diff --git a/SOURCES/0037-docs-firewall-cmd-client-conntrack-helpers-must-use-.patch b/SOURCES/0037-docs-firewall-cmd-client-conntrack-helpers-must-use-.patch new file mode 100644 index 0000000..6b2607d --- /dev/null +++ b/SOURCES/0037-docs-firewall-cmd-client-conntrack-helpers-must-use-.patch @@ -0,0 +1,74 @@ +From 78060c945be591b4fe8a1b0d3f206585d3948676 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 2 Jul 2021 11:19:18 -0400 +Subject: [PATCH 37/50] docs(firewall-*cmd): client conntrack helpers must use + a policy + +Fixes: rhbz 1899933 +Fixes: rhbz 1975484 +(cherry picked from commit adb4ccd88e6c1fd460c9c674d89fdf89299c3970) +(cherry picked from commit 8cd0da7032080ada6b80b7f97faec6a30a8d45f5) +--- + doc/xml/firewall-cmd.xml.in | 17 +++++++++++++++++ + doc/xml/firewall-offline-cmd.xml | 17 +++++++++++++++++ + 2 files changed, 34 insertions(+) + +diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in +index 691117f3dbff..8cd67e388ef5 100644 +--- a/doc/xml/firewall-cmd.xml.in ++++ b/doc/xml/firewall-cmd.xml.in +@@ -634,6 +634,23 @@ + + The option is not combinable with the option. + ++ ++ Note: Some services define connection tracking helpers. ++ Helpers that may operate in client mode (e.g. tftp) must be added to an ++ outbound policy instead of a zone to take effect for clients. Otherwise ++ the helper will not be applied to the outbound traffic. The related ++ traffic, as defined by the connection tracking helper, on the return ++ path (ingress) will be allowed by the stateful firewall rules. ++ ++ ++ An example of an outbound policy for connection tracking helpers: ++ ++# firewall-cmd --permanent --new-policy clientConntrack ++# firewall-cmd --permanent --policy clientConntrack --add-ingress-zone HOST ++# firewall-cmd --permanent --policy clientConntrack --add-egress-zone ANY ++# firewall-cmd --permanent --policy clientConntrack --add-service tftp ++ ++ + + + +diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml +index 92ec55be4623..8e2dd7989956 100644 +--- a/doc/xml/firewall-offline-cmd.xml ++++ b/doc/xml/firewall-offline-cmd.xml +@@ -722,6 +722,23 @@ + + The service is one of the firewalld provided services. To get a list of the supported services, use firewall-cmd --get-services. + ++ ++ Note: Some services define connection tracking helpers. ++ Helpers that may operate in client mode (e.g. tftp) must be added to an ++ outbound policy instead of a zone to take effect for clients. Otherwise ++ the helper will not be applied to the outbound traffic. The related ++ traffic, as defined by the connection tracking helper, on the return ++ path (ingress) will be allowed by the stateful firewall rules. ++ ++ ++ An example of an outbound policy for connection tracking helpers: ++ ++# firewall-cmd --new-policy clientConntrack ++# firewall-cmd --policy clientConntrack --add-ingress-zone HOST ++# firewall-cmd --policy clientConntrack --add-egress-zone ANY ++# firewall-cmd --policy clientConntrack --add-service tftp ++ ++ + + + +-- +2.27.0 + diff --git a/SOURCES/0038-fix-nftables-do-not-log-icmp-block-if-inversion.patch b/SOURCES/0038-fix-nftables-do-not-log-icmp-block-if-inversion.patch new file mode 100644 index 0000000..f6c5b0b --- /dev/null +++ b/SOURCES/0038-fix-nftables-do-not-log-icmp-block-if-inversion.patch @@ -0,0 +1,29 @@ +From de28755c4e14224f6303c864327fffe7d2639268 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 13 Sep 2021 15:45:53 -0400 +Subject: [PATCH 38/50] fix(nftables): do not log icmp block if inversion + +Fixes: #696 +Fixes: rhbz1945833 +(cherry picked from commit 50a5ed2d0fa6169c6780488dae931a3b4fce47ab) +(cherry picked from commit a451b033200b289c6fac823f7dce23c37a38a3d1) +--- + src/firewall/core/nftables.