rpms/firewalld
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import firewalld-0.8.0-4.el8

Browse Source
This commit is contained in:
CentOS Sources 2020-04-28 05:42:01 -04:00 committed by Andrew Lukoshko
parent 6ce620f216
commit dd14143383
71 changed files with 7072 additions and 3833 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.firewalld.metadata
View File

@ -1 +1 @@
0861cc649bffc66b18bb70fb7e33fe03fe31fe33 SOURCES/firewalld-0.7.0.tar.gz
e558ccbfd8a0e08d9339cf1506d8856d3533ed82 SOURCES/firewalld-0.8.0.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/firewalld-0.7.0.tar.gz
SOURCES/firewalld-0.8.0.tar.gz

29
SOURCES/0001-fix-src-test-Makefile-use-wildcard-in-variable-expan.patch
View File

@ -1,29 +0,0 @@
From 57ca11e82eeb4ac6aecefa19729ec7e19d21a4e1 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 13 Jun 2019 10:48:38 -0400
Subject: [PATCH 01/20] fix: src/test/Makefile: use wildcard in variable
expansion
It's more correct to use the wildcard function when setting a variable.
(cherry picked from commit 40fc3b5fd327ec4a8bcbd3f6a2b34047ef16b732)
---
src/tests/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 9240484a3109..f1f83ec7eb52 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -8,7 +8,7 @@ TESTSUITE_FILES = \
EXTRA_DIST = \
$(TESTSUITE) \
$(TESTSUITE_FILES) \
- $(srcdir)/python/*.py \
+ $(wildcard $(srcdir)/python/*.py) \
$(srcdir)/package.m4
$(srcdir)/package.m4: $(top_srcdir)/configure.ac $(top_srcdir)/firewalld.spec $(srcdir)/Makefile
--
2.20.1

132
SOURCES/0002-fix-CLI-service-also-output-helpers-for-service-info.patch Normal file
View File

@ -0,0 +1,132 @@
From ff17d85fd863e7be2b4088c92360185aca6693b0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 7 Nov 2019 08:21:52 -0500
Subject: [PATCH] fix: CLI: service: also output helpers for service info
Fixes: 0c07b704f76d ("feat: CLI: add "helper" support for services")
Fixes: rhbz 1769520
(cherry picked from commit 6bfffe65f55b727afc37a8c1fb4068f6589bb890)
---
src/firewall/command.py | 2 ++
src/tests/features/helpers_custom.at | 42 ++++++++++++++++++++++++++-
src/tests/features/service_include.at | 3 ++
3 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/src/firewall/command.py b/src/firewall/command.py
index 85e58d731a80..c371dc23584c 100644
--- a/src/firewall/command.py
+++ b/src/firewall/command.py
@@ -449,6 +449,7 @@ class FirewallCommand(object):
destinations = settings.getDestinations()
short_description = settings.getShort()
includes = settings.getIncludes()
+ helpers = settings.getHelpers()
self.print_msg(service)
if self.verbose:
self.print_msg(" summary: " + short_description)
@@ -464,6 +465,7 @@ class FirewallCommand(object):
" ".join(["%s:%s" % (k, v)
for k, v in destinations.items()]))
self.print_msg(" includes: " + " ".join(sorted(includes)))
+ self.print_msg(" helpers: " + " ".join(sorted(helpers)))
def print_icmptype_info(self, icmptype, settings):
destinations = settings.getDestinations()
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index c65f067a06ec..4c9024d1e2b8 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -1,5 +1,5 @@
FWD_START_TEST([customer helpers])
-AT_KEYWORDS(helpers rhbz1733066 gh514)
+AT_KEYWORDS(helpers rhbz1733066 gh514 rhbz1769520)
FWD_CHECK([-q --permanent --new-helper="ftptest" --module="nf_conntrack_ftp"])
FWD_CHECK([-q --permanent --helper=ftptest --add-port="2121/tcp"])
@@ -8,7 +8,27 @@ FWD_CHECK([-q --permanent --new-service="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --add-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --add-port="2121/tcp"])
+FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules: ftptest
+ destination:
+ includes:
+ helpers:
+])])
FWD_RELOAD
+FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules: ftptest
+ destination:
+ includes:
+ helpers:
+])])
FWD_CHECK([-q --add-service=ftptest])
@@ -42,7 +62,27 @@ dnl Same thing as above, but with the new "helper" in service.
FWD_CHECK([-q --permanent --service=ftptest --remove-module="ftptest"])
FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"], 1)
FWD_CHECK([-q --permanent --service=ftptest --add-helper="ftptest"])
+FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules:
+ destination:
+ includes:
+ helpers: ftptest
+])])
FWD_RELOAD
+FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+ ports: 2121/tcp
+ protocols:
+ source-ports:
+ modules:
+ destination:
+ includes:
+ helpers: ftptest
+])])
FWD_CHECK([-q --add-service=ftptest])
diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
index 219d5b42767b..7f02701a9419 100644
--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
@@ -76,6 +76,7 @@ my-service-with-include
modules:
destination:
includes: mdns recursive-service ssdp
+ helpers:
])])
FWD_CHECK([--info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl
my-service-with-include
@@ -85,6 +86,7 @@ my-service-with-include
modules:
destination:
includes: mdns recursive-service ssdp
+ helpers:
])])
dnl firewall-offline-cmd
@@ -106,6 +108,7 @@ my-service-with-include
modules:
destination:
includes: mdns recursive-service ssdp
+ helpers:
])])
dnl negative test for including service that doesn't exist
--
2.23.0

87
SOURCES/0002-fix-CLI-show-service-includes-with-info-service.patch
View File

@ -1,87 +0,0 @@
From 86d498cfd51b8a89d90a639951ff392671a5364b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 13 Jun 2019 12:08:52 -0400
Subject: [PATCH 02/20] fix: CLI: show service includes with --info-service
Fixes: rhbz 1720300
(cherry picked from commit 36c49fc5a0ec531ad8268347f1f511e6740c9e0c)
---
src/firewall/command.py | 2 ++
src/tests/features/service_include.at | 29 ++++++++++++++++++++++++++-
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/src/firewall/command.py b/src/firewall/command.py
index 1449b6dfc3ea..85e58d731a80 100644
--- a/src/firewall/command.py
+++ b/src/firewall/command.py
@@ -448,6 +448,7 @@ class FirewallCommand(object):
description = settings.getDescription()
destinations = settings.getDestinations()
short_description = settings.getShort()
+ includes = settings.getIncludes()
self.print_msg(service)
if self.verbose:
self.print_msg(" summary: " + short_description)
@@ -462,6 +463,7 @@ class FirewallCommand(object):
self.print_msg(" destination: " +
" ".join(["%s:%s" % (k, v)
for k, v in destinations.items()]))
+ self.print_msg(" includes: " + " ".join(sorted(includes)))
def print_icmptype_info(self, icmptype, settings):
destinations = settings.getDestinations()
diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
index 992c5ef0ba92..0bf59f63b81b 100644
--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
@@ -1,5 +1,5 @@
FWD_START_TEST([service include])
-AT_KEYWORDS(service xml gh273)
+AT_KEYWORDS(service xml gh273 rhbz1720300)
AT_CHECK([mkdir -p ./services])
AT_CHECK([cat <<HERE > ./services/my-service-with-include.xml
@@ -68,6 +68,24 @@ AT_CHECK([grep '<include service="ssh"/>' ./services/my-service-with-include.xml
FWD_CHECK([--permanent --service=my-service-with-include --get-includes], 0, [dnl
mdns recursive-service ssdp
])
+FWD_CHECK([--permanent --info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl
+my-service-with-include
+ ports: 12345/tcp
+ protocols:
+ source-ports:
+ modules:
+ destination:
+ includes: mdns recursive-service ssdp
+])])
+FWD_CHECK([--info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl
+my-service-with-include
+ ports: 12345/tcp
+ protocols:
+ source-ports:
+ modules:
+ destination:
+ includes: mdns recursive-service ssdp
+])])
dnl firewall-offline-cmd
FWD_OFFLINE_CHECK([--service=my-service-with-include --query-include=recursive-service], 0, [ignore], [ignore])
@@ -80,6 +98,15 @@ AT_CHECK([grep '<include service="ssh"/>' ./services/my-service-with-include.xml
FWD_OFFLINE_CHECK([--service=my-service-with-include --get-includes], 0, [dnl
mdns recursive-service ssdp
])
+FWD_OFFLINE_CHECK([--info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl
+my-service-with-include
+ ports: 12345/tcp
+ protocols:
+ source-ports:
+ modules:
+ destination:
+ includes: mdns recursive-service ssdp
+])])
dnl negative test for including service that doesn't exist
FWD_CHECK([-q --permanent --zone=drop --add-interface=foobar0])
--
2.20.1

32
SOURCES/0003-fix-reload-let-NM-interface-assignments-override-per.patch Normal file
View File

@ -0,0 +1,32 @@
From d4866bf76574a436372204583f4194ca01beb265 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 19 Nov 2019 11:34:03 -0500
Subject: [PATCH 03/37] fix: reload: let NM interface assignments override
permanent config
Use the change interface call instead of add interface. This lets NM
override the permanent interface assignment.
Fixes: rhbz 1773809
(cherry picked from commit a3265daf5b8092878e82fc7840e56bb0b36a43ea)
(cherry picked from commit 48bde3b3343cbdd35af58958467b8e64e10f3821)
---
src/firewall/core/fw.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 4dc6a4f47aff..050fb9cd976d 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -988,7 +988,7 @@ class Firewall(object):
if nm_bus_name:
for zone in self.zone.get_zones() + [""]:
for interface in nm_get_interfaces_in_zone(zone):
- self.zone.add_interface(zone, interface, sender=nm_bus_name)
+ self.zone.change_zone_of_interface(zone, interface, sender=nm_bus_name)
self._panic = _panic
if not self._panic:
--
2.23.0

