import firewalld-0.8.2-6.el8

2021-02-04 06:12:03 +00:00 · 2021-02-04 06:12:03 +00:00 · cc5b8020e9
commit cc5b8020e9
parent 86bcc4af9e
5 changed files with 307 additions and 1 deletions
--- a/SOURCES/0065-fix-rich-non-printable-characters-removed-from-rich-.patch
+++ b/SOURCES/0065-fix-rich-non-printable-characters-removed-from-rich-.patch
@ -0,0 +1,107 @@
 From dbce20e28a898c394274109904d471d84cfa7fea Mon Sep 17 00:00:00 2001
 From: Vrinda Punj <vpunj@redhat.com>
 Date: Fri, 13 Nov 2020 10:40:51 -0500
 Subject: [PATCH 65/66] fix(rich): non-printable characters removed from rich
 rules
 Fixes: rhbz 1596304
 Fixes: #480
 (cherry picked from commit ac5960856991a00ddf7a558e31fd3248c8279a1f)
 (cherry picked from commit a55416ea5f79f1a7cb1a97b6ee39524a542a8663)
 ---
 src/firewall/core/rich.py           |  2 ++
 src/firewall/functions.py           |  9 ++++++++-
 src/tests/regression/regression.at  |  1 +
 src/tests/regression/rhbz1596304.at | 23 +++++++++++++++++++++++
 4 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 src/tests/regression/rhbz1596304.at
 diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
 index 86c0c998a478..03bc194c2b28 100644
 --- a/src/firewall/core/rich.py
 +++ b/src/firewall/core/rich.py
@@ -307,6 +307,8 @@ class Rich_Rule(object):
         if not rule_str:
             raise FirewallError(errors.INVALID_RULE, 'empty rule')
 +        rule_str = functions.stripNonPrintableCharacters(rule_str)
 +
         self.priority = 0
         self.family = None
         self.source = None
 diff --git a/src/firewall/functions.py b/src/firewall/functions.py
 index 6af220619f17..d20b702e047e 100644
 --- a/src/firewall/functions.py
 +++ b/src/firewall/functions.py
@@ -27,7 +27,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName",
             "check_single_address", "check_mac", "uniqify", "ppid_of_pid",
             "max_zone_name_len", "checkUser", "checkUid", "checkCommand",
             "checkContext", "joinArgs", "splitArgs",
 -            "b2u", "u2b", "u2b_if_py2" ]
 +            "b2u", "u2b", "u2b_if_py2", "stripNonPrintableCharacters"]
 import socket
 import os
@@ -42,6 +42,10 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
 PY2 = sys.version < '3'
 +NOPRINT_TRANS_TABLE = {
 +    i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
 +}
 +
 def getPortID(port):
     """ Check and Get port id from port string or port id using socket.getservbyname
@@ -226,6 +230,9 @@ def checkIPnMask(ip):
                 return False
     return True
 +def stripNonPrintableCharacters(rule_str):
 +    return rule_str.translate(NOPRINT_TRANS_TABLE)
 +
 def checkIP6nMask(ip):
     if "/" in ip:
         addr = ip[:ip.index("/")]
 diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
 index 65540840f50e..c1e8620ee700 100644
 --- a/src/tests/regression/regression.at
 +++ b/src/tests/regression/regression.at
@@ -35,3 +35,4 @@ m4_include([regression/rhbz1483921.at])
 m4_include([regression/rhbz1541077.at])
 m4_include([regression/rhbz1855140.at])
 m4_include([regression/rhbz1871298.at])
 +m4_include([regression/rhbz1596304.at])
 diff --git a/src/tests/regression/rhbz1596304.at b/src/tests/regression/rhbz1596304.at
 new file mode 100644
 index 000000000000..98a33934e271
 --- /dev/null
 +++ b/src/tests/regression/rhbz1596304.at
@@ -0,0 +1,23 @@
 +FWD_START_TEST([rich rules strip non-printable characters])
 +AT_KEYWORDS(rich rhbz1596304)
 +
 +dnl source address contains a tab character
 +FWD_CHECK([--permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="104.243.250.0/22	" port port=80 protocol=tcp accept'],0,ignore)
 +FWD_RELOAD
 +FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl
 +        public
 +        target: default
 +        icmp-block-inversion: no
 +        interfaces:
 +        sources:
 +        services: cockpit dhcpv6-client ssh
 +        ports:
 +        protocols:
 +        masquerade: no
 +        forward-ports:
 +        source-ports:
 +        icmp-blocks:
 +        rich rules:
 +	rule family="ipv4" source address="104.243.250.0/22" port port="80" protocol="tcp" accept
 +    ])])
 +FWD_END_TEST
 -- 
 2.28.0
--- a/SOURCES/0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch
+++ b/SOURCES/0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch
@ -0,0 +1,38 @@
 From ff6e65737413d54b6f6964f72827a92fdbecc182 Mon Sep 17 00:00:00 2001
 From: Eric Garver <eric@garver.life>
 Date: Fri, 8 Jan 2021 13:38:15 -0500
 Subject: [PATCH 68/68] fix(rich): limit table to strip non-printables to C0
 and C1
 Generating the table was taking an unreasonable amount of memory.