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index e3ae988bbdab..29a9a2492032 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1601,7 +1601,7 @@ class nftables(object): + rule.update(self._rich_rule_priority_fragment(rich_rule)) + rules.append({add_del: {"rule": rule}}) + else: +- if self._fw.get_log_denied() != "off" and self._fw.policy.query_icmp_block_inversion(policy): ++ if self._fw.get_log_denied() != "off" and not self._fw.policy.query_icmp_block_inversion(policy): + rules.append({add_del: {"rule": {"family": "inet", + "table": TABLE_NAME, + "chain": final_chain, +-- +2.27.0 + diff --git a/SOURCES/0039-test-icmp-don-t-log-blocked-if-ICMP-inversion.patch b/SOURCES/0039-test-icmp-don-t-log-blocked-if-ICMP-inversion.patch new file mode 100644 index 0000000..bcc8fe3 --- /dev/null +++ b/SOURCES/0039-test-icmp-don-t-log-blocked-if-ICMP-inversion.patch @@ -0,0 +1,135 @@ +From b2075eb46f1798ba897ca443ea14872b17267d69 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 13 Sep 2021 14:54:42 -0400 +Subject: [PATCH 39/50] test(icmp): don't log blocked if ICMP inversion + +Coverage: #696 +Coverage: rhbz1945833 +(cherry picked from commit b7d9a74731f9c5a1a6faf0f2959adcc315d2ca16) +(cherry picked from commit d45c614967cec6a608c93c1e8531089d7b1150bb) +--- + src/tests/regression/gh696.at | 102 +++++++++++++++++++++++++++++ + src/tests/regression/regression.at | 1 + + 2 files changed, 103 insertions(+) + create mode 100644 src/tests/regression/gh696.at + +diff --git a/src/tests/regression/gh696.at b/src/tests/regression/gh696.at +new file mode 100644 +index 000000000000..19b8d485a0a5 +--- /dev/null ++++ b/src/tests/regression/gh696.at +@@ -0,0 +1,102 @@ ++FWD_START_TEST([icmp-block-inversion no log blocked]) ++AT_KEYWORDS(icmp gh696 rhbz1945833) ++ ++FWD_CHECK([--permanent --zone public --remove-icmp-block-inversion], 0, [ignore], [ignore]) ++FWD_CHECK([--permanent --zone public --add-icmp-block echo-request], 0, [ignore]) ++FWD_RELOAD() ++ ++NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl ++ table inet firewalld { ++ chain filter_IN_public_deny { ++ icmp type echo-request reject with icmpx type admin-prohibited ++ icmpv6 type echo-request reject with icmpx type admin-prohibited ++ } ++ } ++]) ++ ++IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl ++ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited ++]) ++IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl ++ REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited ++]) ++ ++dnl since inversion is disabled we should get logs when the ICMP is blocked. ++FWD_CHECK([--set-log-denied all], 0, [ignore]) ++ ++NFT_LIST_RULES([inet], [filter_IN_public_deny], 0, [dnl ++ table inet firewalld { ++ chain filter_IN_public_deny { ++ icmp type echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: "" ++ icmp type echo-request reject with icmpx type admin-prohibited ++ icmpv6 type echo-request log prefix ""filter_zone_public_HOST_ICMP_BLOCK: "" ++ icmpv6 type echo-request reject with icmpx type admin-prohibited ++ } ++ } ++]) ++ ++IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl ++ LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 LOG flags 0 level 4 prefix "zone_public_HOST_ICMP_BLOCK: " ++ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 reject-with icmp-host-prohibited ++]) ++IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl ++ LOG icmpv6 ::/0 ::/0 ipv6-icmptype 128 LOG flags 0 level 4 prefix "zone_public_HOST_ICMP_BLOCK: " ++ REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 128 reject-with icmp6-adm-prohibited ++]) ++ ++dnl ######################################## ++dnl ######################################## ++dnl Same as above, but with icmp block inversion. ++dnl ######################################## ++dnl ######################################## ++ ++FWD_CHECK([--permanent --zone public --add-icmp-block-inversion], 0, [ignore]) ++FWD_CHECK([--set-log-denied off], 0, [ignore]) ++ ++NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl ++ table inet firewalld { ++ chain filter_IN_public_allow { ++ tcp dport 22 ct state new,untracked accept ++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ icmp type echo-request accept ++ icmpv6 type echo-request accept ++ } ++ } ++]) ++ ++IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 ++]) ++IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128 ++]) ++ ++dnl since inversion is enabled, it should be the same whether set-log-denied is ++dnl enabled or not. ++FWD_CHECK([--set-log-denied all], 0, [ignore]) ++ ++NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl ++ table inet firewalld { ++ chain filter_IN_public_allow { ++ tcp dport 22 ct state new,untracked accept ++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ icmp type echo-request accept ++ icmpv6 type echo-request accept ++ } ++ } ++]) ++ ++IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 ++]) ++IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128 ++]) ++ ++FWD_END_TEST([-d '/WARNING: NOT_ENABLED: icmp-block-inversion/d']) +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index aadd948a459f..ba41a56b29b5 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -42,3 +42,4 @@ m4_include([regression/ipset_netmask_allowed.at]) + m4_include([regression/rhbz1940928.at]) + m4_include([regression/rhbz1936896.at]) + m4_include([regression/rhbz1914935.at]) ++m4_include([regression/gh696.at]) +-- +2.27.0 + diff --git a/SOURCES/0040-fix-nftables-rich-source-address-with-netmask.patch b/SOURCES/0040-fix-nftables-rich-source-address-with-netmask.patch new file mode 100644 index 0000000..740dcf0 --- /dev/null +++ b/SOURCES/0040-fix-nftables-rich-source-address-with-netmask.patch @@ -0,0 +1,38 @@ +From 12fd98893d190df9581d04155fa9207d2adb5573 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 15 Sep 2021 14:12:37 -0400 +Subject: [PATCH 40/50] fix(nftables): rich: source address with netmask + +Fixes: rhbz1917766 +(cherry picked from commit 3809fef17dc779052a3f050041fe90e3599f35be) +(cherry picked from commit 32d5eb8d94a2b39a4dda10fec351ad6fbab7d486) +--- + src/firewall/core/nftables.py | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 29a9a2492032..059cd8869dbb 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -22,6 +22,7 @@ from __future__ import absolute_import + + import copy + import json ++import ipaddress + + from firewall.core.logger import log + from firewall.functions import check_mac, getPortRange, normalizeIP6, \ +@@ -1213,8 +1214,8 @@ class nftables(object): + family = "ip" + elif check_address("ipv4", address): + family = "ip" +- addr_len = address.split("/") +- address = {"prefix": {"addr": addr_len[0], "len": int(addr_len[1])}} ++ normalized_address = ipaddress.IPv4Network(address, strict=False) ++ address = {"prefix": {"addr": normalized_address.network_address.compressed, "len": normalized_address.prefixlen}} + elif check_single_address("ipv6", address): + family = "ip6" + address = normalizeIP6(address) +-- +2.27.0 + diff --git a/SOURCES/0041-test-rich-source-address-with-netmask.patch b/SOURCES/0041-test-rich-source-address-with-netmask.patch new file mode 100644 index 0000000..51f4366 --- /dev/null +++ b/SOURCES/0041-test-rich-source-address-with-netmask.patch @@ -0,0 +1,56 @@ +From 0be3d6ba5d6a1cb17c965a5454cc156fbb2ac867 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 15 Sep 2021 13:47:01 -0400 +Subject: [PATCH 41/50] test(rich): source address with netmask + +Coverage: rhbz1917766 +(cherry picked from commit 9e9f94061b129e22e8c6fc2f8985d782bfe09689) +(cherry picked from commit 498c6b221ebbca09401ae5f98498c6a148ae602f) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1917766.at | 24 ++++++++++++++++++++++++ + 2 files changed, 25 insertions(+) + create mode 100644 src/tests/regression/rhbz1917766.