162
SOURCES/0003-fix-tests-always-list-rules-using-macros.patch
View File

@ -1,162 +0,0 @@
From cc2b632a51ad32e7b3966f44057add92e45e60a5 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 14 Jun 2019 09:44:41 -0400
Subject: [PATCH 03/20] fix: tests: always list rules using macros
This is to make sure certain flags are used, e.g. "-w" for iptables.
Fixes: rhbz 1720650
(cherry picked from commit e527818500be462a724cd34c94948a2704560eb1)
---
src/tests/features/rfc3964_ipv4.at | 4 +-
.../regression/icmp_block_in_forward_chain.at | 27 +++++--
src/tests/regression/rhbz1514043.at | 80 +++++++++++++++++--
3 files changed, 98 insertions(+), 13 deletions(-)
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
index cce828c0b3de..baff411793b2 100644
--- a/src/tests/features/rfc3964_ipv4.at
+++ b/src/tests/features/rfc3964_ipv4.at
@@ -93,8 +93,8 @@ NFT_LIST_RULES([inet], [filter_OUTPUT], 0, [dnl
}
])
-m4_if(iptables, FIREWALL_BACKEND, [
-NS_CHECK([ip6tables -w -n -t filter -L RFC3964_IPv4], 1, [ignore], [ignore])
+IP6TABLES_LIST_RULES([filter], [RFC3964_IPv4], 0, [ignore], [dnl
+iptables: No chain/target/match by that name.
])
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
diff --git a/src/tests/regression/icmp_block_in_forward_chain.at b/src/tests/regression/icmp_block_in_forward_chain.at
index 769315d9534e..7580bc179470 100644
--- a/src/tests/regression/icmp_block_in_forward_chain.at
+++ b/src/tests/regression/icmp_block_in_forward_chain.at
@@ -2,12 +2,27 @@ FWD_START_TEST([ICMP block present FORWARD chain])
AT_KEYWORDS(icmp)
FWD_CHECK([-q --zone=public --add-icmp-block=host-prohibited])
-m4_if(iptables, FIREWALL_BACKEND, [
- NS_CHECK([IPTABLES -L IN_public_deny | grep "host-prohibited"], 0, ignore)
- NS_CHECK([IPTABLES -L FWDI_public_deny | grep "host-prohibited"], 0, ignore)
-], [
- NS_CHECK([nft list chain inet firewalld filter_IN_public_deny | grep "destination-unreachable" |grep "\(code 10\|host-prohibited\)"], 0, ignore)
- NS_CHECK([nft list chain inet firewalld filter_FWDI_public_deny | grep "destination-unreachable" |grep "\(code 10\|host-prohibited\)"], 0, ignore)
+
+NFT_LIST_RULES([inet], [filter_IN_public_deny | sed -e 's/icmp code 10/icmp code host-prohibited/'], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_public_deny {
+ icmp type destination-unreachable icmp code host-prohibited reject with icmp type admin-prohibited
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FWDI_public_deny | sed -e 's/icmp code 10/icmp code host-prohibited/'], 0, [dnl
+ table inet firewalld {
+ chain filter_FWDI_public_deny {
+ icmp type destination-unreachable icmp code host-prohibited reject with icmp type admin-prohibited
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
+ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 10 reject-with icmp-host-prohibited
+])
+IPTABLES_LIST_RULES([filter], [FWDI_public_deny], 0, [dnl
+ REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 code 10 reject-with icmp-host-prohibited
])
FWD_END_TEST
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index 88ce4934e5ea..241cf547f7f3 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -7,11 +7,81 @@ FWD_RELOAD
FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
services: cockpit dhcpv6-client samba ssh
])
+
dnl check that log denied actually took effect
-m4_if(iptables, FIREWALL_BACKEND, [
- NS_CHECK([IPTABLES -t filter -L | grep "FINAL_REJECT:"], 0, ignore)
-], [
- NS_CHECK([nft list chain inet firewalld filter_INPUT | grep "FINAL_REJECT"], 0, ignore)
- NS_CHECK([nft list chain inet firewalld filter_FORWARD | grep "FINAL_REJECT"], 0, ignore)
+NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT {
+ ct state established,related accept
+ ct status dnat accept
+ iifname "lo" accept
+ jump filter_INPUT_ZONES
+ ct state invalid log prefix "STATE_INVALID_DROP: "
+ ct state invalid drop
+ log prefix "FINAL_REJECT: "
+ reject with icmpx type admin-prohibited
+ }
+ }
+])
+NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl
+ table inet firewalld {
+ chain filter_FORWARD {
+ ct state established,related accept
+ ct status dnat accept
+ iifname "lo" accept
+ ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 type addr-unreachable
+ jump filter_FORWARD_IN_ZONES
+ jump filter_FORWARD_OUT_ZONES
+ ct state invalid log prefix "STATE_INVALID_DROP: "
+ ct state invalid drop
+ log prefix "FINAL_REJECT: "
+ reject with icmpx type admin-prohibited
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+ INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
+ INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
+ LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])
+IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
+ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
+ LOG all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
+ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
+ LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
+ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
+ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
+ ACCEPT all ::/0 ::/0
+ INPUT_direct all ::/0 ::/0
+ INPUT_ZONES all ::/0 ::/0
+ LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
+ DROP all ::/0 ::/0 ctstate INVALID
+ LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
+ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
+])
+IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
+ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
+ ACCEPT all ::/0 ::/0
+ FORWARD_direct all ::/0 ::/0
+ RFC3964_IPv4 all ::/0 ::/0
+ FORWARD_IN_ZONES all ::/0 ::/0
+ FORWARD_OUT_ZONES all ::/0 ::/0
+ LOG all ::/0 ::/0 ctstate INVALID LOG flags 0 level 4 prefix "STATE_INVALID_DROP: "
+ DROP all ::/0 ::/0 ctstate INVALID
+ LOG all ::/0 ::/0 LOG flags 0 level 4 prefix "FINAL_REJECT: "
+ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
+])
+
FWD_END_TEST
--
2.20.1

31
SOURCES/0004-fix-dbus-firewall.conf-fix-check-for-AutomaticHelper.patch Normal file
View File

@ -0,0 +1,31 @@
From e4d104ed8546e457d223dc1472942427241f0e44 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 2 Dec 2019 08:47:47 -0500
Subject: [PATCH 04/37] fix: dbus/firewall.conf: fix check for AutomaticHelpers
If nft fib is not available the test was checking for "system", but it
always yields "no".
Fixes: 6cd756b15685 ("chore: deprecate AutomaticHelpers")
(cherry picked from commit 58c19a06e9b47bc16cc00d2b7d26d5fce6f91a7a)
(cherry picked from commit 3fbeb0d92fa632ecd7174afccd8e5cb71c9adaa6)
---
src/tests/dbus/firewalld.conf.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index a26be3213d79..06f6df9bdd70 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -17,7 +17,7 @@ string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])], [
DBUS_GETALL([config], [config], 0, [dnl
-string "AutomaticHelpers" : variant string "system"
+string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
string "FirewallBackend" : variant string "nftables"
--
2.23.0

35
SOURCES/0004-test-new-macro-PIPESTATUS0.patch
View File

@ -1,35 +0,0 @@
From 818d297b17a55fc9c3b21784f45b23875501d654 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 17 Jun 2019 10:57:55 -0400
Subject: [PATCH 04/20] test: new macro PIPESTATUS0
It's essentially a portable version of bash's PIPESTATUS[0]. It passes
down the return code of the first command in the pipeline.
(cherry picked from commit 1c4bb9337f5d5c734a2a8bab10782423408d4026)
---
src/tests/functions.at | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 800dd92c7826..932e288f1597 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -242,6 +242,14 @@ m4_define([NS_CHECK], [
AT_CHECK([NS_CMD([$1])], [$2], [$3], [$4], [$5], [$6])
])
+dnl implement PIPESTATUS[0] in a portable way
+dnl
+m4_define([PIPESTATUS0], [dnl
+ sh <<-"HERE"
+ { { { { $1; echo $? >&3; } | $2 >&4; } 3>&1; } | { read RC; exit $RC; } } 4>&1
+HERE
+])
+
m4_define([EBTABLES_LIST_RULES], [
dnl ebtables commit 5f508b76a0ce change list output for inversion.
m4_define([EBTABLES_LIST_RULES_NORMALIZE], [[sed -e 's/\([-][-][-a-zA-Z0-9]\+\)[ ]\+[!]/! \1/g']])
--
2.20.1

38
SOURCES/0005-fix-test-CHECK_NAT_COEXISTENCE-only-check-for-kernel.patch Normal file
View File

@ -0,0 +1,38 @@
From f9dc97f5161eea0900b9e99bb29e8a4d5cda3109 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 2 Dec 2019 09:08:00 -0500
Subject: [PATCH 05/37] fix: test: CHECK_NAT_COEXISTENCE: only check for kernel
version
Calling modprobe is problematic inside a container. Just check if the
running kernel is >4.18 as this is when NAT coexistence was fixed.
(cherry picked from commit 2b7d150d4b15b4b3876df0179cd08aaae33f2e38)
(cherry picked from commit fd54fafb9e43f2e0a396b8c502ef81bc738affeb)
---
src/tests/functions.at | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index fc53f591b1bf..31d1a3c187e4 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -436,13 +436,8 @@ m4_define([CHECK_NAT_COEXISTENCE], [
m4_if(nftables, FIREWALL_BACKEND, [
KERNEL_MAJOR=`uname -r | cut -d. -f1`
KERNEL_MINOR=`uname -r | cut -d. -f2`
- if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 16 || test ${KERNEL_MAJOR} -gt 4; then
- dnl Only check >=4.16 kernels. Previous versions did not explicitly
- dnl deny it, but had undefined behavior.
- AT_SKIP_IF([! modprobe iptable_nat])
- AT_SKIP_IF([! NS_CMD([nft add table ip foobar])])
- AT_SKIP_IF([! NS_CMD([nft add chain ip foobar foobar_chain { type nat hook postrouting priority 100 \; }])])
- NS_CHECK([nft delete table ip foobar])
+ if test ${KERNEL_MAJOR} -eq 4 && test ${KERNEL_MINOR} -ge 18 || test ${KERNEL_MAJOR} -gt 4; then
+ :
else
AT_SKIP_IF([true])
fi
--
2.23.0

