From c440185bad0161ccb9a99f408b3064279b60cf72 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Tue, 17 Jun 2025 15:18:49 -0400
Subject: [PATCH] fix(policy): rich: verify ipset exists

Resolves: RHEL-95582
---
 ...-fix-policy-rich-verify-ipset-exists.patch | 42 ++++++++++++
 ...st-rich-rule-reference-invalid-ipset.patch | 66 +++++++++++++++++++
 firewalld.spec | 7 +-
 3 files changed, 114 insertions(+), 1 deletion(-)
 create mode 100644 0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch
 create mode 100644 0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch

diff --git a/0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch b/0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch
new file mode 100644
index 0000000..69f65f6
--- /dev/null
+++ b/0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch
@@ -0,0 +1,42 @@
+From b3c8cbff1bd9867150f804a8f7f67098de515d6b Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 3 Jun 2025 16:36:10 -0400
+Subject: [PATCH 33/34] v2.4.0: fix(policy): rich: verify ipset exists
+
+Fixes: RHEL-67103
+Fixes: RHEL-67331
+(cherry picked from commit bd9b7fe87f337aff29142034282e7156cb678b41)
+---
+ src/firewall/core/io/policy.py | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
+index f9a1114d7969..de636631d28c 100644
+--- a/src/firewall/core/io/policy.py
++++ b/src/firewall/core/io/policy.py
+@@ -479,6 +479,22 @@ def common_check_config(obj, config, item, all_config, all_io_objects):
+ obj_type, obj.name, obj_rich.element.name
+ ),
+ )
++ elif obj_rich.source and obj_rich.source.ipset:
++ if obj_rich.source.ipset not in all_io_objects["ipsets"]:
++ raise FirewallError(
++ errors.INVALID_IPSET,
++ "{} '{}': '{}' not among existing ipsets".format(
++ obj_type, obj.name, obj_rich.source.ipset
++ ),
++ )
++ elif obj_rich.destination and obj_rich.destination.ipset:
++ if obj_rich.destination.ipset not in all_io_objects["ipsets"]:
++ raise FirewallError(
++ errors.INVALID_IPSET,
++ "{} '{}': '{}' not among existing ipsets".format(
++ obj_type, obj.name, obj_rich.destination.ipset
++ ),
++ )
+
+ def common_writer(obj, handler):
+ # short
+--
+2.47.1
+
diff --git a/0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch b/0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch
new file mode 100644
index 0000000..153358c
--- /dev/null
+++ b/0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch
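Review bot: The two new checks are chained with `elif`, so the `elif obj_rich.destination and obj_rich.destination.ipset:` branch is only evaluated when the source branch was false; a rich rule that names a valid ipset in `source` and a missing one in `destination` passes `common_check_config` and the dangling reference is never reported here. Because the first new branch also chains onto the `if` that precedes the hunk, a rule that enters that earlier branch would skip both ipset checks as well — that condition is outside the hunk, so this part is inferred. Source and destination are independent attributes of the rule, so each check should be its own statement: `if obj_rich.source and obj_rich.source.ipset:` and `if obj_rich.destination and obj_rich.destination.ipset:`, leaving the bodies unchanged. `common_check_config` starts before the hunk and continues after it.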
@@ -0,0 +1,66 @@
+From 7d2e41d3bcbf23765efc01e55d73dda6c0bced78 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 3 Jun 2025 16:20:11 -0400
+Subject: [PATCH 34/34] v2.4.0: test: rich: rule reference invalid ipset
+
+Coverage: RHEL-67103
+Coverage: RHEL-67331
+(cherry picked from commit d99076a59692af306e4dd6c909351a69e80b082a)
+---
+ src/tests/regression/RHEL-67103.at | 34 ++++++++++++++++++++++++++++++
+ src/tests/regression/regression.at | 1 +
+ 2 files changed, 35 insertions(+)
+ create mode 100644 src/tests/regression/RHEL-67103.at
+
+diff --git a/src/tests/regression/RHEL-67103.at b/src/tests/regression/RHEL-67103.at
+new file mode 100644
+index 000000000000..0cca717246bf
+--- /dev/null
++++ b/src/tests/regression/RHEL-67103.at
+@@ -0,0 +1,34 @@
++FWD_START_TEST([rich rule invalid ipset])
++AT_KEYWORDS(rich ipset RHEL-67103 RHEL-67331)
++
++dnl valid ipset
++FWD_CHECK([--permanent --new-ipset thisexists --type=hash:net], 0, [ignore])
++FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 source ipset=thisexists accept"], 0, [ignore])
++FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 destination ipset=thisexists accept"], 0, [ignore])
++FWD_RELOAD()
++
++dnl invalid ipset
++FWD_CHECK([ --add-rich-rule="rule family=ipv4 source ipset=doesnotexist accept"], 135, [ignore], [ignore])
++FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 source ipset=doesnotexist accept"], 135, [ignore], [ignore])
++FWD_CHECK([ --add-rich-rule="rule family=ipv4 destination ipset=doesnotexist accept"], 135, [ignore], [ignore])
++FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 destination ipset=doesnotexist accept"], 135, [ignore], [ignore])
++
++dnl verify checks for manually added XML
++AT_DATA([./zones/broken.xml], [m4_strip([dnl
++
++
++ broken
++
++
++
++
++
++
++
++
++
++])])
++FWD_RELOAD(135, [ignore], [ignore])
++
++FWD_END_TEST([-e '/ERROR: INVALID_IPSET/d'])
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index e85641932b58..ea1357a91d44 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -57,3 +57,4 @@ m4_include([regression/ipset_scale.at])
+ m4_include([regression/gh1129.at])
+ m4_include([regression/gh1146.at])
+ m4_include([regression/rhbz2222044.at])
++m4_include([regression/RHEL-67103.at])
+--
+2.47.1
+
diff --git a/firewalld.spec b/firewalld.spec
index 5eb7218..649cc18 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 1.3.4
-Release: 14%{?dist}
+Release: 15%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2
@@ -37,6 +37,8 @@ Patch29: 0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch
 Patch30: 0030-v2.4.0-chore-ipset-remove-set_supported_types.patch
 Patch31: 0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch
 Patch32: 0032-v2.4.0-fix-systemd-allow-start-code-251-RUNNING_BUT_FAILED.patch
+Patch33: 0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch
+Patch34: 0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch
 BuildArch: noarch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -260,6 +262,9 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite
 %{_mandir}/man1/firewall-config*.1*

 %changelog
+* Tue Jun 17 2025 Eric Garver - 1.3.4-15
+- fix(policy): rich: verify ipset exists
+
 * Mon Jun 02 2025 Eric Garver - 1.3.4-14
 - fix(systemd): allow start code 251 (RUNNING_BUT_FAILED)
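Review bot: The new regression test only ever names an ipset in one of `source` or `destination` per rule, so it cannot distinguish a validator that checks both attributes from one that stops after the first match; the "invalid ipset" group should also cover a single rule with a valid source set and a missing destination set, e.g. `FWD_CHECK([--permanent --add-rich-rule="rule family=ipv4 source ipset=thisexists destination ipset=doesnotexist accept"], 135, [ignore], [ignore])` (constructed from the existing FWD_CHECK lines, expected to be rejected with the same INVALID_IPSET error). The zone body inside `AT_DATA([./zones/broken.xml], ...)` has lost its XML markup in this rendering, so the manually-added-XML case cannot be reviewed from the hunk as shown.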