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index ba41a56b29b5..f9d42d6e2765 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -43,3 +43,4 @@ m4_include([regression/rhbz1940928.at]) + m4_include([regression/rhbz1936896.at]) + m4_include([regression/rhbz1914935.at]) + m4_include([regression/gh696.at]) ++m4_include([regression/rhbz1917766.at]) +diff --git a/src/tests/regression/rhbz1917766.at b/src/tests/regression/rhbz1917766.at +new file mode 100644 +index 000000000000..b25d0a2f9740 +--- /dev/null ++++ b/src/tests/regression/rhbz1917766.at +@@ -0,0 +1,24 @@ ++FWD_START_TEST([rich rule source with netmask]) ++AT_KEYWORDS(rich rhbz1917766) ++ ++dnl Note: IPv6 only supports CIDR notation. It does not support address/netmask ++dnl notation. ++ ++FWD_CHECK([ --zone public --add-rich-rule='rule family=ipv4 source address="192.168.1.0/255.255.255.0" accept'], 0, [ignore]) ++FWD_CHECK([--permanent --zone public --add-rich-rule='rule family=ipv4 source address="192.168.1.0/255.255.255.0" accept'], 0, [ignore]) ++ ++AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ foobar ++ foobar ++ ++ ++ ++ ++ ++]) ++FWD_RELOAD() ++FWD_CHECK([--zone foobar --add-interface foobar0], 0, [ignore]) ++ ++FWD_END_TEST() +-- +2.27.0 + diff --git a/SOURCES/0042-test-zone-source-with-netmask.patch b/SOURCES/0042-test-zone-source-with-netmask.patch new file mode 100644 index 0000000..b63d66e --- /dev/null +++ b/SOURCES/0042-test-zone-source-with-netmask.patch @@ -0,0 +1,26 @@ +From 8ef0683614704039f1dc7bfe22ace159f9961f15 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 15 Sep 2021 14:38:28 -0400 +Subject: [PATCH 42/50] test(zone): source with netmask + +(cherry picked from commit e635bdffa630c827ff0ed2fc2bb201d560631be0) +(cherry picked from commit 818f39d4c3b029b12e744505cfe35b0b47bed7db) +--- + src/tests/cli/firewall-cmd.at | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at +index 450737776a9f..f36f634853fa 100644 +--- a/src/tests/cli/firewall-cmd.at ++++ b/src/tests/cli/firewall-cmd.at +@@ -214,6 +214,7 @@ sources: $1 + + check_zone_source([1.2.3.4]) + check_zone_source([192.168.1.0/24]) ++ check_zone_source([192.168.1.1/255.255.255.0]) + IF_HOST_SUPPORTS_IPV6_RULES([ + check_zone_source([3ffe:501:ffff::/64]) + check_zone_source([dead:beef::babe]) +-- +2.27.0 + diff --git a/SOURCES/0043-fix-fw_config-zone-on-rename-remove-then-add.patch b/SOURCES/0043-fix-fw_config-zone-on-rename-remove-then-add.patch new file mode 100644 index 0000000..2c597fd --- /dev/null +++ b/SOURCES/0043-fix-fw_config-zone-on-rename-remove-then-add.patch @@ -0,0 +1,43 @@ +From b2c9302e8a4ad1ab7535a557b2f9c9aa49b49629 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 27 Oct 2021 11:09:39 -0400 +Subject: [PATCH 43/50] fix(fw_config): zone: on rename remove then add + +Remove the old object before creating the new one. This avoids issues +such as conflicting configuration in the objects that check_config() may +trip over. + +(cherry picked from commit 3aec1dfe449d0bcb52884341770e4def0de27f56) +(cherry picked from commit a58b45d8ee3221309ec0c6f919c266b5cfc6f89a) +--- + src/firewall/core/fw_config.py | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/src/firewall/core/fw_config.py b/src/firewall/core/fw_config.py +index 148ce1b4e32c..a97d0b23a6ac 100644 +--- a/src/firewall/core/fw_config.py ++++ b/src/firewall/core/fw_config.py +@@ -984,13 +984,16 @@ class FirewallConfig(object): + + def rename_zone(self, obj, name): + self.check_builtin_zone(obj) +- new_zone = self._copy_zone(obj, name) ++ obj_conf = obj.export_config_dict() + self._remove_zone(obj) ++ try: ++ new_zone = self.new_zone_dict(name, obj_conf) ++ except: ++ # re-add original if rename failed ++ self.new_zone_dict(obj.name, obj_conf) ++ raise + return new_zone + +- def _copy_zone(self, obj, name): +- return self.new_zone_dict(name, obj.export_config_dict()) +- + # policy objects + + def get_policy_objects(self): +-- +2.27.0 + diff --git a/SOURCES/0044-fix-io-functions-check_config-against-on-disk-conf.patch b/SOURCES/0044-fix-io-functions-check_config-against-on-disk-conf.patch new file mode 100644 index 0000000..39bce67 --- /dev/null +++ b/SOURCES/0044-fix-io-functions-check_config-against-on-disk-conf.patch @@ -0,0 +1,98 @@ +From 0e28840f5c3362d032f2f805cbbe6fbbaa217437 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 27 Oct 2021 13:58:27 -0400 +Subject: [PATCH 44/50] fix(io/functions): check_config against on disk conf + +Before this change the runtime FirewallConfig() instance was used. This +caused some permanent configuration issues to not be caught due to +comparing against the runtime instances of all objects. + +For example, two zones in permanent configuration may use the same +interface (which is not valid), but if the runtime configuration does +not have have these interface assignments then check_config() won't +catch the issue since it compares against the runtime configuration. + +Fix is to build a temporary FirewallConfig() instance for all the +on-disk/permanent configuration. + +(cherry picked from commit 35d4facc8962cd1b66bc245fe03f658d491e1061) +(cherry picked from commit 55a799e872dc88b1341a6bc38af33e77dfedb72f) +--- + src/firewall/core/io/functions.py | 47 ++++++++++++++++++++++--------- + 1 file changed, 34 insertions(+), 13 deletions(-) + +diff --git a/src/firewall/core/io/functions.py b/src/firewall/core/io/functions.py +index 0c7b1886426c..35a7eaf8dec8 100644 +--- a/src/firewall/core/io/functions.py ++++ b/src/firewall/core/io/functions.py +@@ -24,6 +24,7 @@ import os + from firewall import config + from firewall.errors import FirewallError + ++from firewall.core.fw_config import FirewallConfig + from firewall.core.io.zone import zone_reader + from firewall.core.io.service import service_reader + from firewall.core.io.ipset import ipset_reader +@@ -34,26 +35,46 @@ from firewall.core.io.direct import Direct + from firewall.core.io.lockdown_whitelist import LockdownWhitelist + from firewall.core.io.firewalld_conf import firewalld_conf + +-def check_config(fw=None): ++def check_config(fw): ++ fw_config = FirewallConfig(fw) + readers = { +- "ipset" : (ipset_reader, [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS]), +- "helper" : (helper_reader, [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS]), +- "icmptype" : (icmptype_reader, [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES]), +- "service" : (service_reader, [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES]), +- "zone" : (zone_reader, [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES]), +- "policy" : (policy_reader, [config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES]), ++ "ipset": {"reader": ipset_reader, ++ "add": fw_config.add_ipset, ++ "dirs": [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS], ++ }, ++ "helper": {"reader": helper_reader, ++ "add": fw_config.add_helper, ++ "dirs": [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS], ++ }, ++ "icmptype": {"reader": icmptype_reader, ++ "add": fw_config.add_icmptype, ++ "dirs": [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES], ++ }, ++ "service": {"reader": service_reader, ++ "add": fw_config.add_service, ++ "dirs": [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES], ++ }, ++ "zone": {"reader": zone_reader, ++ "add": fw_config.add_zone, ++ "dirs": [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES], ++ }, ++ "policy": {"reader": policy_reader, ++ "add": fw_config.add_policy_object, ++ "dirs": [config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES], ++ }, + } + for reader in readers.keys(): +- for dir in readers[reader][1]: +- if not os.path.isdir(dir): ++ for _dir in readers[reader]["dirs"]: ++ if not os.path.isdir(_dir): + continue +- for file in sorted(os.listdir(dir)): ++ for file in sorted(os.listdir(_dir)): + if file.endswith(".xml"): + try: +- obj = readers[reader][0](file, dir) +- if fw and reader in ["zone", "policy"]: +- obj.fw_config = fw.config ++ obj = readers[reader]["reader"](file, _dir) ++ if reader in ["zone", "policy"]: ++ obj.fw_config = fw_config + obj.check_config(obj.export_config()) ++ readers[reader]["add"](obj) + except FirewallError as error: + raise FirewallError(error.code, "'%s': %s" % (file, error.msg)) + except Exception as msg: +-- +2.27.0 + diff --git a/SOURCES/0045-fix-zone-detect-same-source-interface-in-zones.patch b/SOURCES/0045-fix-zone-detect-same-source-interface-in-zones.patch new file mode 100644 index 0000000..a5542f3 --- /dev/null +++ b/SOURCES/0045-fix-zone-detect-same-source-interface-in-zones.patch @@ -0,0 +1,46 @@ +From 8311259a6e2a6ac475c3d8c9a2df099469bf8277 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 27 Oct 2021 10:13:59 -0400 +Subject: [PATCH 45/50] fix(zone): detect same source/interface in zones + +Fixes: rhbz2014383 +(cherry picked from commit 4b721abb087a529596722a045a63a65af2e0566a) +(cherry picked from commit 081fcfe7b255b2e0f91c4a3dc55539e4cfd4b7d1) +--- + src/firewall/core/io/zone.py | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py +index 3aea94a13155..4291ec9cba00 100644 +--- a/src/firewall/core/io/zone.py ++++ b/src/firewall/core/io/zone.py +@@ -193,11 +193,26 @@ class Zone(IO_Object): + for interface in config: + if not checkInterface(interface): + raise FirewallError(errors.INVALID_INTERFACE, interface) ++ if self.fw_config: ++ for zone in self.fw_config.get_zones(): ++ if zone == self.name: ++ continue ++ if interface in self.fw_config.get_zone(zone).interfaces: ++ raise FirewallError(errors.INVALID_INTERFACE, ++ "interface '{}' already bound to zone '{}'".format(interface, zone)) + elif item == "sources": + for source in config: + if not checkIPnMask(source) and not checkIP6nMask(source) and \ + not check_mac(source) and not source.startswith("ipset:"): + raise FirewallError(errors.INVALID_ADDR, source) ++ if self.fw_config: ++ for zone in self.fw_config.get_zones(): ++ if zone == self.name: ++ continue ++ if source in self.fw_config.get_zone(zone).sources: ++ raise FirewallError(errors.INVALID_ADDR, ++ "source '{}' already bound to zone '{}'".format(source, zone)) ++ + + def check_name(self, name): + super(Zone, self).check_name(name) +-- +2.27.0 + diff --git a/SOURCES/0046-test-zone-detect-same-source-interface-in-zones.patch b/SOURCES/0046-test-zone-detect-same-source-interface-in-zones.patch new file mode 100644 index 0000000..3ee2c37 --- /dev/null +++ b/SOURCES/0046-test-zone-detect-same-source-interface-in-zones.patch @@ -0,0 +1,88 @@ +From 63754e688baba56c7e625b53d39aa7380a754094 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 25 Oct 2021 09:35:51 -0400 +Subject: [PATCH 46/50] test(zone): detect same source/interface in zones + +Coverage: rhbz2014383 +(cherry picked from commit 6f68d295ac5edcdb10c062e2fba7b810ce2db58c) +(cherry picked from commit a15069d5542c2af391266f2da5f4137766d11a57) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz2014383.at | 56 +++++++++++++++++++++++++++++ + 2 files changed, 57 insertions(+) + create mode 100644 src/tests/regression/rhbz2014383.