141
SOURCES/0005-test-use-PIPESTATUS0-in-LIST-macros.patch
View File

@ -1,141 +0,0 @@
From 7bfd5446e2926f9a061d883c60c78c88532a34da Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 17 Jun 2019 11:00:01 -0400
Subject: [PATCH 05/20] test: use PIPESTATUS0 in LIST macros
This so we get the return code from the first command instead of all the
sed/filtering we do afterwards.
Also moves the NORMALIZE functions into the top-level. Avoids
unnecessary define/undefine.
(cherry picked from commit ae18f69bdf2ef664646751787dd7ab44988912f3)
---
src/tests/functions.at | 67 +++++++++++++++++++++++++++++-------------
1 file changed, 47 insertions(+), 20 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 932e288f1597..69f71c133d15 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -250,18 +250,29 @@ m4_define([PIPESTATUS0], [dnl
HERE
])
+m4_define([EBTABLES_LIST_RULES_NORMALIZE], [dnl
+ TRIM_WHITESPACE | dnl
+ grep -v "^Bridge" | dnl
+ [sed -e 's/\([-][-][-a-zA-Z0-9]\+\)[ ]\+[!]/! \1/g'] dnl
+])
+
m4_define([EBTABLES_LIST_RULES], [
dnl ebtables commit 5f508b76a0ce change list output for inversion.
- m4_define([EBTABLES_LIST_RULES_NORMALIZE], [[sed -e 's/\([-][-][-a-zA-Z0-9]\+\)[ ]\+[!]/! \1/g']])
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- NS_CHECK([ebtables --concurrent -t $1 -L $2 | TRIM_WHITESPACE | grep -v "^Bridge" | EBTABLES_LIST_RULES_NORMALIZE], [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
+ NS_CHECK([PIPESTATUS0([ebtables --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])],
+ [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
])
- m4_undefine([EBTABLES_LIST_RULES_NORMALIZE])
+])
+
+m4_define([IPTABLES_LIST_RULES_NORMALIZE], [dnl
+ TRIM_WHITESPACE | dnl
+ tail -n +3 dnl
])
m4_define([IPTABLES_LIST_RULES_ALWAYS], [
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- NS_CHECK([IPTABLES -w -n -t $1 -L $2 | TRIM_WHITESPACE | tail -n +3], [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
+ NS_CHECK([PIPESTATUS0([IPTABLES -w -n -t $1 -L $2], [IPTABLES_LIST_RULES_NORMALIZE])],
+ [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
])
])
@@ -271,11 +282,17 @@ m4_define([IPTABLES_LIST_RULES], [
])
])
+m4_define([IP6TABLES_LIST_RULES_NORMALIZE], [dnl
+ TRIM_WHITESPACE | dnl
+ tail -n +3 dnl
+])
+
m4_define([IP6TABLES_LIST_RULES_ALWAYS], [
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- m4_if(yes, HOST_SUPPORTS_IP6TABLES, [
- NS_CHECK([IP6TABLES -w -n -t $1 -L $2 | TRIM_WHITESPACE | tail -n +3], [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
- ])
+ m4_if(yes, HOST_SUPPORTS_IP6TABLES, [
+ NS_CHECK([PIPESTATUS0([IP6TABLES -w -n -t $1 -L $2], [IP6TABLES_LIST_RULES_NORMALIZE])],
+ [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
+ ])
])
])
@@ -285,20 +302,21 @@ m4_define([IP6TABLES_LIST_RULES], [
])
])
-m4_define([NFT_LIST_RULES_ALWAYS], [
+m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
+ TRIM_WHITESPACE | dnl
dnl nftables commit 6dd848339444 change list output to show "meta mark"
dnl instead of just "mark".
- m4_define([NFT_LIST_RULES_NORMALIZE], [dnl
- sed -e 's/meta mark/mark/g'dnl
- -e '/type.*hook.*priority.*policy.*/d'dnl
- dnl tranform ct state { established,related } to ct state established,related
- -e '/ct \(state\|status\)/{s/\(ct \(state\|status\)\) {/\1/g; s/ }//; s/\(@<:@a-z@:>@*\), /\1,/g;}' dnl
- ])
+ sed -e 's/meta mark/mark/g'dnl
+ -e '/type.*hook.*priority.*policy.*/d'dnl
+ dnl tranform ct state { established,related } to ct state established,related
+ -e '/ct \(state\|status\)/{s/\(ct \(state\|status\)\) {/\1/g; s/ }//; s/\(@<:@a-z@:>@*\), /\1,/g;}' dnl
+])
+m4_define([NFT_LIST_RULES_ALWAYS], [
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- NS_CHECK([nft NFT_NUMERIC_ARGS list chain $1 firewalld $2 | TRIM_WHITESPACE | NFT_LIST_RULES_NORMALIZE], [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
+ NS_CHECK([PIPESTATUS0([nft NFT_NUMERIC_ARGS list chain $1 firewalld $2], [NFT_LIST_RULES_NORMALIZE])],
+ [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
])
- m4_undefine([NFT_LIST_RULES_NORMALIZE])
])
m4_define([NFT_LIST_RULES], [
@@ -307,18 +325,27 @@ m4_define([NFT_LIST_RULES], [
])
])
+m4_define([IPSET_LIST_SET_NORMALIZE], [dnl
+ TRIM_WHITESPACE |dnl
+ grep -v "^\(Revision\|Header\|Size\|References\|Number\)" |dnl
+ awk 'NR <= 3; NR > 3 {print | "sort"}' dnl
+])
+
m4_define([IPSET_LIST_SET], [
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- NS_CHECK([ipset list $1 | TRIM_WHITESPACE |dnl
- grep -v "^\(Revision\|Header\|Size\|References\|Number\)" |dnl
- awk 'NR <= 3; NR > 3 {print | "sort"}'],
+ NS_CHECK([PIPESTATUS0([ipset list $1], [IPSET_LIST_SET_NORMALIZE])],
[$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6])
])
])
+m4_define([NFT_LIST_SET_NORMALIZE], [dnl
+ TRIM_WHITESPACE dnl
+])
+
m4_define([NFT_LIST_SET_ALWAYS], [
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
- NS_CHECK([nft NFT_NUMERIC_ARGS list set inet firewalld $1 | TRIM_WHITESPACE], [$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6])
+ NS_CHECK([PIPESTATUS0([nft NFT_NUMERIC_ARGS list set inet firewalld $1], [NFT_LIST_SET_NORMALIZE])],
+ [$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6])
])
])
--
2.20.1

28
SOURCES/0006-fix-test-direct-passthrough-no-need-to-check-for-dum.patch Normal file
View File

@ -0,0 +1,28 @@
From 3268ec28df668efcf8fd8fc3017d0768b0c70fe1 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 5 Dec 2019 12:31:06 -0500
Subject: [PATCH 06/37] fix: test: direct passthrough: no need to check for
dummy module
(cherry picked from commit 3b9e8565a224937bb6c6b950ae3596abacc14c5d)
(cherry picked from commit 7b2740294a86cca114e8ce3938b5b0ba8f5bd28f)
---
src/tests/firewall-cmd.at | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index 540bdb8b1065..51b367e7a0f0 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -866,8 +866,6 @@ FWD_END_TEST
FWD_START_TEST([direct passthrough])
AT_KEYWORDS(direct passthrough)
- AT_CHECK([if ! modprobe dummy; then exit 77; fi])
-
FWD_CHECK([--direct --passthrough ipv4 --table mangle --append POSTROUTING --out-interface dummy0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill], 0, ignore)
FWD_CHECK([--direct --passthrough ipv4 --table mangle --delete POSTROUTING --out-interface dummy0 --protocol udp --destination-port 68 --jump CHECKSUM --checksum-fill], 0, ignore)
--
2.23.0

32
SOURCES/0006-fix-test-features-rfc3964_ipv4-use-return-code-not-o.patch
View File

@ -1,32 +0,0 @@
From 0f3ae3ae56b7a27ec3ff85646a87b6488b1f05d6 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 17 Jun 2019 11:01:27 -0400
Subject: [PATCH 06/20] fix: test/features/rfc3964_ipv4: use return code not
output for negative test
The output varies between -nft and -legacy iptables variants.
Fixes: e527818500be ("fix: tests: always list rules using macros")
(cherry picked from commit 7149ff26c88a86c9a485f8e59d3ceb3eb4a292d4)
---
src/tests/features/rfc3964_ipv4.at | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
index baff411793b2..54f5f756270b 100644
--- a/src/tests/features/rfc3964_ipv4.at
+++ b/src/tests/features/rfc3964_ipv4.at
@@ -93,9 +93,7 @@ NFT_LIST_RULES([inet], [filter_OUTPUT], 0, [dnl
}
])
-IP6TABLES_LIST_RULES([filter], [RFC3964_IPv4], 0, [ignore], [dnl
-iptables: No chain/target/match by that name.
-])
+IP6TABLES_LIST_RULES([filter], [RFC3964_IPv4], 1, [ignore], [ignore])
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all ::/0 ::/0
--
2.20.1

32
SOURCES/0007-fix-test-functions-FWD_END_TEST-improve-grep-for-err.patch Normal file
View File

@ -0,0 +1,32 @@
From 0c254abccf3553192e13f736351926c5fa45df0b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 9 Dec 2019 16:57:13 -0500
Subject: [PATCH 07/37] fix: test/functions: FWD_END_TEST: improve grep for
errors/warnings
Match more specifically so we don't accidentally match a debug log that
also has "ERROR:" or "WARNING:" as is common for modprobes.
(cherry picked from commit 5f67a78a68a4b5117d7be3402fc9dd639f318a60)
(cherry picked from commit ec0e86677372e994151263a3cb0f1124e2df219b)
---
src/tests/functions.at | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 31d1a3c187e4..1bed8a4f3a6c 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -150,8 +150,7 @@ m4_define([FWD_END_TEST], [
if test -n "$1"; then
sed -i $1 ./firewalld.log
fi
- AT_FAIL_IF([grep ERROR ./firewalld.log])
- AT_FAIL_IF([grep WARNING ./firewalld.log])
+ AT_FAIL_IF([grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log])
fi
m4_undefine([CURRENT_DBUS_ADDRESS])
m4_undefine([CURRENT_TEST_NS])
--
2.23.0

28
SOURCES/0007-test-new-macro-CHECK_MODULE_PROTO_GRE.patch
View File

@ -1,28 +0,0 @@
From cedbd55380bfcb60bc600d8d8833a4d9abab1080 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 17 Jun 2019 14:30:34 -0400
Subject: [PATCH 07/20] test: new macro CHECK_MODULE_PROTO_GRE
(cherry picked from commit af89dacab41d6dc6a42e992aa74a2d6f4a420abc)
---
src/tests/functions.at | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 69f71c133d15..7a0242cb33fb 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -444,6 +444,10 @@ m4_define([CHECK_NFT_CT_HELPER], [
])
])
+m4_define([CHECK_MODULE_PROTO_GRE], [
+ AT_SKIP_IF([! NS_CMD([modinfo nf_conntrack_proto_gre])])
+])
+
m4_define([HOST_SUPPORTS_NFT_FIB], m4_esyscmd([
KERNEL_MAJOR=`uname -r | cut -d. -f1`
KERNEL_MINOR=`uname -r | cut -d. -f2`
--
2.20.1

30
SOURCES/0008-fix-test-regression-pr323-skip-if-GRE-module-doesn-t.patch
View File

@ -1,30 +0,0 @@
From c4601cf33ba1c21c3233a33f39dff286c04a1872 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 17 Jun 2019 14:31:15 -0400
Subject: [PATCH 08/20] fix: test/regression/pr323: skip if GRE module doesn't
exist
Newer kernels use a built-in so the module nf_conntrack_proto_gre
doesn't exist.
(cherry picked from commit 6cda87d3a532c5ca6e8ef74c03f2e7a6bb45627a)
---
src/tests/regression/pr323.at | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/tests/regression/pr323.at b/src/tests/regression/pr323.at
index 7fd719d0ada2..25b09930c34a 100644
--- a/src/tests/regression/pr323.at
+++ b/src/tests/regression/pr323.at
@@ -1,6 +1,8 @@
FWD_START_TEST([GRE proto helper])
AT_KEYWORDS(helper gh323)
+CHECK_MODULE_PROTO_GRE
+
FWD_CHECK([-q --add-protocol=gre])
FWD_CHECK([-q --remove-protocol=gre])
--
2.20.1

75
SOURCES/0008-test-build-add-support-for-running-in-containers.patch Normal file
View File

@ -0,0 +1,75 @@
From d059664e2de82a2e212fe14f3799450ca4ef5a51 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 27 Nov 2019 13:32:42 -0500
Subject: [PATCH 08/37] test: build: add support for running in containers
This is just a dummy target at the moment.
(cherry picked from commit df13ebc5d8df69b0b0b15c6777c8bb906a67bf5b)
(cherry picked from commit 11c36a3c81987f4e34bf87e99d0800401c24561f)
---
Makefile.am | 3 +++
README | 7 +++++++
configure.ac | 1 +
src/tests/Makefile.am | 4 ++++
4 files changed, 15 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index b3dbce1f2b11..c377d6f63792 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -78,6 +78,9 @@ dist-check:
exit 1; \
fi
+check-container:
+ $(MAKE) -C src/tests $@
+
update-docs:
$(MAKE) -C doc/xml
diff --git a/README b/README
index 181d50f301e9..9cb2ef4a15b7 100644
--- a/README
+++ b/README
@@ -102,6 +102,13 @@ Or just the keywords
|awk '/^[[:space:]]*[[:digit:]]+/{getline; print $0}' \
|tr ' ' '\n' |sort |uniq
+There is also a check-container target that will run the testsuite inside
+various podman/docker containers. This is useful for coverage of multiple
+distributions. As a bonus, it allows us to run tests that may be destructive to
+the host (container) such as NetworkManager integration tests.
+
+ make check-container TESTSUITEFLAGS="-j4"
+
RPM package
-----------
diff --git a/configure.ac b/configure.ac
index 39d6af1f89f1..0758c69d442c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,6 +36,7 @@ AC_PATH_PROG([RMMOD], [rmmod], [/sbin/rmmod])
AC_PATH_PROG([SYSCTL], [sysctl], [/sbin/sysctl])
AC_CONFIG_TESTDIR([src/tests])
+AC_PATH_PROGS([PODMAN], [podman docker], [/bin/false])
GLIB_GSETTINGS
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 09bf699b81d0..84c076c847b0 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -41,3 +41,7 @@ AUTOTEST = $(AUTOM4TE) --language=autotest
$(TESTSUITE): $(TESTSUITE_FILES) $(srcdir)/package.m4
$(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at
mv $@.tmp $@
+
+check-container:
+
+.PHONY: check-container
--
2.23.0

