fix(policy): rich: verify ipset exists

Resolves: RHEL-95582
2025-06-17 15:18:49 -04:00 · 2025-06-17 15:18:49 -04:00 · c440185bad
commit c440185bad
parent 5c9efe4d73
3 changed files with 114 additions and 1 deletions
--- a/0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch
+++ b/0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch
@ -0,0 +1,42 @@
+From b3c8cbff1bd9867150f804a8f7f67098de515d6b Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 3 Jun 2025 16:36:10 -0400
+Subject: [PATCH 33/34] v2.4.0: fix(policy): rich: verify ipset exists
+
+Fixes: RHEL-67103
+Fixes: RHEL-67331
+(cherry picked from commit bd9b7fe87f337aff29142034282e7156cb678b41)
+---
+ src/firewall/core/io/policy.py | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
+index f9a1114d7969..de636631d28c 100644
+--- a/src/firewall/core/io/policy.py
+++ b/src/firewall/core/io/policy.py
+@@ -479,6 +479,22 @@ def common_check_config(obj, config, item, all_config, all_io_objects):
+                             obj_type, obj.name, obj_rich.element.name
+                         ),
+                     )
+            elif obj_rich.source and obj_rich.source.ipset:
+                if obj_rich.source.ipset not in all_io_objects["ipsets"]:
+                    raise FirewallError(
+                        errors.INVALID_IPSET,
+                        "{} '{}': '{}' not among existing ipsets".format(
+                            obj_type, obj.name, obj_rich.source.ipset
+                        ),
+                    )
+            elif obj_rich.destination and obj_rich.destination.ipset:
+                if obj_rich.destination.ipset not in all_io_objects["ipsets"]:
+                    raise FirewallError(
+                        errors.INVALID_IPSET,
+                        "{} '{}': '{}' not among existing ipsets".format(
+                            obj_type, obj.name, obj_rich.destination.ipset
+                        ),
+                    )
+ 
+ def common_writer(obj, handler):
+     # short
+-- 
+2.47.1
+
--- a/0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch
+++ b/0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch
@ -0,0 +1,66 @@
+From 7d2e41d3bcbf23765efc01e55d73dda6c0bced78 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 3 Jun 2025 16:20:11 -0400
+Subject: [PATCH 34/34] v2.4.0: test: rich: rule reference invalid ipset
+
+Coverage: RHEL-67103
+Coverage: RHEL-67331
+(cherry picked from commit d99076a59692af306e4dd6c909351a69e80b082a)
+---
+ src/tests/regression/RHEL-67103.at | 34 ++++++++++++++++++++++++++++++
+ src/tests/regression/regression.at |  1 +
+ 2 files changed, 35 insertions(+)
+ create mode 100644 src/tests/regression/RHEL-67103.at
+
+diff --git a/src/tests/regression/RHEL-67103.at b/src/tests/regression/RHEL-67103.at
+new file mode 100644
+index 000000000000..0cca717246bf
+--- /dev/null
+++ b/src/tests/regression/RHEL-67103.at
+@@ -0,0 +1,34 @@
+FWD_START_TEST([rich rule invalid ipset])
+AT_KEYWORDS(rich ipset RHEL-67103 RHEL-67331)
+
+dnl valid ipset
+FWD_CHECK([--permanent --new-ipset thisexists --type=hash:net], 0, [ignore])
+FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 source ipset=thisexists accept"], 0, [ignore])
+FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 destination ipset=thisexists accept"], 0, [ignore])
+FWD_RELOAD()
+
+dnl invalid ipset
+FWD_CHECK([            --add-rich-rule="rule family=ipv4 source ipset=doesnotexist accept"], 135, [ignore], [ignore])
+FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 source ipset=doesnotexist accept"], 135, [ignore], [ignore])
+FWD_CHECK([            --add-rich-rule="rule family=ipv4 destination ipset=doesnotexist accept"], 135, [ignore], [ignore])
+FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 destination ipset=doesnotexist accept"], 135, [ignore], [ignore])
+
+dnl verify checks for manually added XML
+AT_DATA([./zones/broken.xml], [m4_strip([dnl
+  <?xml version="1.0" encoding="utf-8"?>
+  <zone>
+    <short>broken</short>
+    <rule family="ipv4">
+      <source ipset="doesnotexist"/>
+      <accept/>
+    </rule>
+    <rule family="ipv4">
+      <destination ipset="doesnotexist"/>
+      <accept/>
+    </rule>
+    <forward/>
+  </zone>
+])])
+FWD_RELOAD(135, [ignore], [ignore])
+
+FWD_END_TEST([-e '/ERROR: INVALID_IPSET/d'])
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index e85641932b58..ea1357a91d44 100644
+--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
+@@ -57,3 +57,4 @@ m4_include([regression/ipset_scale.at])
+ m4_include([regression/gh1129.at])
+ m4_include([regression/gh1146.at])
+ m4_include([regression/rhbz2222044.at])
+m4_include([regression/RHEL-67103.at])
+-- 
+2.47.1
+
--- a/firewalld.spec
+++ b/firewalld.spec
@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 1.3.4
-Release: 14%{?dist}
+Release: 15%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2
@ -37,6 +37,8 @@ Patch29: 0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch
 Patch30: 0030-v2.4.0-chore-ipset-remove-set_supported_types.patch
 Patch31: 0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch
 Patch32: 0032-v2.4.0-fix-systemd-allow-start-code-251-RUNNING_BUT_FAILED.patch
+Patch33: 0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch
+Patch34: 0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch
 BuildArch: noarch
 BuildRequires: autoconf
 BuildRequires: automake
@ -260,6 +262,9 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite
 %{_mandir}/man1/firewall-config*.1*

 %changelog
+* Tue Jun 17 2025 Eric Garver <egarver@redhat.com> - 1.3.4-15
+- fix(policy): rich: verify ipset exists
+
 * Mon Jun 02 2025 Eric Garver <egarver@redhat.com> - 1.3.4-14
 - fix(systemd): allow start code 251 (RUNNING_BUT_FAILED)