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index f9d42d6e2765..a20b913fbe59 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -44,3 +44,4 @@ m4_include([regression/rhbz1936896.at]) + m4_include([regression/rhbz1914935.at]) + m4_include([regression/gh696.at]) + m4_include([regression/rhbz1917766.at]) ++m4_include([regression/rhbz2014383.at]) +diff --git a/src/tests/regression/rhbz2014383.at b/src/tests/regression/rhbz2014383.at +new file mode 100644 +index 000000000000..f2ef766dc1b2 +--- /dev/null ++++ b/src/tests/regression/rhbz2014383.at +@@ -0,0 +1,56 @@ ++FWD_START_TEST([same source in two zone xml]) ++AT_KEYWORDS(zone rhbz2014383) ++ ++AT_CHECK([mkdir -p ./zones]) ++ ++AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ foobar ++ foobar ++ ++ ++ ++ ++]) ++ ++AT_DATA([./zones/foobar2.xml], [dnl ++ ++ ++ foobar2 ++ foobar2 ++ ++ ++ ++ ++]) ++ ++FWD_CHECK([--check-config], 105, [ignore], [ignore]) ++ ++dnl Do the same thing, but with interfaces ++ ++AT_DATA([./zones/foobar.xml], [dnl ++ ++ ++ foobar ++ foobar ++ ++ ++ ++ ++]) ++ ++AT_DATA([./zones/foobar2.xml], [dnl ++ ++ ++ foobar2 ++ foobar2 ++ ++ ++ ++ ++]) ++ ++FWD_CHECK([--check-config], 104, [ignore], [ignore]) ++ ++FWD_END_TEST([ignore]) +-- +2.27.0 + diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec index 675dd16..e66d386 100644 --- a/SPECS/firewalld.spec +++ b/SPECS/firewalld.spec @@ -1,7 +1,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 0.9.3 -Release: 7%{?dist} +Release: 11%{?dist} URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz @@ -41,6 +41,16 @@ Patch33: 0033-fix-policy-warn-instead-of-error-for-overlapping-por.patch Patch34: 0034-test-zone-verify-overlapping-ports-don-t-halt-zone-l.patch Patch35: v1.0.0-0035-fix-ipset-normalize-entries-in-CIDR-notation.patch Patch36: v1.0.0-0036-fix-ipset-disallow-overlapping-entries.patch +Patch37: 0037-docs-firewall-cmd-client-conntrack-helpers-must-use-.patch +Patch38: 0038-fix-nftables-do-not-log-icmp-block-if-inversion.patch +Patch39: 0039-test-icmp-don-t-log-blocked-if-ICMP-inversion.patch +Patch40: 0040-fix-nftables-rich-source-address-with-netmask.patch +Patch41: 0041-test-rich-source-address-with-netmask.patch +Patch42: 0042-test-zone-source-with-netmask.patch +Patch43: 0043-fix-fw_config-zone-on-rename-remove-then-add.patch +Patch44: 0044-fix-io-functions-check_config-against-on-disk-conf.patch +Patch45: 0045-fix-zone-detect-same-source-interface-in-zones.patch +Patch46: 0046-test-zone-detect-same-source-interface-in-zones.patch BuildArch: noarch BuildRequires: autoconf @@ -242,6 +252,18 @@ desktop-file-install --delete-original \ %{_mandir}/man1/firewall-config*.1* %changelog +* Tue Nov 16 2021 Eric Garver - 0.9.3-11 +- fix(zone): detect same source/interface in zones + +* Tue Nov 16 2021 Eric Garver - 0.9.3-10 +- fix(nftables): rich: source address with netmask + +* Tue Nov 16 2021 Eric Garver - 0.9.3-9 +- fix(nftables): do not log icmp block if inversion + +* Tue Nov 16 2021 Eric Garver - 0.9.3-8 +- docs(firewall-*cmd): client conntrack helpers must use a policy + * Tue Jul 13 2021 Eric Garver - 0.9.3-7 - fix(ipset): disallow overlapping entries