43
SOURCES/0009-test-check-container-add-support-for-debian-sid.patch Normal file
View File

@ -0,0 +1,43 @@
From 616ab06147e174ac69b2e1cfff73e4519058676c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 10 Dec 2019 10:18:00 -0500
Subject: [PATCH 09/37] test: check-container: add support for debian sid
(cherry picked from commit be2a4c06c7bc7fcf9efc710ffc459b2a24118457)
(cherry picked from commit f7252214a08c33c81bb613514e24af95dc2ed096)
---
src/tests/Makefile.am | 19 ++++++++++++++++++-
1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 84c076c847b0..4939fb818459 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -42,6 +42,23 @@ $(TESTSUITE): $(TESTSUITE_FILES) $(srcdir)/package.m4
$(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at
mv $@.tmp $@
-check-container:
+check-container-debian-sid:
+ (cd $(abs_top_srcdir) && tar -c . ) | \
+ $(PODMAN) run -i --rm --privileged debian:sid bash -c \
+ "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \
+ apt-get update && \
+ apt-get install -y autoconf automake pkg-config intltool libglib2.0-dev \
+ xsltproc docbook-xsl docbook-xml iptables ipset ebtables \
+ nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \
+ python3-dbus python3-gi python3-slip-dbus python3-nftables \
+ procps && \
+ apt-get install -y libnftables-dev && \
+ ./autogen.sh && \
+ ./configure PYTHON=/usr/bin/python3 && \
+ make && \
+ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
+
+check-container: check-container-debian-sid
.PHONY: check-container
+.PHONY: check-container-debian-sid
--
2.23.0

36
SOURCES/0009-test-service-coverage-for-import-from-file.patch
View File

@ -1,36 +0,0 @@
From e34b1005145d950382808b7f1d776511b2d710fa Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 3 Jul 2019 10:41:07 -0400
Subject: [PATCH 09/20] test: service: coverage for import from file
(cherry picked from commit 40d8d6a105a7212db138e3afacf0f471676a8b78)
---
src/tests/firewall-cmd.at | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index 6444b4566af5..7bb13aee0221 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -319,6 +319,18 @@ FWD_START_TEST([user services])
FWD_CHECK([--permanent --zone=public --list-services | grep foobar], 0, ignore)
FWD_CHECK([--permanent --delete-service=foobar], 0, ignore)
FWD_CHECK([--permanent --zone=public --list-services | grep foobar], 1, ignore)
+
+ AT_DATA([./foobar-to-be-renamed], [m4_strip([dnl
+ <?xml version="1.0" encoding="utf-8"?>
+ <service>
+ <protocol value="icmp" />
+ <port protocol="tcp" port="1234" />
+ </service>
+ ])
+ FWD_CHECK([--permanent --new-service-from-file="./foobar-to-be-renamed" --name="foobar-from-file"])
+ FWD_CHECK([--permanent --get-services | grep foobar-from-file], 0, [ignore])
+])
+
FWD_END_TEST([-e '/ERROR: NAME_CONFLICT: new_service():/d' dnl
-e '/ERROR: INVALID_ADDR:/d'])
--
2.20.1

238
SOURCES/0010-fix-dbus-fix-service-API-break.patch
View File

@ -1,238 +0,0 @@
From 905f7eb62dd31a58b86fbfa191b2ce2482361b0b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 24 Jun 2019 10:36:40 -0400
Subject: [PATCH 10/20] fix: dbus: fix service API break
This fixes a dbus API break that occurred when introducing service
includes. The includes were added to the method's tuple, but doing so
changed the dbus signature and thus broke the API. This restores the old
signature.
Move to using key,value based import/export and sanity checking.
Previously we were using a tuple with semi-undocumented positions.
Fixes: 1fc208bf9317 ("feat: service includes")
Fixes: rhbz 1721414
(cherry picked from commit 335a68c1bba5b1b1fbd430505a485a9eb035360c)
---
doc/xml/firewalld.dbus.xml | 5 ++-
src/firewall/core/fw_config.py | 59 +++++++++++++++++++++++++++++++-
src/firewall/core/io/service.py | 35 ++++++++++++++++---
src/firewall/server/firewalld.py | 13 ++++++-
4 files changed, 103 insertions(+), 9 deletions(-)
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 64d4d2b9c73b..cb4e1eac0fb9 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -242,12 +242,12 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.Methods.getServiceSettings">
- <term><methodname>getServiceSettings</methodname>(s: <parameter>service</parameter>) &rarr; (sssa(ss)asa{ss}asa(ss)as)</term>
+ <term><methodname>getServiceSettings</methodname>(s: <parameter>service</parameter>) &rarr; (sssa(ss)asa{ss}asa(ss))</term>
<listitem>
<para>
Return runtime settings of given <replaceable>service</replaceable>.
For getting permanent settings see <link linkend="FirewallD1.config.service.Methods.getSettings">org.fedoraproject.FirewallD1.config.service.Methods.getSettings</link>.
- Settings are in format: <parameter>version</parameter>, <parameter>name</parameter>, <parameter>description</parameter>, array of <parameter>ports</parameter> (port, protocol), array of <parameter>module names</parameter>, dictionary of <parameter>destinations</parameter>, array of <parameter>protocols</parameter>, array of <parameter>source-ports</parameter> (port, protocol) and array of service <parameter>includes</parameter>.
+ Settings are in format: <parameter>version</parameter>, <parameter>name</parameter>, <parameter>description</parameter>, array of <parameter>ports</parameter> (port, protocol), array of <parameter>module names</parameter>, dictionary of <parameter>destinations</parameter>, array of <parameter>protocols</parameter>, array of <parameter>source-ports</parameter> (port, protocol).
</para>
<para>
<variablelist>
@@ -259,7 +259,6 @@
<varlistentry><term><parameter>destinations (a{ss})</parameter>: dictionary of {IP family : IP address} where 'IP family' key can be either 'ipv4' or 'ipv6'. See <literal>destination</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
<varlistentry><term><parameter>protocols (as)</parameter>: array of protocols, see <literal>protocol</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
<varlistentry><term><parameter>source-ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>source-port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
- <varlistentry><term><parameter>includes (as)</parameter>: array of service includes, see <literal>include</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
</variablelist>
</para>
<para>
diff --git a/src/firewall/core/fw_config.py b/src/firewall/core/fw_config.py
index a759cfdf83b3..8f29f0c416d2 100644
--- a/src/firewall/core/fw_config.py
+++ b/src/firewall/core/fw_config.py
@@ -545,9 +545,43 @@ class FirewallConfig(object):
return self._builtin_services[obj.name]
def get_service_config(self, obj):
+ conf_dict = obj.export_config()
+ conf_list = []
+ for i in range(8): # tuple based dbus API has 8 elements
+ if obj.IMPORT_EXPORT_STRUCTURE[i][0] not in conf_dict:
+ # old API needs the empty elements as well. Grab it from the
+ # object otherwise we don't know the type.
+ conf_list.append(copy.deepcopy(getattr(obj, obj.IMPORT_EXPORT_STRUCTURE[i][0])))
+ else:
+ conf_list.append(conf_dict[obj.IMPORT_EXPORT_STRUCTURE[i][0]])
+ return tuple(conf_list)
+
+ def get_service_config_dict(self, obj):
return obj.export_config()
def set_service_config(self, obj, conf):
+ conf_dict = {}
+ for i,value in enumerate(conf):
+ conf_dict[obj.IMPORT_EXPORT_STRUCTURE[i][0]] = value
+
+ if obj.builtin:
+ x = copy.copy(obj)
+ x.cleanup()
+ x.import_config(conf_dict)
+ x.path = config.ETC_FIREWALLD_SERVICES
+ x.builtin = False
+ if obj.path != x.path:
+ x.default = False
+ self.add_service(x)
+ service_writer(x)
+ return x
+ else:
+ obj.cleanup()
+ obj.import_config(conf_dict)
+ service_writer(obj)
+ return obj
+
+ def set_service_config_dict(self, obj, conf):
if obj.builtin:
x = copy.copy(obj)
x.import_config(conf)
@@ -568,6 +602,29 @@ class FirewallConfig(object):
raise FirewallError(errors.NAME_CONFLICT,
"new_service(): '%s'" % name)
+ conf_dict = {}
+ for i,value in enumerate(conf):
+ conf_dict[Service.IMPORT_EXPORT_STRUCTURE[i][0]] = value
+
+ x = Service()
+ x.check_name(name)
+ x.import_config(conf_dict)
+ x.name = name
+ x.filename = "%s.xml" % name
+ x.path = config.ETC_FIREWALLD_SERVICES
+ # It is not possible to add a new one with a name of a buitin
+ x.builtin = False
+ x.default = True
+
+ service_writer(x)
+ self.add_service(x)
+ return x
+
+ def new_service_dict(self, name, conf):
+ if name in self._services or name in self._builtin_services:
+ raise FirewallError(errors.NAME_CONFLICT,
+ "new_service(): '%s'" % name)
+
x = Service()
x.check_name(name)
x.import_config(conf)
@@ -684,7 +741,7 @@ class FirewallConfig(object):
return new_service
def _copy_service(self, obj, name):
- return self.new_service(name, obj.export_config())
+ return self.new_service_dict(name, obj.export_config())
# zones
diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py
index 3479dab7f175..44dc0ff8a9b0 100644
--- a/src/firewall/core/io/service.py
+++ b/src/firewall/core/io/service.py
@@ -25,6 +25,8 @@ import xml.sax as sax
import os
import io
import shutil
+import copy
+from collections import OrderedDict
from firewall import config
from firewall.functions import u2b_if_py2
@@ -47,7 +49,7 @@ class Service(IO_Object):
( "source_ports", [ ( "", "" ), ], ), # a(ss)
( "includes", [ "" ], ), # as
)
- DBUS_SIGNATURE = '(sssa(ss)asa{ss}asa(ss)as)'
+ DBUS_SIGNATURE = '(sssa(ss)asa{ss}asa(ss))'
ADDITIONAL_ALNUM_CHARS = [ "_", "-" ]
PARSER_REQUIRED_ELEMENT_ATTRS = {
"short": None,
@@ -76,6 +78,34 @@ class Service(IO_Object):
self.source_ports = [ ]
self.includes = [ ]
+ def import_config(self, conf):
+ self.check_config(conf)
+
+ for key in conf:
+ if not hasattr(self, key):
+ raise FirewallError(errors.UNKNOWN_ERROR, "Internal error. '{}' is not a valid attribute".format(key))
+ if isinstance(conf[key], list):
+ # maintain list order while removing duplicates
+ setattr(self, key, list(OrderedDict.fromkeys(copy.deepcopy(conf[key]))))
+ else:
+ setattr(self, key, copy.deepcopy(conf[key]))
+
+ def export_config(self):
+ conf = {}
+ type_formats = dict([(x[0], x[1]) for x in self.IMPORT_EXPORT_STRUCTURE])
+ for key in type_formats:
+ if getattr(self, key):
+ conf[key] = copy.deepcopy(getattr(self, key))
+ return conf
+
+ def check_config(self, conf):
+ type_formats = dict([(x[0], x[1]) for x in self.IMPORT_EXPORT_STRUCTURE])
+ for key in conf:
+ if key not in [x for (x,y) in self.IMPORT_EXPORT_STRUCTURE]:
+ raise FirewallError(errors.INVALID_OPTION, "service option '{}' is not valid".format(key))
+ self._check_config_structure(conf[key], type_formats[key])
+ self._check_config(conf[key], key)
+
def cleanup(self):
self.version = ""
self.short = ""
@@ -138,9 +168,6 @@ class Service(IO_Object):
if len(module) < 2:
raise FirewallError(errors.INVALID_MODULE, module)
- elif item == "includes":
- pass
-
# PARSER
class service_ContentHandler(IO_Object_ContentHandler):
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
index bc04f2d0f4c3..233160b64b18 100644
--- a/src/firewall/server/firewalld.py
+++ b/src/firewall/server/firewalld.py
@@ -26,6 +26,7 @@ from gi.repository import GLib, GObject
import sys
sys.modules['gobject'] = GObject
+import copy
import dbus
import dbus.service
import slip.dbus
@@ -921,7 +922,17 @@ class FirewallD(slip.dbus.service.Object):
# returns service settings for service
service = dbus_to_python(service, str)
log.debug1("getServiceSettings(%s)", service)
- return self.fw.service.get_service(service).export_config()
+ obj = self.fw.service.get_service(service)
+ conf_dict = obj.export_config()
+ conf_list = []
+ for i in range(8): # tuple based dbus API has 8 elements
+ if obj.IMPORT_EXPORT_STRUCTURE[i][0] not in conf_dict:
+ # old API needs the empty elements as well. Grab it from the
+ # object otherwise we don't know the type.
+ conf_list.append(copy.deepcopy(getattr(obj, obj.IMPORT_EXPORT_STRUCTURE[i][0])))
+ else:
+ conf_list.append(conf_dict[obj.IMPORT_EXPORT_STRUCTURE[i][0]])
+ return tuple(conf_list)
@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
--
2.20.1

