanup config for old set
APIs
This avoids them from unknowingly wiping away config that the old APIs
are unaware of.
Fixes: 335a68c1bba5 ("fix: dbus: fix service API break")
(cherry picked from commit 11bd8742158b2b3c9b0412a9ca1cb9ada7fd6fd7)
(cherry picked from commit faa5822d8073336bed29e12b7cc73bedfa4811b7)
---
src/firewall/core/fw_config.py | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/firewall/core/fw_config.py b/src/firewall/core/fw_config.py
index 8f29f0c416d2..35f623f2c8f1 100644
--- a/src/firewall/core/fw_config.py
+++ b/src/firewall/core/fw_config.py
@@ -566,7 +566,6 @@ class FirewallConfig(object):
if obj.builtin:
x = copy.copy(obj)
- x.cleanup()
x.import_config(conf_dict)
x.path = config.ETC_FIREWALLD_SERVICES
x.builtin = False
@@ -576,7 +575,6 @@ class FirewallConfig(object):
service_writer(x)
return x
else:
- obj.cleanup()
obj.import_config(conf_dict)
service_writer(obj)
return obj
--
2.27.0


@ -0,0 +1,118 @@
From 12b83f9c9381e60496a63082343512e62b03de5f Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 22 Feb 2021 15:11:21 -0500
Subject: [PATCH 20/22] fix(ipset): nftables: use interval flag for "ip" types
This is to be compatible with ipset. ipset allows adding to a non-mask
type, e.g. "ip", by using a mask. ipset translates this into many
entries. Support it in nftables simply by using intervals.
(cherry picked from commit faaf3ac649a347f0bccae800fd0e4daeebbd1539)
(cherry picked from commit c9d1c88e91c84561af0dbfb5999f722a3b6bb397)
---
src/firewall/core/nftables.py | 2 +-
src/tests/cli/firewall-cmd.at | 1 +
src/tests/regression/gh330.at | 6 ++++++
src/tests/regression/rhbz1734765.at | 2 ++
4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index ff077aded340..e6907421e111 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1767,7 +1767,7 @@ class nftables(object):
# Some types need the interval flag
for t in type.split(":")[1].split(","):
- if t in ["net", "port"]:
+ if t in ["ip", "net", "port"]:
set_dict["flags"] = ["interval"]
break
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 67af8a19c072..450737776a9f 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -974,6 +974,7 @@ FWD_START_TEST([ipset])
table inet firewalld {
set foobar {
type ipv4_addr . mark
+ flags interval
elements = { 10.10.10.10 . 0x00000100,
20.20.20.20 . 0x00000200 }
}
diff --git a/src/tests/regression/gh330.at b/src/tests/regression/gh330.at
index fd8d2f8d2dd8..0564501aa18d 100644
--- a/src/tests/regression/gh330.at
+++ b/src/tests/regression/gh330.at
@@ -17,6 +17,7 @@ NFT_LIST_SET([foobar], 0, [dnl
table inet firewalld {
set foobar {
type ipv4_addr
+ flags interval
elements = { 1.2.3.4 }
}
}
@@ -43,6 +44,7 @@ NFT_LIST_SET([foobar], 0, [dnl
table inet firewalld {
set foobar {
type ipv4_addr
+ flags interval
elements = { 1.2.3.4, 10.10.10.10 }
}
}
@@ -60,6 +62,7 @@ NFT_LIST_SET([foobar], 0, [dnl
table inet firewalld {
set foobar {
type ipv4_addr
+ flags interval
elements = { 1.2.3.4, 10.10.10.10 }
}
}
@@ -80,6 +83,7 @@ NFT_LIST_SET([foobar], 0, [dnl
table inet firewalld {
set foobar {
type ipv4_addr
+ flags interval
elements = { 1.2.3.4, 4.3.2.1,
10.10.10.10 }
}
@@ -104,6 +108,7 @@ NFT_LIST_SET([foobar], 0, [dnl
table inet firewalld {
set foobar {
type ipv4_addr
+ flags interval
elements = { 1.2.3.4, 4.3.2.1,
6.6.6.6, 10.10.10.10 }
}
@@ -129,6 +134,7 @@ NFT_LIST_SET([foobar], 0, [dnl
table inet firewalld {
set foobar {
type ipv4_addr
+ flags interval
elements = { 1.2.3.4 }
}
}
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
index b9f6aa5d49a1..b5023a058a55 100644
--- a/src/tests/regression/rhbz1734765.at
+++ b/src/tests/regression/rhbz1734765.at
@@ -47,6 +47,7 @@ NFT_LIST_SET([ipsetv4], 0, [dnl
table inet firewalld {
set ipsetv4 {
type ipv4_addr
+ flags interval
elements = { 192.0.2.12 }
}
}
@@ -55,6 +56,7 @@ NFT_LIST_SET([ipsetv6], 0, [dnl
table inet firewalld {
set ipsetv6 {
type ipv6_addr
+ flags interval
elements = { ::2 }
}
}
--
2.27.0
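Review bot: The comment `# Some types need the interval flag` above the changed list no longer tells a reader why a plain address type is treated as an interval; the reason in the commit message belongs next to the code. Suggest replacing it with `# "net" and "port" are ranges by nature; "ip" is included so a masked entry on a hash:ip set (which ipset accepts and expands to the whole range) becomes one nftables interval instead of an error`. Worth a second line: with `flags interval` nftables rejects overlapping elements, which is the behaviour the exit-13 expectations in the companion ipset_netmask_allowed.at test rely on. The enclosing method starts outside the hunk.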


@ -1,33 +0,0 @@
From b33d40f277444f0af0f780b68389af4098ab639b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 6 Jan 2020 15:38:28 -0500
Subject: [PATCH 21/45] test(gh509): only run test for nftables backend
The test wipes the config and therefore restarts with defaults (e.g.
the nftables backend). Some hosts under test may not have nftables
available so the test will fail. Only use the test if FIREWALL_BACKEND
is nftables.
(cherry picked from commit 61140a7ed9d6b26cd030d366eb7c9111a3ad45df)
(cherry picked from commit 4d3907862535298e6f8b6bc566bdce10a86647bc)
---
src/tests/regression/gh509.at | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tests/regression/gh509.at b/src/tests/regression/gh509.at
index 00cc51c9c51f..1c151066c2bb 100644
--- a/src/tests/regression/gh509.at
+++ b/src/tests/regression/gh509.at
@@ -1,3 +1,4 @@
+m4_if(nftables, FIREWALL_BACKEND, [
FWD_START_TEST([missing firewalld.conf file])
AT_KEYWORDS(gh509)
@@ -12,3 +13,4 @@ FWD_RESTART
FWD_END_TEST([-e '/ERROR: Failed to load/d' dnl
-e '/WARNING:.*No such file or directory:.*/d' dnl
-e '/WARNING: Using fallback firewalld configuration settings/d'])
+])
--
2.27.0


@ -0,0 +1,54 @@
From 8adac165dc93d28802c645a3626a3bcf29503ace Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 15 Feb 2021 11:29:07 -0500
Subject: [PATCH 21/22] test(ipset): verify ipset netmask allowed for hash:ip
(cherry picked from commit b7718f0dfa9ce7247911ef49c62e3ef2e4208343)
(cherry picked from commit 1fd50036a51b6147f9e77d61d7e63c8a8e564756)
---
src/tests/regression/ipset_netmask_allowed.at | 23 +++++++++++++++++++
src/tests/regression/regression.at | 1 +
2 files changed, 24 insertions(+)
create mode 100644 src/tests/regression/ipset_netmask_allowed.at
diff --git a/src/tests/regression/ipset_netmask_allowed.at b/src/tests/regression/ipset_netmask_allowed.at
new file mode 100644
index 000000000000..b5165d94b220
--- /dev/null
+++ b/src/tests/regression/ipset_netmask_allowed.at
@@ -0,0 +1,23 @@
+FWD_START_TEST([ipset netmask allowed type hash:ip])
+AT_KEYWORDS(ipset reload)
+
+FWD_CHECK([--permanent --new-ipset foobar --type hash:ip], 0, [ignore])
+FWD_RELOAD
+
+dnl ipset allows specifying a mask for hash:ip, but it will translate it into
+dnl an add for the whole range. i.e. 1.2.3.4/24 --> 1.2.3.[0.255] (256
+dnl entries).
+dnl
+dnl In nftables, we allow this by using actual intervals.
+FWD_CHECK([--permanent --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore])
+FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/24], 0, [ignore])
+
+dnl check the edge case
+FWD_CHECK([--permanent --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore])
+FWD_CHECK([ --ipset foobar --add-entry 4.3.2.1/32], 0, [ignore])
+
+dnl overlaps should be denied by ipset
+FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/22], 13, [ignore], [ignore])
+FWD_CHECK([ --ipset foobar --add-entry 1.2.3.0/30], 13, [ignore], [ignore])
+
+FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:/d'])
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index a90fc37d51c6..a49bb3b756e7 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -38,3 +38,4 @@ m4_include([regression/rhbz1855140.at])
m4_include([regression/rhbz1871298.at])
m4_include([regression/rhbz1596304.at])
m4_include([regression/gh703.at])
+m4_include([regression/ipset_netmask_allowed.at])
--
2.27.0
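Review bot: The new test does not call `CHECK_IPSET` after `AT_KEYWORDS(ipset reload)`, whereas the other ipset regression tests in this series add it (gh567.at, rhbz1779835.at, rhbz1936896.at), and this test does `FWD_RELOAD`, which is the flush-set path that macro guards against on a buggy nft; add `CHECK_IPSET` as the third line. The expected status `13` on the two overlap checks is a magic number; a `dnl 13 == COMMAND_FAILED` comment would make the intent clear, and the `ERROR: COMMAND_FAILED:` filter in FWD_END_TEST shows that is the error being produced. Only runtime overlaps are exercised; a `--permanent` overlapping entry followed by a reload is not covered.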


@ -1,29 +0,0 @@
From ab514ea71dcc69abd910790822d67e2854ad54c7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 12 May 2020 09:12:46 -0400
Subject: [PATCH 22/45] test(ipv6): skip square bracket address tests if ipv6
not available
Fixes: ff9cd7a4c618 ("test: ipset: coverage for ipv6 addresses with brackets")
(cherry picked from commit fc626b34171a71f500fac31b9f2929b009993b98)
(cherry picked from commit bd98ef1f5660dc83c5179d4c6204cf62ba985122)
---
src/tests/regression/rhbz1779835.at | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tests/regression/rhbz1779835.at b/src/tests/regression/rhbz1779835.at
index 37d1afc990ab..8de5c0353b6e 100644
--- a/src/tests/regression/rhbz1779835.at
+++ b/src/tests/regression/rhbz1779835.at
@@ -1,6 +1,8 @@
FWD_START_TEST([ipv6 address with brackets])
AT_KEYWORDS(rhbz1779835 ipset zone forward_port rich)
+IF_HOST_SUPPORTS_IPV6_RULES([], [AT_SKIP_IF([:])])
+
dnl ipset
FWD_CHECK([-q --permanent --new-ipset=foobar --type=hash:ip --family=inet6])
FWD_CHECK([[-q --permanent --ipset foobar --add-entry='[1234::4321]']])
--
2.27.0


@ -0,0 +1,34 @@
From be0b7cac7e80d51cc976085f9575b0feb3f1fbe7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 19 Feb 2021 10:27:18 -0500
Subject: [PATCH 22/22] test(offline): always allow ipset tests
(cherry picked from commit 50c713a8b82be5a3499a15f825cdceb373fe3698)
(cherry picked from commit f17e1937597455257a29ae848ea51c5e089c1077)
---
src/tests/functions.at | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 8632f49e442f..54afcf14585a 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -519,6 +519,7 @@ m4_define([DBUS_SET], [
])
m4_define([CHECK_IPSET], [
+ m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
m4_if(nftables, FIREWALL_BACKEND, [
dnl If our nft binary has buggy flush set, then skip the test
NS_CHECK([nft add table inet firewalld_check_ipset])
@@ -537,6 +538,7 @@ m4_define([CHECK_IPSET], [
NS_CHECK([nft delete table inet firewalld_check_ipset])
])
+ ])
])
m4_define([CHECK_IPSET_HASH_MAC], [
--
2.27.0
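Review bot: The new `m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [` wrapper carries no comment saying why the probe is skipped offline, and the subject "always allow ipset tests" does not say it either. Add `dnl no nft probe when testing firewall-offline-cmd; it presumably never drives nft, so the buggy-flush-set check does not apply` above the wrapper. The wrapped body keeps its previous indentation, so the macro now shows two nesting levels at the same column; re-indenting the inner `m4_if(nftables, ...)` block would make the structure visible. The middle of CHECK_IPSET lies between the two hunks.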


@ -0,0 +1,167 @@
From 44dff592c200f81d74b64ba1c729ec8ec3b8612e Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 13 Apr 2021 14:35:31 -0400
Subject: [PATCH 23/30] fix(direct): rule order with multiple address with
-s/-d
Fixes: rhbz 1940928
Fixes: rhbz 1949552
(cherry picked from commit 2be50d366b9ba073e5f86edcd0b412ff48c3fed1)
(cherry picked from commit a545183d6916169cd16648707b9f876ea0833955)
---
src/firewall/core/fw_direct.py | 53 +++++++++++++++++++++++++++++-----
src/firewall/core/ipXtables.py | 32 --------------------
2 files changed, 46 insertions(+), 39 deletions(-)
diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
index e53a72e3326a..76aeda9f19cb 100644
--- a/src/firewall/core/fw_direct.py
+++ b/src/firewall/core/fw_direct.py
@@ -298,7 +298,7 @@ class FirewallDirect(object):
r.append((ipv, table, chain, priority, list(args)))
return r
- def _register_rule(self, rule_id, chain_id, priority, enable):
+ def _register_rule(self, rule_id, chain_id, priority, enable, count):
if enable:
if chain_id not in self._rules:
self._rules[chain_id] = LastUpdatedOrderedDict()
@@ -307,14 +307,14 @@ class FirewallDirect(object):
self._rule_priority_positions[chain_id] = { }
if priority in self._rule_priority_positions[chain_id]:
- self._rule_priority_positions[chain_id][priority] += 1
+ self._rule_priority_positions[chain_id][priority] += count
else:
- self._rule_priority_positions[chain_id][priority] = 1
+ self._rule_priority_positions[chain_id][priority] = count
else:
del self._rules[chain_id][rule_id]
if len(self._rules[chain_id]) == 0:
del self._rules[chain_id]
- self._rule_priority_positions[chain_id][priority] -= 1
+ self._rule_priority_positions[chain_id][priority] -= count
# DIRECT PASSTHROUGH (untracked)
@@ -376,6 +376,34 @@ class FirewallDirect(object):
r.append(list(args))
return r
+ def split_value(self, rules, opts):
+ """Split values combined with commas for options in opts"""
+
+ out_rules = [ ]
+ for rule in rules:
+ processed = False
+ for opt in opts:
+ try:
+ i = rule.index(opt)
+ except ValueError:
+ pass
+ else:
+ if len(rule) > i and "," in rule[i+1]:
+ # For all items in the comma separated list in index
+ # i of the rule, a new rule is created with a single
+ # item from this list
+ processed = True
+ items = rule[i+1].split(",")
+ for item in items:
+ _rule = rule[:]
+ _rule[i+1] = item
+ out_rules.append(_rule)
+ if not processed:
+ out_rules.append(rule)
+
+ return out_rules
+
+
def _rule(self, enable, ipv, table, chain, priority, args, transaction):
self._check_ipv_table(ipv, table)
# Do not create zone chains if we're using nftables. Only allow direct
@@ -458,6 +486,7 @@ class FirewallDirect(object):
# has index 1.
index = 1
+ count = 0
if chain_id in self._rule_priority_positions:
positions = sorted(self._rule_priority_positions[chain_id].keys())
j = 0
@@ -465,11 +494,21 @@ class FirewallDirect(object):
index += self._rule_priority_positions[chain_id][positions[j]]
j += 1
- transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, args))
+ # split the direct rule in some cases as iptables-restore can't handle
+ # compound args.
+ #
+ args_list = [list(args)]
+ args_list = self.split_value(args_list, [ "-s", "--source" ])
+ args_list = self.split_value(args_list, [ "-d", "--destination" ])
+
+ for _args in args_list:
+ transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, tuple(_args)))
+ index += 1
+ count += 1
- self._register_rule(rule_id, chain_id, priority, enable)
+ self._register_rule(rule_id, chain_id, priority, enable, count)
transaction.add_fail(self._register_rule,
- rule_id, chain_id, priority, not enable)
+ rule_id, chain_id, priority, not enable, count)
def _chain(self, add, ipv, table, chain, transaction):
self._check_ipv_table(ipv, table)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 968b75867849..818ce3f153d0 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -200,36 +200,6 @@ class ip4tables(object):
" ".join(_args), ret))
return ret
- def split_value(self, rules, opts=None):
- """Split values combined with commas for options in opts"""
-
- if opts is None:
- return rules
-
- out_rules = [ ]
- for rule in rules:
- processed = False
- for opt in opts:
- try:
- i = rule.index(opt)
- except ValueError:
- pass
- else:
- if len(rule) > i and "," in rule[i+1]:
- # For all items in the comma separated list in index
- # i of the rule, a new rule is created with a single
- # item from this list
- processed = True
- items = rule[i+1].split(",")
- for item in items:
- _rule = rule[:]
- _rule[i+1] = item
- out_rules.append(_rule)
- if not processed:
- out_rules.append(rule)
-
- return out_rules
-
def _rule_replace(self, rule, pattern, replacement):
try:
i = rule.index(pattern)
@@ -472,8 +442,6 @@ class ip4tables(object):
for table in table_rules:
rules = table_rules[table]
- rules = self.split_value(rules, [ "-s", "--source" ])
- rules = self.split_value(rules, [ "-d", "--destination" ])
temp_file.write("*%s\n" % table)
for rule in rules:
--
2.27.0
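Review bot: The guard `if len(rule) > i and "," in rule[i+1]:` in the new `split_value` never protects the `rule[i+1]` access, because `i` comes from `rule.index(opt)` and is always smaller than `len(rule)`; an option given as the last token (`-s` with no value) raises IndexError here instead of reaching the backend's own argument error — change it to `if len(rule) > i + 1 and "," in rule[i+1]:`. Separately, the split treats the list as an OR of addresses, which is not what a negated option means: `! -s a,b` becomes the two rules `! -s a` and `! -s b`, and a packet from `a` satisfies the second, so the negation is silently lost; iptables itself refuses `!` with multiple addresses as far as I know, so the helper should raise the error type this file already uses when `i > 0 and rule[i-1] == "!"` rather than split. Style-wise, `split_value` is the only helper here without a leading underscore next to `_register_rule` and `_rule`, and its docstring should state that it returns a new list of rules and leaves the input untouched. The `_rule` method continues outside the hunk.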


@ -1,34 +0,0 @@
From 4a94fcfa0450b653c579118678da409b0f449259 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 12 May 2020 09:34:12 -0400
Subject: [PATCH 23/45] fix(ipset): flush the set if IndividiualCalls=yes
Make sure we flush the set when creating. Otherwise a pre-existing set
may have stale entries.
Fixes: 81d784f8c856 ("test: ipset: verify clean up on exit/reload")
(cherry picked from commit fab381045990f1c994d60c3f7c5813c576e60af1)
(cherry picked from commit a512e55190210ecba57f0ccfda88d39ac3151d13)
---
src/firewall/core/fw_ipset.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
index 68f016ba2222..90b24c6264c0 100644
--- a/src/firewall/core/fw_ipset.py
+++ b/src/firewall/core/fw_ipset.py
@@ -117,6 +117,11 @@ class FirewallIPSet(object):
# no entries visible for ipsets with timeout
continue
+ try:
+ backend.set_flush(obj.name)
+ except Exception as msg:
+ raise FirewallError(errors.COMMAND_FAILED, msg)
+
for entry in obj.entries:
try:
backend.set_add(obj.name, entry)
--
2.27.0


@ -1,64 +0,0 @@
From 729936737ae3588d5b79c9f00760a2228586338b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 12 May 2020 08:25:07 -0400
Subject: [PATCH 24/45] test(dbus): better way to check IPv6_rpfilter expected
value
(cherry picked from commit 42e349f57a41305354871ca0c0d08fcf800a2fe3)
(cherry picked from commit a79695be7243802b49c5bdb131c231b1ef8a9350)
---
src/tests/dbus/firewalld.conf.at | 24 +++++++-----------------
1 file changed, 7 insertions(+), 17 deletions(-)
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 4eefa3286f9f..1c957957b3da 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -1,8 +1,13 @@
FWD_START_TEST([firewalld.conf])
AT_KEYWORDS(dbus)
-dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
IF_HOST_SUPPORTS_NFT_FIB([
+ EXPECTED_IPV6_RPFILTER_VALUE=yes
+], [
+ EXPECTED_IPV6_RPFILTER_VALUE=no
+])
+
+dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
DBUS_GETALL([config], [config], 0, [dnl
string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "no"
@@ -10,28 +15,13 @@ string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
string "FirewallBackend" : variant string "nftables"
string "FlushAllOnReload" : variant string "yes"
-string "IPv6_rpfilter" : variant string "yes"
-string "IndividualCalls" : variant string "no"
-string "Lockdown" : variant string "no"
-string "LogDenied" : variant string "off"
-string "MinimalMark" : variant int32 100
-string "RFC3964_IPv4" : variant string "yes"
-])], [
-DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "yes"
-string "AutomaticHelpers" : variant string "no"
-string "CleanupOnExit" : variant string "no"
-string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
-string "FlushAllOnReload" : variant string "yes"
-string "IPv6_rpfilter" : variant string "no"
+string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])
string "IndividualCalls" : variant string "no"
string "Lockdown" : variant string "no"
string "LogDenied" : variant string "off"
string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])
-])
m4_define([_helper], [
DBUS_SET([config], [config], [string:"$1" $2], 0, ignore)
--
2.27.0


@ -0,0 +1,86 @@
From ed0b0a7f967f33729e4ec7472b4229f0317fd92d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 9 Apr 2021 13:34:31 -0400
Subject: [PATCH 24/30] test(direct): verify rule order with multiple address
with -s/-d
Coverage: rhbz 1940928
Coverage: rhbz 1949552
(cherry picked from commit 80c30dacc066af4d6d71d298b5e47625ecee5bdf)
(cherry picked from commit c1262441db90108eb8044053ae1b93f66f0c2839)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1940928.at | 52 +++++++++++++++++++++++++++++
2 files changed, 53 insertions(+)
create mode 100644 src/tests/regression/rhbz1940928.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index a49bb3b756e7..8156ee608189 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -39,3 +39,4 @@ m4_include([regression/rhbz1871298.at])
m4_include([regression/rhbz1596304.at])
m4_include([regression/gh703.at])
m4_include([regression/ipset_netmask_allowed.at])
+m4_include([regression/rhbz1940928.at])
diff --git a/src/tests/regression/rhbz1940928.at b/src/tests/regression/rhbz1940928.at
new file mode 100644
index 000000000000..0a4367080b5e
--- /dev/null
+++ b/src/tests/regression/rhbz1940928.at
@@ -0,0 +1,52 @@
+FWD_START_TEST([direct -s/-d multiple addresses])
+AT_KEYWORDS(direct rhbz1940928 rhbz1949552)
+CHECK_IPTABLES
+
+dnl test triggers a limitation in iptables-restore
+dnl
+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=no/' ./firewalld.conf])
+FWD_RELOAD
+
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
+ ACCEPT tcp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT tcp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/24
+ ACCEPT udp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT udp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT udp -- 0.0.0.0/0 192.168.0.0/24
+ DROP all -- 0.0.0.0/0 0.0.0.0/0
+])
+
+FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
+ ACCEPT sctp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT sctp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT sctp -- 0.0.0.0/0 192.168.0.0/24
+ ACCEPT tcp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT tcp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/24
+ ACCEPT udp -- 0.0.0.0/0 10.0.0.0/8
+ ACCEPT udp -- 0.0.0.0/0 172.16.0.0/16
+ ACCEPT udp -- 0.0.0.0/0 192.168.0.0/24
+ DROP all -- 0.0.0.0/0 0.0.0.0/0
+])
+
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
+FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
+
+
+IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
+])
+
+FWD_END_TEST
--
2.27.0
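Review bot: The test only exercises comma lists on `-d`, although the fix it covers applies `split_value` to `-s` and then `-d` in sequence, so a rule carrying both (`-s a,b -d c,d`), which yields the cross product and the largest `count`, is the case most worth pinning; add one rule with a list on `-s` and one with both options and extend the expected listings accordingly. The chain expression `m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])` is repeated three times; a local `m4_define` at the top of the test would keep the three listings in step. The `sed -i` forcing `IndividualCalls=no` deserves the reason in its comment, e.g. `dnl force iptables-restore (the path that cannot take compound -s/-d args)`.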


@ -0,0 +1,31 @@
From 44442eace5a5a4330fb40d47cd9fb3c561d38c56 Mon Sep 17 00:00:00 2001
From: Fabrizio D'Angelo <fdangelo@redhat.com>
Date: Mon, 12 Apr 2021 13:56:00 -0400
Subject: [PATCH 25/30] fix(ipset): fix hash:net,net functionality
Fixes: rhbz 1936896
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
(cherry picked from commit 36f3d50d729d3329ce99653d8227e3f52a02a43f)
(cherry picked from commit 3ea4779dc4a957f9c0eb795ab0b00e67d653b772)
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index e6907421e111..e3ae988bbdab 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1742,8 +1742,8 @@ class nftables(object):
"hash:ip,mark" : [ipv_addr[ipv], "mark"],
"hash:net" : ipv_addr[ipv],
+ "hash:net,net" : [ipv_addr[ipv], ipv_addr[ipv]],
"hash:net,port" : [ipv_addr[ipv], "inet_proto", "inet_service"],
- "hash:net,port,ip" : [ipv_addr[ipv], "inet_proto", "inet_service", ipv_addr[ipv]],
"hash:net,port,net" : [ipv_addr[ipv], "inet_proto", "inet_service", ipv_addr[ipv]],
"hash:net,iface" : [ipv_addr[ipv], "ifname"],
--
2.27.0
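Review bot: The hunk also deletes the `"hash:net,port,ip"` entry, which neither the subject nor the body of the commit mentions; as far as I know ipset has no such type (its three-part types are `hash:ip,port,ip`, `hash:ip,port,net` and `hash:net,port,net`), so the removal looks right but deserves a sentence in the commit message. A `# keys are the ipset(8) set type names; values are the matching nftables element types` comment on the dictionary would help whoever next checks this table against ipset. The enclosing method starts outside the hunk.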


@ -1,47 +0,0 @@
From 571c32c466f0516d0543926828ce49b004ce584f Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 11 May 2020 17:19:12 -0400
Subject: [PATCH 25/45] test(functions): add macro
IF_HOST_SUPPORTS_NFT_RULE_INDEX
(cherry picked from commit 735eb589b2a18129b2b8a9d4dfe8b9375757619a)
(cherry picked from commit cda25d11a9e333ee5cdd9d7e084e7075cb1550bb)
---
src/tests/functions.at | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 8f5ceba4d3f2..f83720595d2f 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -598,3 +598,27 @@ m4_define([NMCLI_CHECK], [
NS_CHECK([PIPESTATUS0([nmcli $1], [TRIM_WHITESPACE])],
[$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6])
])
+
+m4_define([IF_HOST_SUPPORTS_NFT_RULE_INDEX], [
+ m4_if(nftables, FIREWALL_BACKEND, [
+ AT_DATA([./nft_rule_index.nft], [
+ add table inet firewalld_check_rule_index
+ add chain inet firewalld_check_rule_index foobar { type filter hook input priority 0 ; }
+ add rule inet firewalld_check_rule_index foobar tcp dport 1234 accept
+ add rule inet firewalld_check_rule_index foobar accept
+ insert rule inet firewalld_check_rule_index foobar index 1 udp dport 4321 accept
+])
+ NS_CHECK([nft -f ./nft_rule_index.nft])
+
+ if test "$( NS_CMD([nft list chain inet firewalld_check_rule_index foobar | head -n 5 |tail -n 1 | TRIM_WHITESPACE]) )" = "udp dport 4321 accept"; then
+ :
+ $1
+ else
+ :
+ $2
+ fi
+
+ NS_CHECK([rm ./nft_rule_index.nft])
+ NS_CHECK([nft delete table inet firewalld_check_rule_index])
+ ], [$1])
+])
--
2.27.0


@ -1,57 +0,0 @@
From 5e35e5d183773984bc69ff035e7f0c69cc99b282 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 11 May 2020 17:22:39 -0400
Subject: [PATCH 26/45] test(functions): use IndividualCalls if host doesn't
support nft rule index
(cherry picked from commit 5418d89006665e90f7f742bbdc9a551d9d9a1ca7)
(cherry picked from commit 4224d86814ac6aa80fbc58c2b6f8e53a89adcaba)
---
src/tests/dbus/firewalld.conf.at | 8 +++++++-
src/tests/functions.at | 4 ++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 1c957957b3da..14d87767a267 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -7,6 +7,12 @@ IF_HOST_SUPPORTS_NFT_FIB([
EXPECTED_IPV6_RPFILTER_VALUE=no
])
+IF_HOST_SUPPORTS_NFT_RULE_INDEX([
+ EXPECTED_INDIVIDUAL_CALLS_VALUE=no
+], [
+ EXPECTED_INDIVIDUAL_CALLS_VALUE=yes
+])
+
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
DBUS_GETALL([config], [config], 0, [dnl
string "AllowZoneDrifting" : variant string "yes"
@@ -16,7 +22,7 @@ string "DefaultZone" : variant string "public"
string "FirewallBackend" : variant string "nftables"
string "FlushAllOnReload" : variant string "yes"
string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])
-string "IndividualCalls" : variant string "no"
+string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"])
string "Lockdown" : variant string "no"
string "LogDenied" : variant string "off"
string "MinimalMark" : variant int32 100
diff --git a/src/tests/functions.at b/src/tests/functions.at
index f83720595d2f..1cde4997f920 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -221,6 +221,10 @@ m4_define([FWD_START_TEST], [
fi
echo "kill $DBUS_PID" >> ./cleanup_late
+ IF_HOST_SUPPORTS_NFT_RULE_INDEX([], [
+ AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf])
+ ])
+
FWD_START_FIREWALLD
])
])
--
2.27.0


@ -0,0 +1,64 @@
From 6d19a0bdb26f0eeb08dfdd9957c184e90db8766e Mon Sep 17 00:00:00 2001
From: Fabrizio D'Angelo <fdangelo@redhat.com>
Date: Mon, 12 Apr 2021 14:05:36 -0400
Subject: [PATCH 26/30] test(ipset): add test to verify hash:net,net
Signed-off-by: Fabrizio D'Angelo <fdangelo@redhat.com>
(cherry picked from commit f3bd1297f656217031957eee7cfb4b3ee5ef42f2)
(cherry picked from commit 690ad9abf26f8ec3486704553d891d7d2ce11a80)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1936896.at | 32 +++++++++++++++++++++++++++++
2 files changed, 33 insertions(+)
create mode 100644 src/tests/regression/rhbz1936896.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 8156ee608189..2a5ad9ef995a 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -40,3 +40,4 @@ m4_include([regression/rhbz1596304.at])
m4_include([regression/gh703.at])
m4_include([regression/ipset_netmask_allowed.at])
m4_include([regression/rhbz1940928.at])
+m4_include([regression/rhbz1936896.at])
diff --git a/src/tests/regression/rhbz1936896.at b/src/tests/regression/rhbz1936896.at
new file mode 100644
index 000000000000..911db0bc448d
--- /dev/null
+++ b/src/tests/regression/rhbz1936896.at
@@ -0,0 +1,32 @@
+FWD_START_TEST([ipset type hash:net,net])
+AT_KEYWORDS(rhbz1936896)
+CHECK_IPSET
+
+FWD_CHECK([-q --permanent --new-ipset testset --type hash:net,net])
+FWD_CHECK([--permanent --ipset=testset --add-entry=192.168.0.0/24,10.0.1.0/24], 0, ignore)
+FWD_RELOAD
+FWD_CHECK([--permanent --info-ipset=testset | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ testset
+ type: hash:net,net
+ options:
+ entries: 192.168.0.0/24,10.0.1.0/24
+])])
+
+IPSET_LIST_SET([testset], 0, [dnl
+ Name: testset
+ Type: hash:net,net
+ Members:
+ 192.168.0.0/24,10.0.1.0/24
+])
+
+NFT_LIST_SET([testset], 0, [dnl
+ table inet firewalld {
+ set testset {
+ type ipv4_addr . ipv4_addr
+ flags interval
+ elements = { 192.168.0.0/24 . 10.0.1.0/24 }
+ }
+ }
+])
+
+FWD_END_TEST
--
2.27.0


@ -0,0 +1,45 @@
From 1cbe39d4260c633da4b7110d6e2e7722b8454af4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 27 Apr 2021 08:56:13 -0400
Subject: [PATCH 27/30] fix(nm): reload: only consider NM connections with a
real interface
Where real interface means linux interface capable of having an IP
address and does not exceed IFNAMSIZ.
Fixes: rhbz 1928860
(cherry picked from commit f18f1cc96503fbc5d42f30ecdc6f0da4c56aac4d)
(cherry picked from commit 7e9c4a5072ee3fd1aaf4162ef6ef1bf84b8a82eb)
---
src/firewall/core/fw_nm.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
index 37282a1a7711..0e38dd47e927 100644
--- a/src/firewall/core/fw_nm.py
+++ b/src/firewall/core/fw_nm.py
@@ -141,7 +141,9 @@ def nm_get_connections(connections, connections_name):
connections_name[uuid] = name
for dev in devices:
- connections[dev.get_iface()] = uuid
+ ip_iface = dev.get_ip_iface()
+ if ip_iface:
+ connections[ip_iface] = uuid
def nm_get_interfaces():
"""Get active interfaces from NM
@@ -169,7 +171,9 @@ def nm_get_interfaces():
continue
for dev in active_con.get_devices():
- active_interfaces.append(dev.get_iface())
+ ip_iface = dev.get_ip_iface()
+ if ip_iface:
+ active_interfaces.append(ip_iface)
return active_interfaces
--
2.27.0
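Review bot: The commit message promises that only devices whose interface name "does not exceed IFNAMSIZ" are kept, but the new code in nm_get_connections() and nm_get_interfaces() only tests that get_ip_iface() returned a truthy value; no length check is visible, so that bound rests entirely on NetworkManager's behaviour. A comment at each call site would record the dependency, e.g. `# get_ip_iface() is None for devices with no IP-capable kernel interface (e.g. an OVS port/bridge); anything returned here is assumed to be a real, IFNAMSIZ-bounded name`. If firewalld should not rely on NM for that, tighten the guard to `if ip_iface and len(ip_iface) < 16:` (IFNAMSIZ is 16 including the terminating NUL). nm_get_connections() begins before the hunk and nm_get_interfaces() continues past it.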


@ -1,57 +0,0 @@
From 4c90b4a07d2b3f935f5ea8b4607a77f12b66d855 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 10 Dec 2019 10:34:16 -0500
Subject: [PATCH 27/45] test(check-container): add support for centos8 stream
(cherry picked from commit 47be9c516344243750b68d570c69e7a5c4022805)
(cherry picked from commit fdf7eb8c8d7b82e68c6488e4755568fd0a5442a1)
---
src/tests/Makefile.am | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 6be678146b99..b7556b30ecc8 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -48,7 +48,7 @@ $(TESTSUITE) $(TESTSUITE_INTEGRATION): $(TESTSUITE_FILES) $(srcdir)/package.m4
$(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at
mv $@.tmp $@
-CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide
+CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide check-container-centos8-stream
check-container-debian-sid-image: check-container-%-image:
(cd $(abs_top_srcdir) && { \
@@ -76,11 +76,28 @@ check-container-fedora-rawhide-image: check-container-%-image:
echo "COPY . /tmp/firewalld"; \
} | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
+check-container-centos8-stream-image: check-container-%-image:
+ (cd $(abs_top_srcdir) && { \
+ echo "FROM centos:8" && \
+ echo "RUN dnf -y makecache" && \
+ echo "RUN dnf -y install centos-release-stream" && \
+ echo "RUN dnf -y install autoconf automake conntrack-tools desktop-file-utils \
+ docbook-style-xsl file gettext glib2-devel intltool ipset \
+ iptables iptables-ebtables nftables libtool libxml2 \
+ libxslt make nftables python3-nftables python3-slip-dbus \
+ python3-gobject-base diffutils procps-ng iproute which dbus-daemon \
+ NetworkManager" && \
+ echo "COPY . /tmp/firewalld"; \
+ } | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
+
+check-container-debian-sid: PYTHON=/usr/bin/python3
+check-container-fedora-rawhide: PYTHON=/usr/bin/python3
+check-container-centos8-stream: PYTHON=/usr/libexec/platform-python
$(CONTAINER_TARGETS): check-container-%: check-container-%-image
$(PODMAN) run -i --rm --privileged firewalld-testsuite-$* bash -c " \
cd /tmp/firewalld && \
./autogen.sh && \
- ./configure PYTHON=/usr/bin/python3 && \
+ ./configure PYTHON=\"${PYTHON}\" && \
make && \
{ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" || \
make -C src/tests check-local TESTSUITEFLAGS=\"--recheck --errexit --verbose\" ; } && \
--
2.27.0


@ -1,33 +0,0 @@
From fe902f0be61bb0fe25418e5e13f7aa0131e042db Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 19 May 2020 13:24:25 -0400
Subject: [PATCH 28/45] fix(firewall-offline-cmd): remove instances of "[P]" in
help text
All commands are permanent. The "[P]" tag is unnecessary.
(cherry picked from commit 32f7ea86eaf86705d8f52eeb1195e7549653fdce)
(cherry picked from commit 1a22a093088eb7cc23f3b6c4b4ba6fb3323902aa)
---
src/firewall-offline-cmd.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/firewall-offline-cmd.in b/src/firewall-offline-cmd.in
index 98ca3e81ad7b..c0ad9ec8f64e 100755
--- a/src/firewall-offline-cmd.in
+++ b/src/firewall-offline-cmd.in
@@ -168,9 +168,9 @@ IPSet Options
--ipset=<ipset> --get-entries
List entries of an ipset
--ipset=<ipset> --add-entries-from-file=<entry>
- Add a new entries to an ipset [P]
+ Add a new entries to an ipset
--ipset=<ipset> --remove-entries-from-file=<entry>
- Remove entries from an ipset [P]
+ Remove entries from an ipset
IcmpType Options
--new-icmptype=<icmptype>
--
2.27.0


@ -0,0 +1,81 @@
From 1a2c50e5cf165a5392764ff435b7183a6d6610a7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 27 Apr 2021 09:06:22 -0400
Subject: [PATCH 28/30] test(nm): reload: only consider NM connections with a
real interface
Coverage: rhbz 1928860
(cherry picked from commit 7566d3dc5664955064b14314b3d3ef20bcebd6e4)
(cherry picked from commit e936e005898e18caa628b5b61d7589c2bbc461cb)
---
src/tests/Makefile.am | 4 ++--
src/tests/integration/networkmanager.at | 1 +
src/tests/integration/rhbz1928860.at | 26 +++++++++++++++++++++++++
3 files changed, 29 insertions(+), 2 deletions(-)
create mode 100644 src/tests/integration/rhbz1928860.at
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index b7556b30ecc8..e936454faf6a 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -71,7 +71,7 @@ check-container-fedora-rawhide-image: check-container-%-image:
iptables iptables-nft libtool libxml2 libxslt make nftables \
python3-nftables python3-slip-dbus python3-gobject-base \
diffutils procps-ng iproute which dbus-daemon \
- NetworkManager" && \
+ NetworkManager NetworkManager-ovs" && \
echo "RUN alternatives --set ebtables /usr/sbin/ebtables-nft" && \
echo "COPY . /tmp/firewalld"; \
} | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
@@ -86,7 +86,7 @@ check-container-centos8-stream-image: check-container-%-image:
iptables iptables-ebtables nftables libtool libxml2 \
libxslt make nftables python3-nftables python3-slip-dbus \
python3-gobject-base diffutils procps-ng iproute which dbus-daemon \
- NetworkManager" && \
+ NetworkManager NetworkManager-ovs" && \
echo "COPY . /tmp/firewalld"; \
} | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
diff --git a/src/tests/integration/networkmanager.at b/src/tests/integration/networkmanager.at
index 08cf6d28451a..0b20adce0462 100644
--- a/src/tests/integration/networkmanager.at
+++ b/src/tests/integration/networkmanager.at
@@ -1,2 +1,3 @@
AT_BANNER([NetworkManager (FIREWALL_BACKEND)])
m4_include([integration/rhbz1773809.at])
+m4_include([integration/rhbz1928860.at])
diff --git a/src/tests/integration/rhbz1928860.at b/src/tests/integration/rhbz1928860.at
new file mode 100644
index 000000000000..8ef2a1dcbd01
--- /dev/null
+++ b/src/tests/integration/rhbz1928860.at
@@ -0,0 +1,26 @@
+FWD_START_TEST([reload don't consider non IP capable interfaces])
+AT_KEYWORDS(reload rhbz1928860)
+
+START_NETWORKMANAGER
+
+dnl OVS bridge and port
+NMCLI_CHECK([connection add type ovs-bridge conn.interface ovs-br con-name ovs-br], 0, [ignore])
+NMCLI_CHECK([connection add type ovs-port conn.interface ovs-interface-port master ovs-br con-name ovs-interface-port], 0, [ignore])
+echo NS_CMD([nmcli connection delete ovs-br]) >> ./cleanup
+echo NS_CMD([nmcli connection delete ovs-interface-port]) >> ./cleanup
+
+dnl Up them
+NMCLI_CHECK([connection up ovs-br], 0, [ignore])
+NMCLI_CHECK([connection up ovs-interface-port], 0, [ignore])
+
+dnl Omit the actual linux interface because it requires the OVS daemon to be
+dnl running. The bug is reproducible without it.
+dnl
+dnl NMCLI_CHECK([connection add type ovs-interface slave-type ovs-port conn.interface ovs-br master ovs-interface-port con-name ovs-interface ipv4.method disabled ipv6.method disabled], 0, [ignore])
+dnl echo NS_CMD([nmcli connection delete ovs-interface]) >> ./cleanup
+dnl NMCLI_CHECK([connection up ovs-interface], 0, [ignore])
+
+dnl just need to verify reload
+FWD_RELOAD
+
+FWD_END_TEST
--
2.27.0
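Review bot: The new test in rhbz1928860.at only asserts that FWD_RELOAD succeeds; it never checks that the OVS-only devices were actually left out of firewalld's interface mapping, so a regression that stops raising but still imports the bogus name would pass unnoticed. After the reload, a check that `ovs-interface-port` is absent from the output of `firewall-cmd --get-active-zones` (or `--zone=<zone> --list-interfaces`) would pin the intended behaviour; which zone NetworkManager would assign cannot be read from this hunk, so the exact expectation needs confirming. A one-line comment above FWD_RELOAD, `dnl before the fix this reload failed because the OVS devices have no IP-capable interface`, would also make the guarded regression explicit.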


@ -0,0 +1,36 @@
From 6e97c635d2bfe9ef73f72aa165443cfcefc6c82c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 17 May 2021 15:43:13 -0400
Subject: [PATCH 29/30] docs(conf): note that IPv6_rpfilter has a performance
penalty
Fixes: rhbz 1871860
(cherry picked from commit aad59154e16f669bf85e9894e7e0e19061d370d4)
(cherry picked from commit 5391c26d3e730f283d1f00f7ac1869aeb2251837)
---
doc/xml/firewalld.conf.xml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index c21ef87813bc..0bf4c2d4d011 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -114,6 +114,15 @@
If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.
For IPv4 the rp_filter is controlled using sysctl.
</para>
+ <para>
+ <emphasis role="bold">Note</emphasis>: This feature has a performance
+ impact. In most cases the impact is not enough to cause a noticeable
+ difference. It requires route lookups and its execution occurs before
+ the established connections fast path. As such it can have a
+ significant performance impact if there is a lot of traffic. It's
+ enabled by default for security, but can be disabled if performance is
+ a concern.
+ </para>
</listitem>
</varlistentry>
--
2.27.0


@ -1,30 +0,0 @@
From 53e62b6640c2d52ca6385120e3215b18d4ea70bf Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 8 Jun 2020 14:58:50 -0400
Subject: [PATCH 29/45] fix(rich): source mac with nftables backend
Fixes: #643
Fixes: rhbz 1843398
Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface")
(cherry picked from commit e255e7357358b5fe1593225e6bd995850421825a)
(cherry picked from commit d78607ca4862a7b20551a98387ff285499d73440)
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 69ee63b32f8b..97b1cd9f7f1e 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1064,7 +1064,7 @@ class nftables(object):
if addr_field == "daddr":
raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__))
family = "ether"
- if check_single_address("ipv4", address):
+ elif check_single_address("ipv4", address):
family = "ip"
elif check_address("ipv4", address):
family = "ip"
--
2.27.0


@ -0,0 +1,28 @@
From 60e4181ca9ac8dbd1acb6baf85b42b0666aa56b7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 19 May 2021 12:52:52 -0400
Subject: [PATCH 30/30] improvement(conf): note that IPv6_rpfilter has a
performance penalty
(cherry picked from commit cf8e0df944322f1ad283946c64bf7f933c25340d)
(cherry picked from commit 1a8bb7e5dcee3bcd691219104427daf39ead1f82)
---
config/firewalld.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index f791b2358ab8..a0556c0bbf5b 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -23,6 +23,8 @@ Lockdown=no
# packet would be sent via the same interface that the packet arrived on, the
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
+# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
+# for details.
# Default: yes
IPv6_rpfilter=yes
--
2.27.0


@ -1,42 +0,0 @@
From 8058fda3072600ce65851b43cd3422fe0acdecb4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 8 Jun 2020 14:11:27 -0400
Subject: [PATCH 30/45] test(rich): source mac with nftables backend
With the nftables backend firewalld fails to add a rule that matches the
source mac address.
(cherry picked from commit ef555fa1538b8df414fecaf400653fb0a95322db)
(cherry picked from commit a1fe0b082aec4ea5f175854412cd7ab4eef4e294)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1843398.at | 8 ++++++++
2 files changed, 9 insertions(+)
create mode 100644 src/tests/regression/rhbz1843398.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index c3a5706c6406..984d299bfd4e 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -29,3 +29,4 @@ m4_include([regression/rhbz1779835.at])
m4_include([regression/gh330.at])
m4_include([regression/gh599.at])
m4_include([regression/rhbz1829104.at])
+m4_include([regression/rhbz1843398.at])
diff --git a/src/tests/regression/rhbz1843398.at b/src/tests/regression/rhbz1843398.at
new file mode 100644
index 000000000000..4606e8497223
--- /dev/null
+++ b/src/tests/regression/rhbz1843398.at
@@ -0,0 +1,8 @@
+FWD_START_TEST([rich rule source mac])
+AT_KEYWORDS(rich rhbz1843398 gh643)
+
+FWD_CHECK([--permanent --add-rich-rule='rule source mac="11:22:33:44:55:66" reject'], 0, [ignore])
+FWD_CHECK([ --add-rich-rule='rule source mac="11:22:33:44:55:66" reject'], 0, [ignore])
+FWD_RELOAD
+
+FWD_END_TEST
--
2.27.0


@ -1,27 +0,0 @@
From 944b49770943ec485212f2ca50d73231b7495d65 Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Wed, 10 Jun 2020 17:55:54 -0400
Subject: [PATCH 31/45] docs(README): add libxslt for doc generation
(cherry picked from commit 1e9638b07a9c740a4ab5128708f9a40acc2d4668)
(cherry picked from commit 32c7f4c7eeafa4298ca403f45db8fda49f01ed2e)
---
README | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index 120543588540..7c00c3094949 100644
--- a/README
+++ b/README
@@ -58,7 +58,7 @@ For use with Python 2:
To be able to create man pages and documentation from docbook files:
docbook-style-xsl
-
+ libxslt
Use the usual autoconf/automake incantation to generate makefiles
--
2.27.0


@ -0,0 +1,28 @@
From 8d8ec4530dea1a74254c6cc14ece4fa14f7f94fe Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 3 Jun 2021 12:00:06 -0400
Subject: [PATCH 31/36] test(functions): FWD_GREP_LOG: allow checking error
code
(cherry picked from commit 748bcaee9a1d1151cf0e4bc9229f7b46774332ae)
(cherry picked from commit 69c6a91ca507bdf0e18784ce06d3d872a1c2e5ab)
---
src/tests/functions.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 54afcf14585a..4b298644d7e4 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -328,7 +328,7 @@ m4_define([FWD_CHECK], [
])
m4_define([FWD_GREP_LOG], [
- AT_CHECK([grep "$1" ./firewalld.log], 0, [ignore], [ignore])
+ AT_CHECK([grep "$1" ./firewalld.log], $2, [ignore], [ignore])
])
m4_define([TRIM], [[sed -e 's/^[ \t]*//' -e 's/[ \t]*$//']])
--
2.27.0
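Review bot: FWD_GREP_LOG now takes an optional second argument, but nothing documents it; callers have to know that an empty `$2` relies on AT_CHECK treating an empty status as its default of 0, and that passing `1` asserts the pattern is absent. A `dnl` comment above the macro would make that contract explicit, e.g. `dnl FWD_GREP_LOG(PATTERN, [STATUS]): grep ./firewalld.log for PATTERN (basic regex); STATUS defaults to 0, pass 1 to assert the message is absent`. Since `$1` lands inside a double-quoted grep argument, the comment should also say that `$`, backquotes and backslashes in PATTERN are subject to shell expansion.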


@ -1,56 +0,0 @@
From d48ffab0a49db8c937bbd62b0b8b755b3dbca4a8 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 23 Jun 2020 13:39:49 -0400
Subject: [PATCH 32/45] docs: replace occurrences of the term blacklist with
denylist
(cherry picked from commit af3f7cd074f737c584a42cf1028f18e6fa597204)
(cherry picked from commit 621916b2dbb4cb04da4a0babc3b741202fd709b4)
---
doc/xml/firewalld.direct.xml | 12 ++++++------
src/firewall-config.glade | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/doc/xml/firewalld.direct.xml b/doc/xml/firewalld.direct.xml
index de7b5973dd7f..d65b66f74513 100644
--- a/doc/xml/firewalld.direct.xml
+++ b/doc/xml/firewalld.direct.xml
@@ -273,16 +273,16 @@
<title>Example</title>
<para>
- Blacklisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with logging and dropping early in the raw table:
+ Denylisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with logging and dropping early in the raw table:
<programlisting>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;direct&gt;
- &lt;chain ipv="ipv4" table="raw" chain="blacklist"/&gt;
- &lt;rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0"&gt;-s 192.168.1.0/24 -j blacklist&lt;/rule&gt;
- &lt;rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1"&gt;-s 192.168.5.0/24 -j blacklist&lt;/rule&gt;
- &lt;rule ipv="ipv4" table="raw" chain="blacklist" priority="0"&gt;-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "&lt;/rule&gt;
- &lt;rule ipv="ipv4" table="raw" chain="blacklist" priority="1"&gt;-j DROP&lt;/rule&gt;
+ &lt;chain ipv="ipv4" table="raw" chain="denylist"/&gt;
+ &lt;rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0"&gt;-s 192.168.1.0/24 -j denylist&lt;/rule&gt;
+ &lt;rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1"&gt;-s 192.168.5.0/24 -j denylist&lt;/rule&gt;
+ &lt;rule ipv="ipv4" table="raw" chain="denylist" priority="0"&gt;-m limit --limit 1/min -j LOG --log-prefix "denylisted: "&lt;/rule&gt;
+ &lt;rule ipv="ipv4" table="raw" chain="denylist" priority="1"&gt;-j DROP&lt;/rule&gt;
&lt;/direct&gt;
</programlisting>
diff --git a/src/firewall-config.glade b/src/firewall-config.glade
index 689433c47eca..6c057f66f401 100644
--- a/src/firewall-config.glade
+++ b/src/firewall-config.glade
@@ -9761,7 +9761,7 @@
<object class="GtkLabel" id="label38">
<property name="can_focus">False</property>
<property name="halign">start</property>
- <property name="label" translatable="yes">For host or network white or blacklisting deactivate the element.</property>
+ <property name="label" translatable="yes">For host or network allow or denylisting deactivate the element.</property>
<property name="wrap">True</property>
<property name="xalign">0</property>
<property name="yalign">0</property>
--
2.27.0


@ -0,0 +1,41 @@
From fd61eebac7618b1f9051497904d4392ac9b6f53b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 3 Jun 2021 12:12:03 -0400
Subject: [PATCH 32/36] test(functions): improve checking firewalld.log for
errors
Don't delete the errors/warnings from the log. Use sed/grep in a pipe
instead.
(cherry picked from commit 23dc028083dbdbd291f022ab60bad0462e23d48e)
(cherry picked from commit 1bafb54763926f49f930038fb6ecd9ab3e05c796)
---
src/tests/functions.at | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 4b298644d7e4..03795bc3c132 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -255,14 +255,11 @@ m4_define([FWD_START_TEST], [
m4_define([FWD_END_TEST], [
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- IF_HOST_SUPPORTS_IP6TABLES([], [
- sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
- ])
if test x"$1" != x"ignore"; then
- if test -n "$1"; then
- sed -i $1 ./firewalld.log
- fi
- AT_FAIL_IF([[grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log]])
+ AT_FAIL_IF([cat ./firewalld.log | dnl
+ sed "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" | dnl
+ m4_ifnblank([$1], [sed $1 |]) dnl
+ [grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)']])
fi
m4_undefine([CURRENT_DBUS_ADDRESS])
m4_undefine([CURRENT_TEST_NS])
--
2.27.0
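Review bot: The rewritten check in FWD_END_TEST strips the `WARNING: ip6tables not usable, disabling IPv6 firewall` line unconditionally, whereas the removed code only did so under `IF_HOST_SUPPORTS_IP6TABLES([], ...)`, i.e. on hosts that genuinely lack ip6tables. On a host that does support ip6tables that warning is now masked, so a run in which IPv6 filtering silently disappears would still pass. Keeping the condition inside the pipeline preserves the old coverage: replace the unconditional sed stage with `IF_HOST_SUPPORTS_IP6TABLES([], [sed "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" |]) dnl`, leaving the leading `cat` in place because the following stages are optional. The m4_define of FWD_END_TEST continues past the hunk.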


@ -0,0 +1,46 @@
From a79321b79b0543cff0c99702c1ab9eeaab8bfe06 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 3 Jun 2021 11:42:58 -0400
Subject: [PATCH 33/36] fix(policy): warn instead of error for overlapping
ports
Fixes: rhbz 1914935
(cherry picked from commit b71e532bc21fb6a06345b5ecfeb60683c7a194e9)
(cherry picked from commit 66ca4b0fd9588d60d31998ad792f04962053aaab)
---
src/firewall/core/fw_policy.py | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/firewall/core/fw_policy.py b/src/firewall/core/fw_policy.py
index 3f5dab808ff0..79a52d8d97c0 100644
--- a/src/firewall/core/fw_policy.py
+++ b/src/firewall/core/fw_policy.py
@@ -98,11 +98,23 @@ class FirewallPolicy(object):
for args in obj.services:
self.add_service(policy, args)
for args in obj.ports:
- self.add_port(policy, *args)
+ try:
+ self.add_port(policy, *args)
+ except FirewallError as error:
+ if error.code in [errors.ALREADY_ENABLED]:
+ log.warning(error)
+ else:
+ raise error
for args in obj.protocols:
self.add_protocol(policy, args)
for args in obj.source_ports:
- self.add_source_port(policy, *args)
+ try:
+ self.add_source_port(policy, *args)
+ except FirewallError as error:
+ if error.code in [errors.ALREADY_ENABLED]:
+ log.warning(error)
+ else:
+ raise error
for args in obj.rules:
self.add_rule(policy, args)
if obj.masquerade:
--
2.27.0
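Review bot: Both new except branches re-raise with `raise error`, which under Python 2 (this tree's README still carries a "For use with Python 2" section) replaces the original traceback with the re-raise site; a bare `raise` keeps it and is correct in both versions. The two try/except blocks are otherwise identical, so a small private helper such as `def _add_or_warn(fn, *args)` that calls fn and downgrades `errors.ALREADY_ENABLED` to `log.warning` would remove the duplication and make the tolerance easy to apply consistently. If add_service(), add_protocol() or add_rule() raise ALREADY_ENABLED for duplicates in the same way, a duplicate there still aborts the whole policy load; whether that asymmetry is intended is not decidable from this hunk. The enclosing method starts before and continues past the hunk.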


@ -1,31 +0,0 @@
From 542e44f2ba257b7f643770c9e2eedcf9a9f87c9c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Jun 2020 11:08:58 +0300
Subject: [PATCH 33/45] fix: update dynamic DCE RPC ports in freeipa-trust
service
Samba did change DCE RPC dynamic port range to 49152-65535 with version
4.7.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
(cherry picked from commit 0753d6e653b804779f7301737809767f0d5cf9af)
(cherry picked from commit 88bbe05e5bdd510cc2544f2fb201186ef2abb8bb)
---
config/services/freeipa-trust.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/services/freeipa-trust.xml b/config/services/freeipa-trust.xml
index 100cab614abe..315f69cce150 100644
--- a/config/services/freeipa-trust.xml
+++ b/config/services/freeipa-trust.xml
@@ -9,6 +9,6 @@
<port protocol="udp" port="389"/>
<port protocol="tcp" port="445"/>
<port protocol="udp" port="445"/>
- <port protocol="tcp" port="1024-1300"/>
+ <port protocol="tcp" port="49152-65535"/><!-- Dynamic RPC Ports -->
<port protocol="tcp" port="3268"/>
</service>
--
2.27.0


@ -1,70 +0,0 @@
From 4b2fecb2288fdd345f98890f9c801b1e4e2a5474 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 25 Jun 2020 16:42:36 +0200
Subject: [PATCH 34/45] fix: core: rich: Catch ValueError on non-numeric
priority values
Be a bit more user-friendly by printing:
| Error: INVALID_RULE: invalid 'priority' attribute value 'ab'.
instead of Python's default, which is:
| Error: invalid literal for int() with base 10: 'ab'
Fixes: rhbz 1689429
(cherry picked from commit 3a0e79b1cfe4344d21d30eb47c038252d728cc44)
(cherry picked from commit fa21382cc513cc0dba56ba085782a3e23c863afc)
---
src/firewall/core/rich.py | 5 ++++-
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1689429.at | 12 ++++++++++++
3 files changed, 17 insertions(+), 1 deletion(-)
create mode 100644 src/tests/regression/rhbz1689429.at
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index dacaeb9c0b70..eb4a2d2d9669 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -379,7 +379,10 @@ class Rich_Rule(object):
raise FirewallError(errors.INVALID_RULE, "'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead." % attr_value)
self.family = attr_value
elif attr_name == 'priority':
- self.priority = int(attr_value)
+ try:
+ self.priority = int(attr_value)
+ except ValueError:
+ raise FirewallError(errors.INVALID_RULE, "invalid 'priority' attribute value '%s'." % attr_value)
elif attr_name:
if attr_name == 'protocol':
err_msg = "wrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'."
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 984d299bfd4e..1c8f76afa87a 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -30,3 +30,4 @@ m4_include([regression/gh330.at])
m4_include([regression/gh599.at])
m4_include([regression/rhbz1829104.at])
m4_include([regression/rhbz1843398.at])
+m4_include([regression/rhbz1689429.at])
diff --git a/src/tests/regression/rhbz1689429.at b/src/tests/regression/rhbz1689429.at
new file mode 100644
index 000000000000..5701607d660f
--- /dev/null
+++ b/src/tests/regression/rhbz1689429.at
@@ -0,0 +1,12 @@
+FWD_START_TEST([rich rule invalid priority])
+AT_KEYWORDS(rich rhbz1689429)
+
+FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 122, [],
+ [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'.
+])
+FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 122, [],
+ [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'.
+])
+FWD_RELOAD
+
+FWD_END_TEST([ignore])
--
2.27.0


@ -0,0 +1,99 @@
From 7c1e62b4933f2b110dcedc411b4381c00abe799f Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 3 Jun 2021 11:27:11 -0400
Subject: [PATCH 34/36] test(zone): verify overlapping ports don't halt zone
loading
We can warn about the overlapping ports, but don't completely error out.
Coverage: rhbz 1914935
(cherry picked from commit 012a87a343673c7699f48fa6af973c890be08671)
(cherry picked from commit 50e4c979283eee83bf0c707184cd0ca9bf112e85)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1914935.at | 64 +++++++++++++++++++++++++++++
2 files changed, 65 insertions(+)
create mode 100644 src/tests/regression/rhbz1914935.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 2a5ad9ef995a..aadd948a459f 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -41,3 +41,4 @@ m4_include([regression/gh703.at])
m4_include([regression/ipset_netmask_allowed.at])
m4_include([regression/rhbz1940928.at])
m4_include([regression/rhbz1936896.at])
+m4_include([regression/rhbz1914935.at])
diff --git a/src/tests/regression/rhbz1914935.at b/src/tests/regression/rhbz1914935.at
new file mode 100644
index 000000000000..5b110ea4cf4d
--- /dev/null
+++ b/src/tests/regression/rhbz1914935.at
@@ -0,0 +1,64 @@
+FWD_START_TEST([zone overlapping ports])
+AT_KEYWORDS(zone port rhbz1914935)
+
+AT_CHECK([mkdir -p ./zones])
+
+AT_DATA([./zones/foobar.xml], [dnl
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+<port port="1024-65535" protocol="tcp" />
+<port port="1234" protocol="tcp" />
+<port port="2000-3000" protocol="tcp" />
+</zone>
+])
+FWD_RELOAD
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1234:tcp' already in 'foobar'])
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '2000-3000:tcp' already in 'foobar'])
+FWD_CHECK([--zone foobar --list-ports], 0, [dnl
+1024-65535/tcp
+])
+
+AT_DATA([./zones/foobar.xml], [dnl
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+<source-port port="1024-65535" protocol="tcp" />
+<source-port port="1234" protocol="tcp" />
+<source-port port="2000-3000" protocol="tcp" />
+</zone>
+])
+FWD_RELOAD
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1234:tcp' already in 'foobar'])
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '2000-3000:tcp' already in 'foobar'])
+FWD_CHECK([--zone foobar --list-source-ports], 0, [dnl
+1024-65535/tcp
+])
+
+dnl this one partially overlaps so it should not throw a warning.
+AT_DATA([./zones/foobar.xml], [dnl
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+<port port="1024-2000" protocol="tcp" />
+<port port="1500-2500" protocol="tcp" />
+</zone>
+])
+FWD_RELOAD
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1500-2500:tcp' already in 'foobar'], 1)
+FWD_CHECK([--zone foobar --list-ports], 0, [dnl
+1024-2500/tcp
+])
+
+dnl this one partially overlaps so it should not throw a warning.
+AT_DATA([./zones/foobar.xml], [dnl
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+<source-port port="1024-2000" protocol="tcp" />
+<source-port port="1500-2500" protocol="tcp" />
+</zone>
+])
+FWD_RELOAD
+FWD_GREP_LOG([WARNING: ALREADY_ENABLED: '1500-2500:tcp' already in 'foobar'], 1)
+FWD_CHECK([--zone foobar --list-source-ports], 0, [dnl
+1024-2500/tcp
+])
+
+FWD_END_TEST([-e '/WARNING: ALREADY_ENABLED:/d'])
--
2.27.0
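Review bot: The second FWD_GREP_LOG pair (the source-port case) greps for exactly the same text as the first pair, `'1234:tcp' already in 'foobar'` and `'2000-3000:tcp' already in 'foobar'`, so unless firewalld.log is truncated between the FWD_RELOAD calls those assertions are already satisfied by the warnings from the port case and do not prove that source-ports produce them. Truncating the log before each sub-test, e.g. `AT_CHECK([: > ./firewalld.log])` right after each AT_DATA, or asserting on `grep -c` counts, would make each pair independent; I cannot confirm from this hunk whether FWD_RELOAD already truncates the log. The closing `FWD_END_TEST([-e '/WARNING: ALREADY_ENABLED:/d'])` filter is fine as it only masks the warnings the test deliberately provokes.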

View File

@ -1,55 +0,0 @@
From 040621b36e72f63482cce6c4e4daefd8b982387c Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Tue, 23 Jun 2020 20:01:17 -0400
Subject: [PATCH 35/45] fix(cli): add --zone is an invalid option with --direct
Fixes: rhbz 1483921
(cherry picked from commit 303f85fc35d230f6e1980996020011dd8c0c2041)
(cherry picked from commit e946d8c8f4717d269b9ca785cf124d83de7b723e)
---
src/firewall-cmd.in | 3 +++
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1483921.at | 8 ++++++++
3 files changed, 12 insertions(+)
create mode 100644 src/tests/regression/rhbz1483921.at
diff --git a/src/firewall-cmd.in b/src/firewall-cmd.in
index 317da5eab6e4..014f3884d64b 100755
--- a/src/firewall-cmd.in
+++ b/src/firewall-cmd.in
@@ -962,6 +962,9 @@ if (a.direct and not options_direct) or (options_direct and not a.direct):
cmd.fail(parser.format_usage() +
"Wrong usage of 'direct' options.")
+if a.zone and a.direct:
+ cmd.fail(parser.format_usage() + "--zone is an invalid option with --direct")
+
if a.name and not (a.new_zone_from_file or a.new_service_from_file or \
a.new_ipset_from_file or a.new_icmptype_from_file or \
a.new_helper_from_file):
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 1c8f76afa87a..5241a11a830d 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -31,3 +31,4 @@ m4_include([regression/gh599.at])
m4_include([regression/rhbz1829104.at])
m4_include([regression/rhbz1843398.at])
m4_include([regression/rhbz1689429.at])
+m4_include([regression/rhbz1483921.at])
diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at
new file mode 100644
index 000000000000..d3dd60bc8faf
--- /dev/null
+++ b/src/tests/regression/rhbz1483921.at
@@ -0,0 +1,8 @@
+FWD_START_TEST([direct zone])
+ AT_KEYWORDS(direct rhbz1483921)
+
+ FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
+
+ FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
+FWD_END_TEST
+
--
2.27.0


@ -1,29 +0,0 @@
From 23a0df223fdcb52b96aa0c68d5faabc5d645682d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 29 Jun 2020 14:48:00 -0400
Subject: [PATCH 36/45] test(rhbz1483921): better test name
Fixes: 303f85fc35d2 ("fix(cli): add --zone is an invalid option with --direct")
(cherry picked from commit a844f985f2d160b921ad65c87d91e795ef9a45cb)
(cherry picked from commit 48a97e77452dff84b542006f7e3a64434a993a48)
---
src/tests/regression/rhbz1483921.at | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at
index d3dd60bc8faf..97939919f9af 100644
--- a/src/tests/regression/rhbz1483921.at
+++ b/src/tests/regression/rhbz1483921.at
@@ -1,8 +1,7 @@
-FWD_START_TEST([direct zone])
+FWD_START_TEST([direct and zone mutually exclusive])
AT_KEYWORDS(direct rhbz1483921)
FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
FWD_END_TEST
-
--
2.27.0


@ -1,71 +0,0 @@
From 09b9f5a18dbe01d0d3ab9b0db721eadab5e38b35 Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Mon, 29 Jun 2020 17:34:46 -0400
Subject: [PATCH 37/45] fix(cli): add ipset type hash:mac is incompatible with
the family parameter Fixes: rhbz1541077
(cherry picked from commit dddba7b9c276e9c58f6c2bc554c82252fa084eaf)
(cherry picked from commit 15f5691f0dbffcc1d4c1f42e77e79c6600db0d77)
---
src/firewall-cmd.in | 3 +++
src/firewall-offline-cmd.in | 3 +++
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1541077.at | 9 +++++++++
4 files changed, 16 insertions(+)
create mode 100644 src/tests/regression/rhbz1541077.at
diff --git a/src/firewall-cmd.in b/src/firewall-cmd.in
index 014f3884d64b..b6c2f84f5a9e 100755
--- a/src/firewall-cmd.in
+++ b/src/firewall-cmd.in
@@ -1074,6 +1074,9 @@ if a.permanent:
if not a.type:
cmd.fail(parser.format_usage() + "No type specified.")
+ if a.type=='hash:mac' and a.family:
+ cmd.fail(parser.format_usage()+ "--family is not compatible with the hash:mac type")
+
settings = FirewallClientIPSetSettings()
settings.setType(a.type)
if a.option:
diff --git a/src/firewall-offline-cmd.in b/src/firewall-offline-cmd.in
index c0ad9ec8f64e..98c00548e3e5 100755
--- a/src/firewall-offline-cmd.in
+++ b/src/firewall-offline-cmd.in
@@ -1577,6 +1577,9 @@ try:
if not a.type:
cmd.fail(parser.format_usage() + "No type specified.")
+ if a.type=='hash:mac' and a.family:
+ cmd.fail(parser.format_usage() + "--family is not compatible with the hash:mac type")
+
settings = FirewallClientIPSetSettings()
settings.setType(a.type)
if a.option:
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 5241a11a830d..5c8aae7e64d3 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -32,3 +32,4 @@ m4_include([regression/rhbz1829104.at])
m4_include([regression/rhbz1843398.at])
m4_include([regression/rhbz1689429.at])
m4_include([regression/rhbz1483921.at])
+m4_include([regression/rhbz1541077.at])
diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at
new file mode 100644
index 000000000000..765ab0c6290b
--- /dev/null
+++ b/src/tests/regression/rhbz1541077.at
@@ -0,0 +1,9 @@
+FWD_START_TEST([hash:mac and family mutually exclusive])
+ AT_KEYWORDS(ipset rhbz1541077)
+
+ FWD_CHECK([firewall-cmd --permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
+
+ FWD_CHECK([firewall-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
+
+ FWD_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
+FWD_END_TEST
--
2.27.0


@ -1,42 +0,0 @@
From 15989f86b18c99d79b342e78a2c3bd26c4973868 Mon Sep 17 00:00:00 2001
From: Vladislav Grigoryev <20725816+vgaetera@users.noreply.github.com>
Date: Tue, 23 Jun 2020 13:34:40 +0300
Subject: [PATCH 38/45] fix(cli): unify indentation for forward-ports and rich
rules
Unify indentation for forward-ports and rich rules in the CLI zone listing.
Do not insert redundant newlines when there are no forward-ports or rich rules.
(cherry picked from commit 41df4088cd98f35adb3ac836143e7be34bb07a21)
(cherry picked from commit 809fc4b61321cd459dde65559af3dfbd73f4ce1e)
---
src/firewall/command.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/firewall/command.py b/src/firewall/command.py
index c371dc23584c..8dee63bdda8f 100644
--- a/src/firewall/command.py
+++ b/src/firewall/command.py
@@ -428,7 +428,7 @@ class FirewallCommand(object):
for port in ports]))
self.print_msg(" protocols: " + " ".join(sorted(protocols)))
self.print_msg(" masquerade: %s" % ("yes" if masquerade else "no"))
- self.print_msg(" forward-ports: " +
+ self.print_msg(" forward-ports: " + ("\n\t" if forward_ports else "") +
"\n\t".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % \
(port, proto, toport, toaddr)
for (port, proto, toport, toaddr) in \
@@ -437,8 +437,8 @@ class FirewallCommand(object):
" ".join(["%s/%s" % (port[0], port[1])
for port in source_ports]))
self.print_msg(" icmp-blocks: " + " ".join(icmp_blocks))
- self.print_msg(" rich rules: \n\t" + "\n\t".join(
- sorted(rules, key=rich_rule_sorted_key)))
+ self.print_msg(" rich rules: " + ("\n\t" if rules else "") +
+ "\n\t".join(sorted(rules, key=rich_rule_sorted_key)))
def print_service_info(self, service, settings):
ports = settings.getPorts()
--
2.27.0


@ -1,40 +0,0 @@
From 13442af85c144da1eff00cf193db118eb9afb498 Mon Sep 17 00:00:00 2001
From: Paul Wouters <pwouters@redhat.com>
Date: Mon, 6 Jul 2020 20:43:05 -0400
Subject: [PATCH 39/45] improvement(service): IPsec: Update description and add
TCP port 4500
IKE and IPsec over TCP is defined in RFC 8229. It specifically mentions
no ports to allow administrators to configure any port to prevent being
blocked by networks.
However, most IKE/IPsec blocking seems to come from unwanted accidental
UDP blocks, so any TCP would usually ensures IPsec can still work on
such networks. The default is therefor to pick the same TCP port as IKE
and IPsec over UDP uses, port 4500.
(cherry picked from commit 8c4fb4f658719cfb58bacae9e6e82c8e82c3465d)
(cherry picked from commit 0e2733a5b052a4a1d5e1f6f34bca1ff3760948f1)
---
config/services/ipsec.xml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/services/ipsec.xml b/config/services/ipsec.xml
index 9e70acb40003..824f1f3e539f 100644
--- a/config/services/ipsec.xml
+++ b/config/services/ipsec.xml
@@ -1,9 +1,10 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>IPsec</short>
- <description>Internet Protocol Security (IPsec) incorporates security for network transmissions directly into the Internet Protocol (IP). IPsec provides methods for both encrypting data and authentication for the host or network it sends to. If you plan to use a vpnc server or FreeS/WAN, do not disable this option.</description>
+ <description>Internet Protocol Security (IPsec) is the standarized IETF VPN architecture defined in RFC 4301. IPsec is negotiated using the IKEv1 (RFC 2409) or IKEv2 (RFC 7296) protocol, which in itself uses encryption and authentication. IPsec provides Internet Protocol (IP) packet encryption and authentication. Both IKE and IPsec can be encapsulated in UDP (RFC 3948) or TCP (RFC 8229 to make it easier to traverse NAT. Enabling this service will enable IKE, IPsec and their encapsulation protocols and ports. Note that IKE and IPsec can also be configured to use non-default ports, but this is not common practise.</description>
<port protocol="ah" port=""/>
<port protocol="esp" port=""/>
<port protocol="udp" port="500"/>
<port protocol="udp" port="4500"/>
+ <port protocol="tcp" port="4500"/>
</service>
--
2.27.0


@ -1,30 +0,0 @@
From f32a3617acd884f0a1af8e648fe09fa17ac24193 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 21 Jul 2020 15:33:37 -0400
Subject: [PATCH 40/45] fix(rich): nftables: log level "warning"
nftables wants the "warn" keyword not "warning".
(cherry picked from commit f622e65783c4d9f6969701a799d13cb8486d1c0f)
(cherry picked from commit 995cde22cced261c558ecad523befe62eb878d05)
---
src/firewall/core/nftables.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 97b1cd9f7f1e..85c790b5b51e 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -993,7 +993,8 @@ class nftables(object):
if rich_rule.log.prefix:
log_options["prefix"] = "%s" % rich_rule.log.prefix
if rich_rule.log.level:
- log_options["level"] = "%s" % rich_rule.log.level
+ level = "warn" if "warning" == rich_rule.log.level else rich_rule.log.level
+ log_options["level"] = "%s" % level
rule = {"family": "inet",
"table": TABLE_NAME,
--
2.27.0


@ -1,85 +0,0 @@
From 5acbdc31a56f4b680323ba7aa92383da9e9f25fa Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 22 Jul 2020 09:18:42 -0400
Subject: [PATCH 41/45] fix(rich): icmptypes with one family
They were mistakenly being added to both families which fails.
Fixes: rhbz 1855140
(cherry picked from commit 0112e36c4e225504b15a1feef3d453a757a00b21)
(cherry picked from commit bd61af7db6f92d48a79fb1e84405aef4f522ffbf)
---
src/firewall/core/fw_zone.py | 26 +++++++++++---------------
src/firewall/core/nftables.py | 2 +-
2 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 5677effab146..b9fe1f6aae97 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1522,14 +1522,17 @@ class FirewallZone(object):
transaction.add_rules(backend, rules)
def _rule_prepare(self, enable, zone, rule, transaction):
- if rule.family is not None:
+ ipvs = []
+ if rule.family:
ipvs = [ rule.family ]
- else:
- ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
+ elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)):
+ ict = self._fw.icmptype.get_icmptype(rule.element.name)
+ if ict.destination:
+ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination]
source_ipv = self._rule_source_ipv(rule.source)
- if source_ipv is not None and source_ipv != "":
- if rule.family is not None:
+ if source_ipv:
+ if rule.family:
# rule family is defined by user, no way to change it
if rule.family != source_ipv:
raise FirewallError(errors.INVALID_RULE,
@@ -1538,6 +1541,9 @@ class FirewallZone(object):
# use the source family as rule family
ipvs = [ source_ipv ]
+ if not ipvs:
+ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
+
# add an element to object to allow backends to know what ipvs this applies to
rule.ipvs = ipvs
@@ -1699,16 +1705,6 @@ class FirewallZone(object):
# icmp block might have reject or drop action, but not accept
raise FirewallError(errors.INVALID_RULE,
"IcmpBlock not usable with accept action")
- if ict.destination:
- for ipv in ipvs:
- if ipv in ict.destination \
- and not backend.is_ipv_supported(ipv):
- raise FirewallError(
- errors.INVALID_RULE,
- "Icmp%s %s not usable with %s" % \
- ("Block" if type(rule.element) == \
- Rich_IcmpBlock else "Type",
- rule.element.name, backend.name))
table = "filter"
if enable:
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 85c790b5b51e..0198200b2372 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1383,7 +1383,7 @@ class nftables(object):
return ICMP_TYPES_FRAGMENTS[ipv][icmp_type]
else:
raise FirewallError(INVALID_ICMPTYPE,
- "ICMP type '%s' not supported by %s" % (icmp_type, self.name))
+ "ICMP type '%s' not supported by %s for %s" % (icmp_type, self.name, ipv))
def build_zone_icmp_block_rules(self, enable, zone, ict, rich_rule=None):
table = "filter"
--
2.27.0


@ -1,68 +0,0 @@
From 210a2580e405a852b5b64da99e6fead6a0d9e069 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Aug 2020 11:59:04 -0400
Subject: [PATCH 42/45] test(rich): icmptypes with one family
Coverage for rhbz 1855140.
(cherry picked from commit 87ec14dddd742ff5fd8cce04e68c8bf9db8237e9)
(cherry picked from commit d5e74f5c4feb4a6ce060c2ded30f67a0fbe44865)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1855140.at | 35 +++++++++++++++++++++++++++++
2 files changed, 36 insertions(+)
create mode 100644 src/tests/regression/rhbz1855140.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 5c8aae7e64d3..d7b4d56239d1 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -33,3 +33,4 @@ m4_include([regression/rhbz1843398.at])
m4_include([regression/rhbz1689429.at])
m4_include([regression/rhbz1483921.at])
m4_include([regression/rhbz1541077.at])
+m4_include([regression/rhbz1855140.at])
diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
new file mode 100644
index 000000000000..8059e29fe71a
--- /dev/null
+++ b/src/tests/regression/rhbz1855140.at
@@ -0,0 +1,35 @@
+FWD_START_TEST([rich rule icmptypes with one family])
+AT_KEYWORDS(rich icmp rhbz1855140)
+
+FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
+FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
+FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
+FWD_RELOAD
+NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+ icmpv6 type nd-neighbor-advert accept
+ icmp type timestamp-request accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
+ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
+])
+IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136
+])
+
+FWD_END_TEST
--
2.27.0


@ -1,59 +0,0 @@
From d76d54277bc51398f7aa20b3dce0863e3520810b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 29 Jul 2020 15:18:38 -0400
Subject: [PATCH 43/45] fix(LastUpdatedOrderedDict): __getitem__(): fetch from
list if int
If the LastUpdatedOrderedDict contains a boolean key, e.g.
myLastUpdatedOrderedDict = LastUpdatedOrderedDict()
myLastUpdatedOrderedDic[True] = "true"
then
myLastUpdatedOrderedDic[1]
yields "true". As such, using the LastUpdatedOrderedDict as an iterable
e.g.
for foo in myLastUpdatedOrderedDict:
...
would mean that the for loop tries integer indexes 0 (returns key True),
and then 1 (also returns key True). This caused duplicate walks of a key
True if it was the first key in the LastUpdatedOrderedDict.
This occurs because
>>> True == 1
True
>>> False == 0
True
(cherry picked from commit 55754b65be6eaa697382992679e6673346e39f78)
(cherry picked from commit 1561dbc6c2b8f8f7f27b89810a8dda9b869b1923)
---
src/firewall/fw_types.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/firewall/fw_types.py b/src/firewall/fw_types.py
index 07c69c61702f..3d90c1812aec 100644
--- a/src/firewall/fw_types.py
+++ b/src/firewall/fw_types.py
@@ -54,10 +54,10 @@ class LastUpdatedOrderedDict(object):
self._dict[key] = value
def __getitem__(self, key):
- if key in self._dict:
- return self._dict[key]
- else:
+ if type(key) == int:
return self._list[key]
+ else:
+ return self._dict[key]
def __len__(self):
return len(self._list)
--
2.27.0


@ -1,35 +0,0 @@
From 38eec50b2a48b586b4dcceb03f119be967690c79 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Aug 2020 12:07:24 -0400
Subject: [PATCH 44/45] test(regression/rhbz1483921): correctly use macros
"firewall-cmd" is implicit in the macro. Specifying it will result in
CLI parse failure.
Fixes: 303f85fc35d2 ("fix(cli): add --zone is an invalid option with --direct")
(cherry picked from commit 0b8a2554463cfb96e17fbd31b8cbf4f6235e8625)
(cherry picked from commit bf6e1b8c1943166c60b9df25ae424e635ba23253)
---
src/tests/regression/rhbz1483921.at | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at
index 97939919f9af..4536615318eb 100644
--- a/src/tests/regression/rhbz1483921.at
+++ b/src/tests/regression/rhbz1483921.at
@@ -1,7 +1,8 @@
FWD_START_TEST([direct and zone mutually exclusive])
- AT_KEYWORDS(direct rhbz1483921)
+AT_KEYWORDS(direct rhbz1483921)
+
+FWD_CHECK([--zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, [ignore], [ignore])
+
+FWD_CHECK([--zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, [ignore], [ignore])
- FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
-
- FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
FWD_END_TEST
--
2.27.0


@ -1,37 +0,0 @@
From 025b24b137cfe8c9ef7145848764f0051084df71 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Aug 2020 12:11:16 -0400
Subject: [PATCH 45/45] test(regression/rhbz1541077): correctly use macros
"firewall-cmd" is implicit in the macro. Specifying it will result in
CLI parse failure.
Fixes: dddba7b9c276 ("fix(cli): add ipset type hash:mac is incompatible with the family parameter")
(cherry picked from commit 6e279ef6517a1ee4e2f9ac60922e8ddac8b096b7)
(cherry picked from commit a9976e7165a5b88eedc30357250add8e690210f1)
---
src/tests/regression/rhbz1541077.at | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at
index 765ab0c6290b..692ca8ecc892 100644
--- a/src/tests/regression/rhbz1541077.at
+++ b/src/tests/regression/rhbz1541077.at
@@ -1,9 +1,9 @@
FWD_START_TEST([hash:mac and family mutually exclusive])
- AT_KEYWORDS(ipset rhbz1541077)
+AT_KEYWORDS(ipset rhbz1541077)
- FWD_CHECK([firewall-cmd --permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
-
- FWD_CHECK([firewall-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
+FWD_CHECK([--permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+FWD_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+
+AT_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
- FWD_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
FWD_END_TEST
--
2.27.0


@ -1,49 +0,0 @@
From 32de2767e869970877c19c8919e37de375351bc1 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 6 Aug 2020 08:24:02 -0400
Subject: [PATCH] fix(rich): use correct error code for invalid priority
Fixes: 3a0e79b1cfe4 ("fix: core: rich: Catch ValueError on non-numeric priority values")
(cherry picked from commit e1562ba92caec988c7cf397b2fa77b8d41592c7e)
(cherry picked from commit 5a4e35317a32422dec4acffc845a6651f65680da)
---
src/firewall/core/rich.py | 2 +-
src/tests/regression/rhbz1689429.at | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index eb4a2d2d9669..86c0c998a478 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -382,7 +382,7 @@ class Rich_Rule(object):
try:
self.priority = int(attr_value)
except ValueError:
- raise FirewallError(errors.INVALID_RULE, "invalid 'priority' attribute value '%s'." % attr_value)
+ raise FirewallError(errors.INVALID_PRIORITY, "invalid 'priority' attribute value '%s'." % attr_value)
elif attr_name:
if attr_name == 'protocol':
err_msg = "wrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'."
diff --git a/src/tests/regression/rhbz1689429.at b/src/tests/regression/rhbz1689429.at
index 5701607d660f..9157c9544ffc 100644
--- a/src/tests/regression/rhbz1689429.at
+++ b/src/tests/regression/rhbz1689429.at
@@ -1,11 +1,11 @@
FWD_START_TEST([rich rule invalid priority])
AT_KEYWORDS(rich rhbz1689429)
-FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 122, [],
- [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'.
+FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 139, [],
+ [Error: INVALID_PRIORITY: invalid 'priority' attribute value 'foo'.
])
-FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 122, [],
- [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'.
+FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 139, [],
+ [Error: INVALID_PRIORITY: invalid 'priority' attribute value 'foo'.
])
FWD_RELOAD
--
2.27.0


@ -1,55 +0,0 @@
From cd284a0cacb0e9c1b75a7651b83848dd51e52ffd Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 7 Aug 2020 07:42:00 -0400
Subject: [PATCH] test(dbus): zone: add nm-shared to expected output if it
exists
newer networkmanager ships with this zone. as such, if nm is installed
the expected "get zones" output changes.
(cherry picked from commit a609c15657e68bacbc05d87cb71f366148cb8ced)
(cherry picked from commit 9f8f9390ef0a1631c07cae37be2ab27f29d0f34d)
---
src/tests/dbus/zone_permanent_functional.at | 6 +++++-
src/tests/dbus/zone_runtime_functional.at | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/tests/dbus/zone_permanent_functional.at b/src/tests/dbus/zone_permanent_functional.at
index 2261832e00a8..75645983dbf7 100644
--- a/src/tests/dbus/zone_permanent_functional.at
+++ b/src/tests/dbus/zone_permanent_functional.at
@@ -30,8 +30,12 @@ export DBUS_FOOBAR_ZONE_OBJ
dnl Get Zones
dnl
+if NS_CMD([firewall-cmd --get-zones |grep "nm-shared" >/dev/null]); then
+ NM_SHARED="'nm-shared', "
+ export NM_SHARED
+fi
DBUS_CHECK([config], [config.getZoneNames], [], 0, [dnl
- [(['block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', 'public', 'trusted', 'work'],)]
+ (@<:@'block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', m4_escape([${NM_SHARED}])'public', 'trusted', 'work'@:>@,)
])
DBUS_CHECK([config], [config.listZones], [], 0, [stdout])
NS_CHECK([sed -e ["s/['][,]/'\n/g"] ./stdout |dnl
diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at
index bb0798abe7da..b5799b9b1ca3 100644
--- a/src/tests/dbus/zone_runtime_functional.at
+++ b/src/tests/dbus/zone_runtime_functional.at
@@ -36,8 +36,12 @@ DBUS_CHECK([], [getDefaultZone], [], 0, [dnl
])
dnl Fetching Zones
+if NS_CMD([firewall-cmd --get-zones |grep "nm-shared" >/dev/null]); then
+ NM_SHARED="'nm-shared', "
+ export NM_SHARED
+fi
DBUS_CHECK([], [zone.getZones], [], 0, [dnl
- [(['block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'],)]
+ (@<:@'block', 'dmz', 'drop', 'external', 'home', 'internal', m4_escape([${NM_SHARED}])'public', 'trusted', 'work'@:>@,)
])
FWD_CHECK([-q --zone public --add-interface dummy0])
FWD_CHECK([-q --zone public --add-source 10.1.1.1])
--
2.27.0


@ -1,29 +0,0 @@
From 2a1a55209a95c5463e07cc3eb048d128ab7593ed Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 10 Aug 2020 09:29:05 -0400
Subject: [PATCH 48/62] test(regression/rhbz1541077): use FWD_OFFLINE_CHECK
macro
Fixes: 6e279ef6517a ("test(regression/rhbz1541077): correctly use macros")
Fixes: dddba7b9c276 ("fix(cli): add ipset type hash:mac is incompatible with the family parameter")
(cherry picked from commit fae16b550ed8b384ee24691e6442b7cbd6b776aa)
(cherry picked from commit 3efe0f30d4499763aacc573dc634b52ceb11a017)
---
src/tests/regression/rhbz1541077.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at
index 692ca8ecc892..73ad4b49cb3d 100644
--- a/src/tests/regression/rhbz1541077.at
+++ b/src/tests/regression/rhbz1541077.at
@@ -4,6 +4,6 @@ AT_KEYWORDS(ipset rhbz1541077)
FWD_CHECK([--permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
FWD_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
-AT_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+FWD_OFFLINE_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
FWD_END_TEST
--
2.28.0


@ -1,30 +0,0 @@
From 5326d7a86d6e7413dee343b795a352d8b4e6ab0d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 10 Aug 2020 09:33:22 -0400
Subject: [PATCH 49/62] test(regression/rhbz1855140.at): avoid IPv6 tests if
IPv6 not available
Fixes: 87ec14dddd74 ("test(rich): icmptypes with one family")
(cherry picked from commit a47819d346fbd0f4d4d382a6a795c76c7f443a3b)
(cherry picked from commit 1b4fea7277c26026ecbe09f79928c794489424b9)
---
src/tests/regression/rhbz1855140.at | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
index 8059e29fe71a..cea943e0bf24 100644
--- a/src/tests/regression/rhbz1855140.at
+++ b/src/tests/regression/rhbz1855140.at
@@ -2,7 +2,9 @@ FWD_START_TEST([rich rule icmptypes with one family])
AT_KEYWORDS(rich icmp rhbz1855140)
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
+IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
+])
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
--
2.28.0


@ -1,53 +0,0 @@
From 4d099f4c0866801e40e362090e6986c693386e2c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 27 Aug 2020 15:30:45 -0400
Subject: [PATCH 50/62] fix(icmptype): when applying rules get ict from perm
config
Otherwise we may get runtime errors because the running kernel doesn't
support the ict. Use the permanent ict definition so we allow the case
where ip6tables is missing or not available. Explicit usage of an ict
not supported by the kernel will still fail to apply at runtime
(iptables complains), but if ip6tables is missing we don't attempt to
apply the ipv6 rules thus avoiding the issue.
(cherry picked from commit fdc44800aef4ec166987d529ffaea51f13ff54c2)
(cherry picked from commit 0016ec8e4aefb6cf2a8986a91530eae25a28ead7)
---
src/firewall/core/fw_zone.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index b9fe1f6aae97..9d8bcf620251 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1526,7 +1526,7 @@ class FirewallZone(object):
if rule.family:
ipvs = [ rule.family ]
elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)):
- ict = self._fw.icmptype.get_icmptype(rule.element.name)
+ ict = self._fw.config.get_icmptype(rule.element.name)
if ict.destination:
ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination]
@@ -1698,7 +1698,7 @@ class FirewallZone(object):
# ICMP BLOCK and ICMP TYPE
elif type(rule.element) == Rich_IcmpBlock or \
type(rule.element) == Rich_IcmpType:
- ict = self._fw.icmptype.get_icmptype(rule.element.name)
+ ict = self._fw.config.get_icmptype(rule.element.name)
if type(rule.element) == Rich_IcmpBlock and \
rule.action and type(rule.action) == Rich_Accept:
@@ -1862,7 +1862,7 @@ class FirewallZone(object):
transaction.add_rules(backend, rules)
def _icmp_block(self, enable, zone, icmp, transaction):
- ict = self._fw.icmptype.get_icmptype(icmp)
+ ict = self._fw.config.get_icmptype(icmp)
if enable:
transaction.add_chain(zone, "filter", "INPUT")
--
2.28.0


@ -1,50 +0,0 @@
From 0b69b4e464f02ea6fec50522b587a93092040b4d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 27 Aug 2020 15:59:13 -0400
Subject: [PATCH 51/62] fix(rich): clamp the IP families to those actually
enabled
One scenario is if IPv6 is not available, but we specify an icmp-type
that is ipv6 only, then we'll still attempt to call the IPv6 backend. We
should not do that.
(cherry picked from commit 4fcb27bdcf8be30d91d490ba2c0286af1cf299de)
(cherry picked from commit b8b0aeaaf853546f6990e8f635d7ea79233bbc79)
---
src/firewall/core/fw_zone.py | 5 ++++-
src/tests/regression/rhbz1855140.at | 2 --
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 9d8bcf620251..bd026222dce5 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1542,7 +1542,10 @@ class FirewallZone(object):
ipvs = [ source_ipv ]
if not ipvs:
- ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
+ ipvs = ["ipv4", "ipv6"]
+
+ # clamp ipvs to those that are actually enabled.
+ ipvs = [ipv for ipv in ipvs if self._fw.is_ipv_enabled(ipv)]
# add an element to object to allow backends to know what ipvs this applies to
rule.ipvs = ipvs
diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
index cea943e0bf24..8059e29fe71a 100644
--- a/src/tests/regression/rhbz1855140.at
+++ b/src/tests/regression/rhbz1855140.at
@@ -2,9 +2,7 @@ FWD_START_TEST([rich rule icmptypes with one family])
AT_KEYWORDS(rich icmp rhbz1855140)
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
-IF_HOST_SUPPORTS_IPV6_RULES([
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
-])
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
FWD_RELOAD
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
--
2.28.0


@ -1,62 +0,0 @@
From 5c18dbc41a2f59364fb495ef164dcc3c9147e408 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 28 Aug 2020 11:44:33 -0400
Subject: [PATCH 52/62] fix(rich icmptype): verify rule and icmptype families
don't conflict
Fixes: rhbz 1855140
(cherry picked from commit 11aac7755d9c8e338f72b5350329255937efd8e8)
(cherry picked from commit b49a88095b05bcf1bce36e989d7003948f1ee6f7)
---
src/firewall/core/fw_zone.py | 6 ++++++
src/firewall/core/io/zone.py | 17 ++++++++++++++++-
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index bd026222dce5..129306b6f969 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1703,6 +1703,12 @@ class FirewallZone(object):
type(rule.element) == Rich_IcmpType:
ict = self._fw.config.get_icmptype(rule.element.name)
+ if rule.family and ict.destination and \
+ rule.family not in ict.destination:
+ raise FirewallError(errors.INVALID_ICMPTYPE,
+ "rich rule family '%s' conflicts with icmp type '%s'" % \
+ (rule.family, rule.element.name))
+
if type(rule.element) == Rich_IcmpBlock and \
rule.action and type(rule.action) == Rich_Accept:
# icmp block might have reject or drop action, but not accept
diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
index 68b2a7c9567c..529b92c25b62 100644
--- a/src/firewall/core/io/zone.py
+++ b/src/firewall/core/io/zone.py
@@ -232,7 +232,22 @@ class Zone(IO_Object):
raise FirewallError(errors.INVALID_ADDR, source)
elif item == "rules_str":
for rule in config:
- rich.Rich_Rule(rule_str=rule)
+ obj_rich = rich.Rich_Rule(rule_str=rule)
+ if self.fw_config and obj_rich.element and (isinstance(obj_rich.element, rich.Rich_IcmpBlock) or
+ isinstance(obj_rich.element, rich.Rich_IcmpType)):
+ existing_icmptypes = self.fw_config.get_icmptypes()
+ if obj_rich.element.name not in existing_icmptypes:
+ raise FirewallError(errors.INVALID_ICMPTYPE,
+ "'%s' not among existing icmp types" % \
+ obj_rich.element.name)
+
+ elif obj_rich.family:
+ ict = self.fw_config.get_icmptype(obj_rich.element.name)
+ if ict.destination and obj_rich.family not in ict.destination:
+ raise FirewallError(errors.INVALID_ICMPTYPE,
+ "rich rule family '%s' conflicts with icmp type '%s'" % \
+ (obj_rich.family, obj_rich.element.name))
+
def check_name(self, name):
super(Zone, self).check_name(name)
--
2.28.0


@ -1,48 +0,0 @@
From 08cb6f0c7abca95fa898020bb9f3ba3f4bfbf148 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 28 Aug 2020 13:15:34 -0400
Subject: [PATCH 53/62] fix(nftables): packet marks with masks
(cherry picked from commit e296b926ae5dc4cbc277b6dd755d045e73ed4411)
(cherry picked from commit 371efe757f2bde20b4301a78ed3c48ec1d31bf5e)
---
src/firewall/core/fw_zone.py | 2 ++
src/firewall/core/nftables.py | 9 +++++++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 129306b6f969..6eaed4232405 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1719,6 +1719,8 @@ class FirewallZone(object):
if enable:
transaction.add_chain(zone, table, "INPUT")
transaction.add_chain(zone, table, "FORWARD_IN")
+ if enable and type(rule.action) == Rich_Mark:
+ transaction.add_chain(zone, "mangle", "PREROUTING")
rules = backend.build_zone_icmp_block_rules(enable, zone, ict, rule)
transaction.add_rules(backend, rules)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 0198200b2372..76668a60468f 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1043,8 +1043,13 @@ class nftables(object):
zone=zone)
table = "mangle"
chain = "%s_%s_%s" % (table, target, chain_suffix)
- rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
- "value": rich_rule.action.set}}
+ value = rich_rule.action.set.split("/")
+ if len(value) > 1:
+ rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
+ "value": {"^": [{"&": [{"meta": {"key": "mark"}}, value[1]]}, value[0]]}}}
+ else:
+ rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
+ "value": value[0]}}
else:
raise FirewallError(INVALID_RULE,
"Unknown action %s" % type(rich_rule.action))
--
2.28.0


@ -1,27 +0,0 @@
From 603ca9c2dd16f212a8b2fb43a9e9599fe3dd3abf Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 28 Aug 2020 14:22:18 -0400
Subject: [PATCH 54/62] fix(nftables): icmp types with code == 0
(cherry picked from commit 098e35168d6a15516cc76189a70df8db56bd1b13)
(cherry picked from commit 8dcfaa607329cd4c2bdaa3b101371a30a04ef858)
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 76668a60468f..daa7ace085a2 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -82,7 +82,7 @@ def _icmp_types_fragments(protocol, type, code=None):
fragments = [{"match": {"left": {"payload": {"protocol": protocol, "field": "type"}},
"op": "==",
"right": type}}]
- if code:
+ if code is not None:
fragments.append({"match": {"left": {"payload": {"protocol": protocol, "field": "code"}},
"op": "==",
"right": code}})
--
2.28.0


@ -1,35 +0,0 @@
From d4f35b11f2edb1cf680ed2081a14b599ef3f3b63 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 31 Aug 2020 15:38:34 -0400
Subject: [PATCH 55/62] fix(ipXtables): rich: avoid duplicate rules for
icmp-type w/ mark action
This is a stable only fix. It does not occur on master.
(cherry picked from commit 9b7ba2fcedace408aae498fea1c973a988370808)
---
src/firewall/core/ipXtables.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index b1d6c202fda7..c4535f2e5818 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -1240,8 +1240,13 @@ class ip4tables(object):
proto = [ "-p", "ipv6-icmp" ]
match = [ "-m", "icmp6", "--icmpv6-type", ict.name ]
+ if rich_rule and rich_rule.action and isinstance(rich_rule.action, Rich_Mark):
+ chains = ["PREROUTING"]
+ else:
+ chains = ["INPUT", "FORWARD_IN"]
+
rules = []
- for chain in ["INPUT", "FORWARD_IN"]:
+ for chain in chains:
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
zone=zone)
if self._fw.zone.query_icmp_block_inversion(zone):
--
2.28.0


@ -1,66 +0,0 @@
From 08cc79942e820d9ce86c5c0bd0249ec4335955ce Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 28 Aug 2020 10:48:35 -0400
Subject: [PATCH 56/62] test(regression/rhbz1855140): add negative tests
(cherry picked from commit b50032185422f5538a8a6211cfa43cfaa2d67ec4)
(cherry picked from commit 264375df35124b5920b9d3e690944aaad1e4790c)
---
src/tests/regression/rhbz1855140.at | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
index 8059e29fe71a..fbb33a419c56 100644
--- a/src/tests/regression/rhbz1855140.at
+++ b/src/tests/regression/rhbz1855140.at
@@ -4,7 +4,15 @@ AT_KEYWORDS(rich icmp rhbz1855140)
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
+FWD_CHECK([--permanent --zone public --add-rich-rule 'rule icmp-type name=bad-header mark set=0x86/0x86'], 0, ignore)
FWD_RELOAD
+NFT_LIST_RULES([inet], [mangle_PRE_public_allow], 0, [dnl
+ table inet firewalld {
+ chain mangle_PRE_public_allow {
+ icmpv6 type parameter-problem icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
+ }
+ }
+])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
table inet firewalld {
chain filter_IN_public_allow {
@@ -18,12 +26,17 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
}
}
])
+IPTABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
+])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
])
+IP6TABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
+ MARK icmpv6 ::/0 ::/0 ipv6-icmptype 4 code 0 MARK or 0x86
+])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@@ -32,4 +45,12 @@ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136
])
-FWD_END_TEST
+dnl verify bad icmptypes are rejected
+FWD_CHECK([--permanent --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore])
+FWD_CHECK([ --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore])
+FWD_CHECK([--permanent --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore])
+IF_HOST_SUPPORTS_IPV6_RULES([
+FWD_CHECK([ --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore])
+])
+
+FWD_END_TEST([-e '/ERROR: INVALID_ICMPTYPE:/d'])
--
2.28.0


@ -1,80 +0,0 @@
From 0f94133731fa497b04744fa4a37cfa5fd5e45fab Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 26 Aug 2020 11:38:36 -0400
Subject: [PATCH 57/62] fix(policy): cache rule_str for rich rules
There are various areas that we use list comprehensions to convert
Rich_Rule to rule_str. This isn't cheap. Let's just cache the rule_str
and avoid the cost.
Fixes: rhbz 1871298
(cherry picked from commit 5402724221a3dddc9c139663d28ababed4057cc6)
(cherry picked from commit 763b07972fd80e7b2f28b29efe812b92f6dff1d1)
---
src/firewall/core/io/zone.py | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
index 529b92c25b62..ec81762be100 100644
--- a/src/firewall/core/io/zone.py
+++ b/src/firewall/core/io/zone.py
@@ -120,6 +120,7 @@ class Zone(IO_Object):
self.sources = [ ]
self.fw_config = None # to be able to check services and a icmp_blocks
self.rules = [ ]
+ self.rules_str = [ ]
self.icmp_block_inversion = False
self.combined = False
self.applied = False
@@ -141,6 +142,7 @@ class Zone(IO_Object):
del self.sources[:]
self.fw_config = None # to be able to check services and a icmp_blocks
del self.rules[:]
+ del self.rules_str[:]
self.icmp_block_inversion = False
self.combined = False
self.applied = False
@@ -163,17 +165,13 @@ class Zone(IO_Object):
self.interfaces = [u2b_if_py2(i) for i in self.interfaces]
self.sources = [u2b_if_py2(s) for s in self.sources]
self.rules = [u2b_if_py2(s) for s in self.rules]
-
- def __getattr__(self, name):
- if name == "rules_str":
- rules_str = [str(rule) for rule in self.rules]
- return rules_str
- else:
- return getattr(super(Zone, self), name)
+ self.rules_str = [u2b_if_py2(s) for s in self.rules_str]
def __setattr__(self, name, value):
if name == "rules_str":
self.rules = [rich.Rich_Rule(rule_str=s) for s in value]
+ # must convert back to string to get the canonical string.
+ super(Zone, self).__setattr__(name, [str(s) for s in self.rules])
else:
super(Zone, self).__setattr__(name, value)
@@ -307,6 +305,7 @@ class Zone(IO_Object):
self.source_ports.append(port)
for rule in zone.rules:
self.rules.append(rule)
+ self.rules_str.append(str(rule))
if zone.icmp_block_inversion:
self.icmp_block_inversion = True
@@ -687,9 +686,9 @@ class zone_ContentHandler(IO_Object_ContentHandler):
except Exception as e:
log.warning("%s: %s", e, str(self._rule))
else:
- if str(self._rule) not in \
- [ str(x) for x in self.item.rules ]:
+ if str(self._rule) not in self.item.rules_str:
self.item.rules.append(self._rule)
+ self.item.rules_str.append(str(self._rule))
else:
log.warning("Rule '%s' already set, ignoring.",
str(self._rule))
--
2.28.0


@ -1,55 +0,0 @@
From ed42b8048e97040802da727f77cad4a1bb5ff42b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 26 Aug 2020 14:28:45 -0400
Subject: [PATCH 58/62] test(zone): rich rule parsing bottleneck
Coverage for rhbz 1871298.
Verify we can parse a large amount of rich rules in a reasonable time.
This test took 3m before the fix and now takes 18s after the fix.
Considering it "failed" after 45s should give us plenty of headroom.
(cherry picked from commit ece30971412eedb9032b0d87233ca21ef9154830)
(cherry picked from commit b21f071851ffec6d3a382b6e60eb88dcda7df467)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1871298.at | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
create mode 100644 src/tests/regression/rhbz1871298.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index d7b4d56239d1..65540840f50e 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -34,3 +34,4 @@ m4_include([regression/rhbz1689429.at])
m4_include([regression/rhbz1483921.at])
m4_include([regression/rhbz1541077.at])
m4_include([regression/rhbz1855140.at])
+m4_include([regression/rhbz1871298.at])
diff --git a/src/tests/regression/rhbz1871298.at b/src/tests/regression/rhbz1871298.at
new file mode 100644
index 000000000000..0689399d85ec
--- /dev/null
+++ b/src/tests/regression/rhbz1871298.at
@@ -0,0 +1,18 @@
+FWD_START_TEST([rich rule parsing bottleneck])
+AT_KEYWORDS(rich offline rhbz1871298)
+
+AT_SKIP_IF([! NS_CMD([which timeout >/dev/null 2>&1])])
+
+NS_CHECK([mkdir -p ./zones])
+NS_CHECK([echo '<?xml version="1.0" encoding="utf-8"?>' > ./zones/foobar.xml])
+NS_CHECK([echo "<zone>" >> ./zones/foobar.xml])
+NS_CHECK([echo "<short>foobar</short>" >> ./zones/foobar.xml])
+NS_CHECK([sh -c 'for I in $(seq 10000); do echo "<rule family=\"ipv4\"><port protocol=\"tcp\" port=\"$I\" /><accept/></rule>" >> ./zones/foobar.xml; done'])
+NS_CHECK([echo "</zone>" >> ./zones/foobar.xml])
+
+if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
+ FIREWALL_OFFLINE_CMD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}"
+fi
+NS_CHECK([timeout 45 firewall-offline-cmd --system-config ./ $FIREWALL_OFFLINE_CMD_ARGS --check-config], 0, [ignore])
+
+FWD_END_TEST
--
2.28.0


@ -1,158 +0,0 @@
From 244d1bfe190f2cc32c10d0fecaf81536761ecc09 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 1 Sep 2020 13:16:23 -0400
Subject: [PATCH 59/62] fix(icmptype): nftables: runtimeToPermanent if
ip6tables not available
We were not filling the runtime ipv6 icmptypes list if the active
backend was nftables and ip6tables wasn't available. This caused "ipv6"
to be dropped from the supported ipvs/destinations for the icmptype.
This also caused runtimeToPermanent to fail because the runtime
icmptypes definition dropped "ipv6" causing runtimeToPermanent to copy
the runtime icmptype to permanent because they were different... this
caused sanity checks on the permanent configuration to fail.
(cherry picked from commit c92d43dcdf5622e82e28454652acd6a981b015f9)
(cherry picked from commit 6f23f727be818f356625e39682fb226a81925647)
---
src/firewall/core/fw.py | 24 ++++++++++++++----------
src/firewall/core/fw_icmptype.py | 8 ++++----
src/firewall/core/ipXtables.py | 2 +-
src/firewall/core/nftables.py | 6 +++---
src/firewall/server/firewalld.py | 4 ++--
5 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index c767f416f3d2..1df916efb10f 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -76,10 +76,10 @@ class Firewall(object):
else:
self.ip4tables_backend = ipXtables.ip4tables(self)
self.ip4tables_enabled = True
- self.ip4tables_supported_icmp_types = [ ]
+ self.ipv4_supported_icmp_types = [ ]
self.ip6tables_backend = ipXtables.ip6tables(self)
self.ip6tables_enabled = True
- self.ip6tables_supported_icmp_types = [ ]
+ self.ipv6_supported_icmp_types = [ ]
self.ebtables_backend = ebtables.ebtables()
self.ebtables_enabled = True
self.ipset_backend = ipset.ipset()
@@ -172,11 +172,13 @@ class Firewall(object):
log.warning("iptables-restore and iptables are missing, "
"disabling IPv4 firewall.")
self.ip4tables_enabled = False
- if self.ip4tables_enabled:
- self.ip4tables_supported_icmp_types = \
- self.ip4tables_backend.supported_icmp_types()
+ if self.nftables_enabled:
+ self.ipv4_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv4")
else:
- self.ip4tables_supported_icmp_types = [ ]
+ if self.ip4tables_enabled:
+ self.ipv4_supported_icmp_types = self.ip4tables_backend.supported_icmp_types()
+ else:
+ self.ipv4_supported_icmp_types = [ ]
self.ip6tables_backend.fill_exists()
if not self.ip6tables_backend.restore_command_exists:
if self.ip6tables_backend.command_exists:
@@ -186,11 +188,13 @@ class Firewall(object):
log.warning("ip6tables-restore and ip6tables are missing, "
"disabling IPv6 firewall.")
self.ip6tables_enabled = False
- if self.ip6tables_enabled:
- self.ip6tables_supported_icmp_types = \
- self.ip6tables_backend.supported_icmp_types()
+ if self.nftables_enabled:
+ self.ipv6_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv6")
else:
- self.ip6tables_supported_icmp_types = [ ]
+ if self.ip6tables_enabled:
+ self.ipv6_supported_icmp_types = self.ip6tables_backend.supported_icmp_types()
+ else:
+ self.ipv6_supported_icmp_types = [ ]
self.ebtables_backend.fill_exists()
if not self.ebtables_backend.restore_command_exists:
if self.ebtables_backend.command_exists:
diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py
index afe9f91d6bf6..a565bb6d8733 100644
--- a/src/firewall/core/fw_icmptype.py
+++ b/src/firewall/core/fw_icmptype.py
@@ -57,13 +57,13 @@ class FirewallIcmpType(object):
ipvs = orig_ipvs[:]
for ipv in orig_ipvs:
if ipv == "ipv4":
- if not self._fw.ip4tables_enabled:
+ if not self._fw.ip4tables_enabled and not self._fw.nftables_enabled:
continue
- supported_icmps = self._fw.ip4tables_supported_icmp_types
+ supported_icmps = self._fw.ipv4_supported_icmp_types
elif ipv == "ipv6":
- if not self._fw.ip6tables_enabled:
+ if not self._fw.ip6tables_enabled and not self._fw.nftables_enabled:
continue
- supported_icmps = self._fw.ip6tables_supported_icmp_types
+ supported_icmps = self._fw.ipv6_supported_icmp_types
else:
supported_icmps = [ ]
if obj.name.lower() not in supported_icmps:
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index c4535f2e5818..450e427c08b5 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -612,7 +612,7 @@ class ip4tables(object):
rules.append(["-t", table, "-P", chain, _policy])
return rules
- def supported_icmp_types(self):
+ def supported_icmp_types(self, ipv=None):
"""Return ICMP types that are supported by the iptables/ip6tables command and kernel"""
ret = [ ]
output = ""
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index daa7ace085a2..0a73c2c2669d 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -480,13 +480,13 @@ class nftables(object):
return rules
- def supported_icmp_types(self):
+ def supported_icmp_types(self, ipv=None):
# nftables supports any icmp_type via arbitrary type/code matching.
# We just need a translation for it in ICMP_TYPES_FRAGMENTS.
supported = set()
- for ipv in ICMP_TYPES_FRAGMENTS.keys():
- supported.update(ICMP_TYPES_FRAGMENTS[ipv].keys())
+ for _ipv in [ipv] if ipv else ICMP_TYPES_FRAGMENTS.keys():
+ supported.update(ICMP_TYPES_FRAGMENTS[_ipv].keys())
return list(supported)
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
index 10b085d48660..949f577053cc 100644
--- a/src/firewall/server/firewalld.py
+++ b/src/firewall/server/firewalld.py
@@ -162,7 +162,7 @@ class FirewallD(slip.dbus.service.Object):
return dbus.Boolean(self.fw.ip4tables_enabled)
elif prop == "IPv4ICMPTypes":
- return dbus.Array(self.fw.ip4tables_supported_icmp_types, "s")
+ return dbus.Array(self.fw.ipv4_supported_icmp_types, "s")
elif prop == "IPv6":
return dbus.Boolean(self.fw.ip6tables_enabled)
@@ -171,7 +171,7 @@ class FirewallD(slip.dbus.service.Object):
return dbus.Boolean(self.fw.ipv6_rpfilter_enabled)
elif prop == "IPv6ICMPTypes":
- return dbus.Array(self.fw.ip6tables_supported_icmp_types, "s")
+ return dbus.Array(self.fw.ipv6_supported_icmp_types, "s")
elif prop == "BRIDGE":
return dbus.Boolean(self.fw.ebtables_enabled)
--
2.28.0


@ -1,29 +0,0 @@
From 8a520d8343ab1567f0f3df39e4fc45dbaf9c6f77 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 24 Sep 2020 15:24:41 -0400
Subject: [PATCH 60/62] docs(firewall-cmd): clarify lockdown whitelist command
paths
Reported-by: D. Hugh Redelmeier <hugh@mimosa.com>
(cherry picked from commit a7b12b8eb87dd3bd2bb342cf5d74bf089cf3b9a6)
(cherry picked from commit 7e9b1a02cc7aa12f9c499b2acad584dbabf9a518)
---
doc/xml/firewall-cmd.xml.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
index 8bc389acae6c..702c549ab9d9 100644
--- a/doc/xml/firewall-cmd.xml.in
+++ b/doc/xml/firewall-cmd.xml.in
@@ -2104,7 +2104,7 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match.
</para>
<para>
- Commands for user root and others is not always the same. Example: As root <command>/bin/firewall-cmd</command> is used, as a normal user <command>/usr/bin/firewall-cmd</command> is be used on Fedora.
+ Command paths for users are not always the same and depends on the users PATH. Some distributions symlink <command>/bin</command> to <command>/usr/bin</command> in which case it depends on the order they appear in the PATH environment variable.
</para>
<para>
The context is the security (SELinux) context of a running application or service. To get the context of a running application use <command>ps -e --context</command>.
--
2.28.0


@ -1,39 +0,0 @@
From b82e2cf588916624c5f45c10e7c929f24ff84e9a Mon Sep 17 00:00:00 2001
From: Donald Yandt <10255876+TorontoMedia@users.noreply.github.com>
Date: Sun, 27 Sep 2020 20:19:35 -0400
Subject: [PATCH 61/62] docs(dbus): fix invalid method names
Replace invalid method names for both 'queryEntry' and 'queryIPSet'.
Fixes: #693
(cherry picked from commit 6fc82d2d34b436a1f1921b36930169c965f3ff4b)
(cherry picked from commit 24fb2b2424107cd88e331b8f8edae0dc1671c504)
---
doc/xml/firewalld.dbus.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 1625b9d50576..3bf4f53b108d 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -579,7 +579,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.ipset.Methods.queryEntry">
- <term><methodname>queryService</methodname>(s: ipset, s: entry) &rarr; b</term>
+ <term><methodname>queryEntry</methodname>(s: ipset, s: entry) &rarr; b</term>
<listitem>
<para>
Return whether <replaceable>entry</replaceable> has been added to <replaceable>ipset</replaceable>.
@@ -591,7 +591,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.ipset.Methods.queryIPSet">
- <term><methodname>queryService</methodname>(s: ipset) &rarr; b</term>
+ <term><methodname>queryIPSet</methodname>(s: ipset) &rarr; b</term>
<listitem>
<para>
Return whether <replaceable>ipset</replaceable> is defined in runtime configuration.
--
2.28.0


@ -1,27 +0,0 @@
From cd158a2880734c5da329e9a5c9c075ba5bceced6 Mon Sep 17 00:00:00 2001
From: diegoe <diegoe@gnome.org>
Date: Wed, 21 Oct 2020 21:19:52 -0500
Subject: [PATCH 62/62] docs(firewall-cmd): small description grammar fix
(cherry picked from commit 9ae97bb2b65fbafa0ed5c0bfd9ebd5945bc6bea9)
(cherry picked from commit 9b4664fca4d3551dbb758a53b212a5aab043ccd9)
---
doc/xml/firewall-cmd.xml.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
index 702c549ab9d9..1789f513d8ee 100644
--- a/doc/xml/firewall-cmd.xml.in
+++ b/doc/xml/firewall-cmd.xml.in
@@ -56,7 +56,7 @@
<title>Description</title>
<para>
- firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration.
+ firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configurations.
</para>
<para>
--
2.28.0


@ -1,107 +0,0 @@
From dbce20e28a898c394274109904d471d84cfa7fea Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Fri, 13 Nov 2020 10:40:51 -0500
Subject: [PATCH 65/66] fix(rich): non-printable characters removed from rich
rules
Fixes: rhbz 1596304
Fixes: #480
(cherry picked from commit ac5960856991a00ddf7a558e31fd3248c8279a1f)
(cherry picked from commit a55416ea5f79f1a7cb1a97b6ee39524a542a8663)
---
src/firewall/core/rich.py | 2 ++
src/firewall/functions.py | 9 ++++++++-
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1596304.at | 23 +++++++++++++++++++++++
4 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 src/tests/regression/rhbz1596304.at
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index 86c0c998a478..03bc194c2b28 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -307,6 +307,8 @@ class Rich_Rule(object):
if not rule_str:
raise FirewallError(errors.INVALID_RULE, 'empty rule')
+ rule_str = functions.stripNonPrintableCharacters(rule_str)
+
self.priority = 0
self.family = None
self.source = None
diff --git a/src/firewall/functions.py b/src/firewall/functions.py
index 6af220619f17..d20b702e047e 100644
--- a/src/firewall/functions.py
+++ b/src/firewall/functions.py
@@ -27,7 +27,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName",
"check_single_address", "check_mac", "uniqify", "ppid_of_pid",
"max_zone_name_len", "checkUser", "checkUid", "checkCommand",
"checkContext", "joinArgs", "splitArgs",
- "b2u", "u2b", "u2b_if_py2" ]
+ "b2u", "u2b", "u2b_if_py2", "stripNonPrintableCharacters"]
import socket
import os
@@ -42,6 +42,10 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
PY2 = sys.version < '3'
+NOPRINT_TRANS_TABLE = {
+ i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
+}
+
def getPortID(port):
""" Check and Get port id from port string or port id using socket.getservbyname
@@ -226,6 +230,9 @@ def checkIPnMask(ip):
return False
return True
+def stripNonPrintableCharacters(rule_str):
+ return rule_str.translate(NOPRINT_TRANS_TABLE)
+
def checkIP6nMask(ip):
if "/" in ip:
addr = ip[:ip.index("/")]
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 65540840f50e..c1e8620ee700 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -35,3 +35,4 @@ m4_include([regression/rhbz1483921.at])
m4_include([regression/rhbz1541077.at])
m4_include([regression/rhbz1855140.at])
m4_include([regression/rhbz1871298.at])
+m4_include([regression/rhbz1596304.at])
diff --git a/src/tests/regression/rhbz1596304.at b/src/tests/regression/rhbz1596304.at
new file mode 100644
index 000000000000..98a33934e271
--- /dev/null
+++ b/src/tests/regression/rhbz1596304.at
@@ -0,0 +1,23 @@
+FWD_START_TEST([rich rules strip non-printable characters])
+AT_KEYWORDS(rich rhbz1596304)
+
+dnl source address contains a tab character
+FWD_CHECK([--permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="104.243.250.0/22 " port port=80 protocol=tcp accept'],0,ignore)
+FWD_RELOAD
+FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ public
+ target: default
+ icmp-block-inversion: no
+ interfaces:
+ sources:
+ services: cockpit dhcpv6-client ssh
+ ports:
+ protocols:
+ masquerade: no
+ forward-ports:
+ source-ports:
+ icmp-blocks:
+ rich rules:
+ rule family="ipv4" source address="104.243.250.0/22" port port="80" protocol="tcp" accept
+ ])])
+FWD_END_TEST
--
2.28.0


@ -1,38 +0,0 @@
From ff6e65737413d54b6f6964f72827a92fdbecc182 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 8 Jan 2021 13:38:15 -0500
Subject: [PATCH 68/68] fix(rich): limit table to strip non-printables to C0
and C1
Generating the table was taking an unreasonable amount of memory.
Stripping C0 and C1 should cover most scenarios while limiting memory
usage.
Fixes: ac5960856991 ("fix(rich): non-printable characters removed from rich rules")
(cherry picked from commit 015704b44f81d535a868fe28368f977cefd28638)
(cherry picked from commit 629a53ef027146f8e4e486c40c8bde04cda830d3)
---
src/firewall/functions.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/firewall/functions.py b/src/firewall/functions.py
index d20b702e047e..1ea9f4309234 100644
--- a/src/firewall/functions.py
+++ b/src/firewall/functions.py
@@ -43,7 +43,12 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
PY2 = sys.version < '3'
NOPRINT_TRANS_TABLE = {
- i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
+ # Limit to C0 and C1 code points. Building entries for all unicode code
+ # points requires too much memory.
+ # C0 = [0, 31]
+ # C1 = [127, 159]
+ #
+ i: None for i in range(0, 160) if not (i > 31 and i < 127)
}
def getPortID(port):
--
2.27.0


@ -1,93 +0,0 @@
From 2871abfceceba37c6ba38aa0ef25e23a059294ec Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Wed, 18 Nov 2020 13:14:44 -0500
Subject: [PATCH 67/68] fix(zone): add source with mac address
nftables supports matching the destination MAC, but iptables does not.
As such, lift the restriction from nftables. For iptables, gracefully
ignore the scenarios in which we attempt to match destination MAC.
Fixes: #703
Fixes: df4aefcbe7b7 ("improvement(ipXtables): add utility function match sources")
Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface")
Co-authored-by: Eric Garver <eric@garver.life>
(cherry picked from commit 20151fbb5c5104e3d4dbc4ea938b9a68bdbcf225)
(cherry picked from commit 79bb113a2a108ce1c69dc7bc7af60297b8ec2ad0)
---
src/firewall/core/ipXtables.py | 4 ++++
src/firewall/core/nftables.py | 2 --
src/tests/regression/gh703.at | 23 +++++++++++++++++++++++
src/tests/regression/regression.at | 1 +
4 files changed, 28 insertions(+), 2 deletions(-)
create mode 100644 src/tests/regression/gh703.at
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 450e427c08b5..b28146edd060 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -814,6 +814,10 @@ class ip4tables(object):
else:
zone_dispatch_chain = "%s_ZONES" % (chain)
+ # iptables can not match destination MAC
+ if check_mac(address) and chain in ["POSTROUTING", "FORWARD_OUT", "OUTPUT"]:
+ return []
+
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
action = "-g"
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 0a73c2c2669d..a0a899dd3eef 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1067,8 +1067,6 @@ class nftables(object):
return self._set_match_fragment(address[len("ipset:"):], True if "daddr" == addr_field else False, invert)
else:
if check_mac(address):
- if addr_field == "daddr":
- raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__))
family = "ether"
elif check_single_address("ipv4", address):
family = "ip"
diff --git a/src/tests/regression/gh703.at b/src/tests/regression/gh703.at
new file mode 100644
index 000000000000..af724a7713a7
--- /dev/null
+++ b/src/tests/regression/gh703.at
@@ -0,0 +1,23 @@
+FWD_START_TEST([add source with mac address])
+AT_KEYWORDS(gh703)
+
+FWD_CHECK([--zone=home --add-source=34:7e:5c:3a:4c:32], 0, [ignore])
+
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
+ }
+ }
+])
+
+dnl NOTE: iptables does _not_ support matching mac destination.
+
+FWD_END_TEST
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index c1e8620ee700..7597a458076c 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -36,3 +36,4 @@ m4_include([regression/rhbz1541077.at])
m4_include([regression/rhbz1855140.at])
m4_include([regression/rhbz1871298.at])
m4_include([regression/rhbz1596304.at])
+m4_include([regression/gh703.at])
--
2.27.0


@ -1,52 +0,0 @@
From 4aa1e421dae3ece1de075ef538f709d6388f8811 Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Wed, 10 Jun 2020 16:14:43 -0400
Subject: [PATCH 63/64] feat(service): add collectd service Fixes: rhbz 1837368
(cherry picked from commit 8b974e75d9100b17568a55c4962dfe09d34f03dc)
---
config/Makefile.am | 1 +
config/services/collectd.xml | 6 ++++++
po/POTFILES.in | 1 +
3 files changed, 8 insertions(+)
create mode 100644 config/services/collectd.xml
diff --git a/config/Makefile.am b/config/Makefile.am
index 702592e6a685..5f44678841f3 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -134,6 +134,7 @@ CONFIG_FILES = \
services/ceph.xml \
services/cfengine.xml \
services/cockpit.xml \
+ services/collectd.xml \
services/condor-collector.xml \
services/ctdb.xml \
services/dhcpv6-client.xml \
diff --git a/config/services/collectd.xml b/config/services/collectd.xml
new file mode 100644
index 000000000000..fb2483e0e716
--- /dev/null
+++ b/config/services/collectd.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>Collectd</short>
+ <description>Collectd is a monitoring system that allows metrics to be sent over the network. This rule allows incoming collectd traffic from remote boxes.</description>
+ <port protocol="udp" port="25826"/>
+</service>
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 918f6f0986ae..92323b03fc17 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -67,6 +67,7 @@ config/services/ceph.xml
config/services/cfengine.xml
config/services/cockpit.xml
config/services/condor-collector.xml
+config/services/collectd.xml
config/services/ctdb.xml
config/services/dhcpv6-client.xml
config/services/dhcpv6.xml
--
2.28.0


@ -1,54 +0,0 @@
From 7edc99c9aca9c1416a05c117ab65598dc3095c35 Mon Sep 17 00:00:00 2001
From: Kenneth D'souza <kdsouza@redhat.com>
Date: Tue, 16 Jun 2020 01:14:52 +0530
Subject: [PATCH 64/64] feat(service): Add rpc-rquotad.service
Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
(cherry picked from commit 35e58d6fca6fbf44c34629dc058f3f1f727e7783)
---
config/Makefile.am | 1 +
config/services/rquotad.xml | 7 +++++++
po/POTFILES.in | 1 +
3 files changed, 9 insertions(+)
create mode 100644 config/services/rquotad.xml
diff --git a/config/Makefile.am b/config/Makefile.am
index 5f44678841f3..178c2358b117 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -233,6 +233,7 @@ CONFIG_FILES = \
services/redis.xml \
services/RH-Satellite-6.xml \
services/rpc-bind.xml \
+ services/rquotad.xml \
services/rsh.xml \
services/rsyncd.xml \
services/rtsp.xml \
diff --git a/config/services/rquotad.xml b/config/services/rquotad.xml
new file mode 100644
index 000000000000..adcd233ebd4d
--- /dev/null
+++ b/config/services/rquotad.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>rquotad</short>
+ <description>Remote Quota Server Daemon</description>
+ <port protocol="tcp" port="875"/>
+ <port protocol="udp" port="875"/>
+</service>
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 92323b03fc17..8552b8eca4ab 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -166,6 +166,7 @@ config/services/redis-sentinel.xml
config/services/redis.xml
config/services/RH-Satellite-6.xml
config/services/rpc-bind.xml
+config/services/rquotad.xml
config/services/rsh.xml
config/services/rsyncd.xml
config/services/rtsp.xml
--
2.28.0