 Stripping C0 and C1 should cover most scenarios while limiting memory
 usage.
 Fixes: ac5960856991 ("fix(rich): non-printable characters removed from rich rules")
 (cherry picked from commit 015704b44f81d535a868fe28368f977cefd28638)
 (cherry picked from commit 629a53ef027146f8e4e486c40c8bde04cda830d3)
 ---
 src/firewall/functions.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 diff --git a/src/firewall/functions.py b/src/firewall/functions.py
 index d20b702e047e..1ea9f4309234 100644
 --- a/src/firewall/functions.py
 +++ b/src/firewall/functions.py
@@ -43,7 +43,12 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
 PY2 = sys.version < '3'
 NOPRINT_TRANS_TABLE = {
 -    i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
 +    # Limit to C0 and C1 code points. Building entries for all unicode code
 +    # points requires too much memory.
 +    # C0 = [0, 31]
 +    # C1 = [127, 159]
 +    #
 +    i: None for i in range(0, 160) if not (i > 31 and i < 127)
 }
 def getPortID(port):
 -- 
 2.27.0
--- a/SOURCES/0067-fix-zone-add-source-with-mac-address.patch
+++ b/SOURCES/0067-fix-zone-add-source-with-mac-address.patch
@ -0,0 +1,93 @@
 From 2871abfceceba37c6ba38aa0ef25e23a059294ec Mon Sep 17 00:00:00 2001
 From: Vrinda Punj <vpunj@redhat.com>
 Date: Wed, 18 Nov 2020 13:14:44 -0500
 Subject: [PATCH 67/68] fix(zone): add source with mac address
 nftables supports matching the destination MAC, but iptables does not.
 As such, lift the restriction from nftables. For iptables, gracefully
 ignore the scenarios in which we attempt to match destination MAC.
 Fixes: #703
 Fixes: df4aefcbe7b7 ("improvement(ipXtables): add utility function match sources")
 Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface")
 Co-authored-by: Eric Garver <eric@garver.life>
 (cherry picked from commit 20151fbb5c5104e3d4dbc4ea938b9a68bdbcf225)
 (cherry picked from commit 79bb113a2a108ce1c69dc7bc7af60297b8ec2ad0)
 ---
 src/firewall/core/ipXtables.py     |  4 ++++
 src/firewall/core/nftables.py      |  2 --
 src/tests/regression/gh703.at      | 23 +++++++++++++++++++++++
 src/tests/regression/regression.at |  1 +
 4 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 src/tests/regression/gh703.at
 diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
 index 450e427c08b5..b28146edd060 100644
 --- a/src/firewall/core/ipXtables.py
 +++ b/src/firewall/core/ipXtables.py
@@ -814,6 +814,10 @@ class ip4tables(object):
         else:
             zone_dispatch_chain = "%s_ZONES" % (chain)
 +        # iptables can not match destination MAC
 +        if check_mac(address) and chain in ["POSTROUTING", "FORWARD_OUT", "OUTPUT"]:
 +            return []
 +
         target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
         action = "-g"
 diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
 index 0a73c2c2669d..a0a899dd3eef 100644
 --- a/src/firewall/core/nftables.py
 +++ b/src/firewall/core/nftables.py
@@ -1067,8 +1067,6 @@ class nftables(object):
             return self._set_match_fragment(address[len("ipset:"):], True if "daddr" == addr_field else False, invert)
         else:
             if check_mac(address):
 -                if addr_field == "daddr":
 -                    raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__))
                 family = "ether"
             elif check_single_address("ipv4", address):
                 family = "ip"
 diff --git a/src/tests/regression/gh703.at b/src/tests/regression/gh703.at
 new file mode 100644
 index 000000000000..af724a7713a7
 --- /dev/null
 +++ b/src/tests/regression/gh703.at
@@ -0,0 +1,23 @@
 +FWD_START_TEST([add source with mac address])
 +AT_KEYWORDS(gh703)
 +
 +FWD_CHECK([--zone=home --add-source=34:7e:5c:3a:4c:32], 0, [ignore])
 +
 +NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
 +    table ip firewalld {
 +        chain nat_POSTROUTING_ZONES_SOURCE {
 +            ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
 +        }          
 +    }          
 +])
 +NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
 +    table ip6 firewalld {
 +        chain nat_POSTROUTING_ZONES_SOURCE {
 +            ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
 +        }          
 +    }          
 +])
 +
 +dnl NOTE: iptables does _not_ support matching mac destination.