44
SOURCES/0010-test-check-container-add-support-for-fedora-rawhide.patch Normal file
View File

@ -0,0 +1,44 @@
From c9b56988eeee3da0b987adce79536ae4a4f2b6d0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 10 Dec 2019 10:15:13 -0500
Subject: [PATCH 10/37] test: check-container: add support for fedora rawhide
(cherry picked from commit 8168904f2dd1ecdec17638854e7630f2ccc90860)
(cherry picked from commit 25f35e1c400f68f33773d162d84f9a7af8aa9938)
---
src/tests/Makefile.am | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index 4939fb818459..cef17b6eba4b 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -58,7 +58,25 @@ check-container-debian-sid:
make && \
make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
+check-container-fedora-rawhide:
+ (cd $(abs_top_srcdir) && tar -c . ) | \
+ $(PODMAN) run -i --rm --privileged fedora:rawhide bash -c \
+ "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \
+ dnf -y makecache && \
+ dnf -y install autoconf automake conntrack-tools desktop-file-utils \
+ docbook-style-xsl file gettext glib2-devel intltool ipset \
+ iptables iptables-nft libtool libxml2 libxslt make nftables \
+ python3-nftables python3-slip-dbus python3-gobject-base \
+ diffutils procps-ng iproute which dbus-daemon && \
+ alternatives --set ebtables /usr/sbin/ebtables-nft && \
+ ./autogen.sh && \
+ ./configure PYTHON=/usr/bin/python3 && \
+ make && \
+ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
+
check-container: check-container-debian-sid
+check-container: check-container-fedora-rawhide
.PHONY: check-container
.PHONY: check-container-debian-sid
+.PHONY: check-container-fedora-rawhide
--
2.23.0

83
SOURCES/0011-fix-dbus-add-missing-APIs-for-service-includes.patch
View File

@ -1,83 +0,0 @@
From 464add2ad05781e72e54d05cc06150c21e1c282d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 1 Jul 2019 10:27:51 -0400
Subject: [PATCH 11/20] fix: dbus: add missing APIs for service includes
Fixes: 1fc208bf9317 ("feat: service includes")
(cherry picked from commit bcdc1e2bf1e71c32606fdaadabd9a913e2e1d651)
---
src/firewall/server/config_service.py | 61 +++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
diff --git a/src/firewall/server/config_service.py b/src/firewall/server/config_service.py
index 47530d319bdb..05ded1c78da7 100644
--- a/src/firewall/server/config_service.py
+++ b/src/firewall/server/config_service.py
@@ -652,3 +652,64 @@ class FirewallDConfigService(slip.dbus.service.Object):
settings = self.getSettings()
return (family in settings[5] and
address == settings[5][family])
+
+ # includes
+
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
+ out_signature='as')
+ @dbus_handle_exceptions
+ def getIncludes(self, sender=None):
+ log.debug1("%s.getIncludes()", self._log_prefix)
+ self.parent.accessCheck(sender)
+ settings = list(self.config.get_service_config(self.obj))
+ return settings[8]
+
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
+ in_signature='as')
+ @dbus_handle_exceptions
+ def setIncludes(self, includes, sender=None):
+ includes = dbus_to_python(includes, list)
+ log.debug1("%s.setIncludes('%s')", self._log_prefix, includes)
+ self.parent.accessCheck(sender)
+ settings = list(self.config.get_service_config(self.obj))
+ settings[8] = includes[:]
+ self.config.set_service_config(self.obj, tuple(settings))
+ self.Updated(self.obj.name)
+
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
+ in_signature='s')
+ @dbus_handle_exceptions
+ def addInclude(self, include, sender=None):
+ include = dbus_to_python(include, str)
+ log.debug1("%s.addInclude('%s')", self._log_prefix, include)
+ self.parent.accessCheck(sender)
+ settings = list(self.config.get_service_config(self.obj))
+ settings[8].append(include)
+ self.config.set_service_config(self.obj, tuple(settings))
+ self.Updated(self.obj.name)
+
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
+ in_signature='s')
+ @dbus_handle_exceptions
+ def removeInclude(self, include, sender=None):
+ include = dbus_to_python(include, str)
+ log.debug1("%s.removeInclude('%s')", self._log_prefix, include)
+ self.parent.accessCheck(sender)
+ settings = list(self.config.get_service_config(self.obj))
+ settings[8].remove(include)
+ self.config.set_service_config(self.obj, tuple(settings))
+ self.Updated(self.obj.name)
+
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
+ in_signature='s', out_signature='b')
+ @dbus_handle_exceptions
+ def queryInclude(self, include, sender=None):
+ include = dbus_to_python(include, str)
+ log.debug1("%s.queryInclude('%s')", self._log_prefix, include)
+ settings = list(self.config.get_service_config(self.obj))
+ try:
+ settings[8].index(include)
+ except ValueError:
+ return False
+ else:
+ return True
--
2.20.1

45
SOURCES/0011-fix-test-leave-cleanup-for-tests-cases.patch Normal file
View File

@ -0,0 +1,45 @@
From 1fff192d3dcc8dfaf1e9f8ef4a5e427772ce23bc Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 16 Dec 2019 15:47:24 -0500
Subject: [PATCH 11/37] fix: test: leave "cleanup" for tests cases
Introduce "cleanup_late" for high level stuff not used by test cases.
(cherry picked from commit ebe4ee52658bb26d976bd2e7149c3ac1a5be65c7)
(cherry picked from commit 6068bb9ae8fca3f87edc194567909b34ee071276)
---
src/tests/functions.at | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 1bed8a4f3a6c..46bcd369864f 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -89,12 +89,13 @@ m4_define([FWD_START_TEST], [
dnl run cleanup commands on test exit
echo "" > cleanup
- trap ". ./cleanup; kill_firewalld" EXIT
+ echo "" > cleanup_late
+ trap ". ./cleanup; kill_firewalld; . ./cleanup_late" EXIT
dnl create a namespace and dbus-daemon
m4_define([CURRENT_DBUS_ADDRESS], [unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}])
m4_define([CURRENT_TEST_NS], [fwd-test-${at_group_normalized}])
- echo "ip netns delete CURRENT_TEST_NS" >> ./cleanup
+ echo "ip netns delete CURRENT_TEST_NS" >> ./cleanup_late
AT_CHECK([ip netns add CURRENT_TEST_NS])
AT_DATA([./dbus.conf], [
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
@@ -135,7 +136,7 @@ m4_define([FWD_START_TEST], [
if test $? -ne 0; then
AT_FAIL_IF([:])
fi
- echo "kill $DBUS_PID" >> ./cleanup
+ echo "kill $DBUS_PID" >> ./cleanup_late
FWD_START_FIREWALLD
])
--
2.23.0

44
SOURCES/0012-fix-tests-functions-use-gdbus-instead-of-dbus-send.patch
View File

@ -1,44 +0,0 @@
From 4d2a2b79aefac90d4656b0d9c3b58661d2b88a07 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 25 Jun 2019 14:04:34 -0400
Subject: [PATCH 12/20] fix: tests/functions: use gdbus instead of dbus-send
dbus-send doesn't support all the types and nested types that we need
for testing.
(cherry picked from commit 15346d6ff16e75bbbd05e40ac2e8cbe051e08dd9)
---
src/tests/functions.at | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 7a0242cb33fb..28af5a7fc532 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -355,10 +355,20 @@ m4_define([NFT_LIST_SET], [
])
])
+m4_define([DBUS_CHECK_NORMALIZE], [dnl
+ [sed -e 's/^({//' -e 's/},)$//' -e 's/>,/>\n/g'] | dnl truncate dictionary output
+ TRIM_WHITESPACE | dnl
+ sort dnl sort dictionaries by keys
+])
+
m4_define([DBUS_CHECK], [
- NS_CHECK([dbus-send --system --print-reply --dest=org.fedoraproject.FirewallD1 dnl
- /org/fedoraproject/FirewallD1/$1 org.fedoraproject.FirewallD1.$2 $3],
- [$4], [$5], [$6], [$7], [$8])
+ AT_SKIP_IF([! NS_CMD([which gdbus >/dev/null 2>&1])])
+ NS_CHECK([PIPESTATUS0([gdbus call --system --dest=org.fedoraproject.FirewallD1 dnl
+ m4_ifblank([$1], [--object-path /org/fedoraproject/FirewallD1],
+ [--object-path /org/fedoraproject/FirewallD1/$1]) dnl
+ --method org.fedoraproject.FirewallD1.$2 $3],
+ [DBUS_CHECK_NORMALIZE])],
+ [$4], [m4_strip([$5])], [m4_strip([$6])], [$7], [$8])
])
m4_define([DBUS_GETALL_NORMALIZE], dnl
--
2.20.1

