import firewalld-0.8.2-2.el8

This commit is contained in:
CentOS Sources 2020-11-03 06:44:30 -05:00 committed by Andrew Lukoshko
parent dd14143383
commit af587a4f77
88 changed files with 3783 additions and 8482 deletions


@ -1 +1 @@
e558ccbfd8a0e08d9339cf1506d8856d3533ed82 SOURCES/firewalld-0.8.0.tar.gz
785c4062248b95a85ddc023eba075b66109e254b SOURCES/firewalld-0.8.2.tar.gz

.gitignore vendored

@ -1 +1 @@
SOURCES/firewalld-0.8.0.tar.gz
SOURCES/firewalld-0.8.2.tar.gz


@ -1,7 +1,7 @@
From aaba32dd922c84662521754952e5a50198dd8625 Mon Sep 17 00:00:00 2001
From 52d53cc4ab0503ad484330b2121f85094a7903de Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Mon, 9 Jul 2018 11:29:33 -0400
Subject: [PATCH] Add cockpit by default to some zones
Subject: [PATCH 1/6] RHEL only: Add cockpit by default to some zones
Fixes: #1581578
---
@ -9,9 +9,9 @@ Fixes: #1581578
config/zones/internal.xml | 1 +
config/zones/public.xml | 1 +
config/zones/work.xml | 1 +
src/tests/cli/firewall-cmd.at | 14 +++++++++++++-
src/tests/features/helpers_custom.at | 9 +++++++++
src/tests/features/service_include.at | 2 +-
src/tests/firewall-cmd.at | 14 +++++++++++++-
src/tests/regression/gh366.at | 3 +++
src/tests/regression/gh453.at | 2 ++
src/tests/regression/rhbz1514043.at | 2 +-
@ -57,100 +57,11 @@ index 6ea5550a40bd..9609ee6f65c2 100644
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
</zone>
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index c65f067a06ec..263185c88724 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -17,6 +17,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -27,6 +28,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -35,6 +37,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -51,6 +54,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -61,6 +65,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -69,6 +74,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -86,6 +92,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
@@ -99,6 +106,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
@@ -109,6 +117,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
index 219d5b42767b..0bf59f63b81b 100644
--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
@@ -117,7 +117,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl
])
FWD_CHECK([--zone=public --list-services], 0, [dnl
-dhcpv6-client ssh
+cockpit dhcpv6-client ssh
])
FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist])
FWD_RELOAD
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index 0e0d3938da0a..540bdb8b1065 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -1144,6 +1144,7 @@ FWD_START_TEST([rich rules priority])
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 806af74221b6..74f480f8730f 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -1285,6 +1285,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -158,7 +69,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
tcp dport 1122 ct state new,untracked accept
tcp dport 3333 ct state new,untracked accept
tcp dport 4444 ct state new,untracked accept
@@ -1159,6 +1160,7 @@ FWD_START_TEST([rich rules priority])
@@ -1300,6 +1301,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -166,7 +77,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 ctstate NEW,UNTRACKED
@@ -1173,6 +1175,7 @@ FWD_START_TEST([rich rules priority])
@@ -1314,6 +1316,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -174,7 +85,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
ACCEPT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:3333 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:4444 ctstate NEW,UNTRACKED
@@ -1254,6 +1257,7 @@ FWD_START_TEST([rich rules priority])
@@ -1395,6 +1398,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -182,7 +93,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
}
}
])
@@ -1357,6 +1361,7 @@ FWD_START_TEST([rich rules priority])
@@ -1498,6 +1502,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -190,7 +101,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
])
IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
])
@@ -1391,6 +1396,7 @@ FWD_START_TEST([rich rules priority])
@@ -1532,6 +1537,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -198,7 +109,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
])
IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
])
@@ -1438,6 +1444,7 @@ FWD_START_TEST([rich rules priority])
@@ -1579,6 +1585,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -206,7 +117,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
icmp type echo-request accept
icmpv6 type echo-request accept
}
@@ -1478,6 +1485,7 @@ FWD_START_TEST([rich rules priority])
@@ -1619,6 +1626,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -214,7 +125,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
])
IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
@@ -1500,6 +1508,7 @@ FWD_START_TEST([rich rules priority])
@@ -1641,6 +1649,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -222,7 +133,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
])
IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
@@ -1556,6 +1565,7 @@ FWD_START_TEST([rich rules priority])
@@ -1697,6 +1706,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -230,7 +141,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
}
}
])
@@ -1593,6 +1603,7 @@ FWD_START_TEST([rich rules priority])
@@ -1734,6 +1744,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -238,7 +149,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
])
IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
])
@@ -1613,6 +1624,7 @@ FWD_START_TEST([rich rules priority])
@@ -1754,6 +1765,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -246,7 +157,7 @@ index 0e0d3938da0a..540bdb8b1065 100644
])
IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
])
@@ -1638,7 +1650,7 @@ FWD_START_TEST([rich rules priority])
@@ -1779,7 +1791,7 @@ FWD_START_TEST([rich rules priority])
icmp-block-inversion: no
interfaces:
sources:
@ -255,6 +166,95 @@ index 0e0d3938da0a..540bdb8b1065 100644
ports:
protocols:
masquerade: no
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index 41d0f17b1d9e..bd4b52cfb1d6 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -37,6 +37,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -47,6 +48,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -55,6 +57,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -91,6 +94,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -101,6 +105,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -109,6 +114,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -126,6 +132,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
@@ -139,6 +146,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
@@ -149,6 +157,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
index 7f02701a9419..070f1578fc2b 100644
--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
@@ -120,7 +120,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl
])
FWD_CHECK([--zone=public --list-services], 0, [dnl
-dhcpv6-client ssh
+cockpit dhcpv6-client ssh
])
FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist])
FWD_RELOAD
diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at
index 1441a6be53bf..51ff504e6a9d 100644
--- a/src/tests/regression/gh366.at
@ -282,25 +282,25 @@ index 1441a6be53bf..51ff504e6a9d 100644
])])
diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at
index f57a79dcf9a2..6d820fce840a 100644
index 36a6fce5f22a..61bc90aae673 100644
--- a/src/tests/regression/gh453.at
+++ b/src/tests/regression/gh453.at
@@ -18,6 +18,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 21 ct state new,untracked accept
}
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 21 ct state new,untracked accept
}
@@ -42,6 +43,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 21 ct state new,untracked accept
tcp dport 5060 ct helper set "helper-sip-tcp"
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 21 ct state new,untracked accept
tcp dport 5060 ct helper set "helper-sip-tcp"
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index efc33e09478b..241cf547f7f3 100644
--- a/src/tests/regression/rhbz1514043.at
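Review bot: The internal-zone expectations this patch needs in src/tests/regression/rhbz1715977.at (the `tcp dport 9090 ct state new,untracked accept` and `dpt:9090` lines under `filter_IN_internal_allow`) are missing from this patch's diffstat and instead appear as insertions in patch 2/6 (AllowZoneDrifting), judging from that patch's updated diffstat and its outer hunk header. Since config/zones/internal.xml gains cockpit here, those lines belong in this patch; as placed, patch 1/6 can no longer be applied or reverted on its own without breaking the rhbz1715977 test, and patch 2/6 carries a change unrelated to its subject. Moving the rhbz1715977.at hunks into this patch and regenerating both diffstats keeps each backport self-contained.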


@ -1,19 +1,20 @@
From d31326a93b0dc1e203f4696aca4a7c0f8118d2e8 Mon Sep 17 00:00:00 2001
From 42c3c63410d53f1f1eef8a756202231a7872aafa Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Feb 2020 09:12:17 -0500
Subject: [PATCH 39/39] RHEL only: default to AllowZoneDrifting=yes
Subject: [PATCH 2/6] RHEL only: default to AllowZoneDrifting=yes
---
config/firewalld.conf | 4 ++--
doc/xml/firewalld.conf.xml | 2 +-
doc/xml/firewalld.dbus.xml | 2 +-
src/firewall/config/__init__.py.in | 2 +-
src/tests/cli/firewall-cmd.at | 4 ++++
src/tests/cli/firewall-cmd.at | 8 ++++++++
src/tests/dbus/firewalld.conf.at | 4 ++--
src/tests/features/rfc3964_ipv4.at | 4 ++++
src/tests/functions.at | 1 +
src/tests/regression/rhbz1514043.at | 4 ++++
9 files changed, 20 insertions(+), 7 deletions(-)
src/tests/regression/rhbz1715977.at | 9 +++++++++
10 files changed, 33 insertions(+), 7 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 532f0452212e..f791b2358ab8 100644
@ -64,10 +65,21 @@ index 481eb8de758d..645c76b66c8d 100644
-FALLBACK_ALLOW_ZONE_DRIFTING = False
+FALLBACK_ALLOW_ZONE_DRIFTING = True
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 51b367e7a0f0..3590cb23d600 100644
index 74f480f8730f..c47c14ea1fc2 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -1054,6 +1054,10 @@ FWD_START_TEST([rich rules priority])
@@ -696,6 +696,10 @@ FWD_START_TEST([ipset])
CHECK_IPSET
CHECK_IPSET_HASH_MAC
+ dnl Expected test results assume this is set to "no"
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+ FWD_RELOAD
+
FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, ignore)
FWD_CHECK([--reload], 0, ignore)
FWD_CHECK([--ipset=foobar --get-entries], 0, [
@@ -1197,6 +1201,10 @@ FWD_START_TEST([rich rules priority])
CHECK_LOG_AUDIT
@ -116,7 +128,7 @@ index 54f5f756270b..15fef52612cc 100644
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
FWD_RELOAD
diff --git a/src/tests/functions.at b/src/tests/functions.at
index cd4e31c7f9d4..0e28420d7123 100644
index 5b3ed3ee4a5a..8f5ceba4d3f2 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [
@ -142,6 +154,82 @@ index 241cf547f7f3..8e4846a078b8 100644
FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
index d548de72b90c..b9886e1a0a2b 100644
--- a/src/tests/regression/rhbz1715977.at
+++ b/src/tests/regression/rhbz1715977.at
@@ -14,6 +14,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
udp dport 137 ct state new,untracked accept
udp dport 138 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
}
}
@@ -23,6 +24,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
@@ -31,6 +33,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept'])
@@ -44,6 +47,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
udp dport 137 ct state new,untracked accept
udp dport 138 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
}
@@ -54,6 +58,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
])
@@ -63,6 +68,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept'])
@@ -76,6 +82,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
udp dport 137 ct state new,untracked accept
udp dport 138 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
@@ -87,6 +94,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED
@@ -97,6 +105,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])
--
2.23.0
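Review bot: Every test touched here opts back out of the new default with the same three-line prologue (`dnl Expected test results assume this is set to "no"`, `AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])`, `FWD_RELOAD`), so the `FALLBACK_ALLOW_ZONE_DRIFTING = True` default this patch introduces is exercised by none of the touched tests. Factoring the prologue into a helper macro in src/tests/functions.at, which this patch already modifies, would remove the duplication and make the opt-out visible in one place. At least one test should then be left running with the shipped default so a regression in the zone-drifting path (the behaviour RHEL deliberately keeps enabled here) is caught rather than masked by the opt-out.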


@ -1,132 +0,0 @@
From ff17d85fd863e7be2b4088c92360185aca6693b0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 7 Nov 2019 08:21:52 -0500
Subject: [PATCH] fix: CLI: service: also output helpers for service info
Fixes: 0c07b704f76d ("feat: CLI: add "helper" support for services")
Fixes: rhbz 1769520
(cherry picked from commit 6bfffe65f55b727afc37a8c1fb4068f6589bb890)
---
src/firewall/command.py | 2 ++
src/tests/features/helpers_custom.at | 42 ++++++++++++++++++++++++++-
src/tests/features/service_include.at | 3 ++
3 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/src/firewall/command.py b/src/firewall/command.py
index 85e58d731a80..c371dc23584c 100644
--- a/src/firewall/command.py
+++ b/src/firewall/command.py
@@ -449,6 +449,7 @@ class FirewallCommand(object):
destinations = settings.getDestinations()
short_description = settings.getShort()
includes = settings.getIncludes()
+ helpers = settings.getHelpers()
self.print_msg(service)
if self.verbose:
self.print_msg(" summary: " + short_description)
@@ -464,6 +465,7 @@ class FirewallCommand(object):
" ".join(["%s:%s" % (k, v)
for k, v in destinations.items()]))
self.print_msg(" includes: " + " ".join(sorted(includes)))
+ self.print_msg(" helpers: " + " ".join(sorted(helpers)))
def print_icmptype_info(self, icmptype, settings):
destinations = settings.getDestinations()
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index c65f067a06ec..4c9024d1e2b8 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -1,5 +1,5 @@
FWD_START_TEST([customer helpers])
-AT_KEYWORDS(helpers rhbz1733066 gh514)
+AT_KEYWORDS(helpers rhbz1733066 gh514 rhbz1769520)
FWD_CHECK([-q --permanent --new-helper="ftptest" --module="nf_conntrack_ftp"])
FWD_CHECK([-q --permanent --helper=ftptest --add-port="2121/tcp"])
@@ -8,7 +8,27 @@ FWD_CHECK([-q --permanent --new-service="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --add-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --add-port="2121/tcp"])
+FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules: ftptest
+ destination:
+ includes:
+ helpers:
+])])
FWD_RELOAD
+FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules: ftptest
+ destination:
+ includes:
+ helpers:
+])])
FWD_CHECK([-q --add-service=ftptest])
@@ -42,7 +62,27 @@ dnl Same thing as above, but with the new "helper" in service.
FWD_CHECK([-q --permanent --service=ftptest --remove-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"], 1)
FWD_CHECK([-q --permanent --service=ftptest --add-helper="ftptest"])
+FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules:
+ destination:
+ includes:
+ helpers: ftptest
+])])
FWD_RELOAD
+FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules:
+ destination:
+ includes:
+ helpers: ftptest
+])])
FWD_CHECK([-q --add-service=ftptest])
diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
index 219d5b42767b..7f02701a9419 100644
--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
@@ -76,6 +76,7 @@ my-service-with-include
modules:
destination:
includes: mdns recursive-service ssdp
+ helpers:
])])
FWD_CHECK([--info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl
my-service-with-include
@@ -85,6 +86,7 @@ my-service-with-include
modules:
destination:
includes: mdns recursive-service ssdp
+ helpers:
])])
dnl firewall-offline-cmd
@@ -106,6 +108,7 @@ my-service-with-include
modules:
destination:
includes: mdns recursive-service ssdp
+ helpers:
])])
dnl negative test for including service that doesn't exist
--
2.23.0


@ -0,0 +1,29 @@
From b2e4f83c8fb011ffe0a8b040fa937f60c842cc25 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 2 Apr 2020 14:42:22 -0400
Subject: [PATCH 3/6] fix: nftables: ipset: port ranges for non-default
protocols
Fixes: 2d1b0fe9fe74 ("fix: nftables: allow set intervals with concatenations")
(cherry picked from commit e80f4fccfc771128affdc578ed37842d5d469ca9)
(cherry picked from commit 6a2fd018666ab8c4877291f8f807a9943db74de3)
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index a9d5a45337bd..69ee63b32f8b 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1680,7 +1680,7 @@ class nftables(object):
port_str = entry_tokens[i][index+1:]
try:
- index = entry_tokens[i].index("-")
+ index = port_str.index("-")
except ValueError:
fragment.append(port_str)
else:
--
2.23.0
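Review bot: The fix reuses the local `index` for a second, different offset — first a position in `entry_tokens[i]`, then a position in `port_str` — which is exactly the confusion that produced the original bug; naming the new one separately, e.g. `dash = port_str.index("-")`, and using it in the `else:` branch would keep the two offsets from being mixed up again. The `else:` branch that presumably consumes the offset, and the rest of the function, are outside the hunk, so the rename has to be carried through there. A one-line comment above the `try:`, such as `# port_str is "N" or "N-M"; split on the first dash when present`, would document the two accepted forms.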


@ -1,32 +0,0 @@
From d4866bf76574a436372204583f4194ca01beb265 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 19 Nov 2019 11:34:03 -0500
Subject: [PATCH 03/37] fix: reload: let NM interface assignments override
permanent config
Use the change interface call instead of add interface. This lets NM
override the permanent interface assignment.
Fixes: rhbz 1773809
(cherry picked from commit a3265daf5b8092878e82fc7840e56bb0b36a43ea)
(cherry picked from commit 48bde3b3343cbdd35af58958467b8e64e10f3821)
---
src/firewall/core/fw.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 4dc6a4f47aff..050fb9cd976d 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -988,7 +988,7 @@ class Firewall(object):
if nm_bus_name:
for zone in self.zone.get_zones() + [""]:
for interface in nm_get_interfaces_in_zone(zone):
- self.zone.add_interface(zone, interface, sender=nm_bus_name)
+ self.zone.change_zone_of_interface(zone, interface, sender=nm_bus_name)
self._panic = _panic
if not self._panic:
--
2.23.0


@ -1,31 +0,0 @@
From e4d104ed8546e457d223dc1472942427241f0e44 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 2 Dec 2019 08:47:47 -0500
Subject: [PATCH 04/37] fix: dbus/firewall.conf: fix check for AutomaticHelpers
If nft fib is not available the test was checking for "system", but it
always yields "no".
Fixes: 6cd756b15685 ("chore: deprecate AutomaticHelpers")
(cherry picked from commit 58c19a06e9b47bc16cc00d2b7d26d5fce6f91a7a)
(cherry picked from commit 3fbeb0d92fa632ecd7174afccd8e5cb71c9adaa6)
---
src/tests/dbus/firewalld.conf.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index a26be3213d79..06f6df9bdd70 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -17,7 +17,7 @@ string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])], [
DBUS_GETALL([config], [config], 0, [dnl
-string "AutomaticHelpers" : variant string "system"
+string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
string "FirewallBackend" : variant string "nftables"
--
2.23.0


@ -0,0 +1,44 @@
From c694ab9a3d00f0471bfdf73a1b00d43f60395717 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 2 Apr 2020 14:38:45 -0400
Subject: [PATCH 4/6] test: ipset: verify port ranges for non-default protocol
(cherry picked from commit c0ad3a0b3340a27c34b33128f756f64acc3a771b)
(cherry picked from commit a2b8a09b929901e14620aa802fd423f958c56188)
---
src/tests/cli/firewall-cmd.at | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index c47c14ea1fc2..ad7b1b32f42c 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -743,6 +743,7 @@ FWD_START_TEST([ipset])
dnl multi dimensional set with non default protocol
FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip,port], 0, ignore)
FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,sctp:1234], 0, ignore)
+ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,udp:1000-1002], 0, ignore)
FWD_RELOAD
FWD_CHECK([--ipset=foobar --add-entry=20.20.20.20,8080], 0, ignore)
FWD_CHECK([--zone internal --add-source=ipset:foobar], 0, ignore)
@@ -752,6 +753,7 @@ FWD_START_TEST([ipset])
type ipv4_addr . inet_proto . inet_service
flags interval
elements = { 10.10.10.10 . sctp . 1234,
+ 10.10.10.10 . udp . 1000-1002,
20.20.20.20 . tcp . 8080 }
}
}
@@ -769,6 +771,9 @@ FWD_START_TEST([ipset])
Type: hash:ip,port
Members:
10.10.10.10,sctp:1234
+ 10.10.10.10,udp:1000
+ 10.10.10.10,udp:1001
+ 10.10.10.10,udp:1002
20.20.20.20,tcp:8080
])
FWD_CHECK([--ipset=foobar --add-entry=1.2.3.4,sctp:8080], 0, ignore)
--
2.23.0
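Review bot: The port-range entry is only exercised through the permanent path (`--permanent --ipset=foobar --add-entry=10.10.10.10,udp:1000-1002` followed by FWD_RELOAD); the runtime `--ipset=foobar --add-entry` calls in this test still use single ports only, so a regression that affects only the live-add path of ranges would not be caught. Adding something like `FWD_CHECK([--ipset=foobar --add-entry=20.20.20.20,tcp:9000-9001], 0, ignore)` and extending both expected outputs would cover it. It is also worth a one-line `dnl` comment above the `--info-ipset` expectation noting that nft lists the range as a single interval while the ipset listing expands it to one member per port, since the two expected outputs otherwise look inconsistent to a reader.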


@ -1,38 +0,0 @@
From f9dc97f5161eea0900b9e99bb29e8a4d5cda3109 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 2 Dec 2019 09:08:00 -0500
Subject: [PATCH 05/37] fix: test: CHECK_NAT_COEXISTENCE: only check for kernel
version
Calling modprobe is problematic inside a container. Just check if the
running kernel is >4.18 as this is when NAT coexistence was fixed.
(cherry picked from commit 2b7d150d4b15b4b3876df0179cd08aaae33f2e38)
(cherry picked from commit fd54fafb9e43f2e0a396b8c502ef81bc738affeb)
---
src/tests/functions.at | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index fc53f591b1bf..31d1a3c187e4 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -436,13 +436,8 @@ m4_define([CHECK_NAT_COEXISTENCE], [
m4_if(nftables, FIREWALL_BACKEND, [
KERNEL_MAJOR=`uname -r | cut -d. -f1`
KERNEL_MINOR=`uname -r | cut -d. -f2`
- if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 16 || test ${KERNEL_MAJOR} -gt 4; then
- dnl Only check >=4.16 kernels. Previous versions did not explicitly
- dnl deny it, but had undefined behavior.
- AT_SKIP_IF([! modprobe iptable_nat])
- AT_SKIP_IF([! NS_CMD([nft add table ip foobar])])
- AT_SKIP_IF([! NS_CMD([nft add chain ip foobar foobar_chain { type nat hook postrouting priority 100 \; }])])
- NS_CHECK([nft delete table ip foobar])
+ if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 18 || test ${KERNEL_MAJOR} -gt 4; then
+ :
else
AT_SKIP_IF([true])
fi
--
2.23.0


@ -0,0 +1,51 @@
From 85782b1fb964e3b67a0276881bdba4ca9881dec3 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 2 Apr 2020 15:21:58 -0400
Subject: [PATCH 5/6] test: log: verify logging still works after truncate
The log policy we ship presumes firewalld opens log files in append
mode. This is because the logrotate policy uses "copytruncate". Lets
verify that it actually works as expected.
(cherry picked from commit e887c16512abd6a3051b0519ee9af344c9f08827)
(cherry picked from commit 2ab7f9e793a51c9aebe08fff6226c38159ae2312)
---
src/tests/regression/gh599.at | 16 ++++++++++++++++
src/tests/regression/regression.at | 1 +
2 files changed, 17 insertions(+)
create mode 100644 src/tests/regression/gh599.at
diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
new file mode 100644
index 000000000000..472f228ba2a9
--- /dev/null
+++ b/src/tests/regression/gh599.at
@@ -0,0 +1,16 @@
+FWD_START_TEST([writing to log after copytruncate])
+AT_KEYWORDS(gh599)
+
+AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
+AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
+
+dnl Verify we continue to write to the log file after it's truncated. That is,
+dnl simulate logrotate's copytruncate.
+NS_CHECK([truncate -s 0 ./firewalld.log])
+
+dnl generate some logs, anything will do since we have debug enabled.
+FWD_CHECK([--list-all], 0, [ignore], [ignore])
+
+NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
+
+FWD_END_TEST
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 8042c3a27f89..2528ddd3fede 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -27,3 +27,4 @@ m4_include([regression/gh509.at])
m4_include([regression/gh567.at])
m4_include([regression/rhbz1779835.at])
m4_include([regression/gh330.at])
+m4_include([regression/gh599.at])
--
2.23.0
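Review bot: The final assertion `NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])` does not establish what the commit message says it verifies: if the daemon's log file were opened without O_APPEND, its next write would land at the old file offset and the kernel would fill the gap with NUL bytes, so `wc -c` would still be greater than zero and the test would pass in exactly the failure case it is meant to catch. A check that rejects such a hole is more convincing, e.g. `NS_CHECK([test "$(tr -d '\0' < ./firewalld.log | wc -c)" -eq "$(wc -c < ./firewalld.log)"])`, ideally combined with a grep for the specific message the `--list-all` call is expected to produce. The `dnl` comment above the size check could then state that the goal is to detect writes at a stale offset, not merely a non-empty file.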


@ -1,28 +0,0 @@
From 3268ec28df668efcf8fd8fc3017d0768b0c70fe1 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 5 Dec 2019 12:31:06 -0500
Subject: [PATCH 06/37] fix: test: direct passthrough: no need to check for
dummy module
(cherry picked from commit 3b9e8565a224937bb6c6b950ae3596abacc14c5d)
(cherry picked from commit 7b2740294a86cca114e8ce3938b5b0ba8f5bd28f)
---
src/tests/firewall-cmd.at | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index 540bdb8b1065..51b367e7a0f0 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -866,8 +866,6 @@ FWD_END_TEST
FWD_START_TEST([direct passthrough])
AT_KEYWORDS(direct passthrough)
- AT_CHECK([if ! modprobe dummy; then exit 77; fi])
-
FWD_CHECK([--direct --passthrough ipv4 --table mangle --append POSTROUTING --out-interface dummy0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill], 0, ignore)
FWD_CHECK([--direct --passthrough ipv4 --table mangle --delete POSTROUTING --out-interface dummy0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill], 0, ignore)
--
2.23.0


@ -0,0 +1,32 @@
From 01dd132e2004e6d40c6c2200f6105ca49594041a Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 6 Apr 2020 15:34:57 -0400
Subject: [PATCH 6/6] fix: test/regression/gh599: fix if not using debug output
Fixes: e887c16512ab ("test: log: verify logging still works after truncate")
(cherry picked from commit f7e3c60263e144a04ee175d5f7bb3fa4636a97a4)
(cherry picked from commit e78548b1fd6e87500d7df3ade5373285ca525f03)
---
src/tests/regression/gh599.at | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
index 472f228ba2a9..337e18018baf 100644
--- a/src/tests/regression/gh599.at
+++ b/src/tests/regression/gh599.at
@@ -8,9 +8,9 @@ dnl Verify we continue to write to the log file after it's truncated. That is,
dnl simulate logrotate's copytruncate.
NS_CHECK([truncate -s 0 ./firewalld.log])
-dnl generate some logs, anything will do since we have debug enabled.
-FWD_CHECK([--list-all], 0, [ignore], [ignore])
+dnl generate some logs
+FWD_CHECK([-q --add-service=this_does_not_exist], 101, [ignore], [ignore])
NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
-FWD_END_TEST
+FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: this_does_not_exist/d'])
--
2.23.0
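Review bot: The size check this fix keeps, `NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])`, relies on `let`, which is a bash builtin rather than POSIX sh; on a system where /bin/sh is dash the command would fail with "let: not found" and the test would report a failure unrelated to logging. A portable equivalent is `NS_CHECK([test "$(wc -c < ./firewalld.log)" -gt 0])`, which also drops the unnecessary `cat`. This matters more now that the test is intended to run without debug output, since the only signal it has is that single size comparison.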


@ -1,32 +0,0 @@
From 0c254abccf3553192e13f736351926c5fa45df0b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 9 Dec 2019 16:57:13 -0500
Subject: [PATCH 07/37] fix: test/functions: FWD_END_TEST: improve grep for
errors/warnings
Match more specifically so we don't accidentally match a debug log that
also has "ERROR:" or "WARNING:" as is common for modprobes.
(cherry picked from commit 5f67a78a68a4b5117d7be3402fc9dd639f318a60)
(cherry picked from commit ec0e86677372e994151263a3cb0f1124e2df219b)
---
src/tests/functions.at | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 31d1a3c187e4..1bed8a4f3a6c 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -150,8 +150,7 @@ m4_define([FWD_END_TEST], [
if test -n "$1"; then
sed -i $1 ./firewalld.log
fi
- AT_FAIL_IF([grep ERROR ./firewalld.log])
- AT_FAIL_IF([grep WARNING ./firewalld.log])
+ AT_FAIL_IF([grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log])
fi
m4_undefine([CURRENT_DBUS_ADDRESS])
m4_undefine([CURRENT_TEST_NS])
--
2.23.0


@ -0,0 +1,496 @@
From 5a912cc04a75e018631745647a524cce8569505b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Apr 2020 13:38:06 -0400
Subject: [PATCH 07/10] test: dbus: zone: verify permanent config API
signatures
(cherry picked from commit f6a6837cb49d5a9ca4ea08964fb62bb9f7f420ac)
(cherry picked from commit 7cc77369cd68ff1860b151fc649d237f1feb84ba)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/zone_permanent_signatures.at | 464 ++++++++++++++++++++
2 files changed, 465 insertions(+)
create mode 100644 src/tests/dbus/zone_permanent_signatures.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index 46fec2ff4024..ffef478f5449 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -1,3 +1,4 @@
AT_BANNER([dbus])
m4_include([dbus/firewalld.conf.at])
m4_include([dbus/service.at])
+m4_include([dbus/zone_permanent_signatures.at])
diff --git a/src/tests/dbus/zone_permanent_signatures.at b/src/tests/dbus/zone_permanent_signatures.at
new file mode 100644
index 000000000000..15319552c15f
--- /dev/null
+++ b/src/tests/dbus/zone_permanent_signatures.at
@@ -0,0 +1,464 @@
+FWD_START_TEST([dbus api - zone permanent signatures])
+AT_KEYWORDS(dbus zone gh586)
+
+dnl ####################
+dnl Global APIs
+dnl ####################
+
+DBUS_INTROSPECT([config], [[//method[@name="listZones"]]], 0, [dnl
+ <method name="listZones">
+ <arg direction="out" type="ao"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="getZoneNames"]]], 0, [dnl
+ <method name="getZoneNames">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="getZoneByName"]]], 0, [dnl
+ <method name="getZoneByName">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="o"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="addZone"]]], 0, [dnl
+ <method name="addZone">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="settings" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ <arg direction="out" type="o"></arg>
+ </method>
+])
+
+dnl zone relation to interface/sources
+DBUS_INTROSPECT([config], [[//method[@name="getZoneOfInterface"]]], 0, [dnl
+ <method name="getZoneOfInterface">
+ <arg direction="in" name="iface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config], [[//method[@name="getZoneOfSource"]]], 0, [dnl
+ <method name="getZoneOfSource">
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+
+
+dnl ####################
+dnl Zone object APIs
+dnl ####################
+
+dnl Get a reference to the public zone. We'll use it to introspect APIs.
+DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout])
+DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)]
+export DBUS_PUBLIC_ZONE_OBJ
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSettings"]]], 0, [dnl
+ <method name="getSettings">
+ <arg direction="out" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="update"]]], 0, [dnl
+ <method name="update">
+ <arg direction="in" name="settings" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="loadDefaults"]]], 0, [dnl
+ <method name="loadDefaults">
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="remove"]]], 0, [dnl
+ <method name="remove">
+ </method>
+])
+
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="rename"]]], 0, [dnl
+ <method name="rename">
+ <arg direction="in" name="name" type="s"></arg>
+ </method>
+])
+
+dnl Version
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getVersion"]]], 0, [dnl
+ <method name="getVersion">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setVersion"]]], 0, [dnl
+ <method name="setVersion">
+ <arg direction="in" name="version" type="s"></arg>
+ </method>
+])
+
+dnl Short
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getShort"]]], 0, [dnl
+ <method name="getShort">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setShort"]]], 0, [dnl
+ <method name="setShort">
+ <arg direction="in" name="short" type="s"></arg>
+ </method>
+])
+
+dnl Description
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getDescription"]]], 0, [dnl
+ <method name="getDescription">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setDescription"]]], 0, [dnl
+ <method name="setDescription">
+ <arg direction="in" name="description" type="s"></arg>
+ </method>
+])
+
+dnl Target
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getTarget"]]], 0, [dnl
+ <method name="getTarget">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setTarget"]]], 0, [dnl
+ <method name="setTarget">
+ <arg direction="in" name="target" type="s"></arg>
+ </method>
+])
+
+dnl Interfaces
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getInterfaces"]]], 0, [dnl
+ <method name="getInterfaces">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setInterfaces"]]], 0, [dnl
+ <method name="setInterfaces">
+ <arg direction="in" name="interfaces" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addInterface"]]], 0, [dnl
+ <method name="addInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeInterface"]]], 0, [dnl
+ <method name="removeInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryInterface"]]], 0, [dnl
+ <method name="queryInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Sources
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSources"]]], 0, [dnl
+ <method name="getSources">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSources"]]], 0, [dnl
+ <method name="setSources">
+ <arg direction="in" name="sources" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSource"]]], 0, [dnl
+ <method name="addSource">
+ <arg direction="in" name="source" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSource"]]], 0, [dnl
+ <method name="removeSource">
+ <arg direction="in" name="source" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySource"]]], 0, [dnl
+ <method name="querySource">
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Services
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getServices"]]], 0, [dnl
+ <method name="getServices">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setServices"]]], 0, [dnl
+ <method name="setServices">
+ <arg direction="in" name="services" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addService"]]], 0, [dnl
+ <method name="addService">
+ <arg direction="in" name="service" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeService"]]], 0, [dnl
+ <method name="removeService">
+ <arg direction="in" name="service" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryService"]]], 0, [dnl
+ <method name="queryService">
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Ports
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getPorts"]]], 0, [dnl
+ <method name="getPorts">
+ <arg direction="out" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setPorts"]]], 0, [dnl
+ <method name="setPorts">
+ <arg direction="in" name="ports" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addPort"]]], 0, [dnl
+ <method name="addPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removePort"]]], 0, [dnl
+ <method name="removePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryPort"]]], 0, [dnl
+ <method name="queryPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Source Ports
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getSourcePorts"]]], 0, [dnl
+ <method name="getSourcePorts">
+ <arg direction="out" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setSourcePorts"]]], 0, [dnl
+ <method name="setSourcePorts">
+ <arg direction="in" name="ports" type="a(ss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addSourcePort"]]], 0, [dnl
+ <method name="addSourcePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeSourcePort"]]], 0, [dnl
+ <method name="removeSourcePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="querySourcePort"]]], 0, [dnl
+ <method name="querySourcePort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Protocol
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getProtocols"]]], 0, [dnl
+ <method name="getProtocols">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setProtocols"]]], 0, [dnl
+ <method name="setProtocols">
+ <arg direction="in" name="protocols" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addProtocol"]]], 0, [dnl
+ <method name="addProtocol">
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeProtocol"]]], 0, [dnl
+ <method name="removeProtocol">
+ <arg direction="in" name="protocol" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryProtocol"]]], 0, [dnl
+ <method name="queryProtocol">
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Forward Ports
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getForwardPorts"]]], 0, [dnl
+ <method name="getForwardPorts">
+ <arg direction="out" type="a(ssss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setForwardPorts"]]], 0, [dnl
+ <method name="setForwardPorts">
+ <arg direction="in" name="ports" type="a(ssss)"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addForwardPort"]]], 0, [dnl
+ <method name="addForwardPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeForwardPort"]]], 0, [dnl
+ <method name="removeForwardPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryForwardPort"]]], 0, [dnl
+ <method name="queryForwardPort">
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Masquerade
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getMasquerade"]]], 0, [dnl
+ <method name="getMasquerade">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setMasquerade"]]], 0, [dnl
+ <method name="setMasquerade">
+ <arg direction="in" name="masquerade" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addMasquerade"]]], 0, [dnl
+ <method name="addMasquerade">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeMasquerade"]]], 0, [dnl
+ <method name="removeMasquerade">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryMasquerade"]]], 0, [dnl
+ <method name="queryMasquerade">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl ICMP Block
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlocks"]]], 0, [dnl
+ <method name="getIcmpBlocks">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlocks"]]], 0, [dnl
+ <method name="setIcmpBlocks">
+ <arg direction="in" name="icmptypes" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlock"]]], 0, [dnl
+ <method name="addIcmpBlock">
+ <arg direction="in" name="icmptype" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlock"]]], 0, [dnl
+ <method name="removeIcmpBlock">
+ <arg direction="in" name="icmptype" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlock"]]], 0, [dnl
+ <method name="queryIcmpBlock">
+ <arg direction="in" name="icmptype" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl ICMP Block Inversion
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getIcmpBlockInversion"]]], 0, [dnl
+ <method name="getIcmpBlockInversion">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setIcmpBlockInversion"]]], 0, [dnl
+ <method name="setIcmpBlockInversion">
+ <arg direction="in" name="flag" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl
+ <method name="addIcmpBlockInversion">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl
+ <method name="removeIcmpBlockInversion">
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl
+ <method name="queryIcmpBlockInversion">
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Rich Rules
+dnl
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="getRichRules"]]], 0, [dnl
+ <method name="getRichRules">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="setRichRules"]]], 0, [dnl
+ <method name="setRichRules">
+ <arg direction="in" name="rules" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="addRichRule"]]], 0, [dnl
+ <method name="addRichRule">
+ <arg direction="in" name="rule" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="removeRichRule"]]], 0, [dnl
+ <method name="removeRichRule">
+ <arg direction="in" name="rule" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [[//method[@name="queryRichRule"]]], 0, [dnl
+ <method name="queryRichRule">
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+FWD_END_TEST
--
2.25.2
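Review bot: The object-path extraction `DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)]` is never validated: when the substitution does not match, sed passes the whole stdout line through unchanged, and every subsequent `DBUS_INTROSPECT([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], ...)` then runs against a garbage path, producing dozens of failures that point at the wrong place. A guard right after the export, `AT_CHECK([echo "$DBUS_PUBLIC_ZONE_OBJ" | grep -q '^[[0-9]][[0-9]]*$'])`, makes that failure mode explicit and cheap to diagnose. If portability of the test suite matters, note that `\+` in the sed expression is a GNU extension; `[^']*` appears to yield the same capture here.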


@ -1,75 +0,0 @@
From d059664e2de82a2e212fe14f3799450ca4ef5a51 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 27 Nov 2019 13:32:42 -0500
Subject: [PATCH 08/37] test: build: add support for running in containers
This is just a dummy target at the moment.
(cherry picked from commit df13ebc5d8df69b0b0b15c6777c8bb906a67bf5b)
(cherry picked from commit 11c36a3c81987f4e34bf87e99d0800401c24561f)
---
Makefile.am | 3 +++
README | 7 +++++++
configure.ac | 1 +
src/tests/Makefile.am | 4 ++++
4 files changed, 15 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index b3dbce1f2b11..c377d6f63792 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -78,6 +78,9 @@ dist-check:
exit 1; \
fi
+check-container:
+ $(MAKE) -C src/tests $@
+
update-docs:
$(MAKE) -C doc/xml
diff --git a/README b/README
index 181d50f301e9..9cb2ef4a15b7 100644
--- a/README
+++ b/README
@@ -102,6 +102,13 @@ Or just the keywords
|awk '/^[[:space:]]*[[:digit:]]+/{getline; print $0}' \
|tr ' ' '\n' |sort |uniq
+There is also a check-container target that will run the testsuite inside
+various podman/docker containers. This is useful for coverage of multiple
+distributions. As a bonus, it allows us to run tests that may be destructive to
+the host (container) such as NetworkManager integration tests.
+
+ make check-container TESTSUITEFLAGS="-j4"
+
RPM package
-----------
diff --git a/configure.ac b/configure.ac
index 39d6af1f89f1..0758c69d442c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,6 +36,7 @@ AC_PATH_PROG([RMMOD], [rmmod], [/sbin/rmmod])
AC_PATH_PROG([SYSCTL], [sysctl], [/sbin/sysctl])
AC_CONFIG_TESTDIR([src/tests])
+AC_PATH_PROGS([PODMAN], [podman docker], [/bin/false])
GLIB_GSETTINGS
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 09bf699b81d0..84c076c847b0 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -41,3 +41,7 @@ AUTOTEST = $(AUTOM4TE) --language=autotest
$(TESTSUITE): $(TESTSUITE_FILES) $(srcdir)/package.m4
$(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at
mv $@.tmp $@
+
+check-container:
+
+.PHONY: check-container
--
2.23.0


@ -0,0 +1,446 @@
From 3122491686014a2cdd83d3506334055fd18c80e0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Apr 2020 14:16:48 -0400
Subject: [PATCH 08/10] test: dbus: zone: verify runtime config API signatures
(cherry picked from commit fca39ea7edbd57283bc15fdd88fbfd4b1943f977)
(cherry picked from commit d17a68d680b631954fdb5031a3c0627a68f77049)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/zone_runtime_signatures.at | 415 ++++++++++++++++++++++
2 files changed, 416 insertions(+)
create mode 100644 src/tests/dbus/zone_runtime_signatures.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index ffef478f5449..377244460e7a 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -2,3 +2,4 @@ AT_BANNER([dbus])
m4_include([dbus/firewalld.conf.at])
m4_include([dbus/service.at])
m4_include([dbus/zone_permanent_signatures.at])
+m4_include([dbus/zone_runtime_signatures.at])
diff --git a/src/tests/dbus/zone_runtime_signatures.at b/src/tests/dbus/zone_runtime_signatures.at
new file mode 100644
index 000000000000..53fdbea03180
--- /dev/null
+++ b/src/tests/dbus/zone_runtime_signatures.at
@@ -0,0 +1,415 @@
+FWD_START_TEST([dbus api - zone runtime signatures])
+AT_KEYWORDS(dbus zone gh586)
+
+dnl ####################
+dnl Global APIs
+dnl ####################
+
+DBUS_INTROSPECT([], [[//method[@name="getZoneSettings"]]], 0, [dnl
+ <method name="getZoneSettings">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="(sssbsasa(ss)asba(ssss)asasasasa(ss)b)"></arg>
+ </method>
+])
+
+dnl Default Zone
+DBUS_INTROSPECT([], [[//method[@name="getDefaultZone"]]], 0, [dnl
+ <method name="getDefaultZone">
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="setDefaultZone"]]], 0, [dnl
+ <method name="setDefaultZone">
+ <arg direction="in" name="zone" type="s"></arg>
+ </method>
+])
+
+dnl Fetching Zones
+DBUS_INTROSPECT([], [[//method[@name="getZones"]]], 0, [dnl
+ <method name="getZones">
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getActiveZones"]]], 0, [dnl
+ <method name="getActiveZones">
+ <arg direction="out" type="a{sa{sas}}"></arg>
+ </method>
+])
+
+dnl Interface/Source
+DBUS_INTROSPECT([], [[//method[@name="getZoneOfInterface"]]], 0, [dnl
+ <method name="getZoneOfInterface">
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getZoneOfSource"]]], 0, [dnl
+ <method name="getZoneOfSource">
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+
+dnl ####################
+dnl Zone APIs
+dnl ####################
+
+DBUS_INTROSPECT([], [[//method[@name="isImmutable"]]], 0, [dnl
+ <method name="isImmutable">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Interfaces
+DBUS_INTROSPECT([], [[//method[@name="addInterface"]]], 0, [dnl
+ <method name="addInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="changeZone"]]], 0, [dnl
+ <method name="changeZone">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="changeZoneOfInterface"]]], 0, [dnl
+ <method name="changeZoneOfInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeInterface"]]], 0, [dnl
+ <method name="removeInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryInterface"]]], 0, [dnl
+ <method name="queryInterface">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="interface" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getInterfaces"]]], 0, [dnl
+ <method name="getInterfaces">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Sources
+DBUS_INTROSPECT([], [[//method[@name="addSource"]]], 0, [dnl
+ <method name="addSource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="changeZoneOfSource"]]], 0, [dnl
+ <method name="changeZoneOfSource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeSource"]]], 0, [dnl
+ <method name="removeSource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="querySource"]]], 0, [dnl
+ <method name="querySource">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="source" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getSources"]]], 0, [dnl
+ <method name="getSources">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Services
+DBUS_INTROSPECT([], [[//method[@name="addService"]]], 0, [dnl
+ <method name="addService">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeService"]]], 0, [dnl
+ <method name="removeService">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryService"]]], 0, [dnl
+ <method name="queryService">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="service" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getServices"]]], 0, [dnl
+ <method name="getServices">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Protocols
+DBUS_INTROSPECT([], [[//method[@name="addProtocol"]]], 0, [dnl
+ <method name="addProtocol">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeProtocol"]]], 0, [dnl
+ <method name="removeProtocol">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryProtocol"]]], 0, [dnl
+ <method name="queryProtocol">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getProtocols"]]], 0, [dnl
+ <method name="getProtocols">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl Ports
+DBUS_INTROSPECT([], [[//method[@name="addPort"]]], 0, [dnl
+ <method name="addPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removePort"]]], 0, [dnl
+ <method name="removePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryPort"]]], 0, [dnl
+ <method name="queryPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getPorts"]]], 0, [dnl
+ <method name="getPorts">
+ <arg direction="in" name="zone" type="s"></arg>
+ dnl NOTE: The signature is "aas", but getPorts() actually returns
+ dnl "a(ss)". Apparently python-dbus coerces to "aas".
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+dnl Source Ports
+DBUS_INTROSPECT([], [[//method[@name="addSourcePort"]]], 0, [dnl
+ <method name="addSourcePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeSourcePort"]]], 0, [dnl
+ <method name="removeSourcePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="querySourcePort"]]], 0, [dnl
+ <method name="querySourcePort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getSourcePorts"]]], 0, [dnl
+ <method name="getSourcePorts">
+ <arg direction="in" name="zone" type="s"></arg>
+ dnl NOTE: The signature is "aas", but getPorts() actually returns
+ dnl "a(ss)". Apparently python-dbus coerces to "aas".
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+dnl Forward Ports
+DBUS_INTROSPECT([], [[//method[@name="addForwardPort"]]], 0, [dnl
+ <method name="addForwardPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeForwardPort"]]], 0, [dnl
+ <method name="removeForwardPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryForwardPort"]]], 0, [dnl
+ <method name="queryForwardPort">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="port" type="s"></arg>
+ <arg direction="in" name="protocol" type="s"></arg>
+ <arg direction="in" name="toport" type="s"></arg>
+ <arg direction="in" name="toaddr" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getForwardPorts"]]], 0, [dnl
+ <method name="getForwardPorts">
+ <arg direction="in" name="zone" type="s"></arg>
+ dnl NOTE: The signature is "aas", but getPorts() actually returns
+ dnl "a(ssss)". Apparently python-dbus coerces to "aas".
+ <arg direction="out" type="aas"></arg>
+ </method>
+])
+
+dnl Masquerade
+DBUS_INTROSPECT([], [[//method[@name="addMasquerade"]]], 0, [dnl
+ <method name="addMasquerade">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeMasquerade"]]], 0, [dnl
+ <method name="removeMasquerade">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryMasquerade"]]], 0, [dnl
+ <method name="queryMasquerade">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl ICMP Block
+DBUS_INTROSPECT([], [[//method[@name="addIcmpBlock"]]], 0, [dnl
+ <method name="addIcmpBlock">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="icmp" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlock"]]], 0, [dnl
+ <method name="removeIcmpBlock">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="icmp" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlock"]]], 0, [dnl
+ <method name="queryIcmpBlock">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="icmp" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getIcmpBlocks"]]], 0, [dnl
+ <method name="getIcmpBlocks">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+dnl ICMP Block Inversion
+DBUS_INTROSPECT([], [[//method[@name="addIcmpBlockInversion"]]], 0, [dnl
+ <method name="addIcmpBlockInversion">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeIcmpBlockInversion"]]], 0, [dnl
+ <method name="removeIcmpBlockInversion">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryIcmpBlockInversion"]]], 0, [dnl
+ <method name="queryIcmpBlockInversion">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+
+dnl Rich Rules
+DBUS_INTROSPECT([], [[//method[@name="addRichRule"]]], 0, [dnl
+ <method name="addRichRule">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="in" name="timeout" type="i"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="removeRichRule"]]], 0, [dnl
+ <method name="removeRichRule">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="out" type="s"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="queryRichRule"]]], 0, [dnl
+ <method name="queryRichRule">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="in" name="rule" type="s"></arg>
+ <arg direction="out" type="b"></arg>
+ </method>
+])
+DBUS_INTROSPECT([], [[//method[@name="getRichRules"]]], 0, [dnl
+ <method name="getRichRules">
+ <arg direction="in" name="zone" type="s"></arg>
+ <arg direction="out" type="as"></arg>
+ </method>
+])
+
+FWD_END_TEST
--
2.25.2
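Review bot: The `dnl NOTE` comments inside the getSourcePorts and getForwardPorts introspection checks still read `getPorts() actually returns`, which looks like a copy-paste from the getPorts block above; each should name the method it sits in, `dnl NOTE: The signature is "aas", but getSourcePorts() actually returns` and `dnl NOTE: The signature is "aas", but getForwardPorts() actually returns`. The underlying mismatch between the advertised `aas` and the real `a(ss)` / `a(ssss)` payload is the kind of thing a later signature fix will trip over, so it is worth one line in the test header (next to the gh586 keyword) stating that these three expectations pin the coerced signature on purpose, so a future change to `a(ss)` is recognised as an API change rather than a test regression.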


@ -0,0 +1,38 @@
From ac3d706eb4bfead921c7e739e5e95a186bf35438 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 8 Apr 2020 17:05:39 -0400
Subject: [PATCH 09/10] fix: test/regression/gh599: use expr to be more
portable
dash was failing due to not having "let". So lets use "expr" instead.
Fixes: e887c16512ab ("test: log: verify logging still works after truncate")
(cherry picked from commit eba44b2ebeedccbac0329a56c86c5d8f26c30f9f)
(cherry picked from commit cdd7c9d60624a443a0a07c29081d0ef68a384beb)
---
src/tests/regression/gh599.at | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tests/regression/gh599.at b/src/tests/regression/gh599.at
index 337e18018baf..b0a230733c85 100644
--- a/src/tests/regression/gh599.at
+++ b/src/tests/regression/gh599.at
@@ -3,6 +3,7 @@ AT_KEYWORDS(gh599)
AT_SKIP_IF([! NS_CMD([which truncate >/dev/null 2>&1])])
AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
+AT_SKIP_IF([! NS_CMD([which expr >/dev/null 2>&1])])
dnl Verify we continue to write to the log file after it's truncated. That is,
dnl simulate logrotate's copytruncate.
@@ -11,6 +12,6 @@ NS_CHECK([truncate -s 0 ./firewalld.log])
dnl generate some logs
FWD_CHECK([-q --add-service=this_does_not_exist], 101, [ignore], [ignore])
-NS_CHECK([sh -c 'let "$(cat ./firewalld.log | wc -c) > 0"'])
+NS_CHECK([expr $(cat ./firewalld.log | wc -c) ">" 0], 0, [ignore], [ignore])
FWD_END_TEST([-e '/ERROR: INVALID_SERVICE: this_does_not_exist/d'])
--
2.25.2
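Review bot: The replaced NS_CHECK line pipes `cat ./firewalld.log` into `wc -c` where a redirect does the same with one process fewer and no word splitting concerns on the file name, `NS_CHECK([expr $(wc -c < ./firewalld.log) ">" 0], 0, [ignore], [ignore])`. The exit-status contract is otherwise right: expr exits 0 only when the comparison is true, so the `0` expectation fails the test on an empty log as intended, and the added `which expr` skip guard matches the existing truncate/wc guards.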


@ -1,43 +0,0 @@
From 616ab06147e174ac69b2e1cfff73e4519058676c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 10 Dec 2019 10:18:00 -0500
Subject: [PATCH 09/37] test: check-container: add support for debian sid
(cherry picked from commit be2a4c06c7bc7fcf9efc710ffc459b2a24118457)
(cherry picked from commit f7252214a08c33c81bb613514e24af95dc2ed096)
---
src/tests/Makefile.am | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 84c076c847b0..4939fb818459 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -42,6 +42,23 @@ $(TESTSUITE): $(TESTSUITE_FILES) $(srcdir)/package.m4
$(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at
mv $@.tmp $@
-check-container:
+check-container-debian-sid:
+ (cd $(abs_top_srcdir) && tar -c . ) | \
+ $(PODMAN) run -i --rm --privileged debian:sid bash -c \
+ "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \
+ apt-get update && \
+ apt-get install -y autoconf automake pkg-config intltool libglib2.0-dev \
+ xsltproc docbook-xsl docbook-xml iptables ipset ebtables \
+ nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \
+ python3-dbus python3-gi python3-slip-dbus python3-nftables \
+ procps && \
+ apt-get install -y libnftables-dev && \
+ ./autogen.sh && \
+ ./configure PYTHON=/usr/bin/python3 && \
+ make && \
+ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
+
+check-container: check-container-debian-sid
.PHONY: check-container
+.PHONY: check-container-debian-sid
--
2.23.0


@ -0,0 +1,27 @@
From 10f7c0956e7c7054da9e6187aa525c23f65a8dfc Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 14 Apr 2020 07:40:48 -0400
Subject: [PATCH 10/10] fix(systemd): Conflict with nftables.service
(cherry picked from commit 7b6aff3a51a955399c782f48137405d0fa94e966)
(cherry picked from commit fc00563ef029cb4c12c652725bfd3a3b5122d136)
---
config/firewalld.service.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/firewalld.service.in b/config/firewalld.service.in
index b757a08f28dc..afbe0ac5def7 100644
--- a/config/firewalld.service.in
+++ b/config/firewalld.service.in
@@ -4,7 +4,7 @@ Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
-Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
+Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
Documentation=man:firewalld(1)
[Service]
--
2.25.2
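Review bot: The new `nftables.service` entry in `Conflicts=` is symmetric under systemd, so `systemctl start nftables` now stops firewalld rather than the two coexisting, and a host where an administrator enables both ends up running whichever unit started last. That is the right outcome, since nftables.service loads a ruleset that would replace the one firewalld owns, but nothing in this change tells the administrator about it; the packaging changelog, and ideally firewalld(1) next to the existing iptables/ipset conflict note, should state that enabling nftables.service disables firewalld. A one-line `# nftables.service flushes/replaces the firewalld-managed ruleset; the two must not run together` above the `Conflicts=` line would also keep the reason with the setting.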


@ -1,44 +0,0 @@
From c9b56988eeee3da0b987adce79536ae4a4f2b6d0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 10 Dec 2019 10:15:13 -0500
Subject: [PATCH 10/37] test: check-container: add support for fedora rawhide
(cherry picked from commit 8168904f2dd1ecdec17638854e7630f2ccc90860)
(cherry picked from commit 25f35e1c400f68f33773d162d84f9a7af8aa9938)
---
src/tests/Makefile.am | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 4939fb818459..cef17b6eba4b 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -58,7 +58,25 @@ check-container-debian-sid:
make && \
make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
+check-container-fedora-rawhide:
+ (cd $(abs_top_srcdir) && tar -c . ) | \
+ $(PODMAN) run -i --rm --privileged fedora:rawhide bash -c \
+ "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \
+ dnf -y makecache && \
+ dnf -y install autoconf automake conntrack-tools desktop-file-utils \
+ docbook-style-xsl file gettext glib2-devel intltool ipset \
+ iptables iptables-nft libtool libxml2 libxslt make nftables \
+ python3-nftables python3-slip-dbus python3-gobject-base \
+ diffutils procps-ng iproute which dbus-daemon && \
+ alternatives --set ebtables /usr/sbin/ebtables-nft && \
+ ./autogen.sh && \
+ ./configure PYTHON=/usr/bin/python3 && \
+ make && \
+ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
+
check-container: check-container-debian-sid
+check-container: check-container-fedora-rawhide
.PHONY: check-container
.PHONY: check-container-debian-sid
+.PHONY: check-container-fedora-rawhide
--
2.23.0


@ -1,45 +0,0 @@
From 1fff192d3dcc8dfaf1e9f8ef4a5e427772ce23bc Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 16 Dec 2019 15:47:24 -0500
Subject: [PATCH 11/37] fix: test: leave "cleanup" for tests cases
Introduce "cleanup_late" for high level stuff not used by test cases.
(cherry picked from commit ebe4ee52658bb26d976bd2e7149c3ac1a5be65c7)
(cherry picked from commit 6068bb9ae8fca3f87edc194567909b34ee071276)
---
src/tests/functions.at | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 1bed8a4f3a6c..46bcd369864f 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -89,12 +89,13 @@ m4_define([FWD_START_TEST], [
dnl run cleanup commands on test exit
echo "" > cleanup
- trap ". ./cleanup; kill_firewalld" EXIT
+ echo "" > cleanup_late
+ trap ". ./cleanup; kill_firewalld; . ./cleanup_late" EXIT
dnl create a namespace and dbus-daemon
m4_define([CURRENT_DBUS_ADDRESS], [unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}])
m4_define([CURRENT_TEST_NS], [fwd-test-${at_group_normalized}])
- echo "ip netns delete CURRENT_TEST_NS" >> ./cleanup
+ echo "ip netns delete CURRENT_TEST_NS" >> ./cleanup_late
AT_CHECK([ip netns add CURRENT_TEST_NS])
AT_DATA([./dbus.conf], [
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
@@ -135,7 +136,7 @@ m4_define([FWD_START_TEST], [
if test $? -ne 0; then
AT_FAIL_IF([:])
fi
- echo "kill $DBUS_PID" >> ./cleanup
+ echo "kill $DBUS_PID" >> ./cleanup_late
FWD_START_FIREWALLD
])
--
2.23.0


@ -0,0 +1,390 @@
From 3564be1c8a28ac59e8a7135a1ab2a82d2e8a3c90 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 9 Apr 2020 12:49:02 -0400
Subject: [PATCH 11/45] test(dbus): zone: verify permanent config APIs
(cherry picked from commit 64d5bf1b117bc29d09b4f30cbb1c87d8559eeac0)
(cherry picked from commit a972e90b522ba11e0bd65b8d0cd1a55e1d18f9cd)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/zone_permanent_functional.at | 359 ++++++++++++++++++++
2 files changed, 360 insertions(+)
create mode 100644 src/tests/dbus/zone_permanent_functional.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index 377244460e7a..31c180dc3d3d 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -3,3 +3,4 @@ m4_include([dbus/firewalld.conf.at])
m4_include([dbus/service.at])
m4_include([dbus/zone_permanent_signatures.at])
m4_include([dbus/zone_runtime_signatures.at])
+m4_include([dbus/zone_permanent_functional.at])
diff --git a/src/tests/dbus/zone_permanent_functional.at b/src/tests/dbus/zone_permanent_functional.at
new file mode 100644
index 000000000000..2261832e00a8
--- /dev/null
+++ b/src/tests/dbus/zone_permanent_functional.at
@@ -0,0 +1,359 @@
+FWD_START_TEST([dbus api - zone permanent functional])
+AT_KEYWORDS(dbus zone gh586)
+
+dnl ####################
+dnl Global APIs
+dnl ####################
+
+DBUS_CHECK([config], [config.addZone],
+ ["foobar" dnl name
+ '("1.0", dnl version
+ "foobar", dnl short
+ "foobar zone", dnl description
+ false, dnl bogus/unused
+ "ACCEPT", dnl target
+ @<:@"ssh", "mdns"@:>@, dnl services
+ @<:@("1234", "tcp"), ("1234", "udp")@:>@, dnl ports
+ @<:@"echo-request"@:>@, dnl ICMP Blocks
+ true, dnl masquerade
+ @<:@("1234", "tcp", "4321", ""), ("1234", "udp", "4321", "10.10.10.10")@:>@, dnl forward ports
+ @<:@"dummy0", "dummy1"@:>@, dnl interfaces
+ @<:@"10.10.10.0/24"@:>@, dnl sources
+ @<:@"rule family=ipv4 source address=10.20.20.20 drop"@:>@, dnl rules_str
+ @<:@"icmp"@:>@, dnl protocols
+ @<:@("1234", "tcp"), ("1234", "udp")@:>@, dnl source ports
+ false dnl ICMP block inversion
+ )'dnl
+ ], 0, [stdout])
+DBUS_FOOBAR_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)]
+export DBUS_FOOBAR_ZONE_OBJ
+
+dnl Get Zones
+dnl
+DBUS_CHECK([config], [config.getZoneNames], [], 0, [dnl
+ [(['block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', 'public', 'trusted', 'work'],)]
+])
+DBUS_CHECK([config], [config.listZones], [], 0, [stdout])
+NS_CHECK([sed -e ["s/['][,]/'\n/g"] ./stdout |dnl
+ sed -e ["s/.*config\/zone\/\([^']\+\)['].*/\1/"] |dnl
+ while read LINE; do { echo "${LINE}" | grep ["^[0-9]\+$"] ; } || exit 1; done], 0, [ignore])
+DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout])
+NS_CHECK([sed -e ["s/.*config\/zone\/\([^']\+\)['].*/\1/"] ./stdout | grep ["^[0-9]\+$"]], 0, [ignore])
+
+dnl Interfaces
+FWD_CHECK([-q --permanent --zone public --add-interface dummy2])
+DBUS_CHECK([config], [config.getZoneOfInterface], ["dummy2"], 0, [dnl
+ ('public',)
+])
+FWD_CHECK([-q --permanent --zone public --remove-interface dummy2])
+
+dnl Sources
+FWD_CHECK([-q --permanent --zone public --add-source 10.20.20.0/24])
+DBUS_CHECK([config], [config.getZoneOfSource], ["10.20.20.0/24"], 0, [dnl
+ ('public',)
+])
+FWD_CHECK([-q --permanent --zone public --remove-source 10.20.20.0/24])
+
+dnl ####################
+dnl Zone object APIs
+dnl ####################
+
+DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.getSettings], [], 0, [dnl
+ (('1.0', dnl version
+ 'foobar', dnl short
+ 'foobar zone', dnl description
+ false, dnl bogus/unused
+ 'ACCEPT', dnl target
+ @<:@'ssh', 'mdns'@:>@, dnl services
+ @<:@('1234', 'tcp'), ('1234', 'udp')@:>@, dnl ports
+ @<:@'echo-request'@:>@, dnl ICMP Blocks
+ true, dnl masquerade
+ @<:@('1234', 'tcp', '4321', ''), ('1234', 'udp', '4321', '10.10.10.10')@:>@, dnl forward ports
+ @<:@'dummy0', 'dummy1'@:>@, dnl interfaces
+ @<:@'10.10.10.0/24'@:>@, dnl sources
+ @<:@'rule family="ipv4" source address="10.20.20.20" drop'@:>@, dnl rules_str
+ @<:@'icmp'@:>@, dnl protocols
+ @<:@('1234', 'tcp'), ('1234', 'udp')@:>@, dnl source ports
+ false),)
+])
+
+dnl Verify update works
+dnl
+DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.update], [dnl
+ '("1.1", dnl version
+ "foobar v2", dnl short
+ "foobar zone updated", dnl description
+ false, dnl bogus/unused
+ "ACCEPT", dnl target
+ @<:@"ssh", "mdns", "samba"@:>@, dnl services
+ @<:@("1234", "tcp"), ("4444", "udp")@:>@, dnl ports
+ @<:@"echo-request", "echo-reply"@:>@, dnl ICMP Blocks
+ false, dnl masquerade
+ @<:@("1234", "tcp", "4321", "")@:>@, dnl forward ports
+ @<:@"dummy0", "dummy1", "dummy2"@:>@, dnl interfaces
+ @<:@"10.10.10.0/24", "10.20.0.0/16"@:>@, dnl sources
+ @<:@"rule family=ipv4 source address=10.20.20.20 reject"@:>@, dnl rules_str
+ @<:@"icmp", "ipv6-icmp"@:>@, dnl protocols
+ @<:@("1234", "tcp"), ("6666", "udp")@:>@, dnl source ports
+ true dnl ICMP block inversion
+ )'dnl
+ ], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.getSettings], [], 0, [dnl
+ (('1.1', dnl version
+ 'foobar v2', dnl short
+ 'foobar zone updated', dnl description
+ false, dnl bogus/unused
+ 'ACCEPT', dnl target
+ @<:@'ssh', 'mdns', 'samba'@:>@, dnl services
+ @<:@('1234', 'tcp'), ('4444', 'udp')@:>@, dnl ports
+ @<:@'echo-request', 'echo-reply'@:>@, dnl ICMP Blocks
+ false, dnl masquerade
+ @<:@('1234', 'tcp', '4321', '')@:>@, dnl forward ports
+ @<:@'dummy0', 'dummy1', 'dummy2'@:>@, dnl interfaces
+ @<:@'10.10.10.0/24', '10.20.0.0/16'@:>@, dnl sources
+ @<:@'rule family="ipv4" source address="10.20.20.20" reject'@:>@, dnl rules_str
+ @<:@'icmp', 'ipv6-icmp'@:>@, dnl protocols
+ @<:@('1234', 'tcp'), ('6666', 'udp')@:>@, dnl source ports
+ true),)
+])
+
+dnl Rename
+DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.rename], ["foobar-renamed"], 0, [ignore])
+DBUS_CHECK([config], [config.getZoneByName], ["foobar-renamed"], 0, [ignore])
+
+dnl Remove
+DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.remove], [], 0, [ignore])
+DBUS_CHECK([config], [config.getZoneByName], ["foobar-renamed"], 1, [ignore], [ignore])
+
+dnl Get a reference to the public zone. We'll use for the rest of the tests.
+DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout])
+DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)]
+export DBUS_PUBLIC_ZONE_OBJ
+
+dnl loadDefaults
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.loadDefaults], [], 0, [ignore])
+
+dnl Version
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getVersion], [], 0, [dnl
+ ('',)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setVersion], ["1.1"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getVersion], [], 0, [dnl
+ ('1.1',)
+])
+
+dnl Short
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getShort], [], 0, [dnl
+ ('Public',)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setShort], ["Public updated"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getShort], [], 0, [dnl
+ ('Public updated',)
+])
+
+dnl Description
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getDescription], [], 0, [dnl
+ ('For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.',)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setDescription], ["A shorter description."], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getDescription], [], 0, [dnl
+ ('A shorter description.',)
+])
+
+dnl Target
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getTarget], [], 0, [dnl
+ ('default',)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setTarget], ["ACCEPT"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getTarget], [], 0, [dnl
+ ('ACCEPT',)
+])
+
+dnl Interfaces
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addInterface], ["dummy0"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryInterface], ["dummy0"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryInterface], ["dummy1"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setInterfaces], [['["dummy0", "dummy1"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getInterfaces], [], 0, [dnl
+ [(['dummy0', 'dummy1'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeInterface], ["dummy0"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getInterfaces], [], 0, [dnl
+ [(['dummy1'],)]
+])
+
+dnl Sources
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addSource], ["10.10.10.0/24"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySource], ["10.10.10.0/24"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySource], ["10.20.20.0/24"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setSources], [['["10.10.10.0/24", "10.20.20.0/24"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSources], [], 0, [dnl
+ [(['10.10.10.0/24', '10.20.20.0/24'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeSource], ["10.10.10.0/24"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSources], [], 0, [dnl
+ [(['10.20.20.0/24'],)]
+])
+
+dnl Services
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addService], ["samba"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryService], ["samba"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryService], ["https"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setServices], [['["samba", "https"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getServices], [], 0, [dnl
+ [(['samba', 'https'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeService], ["samba"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getServices], [], 0, [dnl
+ [(['https'],)]
+])
+
+dnl Ports
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addPort], ["1234" "tcp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryPort], ["1234" "tcp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryPort], ["4321" "udp"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setPorts], [['[("1234", "tcp"), ("4321", "udp")]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getPorts], [], 0, [dnl
+ [([('1234', 'tcp'), ('4321', 'udp')],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removePort], ["1234" "tcp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getPorts], [], 0, [dnl
+ [([('4321', 'udp')],)]
+])
+
+dnl Source Ports
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addSourcePort], ["1234" "tcp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySourcePort], ["1234" "tcp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySourcePort], ["4321" "udp"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setSourcePorts], [['[("1234", "tcp"), ("4321", "udp")]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSourcePorts], [], 0, [dnl
+ [([('1234', 'tcp'), ('4321', 'udp')],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeSourcePort], ["1234" "tcp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSourcePorts], [], 0, [dnl
+ [([('4321', 'udp')],)]
+])
+
+dnl Forward Ports
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addForwardPort], ["1234" "tcp" "1111" ""], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryForwardPort], ["1234" "tcp" "1111" ""], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryForwardPort], ["4321" "udp" "4444" "10.10.10.10"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setForwardPorts], [['[("1234", "tcp", "1111", ""), ("4321", "udp", "4444", "10.10.10.10")]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getForwardPorts], [], 0, [dnl
+ [([('1234', 'tcp', '1111', ''), ('4321', 'udp', '4444', '10.10.10.10')],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeForwardPort], ["1234" "tcp" "1111" ""], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getForwardPorts], [], 0, [dnl
+ [([('4321', 'udp', '4444', '10.10.10.10')],)]
+])
+
+dnl Protocols
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addProtocol], ["icmp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryProtocol], ["icmp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryProtocol], ["igmp"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setProtocols], [['["icmp", "igmp"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getProtocols], [], 0, [dnl
+ [(['icmp', 'igmp'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeProtocol], ["icmp"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getProtocols], [], 0, [dnl
+ [(['igmp'],)]
+])
+
+dnl Masquerade
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryMasquerade], [], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addMasquerade], [], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryMasquerade], [], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setMasquerade], [true], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getMasquerade], [], 0, [dnl
+ [(true,)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeMasquerade], [], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getMasquerade], [], 0, [dnl
+ [(false,)]
+])
+
+dnl ICMP Block
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addIcmpBlock], ["echo-reply"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlock], ["echo-reply"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlock], ["echo-request"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setIcmpBlocks], [['["echo-reply", "echo-request"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlocks], [], 0, [dnl
+ [(['echo-reply', 'echo-request'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeIcmpBlock], ["echo-reply"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlocks], [], 0, [dnl
+ [(['echo-request'],)]
+])
+
+dnl ICMP Block Inversion
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlockInversion], [], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addIcmpBlockInversion], [], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlockInversion], [], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setIcmpBlockInversion], [true], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlockInversion], [], 0, [dnl
+ [(true,)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeIcmpBlockInversion], [], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlockInversion], [], 0, [dnl
+ [(false,)]
+])
+
+dnl Rich Rules
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryRichRule], ["rule family=ipv4 source address=10.20.20.0/24 drop"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setRichRules], [['["rule family=ipv4 source address=10.10.10.0/24 accept", "rule family=ipv4 source address=10.20.20.0/24 drop"]']], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getRichRules], [], 0, [dnl
+ [(['rule family="ipv4" source address="10.10.10.0/24" accept', 'rule family="ipv4" source address="10.20.20.0/24" drop'],)]
+])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [ignore])
+DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getRichRules], [], 0, [dnl
+ [(['rule family="ipv4" source address="10.20.20.0/24" drop'],)]
+])
+
+FWD_END_TEST([-e '/ERROR: INVALID_ZONE: foobar-renamed/d'])
--
2.27.0


@ -0,0 +1,328 @@
From 069fbf5bda85526cdae9cf684a61c49d6961c065 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 9 Apr 2020 14:03:48 -0400
Subject: [PATCH 12/45] test(dbus): zone: verify runtime config APIs
(cherry picked from commit b1e7a3843f7c6dfc31ac3ac38cc938bd8ece7c6c)
(cherry picked from commit 2bc363979f3223ed0b98f027c96d8af7c3d79211)
---
src/tests/dbus/dbus.at | 1 +
src/tests/dbus/zone_runtime_functional.at | 297 ++++++++++++++++++++++
2 files changed, 298 insertions(+)
create mode 100644 src/tests/dbus/zone_runtime_functional.at
diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at
index 31c180dc3d3d..d9f7a2953131 100644
--- a/src/tests/dbus/dbus.at
+++ b/src/tests/dbus/dbus.at
@@ -4,3 +4,4 @@ m4_include([dbus/service.at])
m4_include([dbus/zone_permanent_signatures.at])
m4_include([dbus/zone_runtime_signatures.at])
m4_include([dbus/zone_permanent_functional.at])
+m4_include([dbus/zone_runtime_functional.at])
diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at
new file mode 100644
index 000000000000..d0098dfdff65
--- /dev/null
+++ b/src/tests/dbus/zone_runtime_functional.at
@@ -0,0 +1,297 @@
+FWD_START_TEST([dbus api - zone permanent functional])
+AT_KEYWORDS(dbus zone gh586)
+
+dnl ####################
+dnl Global APIs
+dnl ####################
+
+DBUS_CHECK([], [getZoneSettings], ["public"], 0, [dnl
+ (('', dnl version
+ 'Public', dnl short
+ 'For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.', dnl description
+ false, dnl bogus/unused
+ 'default', dnl target
+ @<:@'ssh', 'dhcpv6-client', 'cockpit'@:>@, dnl services
+ @a(ss) @<:@@:>@, dnl ports
+ @as @<:@@:>@, dnl ICMP Blocks
+ false, dnl masquerade
+ @a(ssss) @<:@@:>@, dnl forward ports
+ @as @<:@@:>@, dnl interfaces
+ @as @<:@@:>@, dnl sources
+ @as @<:@@:>@, dnl rules_str
+ @as @<:@@:>@, dnl protocols
+ @a(ss) @<:@@:>@, dnl source ports
+ false),)
+])
+
+dnl Default Zone
+DBUS_CHECK([], [getDefaultZone], [], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [setDefaultZone], ['drop'], 0, [dnl
+ ()
+])
+DBUS_CHECK([], [getDefaultZone], [], 0, [dnl
+ ('drop',)
+])
+
+dnl Fetching Zones
+DBUS_CHECK([], [zone.getZones], [], 0, [dnl
+ [(['block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'],)]
+])
+FWD_CHECK([-q --zone public --add-interface dummy0])
+FWD_CHECK([-q --zone public --add-source 10.1.1.1])
+DBUS_CHECK([], [zone.getActiveZones], [], 0, [dnl
+ ['public': {'interfaces': ['dummy0'], 'sources': ['10.1.1.1']}]
+])
+FWD_CHECK([-q --zone public --remove-interface dummy0])
+FWD_CHECK([-q --zone public --remove-source 10.1.1.1])
+
+dnl Interfaces/Sources
+FWD_CHECK([-q --zone public --add-interface dummy1])
+DBUS_CHECK([], [zone.getZoneOfInterface], ["dummy1"], 0, [dnl
+ ('public',)
+])
+FWD_CHECK([-q --zone public --remove-interface dummy1])
+FWD_CHECK([-q --zone drop --add-source 10.10.10.0/24])
+DBUS_CHECK([], [zone.getZoneOfSource], ["10.10.10.0/24"], 0, [dnl
+ ('drop',)
+])
+FWD_CHECK([-q --zone drop --remove-source 10.10.10.0/24])
+
+dnl ####################
+dnl Zone Individual APIs
+dnl ####################
+
+dnl isImmutable
+DBUS_CHECK([], [zone.isImmutable], ["public"], 0, [dnl
+ (false,)
+])
+
+dnl Interfaces
+DBUS_CHECK([], [zone.addInterface], ["public" "dummy0"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.changeZone], ["drop" "dummy0"], 0, [dnl
+ ('drop',)
+])
+DBUS_CHECK([], [zone.queryInterface], ["public" "dummy0"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([], [zone.queryInterface], ["drop" "dummy0"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.changeZoneOfInterface], ["public" "dummy0"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryInterface], ["public" "dummy0"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.queryInterface], ["drop" "dummy0"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([], [zone.addInterface], ["public" "dummy1"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getInterfaces], ["public"], 0, [dnl
+ [(['dummy0', 'dummy1'],)]
+])
+DBUS_CHECK([], [zone.removeInterface], ["public" "dummy0"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getInterfaces], ["public"], 0, [dnl
+ [(['dummy1'],)]
+])
+
+dnl Sources
+DBUS_CHECK([], [zone.addSource], ["public" "10.10.10.0/24"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.changeZoneOfSource], ["drop" "10.10.10.0/24"], 0, [dnl
+ ('drop',)
+])
+DBUS_CHECK([], [zone.querySource], ["public" "10.10.10.0/24"], 0, [dnl
+ (false,)
+])
+DBUS_CHECK([], [zone.querySource], ["drop" "10.10.10.0/24"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.changeZoneOfSource], ["public" "10.10.10.0/24"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.addSource], ["public" "10.20.0.0/16"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getSources], ["public"], 0, [dnl
+ [(['10.10.10.0/24', '10.20.0.0/16'],)]
+])
+DBUS_CHECK([], [zone.removeSource], ["public" "10.10.10.0/24"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getSources], ["public"], 0, [dnl
+ [(['10.20.0.0/16'],)]
+])
+
+dnl Services
+DBUS_CHECK([], [zone.addService], ["public" "samba" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryService], ["public" "samba"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.getServices], ["public"], 0, [dnl
+ [(['ssh', 'dhcpv6-client', 'cockpit', 'samba'],)]
+])
+DBUS_CHECK([], [zone.removeService], ["public" "samba"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryService], ["public" "samba"], 0, [dnl
+ (false,)
+])
+
+dnl Protocols
+DBUS_CHECK([], [zone.addProtocol], ["public" "icmp" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryProtocol], ["public" "icmp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.getProtocols], ["public"], 0, [dnl
+ [(['icmp'],)]
+])
+DBUS_CHECK([], [zone.removeProtocol], ["public" "icmp"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryProtocol], ["public" "icmp"], 0, [dnl
+ (false,)
+])
+
+dnl Ports
+DBUS_CHECK([], [zone.addPort], ["public" "1234" "tcp" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryPort], ["public" "1234" "tcp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.addPort], ["public" "4321" "udp" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getPorts], ["public"], 0, [dnl
+ [([['1234', 'tcp'], ['4321', 'udp']],)]
+])
+DBUS_CHECK([], [zone.removePort], ["public" "1234" "tcp"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryPort], ["public" "1234" "tcp"], 0, [dnl
+ (false,)
+])
+
+dnl Source Ports
+DBUS_CHECK([], [zone.addSourcePort], ["public" "1234" "tcp" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.querySourcePort], ["public" "1234" "tcp"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.addSourcePort], ["public" "4321" "udp" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getSourcePorts], ["public"], 0, [dnl
+ [([['1234', 'tcp'], ['4321', 'udp']],)]
+])
+DBUS_CHECK([], [zone.removeSourcePort], ["public" "1234" "tcp"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.querySourcePort], ["public" "1234" "tcp"], 0, [dnl
+ (false,)
+])
+
+dnl Forward Ports
+DBUS_CHECK([], [zone.addForwardPort], ["public" "1234" "tcp" "1111" "" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.addForwardPort], ["public" "4321" "udp" "4444" "10.10.10.10" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getForwardPorts], ["public"], 0, [dnl
+ [([['1234', 'tcp', '1111', ''], ['4321', 'udp', '4444', '10.10.10.10']],)]
+])
+DBUS_CHECK([], [zone.removeForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl
+ (false,)
+])
+
+dnl Masquerade
+DBUS_CHECK([], [zone.addMasquerade], ["public" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryMasquerade], ["public"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.removeMasquerade], ["public"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryMasquerade], ["public"], 0, [dnl
+ (false,)
+])
+
+dnl ICMP Block
+DBUS_CHECK([], [zone.addIcmpBlock], ["public" "echo-reply" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryIcmpBlock], ["public" "echo-reply"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.addIcmpBlock], ["public" "echo-request" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getIcmpBlocks], ["public"], 0, [dnl
+ [(['echo-reply', 'echo-request'],)]
+])
+DBUS_CHECK([], [zone.removeIcmpBlock], ["public" "echo-reply"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryIcmpBlock], ["public" "echo-reply"], 0, [dnl
+ (false,)
+])
+
+dnl ICMP Block Inversion
+DBUS_CHECK([], [zone.addIcmpBlockInversion], ["public"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryIcmpBlockInversion], ["public"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.removeIcmpBlockInversion], ["public"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryIcmpBlockInversion], ["public"], 0, [dnl
+ (false,)
+])
+
+dnl Rich Rules
+DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl
+ (true,)
+])
+DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept" 0], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl
+ [(['rule family="ipv4" source address="10.10.10.10" accept', 'rule family="ipv4" source address="20.20.20.20" accept'],)]
+])
+DBUS_CHECK([], [zone.removeRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl
+ ('public',)
+])
+DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl
+ (false,)
+])
+
+FWD_END_TEST
--
2.27.0
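Review bot: The autotest group at the top of the new zone_runtime_functional.at is titled `FWD_START_TEST([dbus api - zone permanent functional])`, which is the title of the sibling permanent-config test, although the patch subject and every check in this file exercise the runtime `zone.*` APIs; it should read `FWD_START_TEST([dbus api - zone runtime functional])` so the two groups can be told apart in the testsuite log. The `getZoneSettings` expectation near the start pins the public zone's service list as `'ssh', 'dhcpv6-client', 'cockpit'`, which only holds with the RHEL-only cockpit-by-default patch earlier in this series applied; a `dnl` line such as `dnl cockpit is present due to the RHEL-only zone default patch` next to that expectation would explain the divergence from upstream to whoever rebases it. The rest of the file looks consistent with the permanent variant.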


@ -1,129 +0,0 @@
From 8a1ee3a46ca31d36e1b5702971d8f0b6240edc93 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 19 Nov 2019 15:31:28 -0500
Subject: [PATCH 12/37] test: functions: new macros for starting/stopping
NetworkManager
(cherry picked from commit fd99d328cf9713445428d4b8c4317377ee494981)
(cherry picked from commit 689c833fc83e2f858792f7f5e979b413421a8e0d)
---
src/tests/functions.at | 85 +++++++++++++++++++++++++++++++++++++++++-
1 file changed, 84 insertions(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 46bcd369864f..f59eef80c348 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -34,6 +34,48 @@ m4_define([FWD_START_FIREWALLD], [
AT_FAIL_IF([test $up -ne 1])
])
+m4_define([START_NETWORKMANAGER], [
+ AT_SKIP_IF([! NS_CMD([which NetworkManager >/dev/null 2>&1])])
+ AT_SKIP_IF([! NS_CMD([which nmcli >/dev/null 2>&1])])
+
+ AT_DATA([./NetworkManager.conf], [dnl
+[[main]]
+plugins=
+
+[[logging]]
+#level=DEBUG
+#domains=ALL
+])
+
+ NM_ARGS="--no-daemon --config ./NetworkManager.conf"
+ NS_CMD([NetworkManager $NM_ARGS &])
+ if test $? -ne 0; then
+ AT_FAIL_IF([:])
+ fi
+ echo "$!" > networkmanager.pid
+
+ dnl Give it some time for the dbus interface to come up
+ up=0
+ for I in 1 2 3 4 5 6 7 8 9 0; do
+ if NS_CMD([nmcli general status >/dev/null 2>&1]); then
+ up=1
+ break
+ fi
+ sleep 1
+ done
+ AT_FAIL_IF([test $up -ne 1])
+])
+
+m4_define([STOP_NETWORKMANAGER], [
+ pid=$(< networkmanager.pid)
+ kill $pid
+ for I in 1 2 3 4 5 6 7 8 9 0; do
+ ps --pid $pid >/dev/null || { pid=0; break; }
+ sleep 1
+ done
+ test $pid -eq 0 || { kill -9 $pid; sleep 3; }
+])
+
m4_define([FWD_RELOAD], [
FWD_CHECK([-q --reload], [$1], [$2], [$3])
FWD_CHECK([-q --state], [$4], [$5], [$6])
@@ -86,11 +128,16 @@ m4_define([FWD_START_TEST], [
function kill_firewalld() {
FWD_STOP_FIREWALLD
}
+ function kill_networkmanager() {
+ if test -f networkmanager.pid; then
+ STOP_NETWORKMANAGER
+ fi
+ }
dnl run cleanup commands on test exit
echo "" > cleanup
echo "" > cleanup_late
- trap ". ./cleanup; kill_firewalld; . ./cleanup_late" EXIT
+ trap ". ./cleanup; kill_firewalld; kill_networkmanager; . ./cleanup_late" EXIT
dnl create a namespace and dbus-daemon
m4_define([CURRENT_DBUS_ADDRESS], [unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}])
@@ -130,6 +177,42 @@ m4_define([FWD_START_TEST], [
send_interface="org.freedesktop.DBus.Properties"/>
<allow send_destination="org.fedoraproject.FirewallD1.config"/>
</policy>
+
+ <!-- from org.freedesktop.NetworkManager.conf -->
+ <policy user="root">
+ <allow own="org.freedesktop.NetworkManager"/>
+ <allow send_destination="org.freedesktop.NetworkManager"/>
+
+ <allow send_destination="org.freedesktop.NetworkManager"
+ send_interface="org.freedesktop.NetworkManager.PPP"/>
+
+ <allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
+ <!-- These are there because some broken policies do
+ <deny send_interface="..." /> (see dbus-daemon(8) for details).
+ This seems to override that for the known VPN plugins.
+ -->
+ <allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
+ <allow send_destination="org.freedesktop.NetworkManager.openswan"/>
+ <allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
+ <allow send_destination="org.freedesktop.NetworkManager.pptp"/>
+ <allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
+ <allow send_destination="org.freedesktop.NetworkManager.ssh"/>
+ <allow send_destination="org.freedesktop.NetworkManager.iodine"/>
+ <allow send_destination="org.freedesktop.NetworkManager.l2tp"/>
+ <allow send_destination="org.freedesktop.NetworkManager.libreswan"/>
+ <allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/>
+ <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
+ <allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
+
+ <allow send_destination="org.fedoraproject.FirewallD1"/>
+
+ <!-- Allow the custom name for the dnsmasq instance spawned by NM
+ from the dns dnsmasq plugin to own it's dbus name, and for
+ messages to be sent to it.
+ -->
+ <allow own="org.freedesktop.NetworkManager.dnsmasq"/>
+ <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
+ </policy>
</busconfig>
])
DBUS_PID=`NS_CMD([dbus-daemon --address="CURRENT_DBUS_ADDRESS" --print-pid --config-file="./dbus.conf"])`
--
2.23.0


@ -0,0 +1,45 @@
From 54b9d3c0aab51a598162ccd58152861730b9cee7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 29 Apr 2020 08:08:21 -0400
Subject: [PATCH 13/45] fix(direct): rule in a zone chain
Fixes: rhbz 1829104
Fixes: 3c439c9008ad ("chore: eliminate FirewallZoneTransaction class")
(cherry picked from commit f2941a82592b2ac6e9001b0d0f6c321fcb704005)
(cherry picked from commit f1d8753487e99ed8b3b036df36bedb861db00e65)
---
src/firewall/core/fw_zone.py | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 59c9401c1060..5677effab146 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -188,7 +188,7 @@ class FirewallZone(object):
if splits[1] not in self.get_zones():
return None
if len(splits) == 2 or \
- (len(splits) == 3 and splits[2] in [ "log", "deny", "allow" ]):
+ (len(splits) == 3 and splits[2] in [ "pre", "log", "deny", "allow", "post" ]):
return (splits[1], _chain)
return None
@@ -200,14 +200,12 @@ class FirewallZone(object):
x = self.zone_from_chain(chain)
if x is not None:
(_zone, _chain) = x
-
if use_transaction is None:
transaction = self.new_transaction()
else:
transaction = use_transaction
- self.gen_chain_rules(_zone, True, [(table, _chain)],
- transaction)
+ self.gen_chain_rules(_zone, True, table, _chain, transaction)
if use_transaction is None:
transaction.execute(True)
--
2.27.0
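Review bot: The widened suffix list `[ "pre", "log", "deny", "allow", "post" ]` in the first hunk is the only place that spells out which per-zone sub-chains a direct rule may target, and nothing ties it to the code that creates those sub-chains; a comment on that line such as `# sub-chain suffixes of a zone chain; presumably must match what gen_chain_rules() emits` would stop the two from drifting apart again, which is apparently what produced this bug. In the second hunk the `gen_chain_rules` call changes from a list of `(table, chain)` pairs to positional `table, _chain`; the new signature is not visible here, so I cannot confirm the argument order. Both enclosing functions (`zone_from_chain` and the caller in the second hunk) start and end outside these hunks.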


@ -1,30 +0,0 @@
From 520420aa83eda967cdb8b30527886eed5dcec8fe Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 19 Nov 2019 13:14:45 -0500
Subject: [PATCH 13/37] test: functions: add macro NMCLI_CHECK
Useful for NetworkManager integration tests.
(cherry picked from commit 608f00749967ba71b04c4cbb86f5877382aaee07)
(cherry picked from commit ca41c60bde8897d218e1046fab2549278a3105da)
---
src/tests/functions.at | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index f59eef80c348..e79557350558 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -586,3 +586,9 @@ m4_define([IF_HOST_SUPPORTS_IPV6_RULES], [
IF_HOST_SUPPORTS_IP6TABLES([$1], [$2])
])])
])
+
+m4_define([NMCLI_CHECK], [
+ AT_SKIP_IF([! NS_CMD([nmcli connection show >/dev/null 2>&1])])
+ NS_CHECK([PIPESTATUS0([nmcli $1], [TRIM_WHITESPACE])],
+ [$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6])
+])
--
2.23.0


@ -1,100 +0,0 @@
From a49f1e42bc8ac34df7790446e3a421d376c4d216 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 16 Dec 2019 13:11:24 -0500
Subject: [PATCH 14/37] test: build: support integration tests
These use the target "check-integration". We use a separate target
because these tests may be destructive to the host. The plan is to run
them from within the "check-container" target.
(cherry picked from commit ab6c22b8419f5eb333484376ea41d592c809eb2a)
(cherry picked from commit 50c393d5618bf34110b59a3805963444e5f41e3a)
---
Makefile.am | 4 +++-
src/tests/Makefile.am | 17 ++++++++++++++++-
src/tests/integration/testsuite.at | 11 +++++++++++
3 files changed, 30 insertions(+), 2 deletions(-)
create mode 100644 src/tests/integration/testsuite.at
diff --git a/Makefile.am b/Makefile.am
index c377d6f63792..85da0b5857d2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -78,9 +78,11 @@ dist-check:
exit 1; \
fi
-check-container:
+check-container check-integration installcheck-integration:
$(MAKE) -C src/tests $@
+.PHONY: check-container check-integration installcheck-integration
+
update-docs:
$(MAKE) -C doc/xml
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index cef17b6eba4b..c00c198bf9bb 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -1,12 +1,16 @@
TESTSUITE = $(srcdir)/testsuite
+TESTSUITE_INTEGRATION = $(srcdir)/integration/testsuite
+
TESTSUITE_FILES = \
$(wildcard $(srcdir)/*.at) \
$(wildcard $(srcdir)/dbus/*.at) \
$(wildcard $(srcdir)/features/*.at) \
+ $(wildcard $(srcdir)/integration/*.at) \
$(wildcard $(srcdir)/regression/*.at)
EXTRA_DIST = \
$(TESTSUITE) \
+ $(TESTSUITE_INTEGRATION) \
$(TESTSUITE_FILES) \
$(wildcard $(srcdir)/python/*.py) \
$(srcdir)/package.m4 \
@@ -38,7 +42,7 @@ clean-local:
AUTOM4TE = $(SHELL) $(top_srcdir)/missing --run autom4te
AUTOTEST = $(AUTOM4TE) --language=autotest
-$(TESTSUITE): $(TESTSUITE_FILES) $(srcdir)/package.m4
+$(TESTSUITE) $(TESTSUITE_INTEGRATION): $(TESTSUITE_FILES) $(srcdir)/package.m4
$(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at
mv $@.tmp $@
@@ -80,3 +84,14 @@ check-container: check-container-fedora-rawhide
.PHONY: check-container
.PHONY: check-container-debian-sid
.PHONY: check-container-fedora-rawhide
+
+check-integration: atconfig atlocal $(TESTSUITE_INTEGRATION)
+ $(SHELL) '$(TESTSUITE_INTEGRATION)' $(TESTSUITEFLAGS) \
+ AUTOTEST_PATH="src" \
+ PYTHONPATH="${abs_top_srcdir}/src:${PYTHONPATH}" \
+ FIREWALLD_DEFAULT_CONFIG="${abs_top_srcdir}/config"
+
+installcheck-integration: atconfig atlocal $(TESTSUITE_INTEGRATION)
+ $(SHELL) '$(TESTSUITE_INTEGRATION)' $(TESTSUITEFLAGS)
+
+.PHONY: check-integration installcheck-integration
diff --git a/src/tests/integration/testsuite.at b/src/tests/integration/testsuite.at
new file mode 100644
index 000000000000..bbaf07a191b9
--- /dev/null
+++ b/src/tests/integration/testsuite.at
@@ -0,0 +1,11 @@
+AT_INIT
+AT_COLOR_TESTS
+
+dnl Override m4_include to avoid warning about inclusion
+dnl
+m4_define([m4_include], [m4_builtin([include], [$1])])
+
+m4_include([functions.at])
+
+m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+])
--
2.23.0


@ -0,0 +1,88 @@
From 162e697cf86947e7ff54a05570146b5b75321e97 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 29 Apr 2020 08:00:35 -0400
Subject: [PATCH 14/45] test(direct): rule in a zone chain
Coverage for rhbz 1829104.
(cherry picked from commit f88617bb205c6891d4f9c1d5231ddf356a3bd59f)
(cherry picked from commit c9f519adea34ec29e262713a543f2b086fb9ffa7)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1829104.at | 55 +++++++++++++++++++++++++++++
2 files changed, 56 insertions(+)
create mode 100644 src/tests/regression/rhbz1829104.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 2528ddd3fede..c3a5706c6406 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -28,3 +28,4 @@ m4_include([regression/gh567.at])
m4_include([regression/rhbz1779835.at])
m4_include([regression/gh330.at])
m4_include([regression/gh599.at])
+m4_include([regression/rhbz1829104.at])
diff --git a/src/tests/regression/rhbz1829104.at b/src/tests/regression/rhbz1829104.at
new file mode 100644
index 000000000000..45659eb3c3df
--- /dev/null
+++ b/src/tests/regression/rhbz1829104.at
@@ -0,0 +1,55 @@
+m4_if(iptables, FIREWALL_BACKEND, [
+FWD_START_TEST([direct rule in zone chain])
+AT_KEYWORDS(direct rhbz1829104)
+
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT])
+
+FWD_END_TEST
+])
--
2.27.0
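Review bot: Every check in the new rhbz1829104.at only asserts that `--direct --add-rule` exits 0; nothing verifies that the rule was actually installed in the zone sub-chain, so a regression that silently accepts the rule but fails to generate the chain would still pass. Following at least one of the `_pre`/`_post` additions with a query, e.g. `FWD_CHECK([--direct --query-rule ipv4 filter IN_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT], 0, [ignore])`, would pin the fixed behaviour rather than just the absence of an error. The whole group is wrapped in `m4_if(iptables, FIREWALL_BACKEND, [...])`, which means the nftables run of the suite gets no coverage for this fix; if that is intentional because direct rules are iptables-only, a `dnl` comment stating so would save the next reader from wondering.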


@ -0,0 +1,36 @@
From 1eb5d5c57edb6e35895fa4ae4314f652da423d92 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 24 Apr 2020 11:27:10 -0400
Subject: [PATCH 15/45] fix(client): addService needs to reduce tuple size
The dbus API only allows 8 elements. Reduce the tuple to the correct
size as it's common for clients to do
settings = FirewallClientServiceSettings()
[..]
addService(settings.settings)
(cherry picked from commit e2ab8a6e584e6ba2adb0a5e0a13fbb6d7eb39b0c)
(cherry picked from commit 3eae583907a953b71df16747bbabefd24fbdc3ab)
---
src/firewall/client.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/firewall/client.py b/src/firewall/client.py
index efe5d7db1273..ea27c0186509 100644
--- a/src/firewall/client.py
+++ b/src/firewall/client.py
@@ -2488,7 +2488,9 @@ class FirewallClientConfig(object):
elif type(settings) is dict:
path = self.fw_config.addService2(name, settings)
else:
- path = self.fw_config.addService(name, tuple(settings))
+ # tuple based dbus API has 8 elements. Slice what we're given down
+ # to the expected size.
+ path = self.fw_config.addService(name, tuple(settings[:8]))
return FirewallClientConfigService(self.bus, path)
# icmptype
--
2.27.0
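Review bot: The new `settings[:8]` slice in the `else` branch assumes `settings` is a sequence, while the replaced `tuple(settings)` accepted any iterable, so a caller handing in a generator or other non-indexable iterable now gets a `TypeError` from the slice; materialising first keeps the old acceptance: `settings = tuple(settings)` followed by `path = self.fw_config.addService(name, settings[:8])`. The slice also discards every element past the eighth without any notice, so a caller that relied on those trailing fields (presumably the ones only the dict-based `addService2` path carries) would see them vanish silently; the comment above the call should state that, e.g. `# Elements beyond the eighth cannot be expressed in the tuple API and are dropped; pass a dict to reach addService2 with them.` The enclosing method starts outside the hunk.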

@ -1,72 +0,0 @@
From f8283f747843e50d6d088bc864ae232744a085d5 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 16 Dec 2019 13:33:08 -0500
Subject: [PATCH 15/37] test: integration: NM zone overrides interface on
reload
Coverage for rhbz 1773809
(cherry picked from commit ea97fb2bde6fb683b1ba2c41882d6d4f63299255)
(cherry picked from commit 04b8394c0a8344d5225b0716e23dc0558d2fc594)
---
src/tests/integration/networkmanager.at | 2 ++
src/tests/integration/rhbz1773809.at | 27 +++++++++++++++++++++++++
src/tests/integration/testsuite.at | 1 +
3 files changed, 30 insertions(+)
create mode 100644 src/tests/integration/networkmanager.at
create mode 100644 src/tests/integration/rhbz1773809.at
diff --git a/src/tests/integration/networkmanager.at b/src/tests/integration/networkmanager.at
new file mode 100644
index 000000000000..08cf6d28451a
--- /dev/null
+++ b/src/tests/integration/networkmanager.at
@@ -0,0 +1,2 @@
+AT_BANNER([NetworkManager (FIREWALL_BACKEND)])
+m4_include([integration/rhbz1773809.at])
diff --git a/src/tests/integration/rhbz1773809.at b/src/tests/integration/rhbz1773809.at
new file mode 100644
index 000000000000..e58a4337c716
--- /dev/null
+++ b/src/tests/integration/rhbz1773809.at
@@ -0,0 +1,27 @@
+FWD_START_TEST([NM overrides interface on reload])
+AT_KEYWORDS(zone reload rhbz1773809)
+
+START_NETWORKMANAGER
+
+NMCLI_CHECK([connection add type dummy con-name dummy0 ifname dummy0 ip4 10.0.0.2 gw4 10.0.0.1], 0, [ignore])
+echo NS_CMD([nmcli connection delete dummy0]) >> ./cleanup
+NMCLI_CHECK([connection show dummy0], 0, [ignore])
+NMCLI_CHECK([connection up dummy0], 0, [ignore])
+
+dnl Use firewall-offline-cmd otherwise the request will be forwarded to
+dnl NetworkManager.
+FWD_OFFLINE_CHECK([-q --zone internal --add-interface dummy0])
+FWD_RELOAD
+
+dnl firewall-cmd should forward the request to NetworkManager.
+FWD_CHECK([-q --permanent --zone trusted --change-interface dummy0])
+NMCLI_CHECK([-f connection.zone connection show dummy0], 0, [dnl
+connection.zone: trusted
+])
+
+FWD_RELOAD
+FWD_CHECK([--get-zone-of-interface dummy0], 0, [dnl
+trusted
+])
+
+FWD_END_TEST
diff --git a/src/tests/integration/testsuite.at b/src/tests/integration/testsuite.at
index bbaf07a191b9..6c957033bae2 100644
--- a/src/tests/integration/testsuite.at
+++ b/src/tests/integration/testsuite.at
@@ -8,4 +8,5 @@ m4_define([m4_include], [m4_builtin([include], [$1])])
m4_include([functions.at])
m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+ m4_include([integration/networkmanager.at])
])
--
2.23.0

@ -1,54 +0,0 @@
From d411807ff46fa6faf8410d994c2f39520b8fc2dc Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 16 Dec 2019 13:36:12 -0500
Subject: [PATCH 16/37] test: check-container: also run check-integration
This ties the integration tests into the "check-container" target.
NOTE: We force "-j1" because the integration tests must be run serially.
(cherry picked from commit c1c8156e267d3680959d9bc8ac092d829bac6719)
(cherry picked from commit fbfc230ed2c2082d0e55b25e551ebc241f7efdf2)
---
src/tests/Makefile.am | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index c00c198bf9bb..bf028c7c5389 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -55,12 +55,13 @@ check-container-debian-sid:
xsltproc docbook-xsl docbook-xml iptables ipset ebtables \
nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \
python3-dbus python3-gi python3-slip-dbus python3-nftables \
- procps && \
+ procps network-manager gir1.2-nm-1.0 && \
apt-get install -y libnftables-dev && \
./autogen.sh && \
./configure PYTHON=/usr/bin/python3 && \
make && \
- make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
+ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \
+ make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" "
check-container-fedora-rawhide:
(cd $(abs_top_srcdir) && tar -c . ) | \
@@ -71,12 +72,14 @@ check-container-fedora-rawhide:
docbook-style-xsl file gettext glib2-devel intltool ipset \
iptables iptables-nft libtool libxml2 libxslt make nftables \
python3-nftables python3-slip-dbus python3-gobject-base \
- diffutils procps-ng iproute which dbus-daemon && \
+ diffutils procps-ng iproute which dbus-daemon \
+ NetworkManager && \
alternatives --set ebtables /usr/sbin/ebtables-nft && \
./autogen.sh && \
./configure PYTHON=/usr/bin/python3 && \
make && \
- make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
+ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \
+ make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" "
check-container: check-container-debian-sid
check-container: check-container-fedora-rawhide
--
2.23.0

@ -0,0 +1,36 @@
From c9fccec891a3cd454ad7179ee3871f630b635b47 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 20 Apr 2020 16:45:02 -0400
Subject: [PATCH 16/45] test(dbus): zone: fix false failure due to list order
Fixes: b1e7a3843f7c ("test(dbus): zone: verify runtime config APIs")
(cherry picked from commit 8ca79abf32fd609b10b88482c89ee0c9c9711718)
(cherry picked from commit 86feb18448794b58f2725484083ead9ddc0bc451)
---
src/tests/dbus/zone_runtime_functional.at | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at
index d0098dfdff65..f48d97897cd9 100644
--- a/src/tests/dbus/zone_runtime_functional.at
+++ b/src/tests/dbus/zone_runtime_functional.at
@@ -281,11 +281,14 @@ DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=10
DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl
(true,)
])
+DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl
+ [(['rule family="ipv4" source address="10.10.10.10" accept'],)]
+])
DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept" 0], 0, [dnl
('public',)
])
-DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl
- [(['rule family="ipv4" source address="10.10.10.10" accept', 'rule family="ipv4" source address="20.20.20.20" accept'],)]
+DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept"], 0, [dnl
+ (true,)
])
DBUS_CHECK([], [zone.removeRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl
('public',)
--
2.27.0
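Review bot: The `zone.getRichRules` assertion that followed the second `addRichRule` is replaced by a `zone.queryRichRule` membership check, so the test no longer verifies that `getRichRules` returns both rules once more than one is present; only the single-rule listing added earlier in the hunk is still covered. If non-deterministic list order is what made the old assertion fail, an order-insensitive check of the two-element result (for instance sorting the output before comparing, if `DBUS_CHECK` permits that) would keep the coverage; otherwise a `dnl` comment such as `dnl getRichRules order is not deterministic with several rules, so only membership is checked here` would explain why the listing is not asserted.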

@ -1,36 +0,0 @@
From 4b8338a4635b8485b2890072e89f16e39e30ab29 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 17 Dec 2019 13:04:22 -0500
Subject: [PATCH 17/37] doc: README: add note about integration tests
(cherry picked from commit 18be66cf7e914b128e954c1e97ce29f542ee5fdd)
(cherry picked from commit c3a581d1acc713c2f8a74109e00690c649d4204f)
---
README | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/README b/README
index 9cb2ef4a15b7..287a3021b633 100644
--- a/README
+++ b/README
@@ -102,10 +102,15 @@ Or just the keywords
|awk '/^[[:space:]]*[[:digit:]]+/{getline; print $0}' \
|tr ' ' '\n' |sort |uniq
+There are integration tests. Currently this includes NetworkManager. These may
+be _destructive_ to the host. Run them in a disposable VM or container.
+
+ make check-integration
+
There is also a check-container target that will run the testsuite inside
various podman/docker containers. This is useful for coverage of multiple
-distributions. As a bonus, it allows us to run tests that may be destructive to
-the host (container) such as NetworkManager integration tests.
+distributions. It also runs tests that may be destructive to the host such as
+integration tests.
make check-container TESTSUITEFLAGS="-j4"
--
2.23.0

@ -0,0 +1,26 @@
From 9bdee2d94d0fadde8c40d7742176089bed602213 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 24 Apr 2020 13:50:10 -0400
Subject: [PATCH 17/45] test(dbus): zone: fix zone runtime functional test
title
Fixes: b1e7a3843f7c ("test(dbus): zone: verify runtime config APIs")
(cherry picked from commit 72191394919d1d69a40e258227dbbc3ee3e0285e)
(cherry picked from commit d0713c7b04ac430adb4855078e91fa62b2c79486)
---
src/tests/dbus/zone_runtime_functional.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at
index f48d97897cd9..bb0798abe7da 100644
--- a/src/tests/dbus/zone_runtime_functional.at
+++ b/src/tests/dbus/zone_runtime_functional.at
@@ -1,4 +1,4 @@
-FWD_START_TEST([dbus api - zone permanent functional])
+FWD_START_TEST([dbus api - zone runtime functional])
AT_KEYWORDS(dbus zone gh586)
dnl ####################
--
2.27.0

@ -1,684 +0,0 @@
From 98b36302a635c70a0b986d7f77a310d13fcca259 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 7 Jan 2020 09:22:42 -0500
Subject: [PATCH 18/37] chore: update translations
(cherry picked from commit cfe26b5f4febf0c9c8c4935750702f0257b5a7b7)
---
po/ar.po | 2 +-
po/as.po | 2 +-
po/bg.po | 2 +-
po/bn_IN.po | 2 +-
po/ca.po | 2 +-
po/cs.po | 2 +-
po/da.po | 2 +-
po/de.po | 2 +-
po/el.po | 2 +-
po/en_GB.po | 2 +-
po/en_US.po | 2 +-
po/es.po | 2 +-
po/et.po | 2 +-
po/eu.po | 2 +-
po/fi.po | 2 +-
po/fr.po | 2 +-
po/gl.po | 2 +-
po/gu.po | 2 +-
po/hi.po | 2 +-
po/hu.po | 2 +-
po/ia.po | 2 +-
po/id.po | 2 +-
po/it.po | 2 +-
po/ja.po | 2 +-
po/ka.po | 2 +-
po/kn.po | 2 +-
po/ko.po | 2 +-
po/lt.po | 2 +-
po/ml.po | 2 +-
po/mr.po | 2 +-
po/nl.po | 2 +-
po/or.po | 2 +-
po/pa.po | 2 +-
po/pl.po | 2 +-
po/pt.po | 2 +-
po/pt_BR.po | 2 +-
po/ru.po | 2 +-
po/sk.po | 2 +-
po/sq.po | 2 +-
po/sr.po | 2 +-
po/sr@latin.po | 2 +-
po/sv.po | 2 +-
po/ta.po | 2 +-
po/te.po | 2 +-
po/tr.po | 2 +-
po/uk.po | 2 +-
po/zh_CN.po | 2 +-
po/zh_TW.po | 2 +-
48 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/po/ar.po b/po/ar.po
index 7eaed07251dd..8abfdee73473 100644
--- a/po/ar.po
+++ b/po/ar.po
@@ -17,7 +17,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:20+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Arabic (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/as.po b/po/as.po
index 8fc9f12fb92a..16999c36c1d8 100644
--- a/po/as.po
+++ b/po/as.po
@@ -13,7 +13,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:15+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Assamese (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/bg.po b/po/bg.po
index 4f4a50bac50b..d2df33305874 100644
--- a/po/bg.po
+++ b/po/bg.po
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:43+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Bulgarian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/bn_IN.po b/po/bn_IN.po
index 3c840080f831..72c8591392de 100644
--- a/po/bn_IN.po
+++ b/po/bn_IN.po
@@ -13,7 +13,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:43+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Bengali (India) (http://www.transifex.com/projects/p/"
diff --git a/po/ca.po b/po/ca.po
index 2802c368224b..d2d8ec80af9c 100644
--- a/po/ca.po
+++ b/po/ca.po
@@ -19,7 +19,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-08-20 10:43+0000\n"
"Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
"Language-Team: Catalan (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/cs.po b/po/cs.po
index 66870f4b7e64..7319d3748f0a 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -27,7 +27,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2019-06-14 06:09+0000\n"
"Last-Translator: Pavel Borecki <pavel.borecki@gmail.com>\n"
"Language-Team: Czech (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/da.po b/po/da.po
index 98dfb5b4bebb..978936ce8f5d 100644
--- a/po/da.po
+++ b/po/da.po
@@ -13,7 +13,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-09-20 10:43+0000\n"
"Last-Translator: scootergrisen <scootergrisen@gmail.com>\n"
"Language-Team: Danish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/de.po b/po/de.po
index a27d39c56547..dd610cfed621 100644
--- a/po/de.po
+++ b/po/de.po
@@ -40,7 +40,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:22+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: German (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/el.po b/po/el.po
index 5227bfc9bf4f..26d4a55dc0ba 100644
--- a/po/el.po
+++ b/po/el.po
@@ -16,7 +16,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:27+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Greek (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/en_GB.po b/po/en_GB.po
index b617e4379dd5..d739c60136bd 100644
--- a/po/en_GB.po
+++ b/po/en_GB.po
@@ -11,7 +11,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:44+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: English (United Kingdom) (http://www.transifex.com/projects/p/"
diff --git a/po/en_US.po b/po/en_US.po
index 8ae2ae5bcd8a..f8e2a767a40e 100644
--- a/po/en_US.po
+++ b/po/en_US.po
@@ -7,7 +7,7 @@ msgid ""
msgstr ""
"Project-Id-Version: firewalld\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2014-10-15 14:24+0000\n"
"Last-Translator: Jiří Popelka <jpopelka@redhat.com>\n"
"Language-Team: English (United States) (http://www.transifex.com/projects/p/"
diff --git a/po/es.po b/po/es.po
index a84b9e05343a..0f228150fd2c 100644
--- a/po/es.po
+++ b/po/es.po
@@ -31,7 +31,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:22+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Spanish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/et.po b/po/et.po
index 8da6377bdac7..795090f4abde 100644
--- a/po/et.po
+++ b/po/et.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:21+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Estonian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/eu.po b/po/eu.po
index b8e14e2a1b86..a2fd55d6a404 100644
--- a/po/eu.po
+++ b/po/eu.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:43+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Basque (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/fi.po b/po/fi.po
index 71ad70257f21..752329c32489 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -15,7 +15,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-08-19 12:28+0000\n"
"Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>\n"
"Language-Team: Finnish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/fr.po b/po/fr.po
index d807315b5826..283dfa6d4dfc 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -34,7 +34,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:23+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: French (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/gl.po b/po/gl.po
index 47f9b6940401..4845df696886 100644
--- a/po/gl.po
+++ b/po/gl.po
@@ -9,7 +9,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:45+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Galician (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/gu.po b/po/gu.po
index 8698b52527b8..00d073043ae6 100644
--- a/po/gu.po
+++ b/po/gu.po
@@ -14,7 +14,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:45+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Gujarati (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/hi.po b/po/hi.po
index 24626fd4b2a3..07520b920e9f 100644
--- a/po/hi.po
+++ b/po/hi.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:28+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Hindi (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/hu.po b/po/hu.po
index f12170b0247c..8d02f894e92e 100644
--- a/po/hu.po
+++ b/po/hu.po
@@ -24,7 +24,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:24+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Hungarian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/ia.po b/po/ia.po
index d9d26140acd1..59bfc3f3f4b6 100644
--- a/po/ia.po
+++ b/po/ia.po
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:58+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Interlingua (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/id.po b/po/id.po
index f53a785bdcc1..3304d54878b2 100644
--- a/po/id.po
+++ b/po/id.po
@@ -3,7 +3,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-05-22 09:00+0000\n"
"Last-Translator: Ferdi Saptanera <ferdisn@fedoraproject.org>\n"
"Language-Team: Indonesian\n"
diff --git a/po/it.po b/po/it.po
index 7c2b4c02ed87..6358ba40bd31 100644
--- a/po/it.po
+++ b/po/it.po
@@ -36,7 +36,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:24+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Italian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/ja.po b/po/ja.po
index 340a68a9dfa5..ea830261b855 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -22,7 +22,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:25+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Japanese (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/ka.po b/po/ka.po
index ca538252795e..864b3c8058c6 100644
--- a/po/ka.po
+++ b/po/ka.po
@@ -9,7 +9,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:24+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Georgian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/kn.po b/po/kn.po
index a62e59eb5a3e..1826797aa9cd 100644
--- a/po/kn.po
+++ b/po/kn.po
@@ -13,7 +13,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:59+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Kannada (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/ko.po b/po/ko.po
index c928658f0195..c36161b7163b 100644
--- a/po/ko.po
+++ b/po/ko.po
@@ -18,7 +18,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:25+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Korean (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/lt.po b/po/lt.po
index bf3b73972c75..07a03e594ae7 100644
--- a/po/lt.po
+++ b/po/lt.po
@@ -4,7 +4,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2019-05-13 08:05+0000\n"
"Last-Translator: Moo <hazap@hotmail.com>\n"
"Language-Team: Lithuanian\n"
diff --git a/po/ml.po b/po/ml.po
index c265a921804c..93b6b6b63d05 100644
--- a/po/ml.po
+++ b/po/ml.po
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 10:00+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Malayalam (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/mr.po b/po/mr.po
index 04c29128fe3d..2b7159fdd370 100644
--- a/po/mr.po
+++ b/po/mr.po
@@ -15,7 +15,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 10:00+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Marathi (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/nl.po b/po/nl.po
index ac384020ad3a..351b9906332a 100644
--- a/po/nl.po
+++ b/po/nl.po
@@ -17,7 +17,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:26+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Dutch (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/or.po b/po/or.po
index 4b846a9f615d..90ffdcb7ca97 100644
--- a/po/or.po
+++ b/po/or.po
@@ -12,7 +12,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:33+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Oriya (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/pa.po b/po/pa.po
index 5a52ff6ccca9..3480e4223dce 100644
--- a/po/pa.po
+++ b/po/pa.po
@@ -22,7 +22,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2017-11-26 02:37+0000\n"
"Last-Translator: A S Alam <aalam@fedoraproject.org>\n"
"Language-Team: Panjabi (Punjabi) (http://www.transifex.com/projects/p/"
diff --git a/po/pl.po b/po/pl.po
index 843c883dd05d..83703401460b 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -17,7 +17,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:26+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Polish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/pt.po b/po/pt.po
index 27d3e7d44abd..7d5e816e2e7e 100644
--- a/po/pt.po
+++ b/po/pt.po
@@ -12,7 +12,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2019-09-07 12:26+0000\n"
"Last-Translator: Manuela Silva <mmsrs@sky.com>\n"
"Language-Team: Portuguese (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/pt_BR.po b/po/pt_BR.po
index 322fd5f69f3d..c381fa07343f 100644
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
@@ -34,7 +34,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:27+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Portuguese (Brazil) (http://www.transifex.com/projects/p/"
diff --git a/po/ru.po b/po/ru.po
index e15835624511..38cede8b55e6 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -22,7 +22,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:27+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Russian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/sk.po b/po/sk.po
index 23634d087ae3..4d6e67eb05b2 100644
--- a/po/sk.po
+++ b/po/sk.po
@@ -14,7 +14,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-08-13 06:16+0000\n"
"Last-Translator: feonsu <feonsu@gmail.com>\n"
"Language-Team: Slovak (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/sq.po b/po/sq.po
index 109b4d6e29c5..91c16e57045d 100644
--- a/po/sq.po
+++ b/po/sq.po
@@ -4,7 +4,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2017-04-20 11:49+0000\n"
"Last-Translator: Sidorela Uku <uku.sidorela@gmail.com>\n"
"Language-Team: Albanian\n"
diff --git a/po/sr.po b/po/sr.po
index d742901dd676..7c45f703a716 100644
--- a/po/sr.po
+++ b/po/sr.po
@@ -12,7 +12,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:42+0000\n"
"Last-Translator: Momcilo Medic <medicmomcilo@gmail.com>\n"
"Language-Team: Serbian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/sr@latin.po b/po/sr@latin.po
index 7045f7510b33..6bde5c3dafb6 100644
--- a/po/sr@latin.po
+++ b/po/sr@latin.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 10:03+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Serbian (Latin) (http://www.transifex.com/projects/p/"
diff --git a/po/sv.po b/po/sv.po
index d89a7c261fdd..f7e2ee9c9ec7 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -15,7 +15,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:28+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Swedish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/ta.po b/po/ta.po
index a53847a694fb..3370eb155992 100644
--- a/po/ta.po
+++ b/po/ta.po
@@ -16,7 +16,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 10:04+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Tamil (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/te.po b/po/te.po
index 542b57c404ad..6365c4adf6e3 100644
--- a/po/te.po
+++ b/po/te.po
@@ -15,7 +15,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:44+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Telugu (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/tr.po b/po/tr.po
index 29d589174412..404c8687de5e 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -12,7 +12,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2019-03-08 01:23+0000\n"
"Last-Translator: Serdar Sağlam <teknomobil@msn.com>\n"
"Language-Team: Turkish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/uk.po b/po/uk.po
index 4408f372a319..f237acc315e4 100644
--- a/po/uk.po
+++ b/po/uk.po
@@ -14,7 +14,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-07-29 04:00+0000\n"
"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
"Language-Team: Ukrainian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/zh_CN.po b/po/zh_CN.po
index bcb5a75283a4..ee57808023f1 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -24,7 +24,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2019-03-10 05:14+0000\n"
"Last-Translator: Pany <pany@fedoraproject.org>\n"
"Language-Team: Chinese (China) (http://www.transifex.com/projects/p/"
diff --git a/po/zh_TW.po b/po/zh_TW.po
index 27e8dff208f9..47f1e2c9f55d 100644
--- a/po/zh_TW.po
+++ b/po/zh_TW.po
@@ -21,7 +21,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:29+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Chinese (Taiwan) (http://www.transifex.com/projects/p/"
--
2.23.0


@ -0,0 +1,55 @@
From 6112ab6a515ac5813e8b4027976a6dc651647f07 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 16 Apr 2020 15:40:49 -0400
Subject: [PATCH 18/45] fix(doc): dbus: signatures for zone tuple based APIs
Fixes: 26e23b8cd945 ("firewall.core.io.zone: New icmp block inversion flag")
(cherry picked from commit 7fbc6f6204a342f5ae92f10923093d2381c9b0ac)
(cherry picked from commit 13edc3137fc3b9ed36207009621dda437a8f87df)
---
doc/xml/firewalld.dbus.xml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 77ad77c01675..1625b9d50576 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -274,7 +274,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.Methods.getZoneSettings">
- <term><methodname>getZoneSettings</methodname>(s: <parameter>zone</parameter>) &rarr; (sssbsasa(ss)asba(ssss)asasasasa(ss))</term>
+ <term><methodname>getZoneSettings</methodname>(s: <parameter>zone</parameter>) &rarr; (sssbsasa(ss)asba(ssss)asasasasa(ss)b)</term>
<listitem>
<para>
Return runtime settings of given <replaceable>zone</replaceable>.
@@ -2338,7 +2338,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Methods.addZone">
- <term><methodname>addZone</methodname>(s: zone, (sssbsasa(ss)asba(ssss)asasasasa(ss)): settings) &rarr; o</term>
+ <term><methodname>addZone</methodname>(s: zone, (sssbsasa(ss)asba(ssss)asasasasa(ss)b): settings) &rarr; o</term>
<listitem>
<para>
Add <replaceable>zone</replaceable> with given <replaceable>settings</replaceable> into permanent configuration.
@@ -3810,7 +3810,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.zone.Methods.getSettings">
- <term><methodname>getSettings</methodname>() &rarr; (sssbsasa(ss)asba(ssss)asasasasa(ss))</term>
+ <term><methodname>getSettings</methodname>() &rarr; (sssbsasa(ss)asba(ssss)asasasasa(ss)b)</term>
<listitem>
<para>
Return permanent settings of given <replaceable>zone</replaceable>.
@@ -4309,7 +4309,7 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.zone.Methods.update">
- <term><methodname>update</methodname>((sssbsasa(ss)asba(ssss)asasasasa(ss)): settings) &rarr; Nothing</term>
+ <term><methodname>update</methodname>((sssbsasa(ss)asba(ssss)asasasasa(ss)b): settings) &rarr; Nothing</term>
<listitem>
<para>
Update settings of zone to <replaceable>settings</replaceable>.
--
2.27.0


@ -1,32 +0,0 @@
From 7b2f75ecf57dd3f46da24db640aec63aac3e703d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 14 Jan 2020 09:15:22 -0500
Subject: [PATCH 19/37] doc: README: add note about language translations
(cherry picked from commit 1b829ebb1d79e674b191d7f201787688b8a1d609)
(cherry picked from commit 86b4a2643882e1d70c92859bfdfca24d768102f9)
---
README | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/README b/README
index 287a3021b633..120543588540 100644
--- a/README
+++ b/README
@@ -17,6 +17,13 @@ To check out the source repository, you can use:
This will create a local copy of the repository.
+Language Translations
+---------------------
+Firewalld uses GNU gettext for localization support. Translations can be done
+using Fedora's Weblate instance [1]. Translations are periodically merged into
+the main firewalld repository.
+
+[1] https://translate.stg.fedoraproject.org/projects/firewalld/
Working With The Source Repository
----------------------------------
--
2.23.0


@ -0,0 +1,29 @@
From cc9d8ac3501b1dc64d6b48990792a06637d69314 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 17 Apr 2020 14:45:16 -0400
Subject: [PATCH 19/45] fix(config): bool values in dict based import/export
Always export bool values.
(cherry picked from commit ae4b9b44ed8e9e62f47846f7032c19b559e3d7ad)
(cherry picked from commit 88016dc40ba2e119fe04e54724fb432404d7e8c1)
---
src/firewall/core/io/service.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py
index cf343fe0ce93..0387b6c798b0 100644
--- a/src/firewall/core/io/service.py
+++ b/src/firewall/core/io/service.py
@@ -96,7 +96,7 @@ class Service(IO_Object):
conf = {}
type_formats = dict([(x[0], x[1]) for x in self.IMPORT_EXPORT_STRUCTURE])
for key in type_formats:
- if getattr(self, key):
+ if getattr(self, key) or isinstance(getattr(self, key), bool):
conf[key] = copy.deepcopy(getattr(self, key))
return conf
--
2.27.0
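Review bot: The new condition calls `getattr(self, key)` twice and the following line a third time; binding the value once is clearer and avoids the repeated lookups: `value = getattr(self, key)` / `if value or isinstance(value, bool):` / `conf[key] = copy.deepcopy(value)`. Since an explicit `False` is now exported while other falsy values (empty lists, empty strings) are still skipped, a one-line comment would stop the next reader from "simplifying" it back: `# bool attributes are always exported, even when False`. The enclosing method of `Service` starts outside the hunk.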


@ -0,0 +1,39 @@
From 8d48dfee165ad41ed2d235dc3772c5b588a75521 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 4 May 2020 10:48:10 -0400
Subject: [PATCH 20/45] fix(dbus): service: don't cleanup config for old set
APIs
This avoids them from unknowingly wiping away config that the old APIs
are unaware of.
Fixes: 335a68c1bba5 ("fix: dbus: fix service API break")
(cherry picked from commit 11bd8742158b2b3c9b0412a9ca1cb9ada7fd6fd7)
(cherry picked from commit faa5822d8073336bed29e12b7cc73bedfa4811b7)
---
src/firewall/core/fw_config.py | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/firewall/core/fw_config.py b/src/firewall/core/fw_config.py
index 8f29f0c416d2..35f623f2c8f1 100644
--- a/src/firewall/core/fw_config.py
+++ b/src/firewall/core/fw_config.py
@@ -566,7 +566,6 @@ class FirewallConfig(object):
if obj.builtin:
x = copy.copy(obj)
- x.cleanup()
x.import_config(conf_dict)
x.path = config.ETC_FIREWALLD_SERVICES
x.builtin = False
@@ -576,7 +575,6 @@ class FirewallConfig(object):
service_writer(x)
return x
else:
- obj.cleanup()
obj.import_config(conf_dict)
service_writer(obj)
return obj
--
2.27.0
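Review bot: Nothing in the code now explains why `import_config` is applied to the copied or existing object without clearing it first, so the removed `cleanup()` calls are likely to be reintroduced by someone tidying up; the rationale lives only in the commit message. A one-line comment at each of the two sites would preserve it, e.g. `# no cleanup() here: the old set APIs only know a subset of the fields, clearing first would drop settings they cannot express`. Both hunks are in `FirewallConfig` and their enclosing method starts outside the hunks.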


@ -1,31 +0,0 @@
From b15d3998fc9cbc6fbaa5f54596cf6ae4af80c6b4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 10:41:29 -0500
Subject: [PATCH 20/37] fix: rich: source/dest only matching with mark action
We need to make sure the pre-requisite chains exist before generating
the rule for the mark action.
Fixes: #567
(cherry picked from commit 4997385a269b2128281f346ba6e049a41767d165)
(cherry picked from commit 16c70554005a2a8dc7947c94f0fcc7cc401de3d0)
---
src/firewall/core/fw_zone.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index cbb80f09e02f..5cda560a30e1 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1720,6 +1720,8 @@ class FirewallZone(object):
elif rule.element is None:
if enable:
transaction.add_chain(zone, "filter", "INPUT")
+ if enable and type(rule.action) == Rich_Mark:
+ transaction.add_chain(zone, "mangle", "PREROUTING")
rules = backend.build_zone_rich_source_destination_rules(
enable, zone, rule)
--
2.23.0


@ -1,39 +0,0 @@
From ff7fed03e2026b0f3e2959bcb4b71c57b48b33a4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 10:04:47 -0500
Subject: [PATCH 21/37] test: coverage for gh #567
(cherry picked from commit cdf3227ea9e1c14ca47fcd73c42b3c94f78b01a6)
(cherry picked from commit 846363e2ced0b5ec0eecd58574245a4f7a66235c)
---
src/tests/regression.at | 1 +
src/tests/regression/gh567.at | 8 ++++++++
2 files changed, 9 insertions(+)
create mode 100644 src/tests/regression/gh567.at
diff --git a/src/tests/regression.at b/src/tests/regression.at
index 3bc99543a9b1..4532d730fbe7 100644
--- a/src/tests/regression.at
+++ b/src/tests/regression.at
@@ -24,3 +24,4 @@ m4_include([regression/rhbz1715977.at])
m4_include([regression/rhbz1723610.at])
m4_include([regression/rhbz1734765.at])
m4_include([regression/gh509.at])
+m4_include([regression/gh567.at])
diff --git a/src/tests/regression/gh567.at b/src/tests/regression/gh567.at
new file mode 100644
index 000000000000..03c3bde4a0fe
--- /dev/null
+++ b/src/tests/regression/gh567.at
@@ -0,0 +1,8 @@
+FWD_START_TEST([rich rule source w/ mark action])
+AT_KEYWORDS(gh567 rich ipset)
+
+FWD_CHECK([-q --permanent --new-ipset=Teste --type=hash:net])
+FWD_CHECK([-q --permanent --add-rich-rule "rule family=ipv4 source ipset=Teste mark set=2"])
+FWD_RELOAD
+
+FWD_END_TEST
--
2.23.0


@ -0,0 +1,33 @@
From b33d40f277444f0af0f780b68389af4098ab639b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 6 Jan 2020 15:38:28 -0500
Subject: [PATCH 21/45] test(gh509): only run test for nftables backend
The test wipes the config and therefore restarts with defaults (e.g.
the nftables backend). Some hosts under test may not have nftables
available so the test will fail. Only use the test if FIREWALL_BACKEND
is nftables.
(cherry picked from commit 61140a7ed9d6b26cd030d366eb7c9111a3ad45df)
(cherry picked from commit 4d3907862535298e6f8b6bc566bdce10a86647bc)
---
src/tests/regression/gh509.at | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tests/regression/gh509.at b/src/tests/regression/gh509.at
index 00cc51c9c51f..1c151066c2bb 100644
--- a/src/tests/regression/gh509.at
+++ b/src/tests/regression/gh509.at
@@ -1,3 +1,4 @@
+m4_if(nftables, FIREWALL_BACKEND, [
FWD_START_TEST([missing firewalld.conf file])
AT_KEYWORDS(gh509)
@@ -12,3 +13,4 @@ FWD_RESTART
FWD_END_TEST([-e '/ERROR: Failed to load/d' dnl
-e '/WARNING:.*No such file or directory:.*/d' dnl
-e '/WARNING: Using fallback firewalld configuration settings/d'])
+])
--
2.27.0


@ -1,33 +0,0 @@
From e02639f73c9515ce4780b878ed0fc1308b46fc88 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 13:41:21 -0500
Subject: [PATCH 22/37] improvement: test: move regression.at inside directory
(cherry picked from commit 97066392d174bafbeaf4fce6d040352e64f1822c)
(cherry picked from commit a340e4767bef62d2ae6d000447ea162bb8dd016b)
---
src/tests/{ => regression}/regression.at | 0
src/tests/testsuite.at | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename src/tests/{ => regression}/regression.at (100%)
diff --git a/src/tests/regression.at b/src/tests/regression/regression.at
similarity index 100%
rename from src/tests/regression.at
rename to src/tests/regression/regression.at
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index b4dc05a59f55..be43c3bd4756 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -12,7 +12,7 @@ m4_include([dbus.at])
m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
m4_include([firewall-cmd.at])
- m4_include([regression.at])
+ m4_include([regression/regression.at])
m4_include([python.at])
m4_include([features.at])
])
--
2.23.0


@ -0,0 +1,29 @@
From ab514ea71dcc69abd910790822d67e2854ad54c7 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 12 May 2020 09:12:46 -0400
Subject: [PATCH 22/45] test(ipv6): skip square bracket address tests if ipv6
not available
Fixes: ff9cd7a4c618 ("test: ipset: coverage for ipv6 addresses with brackets")
(cherry picked from commit fc626b34171a71f500fac31b9f2929b009993b98)
(cherry picked from commit bd98ef1f5660dc83c5179d4c6204cf62ba985122)
---
src/tests/regression/rhbz1779835.at | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tests/regression/rhbz1779835.at b/src/tests/regression/rhbz1779835.at
index 37d1afc990ab..8de5c0353b6e 100644
--- a/src/tests/regression/rhbz1779835.at
+++ b/src/tests/regression/rhbz1779835.at
@@ -1,6 +1,8 @@
FWD_START_TEST([ipv6 address with brackets])
AT_KEYWORDS(rhbz1779835 ipset zone forward_port rich)
+IF_HOST_SUPPORTS_IPV6_RULES([], [AT_SKIP_IF([:])])
+
dnl ipset
FWD_CHECK([-q --permanent --new-ipset=foobar --type=hash:ip --family=inet6])
FWD_CHECK([[-q --permanent --ipset foobar --add-entry='[1234::4321]']])
--
2.27.0


@ -0,0 +1,34 @@
From 4a94fcfa0450b653c579118678da409b0f449259 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 12 May 2020 09:34:12 -0400
Subject: [PATCH 23/45] fix(ipset): flush the set if IndividiualCalls=yes
Make sure we flush the set when creating. Otherwise a pre-existing set
may have stale entries.
Fixes: 81d784f8c856 ("test: ipset: verify clean up on exit/reload")
(cherry picked from commit fab381045990f1c994d60c3f7c5813c576e60af1)
(cherry picked from commit a512e55190210ecba57f0ccfda88d39ac3151d13)
---
src/firewall/core/fw_ipset.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
index 68f016ba2222..90b24c6264c0 100644
--- a/src/firewall/core/fw_ipset.py
+++ b/src/firewall/core/fw_ipset.py
@@ -117,6 +117,11 @@ class FirewallIPSet(object):
# no entries visible for ipsets with timeout
continue
+ try:
+ backend.set_flush(obj.name)
+ except Exception as msg:
+ raise FirewallError(errors.COMMAND_FAILED, msg)
+
for entry in obj.entries:
try:
backend.set_add(obj.name, entry)
--
2.27.0
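Review bot: The flush is unconditional and only the commit message says why (a pre-existing set may hold stale entries); a comment on the new `try` would keep that visible in the code, e.g. `# flush first: the set may already exist from a previous run and contain stale entries`. It is also worth stating that a failed flush is converted to `FirewallError` and propagates out of the enclosing loop rather than falling through to `set_add` over unknown contents — that looks intentional, and a word in the comment would make it so. The enclosing method of `FirewallIPSet` starts outside the hunk.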


@ -1,45 +0,0 @@
From 469c9a24f6fb1ae7073a412755201d5a093a46d0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 13:42:31 -0500
Subject: [PATCH 23/37] improvement: test: move features.at inside directory
(cherry picked from commit 87ebf867d4c1f81ecba44346126fcb6a5b4e4e3e)
(cherry picked from commit 04891ae837b317b293f14aaa28c683375afee4a5)
---
src/tests/{ => features}/features.at | 0
src/tests/firewall-offline-cmd.at | 2 +-
src/tests/testsuite.at | 2 +-
3 files changed, 2 insertions(+), 2 deletions(-)
rename src/tests/{ => features}/features.at (100%)
diff --git a/src/tests/features.at b/src/tests/features/features.at
similarity index 100%
rename from src/tests/features.at
rename to src/tests/features/features.at
diff --git a/src/tests/firewall-offline-cmd.at b/src/tests/firewall-offline-cmd.at
index 0b05ee70ea9f..8cd6b6c5550f 100644
--- a/src/tests/firewall-offline-cmd.at
+++ b/src/tests/firewall-offline-cmd.at
@@ -9,7 +9,7 @@ dnl !!! DO NOT ADD TESTS HERE !!!
m4_define([TESTING_FIREWALL_OFFLINE_CMD])
m4_include([firewall-cmd.at])
-m4_include([features.at])
+m4_include([features/features.at])
dnl Now begin the tests explicitly for firewall-offline-cmd
dnl
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index be43c3bd4756..364b0ca30e04 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -14,5 +14,5 @@ m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
m4_include([firewall-cmd.at])
m4_include([regression/regression.at])
m4_include([python.at])
- m4_include([features.at])
+ m4_include([features/features.at])
])
--
2.23.0


@ -1,32 +0,0 @@
From 318e99e5957fd92d6421350096c0dbc73c18f4ec Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 13:43:32 -0500
Subject: [PATCH 24/37] improvement: test: move python.at inside directory
(cherry picked from commit d6dbb79bd0fb470007d958296731e45912470ffe)
(cherry picked from commit 13c4830d4063dc2d76820f2a7db8b77f7427e763)
---
src/tests/{ => python}/python.at | 0
src/tests/testsuite.at | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename src/tests/{ => python}/python.at (100%)
diff --git a/src/tests/python.at b/src/tests/python/python.at
similarity index 100%
rename from src/tests/python.at
rename to src/tests/python/python.at
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index 364b0ca30e04..2a925fd77dd6 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -13,6 +13,6 @@ m4_include([dbus.at])
m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
m4_include([firewall-cmd.at])
m4_include([regression/regression.at])
- m4_include([python.at])
+ m4_include([python/python.at])
m4_include([features/features.at])
])
--
2.23.0


@ -0,0 +1,64 @@
From 729936737ae3588d5b79c9f00760a2228586338b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 12 May 2020 08:25:07 -0400
Subject: [PATCH 24/45] test(dbus): better way to check IPv6_rpfilter expected
value
(cherry picked from commit 42e349f57a41305354871ca0c0d08fcf800a2fe3)
(cherry picked from commit a79695be7243802b49c5bdb131c231b1ef8a9350)
---
src/tests/dbus/firewalld.conf.at | 24 +++++++-----------------
1 file changed, 7 insertions(+), 17 deletions(-)
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 4eefa3286f9f..1c957957b3da 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -1,8 +1,13 @@
FWD_START_TEST([firewalld.conf])
AT_KEYWORDS(dbus)
-dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
IF_HOST_SUPPORTS_NFT_FIB([
+ EXPECTED_IPV6_RPFILTER_VALUE=yes
+], [
+ EXPECTED_IPV6_RPFILTER_VALUE=no
+])
+
+dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
DBUS_GETALL([config], [config], 0, [dnl
string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "no"
@@ -10,28 +15,13 @@ string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
string "FirewallBackend" : variant string "nftables"
string "FlushAllOnReload" : variant string "yes"
-string "IPv6_rpfilter" : variant string "yes"
-string "IndividualCalls" : variant string "no"
-string "Lockdown" : variant string "no"
-string "LogDenied" : variant string "off"
-string "MinimalMark" : variant int32 100
-string "RFC3964_IPv4" : variant string "yes"
-])], [
-DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "yes"
-string "AutomaticHelpers" : variant string "no"
-string "CleanupOnExit" : variant string "no"
-string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
-string "FlushAllOnReload" : variant string "yes"
-string "IPv6_rpfilter" : variant string "no"
+string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])
string "IndividualCalls" : variant string "no"
string "Lockdown" : variant string "no"
string "LogDenied" : variant string "off"
string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])
-])
m4_define([_helper], [
DBUS_SET([config], [config], [string:"$1" $2], 0, ignore)
--
2.27.0


@ -1,33 +0,0 @@
From f57c3b19cf5c1ef0b68eab2819f4dafdcbd53b91 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 13:44:22 -0500
Subject: [PATCH 25/37] improvement: test: move dbus.at inside directory
(cherry picked from commit 0dfdf43524fc56d396c47198a7d2a4853373ac4c)
(cherry picked from commit 015229ef5c0f97d1664fb5670b4caef6d8242a68)
---
src/tests/{ => dbus}/dbus.at | 0
src/tests/testsuite.at | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename src/tests/{ => dbus}/dbus.at (100%)
diff --git a/src/tests/dbus.at b/src/tests/dbus/dbus.at
similarity index 100%
rename from src/tests/dbus.at
rename to src/tests/dbus/dbus.at
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index 2a925fd77dd6..546b301f1cb2 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -8,7 +8,7 @@ m4_define([m4_include], [m4_builtin([include], [$1])])
m4_include([functions.at])
m4_include([firewall-offline-cmd.at])
-m4_include([dbus.at])
+m4_include([dbus/dbus.at])
m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
m4_include([firewall-cmd.at])
--
2.23.0


@ -0,0 +1,47 @@
From 571c32c466f0516d0543926828ce49b004ce584f Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 11 May 2020 17:19:12 -0400
Subject: [PATCH 25/45] test(functions): add macro
IF_HOST_SUPPORTS_NFT_RULE_INDEX
(cherry picked from commit 735eb589b2a18129b2b8a9d4dfe8b9375757619a)
(cherry picked from commit cda25d11a9e333ee5cdd9d7e084e7075cb1550bb)
---
src/tests/functions.at | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 8f5ceba4d3f2..f83720595d2f 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -598,3 +598,27 @@ m4_define([NMCLI_CHECK], [
NS_CHECK([PIPESTATUS0([nmcli $1], [TRIM_WHITESPACE])],
[$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6])
])
+
+m4_define([IF_HOST_SUPPORTS_NFT_RULE_INDEX], [
+ m4_if(nftables, FIREWALL_BACKEND, [
+ AT_DATA([./nft_rule_index.nft], [
+ add table inet firewalld_check_rule_index
+ add chain inet firewalld_check_rule_index foobar { type filter hook input priority 0 ; }
+ add rule inet firewalld_check_rule_index foobar tcp dport 1234 accept
+ add rule inet firewalld_check_rule_index foobar accept
+ insert rule inet firewalld_check_rule_index foobar index 1 udp dport 4321 accept
+])
+ NS_CHECK([nft -f ./nft_rule_index.nft])
+
+ if test "$( NS_CMD([nft list chain inet firewalld_check_rule_index foobar | head -n 5 |tail -n 1 | TRIM_WHITESPACE]) )" = "udp dport 4321 accept"; then
+ :
+ $1
+ else
+ :
+ $2
+ fi
+
+ NS_CHECK([rm ./nft_rule_index.nft])
+ NS_CHECK([nft delete table inet firewalld_check_rule_index])
+ ], [$1])
+])
--
2.27.0
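Review bot: The bare `:` statements before `$1` and `$2` in the new macro are load-bearing — they keep the `then`/`else` bodies non-empty when a caller passes an empty argument — but nothing says so, and the positional `head -n 5 | tail -n 1` depends on the exact layout of `nft list chain` output. A `dnl` comment above the `if` naming both would help, e.g. `dnl ':' keeps each branch non-empty when $1/$2 is empty; line 5 of the listing is where 'insert ... index 1' should have placed the udp rule`. Also, if `NS_CHECK([nft -f ./nft_rule_index.nft])` fails, the test group presumably stops there and the temporary file and the `firewalld_check_rule_index` table are never removed, since the cleanup only runs after the comparison.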


@ -1,57 +0,0 @@
From 529c233fca75fc302a86b01251b7c7bf31e188ad Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 13:46:42 -0500
Subject: [PATCH 26/37] improvement: test: move firewall-cmd.at and
firewall-offline-cmd.at inside directory
(cherry picked from commit 60197b143b1abf1cae618649fcb4ca595c6fb46d)
(cherry picked from commit 8f6dd39747b00b6cf5b0dfb526b75b4dd7ef9077)
---
src/tests/{ => cli}/firewall-cmd.at | 0
src/tests/{ => cli}/firewall-offline-cmd.at | 2 +-
src/tests/testsuite.at | 4 ++--
3 files changed, 3 insertions(+), 3 deletions(-)
rename src/tests/{ => cli}/firewall-cmd.at (100%)
rename src/tests/{ => cli}/firewall-offline-cmd.at (98%)
diff --git a/src/tests/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
similarity index 100%
rename from src/tests/firewall-cmd.at
rename to src/tests/cli/firewall-cmd.at
diff --git a/src/tests/firewall-offline-cmd.at b/src/tests/cli/firewall-offline-cmd.at
similarity index 98%
rename from src/tests/firewall-offline-cmd.at
rename to src/tests/cli/firewall-offline-cmd.at
index 8cd6b6c5550f..e763eeb95839 100644
--- a/src/tests/firewall-offline-cmd.at
+++ b/src/tests/cli/firewall-offline-cmd.at
@@ -8,7 +8,7 @@ dnl
dnl !!! DO NOT ADD TESTS HERE !!!
m4_define([TESTING_FIREWALL_OFFLINE_CMD])
-m4_include([firewall-cmd.at])
+m4_include([cli/firewall-cmd.at])
m4_include([features/features.at])
dnl Now begin the tests explicitly for firewall-offline-cmd
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index 546b301f1cb2..c48123cea910 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -7,11 +7,11 @@ m4_define([m4_include], [m4_builtin([include], [$1])])
m4_include([functions.at])
-m4_include([firewall-offline-cmd.at])
+m4_include([cli/firewall-offline-cmd.at])
m4_include([dbus/dbus.at])
m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
- m4_include([firewall-cmd.at])
+ m4_include([cli/firewall-cmd.at])
m4_include([regression/regression.at])
m4_include([python/python.at])
m4_include([features/features.at])
--
2.23.0


@ -0,0 +1,57 @@
From 5e35e5d183773984bc69ff035e7f0c69cc99b282 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 11 May 2020 17:22:39 -0400
Subject: [PATCH 26/45] test(functions): use IndividualCalls if host doesn't
support nft rule index
(cherry picked from commit 5418d89006665e90f7f742bbdc9a551d9d9a1ca7)
(cherry picked from commit 4224d86814ac6aa80fbc58c2b6f8e53a89adcaba)
---
src/tests/dbus/firewalld.conf.at | 8 +++++++-
src/tests/functions.at | 4 ++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 1c957957b3da..14d87767a267 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -7,6 +7,12 @@ IF_HOST_SUPPORTS_NFT_FIB([
EXPECTED_IPV6_RPFILTER_VALUE=no
])
+IF_HOST_SUPPORTS_NFT_RULE_INDEX([
+ EXPECTED_INDIVIDUAL_CALLS_VALUE=no
+], [
+ EXPECTED_INDIVIDUAL_CALLS_VALUE=yes
+])
+
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
DBUS_GETALL([config], [config], 0, [dnl
string "AllowZoneDrifting" : variant string "yes"
@@ -16,7 +22,7 @@ string "DefaultZone" : variant string "public"
string "FirewallBackend" : variant string "nftables"
string "FlushAllOnReload" : variant string "yes"
string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"])
-string "IndividualCalls" : variant string "no"
+string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"])
string "Lockdown" : variant string "no"
string "LogDenied" : variant string "off"
string "MinimalMark" : variant int32 100
diff --git a/src/tests/functions.at b/src/tests/functions.at
index f83720595d2f..1cde4997f920 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -221,6 +221,10 @@ m4_define([FWD_START_TEST], [
fi
echo "kill $DBUS_PID" >> ./cleanup_late
+ IF_HOST_SUPPORTS_NFT_RULE_INDEX([], [
+ AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf])
+ ])
+
FWD_START_FIREWALLD
])
])
--
2.27.0
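Review bot: The fallback `sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf` only takes effect if the file already contains an uncommented `IndividualCalls` line; should the generated firewalld.conf ever lack the key or have it commented out, the substitution silently does nothing and the later `DBUS_GETALL` expectation fails with an unhelpful mismatch. Asserting the precondition first, `AT_CHECK([grep -q '^IndividualCalls' ./firewalld.conf])`, or appending the line when there is no match, would make the failure mode explicit. The enclosing `FWD_START_TEST` macro starts outside the hunk.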


@ -0,0 +1,57 @@
From 4c90b4a07d2b3f935f5ea8b4607a77f12b66d855 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 10 Dec 2019 10:34:16 -0500
Subject: [PATCH 27/45] test(check-container): add support for centos8 stream
(cherry picked from commit 47be9c516344243750b68d570c69e7a5c4022805)
(cherry picked from commit fdf7eb8c8d7b82e68c6488e4755568fd0a5442a1)
---
src/tests/Makefile.am | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 6be678146b99..b7556b30ecc8 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -48,7 +48,7 @@ $(TESTSUITE) $(TESTSUITE_INTEGRATION): $(TESTSUITE_FILES) $(srcdir)/package.m4
$(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at
mv $@.tmp $@
-CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide
+CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide check-container-centos8-stream
check-container-debian-sid-image: check-container-%-image:
(cd $(abs_top_srcdir) && { \
@@ -76,11 +76,28 @@ check-container-fedora-rawhide-image: check-container-%-image:
echo "COPY . /tmp/firewalld"; \
} | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
+check-container-centos8-stream-image: check-container-%-image:
+ (cd $(abs_top_srcdir) && { \
+ echo "FROM centos:8" && \
+ echo "RUN dnf -y makecache" && \
+ echo "RUN dnf -y install centos-release-stream" && \
+ echo "RUN dnf -y install autoconf automake conntrack-tools desktop-file-utils \
+ docbook-style-xsl file gettext glib2-devel intltool ipset \
+ iptables iptables-ebtables nftables libtool libxml2 \
+ libxslt make nftables python3-nftables python3-slip-dbus \
+ python3-gobject-base diffutils procps-ng iproute which dbus-daemon \
+ NetworkManager" && \
+ echo "COPY . /tmp/firewalld"; \
+ } | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
+
+check-container-debian-sid: PYTHON=/usr/bin/python3
+check-container-fedora-rawhide: PYTHON=/usr/bin/python3
+check-container-centos8-stream: PYTHON=/usr/libexec/platform-python
$(CONTAINER_TARGETS): check-container-%: check-container-%-image
$(PODMAN) run -i --rm --privileged firewalld-testsuite-$* bash -c " \
cd /tmp/firewalld && \
./autogen.sh && \
- ./configure PYTHON=/usr/bin/python3 && \
+ ./configure PYTHON=\"${PYTHON}\" && \
make && \
{ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" || \
make -C src/tests check-local TESTSUITEFLAGS=\"--recheck --errexit --verbose\" ; } && \
--
2.27.0
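Review bot: `nftables` appears twice in the dnf install list of the new `check-container-centos8-stream-image` recipe (once after `iptables-ebtables`, once after `make`); drop one occurrence. `FROM centos:8` with `centos-release-stream` installed on top is a moving target, so test results will drift with the stream without any change to this Makefile — acceptable for a CI image, but worth a comment stating it. The `./configure PYTHON=\"${PYTHON}\"` line relies on the target-specific `PYTHON` assignments added just above it; a comment noting that `${PYTHON}` is expanded by make rather than by the container shell would save a reader from guessing.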


@ -1,133 +0,0 @@
From a698ca94c40b6edf058995f9f2b1fc197a16efe4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 16 Jan 2020 09:02:28 -0500
Subject: [PATCH 27/37] test: enhance test for rhbz1729097
(cherry picked from commit c2b8059559c210e586b03b44eaf189370b976770)
(cherry picked from commit 47368842f5519b43cb02cb4f2cca59b9049e5268)
---
src/tests/regression/rhbz1715977.at | 107 +++++++++++++++++++++++++++-
1 file changed, 105 insertions(+), 2 deletions(-)
diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
index ce6dd075c2b5..5de9b5679023 100644
--- a/src/tests/regression/rhbz1715977.at
+++ b/src/tests/regression/rhbz1715977.at
@@ -1,9 +1,112 @@
-FWD_START_TEST([rich rule destination with service destination])
-AT_KEYWORDS(rich service rhbz1715977)
+FWD_START_TEST([rich rule source/destination with service destination])
+AT_KEYWORDS(rich service rhbz1715977 rhbz1729097 rhbz1791783)
FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="ssh" accept'])
FWD_RELOAD
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_internal_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+ udp dport 137 ct helper set "helper-netbios-ns-udp"
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
+
+FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept'])
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_internal_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+ udp dport 137 ct helper set "helper-netbios-ns-udp"
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+ ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
+
+FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept'])
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_internal_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+ udp dport 137 ct helper set "helper-netbios-ns-udp"
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+ ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
+ ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])
FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'])
--
2.23.0


@ -0,0 +1,33 @@
From fe902f0be61bb0fe25418e5e13f7aa0131e042db Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 19 May 2020 13:24:25 -0400
Subject: [PATCH 28/45] fix(firewall-offline-cmd): remove instances of "[P]" in
help text
All commands are permanent. The "[P]" tag is unnecessary.
(cherry picked from commit 32f7ea86eaf86705d8f52eeb1195e7549653fdce)
(cherry picked from commit 1a22a093088eb7cc23f3b6c4b4ba6fb3323902aa)
---
src/firewall-offline-cmd.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/firewall-offline-cmd.in b/src/firewall-offline-cmd.in
index 98ca3e81ad7b..c0ad9ec8f64e 100755
--- a/src/firewall-offline-cmd.in
+++ b/src/firewall-offline-cmd.in
@@ -168,9 +168,9 @@ IPSet Options
--ipset=<ipset> --get-entries
List entries of an ipset
--ipset=<ipset> --add-entries-from-file=<entry>
- Add a new entries to an ipset [P]
+ Add a new entries to an ipset
--ipset=<ipset> --remove-entries-from-file=<entry>
- Remove entries from an ipset [P]
+ Remove entries from an ipset
IcmpType Options
--new-icmptype=<icmptype>
--
2.27.0


@ -1,29 +0,0 @@
From 77c098b455f8de72118a4ba40c371c1dde905325 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 22 Jan 2020 09:46:52 -0500
Subject: [PATCH 28/37] fix: test/functions: FWD_END_TEST: grep for
errors/warnings
Fixes: 5f67a78a68a4 ("fix: test/functions: FWD_END_TEST: improve grep for errors/warnings")
(cherry picked from commit 9f397528f5c7c6a155ba081a2e048ccf14c004b4)
(cherry picked from commit 171d3ce9b1724989b3a98d4cfe58470b36ce3be0)
---
src/tests/functions.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index e79557350558..cd4e31c7f9d4 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -234,7 +234,7 @@ m4_define([FWD_END_TEST], [
if test -n "$1"; then
sed -i $1 ./firewalld.log
fi
- AT_FAIL_IF([grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log])
+ AT_FAIL_IF([[grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log]])
fi
m4_undefine([CURRENT_DBUS_ADDRESS])
m4_undefine([CURRENT_TEST_NS])
--
2.23.0


@ -0,0 +1,30 @@
From 53e62b6640c2d52ca6385120e3215b18d4ea70bf Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 8 Jun 2020 14:58:50 -0400
Subject: [PATCH 29/45] fix(rich): source mac with nftables backend
Fixes: #643
Fixes: rhbz 1843398
Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface")
(cherry picked from commit e255e7357358b5fe1593225e6bd995850421825a)
(cherry picked from commit d78607ca4862a7b20551a98387ff285499d73440)
---
src/firewall/core/nftables.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 69ee63b32f8b..97b1cd9f7f1e 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1064,7 +1064,7 @@ class nftables(object):
if addr_field == "daddr":
raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__))
family = "ether"
- if check_single_address("ipv4", address):
+ elif check_single_address("ipv4", address):
family = "ip"
elif check_address("ipv4", address):
family = "ip"
--
2.27.0


@ -1,27 +0,0 @@
From 207f97c8f8aa0043742521016065f35115e31436 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 22 Jan 2020 08:11:48 -0500
Subject: [PATCH 29/37] improvement: tests/regression/rhbz1715977: shorten test
name
Shorten the test name so it fits on 80 columns.
(cherry picked from commit d7920d34359074be68497da666cefd175e00d5f6)
(cherry picked from commit e63d2f72d68d366ca3e693d8de6cdcc21fcd44e5)
---
src/tests/regression/rhbz1715977.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
index 5de9b5679023..b9886e1a0a2b 100644
--- a/src/tests/regression/rhbz1715977.at
+++ b/src/tests/regression/rhbz1715977.at
@@ -1,4 +1,4 @@
-FWD_START_TEST([rich rule source/destination with service destination])
+FWD_START_TEST([rich rule src/dst with service destination])
AT_KEYWORDS(rich service rhbz1715977 rhbz1729097 rhbz1791783)
FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
--
2.23.0


@ -1,292 +0,0 @@
From 982024e6775c9a9c78713be82519c729107ca4e2 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Sun, 19 Jan 2020 14:13:36 -0500
Subject: [PATCH 30/37] feat: AllowZoneDrifting config option
Older versions of firewalld had undocumented behavior known as "zone
drifting". This allowed packets to ingress multiple zones - this is a
violation of zone based firewalls. However, some users rely on this
behavior to have a "catch-all" zone, e.g. the default zone. You can
enable this if you desire such behavior. It's disabled by default for
security reasons.
Note: If "yes" packets will only drift from source based zones to
interface based zones (including the default zone). Packets never drift
from interface based zones to other interfaces based zones (including
the default zone).
(cherry picked from commit afadd377b09dc62b340d24bcf891d31f040d1a18)
(cherry picked from commit afbd6c0e82b77ca9b687169d69bf6c2dc17a9317)
---
config/firewalld.conf | 12 ++++++++++++
doc/xml/firewalld.conf.xml | 19 +++++++++++++++++++
doc/xml/firewalld.dbus.xml | 16 ++++++++++++++++
src/firewall/config/__init__.py.in | 1 +
src/firewall/core/fw.py | 14 ++++++++++++++
src/firewall/core/io/firewalld_conf.py | 13 +++++++++++--
src/firewall/server/config.py | 20 +++++++++++++++++---
src/tests/dbus/firewalld.conf.at | 3 +++
8 files changed, 93 insertions(+), 5 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 82ad062b8a66..532f0452212e 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -61,3 +61,15 @@ FlushAllOnReload=yes
# internet.
# Defaults to "yes".
RFC3964_IPv4=yes
+
+# AllowZoneDrifting
+# Older versions of firewalld had undocumented behavior known as "zone
+# drifting". This allowed packets to ingress multiple zones - this is a
+# violation of zone based firewalls. However, some users rely on this behavior
+# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
+# desire such behavior. It's disabled by default for security reasons.
+# Note: If "yes" packets will only drift from source based zones to interface
+# based zones (including the default zone). Packets never drift from interface
+# based zones to other interfaces based zones (including the default zone).
+# Possible values; "yes", "no". Defaults to "no".
+AllowZoneDrifting=no
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 6003a6fae855..fcfbfd2b68c1 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -183,6 +183,25 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>AllowZoneDrifting</option></term>
+ <listitem>
+ <para>
+ Older versions of firewalld had undocumented behavior known
+ as "zone drifting". This allowed packets to ingress multiple
+ zones - this is a violation of zone based firewalls. However,
+ some users rely on this behavior to have a "catch-all" zone,
+ e.g. the default zone. You can enable this if you desire such
+ behavior. It's disabled by default for security reasons.
+ Note: If "yes" packets will only drift from source based zones
+ to interface based zones (including the default zone). Packets
+ never drift from interface based zones to other interfaces
+ based zones (including the default zone).
+ Valid values; "yes", "no". Defaults to "no".
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 66b0475ec0c8..5d77af976443 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2578,6 +2578,22 @@
<refsect3 id="FirewallD1.config.Properties">
<title>Properties</title>
<variablelist>
+ <varlistentry id="FirewallD1.config.Properties.AllowZoneDrifting">
+ <term><parameter>AllowZoneDrifting</parameter> - s - (rw)</term>
+ <listitem><para>
+ Older versions of firewalld had undocumented behavior known
+ as "zone drifting". This allowed packets to ingress multiple
+ zones - this is a violation of zone based firewalls. However,
+ some users rely on this behavior to have a "catch-all" zone,
+ e.g. the default zone. You can enable this if you desire such
+ behavior. It's disabled by default for security reasons.
+ Note: If "yes" packets will only drift from source based zones
+ to interface based zones (including the default zone). Packets
+ never drift from interface based zones to other interfaces
+ based zones (including the default zone).
+ Valid values; "yes", "no". Defaults to "no".
+ </para></listitem>
+ </varlistentry>
<varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
<term>AutomaticHelpers - s - (rw)</term>
<listitem>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 3274dd430e4e..481eb8de758d 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -130,3 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"
FALLBACK_FIREWALL_BACKEND = "nftables"
FALLBACK_FLUSH_ALL_ON_RELOAD = True
FALLBACK_RFC3964_IPV4 = True
+FALLBACK_ALLOW_ZONE_DRIFTING = False
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 050fb9cd976d..6206ed586988 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -123,6 +123,7 @@ class Firewall(object):
self._firewall_backend = config.FALLBACK_FIREWALL_BACKEND
self._flush_all_on_reload = config.FALLBACK_FLUSH_ALL_ON_RELOAD
self._rfc3964_ipv4 = config.FALLBACK_RFC3964_IPV4
+ self._allow_zone_drifting = config.FALLBACK_ALLOW_ZONE_DRIFTING
def individual_calls(self):
return self._individual_calls
@@ -286,6 +287,19 @@ class Firewall(object):
log.debug1("RFC3964_IPv4 is set to '%s'",
self._rfc3964_ipv4)
+ if self._firewalld_conf.get("AllowZoneDrifting"):
+ value = self._firewalld_conf.get("AllowZoneDrifting")
+ if value.lower() in [ "no", "false" ]:
+ self._allow_zone_drifting = False
+ else:
+ self._allow_zone_drifting = True
+ log.warning("AllowZoneDrifting is enabled. This is considered "
+ "an insecure configuration option. It will be "
+ "removed in a future release. Please consider "
+ "disabling it now.")
+ log.debug1("AllowZoneDrifting is set to '%s'",
+ self._allow_zone_drifting)
+
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
self._select_firewall_backend(self._firewall_backend)
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 9e2205f93d63..7c7092120676 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -28,10 +28,10 @@ from firewall import config
from firewall.core.logger import log
from firewall.functions import b2u, u2b, PY2
-valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
+valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls", "LogDenied",
"AutomaticHelpers", "FirewallBackend", "FlushAllOnReload",
- "RFC3964_IPv4" ]
+ "RFC3964_IPv4", "AllowZoneDrifting" ]
class firewalld_conf(object):
def __init__(self, filename):
@@ -83,6 +83,7 @@ class firewalld_conf(object):
self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND)
self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no")
self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no")
+ self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no")
raise
for line in f:
@@ -202,6 +203,14 @@ class firewalld_conf(object):
config.FALLBACK_RFC3964_IPV4)
self.set("RFC3964_IPv4", str(config.FALLBACK_RFC3964_IPV4))
+ value = self.get("AllowZoneDrifting")
+ if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
+ if value is not None:
+ log.warning("AllowZoneDrifting '%s' is not valid, using default "
+ "value %s", value if value else '',
+ config.FALLBACK_ALLOW_ZONE_DRIFTING)
+ self.set("AllowZoneDrifting", str(config.FALLBACK_ALLOW_ZONE_DRIFTING))
+
# save to self.filename if there are key/value changes
def write(self):
if len(self._config) < 1:
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index 1c35f5663d29..b3e193d7e468 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -107,6 +107,7 @@ class FirewallDConfig(slip.dbus.service.Object):
"FirewallBackend": "readwrite",
"FlushAllOnReload": "readwrite",
"RFC3964_IPv4": "readwrite",
+ "AllowZoneDrifting": "readwrite",
})
@handle_exceptions
@@ -487,7 +488,8 @@ class FirewallDConfig(slip.dbus.service.Object):
if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
"LogDenied", "AutomaticHelpers", "FirewallBackend",
- "FlushAllOnReload", "RFC3964_IPv4" ]:
+ "FlushAllOnReload", "RFC3964_IPv4",
+ "AllowZoneDrifting" ]:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
"Property '%s' does not exist" % prop)
@@ -540,6 +542,10 @@ class FirewallDConfig(slip.dbus.service.Object):
if value is None:
value = "yes" if config.FALLBACK_RFC3964_IPV4 else "no"
return dbus.String(value)
+ elif prop == "AllowZoneDrifting":
+ if value is None:
+ value = "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no"
+ return dbus.String(value)
@dbus_handle_exceptions
def _get_dbus_property(self, prop):
@@ -565,6 +571,8 @@ class FirewallDConfig(slip.dbus.service.Object):
return dbus.String(self._get_property(prop))
elif prop == "RFC3964_IPv4":
return dbus.String(self._get_property(prop))
+ elif prop == "AllowZoneDrifting":
+ return dbus.String(self._get_property(prop))
else:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
@@ -605,7 +613,8 @@ class FirewallDConfig(slip.dbus.service.Object):
for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
"LogDenied", "AutomaticHelpers", "FirewallBackend",
- "FlushAllOnReload", "RFC3964_IPv4" ]:
+ "FlushAllOnReload", "RFC3964_IPv4",
+ "AllowZoneDrifting" ]:
ret[x] = self._get_property(x)
elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
@@ -633,7 +642,7 @@ class FirewallDConfig(slip.dbus.service.Object):
"IPv6_rpfilter", "IndividualCalls",
"LogDenied", "AutomaticHelpers",
"FirewallBackend", "FlushAllOnReload",
- "RFC3964_IPv4" ]:
+ "RFC3964_IPv4", "AllowZoneDrifting" ]:
if property_name == "MinimalMark":
try:
int(new_value)
@@ -677,6 +686,11 @@ class FirewallDConfig(slip.dbus.service.Object):
raise FirewallError(errors.INVALID_VALUE,
"'%s' for %s" % \
(new_value, property_name))
+ if property_name == "AllowZoneDrifting":
+ if new_value.lower() not in ["yes", "true", "no", "false"]:
+ raise FirewallError(errors.INVALID_VALUE,
+ "'%s' for %s" % \
+ (new_value, property_name))
self.config.get_firewalld_conf().set(property_name, new_value)
self.config.get_firewalld_conf().write()
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 06f6df9bdd70..35aead759a9c 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -4,6 +4,7 @@ AT_KEYWORDS(dbus)
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
IF_HOST_SUPPORTS_NFT_FIB([
DBUS_GETALL([config], [config], 0, [dnl
+string "AllowZoneDrifting" : variant string "no"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
@@ -17,6 +18,7 @@ string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])], [
DBUS_GETALL([config], [config], 0, [dnl
+string "AllowZoneDrifting" : variant string "no"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
@@ -49,6 +51,7 @@ _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
_helper([FlushAllOnReload], [string:"no"], [variant string "no"])
_helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
_helper([RFC3964_IPv4], [string:"no"], [variant string "no"])
+_helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"])
dnl Note: DefaultZone is RO
m4_undefine([_helper])
--
2.23.0


@ -0,0 +1,42 @@
From 8058fda3072600ce65851b43cd3422fe0acdecb4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 8 Jun 2020 14:11:27 -0400
Subject: [PATCH 30/45] test(rich): source mac with nftables backend
With the nftables backend firewalld fails to add a rule that matches the
source mac address.
(cherry picked from commit ef555fa1538b8df414fecaf400653fb0a95322db)
(cherry picked from commit a1fe0b082aec4ea5f175854412cd7ab4eef4e294)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1843398.at | 8 ++++++++
2 files changed, 9 insertions(+)
create mode 100644 src/tests/regression/rhbz1843398.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index c3a5706c6406..984d299bfd4e 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -29,3 +29,4 @@ m4_include([regression/rhbz1779835.at])
m4_include([regression/gh330.at])
m4_include([regression/gh599.at])
m4_include([regression/rhbz1829104.at])
+m4_include([regression/rhbz1843398.at])
diff --git a/src/tests/regression/rhbz1843398.at b/src/tests/regression/rhbz1843398.at
new file mode 100644
index 000000000000..4606e8497223
--- /dev/null
+++ b/src/tests/regression/rhbz1843398.at
@@ -0,0 +1,8 @@
+FWD_START_TEST([rich rule source mac])
+AT_KEYWORDS(rich rhbz1843398 gh643)
+
+FWD_CHECK([--permanent --add-rich-rule='rule source mac="11:22:33:44:55:66" reject'], 0, [ignore])
+FWD_CHECK([ --add-rich-rule='rule source mac="11:22:33:44:55:66" reject'], 0, [ignore])
+FWD_RELOAD
+
+FWD_END_TEST
--
2.27.0


@ -0,0 +1,27 @@
From 944b49770943ec485212f2ca50d73231b7495d65 Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Wed, 10 Jun 2020 17:55:54 -0400
Subject: [PATCH 31/45] docs(README): add libxslt for doc generation
(cherry picked from commit 1e9638b07a9c740a4ab5128708f9a40acc2d4668)
(cherry picked from commit 32c7f4c7eeafa4298ca403f45db8fda49f01ed2e)
---
README | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README b/README
index 120543588540..7c00c3094949 100644
--- a/README
+++ b/README
@@ -58,7 +58,7 @@ For use with Python 2:
To be able to create man pages and documentation from docbook files:
docbook-style-xsl
-
+ libxslt
Use the usual autoconf/automake incantation to generate makefiles
--
2.27.0


@ -1,177 +0,0 @@
From 8d480dea4b3fd4ecce20c1569d000cb999dd50f6 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Sun, 19 Jan 2020 14:37:31 -0500
Subject: [PATCH 31/37] feat: nftables: support AllowZoneDrifting=yes
(cherry picked from commit 517a061c5886f2ebfb4aa7d73804aa7f3c5a3004)
(cherry picked from commit 92c5926bb9e493545f8d949ba00cbf72e4c7f202)
---
src/firewall/core/nftables.py | 91 ++++++++++++++++++++---------------
1 file changed, 52 insertions(+), 39 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index cb8521fb7a5a..c8e893b5dbf6 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -208,8 +208,11 @@ class nftables(object):
index = zone_source_index_cache[family].index(zone_source)
else:
- index = len(zone_source_index_cache[family])
-
+ if self._fw._allow_zone_drifting:
+ index = 0
+ else:
+ index = len(zone_source_index_cache[family])
+
_verb_snippet = rule[verb]
del rule[verb]
if index == 0:
@@ -506,13 +509,14 @@ class nftables(object):
"prio": IPTABLES_TO_NFT_HOOK["raw"][chain][1]}}})
for chain in ["PREROUTING"]:
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "raw_%s_ZONES" % chain}}})
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "raw_%s" % chain,
- "expr": [{"jump": {"target": "raw_%s_ZONES" % chain}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "raw_%s_%s" % (chain, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "raw_%s" % chain,
+ "expr": [{"jump": {"target": "raw_%s_%s" % (chain, dispatch_suffix)}}]}}})
for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys():
default_rules.append({"add": {"chain": {"family": "inet",
@@ -521,13 +525,14 @@ class nftables(object):
"type": "filter",
"hook": "%s" % IPTABLES_TO_NFT_HOOK["mangle"][chain][0],
"prio": IPTABLES_TO_NFT_HOOK["mangle"][chain][1]}}})
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "mangle_%s_ZONES" % chain}}})
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "mangle_%s" % chain,
- "expr": [{"jump": {"target": "mangle_%s_ZONES" % chain}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "mangle_%s_%s" % (chain, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "mangle_%s" % chain,
+ "expr": [{"jump": {"target": "mangle_%s_%s" % (chain, dispatch_suffix)}}]}}})
for family in ["ip", "ip6"]:
for chain in IPTABLES_TO_NFT_HOOK["nat"].keys():
@@ -537,13 +542,15 @@ class nftables(object):
"type": "nat",
"hook": "%s" % IPTABLES_TO_NFT_HOOK["nat"][chain][0],
"prio": IPTABLES_TO_NFT_HOOK["nat"][chain][1]}}})
- default_rules.append({"add": {"chain": {"family": family,
- "table": TABLE_NAME,
- "name": "nat_%s_ZONES" % chain}}})
- default_rules.append({"add": {"rule": {"family": family,
- "table": TABLE_NAME,
- "chain": "nat_%s" % chain,
- "expr": [{"jump": {"target": "nat_%s_ZONES" % chain}}]}}})
+
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append({"add": {"chain": {"family": family,
+ "table": TABLE_NAME,
+ "name": "nat_%s_%s" % (chain, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": family,
+ "table": TABLE_NAME,
+ "chain": "nat_%s" % chain,
+ "expr": [{"jump": {"target": "nat_%s_%s" % (chain, dispatch_suffix)}}]}}})
for chain in IPTABLES_TO_NFT_HOOK["filter"].keys():
default_rules.append({"add": {"chain": {"family": "inet",
@@ -554,9 +561,6 @@ class nftables(object):
"prio": IPTABLES_TO_NFT_HOOK["filter"][chain][1]}}})
# filter, INPUT
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "filter_%s_ZONES" % "INPUT"}}})
default_rules.append({"add": {"rule": {"family": "inet",
"table": TABLE_NAME,
"chain": "filter_%s" % "INPUT",
@@ -578,10 +582,14 @@ class nftables(object):
"op": "==",
"right": "lo"}},
{"accept": None}]}}})
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "filter_%s" % "INPUT",
- "expr": [{"jump": {"target": "filter_%s_ZONES" % "INPUT"}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "filter_%s" % "INPUT",
+ "expr": [{"jump": {"target": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}]}}})
if log_denied != "off":
default_rules.append({"add": {"rule": {"family": "inet",
"table": TABLE_NAME,
@@ -610,10 +618,6 @@ class nftables(object):
"expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}})
# filter, FORWARD
- for direction in ["IN", "OUT"]:
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "filter_%s_%s_ZONES" % ("FORWARD", direction)}}})
default_rules.append({"add": {"rule": {"family": "inet",
"table": TABLE_NAME,
"chain": "filter_%s" % "FORWARD",
@@ -636,10 +640,14 @@ class nftables(object):
"right": "lo"}},
{"accept": None}]}}})
for direction in ["IN", "OUT"]:
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "filter_%s" % "FORWARD",
- "expr": [{"jump": {"target": "filter_%s_%s_ZONES" % ("FORWARD", direction)}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "filter_%s_%s_%s" % ("FORWARD", direction, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "filter_%s" % "FORWARD",
+ "expr": [{"jump": {"target": "filter_%s_%s_%s" % ("FORWARD", direction, dispatch_suffix)}}]}}})
if log_denied != "off":
default_rules.append({"add": {"rule": {"family": "inet",
"table": TABLE_NAME,
@@ -778,12 +786,17 @@ class nftables(object):
"OUTPUT": "daddr",
}[chain]
+ if self._fw._allow_zone_drifting:
+ zone_dispatch_chain = "%s_%s_ZONES_SOURCE" % (table, chain)
+ else:
+ zone_dispatch_chain = "%s_%s_ZONES" % (table, chain)
+
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
action = "goto"
rule = {"family": family,
"table": TABLE_NAME,
- "chain": "%s_%s_ZONES" % (table, chain),
+ "chain": zone_dispatch_chain,
"expr": [self._rule_addr_fragment(opt, address),
{action: {"target": "%s_%s" % (table, target)}}]}
rule.update(self._zone_source_fragment(zone, address))
--
2.23.0


@ -0,0 +1,56 @@
From d48ffab0a49db8c937bbd62b0b8b755b3dbca4a8 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 23 Jun 2020 13:39:49 -0400
Subject: [PATCH 32/45] docs: replace occurrences of the term blacklist with
denylist
(cherry picked from commit af3f7cd074f737c584a42cf1028f18e6fa597204)
(cherry picked from commit 621916b2dbb4cb04da4a0babc3b741202fd709b4)
---
doc/xml/firewalld.direct.xml | 12 ++++++------
src/firewall-config.glade | 2 +-
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/doc/xml/firewalld.direct.xml b/doc/xml/firewalld.direct.xml
index de7b5973dd7f..d65b66f74513 100644
--- a/doc/xml/firewalld.direct.xml
+++ b/doc/xml/firewalld.direct.xml
@@ -273,16 +273,16 @@
<title>Example</title>
<para>
- Blacklisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with logging and dropping early in the raw table:
+ Denylisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with logging and dropping early in the raw table:
<programlisting>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;direct&gt;
- &lt;chain ipv="ipv4" table="raw" chain="blacklist"/&gt;
- &lt;rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0"&gt;-s 192.168.1.0/24 -j blacklist&lt;/rule&gt;
- &lt;rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1"&gt;-s 192.168.5.0/24 -j blacklist&lt;/rule&gt;
- &lt;rule ipv="ipv4" table="raw" chain="blacklist" priority="0"&gt;-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "&lt;/rule&gt;
- &lt;rule ipv="ipv4" table="raw" chain="blacklist" priority="1"&gt;-j DROP&lt;/rule&gt;
+ &lt;chain ipv="ipv4" table="raw" chain="denylist"/&gt;
+ &lt;rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0"&gt;-s 192.168.1.0/24 -j denylist&lt;/rule&gt;
+ &lt;rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1"&gt;-s 192.168.5.0/24 -j denylist&lt;/rule&gt;
+ &lt;rule ipv="ipv4" table="raw" chain="denylist" priority="0"&gt;-m limit --limit 1/min -j LOG --log-prefix "denylisted: "&lt;/rule&gt;
+ &lt;rule ipv="ipv4" table="raw" chain="denylist" priority="1"&gt;-j DROP&lt;/rule&gt;
&lt;/direct&gt;
</programlisting>
diff --git a/src/firewall-config.glade b/src/firewall-config.glade
index 689433c47eca..6c057f66f401 100644
--- a/src/firewall-config.glade
+++ b/src/firewall-config.glade
@@ -9761,7 +9761,7 @@
<object class="GtkLabel" id="label38">
<property name="can_focus">False</property>
<property name="halign">start</property>
- <property name="label" translatable="yes">For host or network white or blacklisting deactivate the element.</property>
+ <property name="label" translatable="yes">For host or network allow or denylisting deactivate the element.</property>
<property name="wrap">True</property>
<property name="xalign">0</property>
<property name="yalign">0</property>
--
2.27.0


@ -1,178 +0,0 @@
From e6a56f32e2eced533a8edbc97652de6b436df63a Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Sun, 19 Jan 2020 16:16:59 -0500
Subject: [PATCH 32/37] feat: ipXtables: support AllowZoneDrifting=yes
(cherry picked from commit 1f7b5ffcd40daf2a7f2ef1ec0cccb95080e74fb6)
(cherry picked from commit c6b6ab1c0625bfd906a7783e3924b676b514cf6b)
---
src/firewall/core/ipXtables.py | 93 +++++++++++++++++++---------------
1 file changed, 51 insertions(+), 42 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 973bf5bbae04..61c307d0e05a 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -323,8 +323,11 @@ class ip4tables(object):
index = zone_source_index_cache.index(zone_source)
else:
- index = len(zone_source_index_cache)
-
+ if self._fw._allow_zone_drifting:
+ index = 0
+ else:
+ index = len(zone_source_index_cache)
+
rule[0] = "-I"
rule.insert(2, "%d" % (index + 1))
@@ -666,9 +669,10 @@ class ip4tables(object):
self.our_chains["raw"].add("%s_direct" % chain)
if chain == "PREROUTING":
- default_rules["raw"].append("-N %s_ZONES" % chain)
- default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain))
- self.our_chains["raw"].update(set(["%s_ZONES" % chain]))
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules["raw"].append("-N %s_%s" % (chain, dispatch_suffix))
+ default_rules["raw"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
+ self.our_chains["raw"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
if self.get_available_tables("mangle"):
default_rules["mangle"] = [ ]
@@ -679,9 +683,10 @@ class ip4tables(object):
self.our_chains["mangle"].add("%s_direct" % chain)
if chain == "PREROUTING":
- default_rules["mangle"].append("-N %s_ZONES" % chain)
- default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain))
- self.our_chains["mangle"].update(set(["%s_ZONES" % chain]))
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules["mangle"].append("-N %s_%s" % (chain, dispatch_suffix))
+ default_rules["mangle"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
+ self.our_chains["mangle"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
if self.get_available_tables("nat"):
default_rules["nat"] = [ ]
@@ -692,19 +697,22 @@ class ip4tables(object):
self.our_chains["nat"].add("%s_direct" % chain)
if chain in [ "PREROUTING", "POSTROUTING" ]:
- default_rules["nat"].append("-N %s_ZONES" % chain)
- default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain))
- self.our_chains["nat"].update(set(["%s_ZONES" % chain]))
-
- default_rules["filter"] = [
- "-N INPUT_direct",
- "-N INPUT_ZONES",
-
- "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT",
- "-A INPUT -i lo -j ACCEPT",
- "-A INPUT -j INPUT_direct",
- "-A INPUT -j INPUT_ZONES",
- ]
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules["nat"].append("-N %s_%s" % (chain, dispatch_suffix))
+ default_rules["nat"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
+ self.our_chains["nat"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
+
+ default_rules["filter"] = []
+ self.our_chains["filter"] = set()
+ default_rules["filter"].append("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT")
+ default_rules["filter"].append("-A INPUT -i lo -j ACCEPT")
+ default_rules["filter"].append("-N INPUT_direct")
+ default_rules["filter"].append("-A INPUT -j INPUT_direct")
+ self.our_chains["filter"].update(set("INPUT_direct"))
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules["filter"].append("-N INPUT_%s" % (dispatch_suffix))
+ default_rules["filter"].append("-A INPUT -j INPUT_%s" % (dispatch_suffix))
+ self.our_chains["filter"].update(set("INPUT_%s" % (dispatch_suffix)))
if log_denied != "off":
default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID -j DROP")
@@ -712,17 +720,16 @@ class ip4tables(object):
default_rules["filter"].append("-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '")
default_rules["filter"].append("-A INPUT -j %%REJECT%%")
- default_rules["filter"] += [
- "-N FORWARD_direct",
- "-N FORWARD_IN_ZONES",
- "-N FORWARD_OUT_ZONES",
-
- "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT",
- "-A FORWARD -i lo -j ACCEPT",
- "-A FORWARD -j FORWARD_direct",
- "-A FORWARD -j FORWARD_IN_ZONES",
- "-A FORWARD -j FORWARD_OUT_ZONES",
- ]
+ default_rules["filter"].append("-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT")
+ default_rules["filter"].append("-A FORWARD -i lo -j ACCEPT")
+ default_rules["filter"].append("-N FORWARD_direct")
+ default_rules["filter"].append("-A FORWARD -j FORWARD_direct")
+ self.our_chains["filter"].update(set("FORWARD_direct"))
+ for direction in ["IN", "OUT"]:
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules["filter"].append("-N FORWARD_%s_%s" % (direction, dispatch_suffix))
+ default_rules["filter"].append("-A FORWARD -j FORWARD_%s_%s" % (direction, dispatch_suffix))
+ self.our_chains["filter"].update(set("FORWARD_%s_%s" % (direction, dispatch_suffix)))
if log_denied != "off":
default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID -j DROP")
@@ -736,10 +743,7 @@ class ip4tables(object):
"-A OUTPUT -o lo -j ACCEPT",
"-A OUTPUT -j OUTPUT_direct",
]
-
- self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES",
- "FORWARD_direct", "FORWARD_IN_ZONES",
- "FORWARD_OUT_ZONES", "OUTPUT_direct"])
+ self.our_chains["filter"].update(set("OUTPUT_direct"))
final_default_rules = []
for table in default_rules:
@@ -805,6 +809,11 @@ class ip4tables(object):
"OUTPUT": "-d",
}[chain]
+ if self._fw._allow_zone_drifting:
+ zone_dispatch_chain = "%s_ZONES_SOURCE" % (chain)
+ else:
+ zone_dispatch_chain = "%s_ZONES" % (chain)
+
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
action = "-g"
@@ -815,8 +824,8 @@ class ip4tables(object):
else:
opt = "src"
flags = ",".join([opt] * self._fw.ipset.get_dimension(name))
- rule = [ add_del,
- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
+ rule = [ add_del, zone_dispatch_chain,
+ "%%ZONE_SOURCE%%", zone,
"-t", table,
"-m", "set", "--match-set", name,
flags, action, target ]
@@ -825,14 +834,14 @@ class ip4tables(object):
# outgoing can not be set
if opt == "-d":
return ""
- rule = [ add_del,
- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
+ rule = [ add_del, zone_dispatch_chain,
+ "%%ZONE_SOURCE%%", zone,
"-t", table,
"-m", "mac", "--mac-source", address.upper(),
action, target ]
else:
- rule = [ add_del,
- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
+ rule = [ add_del, zone_dispatch_chain,
+ "%%ZONE_SOURCE%%", zone,
"-t", table,
opt, address, action, target ]
return [rule]
--
2.23.0


@ -0,0 +1,31 @@
From 542e44f2ba257b7f643770c9e2eedcf9a9f87c9c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Jun 2020 11:08:58 +0300
Subject: [PATCH 33/45] fix: update dynamic DCE RPC ports in freeipa-trust
service
Samba did change DCE RPC dynamic port range to 49152-65535 with version
4.7.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
(cherry picked from commit 0753d6e653b804779f7301737809767f0d5cf9af)
(cherry picked from commit 88bbe05e5bdd510cc2544f2fb201186ef2abb8bb)
---
config/services/freeipa-trust.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/services/freeipa-trust.xml b/config/services/freeipa-trust.xml
index 100cab614abe..315f69cce150 100644
--- a/config/services/freeipa-trust.xml
+++ b/config/services/freeipa-trust.xml
@@ -9,6 +9,6 @@
<port protocol="udp" port="389"/>
<port protocol="tcp" port="445"/>
<port protocol="udp" port="445"/>
- <port protocol="tcp" port="1024-1300"/>
+ <port protocol="tcp" port="49152-65535"/><!-- Dynamic RPC Ports -->
<port protocol="tcp" port="3268"/>
</service>
--
2.27.0
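Review bot: The inline comment `<!-- Dynamic RPC Ports -->` on the new `<port>` line gives no source for the 49152-65535 range, so a later reader cannot tell whether it is arbitrary or tied to a Samba default. Since the commit message attributes it to Samba 4.7, I would extend it to `<!-- Dynamic RPC Ports: Samba >= 4.7 default for 'rpc server dynamic port range' -->`. The same comment should note that this opens the entire IANA dynamic range (16384 TCP ports) instead of the previous 277, so a host whose smb.conf narrows that setting should narrow this service definition to match. Dropping the old 1024-1300 range entirely is presumably intended for hosts running Samba 4.7 or newer, as the description states, but that assumption is worth recording in the comment as well.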


@ -1,939 +0,0 @@
From 3e3369ef14f4eba22a5c37113ba6d5e19c7ebc24 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Sun, 19 Jan 2020 16:49:14 -0500
Subject: [PATCH 33/37] test: verify AllowZoneDrifting=yes
Verify the zone dispatch layout.
(cherry picked from commit bca4e6af91fc4c6a55f7c2bce9e4fe7bcee526a1)
(cherry picked from commit 8f9ba9bc80f039408992e1b780bca0beab8bd92c)
---
src/tests/regression/gh258.at | 536 +++++++++++++++++++++++++---
src/tests/regression/rhbz1734765.at | 180 +++++++++-
2 files changed, 671 insertions(+), 45 deletions(-)
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
index 4bbea4c25442..d414c611fa26 100644
--- a/src/tests/regression/gh258.at
+++ b/src/tests/regression/gh258.at
@@ -1,12 +1,15 @@
FWD_START_TEST([zone dispatch layout])
-AT_KEYWORDS(zone gh258 gh441 rhbz1713823)
+AT_KEYWORDS(zone gh258 gh441 rhbz1713823 rhbz1772208 rhbz1796055)
-FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore)
+FWD_CHECK([--permanent --zone=trusted --add-source="1.2.3.0/24"], 0, ignore)
IF_HOST_SUPPORTS_IPV6_RULES([
-FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore)
+FWD_CHECK([--permanent --zone=public --add-source="dead:beef::/54"], 0, ignore)
])
-FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore)
-FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore)
+FWD_CHECK([--permanent --zone=trusted --add-interface=dummy0], 0, ignore)
+FWD_CHECK([--permanent --zone=public --add-interface=dummy1], 0, ignore)
+
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
dnl verify layout of zone dispatch
NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
@@ -25,9 +28,9 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
table inet firewalld {
chain filter_INPUT_ZONES {
ip6 saddr dead:beef::/54 goto filter_IN_public
- ip saddr 1.2.3.0/24 goto filter_IN_work
+ ip saddr 1.2.3.0/24 goto filter_IN_trusted
+ iifname "dummy0" goto filter_IN_trusted
iifname "dummy1" goto filter_IN_public
- iifname "dummy0" goto filter_IN_work
goto filter_IN_public
}
}
@@ -50,9 +53,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
table inet firewalld {
chain filter_FORWARD_IN_ZONES {
ip6 saddr dead:beef::/54 goto filter_FWDI_public
- ip saddr 1.2.3.0/24 goto filter_FWDI_work
+ ip saddr 1.2.3.0/24 goto filter_FWDI_trusted
+ iifname "dummy0" goto filter_FWDI_trusted
iifname "dummy1" goto filter_FWDI_public
- iifname "dummy0" goto filter_FWDI_work
goto filter_FWDI_public
}
}
@@ -61,9 +64,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
table inet firewalld {
chain filter_FORWARD_OUT_ZONES {
ip6 daddr dead:beef::/54 goto filter_FWDO_public
- ip daddr 1.2.3.0/24 goto filter_FWDO_work
+ ip daddr 1.2.3.0/24 goto filter_FWDO_trusted
+ oifname "dummy0" goto filter_FWDO_trusted
oifname "dummy1" goto filter_FWDO_public
- oifname "dummy0" goto filter_FWDO_work
goto filter_FWDO_public
}
}
@@ -91,9 +94,9 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
table inet firewalld {
chain raw_PREROUTING_ZONES {
ip6 saddr dead:beef::/54 goto raw_PRE_public
- ip saddr 1.2.3.0/24 goto raw_PRE_work
+ ip saddr 1.2.3.0/24 goto raw_PRE_trusted
+ iifname "dummy0" goto raw_PRE_trusted
iifname "dummy1" goto raw_PRE_public
- iifname "dummy0" goto raw_PRE_work
goto raw_PRE_public
}
}
@@ -109,9 +112,9 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
table inet firewalld {
chain mangle_PREROUTING_ZONES {
ip6 saddr dead:beef::/54 goto mangle_PRE_public
- ip saddr 1.2.3.0/24 goto mangle_PRE_work
+ ip saddr 1.2.3.0/24 goto mangle_PRE_trusted
+ iifname "dummy0" goto mangle_PRE_trusted
iifname "dummy1" goto mangle_PRE_public
- iifname "dummy0" goto mangle_PRE_work
goto mangle_PRE_public
}
}
@@ -126,9 +129,9 @@ NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
table ip firewalld {
chain nat_PREROUTING_ZONES {
- ip saddr 1.2.3.0/24 goto nat_PRE_work
+ ip saddr 1.2.3.0/24 goto nat_PRE_trusted
+ iifname "dummy0" goto nat_PRE_trusted
iifname "dummy1" goto nat_PRE_public
- iifname "dummy0" goto nat_PRE_work
goto nat_PRE_public
}
}
@@ -143,9 +146,9 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
table ip firewalld {
chain nat_POSTROUTING_ZONES {
- ip daddr 1.2.3.0/24 goto nat_POST_work
+ ip daddr 1.2.3.0/24 goto nat_POST_trusted
+ oifname "dummy0" goto nat_POST_trusted
oifname "dummy1" goto nat_POST_public
- oifname "dummy0" goto nat_POST_work
goto nat_POST_public
}
}
@@ -161,8 +164,8 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
table ip6 firewalld {
chain nat_PREROUTING_ZONES {
ip6 saddr dead:beef::/54 goto nat_PRE_public
+ iifname "dummy0" goto nat_PRE_trusted
iifname "dummy1" goto nat_PRE_public
- iifname "dummy0" goto nat_PRE_work
goto nat_PRE_public
}
}
@@ -178,8 +181,8 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
table ip6 firewalld {
chain nat_POSTROUTING_ZONES {
ip6 daddr dead:beef::/54 goto nat_POST_public
+ oifname "dummy0" goto nat_POST_trusted
oifname "dummy1" goto nat_POST_public
- oifname "dummy0" goto nat_POST_work
goto nat_POST_public
}
}
@@ -194,9 +197,9 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])
IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
- [[IN_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
- IN_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
@@ -209,15 +212,15 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])
IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
- [[FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
- FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
- [[FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]
+ [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
+ FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
- FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
@@ -225,9 +228,9 @@ IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
- [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
@@ -235,9 +238,9 @@ IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
- [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
@@ -245,9 +248,9 @@ IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
- [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
@@ -255,9 +258,9 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
- [[POST_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]
+ [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
+ POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
- POST_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
@@ -271,8 +274,8 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
])
IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
[[IN_public all dead:beef::/54 ::/0 [goto]
+ IN_trusted all ::/0 ::/0 [goto]
IN_public all ::/0 ::/0 [goto]
- IN_work all ::/0 ::/0 [goto]
IN_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
@@ -287,14 +290,14 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
])
IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
[[FWDI_public all dead:beef::/54 ::/0 [goto]
+ FWDI_trusted all ::/0 ::/0 [goto]
FWDI_public all ::/0 ::/0 [goto]
- FWDI_work all ::/0 ::/0 [goto]
FWDI_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
[[FWDO_public all ::/0 dead:beef::/54 [goto]
+ FWDO_trusted all ::/0 ::/0 [goto]
FWDO_public all ::/0 ::/0 [goto]
- FWDO_work all ::/0 ::/0 [goto]
FWDO_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
@@ -306,8 +309,8 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
])
IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
[[PRE_public all dead:beef::/54 ::/0 [goto]
+ PRE_trusted all ::/0 ::/0 [goto]
PRE_public all ::/0 ::/0 [goto]
- PRE_work all ::/0 ::/0 [goto]
PRE_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
@@ -316,8 +319,8 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
])
IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
[[PRE_public all dead:beef::/54 ::/0 [goto]
+ PRE_trusted all ::/0 ::/0 [goto]
PRE_public all ::/0 ::/0 [goto]
- PRE_work all ::/0 ::/0 [goto]
PRE_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
@@ -326,8 +329,8 @@ IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
])
IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
[[PRE_public all dead:beef::/54 ::/0 [goto]
+ PRE_trusted all ::/0 ::/0 [goto]
PRE_public all ::/0 ::/0 [goto]
- PRE_work all ::/0 ::/0 [goto]
PRE_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
@@ -336,9 +339,456 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
])
IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
[[POST_public all ::/0 dead:beef::/54 [goto]
+ POST_trusted all ::/0 ::/0 [goto]
+ POST_public all ::/0 ::/0 [goto]
+ POST_public all ::/0 ::/0 [goto]
+]])
+
+dnl ##########################################################################
+dnl ##########################################################################
+dnl We also support zone drifting in which source based zones fall through to
+dnl interface based zones (including default zone).
+dnl ##########################################################################
+dnl ##########################################################################
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf])
+FWD_RELOAD
+
+NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT {
+ ct state established,related accept
+ ct status dnat accept
+ iifname "lo" accept
+ jump filter_INPUT_ZONES_SOURCE
+ jump filter_INPUT_ZONES
+ ct state invalid drop
+ reject with icmpx type admin-prohibited
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT_ZONES_SOURCE {
+ ip6 saddr dead:beef::/54 goto filter_IN_public
+ ip saddr 1.2.3.0/24 goto filter_IN_trusted
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT_ZONES {
+ iifname "dummy0" goto filter_IN_trusted
+ iifname "dummy1" goto filter_IN_public
+ goto filter_IN_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD {
+ ct state established,related accept
+ ct status dnat accept
+ iifname "lo" accept
+ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
+ jump filter_FORWARD_IN_ZONES_SOURCE
+ jump filter_FORWARD_IN_ZONES
+ jump filter_FORWARD_OUT_ZONES_SOURCE
+ jump filter_FORWARD_OUT_ZONES
+ ct state invalid drop
+ reject with icmpx type admin-prohibited
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_SOURCE], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_IN_ZONES_SOURCE {
+ ip6 saddr dead:beef::/54 goto filter_FWDI_public
+ ip saddr 1.2.3.0/24 goto filter_FWDI_trusted
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_IN_ZONES {
+ iifname "dummy0" goto filter_FWDI_trusted
+ iifname "dummy1" goto filter_FWDI_public
+ goto filter_FWDI_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_SOURCE], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_OUT_ZONES_SOURCE {
+ ip6 daddr dead:beef::/54 goto filter_FWDO_public
+ ip daddr 1.2.3.0/24 goto filter_FWDO_trusted
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD_OUT_ZONES {
+ oifname "dummy0" goto filter_FWDO_trusted
+ oifname "dummy1" goto filter_FWDO_public
+ goto filter_FWDO_public
+ }
+ }
+])
+IF_HOST_SUPPORTS_NFT_FIB([
+ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
+ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
+ meta nfproto ipv6 fib saddr . iif oif missing drop
+ jump raw_PREROUTING_ZONES_SOURCE
+ jump raw_PREROUTING_ZONES
+ }
+ }
+ ])
+], [
+ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
+ jump raw_PREROUTING_ZONES_SOURCE
+ jump raw_PREROUTING_ZONES
+ }
+ }
+ ])
+])
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_SOURCE], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING_ZONES_SOURCE {
+ ip6 saddr dead:beef::/54 goto raw_PRE_public
+ ip saddr 1.2.3.0/24 goto raw_PRE_trusted
+ }
+ }
+])
+NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING_ZONES {
+ iifname "dummy0" goto raw_PRE_trusted
+ iifname "dummy1" goto raw_PRE_public
+ goto raw_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain mangle_PREROUTING {
+ jump mangle_PREROUTING_ZONES_SOURCE
+ jump mangle_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_SOURCE], 0, [dnl
+ table inet firewalld {
+ chain mangle_PREROUTING_ZONES_SOURCE {
+ ip6 saddr dead:beef::/54 goto mangle_PRE_public
+ ip saddr 1.2.3.0/24 goto mangle_PRE_trusted
+ }
+ }
+])
+NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
+ table inet firewalld {
+ chain mangle_PREROUTING_ZONES {
+ iifname "dummy0" goto mangle_PRE_trusted
+ iifname "dummy1" goto mangle_PRE_public
+ goto mangle_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
+ table ip firewalld {
+ chain nat_PREROUTING {
+ jump nat_PREROUTING_ZONES_SOURCE
+ jump nat_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl
+ table ip firewalld {
+ chain nat_PREROUTING_ZONES_SOURCE {
+ ip saddr 1.2.3.0/24 goto nat_PRE_trusted
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
+ table ip firewalld {
+ chain nat_PREROUTING_ZONES {
+ iifname "dummy0" goto nat_PRE_trusted
+ iifname "dummy1" goto nat_PRE_public
+ goto nat_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING {
+ jump nat_POSTROUTING_ZONES_SOURCE
+ jump nat_POSTROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ ip daddr 1.2.3.0/24 goto nat_POST_trusted
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES {
+ oifname "dummy0" goto nat_POST_trusted
+ oifname "dummy1" goto nat_POST_public
+ goto nat_POST_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl
+ table ip6 firewalld {
+ chain nat_PREROUTING {
+ jump nat_PREROUTING_ZONES_SOURCE
+ jump nat_PREROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl
+ table ip6 firewalld {
+ chain nat_PREROUTING_ZONES_SOURCE {
+ ip6 saddr dead:beef::/54 goto nat_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
+ table ip6 firewalld {
+ chain nat_PREROUTING_ZONES {
+ iifname "dummy0" goto nat_PRE_trusted
+ iifname "dummy1" goto nat_PRE_public
+ goto nat_PRE_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING {
+ jump nat_POSTROUTING_ZONES_SOURCE
+ jump nat_POSTROUTING_ZONES
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ ip6 daddr dead:beef::/54 goto nat_POST_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING_ZONES {
+ oifname "dummy0" goto nat_POST_trusted
+ oifname "dummy1" goto nat_POST_public
+ goto nat_POST_public
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+ INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
+ INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
+ INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+])
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
+ [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
+ [[IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+])
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0,
+ [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
+ [[FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0,
+ [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
+]])
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
+ [[FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0,
+ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
+ [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0,
+ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
+ [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
+ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
+ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0,
+ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
+ [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
+ POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
+ POSTROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
+ POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+])
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
+ [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto]
+]])
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+ [[POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+
+IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
+ ACCEPT all ::/0 ::/0
+ INPUT_direct all ::/0 ::/0
+ INPUT_ZONES_SOURCE all ::/0 ::/0
+ INPUT_ZONES all ::/0 ::/0
+ DROP all ::/0 ::/0 ctstate INVALID
+ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
+ [[IN_public all dead:beef::/54 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
+ [[IN_trusted all ::/0 ::/0 [goto]
+ IN_public all ::/0 ::/0 [goto]
+ IN_public all ::/0 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
+ ACCEPT all ::/0 ::/0
+ FORWARD_direct all ::/0 ::/0
+ RFC3964_IPv4 all ::/0 ::/0
+ FORWARD_IN_ZONES_SOURCE all ::/0 ::/0
+ FORWARD_IN_ZONES all ::/0 ::/0
+ FORWARD_OUT_ZONES_SOURCE all ::/0 ::/0
+ FORWARD_OUT_ZONES all ::/0 ::/0
+ DROP all ::/0 ::/0 ctstate INVALID
+ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0,
+ [[FWDI_public all dead:beef::/54 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
+ [[FWDI_trusted all ::/0 ::/0 [goto]
+ FWDI_public all ::/0 ::/0 [goto]
+ FWDI_public all ::/0 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0,
+ [[FWDO_public all ::/0 dead:beef::/54 [goto]
+]])
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
+ [[FWDO_trusted all ::/0 ::/0 [goto]
+ FWDO_public all ::/0 ::/0 [goto]
+ FWDO_public all ::/0 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
+ DROP all ::/0 ::/0 rpfilter invert
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES_SOURCE all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0,
+ [[PRE_public all dead:beef::/54 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
+ [[PRE_trusted all ::/0 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES_SOURCE all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0,
+ [[PRE_public all dead:beef::/54 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
+ [[PRE_trusted all ::/0 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
+ PREROUTING_direct all ::/0 ::/0
+ PREROUTING_ZONES_SOURCE all ::/0 ::/0
+ PREROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0,
+ [[PRE_public all dead:beef::/54 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
+ [[PRE_trusted all ::/0 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
+ POSTROUTING_direct all ::/0 ::/0
+ POSTROUTING_ZONES_SOURCE all ::/0 ::/0
+ POSTROUTING_ZONES all ::/0 ::/0
+])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
+ [[POST_public all ::/0 dead:beef::/54 [goto]
+]])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+ [[POST_trusted all ::/0 ::/0 [goto]
POST_public all ::/0 ::/0 [goto]
- POST_work all ::/0 ::/0 [goto]
POST_public all ::/0 ::/0 [goto]
]])
-FWD_END_TEST
+FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d'])
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
index 972457e3126e..bb054bdb0361 100644
--- a/src/tests/regression/rhbz1734765.at
+++ b/src/tests/regression/rhbz1734765.at
@@ -1,9 +1,12 @@
FWD_START_TEST([zone sources ordered by name])
-AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545)
+AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545 rhbz1772208 rhbz1796055)
dnl
dnl Users depend on firewalld ordering source-based zone dispatch by zone name.
dnl
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
FWD_CHECK([-q --permanent --new-zone=foobar_00])
FWD_CHECK([-q --permanent --new-zone=foobar_05])
FWD_CHECK([-q --permanent --new-zone=foobar_02])
@@ -196,4 +199,177 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
POST_public all ::/0 ::/0 [goto]
]])
-FWD_END_TEST
+dnl ##########################################################################
+dnl ##########################################################################
+dnl We also support zone drifting in which source based zones fall through to
+dnl interface based zones (including default zone). So make sure the zones are
+dnl sorted by name in this mode.
+dnl ##########################################################################
+dnl ##########################################################################
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf])
+FWD_RELOAD
+
+FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"])
+FWD_CHECK([-q --zone=public --add-source="20.20.20.20"])
+IF_HOST_SUPPORTS_IPV6_RULES([
+FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"])
+FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"])
+FWD_CHECK([-q --zone=foobar_012 --add-source ipset:ipsetv6])
+])
+FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2])
+
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT_ZONES_SOURCE {
+ ip saddr 10.1.1.1 goto filter_IN_foobar_00
+ ip6 saddr 1234:5678::1:1:1 goto filter_IN_foobar_00
+ ip saddr 10.1.1.0/24 goto filter_IN_foobar_01
+ ip6 saddr 1234:5678::1:1:0/112 goto filter_IN_foobar_01
+ ip saddr 10.10.10.10 goto filter_IN_foobar_010
+ ip6 saddr 1234:5678::10:10:10 goto filter_IN_foobar_010
+ ip saddr @ipsetv4 goto filter_IN_foobar_011
+ ip6 saddr @ipsetv6 goto filter_IN_foobar_012
+ ip saddr 10.1.0.0/16 goto filter_IN_foobar_02
+ ip6 saddr 1234:5678::1:0:0/96 goto filter_IN_foobar_02
+ ip saddr 10.2.2.0/24 goto filter_IN_foobar_03
+ ip6 saddr 1234:5678::2:2:0/112 goto filter_IN_foobar_03
+ ip saddr 10.2.0.0/16 goto filter_IN_foobar_04
+ ip6 saddr 1234:5678::2:0:0/96 goto filter_IN_foobar_04
+ ip saddr 10.0.0.0/8 goto filter_IN_foobar_05
+ ip6 saddr 1234:5678::/80 goto filter_IN_foobar_05
+ ip saddr 20.20.20.20 goto filter_IN_public
+ ip6 saddr 1234:5678::20:20:20 goto filter_IN_public
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT_ZONES {
+ iifname "foobar2" goto filter_IN_foobar_010
+ iifname "foobar1" goto filter_IN_trusted
+ iifname "foobar0" goto filter_IN_internal
+ goto filter_IN_public
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ ip daddr 10.1.1.1 goto nat_POST_foobar_00
+ ip daddr 10.1.1.0/24 goto nat_POST_foobar_01
+ ip daddr 10.10.10.10 goto nat_POST_foobar_010
+ ip daddr @ipsetv4 goto nat_POST_foobar_011
+ ip daddr 10.1.0.0/16 goto nat_POST_foobar_02
+ ip daddr 10.2.2.0/24 goto nat_POST_foobar_03
+ ip daddr 10.2.0.0/16 goto nat_POST_foobar_04
+ ip daddr 10.0.0.0/8 goto nat_POST_foobar_05
+ ip daddr 20.20.20.20 goto nat_POST_public
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES {
+ oifname "foobar2" goto nat_POST_foobar_010
+ oifname "foobar1" goto nat_POST_trusted
+ oifname "foobar0" goto nat_POST_internal
+ goto nat_POST_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ ip6 daddr 1234:5678::1:1:1 goto nat_POST_foobar_00
+ ip6 daddr 1234:5678::1:1:0/112 goto nat_POST_foobar_01
+ ip6 daddr 1234:5678::10:10:10 goto nat_POST_foobar_010
+ ip6 daddr @ipsetv6 goto nat_POST_foobar_012
+ ip6 daddr 1234:5678::1:0:0/96 goto nat_POST_foobar_02
+ ip6 daddr 1234:5678::2:2:0/112 goto nat_POST_foobar_03
+ ip6 daddr 1234:5678::2:0:0/96 goto nat_POST_foobar_04
+ ip6 daddr 1234:5678::/80 goto nat_POST_foobar_05
+ ip6 daddr 1234:5678::20:20:20 goto nat_POST_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING_ZONES {
+ oifname "foobar2" goto nat_POST_foobar_010
+ oifname "foobar1" goto nat_POST_trusted
+ oifname "foobar0" goto nat_POST_internal
+ goto nat_POST_public
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
+ [[IN_foobar_00 all -- 10.1.1.1 0.0.0.0/0 [goto]
+ IN_foobar_01 all -- 10.1.1.0/24 0.0.0.0/0 [goto]
+ IN_foobar_010 all -- 10.10.10.10 0.0.0.0/0 [goto]
+ IN_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 src
+ IN_foobar_02 all -- 10.1.0.0/16 0.0.0.0/0 [goto]
+ IN_foobar_03 all -- 10.2.2.0/24 0.0.0.0/0 [goto]
+ IN_foobar_04 all -- 10.2.0.0/16 0.0.0.0/0 [goto]
+ IN_foobar_05 all -- 10.0.0.0/8 0.0.0.0/0 [goto]
+ IN_public all -- 20.20.20.20 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
+ [[IN_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ IN_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0,
+ [[IN_foobar_00 all 1234:5678::1:1:1 ::/0 [goto]
+ IN_foobar_01 all 1234:5678::1:1:0/112 ::/0 [goto]
+ IN_foobar_010 all 1234:5678::10:10:10 ::/0 [goto]
+ IN_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 src
+ IN_foobar_02 all 1234:5678::1:0:0/96 ::/0 [goto]
+ IN_foobar_03 all 1234:5678::2:2:0/112 ::/0 [goto]
+ IN_foobar_04 all 1234:5678::2:0:0/96 ::/0 [goto]
+ IN_foobar_05 all 1234:5678::/80 ::/0 [goto]
+ IN_public all 1234:5678::20:20:20 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
+ [[IN_foobar_010 all ::/0 ::/0 [goto]
+ IN_trusted all ::/0 ::/0 [goto]
+ IN_internal all ::/0 ::/0 [goto]
+ IN_public all ::/0 ::/0 [goto]
+]])
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
+ [[POST_foobar_00 all -- 0.0.0.0/0 10.1.1.1 [goto]
+ POST_foobar_01 all -- 0.0.0.0/0 10.1.1.0/24 [goto]
+ POST_foobar_010 all -- 0.0.0.0/0 10.10.10.10 [goto]
+ POST_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 dst
+ POST_foobar_02 all -- 0.0.0.0/0 10.1.0.0/16 [goto]
+ POST_foobar_03 all -- 0.0.0.0/0 10.2.2.0/24 [goto]
+ POST_foobar_04 all -- 0.0.0.0/0 10.2.0.0/16 [goto]
+ POST_foobar_05 all -- 0.0.0.0/0 10.0.0.0/8 [goto]
+ POST_public all -- 0.0.0.0/0 20.20.20.20 [goto]
+]])
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+ [[POST_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ POST_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0,
+ [[POST_foobar_00 all ::/0 1234:5678::1:1:1 [goto]
+ POST_foobar_01 all ::/0 1234:5678::1:1:0/112 [goto]
+ POST_foobar_010 all ::/0 1234:5678::10:10:10 [goto]
+ POST_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 dst
+ POST_foobar_02 all ::/0 1234:5678::1:0:0/96 [goto]
+ POST_foobar_03 all ::/0 1234:5678::2:2:0/112 [goto]
+ POST_foobar_04 all ::/0 1234:5678::2:0:0/96 [goto]
+ POST_foobar_05 all ::/0 1234:5678::/80 [goto]
+ POST_public all ::/0 1234:5678::20:20:20 [goto]
+]])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+ [[POST_foobar_010 all ::/0 ::/0 [goto]
+ POST_trusted all ::/0 ::/0 [goto]
+ POST_internal all ::/0 ::/0 [goto]
+ POST_public all ::/0 ::/0 [goto]
+]])
+
+FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d'])
--
2.23.0


@ -1,328 +0,0 @@
From 9ffa72e5b9b3d36f8a2b52a3dcaac519f7f08b5e Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 29 Jan 2020 10:56:06 -0500
Subject: [PATCH 34/37] chore: test: retab some test cases
Replace leading tabs with spaces.
(cherry picked from commit 890d8a60893a0c3975b792bcbd3a6c65419a8e8c)
(cherry picked from commit 9b2609406c0f20681bc02f98b24091e8f509e26f)
---
src/tests/features/helpers_custom.at | 120 +++++++++++++--------------
src/tests/regression/gh453.at | 68 +++++++--------
src/tests/regression/rhbz1506742.at | 2 +-
src/tests/regression/rhbz1734765.at | 28 +++----
4 files changed, 109 insertions(+), 109 deletions(-)
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index bf673bd70b33..bd4b52cfb1d6 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -33,32 +33,32 @@ ftptest
FWD_CHECK([-q --add-service=ftptest])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
- table inet firewalld {
- chain filter_IN_public_allow {
- tcp dport 22 ct state new,untracked accept
- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
- tcp dport 9090 ct state new,untracked accept
- tcp dport 2121 ct helper set "helper-ftptest-tcp"
- tcp dport 2121 ct state new,untracked accept
- }
- }
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ tcp dport 2121 ct helper set "helper-ftptest-tcp"
+ tcp dport 2121 ct state new,untracked accept
+ }
+ }
])
IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
+ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
+ CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
dnl Same thing as above, but with the new "helper" in service.
@@ -90,32 +90,32 @@ ftptest
FWD_CHECK([-q --add-service=ftptest])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
- table inet firewalld {
- chain filter_IN_public_allow {
- tcp dport 22 ct state new,untracked accept
- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
- tcp dport 9090 ct state new,untracked accept
- tcp dport 2121 ct helper set "helper-ftptest-tcp"
- tcp dport 2121 ct state new,untracked accept
- }
- }
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ tcp dport 2121 ct helper set "helper-ftptest-tcp"
+ tcp dport 2121 ct state new,untracked accept
+ }
+ }
])
IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
+ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
+ CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
dnl again, but with both "module" and "helper"
@@ -128,38 +128,38 @@ FWD_RELOAD
FWD_CHECK([-q --add-service=ftptest])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
- table inet firewalld {
- chain filter_IN_public_allow {
- tcp dport 22 ct state new,untracked accept
- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
- tcp dport 9090 ct state new,untracked accept
- tcp dport 21 ct helper set "helper-ftp-tcp"
- tcp dport 2121 ct helper set "helper-ftptest-tcp"
- tcp dport 2121 ct state new,untracked accept
- tcp dport 21 ct state new,untracked accept
- }
- }
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ tcp dport 21 ct helper set "helper-ftp-tcp"
+ tcp dport 2121 ct helper set "helper-ftptest-tcp"
+ tcp dport 2121 ct state new,untracked accept
+ tcp dport 21 ct state new,untracked accept
+ }
+ }
])
IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 CT helper ftp
- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
+ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 CT helper ftp
+ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp ::/0 ::/0 tcp dpt:21 CT helper ftp
- CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
+ CT tcp ::/0 ::/0 tcp dpt:21 CT helper ftp
+ CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
FWD_END_TEST
diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at
index 6d820fce840a..61bc90aae673 100644
--- a/src/tests/regression/gh453.at
+++ b/src/tests/regression/gh453.at
@@ -8,50 +8,50 @@ FWD_CHECK([-q --set-automatic-helpers=no])
FWD_CHECK([-q --add-service=ftp])
NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-ftp-tcp"], 0, [m4_strip([dnl
- ct helper helper-ftp-tcp {
- type "ftp" protocol tcp
- l3proto inet
- }
+ ct helper helper-ftp-tcp {
+ type "ftp" protocol tcp
+ l3proto inet
+ }
])])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
- table inet firewalld {
- chain filter_IN_public_allow {
- tcp dport 22 ct state new,untracked accept
- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
- tcp dport 9090 ct state new,untracked accept
- tcp dport 21 ct helper set "helper-ftp-tcp"
- tcp dport 21 ct state new,untracked accept
- }
- }
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ tcp dport 21 ct helper set "helper-ftp-tcp"
+ tcp dport 21 ct state new,untracked accept
+ }
+ }
])
FWD_CHECK([-q --add-service=sip])
NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-sip-tcp"], 0, [m4_strip([dnl
- ct helper helper-sip-tcp {
- type "sip" protocol tcp
- l3proto inet
- }
+ ct helper helper-sip-tcp {
+ type "sip" protocol tcp
+ l3proto inet
+ }
])])
NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-sip-udp"], 0, [m4_strip([dnl
- ct helper helper-sip-udp {
- type "sip" protocol udp
- l3proto inet
- }
+ ct helper helper-sip-udp {
+ type "sip" protocol udp
+ l3proto inet
+ }
])])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
- table inet firewalld {
- chain filter_IN_public_allow {
- tcp dport 22 ct state new,untracked accept
- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
- tcp dport 9090 ct state new,untracked accept
- tcp dport 21 ct helper set "helper-ftp-tcp"
- tcp dport 21 ct state new,untracked accept
- tcp dport 5060 ct helper set "helper-sip-tcp"
- udp dport 5060 ct helper set "helper-sip-udp"
- tcp dport 5060 ct state new,untracked accept
- udp dport 5060 ct state new,untracked accept
- }
- }
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ tcp dport 21 ct helper set "helper-ftp-tcp"
+ tcp dport 21 ct state new,untracked accept
+ tcp dport 5060 ct helper set "helper-sip-tcp"
+ udp dport 5060 ct helper set "helper-sip-udp"
+ tcp dport 5060 ct state new,untracked accept
+ udp dport 5060 ct state new,untracked accept
+ }
+ }
])
FWD_END_TEST
diff --git a/src/tests/regression/rhbz1506742.at b/src/tests/regression/rhbz1506742.at
index 48b224731fbc..2ab4f1a9cef1 100644
--- a/src/tests/regression/rhbz1506742.at
+++ b/src/tests/regression/rhbz1506742.at
@@ -20,4 +20,4 @@ FWD_CHECK([-q --ipset=foobar --query-entry=1.2.3.4], 32, ignore, ignore)
FWD_CHECK([-q --ipset=foobar --remove-entries-from-file=foobar_entries.txt])
FWD_END_TEST([-e '/Error: IPSET_WITH_TIMEOUT/d' dnl
-e '/ERROR: IPSET_WITH_TIMEOUT/d' dnl
- -e '/WARNING: NOT_ENABLED/d'])
+ -e '/WARNING: NOT_ENABLED/d'])
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
index bb054bdb0361..b5023a058a55 100644
--- a/src/tests/regression/rhbz1734765.at
+++ b/src/tests/regression/rhbz1734765.at
@@ -44,22 +44,22 @@ FWD_CHECK([-q --permanent --zone=trusted --add-interface=foobar1])
FWD_RELOAD
NFT_LIST_SET([ipsetv4], 0, [dnl
- table inet firewalld {
- set ipsetv4 {
- type ipv4_addr
- flags interval
- elements = { 192.0.2.12 }
- }
- }
+ table inet firewalld {
+ set ipsetv4 {
+ type ipv4_addr
+ flags interval
+ elements = { 192.0.2.12 }
+ }
+ }
])
NFT_LIST_SET([ipsetv6], 0, [dnl
- table inet firewalld {
- set ipsetv6 {
- type ipv6_addr
- flags interval
- elements = { ::2 }
- }
- }
+ table inet firewalld {
+ set ipsetv6 {
+ type ipv6_addr
+ flags interval
+ elements = { ::2 }
+ }
+ }
])
FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"])
--
2.23.0


@ -0,0 +1,70 @@
From 4b2fecb2288fdd345f98890f9c801b1e4e2a5474 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 25 Jun 2020 16:42:36 +0200
Subject: [PATCH 34/45] fix: core: rich: Catch ValueError on non-numeric
priority values
Be a bit more user-friendly by printing:
| Error: INVALID_RULE: invalid 'priority' attribute value 'ab'.
instead of Python's default, which is:
| Error: invalid literal for int() with base 10: 'ab'
Fixes: rhbz 1689429
(cherry picked from commit 3a0e79b1cfe4344d21d30eb47c038252d728cc44)
(cherry picked from commit fa21382cc513cc0dba56ba085782a3e23c863afc)
---
src/firewall/core/rich.py | 5 ++++-
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1689429.at | 12 ++++++++++++
3 files changed, 17 insertions(+), 1 deletion(-)
create mode 100644 src/tests/regression/rhbz1689429.at
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index dacaeb9c0b70..eb4a2d2d9669 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -379,7 +379,10 @@ class Rich_Rule(object):
raise FirewallError(errors.INVALID_RULE, "'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead." % attr_value)
self.family = attr_value
elif attr_name == 'priority':
- self.priority = int(attr_value)
+ try:
+ self.priority = int(attr_value)
+ except ValueError:
+ raise FirewallError(errors.INVALID_RULE, "invalid 'priority' attribute value '%s'." % attr_value)
elif attr_name:
if attr_name == 'protocol':
err_msg = "wrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'."
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 984d299bfd4e..1c8f76afa87a 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -30,3 +30,4 @@ m4_include([regression/gh330.at])
m4_include([regression/gh599.at])
m4_include([regression/rhbz1829104.at])
m4_include([regression/rhbz1843398.at])
+m4_include([regression/rhbz1689429.at])
diff --git a/src/tests/regression/rhbz1689429.at b/src/tests/regression/rhbz1689429.at
new file mode 100644
index 000000000000..5701607d660f
--- /dev/null
+++ b/src/tests/regression/rhbz1689429.at
@@ -0,0 +1,12 @@
+FWD_START_TEST([rich rule invalid priority])
+AT_KEYWORDS(rich rhbz1689429)
+
+FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 122, [],
+ [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'.
+])
+FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 122, [],
+ [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'.
+])
+FWD_RELOAD
+
+FWD_END_TEST([ignore])
--
2.27.0
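Review bot: The new regression test ends with `FWD_END_TEST([ignore])`, which, going by the other uses of the macro on this page (a sed expression list that filters the daemon log before it is checked), appears to skip the log check entirely rather than filter it; a traceback or unexpected error logged by the daemon for the bad priority value would then pass unnoticed even though the CLI message is pinned. Unless the daemon legitimately logs the INVALID_RULE error for these commands, a plain `FWD_END_TEST` (or a targeted `-e '/INVALID_RULE/d'` filter) would be the stronger form. In the rich.py hunk the `except ValueError:` branch handles only the non-numeric case; nothing visible here bounds the parsed integer, so if the range is validated elsewhere in Rich_Rule a one-line comment at the assignment such as `# range is checked separately; only parse here` would tell the next reader where to look. The enclosing method of Rich_Rule starts and ends outside the hunk.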


@ -0,0 +1,55 @@
From 040621b36e72f63482cce6c4e4daefd8b982387c Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Tue, 23 Jun 2020 20:01:17 -0400
Subject: [PATCH 35/45] fix(cli): add --zone is an invalid option with --direct
Fixes: rhbz 1483921
(cherry picked from commit 303f85fc35d230f6e1980996020011dd8c0c2041)
(cherry picked from commit e946d8c8f4717d269b9ca785cf124d83de7b723e)
---
src/firewall-cmd.in | 3 +++
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1483921.at | 8 ++++++++
3 files changed, 12 insertions(+)
create mode 100644 src/tests/regression/rhbz1483921.at
diff --git a/src/firewall-cmd.in b/src/firewall-cmd.in
index 317da5eab6e4..014f3884d64b 100755
--- a/src/firewall-cmd.in
+++ b/src/firewall-cmd.in
@@ -962,6 +962,9 @@ if (a.direct and not options_direct) or (options_direct and not a.direct):
cmd.fail(parser.format_usage() +
"Wrong usage of 'direct' options.")
+if a.zone and a.direct:
+ cmd.fail(parser.format_usage() + "--zone is an invalid option with --direct")
+
if a.name and not (a.new_zone_from_file or a.new_service_from_file or \
a.new_ipset_from_file or a.new_icmptype_from_file or \
a.new_helper_from_file):
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 1c8f76afa87a..5241a11a830d 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -31,3 +31,4 @@ m4_include([regression/gh599.at])
m4_include([regression/rhbz1829104.at])
m4_include([regression/rhbz1843398.at])
m4_include([regression/rhbz1689429.at])
+m4_include([regression/rhbz1483921.at])
diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at
new file mode 100644
index 000000000000..d3dd60bc8faf
--- /dev/null
+++ b/src/tests/regression/rhbz1483921.at
@@ -0,0 +1,8 @@
+FWD_START_TEST([direct zone])
+ AT_KEYWORDS(direct rhbz1483921)
+
+ FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
+
+ FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
+FWD_END_TEST
+
--
2.27.0
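Review bot: Both `FWD_CHECK` calls in the new rhbz1483921.at pass `firewall-cmd` as the first word of the argument list, whereas every other `FWD_CHECK` on this page (for example `FWD_CHECK([-q --permanent --new-zone=foobar_00])` and `FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 122, ...)`) passes options only, so the macro presumably supplies the program itself. If that is the case, the command actually run is `firewall-cmd firewall-cmd --zone=public ...`, and the expected exit status 2 comes from the stray positional argument rather than from the new `if a.zone and a.direct:` check, while `ignore,ignore` hides which message was printed. Dropping the leading `firewall-cmd`, e.g. `FWD_CHECK([--zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore, ignore)`, and ideally matching the `--zone is an invalid option with --direct` text on stderr, would make the test exercise the change; the later patch on this page that renames this test ("better test name") keeps the same invocation and needs the same correction. The firewall-cmd.in hunk sits in module-level option handling whose surrounding conditions start and end outside the hunk.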


@ -1,43 +0,0 @@
From 25c8e71e0acea773b62f4772069b1c8b63257c3e Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 31 Jan 2020 12:24:54 -0500
Subject: [PATCH 35/37] improvement: translations: build target to merge from
master
This new target, merge-po, will automatically merge new translations
from the master branch. It's meant to be run only from the stable
branches.
(cherry picked from commit 8f5998c84dbb35edb477e1a98e274fd43b29bdcd)
(cherry picked from commit 3714754699df142c7ec88182603079286a41ef86)
---
Makefile.am | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 85da0b5857d2..72dc039b5591 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -118,6 +118,19 @@ update-po:
ls $(top_srcdir)/po/*.po | sed 's/.*\/po\///;s/.po//' > $(top_srcdir)/po/LINGUAS
$(MAKE) -C po update-po ${PACKAGE_NAME}.pot
+# This merges translations from the upstream master branch.
+# It's only meant to be used from the stable branches. Translations
+# contributions are only done against master.
+merge-po: update-po
+ git fetch -q https://github.com/firewalld/firewalld master; \
+ for po in $(top_srcdir)/po/*.po; do \
+ mv $${po} $${po}.old; \
+ git checkout -q FETCH_HEAD $${po}; \
+ msgcat --use-first -o $${po}.merged $${po} $${po}.old; \
+ mv $${po}.merged $${po}; \
+ git add $${po}; \
+ done
+
clean-po:
@for cat in `cat ${top_srcdir}/po/LINGUAS`; do \
msgattrib --translated --no-fuzzy --no-obsolete --force-po --no-location --clear-previous --strict $(top_srcdir)/po/$$cat.po -o $(top_srcdir)/po/$$cat.out; \
--
2.23.0



@ -0,0 +1,29 @@
From 23a0df223fdcb52b96aa0c68d5faabc5d645682d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 29 Jun 2020 14:48:00 -0400
Subject: [PATCH 36/45] test(rhbz1483921): better test name
Fixes: 303f85fc35d2 ("fix(cli): add --zone is an invalid option with --direct")
(cherry picked from commit a844f985f2d160b921ad65c87d91e795ef9a45cb)
(cherry picked from commit 48a97e77452dff84b542006f7e3a64434a993a48)
---
src/tests/regression/rhbz1483921.at | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at
index d3dd60bc8faf..97939919f9af 100644
--- a/src/tests/regression/rhbz1483921.at
+++ b/src/tests/regression/rhbz1483921.at
@@ -1,8 +1,7 @@
-FWD_START_TEST([direct zone])
+FWD_START_TEST([direct and zone mutually exclusive])
AT_KEYWORDS(direct rhbz1483921)
FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
FWD_END_TEST
-
--
2.27.0


@ -0,0 +1,71 @@
From 09b9f5a18dbe01d0d3ab9b0db721eadab5e38b35 Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Mon, 29 Jun 2020 17:34:46 -0400
Subject: [PATCH 37/45] fix(cli): add ipset type hash:mac is incompatible with
the family parameter Fixes: rhbz1541077
(cherry picked from commit dddba7b9c276e9c58f6c2bc554c82252fa084eaf)
(cherry picked from commit 15f5691f0dbffcc1d4c1f42e77e79c6600db0d77)
---
src/firewall-cmd.in | 3 +++
src/firewall-offline-cmd.in | 3 +++
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1541077.at | 9 +++++++++
4 files changed, 16 insertions(+)
create mode 100644 src/tests/regression/rhbz1541077.at
diff --git a/src/firewall-cmd.in b/src/firewall-cmd.in
index 014f3884d64b..b6c2f84f5a9e 100755
--- a/src/firewall-cmd.in
+++ b/src/firewall-cmd.in
@@ -1074,6 +1074,9 @@ if a.permanent:
if not a.type:
cmd.fail(parser.format_usage() + "No type specified.")
+ if a.type=='hash:mac' and a.family:
+ cmd.fail(parser.format_usage()+ "--family is not compatible with the hash:mac type")
+
settings = FirewallClientIPSetSettings()
settings.setType(a.type)
if a.option:
diff --git a/src/firewall-offline-cmd.in b/src/firewall-offline-cmd.in
index c0ad9ec8f64e..98c00548e3e5 100755
--- a/src/firewall-offline-cmd.in
+++ b/src/firewall-offline-cmd.in
@@ -1577,6 +1577,9 @@ try:
if not a.type:
cmd.fail(parser.format_usage() + "No type specified.")
+ if a.type=='hash:mac' and a.family:
+ cmd.fail(parser.format_usage() + "--family is not compatible with the hash:mac type")
+
settings = FirewallClientIPSetSettings()
settings.setType(a.type)
if a.option:
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 5241a11a830d..5c8aae7e64d3 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -32,3 +32,4 @@ m4_include([regression/rhbz1829104.at])
m4_include([regression/rhbz1843398.at])
m4_include([regression/rhbz1689429.at])
m4_include([regression/rhbz1483921.at])
+m4_include([regression/rhbz1541077.at])
diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at
new file mode 100644
index 000000000000..765ab0c6290b
--- /dev/null
+++ b/src/tests/regression/rhbz1541077.at
@@ -0,0 +1,9 @@
+FWD_START_TEST([hash:mac and family mutually exclusive])
+ AT_KEYWORDS(ipset rhbz1541077)
+
+ FWD_CHECK([firewall-cmd --permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
+
+ FWD_CHECK([firewall-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
+
+ FWD_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
+FWD_END_TEST
--
2.27.0
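Review bot: The new hash:mac/--family rejection lives only in the two CLI front ends (the `if a.type=='hash:mac' and a.family:` checks in firewall-cmd.in and firewall-offline-cmd.in), so a D-Bus client filling in a FirewallClientIPSetSettings directly, or an ipset XML dropped into /etc/firewalld/ipsets, would presumably still get through unless the IPSet object's own validation also rejects the combination — worth confirming and, if it does not, adding the same check there so every entry path agrees. The regression test only drives the CLIs and would not catch that gap. Minor style point: `a.type=='hash:mac'` and `parser.format_usage()+ "..."` are spaced unlike the surrounding `cmd.fail(parser.format_usage() + "...")` calls; `if a.type == 'hash:mac' and a.family:` and `cmd.fail(parser.format_usage() + "--family is not compatible with the hash:mac type")` would match.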


@ -1,102 +0,0 @@
From e5cf566becc7ffa01e0339e95b20469993af8d2b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 3 Feb 2020 08:38:57 -0500
Subject: [PATCH 37/39] improvement: check-container: use docker build
This is so we can have intermediate images and make use of the cache.
Avoids rebuilding the container every time.
(cherry picked from commit a7fead65d6920c26df5f2a12e53bb8eb5a752ee6)
(cherry picked from commit b79b8a58ffc8ab24d8c0a8e61598452b3407b80f)
---
src/tests/Makefile.am | 65 ++++++++++++++++++++++---------------------
1 file changed, 33 insertions(+), 32 deletions(-)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index bf028c7c5389..c01ee682c0b2 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -46,47 +46,48 @@ $(TESTSUITE) $(TESTSUITE_INTEGRATION): $(TESTSUITE_FILES) $(srcdir)/package.m4
$(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at
mv $@.tmp $@
-check-container-debian-sid:
- (cd $(abs_top_srcdir) && tar -c . ) | \
- $(PODMAN) run -i --rm --privileged debian:sid bash -c \
- "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \
- apt-get update && \
- apt-get install -y autoconf automake pkg-config intltool libglib2.0-dev \
- xsltproc docbook-xsl docbook-xml iptables ipset ebtables \
- nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \
- python3-dbus python3-gi python3-slip-dbus python3-nftables \
- procps network-manager gir1.2-nm-1.0 && \
- apt-get install -y libnftables-dev && \
- ./autogen.sh && \
- ./configure PYTHON=/usr/bin/python3 && \
- make && \
- make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \
- make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" "
+CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide
+
+check-container-debian-sid-image: check-container-%-image:
+ (cd $(abs_top_srcdir) && { \
+ echo "FROM debian:sid" && \
+ echo "RUN apt-get update" && \
+ echo "RUN apt-get install -y autoconf automake pkg-config intltool libglib2.0-dev \
+ xsltproc docbook-xsl docbook-xml iptables ipset ebtables \
+ nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \
+ python3-dbus python3-gi python3-slip-dbus python3-nftables \
+ procps network-manager gir1.2-nm-1.0" && \
+ echo "COPY . /tmp/firewalld"; \
+ } | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
+
+check-container-fedora-rawhide-image: check-container-%-image:
+ (cd $(abs_top_srcdir) && { \
+ echo "FROM fedora:rawhide" && \
+ echo "RUN dnf -y makecache" && \
+ echo "RUN dnf -y install autoconf automake conntrack-tools desktop-file-utils \
+ docbook-style-xsl file gettext glib2-devel intltool ipset \
+ iptables iptables-nft libtool libxml2 libxslt make nftables \
+ python3-nftables python3-slip-dbus python3-gobject-base \
+ diffutils procps-ng iproute which dbus-daemon \
+ NetworkManager" && \
+ echo "RUN alternatives --set ebtables /usr/sbin/ebtables-nft" && \
+ echo "COPY . /tmp/firewalld"; \
+ } | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
-check-container-fedora-rawhide:
- (cd $(abs_top_srcdir) && tar -c . ) | \
- $(PODMAN) run -i --rm --privileged fedora:rawhide bash -c \
- "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \
- dnf -y makecache && \
- dnf -y install autoconf automake conntrack-tools desktop-file-utils \
- docbook-style-xsl file gettext glib2-devel intltool ipset \
- iptables iptables-nft libtool libxml2 libxslt make nftables \
- python3-nftables python3-slip-dbus python3-gobject-base \
- diffutils procps-ng iproute which dbus-daemon \
- NetworkManager && \
- alternatives --set ebtables /usr/sbin/ebtables-nft && \
+$(CONTAINER_TARGETS): check-container-%: check-container-%-image
+ $(PODMAN) run -i --rm --privileged firewalld-testsuite-$* bash -c " \
+ cd /tmp/firewalld && \
./autogen.sh && \
./configure PYTHON=/usr/bin/python3 && \
make && \
make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \
make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" "
+ $(PODMAN) rmi firewalld-testsuite-$*
-check-container: check-container-debian-sid
-check-container: check-container-fedora-rawhide
+check-container: $(CONTAINER_TARGETS)
.PHONY: check-container
-.PHONY: check-container-debian-sid
-.PHONY: check-container-fedora-rawhide
+.PHONY: $(CONTAINER_TARGETS) $(foreach container,$(CONTAINER_TARGETS),$(container)-image)
check-integration: atconfig atlocal $(TESTSUITE_INTEGRATION)
$(SHELL) '$(TESTSUITE_INTEGRATION)' $(TESTSUITEFLAGS) \
--
2.23.0

View File

@ -0,0 +1,42 @@
From 15989f86b18c99d79b342e78a2c3bd26c4973868 Mon Sep 17 00:00:00 2001
From: Vladislav Grigoryev <20725816+vgaetera@users.noreply.github.com>
Date: Tue, 23 Jun 2020 13:34:40 +0300
Subject: [PATCH 38/45] fix(cli): unify indentation for forward-ports and rich
rules
Unify indentation for forward-ports and rich rules in the CLI zone listing.
Do not insert redundant newlines when there are no forward-ports or rich rules.
(cherry picked from commit 41df4088cd98f35adb3ac836143e7be34bb07a21)
(cherry picked from commit 809fc4b61321cd459dde65559af3dfbd73f4ce1e)
---
src/firewall/command.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/firewall/command.py b/src/firewall/command.py
index c371dc23584c..8dee63bdda8f 100644
--- a/src/firewall/command.py
+++ b/src/firewall/command.py
@@ -428,7 +428,7 @@ class FirewallCommand(object):
for port in ports]))
self.print_msg(" protocols: " + " ".join(sorted(protocols)))
self.print_msg(" masquerade: %s" % ("yes" if masquerade else "no"))
- self.print_msg(" forward-ports: " +
+ self.print_msg(" forward-ports: " + ("\n\t" if forward_ports else "") +
"\n\t".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % \
(port, proto, toport, toaddr)
for (port, proto, toport, toaddr) in \
@@ -437,8 +437,8 @@ class FirewallCommand(object):
" ".join(["%s/%s" % (port[0], port[1])
for port in source_ports]))
self.print_msg(" icmp-blocks: " + " ".join(icmp_blocks))
- self.print_msg(" rich rules: \n\t" + "\n\t".join(
- sorted(rules, key=rich_rule_sorted_key)))
+ self.print_msg(" rich rules: " + ("\n\t" if rules else "") +
+ "\n\t".join(sorted(rules, key=rich_rule_sorted_key)))
def print_service_info(self, service, settings):
ports = settings.getPorts()
--
2.27.0


@ -1,39 +0,0 @@
From e84f00aee61d5055c2da2c9c1aff683f20b84f56 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Feb 2020 13:12:31 -0500
Subject: [PATCH 38/39] fix: firewall-offline-cmd: Don't print warning about
AllowZoneDrifting
If we're called from firewall-offline-cmd, don't log the warning. It's
overly verbose to warn on every invocation.
Fixes: afadd377b09d ("feat: AllowZoneDrifting config option")
(cherry picked from commit eefcb1a712ffca5e08dcefa6aa17c935c16b835f)
(cherry picked from commit ba1f1a744ca543b4e9359ab26b4b1f9ff70fcb64)
---
src/firewall/core/fw.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 6206ed586988..ebadd6cce20e 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -293,10 +293,11 @@ class Firewall(object):
self._allow_zone_drifting = False
else:
self._allow_zone_drifting = True
- log.warning("AllowZoneDrifting is enabled. This is considered "
- "an insecure configuration option. It will be "
- "removed in a future release. Please consider "
- "disabling it now.")
+ if not self._offline:
+ log.warning("AllowZoneDrifting is enabled. This is considered "
+ "an insecure configuration option. It will be "
+ "removed in a future release. Please consider "
+ "disabling it now.")
log.debug1("AllowZoneDrifting is set to '%s'",
self._allow_zone_drifting)
--
2.23.0


@ -0,0 +1,40 @@
From 13442af85c144da1eff00cf193db118eb9afb498 Mon Sep 17 00:00:00 2001
From: Paul Wouters <pwouters@redhat.com>
Date: Mon, 6 Jul 2020 20:43:05 -0400
Subject: [PATCH 39/45] improvement(service): IPsec: Update description and add
TCP port 4500
IKE and IPsec over TCP is defined in RFC 8229. It specifically mentions
no ports to allow administrators to configure any port to prevent being
blocked by networks.
However, most IKE/IPsec blocking seems to come from unwanted accidental
UDP blocks, so any TCP would usually ensures IPsec can still work on
such networks. The default is therefor to pick the same TCP port as IKE
and IPsec over UDP uses, port 4500.
(cherry picked from commit 8c4fb4f658719cfb58bacae9e6e82c8e82c3465d)
(cherry picked from commit 0e2733a5b052a4a1d5e1f6f34bca1ff3760948f1)
---
config/services/ipsec.xml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/services/ipsec.xml b/config/services/ipsec.xml
index 9e70acb40003..824f1f3e539f 100644
--- a/config/services/ipsec.xml
+++ b/config/services/ipsec.xml
@@ -1,9 +1,10 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>IPsec</short>
- <description>Internet Protocol Security (IPsec) incorporates security for network transmissions directly into the Internet Protocol (IP). IPsec provides methods for both encrypting data and authentication for the host or network it sends to. If you plan to use a vpnc server or FreeS/WAN, do not disable this option.</description>
+ <description>Internet Protocol Security (IPsec) is the standarized IETF VPN architecture defined in RFC 4301. IPsec is negotiated using the IKEv1 (RFC 2409) or IKEv2 (RFC 7296) protocol, which in itself uses encryption and authentication. IPsec provides Internet Protocol (IP) packet encryption and authentication. Both IKE and IPsec can be encapsulated in UDP (RFC 3948) or TCP (RFC 8229 to make it easier to traverse NAT. Enabling this service will enable IKE, IPsec and their encapsulation protocols and ports. Note that IKE and IPsec can also be configured to use non-default ports, but this is not common practise.</description>
<port protocol="ah" port=""/>
<port protocol="esp" port=""/>
<port protocol="udp" port="500"/>
<port protocol="udp" port="4500"/>
+ <port protocol="tcp" port="4500"/>
</service>
--
2.27.0
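Review bot: The new description has a typo and an unbalanced parenthesis — "standarized" and "(RFC 8229 to make it easier to traverse NAT." — and "practise" is the verb form; that sentence should read `Both IKE and IPsec can be encapsulated in UDP (RFC 3948) or TCP (RFC 8229) to make it easier to traverse NAT.` with "standardized" and "common practice" elsewhere. Beyond wording, adding `<port protocol="tcp" port="4500"/>` to an existing service changes what every host that already enabled `ipsec` exposes after this update, whether or not its IKE daemon does TCP encapsulation; firewalld cannot know that, so it deserves a changelog entry, and the description could say that administrators who do not use TCP encapsulation can keep a local copy of the service without the TCP port.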


@ -1,123 +0,0 @@
From 8d899360b8cd33962fa0b73cc17d2b8bb7710252 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 19 Feb 2020 09:48:01 -0500
Subject: [PATCH] doc: direct: add CAVEATS section
This basically covers issues/questions users have been asking about
direct rules and the nftables backend.
Fixes: #555
Fixes: rhbz 1692964
(cherry picked from commit dbcba0433b9986b6da2172bc9a826836af2be9b0)
(cherry picked from commit 0e826f0681da9917f29f26cfdd881f490a210f31)
---
doc/xml/firewall-cmd.xml.in | 3 ++
doc/xml/firewall-offline-cmd.xml | 3 ++
doc/xml/firewalld.direct.xml | 63 ++++++++++++++++++++++++++++++++
3 files changed, 69 insertions(+)
diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
index 3562b4cc7fdc..be65d61166c2 100644
--- a/doc/xml/firewall-cmd.xml.in
+++ b/doc/xml/firewall-cmd.xml.in
@@ -1810,6 +1810,9 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
<para>
Direct options should be used only as a last resort when it's not possible to use for example <option>--add-service</option>=<replaceable>service</replaceable> or <option>--add-rich-rule</option>='<replaceable>rule</replaceable>'.
</para>
+ <para>
+ <emphasis role="bold">Warning</emphasis>: Direct rules behavior is different depending on the value of <literal>FirewallBackend</literal>. See <literal>CAVEATS</literal> in <citerefentry><refentrytitle>firewalld.direct</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
<para>
The first argument of each option has to be <literal>ipv4</literal> or <literal>ipv6</literal> or <literal>eb</literal>. With <literal>ipv4</literal> it will be for IPv4 (<citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>), with <literal>ipv6</literal> for IPv6 (<citerefentry><refentrytitle>ip6tables</refentrytitle><manvolnum>8</manvolnum></citerefentry>) and with <literal>eb</literal> for ethernet bridges (<citerefentry><refentrytitle>ebtables</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
</para>
diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
index eb2fd75e231c..16159748aea0 100644
--- a/doc/xml/firewall-offline-cmd.xml
+++ b/doc/xml/firewall-offline-cmd.xml
@@ -1784,6 +1784,9 @@
<para>
Direct options should be used only as a last resort when it's not possible to use for example <option>--add-service</option>=<replaceable>service</replaceable> or <option>--add-rich-rule</option>='<replaceable>rule</replaceable>'.
</para>
+ <para>
+ <emphasis role="bold">Warning</emphasis>: Direct rules behavior is different depending on the value of <literal>FirewallBackend</literal>. See <literal>CAVEATS</literal> in <citerefentry><refentrytitle>firewalld.direct</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
<para>
The first argument of each option has to be <literal>ipv4</literal> or <literal>ipv6</literal> or <literal>eb</literal>. With <literal>ipv4</literal> it will be for IPv4 (<citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>), with <literal>ipv6</literal> for IPv6 (<citerefentry><refentrytitle>ip6tables</refentrytitle><manvolnum>8</manvolnum></citerefentry>) and with <literal>eb</literal> for ethernet bridges (<citerefentry><refentrytitle>ebtables</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
</para>
diff --git a/doc/xml/firewalld.direct.xml b/doc/xml/firewalld.direct.xml
index d4e5cd74d590..de7b5973dd7f 100644
--- a/doc/xml/firewalld.direct.xml
+++ b/doc/xml/firewalld.direct.xml
@@ -206,6 +206,69 @@
</refsect1>
+ <refsect1 id="caveats">
+ <title>Caveats</title>
+
+ <para>
+ Depending on the value of <literal>FirewallBackend</literal> (see <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) direct rules behave differently in some scenarios.
+ </para>
+ <refsect2 id="Packet accept/drop precedence">
+ <title>Packet accept/drop precedence</title>
+ <para>
+ Due to implementation details of netfilter inside the kernel, if <literal>FirewallBackend=nftables</literal> is used direct rules that <literal>ACCEPT</literal> packets don't actually cause the packets to be immediately accepted by the system. Those packets are still be subject to firewalld's nftables ruleset. This basically means there are two independent firewalls and packets must be accepted by both (iptables and nftables). As an aside, this scenario also occurs inside of nftables (again due to netfilter) if there are multiple chains attached to the same hook - it's not as simple as iptables vs nftables.
+ </para>
+ <para>
+ There are a handful of options to workaround the <literal>ACCEPT</literal> issue:
+ </para>
+ <orderedlist>
+ <listitem><para>Rich Rules</para>
+ <para>
+ If a rich rule can be used, then they should always be preferred over direct rules. Rich Rules will be converted to the enabled <literal>FirewallBackend</literal>. See <citerefentry><refentrytitle>firewalld.richlanguage</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ <listitem><para>Blanket Accept</para>
+ <para>
+ Users can add an explicit accept to the nftables ruleset. This can be done by adding the interface or source to the <literal>trusted</literal> zone.
+ </para>
+ <para>
+ This strategy is often employed by things that perform their own filtering such as: libvirt, podman, docker.
+ </para>
+ <para>
+ <emphasis role="bold">Warning</emphasis>: This means firewalld will do no filtering on these packets. It must all be done via direct rules or out-of-band iptables rules.
+ </para>
+ </listitem>
+ <listitem><para>Selective Accept</para>
+ <para>
+ Alternatively, enable only the relevant service, port, address, or otherwise in the appropriate zone.
+ </para>
+ </listitem>
+ <listitem><para>Revert to the iptables backend</para>
+ <para>
+ A last resort is to revert to the iptables backend by setting <literal>FirewallBackend=iptables</literal>. Users should be aware that firewalld development focuses on the nftables backend.
+ </para>
+ </listitem>
+ </orderedlist>
+
+ <para>
+ For direct rules that <literal>DROP</literal> packets the packets are immediately dropped regardless of the value of <literal>FirewallBackend</literal>. As such, there is no special consideration needed.
+ </para>
+
+ <para>
+ Firewalld guarantees the above ACCEPT/DROP behavior by registering nftables hooks with a lower precedence than iptables hooks.
+ </para>
+ </refsect2>
+
+ <refsect2 id="Direct interface precedence">
+ <title>Direct interface precedence</title>
+ <para>
+ With <literal>FirewallBackend=iptables</literal> firewalld's top-level internal rules apply before direct rules are executed. This includes rules to accept existing connections. In the past this has surprised users. As an example, if a user adds a direct rule to drop traffic on destination port 22 existing SSH sessions would continue to function, but new connections would be denied.
+ </para>
+ <para>
+ With <literal>FirewallBackend=nftables</literal> direct rules were deliberately given a higher precedence than all other firewalld rules. This includes rules to accept existing connections.
+ </para>
+ </refsect2>
+ </refsect1>
+
<refsect1 id="example">
<title>Example</title>
--
2.23.0


@ -0,0 +1,30 @@
From f32a3617acd884f0a1af8e648fe09fa17ac24193 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 21 Jul 2020 15:33:37 -0400
Subject: [PATCH 40/45] fix(rich): nftables: log level "warning"
nftables wants the "warn" keyword not "warning".
(cherry picked from commit f622e65783c4d9f6969701a799d13cb8486d1c0f)
(cherry picked from commit 995cde22cced261c558ecad523befe62eb878d05)
---
src/firewall/core/nftables.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 97b1cd9f7f1e..85c790b5b51e 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -993,7 +993,8 @@ class nftables(object):
if rich_rule.log.prefix:
log_options["prefix"] = "%s" % rich_rule.log.prefix
if rich_rule.log.level:
- log_options["level"] = "%s" % rich_rule.log.level
+ level = "warn" if "warning" == rich_rule.log.level else rich_rule.log.level
+ log_options["level"] = "%s" % level
rule = {"family": "inet",
"table": TABLE_NAME,
--
2.27.0
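Review bot: The translation covers only "warning", but nft's log statement also spells the error level `err` rather than `error`; if the rich language accepts "error" as firewalld.richlanguage(5) documents, a rule with `log level="error"` would presumably still fail against the nftables backend for the same reason this hunk fixes. A small table handles both and is easier to extend: `level = {"warning": "warn", "error": "err"}.get(rich_rule.log.level, rich_rule.log.level)`. A one-line comment such as `# nft log levels use the syslog short names (warn, err), not firewalld's` would explain why the mapping exists. The enclosing method starts and ends outside the hunk.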


@ -0,0 +1,85 @@
From 5acbdc31a56f4b680323ba7aa92383da9e9f25fa Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 22 Jul 2020 09:18:42 -0400
Subject: [PATCH 41/45] fix(rich): icmptypes with one family
They were mistakenly being added to both families which fails.
Fixes: rhbz 1855140
(cherry picked from commit 0112e36c4e225504b15a1feef3d453a757a00b21)
(cherry picked from commit bd61af7db6f92d48a79fb1e84405aef4f522ffbf)
---
src/firewall/core/fw_zone.py | 26 +++++++++++---------------
src/firewall/core/nftables.py | 2 +-
2 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 5677effab146..b9fe1f6aae97 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1522,14 +1522,17 @@ class FirewallZone(object):
transaction.add_rules(backend, rules)
def _rule_prepare(self, enable, zone, rule, transaction):
- if rule.family is not None:
+ ipvs = []
+ if rule.family:
ipvs = [ rule.family ]
- else:
- ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
+ elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)):
+ ict = self._fw.icmptype.get_icmptype(rule.element.name)
+ if ict.destination:
+ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination]
source_ipv = self._rule_source_ipv(rule.source)
- if source_ipv is not None and source_ipv != "":
- if rule.family is not None:
+ if source_ipv:
+ if rule.family:
# rule family is defined by user, no way to change it
if rule.family != source_ipv:
raise FirewallError(errors.INVALID_RULE,
@@ -1538,6 +1541,9 @@ class FirewallZone(object):
# use the source family as rule family
ipvs = [ source_ipv ]
+ if not ipvs:
+ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
+
# add an element to object to allow backends to know what ipvs this applies to
rule.ipvs = ipvs
@@ -1699,16 +1705,6 @@ class FirewallZone(object):
# icmp block might have reject or drop action, but not accept
raise FirewallError(errors.INVALID_RULE,
"IcmpBlock not usable with accept action")
- if ict.destination:
- for ipv in ipvs:
- if ipv in ict.destination \
- and not backend.is_ipv_supported(ipv):
- raise FirewallError(
- errors.INVALID_RULE,
- "Icmp%s %s not usable with %s" % \
- ("Block" if type(rule.element) == \
- Rich_IcmpBlock else "Type",
- rule.element.name, backend.name))
table = "filter"
if enable:
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 85c790b5b51e..0198200b2372 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1383,7 +1383,7 @@ class nftables(object):
return ICMP_TYPES_FRAGMENTS[ipv][icmp_type]
else:
raise FirewallError(INVALID_ICMPTYPE,
- "ICMP type '%s' not supported by %s" % (icmp_type, self.name))
+ "ICMP type '%s' not supported by %s for %s" % (icmp_type, self.name, ipv))
def build_zone_icmp_block_rules(self, enable, zone, ict, rich_rule=None):
table = "filter"
--
2.27.0
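Review bot: In the new `elif` branch of `_rule_prepare`, `ipvs` is taken from `ict.destination` without the `self._fw.is_ipv_enabled(ipv)` filter that the generic fallback a few lines below still applies, so an icmptype whose destination lists a family that is disabled on this host is now handed to the backend for that family instead of being skipped. Filtering with `ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination and self._fw.is_ipv_enabled(ipv)]` keeps the two paths consistent, but an empty result would then fall into the both-families fallback, so that case should instead raise `FirewallError(errors.INVALID_RULE, ...)` explicitly. `get_icmptype` is presumably expected to raise for an unknown name; if it can return None the `ict.destination` access becomes an AttributeError, so confirm. The enclosing method `_rule_prepare` starts and ends outside the hunk.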


@ -0,0 +1,68 @@
From 210a2580e405a852b5b64da99e6fead6a0d9e069 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Aug 2020 11:59:04 -0400
Subject: [PATCH 42/45] test(rich): icmptypes with one family
Coverage for rhbz 1855140.
(cherry picked from commit 87ec14dddd742ff5fd8cce04e68c8bf9db8237e9)
(cherry picked from commit d5e74f5c4feb4a6ce060c2ded30f67a0fbe44865)
---
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1855140.at | 35 +++++++++++++++++++++++++++++
2 files changed, 36 insertions(+)
create mode 100644 src/tests/regression/rhbz1855140.at
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 5c8aae7e64d3..d7b4d56239d1 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -33,3 +33,4 @@ m4_include([regression/rhbz1843398.at])
m4_include([regression/rhbz1689429.at])
m4_include([regression/rhbz1483921.at])
m4_include([regression/rhbz1541077.at])
+m4_include([regression/rhbz1855140.at])
diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
new file mode 100644
index 000000000000..8059e29fe71a
--- /dev/null
+++ b/src/tests/regression/rhbz1855140.at
@@ -0,0 +1,35 @@
+FWD_START_TEST([rich rule icmptypes with one family])
+AT_KEYWORDS(rich icmp rhbz1855140)
+
+FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
+FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
+FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
+FWD_RELOAD
+NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ icmp type echo-request accept
+ icmpv6 type echo-request accept
+ icmpv6 type nd-neighbor-advert accept
+ icmp type timestamp-request accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
+ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
+])
+IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
+ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136
+])
+
+FWD_END_TEST
--
2.27.0


@ -0,0 +1,59 @@
From d76d54277bc51398f7aa20b3dce0863e3520810b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 29 Jul 2020 15:18:38 -0400
Subject: [PATCH 43/45] fix(LastUpdatedOrderedDict): __getitem__(): fetch from
list if int
If the LastUpdatedOrderedDict contains a boolean key, e.g.
myLastUpdatedOrderedDict = LastUpdatedOrderedDict()
myLastUpdatedOrderedDic[True] = "true"
then
myLastUpdatedOrderedDic[1]
yields "true". As such, using the LastUpdatedOrderedDict as an iterable
e.g.
for foo in myLastUpdatedOrderedDict:
...
would mean that the for loop tries integer indexes 0 (returns key True),
and then 1 (also returns key True). This caused duplicate walks of a key
True if it was the first key in the LastUpdatedOrderedDict.
This occurs because
>>> True == 1
True
>>> False == 0
True
(cherry picked from commit 55754b65be6eaa697382992679e6673346e39f78)
(cherry picked from commit 1561dbc6c2b8f8f7f27b89810a8dda9b869b1923)
---
src/firewall/fw_types.py | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/firewall/fw_types.py b/src/firewall/fw_types.py
index 07c69c61702f..3d90c1812aec 100644
--- a/src/firewall/fw_types.py
+++ b/src/firewall/fw_types.py
@@ -54,10 +54,10 @@ class LastUpdatedOrderedDict(object):
self._dict[key] = value
def __getitem__(self, key):
- if key in self._dict:
- return self._dict[key]
- else:
+ if type(key) == int:
return self._list[key]
+ else:
+ return self._dict[key]
def __len__(self):
return len(self._list)
--
2.27.0
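Review bot: `type(key) == int` is doing deliberate work here — `isinstance(key, int)` would be true for bool and reintroduce the duplicate-walk bug the message describes — but nothing in the code says so, and a later linter-driven cleanup is likely to "fix" it; a comment such as `# type(), not isinstance(): bool is an int subclass and must stay a dict key` on that line would protect it. The trade-off should be recorded too: a genuine int key stored via `__setitem__` is now unreachable through `__getitem__` (it is treated as a position instead), so the class docstring or a comment should state that integer keys are not supported. If no caller relies on them, raising `TypeError` for int keys in `__setitem__` would make that contract explicit rather than silently surprising.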


@ -0,0 +1,35 @@
From 38eec50b2a48b586b4dcceb03f119be967690c79 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Aug 2020 12:07:24 -0400
Subject: [PATCH 44/45] test(regression/rhbz1483921): correctly use macros
"firewall-cmd" is implicit in the macro. Specifying it will result in
CLI parse failure.
Fixes: 303f85fc35d2 ("fix(cli): add --zone is an invalid option with --direct")
(cherry picked from commit 0b8a2554463cfb96e17fbd31b8cbf4f6235e8625)
(cherry picked from commit bf6e1b8c1943166c60b9df25ae424e635ba23253)
---
src/tests/regression/rhbz1483921.at | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at
index 97939919f9af..4536615318eb 100644
--- a/src/tests/regression/rhbz1483921.at
+++ b/src/tests/regression/rhbz1483921.at
@@ -1,7 +1,8 @@
FWD_START_TEST([direct and zone mutually exclusive])
- AT_KEYWORDS(direct rhbz1483921)
+AT_KEYWORDS(direct rhbz1483921)
+
+FWD_CHECK([--zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, [ignore], [ignore])
+
+FWD_CHECK([--zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, [ignore], [ignore])
- FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
-
- FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore)
FWD_END_TEST
--
2.27.0


@ -0,0 +1,37 @@
From 025b24b137cfe8c9ef7145848764f0051084df71 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Aug 2020 12:11:16 -0400
Subject: [PATCH 45/45] test(regression/rhbz1541077): correctly use macros
"firewall-cmd" is implicit in the macro. Specifying it will result in
CLI parse failure.
Fixes: dddba7b9c276 ("fix(cli): add ipset type hash:mac is incompatible with the family parameter")
(cherry picked from commit 6e279ef6517a1ee4e2f9ac60922e8ddac8b096b7)
(cherry picked from commit a9976e7165a5b88eedc30357250add8e690210f1)
---
src/tests/regression/rhbz1541077.at | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at
index 765ab0c6290b..692ca8ecc892 100644
--- a/src/tests/regression/rhbz1541077.at
+++ b/src/tests/regression/rhbz1541077.at
@@ -1,9 +1,9 @@
FWD_START_TEST([hash:mac and family mutually exclusive])
- AT_KEYWORDS(ipset rhbz1541077)
+AT_KEYWORDS(ipset rhbz1541077)
- FWD_CHECK([firewall-cmd --permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
-
- FWD_CHECK([firewall-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
+FWD_CHECK([--permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+FWD_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+
+AT_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
- FWD_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore)
FWD_END_TEST
--
2.27.0


@ -0,0 +1,49 @@
From 32de2767e869970877c19c8919e37de375351bc1 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 6 Aug 2020 08:24:02 -0400
Subject: [PATCH] fix(rich): use correct error code for invalid priority
Fixes: 3a0e79b1cfe4 ("fix: core: rich: Catch ValueError on non-numeric priority values")
(cherry picked from commit e1562ba92caec988c7cf397b2fa77b8d41592c7e)
(cherry picked from commit 5a4e35317a32422dec4acffc845a6651f65680da)
---
src/firewall/core/rich.py | 2 +-
src/tests/regression/rhbz1689429.at | 8 ++++----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index eb4a2d2d9669..86c0c998a478 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -382,7 +382,7 @@ class Rich_Rule(object):
try:
self.priority = int(attr_value)
except ValueError:
- raise FirewallError(errors.INVALID_RULE, "invalid 'priority' attribute value '%s'." % attr_value)
+ raise FirewallError(errors.INVALID_PRIORITY, "invalid 'priority' attribute value '%s'." % attr_value)
elif attr_name:
if attr_name == 'protocol':
err_msg = "wrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'."
diff --git a/src/tests/regression/rhbz1689429.at b/src/tests/regression/rhbz1689429.at
index 5701607d660f..9157c9544ffc 100644
--- a/src/tests/regression/rhbz1689429.at
+++ b/src/tests/regression/rhbz1689429.at
@@ -1,11 +1,11 @@
FWD_START_TEST([rich rule invalid priority])
AT_KEYWORDS(rich rhbz1689429)
-FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 122, [],
- [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'.
+FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 139, [],
+ [Error: INVALID_PRIORITY: invalid 'priority' attribute value 'foo'.
])
-FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 122, [],
- [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'.
+FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 139, [],
+ [Error: INVALID_PRIORITY: invalid 'priority' attribute value 'foo'.
])
FWD_RELOAD
--
2.27.0

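Review bot: The switch from `errors.INVALID_RULE` to `errors.INVALID_PRIORITY` in rich.py changes the CLI exit status for an existing input (122 to 139, as the rhbz1689429.at hunk shows), which is a user-visible contract change that scripts checking the return code may depend on; it deserves an explicit changelog line in the spec rather than being folded into "plus additional upstream stable fixes". A brief comment on the new raise, `# INVALID_PRIORITY (139) rather than INVALID_RULE (122): callers can distinguish a bad priority from other rule errors`, would also record the intent for the next reader. The enclosing `Rich_Rule` method starts outside the hunk, so whether other attribute-parsing branches in the same method still raise INVALID_RULE for analogous failures cannot be judged from here.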

@ -0,0 +1,55 @@
From cd284a0cacb0e9c1b75a7651b83848dd51e52ffd Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 7 Aug 2020 07:42:00 -0400
Subject: [PATCH] test(dbus): zone: add nm-shared to expected output if it
exists
newer networkmanager ships with this zone. as such, if nm is installed
the expected "get zones" output changes.
(cherry picked from commit a609c15657e68bacbc05d87cb71f366148cb8ced)
(cherry picked from commit 9f8f9390ef0a1631c07cae37be2ab27f29d0f34d)
---
src/tests/dbus/zone_permanent_functional.at | 6 +++++-
src/tests/dbus/zone_runtime_functional.at | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/tests/dbus/zone_permanent_functional.at b/src/tests/dbus/zone_permanent_functional.at
index 2261832e00a8..75645983dbf7 100644
--- a/src/tests/dbus/zone_permanent_functional.at
+++ b/src/tests/dbus/zone_permanent_functional.at
@@ -30,8 +30,12 @@ export DBUS_FOOBAR_ZONE_OBJ
dnl Get Zones
dnl
+if NS_CMD([firewall-cmd --get-zones |grep "nm-shared" >/dev/null]); then
+ NM_SHARED="'nm-shared', "
+ export NM_SHARED
+fi
DBUS_CHECK([config], [config.getZoneNames], [], 0, [dnl
- [(['block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', 'public', 'trusted', 'work'],)]
+ (@<:@'block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', m4_escape([${NM_SHARED}])'public', 'trusted', 'work'@:>@,)
])
DBUS_CHECK([config], [config.listZones], [], 0, [stdout])
NS_CHECK([sed -e ["s/['][,]/'\n/g"] ./stdout |dnl
diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at
index bb0798abe7da..b5799b9b1ca3 100644
--- a/src/tests/dbus/zone_runtime_functional.at
+++ b/src/tests/dbus/zone_runtime_functional.at
@@ -36,8 +36,12 @@ DBUS_CHECK([], [getDefaultZone], [], 0, [dnl
])
dnl Fetching Zones
+if NS_CMD([firewall-cmd --get-zones |grep "nm-shared" >/dev/null]); then
+ NM_SHARED="'nm-shared', "
+ export NM_SHARED
+fi
DBUS_CHECK([], [zone.getZones], [], 0, [dnl
- [(['block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'],)]
+ (@<:@'block', 'dmz', 'drop', 'external', 'home', 'internal', m4_escape([${NM_SHARED}])'public', 'trusted', 'work'@:>@,)
])
FWD_CHECK([-q --zone public --add-interface dummy0])
FWD_CHECK([-q --zone public --add-source 10.1.1.1])
--
2.27.0

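Review bot: The four-line nm-shared detection block is pasted verbatim into both zone_permanent_functional.at and zone_runtime_functional.at; lifting it into a shared macro in the suite's functions file would keep the two in step when the expected-zones logic changes again. The detection itself uses `grep "nm-shared"`, an unanchored substring match, so a zone whose name merely contains that string would also set NM_SHARED; `grep -qw "nm-shared"` matches the whole word and drops the `>/dev/null` redirect. In the permanent-config test the probe queries the runtime zone list while the assertion is against `config.getZoneNames`; if the two can ever differ in this suite, `firewall-cmd --permanent --get-zones` would be the matching probe there — worth confirming.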

@ -1,50 +1,57 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld
Version: 0.8.0
Release: 4%{?dist}
Version: 0.8.2
Release: 2%{?dist}
URL: http://www.firewalld.org
License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
Patch1: RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
Patch2: 0002-fix-CLI-service-also-output-helpers-for-service-info.patch
Patch3: 0003-fix-reload-let-NM-interface-assignments-override-per.patch
Patch4: 0004-fix-dbus-firewall.conf-fix-check-for-AutomaticHelper.patch
Patch5: 0005-fix-test-CHECK_NAT_COEXISTENCE-only-check-for-kernel.patch
Patch6: 0006-fix-test-direct-passthrough-no-need-to-check-for-dum.patch
Patch7: 0007-fix-test-functions-FWD_END_TEST-improve-grep-for-err.patch
Patch8: 0008-test-build-add-support-for-running-in-containers.patch
Patch9: 0009-test-check-container-add-support-for-debian-sid.patch
Patch10: 0010-test-check-container-add-support-for-fedora-rawhide.patch
Patch11: 0011-fix-test-leave-cleanup-for-tests-cases.patch
Patch12: 0012-test-functions-new-macros-for-starting-stopping-Netw.patch
Patch13: 0013-test-functions-add-macro-NMCLI_CHECK.patch
Patch14: 0014-test-build-support-integration-tests.patch
Patch15: 0015-test-integration-NM-zone-overrides-interface-on-relo.patch
Patch16: 0016-test-check-container-also-run-check-integration.patch
Patch17: 0017-doc-README-add-note-about-integration-tests.patch
Patch18: 0018-chore-update-translations.patch
Patch19: 0019-doc-README-add-note-about-language-translations.patch
Patch20: 0020-fix-rich-source-dest-only-matching-with-mark-action.patch
Patch21: 0021-test-coverage-for-gh-567.patch
Patch22: 0022-improvement-test-move-regression.at-inside-directory.patch
Patch23: 0023-improvement-test-move-features.at-inside-directory.patch
Patch24: 0024-improvement-test-move-python.at-inside-directory.patch
Patch25: 0025-improvement-test-move-dbus.at-inside-directory.patch
Patch26: 0026-improvement-test-move-firewall-cmd.at-and-firewall-o.patch
Patch27: 0027-test-enhance-test-for-rhbz1729097.patch
Patch28: 0028-fix-test-functions-FWD_END_TEST-grep-for-errors-warn.patch
Patch29: 0029-improvement-tests-regression-rhbz1715977-shorten-tes.patch
Patch30: 0030-feat-AllowZoneDrifting-config-option.patch
Patch31: 0031-feat-nftables-support-AllowZoneDrifting-yes.patch
Patch32: 0032-feat-ipXtables-support-AllowZoneDrifting-yes.patch
Patch33: 0033-test-verify-AllowZoneDrifting-yes.patch
Patch34: 0034-chore-test-retab-some-test-cases.patch
Patch35: 0035-improvement-translations-build-target-to-merge-from-.patch
Patch36: 0036-chore-translation-merge-from-master.patch
Patch37: 0037-improvement-check-container-use-docker-build.patch
Patch38: 0038-fix-firewall-offline-cmd-Don-t-print-warning-about-A.patch
Patch39: 0039-RHEL-only-default-to-AllowZoneDrifting-yes.patch
Patch40: 0040-doc-direct-add-CAVEATS-section.patch
Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
Patch2: 0002-RHEL-only-default-to-AllowZoneDrifting-yes.patch
Patch3: 0003-fix-nftables-ipset-port-ranges-for-non-default-proto.patch
Patch4: 0004-test-ipset-verify-port-ranges-for-non-default-protoc.patch
Patch5: 0005-test-log-verify-logging-still-works-after-truncate.patch
Patch6: 0006-fix-test-regression-gh599-fix-if-not-using-debug-out.patch
Patch7: 0007-test-dbus-zone-verify-permanent-config-API-signature.patch
Patch8: 0008-test-dbus-zone-verify-runtime-config-API-signatures.patch
Patch9: 0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch
Patch10: 0010-fix-systemd-Conflict-with-nftables.service.patch
Patch11: 0011-test-dbus-zone-verify-permanent-config-APIs.patch
Patch12: 0012-test-dbus-zone-verify-runtime-config-APIs.patch
Patch13: 0013-fix-direct-rule-in-a-zone-chain.patch
Patch14: 0014-test-direct-rule-in-a-zone-chain.patch
Patch15: 0015-fix-client-addService-needs-to-reduce-tuple-size.patch
Patch16: 0016-test-dbus-zone-fix-false-failure-due-to-list-order.patch
Patch17: 0017-test-dbus-zone-fix-zone-runtime-functional-test-titl.patch
Patch18: 0018-fix-doc-dbus-signatures-for-zone-tuple-based-APIs.patch
Patch19: 0019-fix-config-bool-values-in-dict-based-import-export.patch
Patch20: 0020-fix-dbus-service-don-t-cleanup-config-for-old-set-AP.patch
Patch21: 0021-test-gh509-only-run-test-for-nftables-backend.patch
Patch22: 0022-test-ipv6-skip-square-bracket-address-tests-if-ipv6-.patch
Patch23: 0023-fix-ipset-flush-the-set-if-IndividiualCalls-yes.patch
Patch24: 0024-test-dbus-better-way-to-check-IPv6_rpfilter-expected.patch
Patch25: 0025-test-functions-add-macro-IF_HOST_SUPPORTS_NFT_RULE_I.patch
Patch26: 0026-test-functions-use-IndividualCalls-if-host-doesn-t-s.patch
Patch27: 0027-test-check-container-add-support-for-centos8-stream.patch
Patch28: 0028-fix-firewall-offline-cmd-remove-instances-of-P-in-he.patch
Patch29: 0029-fix-rich-source-mac-with-nftables-backend.patch
Patch30: 0030-test-rich-source-mac-with-nftables-backend.patch
Patch31: 0031-docs-README-add-libxslt-for-doc-generation.patch
Patch32: 0032-docs-replace-occurrences-of-the-term-blacklist-with-.patch
Patch33: 0033-fix-update-dynamic-DCE-RPC-ports-in-freeipa-trust-se.patch
Patch34: 0034-fix-core-rich-Catch-ValueError-on-non-numeric-priori.patch
Patch35: 0035-fix-cli-add-zone-is-an-invalid-option-with-direct.patch
Patch36: 0036-test-rhbz1483921-better-test-name.patch
Patch37: 0037-fix-cli-add-ipset-type-hash-mac-is-incompatible-with.patch
Patch38: 0038-fix-cli-unify-indentation-for-forward-ports-and-rich.patch
Patch39: 0039-improvement-service-IPsec-Update-description-and-add.patch
Patch40: 0040-fix-rich-nftables-log-level-warning.patch
Patch41: 0041-fix-rich-icmptypes-with-one-family.patch
Patch42: 0042-test-rich-icmptypes-with-one-family.patch
Patch43: 0043-fix-LastUpdatedOrderedDict-__getitem__-fetch-from-li.patch
Patch44: 0044-test-regression-rhbz1483921-correctly-use-macros.patch
Patch45: 0045-test-regression-rhbz1541077-correctly-use-macros.patch
Patch46: 0046-fix-rich-use-correct-error-code-for-invalid-priority.patch
Patch47: 0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch
BuildArch: noarch
BuildRequires: autoconf
@ -188,6 +195,7 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewalld*.1*
%{_mandir}/man5/firewall*.5*
%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf
%{_sysconfdir}/logrotate.d/firewalld
%files -n python3-firewall
%attr(0755,root,root) %dir %{python3_sitelib}/firewall
@ -242,6 +250,18 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewall-config*.1*
%changelog
* Tue Aug 04 2020 Eric Garver <egarver@redhat.com> - 0.8.2-2
- fix(cli): add ipset type hash:mac is incompatible with the family parameter
- fix(cli): add --zone is an invalid option with --direct
- fix: update dynamic DCE RPC ports in freeipa-trust service
- fix: core: rich: Catch ValueError on non-numeric priority values
- fix(rich): icmptypes with one family
- fix(direct): rule in a zone chain
- plus additional upstream stable fixes
* Mon Apr 06 2020 Eric Garver <egarver@redhat.com> - 0.8.2-1
- rebase to v0.8.2
* Thu Feb 27 2020 Eric Garver <egarver@redhat.com> - 0.8.0-4
- doc: direct: add CAVEATS section
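Review bot: The new `%{_sysconfdir}/logrotate.d/firewalld` entry in the `%files` hunk is listed as a plain file, so an administrator's local edits to it would be overwritten on every package upgrade; unless the file is meant to be package-managed only, it should be `%config(noreplace) %{_sysconfdir}/logrotate.d/firewalld`. The neighbouring `%{_sysconfdir}/modprobe.d/firewalld-sysctls.conf` line has the same shape and would warrant the same treatment if it is admin-editable, though that line predates this change. The 0.8.2-2 changelog entry ends with "plus additional upstream stable fixes", which hides behaviour changes such as Patch46's rich-rule exit-status change; listing the user-visible ones individually would help downstream triage.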