 +
 +FWD_END_TEST
 diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
 index c1e8620ee700..7597a458076c 100644
 --- a/src/tests/regression/regression.at
 +++ b/src/tests/regression/regression.at
@@ -36,3 +36,4 @@ m4_include([regression/rhbz1541077.at])
 m4_include([regression/rhbz1855140.at])
 m4_include([regression/rhbz1871298.at])
 m4_include([regression/rhbz1596304.at])
 +m4_include([regression/gh703.at])
 -- 
 2.27.0
--- a/SOURCES/v1.0.0-0068-feat-service-add-galera-service.patch
+++ b/SOURCES/v1.0.0-0068-feat-service-add-galera-service.patch
@ -0,0 +1,55 @@
 From 8d0823923302da39bb1f28e55b907db29b03f664 Mon Sep 17 00:00:00 2001
 From: Vrinda Punj <vpunj@redhat.com>
 Date: Tue, 1 Dec 2020 11:58:19 -0500
 Subject: [PATCH 66/66] feat(service): add galera service Fixes: rhbz1696260
 (cherry picked from commit 11632147677464cb7121d17526ead242e68be041)
 ---
 config/Makefile.am         | 1 +
 config/services/galera.xml | 9 +++++++++
 po/POTFILES.in             | 1 +
 3 files changed, 11 insertions(+)
 create mode 100644 config/services/galera.xml
 diff --git a/config/Makefile.am b/config/Makefile.am
 index 178c2358b117..4b849bd54e32 100644
 --- a/config/Makefile.am
 +++ b/config/Makefile.am
@@ -156,6 +156,7 @@ CONFIG_FILES = \
 	services/freeipa-replication.xml \
 	services/freeipa-trust.xml \
 	services/ftp.xml \
 +	services/galera.xml \
 	services/ganglia-client.xml \
 	services/ganglia-master.xml \
 	services/git.xml \
 diff --git a/config/services/galera.xml b/config/services/galera.xml
 new file mode 100644
 index 000000000000..2305713fbcab
 --- /dev/null
 +++ b/config/services/galera.xml
@@ -0,0 +1,9 @@
 +<?xml version="1.0" encoding="utf-8"?>
 +<service>
 +  <short>Galera</short>
 +  <description>MariaDB-Galera Database Server</description>
 +  <port protocol="tcp" port="3306"/>
 +  <port protocol="tcp" port="4567"/>
 +  <port protocol="tcp" port="4568"/>
 +  <port protocol="tcp" port="4444"/>
 +</service>
 diff --git a/po/POTFILES.in b/po/POTFILES.in
 index 8552b8eca4ab..27003c5ce1ef 100644
 --- a/po/POTFILES.in
 +++ b/po/POTFILES.in
@@ -88,6 +88,7 @@ config/services/freeipa-ldap.xml
 config/services/freeipa-replication.xml
 config/services/freeipa-trust.xml
 config/services/ftp.xml
 +config/services/galera.xml
 config/services/ganglia-client.xml
 config/services/ganglia-master.xml
 config/services/git.xml
 -- 
 2.28.0
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.8.2
-Release: 3%{?dist}
+Release: 6%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@ -69,6 +69,10 @@ Patch61: 0061-docs-dbus-fix-invalid-method-names.patch
 Patch62: 0062-docs-firewall-cmd-small-description-grammar-fix.patch
 Patch63: v0.9.0-0063-feat-service-add-collectd-service.patch
 Patch64: v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch
 Patch65: 0065-fix-rich-non-printable-characters-removed-from-rich-.patch
 Patch66: 0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch
 Patch67: 0067-fix-zone-add-source-with-mac-address.patch
 Patch68: v1.0.0-0068-feat-service-add-galera-service.patch
 BuildArch: noarch
 BuildRequires: autoconf
@ -267,6 +271,15 @@ desktop-file-install --delete-original \
 %{_mandir}/man1/firewall-config*.1*
 %changelog
 * Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-6
 - feat(service): add galera service
 * Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-5
 - fix(zone): add source with mac address
 * Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-4
 - fix(rich): non-printable characters removed from rich
 * Mon Oct 26 2020 Eric Garver <egarver@redhat.com> - 0.8.2-3
 - fix(nftables): packet marks with masks
 - fix(nftables): icmp types with code == 0