129
SOURCES/0012-test-functions-new-macros-for-starting-stopping-Netw.patch Normal file
View File

@ -0,0 +1,129 @@
From 8a1ee3a46ca31d36e1b5702971d8f0b6240edc93 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 19 Nov 2019 15:31:28 -0500
Subject: [PATCH 12/37] test: functions: new macros for starting/stopping
NetworkManager
(cherry picked from commit fd99d328cf9713445428d4b8c4317377ee494981)
(cherry picked from commit 689c833fc83e2f858792f7f5e979b413421a8e0d)
---
src/tests/functions.at | 85 +++++++++++++++++++++++++++++++++++++++++-
1 file changed, 84 insertions(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 46bcd369864f..f59eef80c348 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -34,6 +34,48 @@ m4_define([FWD_START_FIREWALLD], [
AT_FAIL_IF([test $up -ne 1])
])
+m4_define([START_NETWORKMANAGER], [
+ AT_SKIP_IF([! NS_CMD([which NetworkManager >/dev/null 2>&1])])
+ AT_SKIP_IF([! NS_CMD([which nmcli >/dev/null 2>&1])])
+
+ AT_DATA([./NetworkManager.conf], [dnl
+[[main]]
+plugins=
+
+[[logging]]
+#level=DEBUG
+#domains=ALL
+])
+
+ NM_ARGS="--no-daemon --config ./NetworkManager.conf"
+ NS_CMD([NetworkManager $NM_ARGS &])
+ if test $? -ne 0; then
+ AT_FAIL_IF([:])
+ fi
+ echo "$!" > networkmanager.pid
+
+ dnl Give it some time for the dbus interface to come up
+ up=0
+ for I in 1 2 3 4 5 6 7 8 9 0; do
+ if NS_CMD([nmcli general status >/dev/null 2>&1]); then
+ up=1
+ break
+ fi
+ sleep 1
+ done
+ AT_FAIL_IF([test $up -ne 1])
+])
+
+m4_define([STOP_NETWORKMANAGER], [
+ pid=$(< networkmanager.pid)
+ kill $pid
+ for I in 1 2 3 4 5 6 7 8 9 0; do
+ ps --pid $pid >/dev/null || { pid=0; break; }
+ sleep 1
+ done
+ test $pid -eq 0 || { kill -9 $pid; sleep 3; }
+])
+
m4_define([FWD_RELOAD], [
FWD_CHECK([-q --reload], [$1], [$2], [$3])
FWD_CHECK([-q --state], [$4], [$5], [$6])
@@ -86,11 +128,16 @@ m4_define([FWD_START_TEST], [
function kill_firewalld() {
FWD_STOP_FIREWALLD
}
+ function kill_networkmanager() {
+ if test -f networkmanager.pid; then
+ STOP_NETWORKMANAGER
+ fi
+ }
dnl run cleanup commands on test exit
echo "" > cleanup
echo "" > cleanup_late
- trap ". ./cleanup; kill_firewalld; . ./cleanup_late" EXIT
+ trap ". ./cleanup; kill_firewalld; kill_networkmanager; . ./cleanup_late" EXIT
dnl create a namespace and dbus-daemon
m4_define([CURRENT_DBUS_ADDRESS], [unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}])
@@ -130,6 +177,42 @@ m4_define([FWD_START_TEST], [
send_interface="org.freedesktop.DBus.Properties"/>
<allow send_destination="org.fedoraproject.FirewallD1.config"/>
</policy>
+
+ <!-- from org.freedesktop.NetworkManager.conf -->
+ <policy user="root">
+ <allow own="org.freedesktop.NetworkManager"/>
+ <allow send_destination="org.freedesktop.NetworkManager"/>
+
+ <allow send_destination="org.freedesktop.NetworkManager"
+ send_interface="org.freedesktop.NetworkManager.PPP"/>
+
+ <allow send_interface="org.freedesktop.NetworkManager.SecretAgent"/>
+ <!-- These are there because some broken policies do
+ <deny send_interface="..." /> (see dbus-daemon(8) for details).
+ This seems to override that for the known VPN plugins.
+ -->
+ <allow send_destination="org.freedesktop.NetworkManager.openconnect"/>
+ <allow send_destination="org.freedesktop.NetworkManager.openswan"/>
+ <allow send_destination="org.freedesktop.NetworkManager.openvpn"/>
+ <allow send_destination="org.freedesktop.NetworkManager.pptp"/>
+ <allow send_destination="org.freedesktop.NetworkManager.vpnc"/>
+ <allow send_destination="org.freedesktop.NetworkManager.ssh"/>
+ <allow send_destination="org.freedesktop.NetworkManager.iodine"/>
+ <allow send_destination="org.freedesktop.NetworkManager.l2tp"/>
+ <allow send_destination="org.freedesktop.NetworkManager.libreswan"/>
+ <allow send_destination="org.freedesktop.NetworkManager.fortisslvpn"/>
+ <allow send_destination="org.freedesktop.NetworkManager.strongswan"/>
+ <allow send_interface="org.freedesktop.NetworkManager.VPN.Plugin"/>
+
+ <allow send_destination="org.fedoraproject.FirewallD1"/>
+
+ <!-- Allow the custom name for the dnsmasq instance spawned by NM
+ from the dns dnsmasq plugin to own it's dbus name, and for
+ messages to be sent to it.
+ -->
+ <allow own="org.freedesktop.NetworkManager.dnsmasq"/>
+ <allow send_destination="org.freedesktop.NetworkManager.dnsmasq"/>
+ </policy>
</busconfig>
])
DBUS_PID=`NS_CMD([dbus-daemon --address="CURRENT_DBUS_ADDRESS" --print-pid --config-file="./dbus.conf"])`
--
2.23.0

30
SOURCES/0013-test-functions-add-CHOMP-macro-for-shell-output.patch
View File

@ -1,30 +0,0 @@
From d74f03af843c71872e60af4a59204a6cab4cd934 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 22 Jul 2019 14:48:19 -0400
Subject: [PATCH 13/20] test: functions: add CHOMP macro for shell output
chomps all trailing newlines by exploiting posix shell behavior for
variable expansion.
(cherry picked from commit a8b90c38c19732f3dc9ca5cfedc10bb54c0d84bf)
---
src/tests/functions.at | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 28af5a7fc532..8aeaf158a066 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -226,7 +226,8 @@ m4_define([FWD_GREP_LOG], [
m4_define([TRIM], [[sed -e 's/^[ \t]*//' -e 's/[ \t]*$//']])
m4_define([TRIMV], [[sed -e '/^[ \t]*$/d']])
m4_define([TRIM_INTERNAL], [[sed -e 's/[ \t]\+/ /g']])
-m4_define([TRIM_WHITESPACE], [TRIM | TRIMV | TRIM_INTERNAL])
+m4_define([CHOMP], [printf "%s" "$(cat /dev/stdin)"])
+m4_define([TRIM_WHITESPACE], [TRIM | TRIMV | TRIM_INTERNAL | { CHOMP; echo; }])
dnl m4sugar's m4_strip has a bug that causes it to print a space after
dnl newlines. So implement our own suck-less version.
--
2.20.1

30
SOURCES/0013-test-functions-add-macro-NMCLI_CHECK.patch Normal file
View File

@ -0,0 +1,30 @@
From 520420aa83eda967cdb8b30527886eed5dcec8fe Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 19 Nov 2019 13:14:45 -0500
Subject: [PATCH 13/37] test: functions: add macro NMCLI_CHECK
Useful for NetworkManager integration tests.
(cherry picked from commit 608f00749967ba71b04c4cbb86f5877382aaee07)
(cherry picked from commit ca41c60bde8897d218e1046fab2549278a3105da)
---
src/tests/functions.at | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index f59eef80c348..e79557350558 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -586,3 +586,9 @@ m4_define([IF_HOST_SUPPORTS_IPV6_RULES], [
IF_HOST_SUPPORTS_IP6TABLES([$1], [$2])
])])
])
+
+m4_define([NMCLI_CHECK], [
+ AT_SKIP_IF([! NS_CMD([nmcli connection show >/dev/null 2>&1])])
+ NS_CHECK([PIPESTATUS0([nmcli $1], [TRIM_WHITESPACE])],
+ [$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6])
+])
--
2.23.0

100
SOURCES/0014-test-build-support-integration-tests.patch Normal file
View File

@ -0,0 +1,100 @@
From a49f1e42bc8ac34df7790446e3a421d376c4d216 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 16 Dec 2019 13:11:24 -0500
Subject: [PATCH 14/37] test: build: support integration tests
These use the target "check-integration". We use a separate target
because these tests may be destructive to the host. The plan is to run
them from within the "check-container" target.
(cherry picked from commit ab6c22b8419f5eb333484376ea41d592c809eb2a)
(cherry picked from commit 50c393d5618bf34110b59a3805963444e5f41e3a)
---
Makefile.am | 4 +++-
src/tests/Makefile.am | 17 ++++++++++++++++-
src/tests/integration/testsuite.at | 11 +++++++++++
3 files changed, 30 insertions(+), 2 deletions(-)
create mode 100644 src/tests/integration/testsuite.at
diff --git a/Makefile.am b/Makefile.am
index c377d6f63792..85da0b5857d2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -78,9 +78,11 @@ dist-check:
exit 1; \
fi
-check-container:
+check-container check-integration installcheck-integration:
$(MAKE) -C src/tests $@
+.PHONY: check-container check-integration installcheck-integration
+
update-docs:
$(MAKE) -C doc/xml
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index cef17b6eba4b..c00c198bf9bb 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -1,12 +1,16 @@
TESTSUITE = $(srcdir)/testsuite
+TESTSUITE_INTEGRATION = $(srcdir)/integration/testsuite
+
TESTSUITE_FILES = \
$(wildcard $(srcdir)/*.at) \
$(wildcard $(srcdir)/dbus/*.at) \
$(wildcard $(srcdir)/features/*.at) \
+ $(wildcard $(srcdir)/integration/*.at) \
$(wildcard $(srcdir)/regression/*.at)
EXTRA_DIST = \
$(TESTSUITE) \
+ $(TESTSUITE_INTEGRATION) \
$(TESTSUITE_FILES) \
$(wildcard $(srcdir)/python/*.py) \
$(srcdir)/package.m4 \
@@ -38,7 +42,7 @@ clean-local:
AUTOM4TE = $(SHELL) $(top_srcdir)/missing --run autom4te
AUTOTEST = $(AUTOM4TE) --language=autotest
-$(TESTSUITE): $(TESTSUITE_FILES) $(srcdir)/package.m4
+$(TESTSUITE) $(TESTSUITE_INTEGRATION): $(TESTSUITE_FILES) $(srcdir)/package.m4
$(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at
mv $@.tmp $@
@@ -80,3 +84,14 @@ check-container: check-container-fedora-rawhide
.PHONY: check-container
.PHONY: check-container-debian-sid
.PHONY: check-container-fedora-rawhide
+
+check-integration: atconfig atlocal $(TESTSUITE_INTEGRATION)
+ $(SHELL) '$(TESTSUITE_INTEGRATION)' $(TESTSUITEFLAGS) \
+ AUTOTEST_PATH="src" \
+ PYTHONPATH="${abs_top_srcdir}/src:${PYTHONPATH}" \
+ FIREWALLD_DEFAULT_CONFIG="${abs_top_srcdir}/config"
+
+installcheck-integration: atconfig atlocal $(TESTSUITE_INTEGRATION)
+ $(SHELL) '$(TESTSUITE_INTEGRATION)' $(TESTSUITEFLAGS)
+
+.PHONY: check-integration installcheck-integration
diff --git a/src/tests/integration/testsuite.at b/src/tests/integration/testsuite.at
new file mode 100644
index 000000000000..bbaf07a191b9
--- /dev/null
+++ b/src/tests/integration/testsuite.at
@@ -0,0 +1,11 @@
+AT_INIT
+AT_COLOR_TESTS
+
+dnl Override m4_include to avoid warning about inclusion
+dnl
+m4_define([m4_include], [m4_builtin([include], [$1])])
+
+m4_include([functions.at])
+
+m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+])
--
2.23.0

