import firewalld-0.8.2-6.el8

CentOS Sources 2021-02-04 06:12:03 +00:00 committed by Andrew Lukoshko
parent 86bcc4af9e
commit cc5b8020e9
5 changed files with 307 additions and 1 deletions


@ -0,0 +1,107 @@
From dbce20e28a898c394274109904d471d84cfa7fea Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Fri, 13 Nov 2020 10:40:51 -0500
Subject: [PATCH 65/66] fix(rich): non-printable characters removed from rich
rules
Fixes: rhbz 1596304
Fixes: #480
(cherry picked from commit ac5960856991a00ddf7a558e31fd3248c8279a1f)
(cherry picked from commit a55416ea5f79f1a7cb1a97b6ee39524a542a8663)
---
src/firewall/core/rich.py | 2 ++
src/firewall/functions.py | 9 ++++++++-
src/tests/regression/regression.at | 1 +
src/tests/regression/rhbz1596304.at | 23 +++++++++++++++++++++++
4 files changed, 34 insertions(+), 1 deletion(-)
create mode 100644 src/tests/regression/rhbz1596304.at
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index 86c0c998a478..03bc194c2b28 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -307,6 +307,8 @@ class Rich_Rule(object):
if not rule_str:
raise FirewallError(errors.INVALID_RULE, 'empty rule')
+ rule_str = functions.stripNonPrintableCharacters(rule_str)
+
self.priority = 0
self.family = None
self.source = None
diff --git a/src/firewall/functions.py b/src/firewall/functions.py
index 6af220619f17..d20b702e047e 100644
--- a/src/firewall/functions.py
+++ b/src/firewall/functions.py
@@ -27,7 +27,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName",
"check_single_address", "check_mac", "uniqify", "ppid_of_pid",
"max_zone_name_len", "checkUser", "checkUid", "checkCommand",
"checkContext", "joinArgs", "splitArgs",
- "b2u", "u2b", "u2b_if_py2" ]
+ "b2u", "u2b", "u2b_if_py2", "stripNonPrintableCharacters"]
import socket
import os
@@ -42,6 +42,10 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
PY2 = sys.version < '3'
+NOPRINT_TRANS_TABLE = {
+ i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
+}
+
def getPortID(port):
""" Check and Get port id from port string or port id using socket.getservbyname
@@ -226,6 +230,9 @@ def checkIPnMask(ip):
return False
return True
+def stripNonPrintableCharacters(rule_str):
+ return rule_str.translate(NOPRINT_TRANS_TABLE)
+
def checkIP6nMask(ip):
if "/" in ip:
addr = ip[:ip.index("/")]
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index 65540840f50e..c1e8620ee700 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -35,3 +35,4 @@ m4_include([regression/rhbz1483921.at])
m4_include([regression/rhbz1541077.at])
m4_include([regression/rhbz1855140.at])
m4_include([regression/rhbz1871298.at])
+m4_include([regression/rhbz1596304.at])
diff --git a/src/tests/regression/rhbz1596304.at b/src/tests/regression/rhbz1596304.at
new file mode 100644
index 000000000000..98a33934e271
--- /dev/null
+++ b/src/tests/regression/rhbz1596304.at
@@ -0,0 +1,23 @@
+FWD_START_TEST([rich rules strip non-printable characters])
+AT_KEYWORDS(rich rhbz1596304)
+
+dnl source address contains a tab character
+FWD_CHECK([--permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="104.243.250.0/22 " port port=80 protocol=tcp accept'],0,ignore)
+FWD_RELOAD
+FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ public
+ target: default
+ icmp-block-inversion: no
+ interfaces:
+ sources:
+ services: cockpit dhcpv6-client ssh
+ ports:
+ protocols:
+ masquerade: no
+ forward-ports:
+ source-ports:
+ icmp-blocks:
+ rich rules:
+ rule family="ipv4" source address="104.243.250.0/22" port port="80" protocol="tcp" accept
+ ])])
+FWD_END_TEST
--
2.28.0
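Review bot: The new `rule_str = functions.stripNonPrintableCharacters(rule_str)` runs after the `if not rule_str` check, so a rule made only of control characters (e.g. `"\t"`) passes the empty-rule guard and is then parsed as an empty string, presumably failing later with a less specific error; moving the strip above the check keeps the `'empty rule'` diagnostic accurate. Silently deleting characters is also a sanitising rather than a validating choice: `source address="10.0.0.\x001/8"` becomes a different, valid address with no trace in the stored rule, so consider raising `FirewallError(errors.INVALID_RULE, 'rule contains non-printable characters')` when the stripped string differs from the input, or at least documenting that rich rules are canonicalised this way. `stripNonPrintableCharacters` has no docstring; `"""Return rule_str with non-printable code points (per NOPRINT_TRANS_TABLE) removed."""` would do. The `Rich_Rule` method containing the guard starts outside the hunk.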


@ -0,0 +1,38 @@
From ff6e65737413d54b6f6964f72827a92fdbecc182 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 8 Jan 2021 13:38:15 -0500
Subject: [PATCH 68/68] fix(rich): limit table to strip non-printables to C0
and C1
Generating the table was taking an unreasonable amount of memory.
Stripping C0 and C1 should cover most scenarios while limiting memory
usage.
Fixes: ac5960856991 ("fix(rich): non-printable characters removed from rich rules")
(cherry picked from commit 015704b44f81d535a868fe28368f977cefd28638)
(cherry picked from commit 629a53ef027146f8e4e486c40c8bde04cda830d3)
---
src/firewall/functions.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/firewall/functions.py b/src/firewall/functions.py
index d20b702e047e..1ea9f4309234 100644
--- a/src/firewall/functions.py
+++ b/src/firewall/functions.py
@@ -43,7 +43,12 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
PY2 = sys.version < '3'
NOPRINT_TRANS_TABLE = {
- i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
+ # Limit to C0 and C1 code points. Building entries for all unicode code
+ # points requires too much memory.
+ # C0 = [0, 31]
+ # C1 = [127, 159]
+ #
+ i: None for i in range(0, 160) if not (i > 31 and i < 127)
}
def getPortID(port):
--
2.27.0
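Review bot: The comment `# C1 = [127, 159]` is off by one range: 127 is DEL (an ASCII control), and C1 proper is 128–159; the code is right, so just fix the comment to `# C0 = [0, 31], DEL = 127, C1 = [128, 159]`. Narrowing the table also means code points at 160 and above that `str.isprintable()` rejects (U+00A0, U+2028, U+200B and similar) are no longer stripped, while the regression test only covers a tab, so the function's docstring should state that only C0/DEL/C1 are removed and it is worth confirming the rich-rule parser rejects, rather than accepts, the remaining ones. As a style point, `str.maketrans("", "", "".join(chr(i) for i in range(160) if i < 32 or i >= 127))` expresses the same table without the double negation in `not (i > 31 and i < 127)`.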


@ -0,0 +1,93 @@
From 2871abfceceba37c6ba38aa0ef25e23a059294ec Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Wed, 18 Nov 2020 13:14:44 -0500
Subject: [PATCH 67/68] fix(zone): add source with mac address
nftables supports matching the destination MAC, but iptables does not.
As such, lift the restriction from nftables. For iptables, gracefully
ignore the scenarios in which we attempt to match destination MAC.
Fixes: #703
Fixes: df4aefcbe7b7 ("improvement(ipXtables): add utility function match sources")
Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface")
Co-authored-by: Eric Garver <eric@garver.life>
(cherry picked from commit 20151fbb5c5104e3d4dbc4ea938b9a68bdbcf225)
(cherry picked from commit 79bb113a2a108ce1c69dc7bc7af60297b8ec2ad0)
---
src/firewall/core/ipXtables.py | 4 ++++
src/firewall/core/nftables.py | 2 --
src/tests/regression/gh703.at | 23 +++++++++++++++++++++++
src/tests/regression/regression.at | 1 +
4 files changed, 28 insertions(+), 2 deletions(-)
create mode 100644 src/tests/regression/gh703.at
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 450e427c08b5..b28146edd060 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -814,6 +814,10 @@ class ip4tables(object):
else:
zone_dispatch_chain = "%s_ZONES" % (chain)
+ # iptables can not match destination MAC
+ if check_mac(address) and chain in ["POSTROUTING", "FORWARD_OUT", "OUTPUT"]:
+ return []
+
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
action = "-g"
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 0a73c2c2669d..a0a899dd3eef 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1067,8 +1067,6 @@ class nftables(object):
return self._set_match_fragment(address[len("ipset:"):], True if "daddr" == addr_field else False, invert)
else:
if check_mac(address):
- if addr_field == "daddr":
- raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__))
family = "ether"
elif check_single_address("ipv4", address):
family = "ip"
diff --git a/src/tests/regression/gh703.at b/src/tests/regression/gh703.at
new file mode 100644
index 000000000000..af724a7713a7
--- /dev/null
+++ b/src/tests/regression/gh703.at
@@ -0,0 +1,23 @@
+FWD_START_TEST([add source with mac address])
+AT_KEYWORDS(gh703)
+
+FWD_CHECK([--zone=home --add-source=34:7e:5c:3a:4c:32], 0, [ignore])
+
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING_ZONES_SOURCE {
+ ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
+ }
+ }
+])
+
+dnl NOTE: iptables does _not_ support matching mac destination.
+
+FWD_END_TEST
diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
index c1e8620ee700..7597a458076c 100644
--- a/src/tests/regression/regression.at
+++ b/src/tests/regression/regression.at
@@ -36,3 +36,4 @@ m4_include([regression/rhbz1541077.at])
m4_include([regression/rhbz1855140.at])
m4_include([regression/rhbz1871298.at])
m4_include([regression/rhbz1596304.at])
+m4_include([regression/gh703.at])
--
2.27.0
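Review bot: The early `return []` for `check_mac(address)` in POSTROUTING/FORWARD_OUT/OUTPUT discards the rule with no log line, so on the iptables backend a zone bound to a MAC source only applies in the inbound directions and the administrator gets no signal that the outbound half was skipped; add something like `log.debug1("iptables can not match destination MAC, skipping chain %s for zone %s", chain, zone)` before the return (assuming the module's `log` from `firewall.core.logger` is in scope here — confirm). The new gh703 test only asserts the nft listing contains `ether daddr`, not that the rule matches traffic; I believe link-layer headers are not available at the output/postrouting hooks, so a traffic-level check would be worth adding before relying on this in nftables either. Both the ipXtables method and `_rule_addr_fragment` start outside their hunks.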


@ -0,0 +1,55 @@
From 8d0823923302da39bb1f28e55b907db29b03f664 Mon Sep 17 00:00:00 2001
From: Vrinda Punj <vpunj@redhat.com>
Date: Tue, 1 Dec 2020 11:58:19 -0500
Subject: [PATCH 66/66] feat(service): add galera service Fixes: rhbz1696260
(cherry picked from commit 11632147677464cb7121d17526ead242e68be041)
---
config/Makefile.am | 1 +
config/services/galera.xml | 9 +++++++++
po/POTFILES.in | 1 +
3 files changed, 11 insertions(+)
create mode 100644 config/services/galera.xml
diff --git a/config/Makefile.am b/config/Makefile.am
index 178c2358b117..4b849bd54e32 100644
--- a/config/Makefile.am
+++ b/config/Makefile.am
@@ -156,6 +156,7 @@ CONFIG_FILES = \
services/freeipa-replication.xml \
services/freeipa-trust.xml \
services/ftp.xml \
+ services/galera.xml \
services/ganglia-client.xml \
services/ganglia-master.xml \
services/git.xml \
diff --git a/config/services/galera.xml b/config/services/galera.xml
new file mode 100644
index 000000000000..2305713fbcab
--- /dev/null
+++ b/config/services/galera.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+ <short>Galera</short>
+ <description>MariaDB-Galera Database Server</description>
+ <port protocol="tcp" port="3306"/>
+ <port protocol="tcp" port="4567"/>
+ <port protocol="tcp" port="4568"/>
+ <port protocol="tcp" port="4444"/>
+</service>
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 8552b8eca4ab..27003c5ce1ef 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -88,6 +88,7 @@ config/services/freeipa-ldap.xml
config/services/freeipa-replication.xml
config/services/freeipa-trust.xml
config/services/ftp.xml
+config/services/galera.xml
config/services/ganglia-client.xml
config/services/ganglia-master.xml
config/services/git.xml
--
2.28.0
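Review bot: The service bundles the client port 3306 with the cluster-internal ports 4567, 4568 and 4444, but the `<description>` gives no hint that the latter are replication/state-transfer ports that should ordinarily be reachable only from cluster peers, so enabling this service on a public zone exposes them as well; a description such as `MariaDB-Galera database server: client port 3306 plus cluster replication ports 4567 (group communication), 4568 (IST) and 4444 (SST)` would make that trade-off visible in firewall-config. Galera's documentation, as I recall it, also lists udp/4567 for multicast replication; confirm whether that belongs in the definition.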


@ -1,7 +1,7 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld
Version: 0.8.2
Release: 3%{?dist}
Release: 6%{?dist}
URL: http://www.firewalld.org
License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@ -69,6 +69,10 @@ Patch61: 0061-docs-dbus-fix-invalid-method-names.patch
Patch62: 0062-docs-firewall-cmd-small-description-grammar-fix.patch
Patch63: v0.9.0-0063-feat-service-add-collectd-service.patch
Patch64: v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch
Patch65: 0065-fix-rich-non-printable-characters-removed-from-rich-.patch
Patch66: 0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch
Patch67: 0067-fix-zone-add-source-with-mac-address.patch
Patch68: v1.0.0-0068-feat-service-add-galera-service.patch
BuildArch: noarch
BuildRequires: autoconf
@ -267,6 +271,15 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewall-config*.1*
%changelog
* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-6
- feat(service): add galera service
* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-5
- fix(zone): add source with mac address
* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-4
- fix(rich): non-printable characters removed from rich
* Mon Oct 26 2020 Eric Garver <egarver@redhat.com> - 0.8.2-3
- fix(nftables): packet marks with masks
- fix(nftables): icmp types with code == 0