36
SOURCES/0014-test-functions-add-macro-DBUS_INTROSPECT.patch
View File

@ -1,36 +0,0 @@
From aba9e384a4de8785717e569905a4459a2fc15b4d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 5 Jul 2019 17:13:20 -0400
Subject: [PATCH 14/20] test: functions: add macro DBUS_INTROSPECT
We'll use this to introspect and verify the API.
(cherry picked from commit 5f32c24dec88c60e4f43d27ea56ea208016c339b)
---
src/tests/functions.at | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 8aeaf158a066..3771bb8bd5a7 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -356,6 +356,16 @@ m4_define([NFT_LIST_SET], [
])
])
+m4_define([DBUS_INTROSPECT], [
+ AT_SKIP_IF([! NS_CMD([which gdbus >/dev/null 2>&1])])
+ AT_SKIP_IF([! NS_CMD([which xmllint >/dev/null 2>&1])])
+ NS_CHECK([PIPESTATUS0([gdbus introspect --xml --system --dest=org.fedoraproject.FirewallD1 dnl
+ m4_ifblank([$1], [--object-path /org/fedoraproject/FirewallD1],
+ [--object-path /org/fedoraproject/FirewallD1/$1])], dnl
+ [m4_ifnblank([$2], [xmllint --xpath '$2' - |]) TRIM_WHITESPACE])],
+ [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
+])
+
m4_define([DBUS_CHECK_NORMALIZE], [dnl
[sed -e 's/^({//' -e 's/},)$//' -e 's/>,/>\n/g'] | dnl truncate dictionary output
TRIM_WHITESPACE | dnl
--
2.20.1

319
SOURCES/0015-test-dbus-service-API-coverage.patch
View File

@ -1,319 +0,0 @@
From 0d526d6f20695b48d374b1966038ac5c4397e17c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 24 Jun 2019 10:20:23 -0400
Subject: [PATCH 15/20] test: dbus: service API coverage
(cherry picked from commit b0ecd9e3916a691fa7adefa258e7ab0df2e9e1ea)
---
src/tests/dbus.at | 1 +
src/tests/dbus/service.at | 290 ++++++++++++++++++++++++++++++++++++++
2 files changed, 291 insertions(+)
create mode 100644 src/tests/dbus/service.at
diff --git a/src/tests/dbus.at b/src/tests/dbus.at
index 4cb0568cbc9c..46fec2ff4024 100644
--- a/src/tests/dbus.at
+++ b/src/tests/dbus.at
@@ -1,2 +1,3 @@
AT_BANNER([dbus])
m4_include([dbus/firewalld.conf.at])
+m4_include([dbus/service.at])
diff --git a/src/tests/dbus/service.at b/src/tests/dbus/service.at
new file mode 100644
index 000000000000..579548d66509
--- /dev/null
+++ b/src/tests/dbus/service.at
@@ -0,0 +1,290 @@
+FWD_START_TEST([dbus api - services])
+AT_KEYWORDS(dbus service rhbz1721414)
+
+DBUS_INTROSPECT([config], [[//method[@name="addService"]]], 0, [dnl
+ <method name="addService">
+ <arg direction="in" name="service" type="s"/>
+ <arg direction="in" name="settings" type="(sssa(ss)asa{ss}asa(ss))"/>
+ <arg direction="out" type="o"/>
+ </method>
+])
+DBUS_CHECK([config], [config.addService],
+ ["foobar" dnl name
+ '("1.0", dnl version
+ "foobar", dnl short
+ "foobar service is for foobar", dnl description
+ @<:@("1234", "udp"), ("22", "tcp"), ("1234", "udp")@:>@, dnl ports, deliberate duplicate
+ @<:@"ftp"@:>@, dnl modules
+ {"ipv4": "1.2.3.4"}, dnl destination
+ @<:@"icmp", "igmp"@:>@, dnl protocols
+ @<:@("4321", "tcp"), ("4321", "udp")@:>@ dnl source ports
+ )'dnl
+ ], 0, [stdout])
+SERVICE_OBJ=[$(sed -e "s/.*config\/service\/\([^']\+\)['].*/\1/" ./stdout)]
+export SERVICE_OBJ
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getSettings"]]], 0, [dnl
+ <method name="getSettings">
+ <arg direction="out" type="(sssa(ss)asa{ss}asa(ss))"/>
+ </method>
+])
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.getSettings], [], 0, [dnl
+ [(('1.0', 'foobar', 'foobar service is for foobar', [('1234', 'udp'), ('22', 'tcp')], ['ftp'], {'ipv4': '1.2.3.4'}, ['icmp', 'igmp'], [('4321', 'tcp'), ('4321', 'udp')]),)]
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="update"]]], 0, [dnl
+ <method name="update">
+ <arg direction="in" name="settings" type="(sssa(ss)asa{ss}asa(ss))"/>
+ </method>
+])
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.update],
+ ['("1.1", dnl version
+ "foobar new", dnl short
+ "foobar new service is for foobar", dnl description
+ @<:@("12345", "udp"), ("2222", "tcp")@:>@, dnl ports
+ @<:@"ftp"@:>@, dnl modules
+ {}, dnl destination
+ @<:@"icmp"@:>@, dnl protocols
+ @<:@("4321", "tcp")@:>@ dnl source ports
+ )'dnl
+ ], 0, [ignore])
+
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.getSettings], [], 0, [dnl
+ [(('1.1', 'foobar new', 'foobar new service is for foobar', [('12345', 'udp'), ('2222', 'tcp')], ['ftp'], @a{ss} {}, ['icmp'], [('4321', 'tcp')]),)]
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="loadDefaults"]]], 0, [dnl
+ <method name="loadDefaults">
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="remove"]]], 0, [dnl
+ <method name="remove">
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="rename"]]], 0, [dnl
+ <method name="rename">
+ <arg direction="in" name="name" type="s"/>
+ </method>
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getVersion"]]], 0, [dnl
+ <method name="getVersion">
+ <arg direction="out" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="setVersion"]]], 0, [dnl
+ <method name="setVersion">
+ <arg direction="in" name="version" type="s"/>
+ </method>
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getShort"]]], 0, [dnl
+ <method name="getShort">
+ <arg direction="out" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="setShort"]]], 0, [dnl
+ <method name="setShort">
+ <arg direction="in" name="short" type="s"/>
+ </method>
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getDescription"]]], 0, [dnl
+ <method name="getDescription">
+ <arg direction="out" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="setDescription"]]], 0, [dnl
+ <method name="setDescription">
+ <arg direction="in" name="description" type="s"/>
+ </method>
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getPorts"]]], 0, [dnl
+ <method name="getPorts">
+ <arg direction="out" type="a(ss)"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="setPorts"]]], 0, [dnl
+ <method name="setPorts">
+ <arg direction="in" name="ports" type="a(ss)"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="addPort"]]], 0, [dnl
+ <method name="addPort">
+ <arg direction="in" name="port" type="s"/>
+ <arg direction="in" name="protocol" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="removePort"]]], 0, [dnl
+ <method name="removePort">
+ <arg direction="in" name="port" type="s"/>
+ <arg direction="in" name="protocol" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="queryPort"]]], 0, [dnl
+ <method name="queryPort">
+ <arg direction="in" name="port" type="s"/>
+ <arg direction="in" name="protocol" type="s"/>
+ <arg direction="out" type="b"/>
+ </method>
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getSourcePorts"]]], 0, [dnl
+ <method name="getSourcePorts">
+ <arg direction="out" type="a(ss)"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="setSourcePorts"]]], 0, [dnl
+ <method name="setSourcePorts">
+ <arg direction="in" name="ports" type="a(ss)"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="addSourcePort"]]], 0, [dnl
+ <method name="addSourcePort">
+ <arg direction="in" name="port" type="s"/>
+ <arg direction="in" name="protocol" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="removeSourcePort"]]], 0, [dnl
+ <method name="removeSourcePort">
+ <arg direction="in" name="port" type="s"/>
+ <arg direction="in" name="protocol" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="querySourcePort"]]], 0, [dnl
+ <method name="querySourcePort">
+ <arg direction="in" name="port" type="s"/>
+ <arg direction="in" name="protocol" type="s"/>
+ <arg direction="out" type="b"/>
+ </method>
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getProtocols"]]], 0, [dnl
+ <method name="getProtocols">
+ <arg direction="out" type="as"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="setProtocols"]]], 0, [dnl
+ <method name="setProtocols">
+ <arg direction="in" name="protocols" type="as"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="addProtocol"]]], 0, [dnl
+ <method name="addProtocol">
+ <arg direction="in" name="protocol" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="removeProtocol"]]], 0, [dnl
+ <method name="removeProtocol">
+ <arg direction="in" name="protocol" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="queryProtocol"]]], 0, [dnl
+ <method name="queryProtocol">
+ <arg direction="in" name="protocol" type="s"/>
+ <arg direction="out" type="b"/>
+ </method>
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getModules"]]], 0, [dnl
+ <method name="getModules">
+ <arg direction="out" type="as"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="setModules"]]], 0, [dnl
+ <method name="setModules">
+ <arg direction="in" name="modules" type="as"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="addModule"]]], 0, [dnl
+ <method name="addModule">
+ <arg direction="in" name="module" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="removeModule"]]], 0, [dnl
+ <method name="removeModule">
+ <arg direction="in" name="module" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="queryModule"]]], 0, [dnl
+ <method name="queryModule">
+ <arg direction="in" name="module" type="s"/>
+ <arg direction="out" type="b"/>
+ </method>
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getDestinations"]]], 0, [dnl
+ <method name="getDestinations">
+ <arg direction="out" type="a{ss}"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="setDestinations"]]], 0, [dnl
+ <method name="setDestinations">
+ <arg direction="in" name="destinations" type="a{ss}"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="setDestination"]]], 0, [dnl
+ <method name="setDestination">
+ <arg direction="in" name="family" type="s"/>
+ <arg direction="in" name="address" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getDestination"]]], 0, [dnl
+ <method name="getDestination">
+ <arg direction="in" name="family" type="s"/>
+ <arg direction="out" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="removeDestination"]]], 0, [dnl
+ <method name="removeDestination">
+ <arg direction="in" name="family" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="queryDestination"]]], 0, [dnl
+ <method name="queryDestination">
+ <arg direction="in" name="family" type="s"/>
+ <arg direction="in" name="address" type="s"/>
+ <arg direction="out" type="b"/>
+ </method>
+])
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getIncludes"]]], 0, [dnl
+ <method name="getIncludes">
+ <arg direction="out" type="as"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="setIncludes"]]], 0, [dnl
+ <method name="setIncludes">
+ <arg direction="in" name="includes" type="as"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="addInclude"]]], 0, [dnl
+ <method name="addInclude">
+ <arg direction="in" name="include" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="removeInclude"]]], 0, [dnl
+ <method name="removeInclude">
+ <arg direction="in" name="include" type="s"/>
+ </method>
+])
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="queryInclude"]]], 0, [dnl
+ <method name="queryInclude">
+ <arg direction="in" name="include" type="s"/>
+ <arg direction="out" type="b"/>
+ </method>
+])
+
+FWD_RELOAD
+DBUS_INTROSPECT([], [[//method[@name="getServiceSettings"]]], 0, [dnl
+ <method name="getServiceSettings">
+ <arg direction="in" name="service" type="s"/>
+ <arg direction="out" type="(sssa(ss)asa{ss}asa(ss))"/>
+ </method>
+])
+DBUS_CHECK([], [getServiceSettings], ["foobar"], 0, [dnl
+ [(('1.1', 'foobar new', 'foobar new service is for foobar', [('12345', 'udp'), ('2222', 'tcp')], ['ftp'], @a{ss} {}, ['icmp'], [('4321', 'tcp')]),)]
+])
+
+FWD_END_TEST
--
2.20.1

72
SOURCES/0015-test-integration-NM-zone-overrides-interface-on-relo.patch Normal file
View File

@ -0,0 +1,72 @@
From f8283f747843e50d6d088bc864ae232744a085d5 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 16 Dec 2019 13:33:08 -0500
Subject: [PATCH 15/37] test: integration: NM zone overrides interface on
reload
Coverage for rhbz 1773809
(cherry picked from commit ea97fb2bde6fb683b1ba2c41882d6d4f63299255)
(cherry picked from commit 04b8394c0a8344d5225b0716e23dc0558d2fc594)
---
src/tests/integration/networkmanager.at | 2 ++
src/tests/integration/rhbz1773809.at | 27 +++++++++++++++++++++++++
src/tests/integration/testsuite.at | 1 +
3 files changed, 30 insertions(+)
create mode 100644 src/tests/integration/networkmanager.at
create mode 100644 src/tests/integration/rhbz1773809.at
diff --git a/src/tests/integration/networkmanager.at b/src/tests/integration/networkmanager.at
new file mode 100644
index 000000000000..08cf6d28451a
--- /dev/null
+++ b/src/tests/integration/networkmanager.at
@@ -0,0 +1,2 @@
+AT_BANNER([NetworkManager (FIREWALL_BACKEND)])
+m4_include([integration/rhbz1773809.at])
diff --git a/src/tests/integration/rhbz1773809.at b/src/tests/integration/rhbz1773809.at
new file mode 100644
index 000000000000..e58a4337c716
--- /dev/null
+++ b/src/tests/integration/rhbz1773809.at
@@ -0,0 +1,27 @@
+FWD_START_TEST([NM overrides interface on reload])
+AT_KEYWORDS(zone reload rhbz1773809)
+
+START_NETWORKMANAGER
+
+NMCLI_CHECK([connection add type dummy con-name dummy0 ifname dummy0 ip4 10.0.0.2 gw4 10.0.0.1], 0, [ignore])
+echo NS_CMD([nmcli connection delete dummy0]) >> ./cleanup
+NMCLI_CHECK([connection show dummy0], 0, [ignore])
+NMCLI_CHECK([connection up dummy0], 0, [ignore])
+
+dnl Use firewall-offline-cmd otherwise the request will be forwarded to
+dnl NetworkManager.
+FWD_OFFLINE_CHECK([-q --zone internal --add-interface dummy0])
+FWD_RELOAD
+
+dnl firewall-cmd should forward the request to NetworkManager.
+FWD_CHECK([-q --permanent --zone trusted --change-interface dummy0])
+NMCLI_CHECK([-f connection.zone connection show dummy0], 0, [dnl
+connection.zone: trusted
+])
+
+FWD_RELOAD
+FWD_CHECK([--get-zone-of-interface dummy0], 0, [dnl
+trusted
+])
+
+FWD_END_TEST
diff --git a/src/tests/integration/testsuite.at b/src/tests/integration/testsuite.at
index bbaf07a191b9..6c957033bae2 100644
--- a/src/tests/integration/testsuite.at
+++ b/src/tests/integration/testsuite.at
@@ -8,4 +8,5 @@ m4_define([m4_include], [m4_builtin([include], [$1])])
m4_include([functions.at])
m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+ m4_include([integration/networkmanager.at])
])
--
2.23.0

362
SOURCES/0016-fix-dbus-new-dict-based-APIs-for-services.patch
View File

@ -1,362 +0,0 @@
From 08101a69d8b06f176c6f5e975ddfc1a562864bd2 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 19 Jun 2019 17:52:55 -0400
Subject: [PATCH 16/20] fix: dbus: new dict based APIs for services
Since we can't change the dbus APIs, we need new ones that are more
flexible. This adds a few for manipulating services using a dictionary
of key,value pairs. All new code should use these new APIs. The old APIs
have been marked deprecated.
Fixes: 1fc208bf9317 ("feat: service includes")
(cherry picked from commit bbadd3943dabcc11e864223503a46144b0c03007)
---
doc/xml/firewalld.dbus.xml | 92 +++++++++++++++++++--------
src/firewall/core/io/service.py | 19 +++---
src/firewall/server/config.py | 18 +++++-
src/firewall/server/config_service.py | 24 ++++++-
src/firewall/server/firewalld.py | 13 +++-
5 files changed, 123 insertions(+), 43 deletions(-)
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index cb4e1eac0fb9..4a81e8e61858 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -241,13 +241,22 @@
</para>
</listitem>
</varlistentry>
- <varlistentry id="FirewallD1.Methods.getServiceSettings">
+ <varlistentry id="FirewallD1.Methods.getServiceSettings">
+ <annotation name="org.freedesktop.DBus.Deprecated" />
<term><methodname>getServiceSettings</methodname>(s: <parameter>service</parameter>) &rarr; (sssa(ss)asa{ss}asa(ss))</term>
+ <listitem>
+ <para>
+ This function is deprecated, use <link linkend="FirewallD1.Methods.getServiceSettings2">org.fedoraproject.FirewallD1.Methods.getServiceSettings2</link> instead.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry id="FirewallD1.Methods.getServiceSettings2">
+ <term><methodname>getServiceSettings2</methodname>(s: <parameter>service</parameter>) &rarr; s{sv}</term>
<listitem>
<para>
Return runtime settings of given <replaceable>service</replaceable>.
- For getting permanent settings see <link linkend="FirewallD1.config.service.Methods.getSettings">org.fedoraproject.FirewallD1.config.service.Methods.getSettings</link>.
- Settings are in format: <parameter>version</parameter>, <parameter>name</parameter>, <parameter>description</parameter>, array of <parameter>ports</parameter> (port, protocol), array of <parameter>module names</parameter>, dictionary of <parameter>destinations</parameter>, array of <parameter>protocols</parameter>, array of <parameter>source-ports</parameter> (port, protocol).
+ For getting permanent settings see <link linkend="FirewallD1.config.service.Methods.getSettings2">org.fedoraproject.FirewallD1.config.service.Methods.getSettings2</link>.
+ Settings are a dictionary indexed by keywords. For the type of each value see below. If the value is empty it may be ommitted.
</para>
<para>
<variablelist>
@@ -258,12 +267,13 @@
<varlistentry><term><parameter>module names (as)</parameter>: array of kernel netfilter helpers, see <literal>module</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
<varlistentry><term><parameter>destinations (a{ss})</parameter>: dictionary of {IP family : IP address} where 'IP family' key can be either 'ipv4' or 'ipv6'. See <literal>destination</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
<varlistentry><term><parameter>protocols (as)</parameter>: array of protocols, see <literal>protocol</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
- <varlistentry><term><parameter>source-ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>source-port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>source_ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>source-port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>includes (as)</parameter>: array of service includes, see <literal>include</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
</variablelist>
</para>
- <para>
- Possible errors: INVALID_SERVICE
- </para>
+ <para>
+ Possible errors: INVALID_SERVICE
+ </para>
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.Methods.getZoneSettings">
@@ -2293,12 +2303,20 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Methods.addService">
+ <annotation name="org.freedesktop.DBus.Deprecated" />
<term><methodname>addService</methodname>(s: service, (sssa(ss)asa{ss}asa(ss)): settings) &rarr; o</term>
<listitem>
<para>
- Add <replaceable>service</replaceable> with given <replaceable>settings</replaceable> into permanent configuration.
- Settings are in format: <parameter>version</parameter>, <parameter>name</parameter>, <parameter>description</parameter>, array of <parameter>ports</parameter> (port, protocol), array of <parameter>module names</parameter>, dictionary of <parameter>destinations</parameter>, array of <parameter>protocols</parameter> and array of <parameter>source-ports</parameter> (port, protocol).
- Returns object path of the new icmp type.
+ This function is deprecated, use <link linkend="FirewallD1.config.Methods.addService2">org.fedoraproject.FirewallD1.config.Methods.addService2</link> instead.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry id="FirewallD1.config.Methods.addService2">
+ <term><methodname>addService2</methodname>s: service, a{sv}: settings) &rarr; o</term>
+ <listitem>
+ <para>
+ Add <replaceable>service</replaceable> with given <replaceable>settings</replaceable> into permanent configuration.
+ Settings are a dictionary indexed by keywords. For the type of each value see below. To zero a value pass an empty string or list.
</para>
<para>
<variablelist>
@@ -2308,13 +2326,14 @@
<varlistentry><term><parameter>ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
<varlistentry><term><parameter>module names (as)</parameter>: array of kernel netfilter helpers, see <literal>module</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
<varlistentry><term><parameter>destinations (a{ss})</parameter>: dictionary of {IP family : IP address} where 'IP family' key can be either 'ipv4' or 'ipv6'. See <literal>destination</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
- <varlistentry><term><parameter>protocols (as)</parameter>: array of protocols. See <literal>protocol</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
- <varlistentry><term><parameter>source-ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>source-port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>protocols (as)</parameter>: array of protocols, see <literal>protocol</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>source_ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>source-port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>includes (as)</parameter>: array of service includes, see <literal>include</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
</variablelist>
</para>
- <para>
- Possible errors: NAME_CONFLICT, INVALID_NAME, INVALID_TYPE
- </para>
+ <para>
+ Possible errors: NAME_CONFLICT, INVALID_NAME, INVALID_TYPE
+ </para>
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Methods.addZone">
@@ -4500,12 +4519,21 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.service.Methods.getSettings">
+ <annotation name="org.freedesktop.DBus.Deprecated" />
<term><methodname>getSettings</methodname>() &rarr; (sssa(ss)asa{ss}asa(ss))</term>
<listitem>
<para>
- Return permanent settings of a <replaceable>service</replaceable>.
- For getting runtime settings see <link linkend="FirewallD1.Methods.getServiceSettings">org.fedoraproject.FirewallD1.Methods.getServiceSettings</link>.
- Settings are in format: <parameter>version</parameter>, <parameter>name</parameter>, <parameter>description</parameter>, array of <parameter>ports</parameter> (port, protocol), array of <parameter>module names</parameter>, dictionary of <parameter>destinations</parameter>, array of <parameter>protocols</parameter> and array of <parameter>source-ports</parameter> (port, protocol).
+ This function is deprecated, use <link linkend="FirewallD1.config.service.Methods.getSettings2">org.fedoraproject.FirewallD1.config.service.Methods.getSettings2</link> instead.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry id="FirewallD1.config.service.Methods.getSettings2">
+ <term><methodname>getSettings2</methodname>(s: <parameter>service</parameter>) &rarr; s{sv}</term>
+ <listitem>
+ <para>
+ Return runtime settings of given <replaceable>service</replaceable>.
+ For getting runtime settings see <link linkend="FirewallD1.Methods.getServiceSettings2">org.fedoraproject.FirewallD1.Methods.getServiceSettings2</link>.
+ Settings are a dictionary indexed by keywords. For the type of each value see below. If the value is empty it may be ommitted.
</para>
<para>
<variablelist>
@@ -4515,8 +4543,9 @@
<varlistentry><term><parameter>ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
<varlistentry><term><parameter>module names (as)</parameter>: array of kernel netfilter helpers, see <literal>module</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
<varlistentry><term><parameter>destinations (a{ss})</parameter>: dictionary of {IP family : IP address} where 'IP family' key can be either 'ipv4' or 'ipv6'. See <literal>destination</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
- <varlistentry><term><parameter>protocols (as)</parameter>: array of protocols. See <literal>protocol</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
- <varlistentry><term><parameter>source-ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>source-port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>protocols (as)</parameter>: array of protocols, see <literal>protocol</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>source_ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>source-port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>includes (as)</parameter>: array of service includes, see <literal>include</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
</variablelist>
</para>
</listitem>
@@ -4774,11 +4803,20 @@
</listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.service.Methods.update">
+ <annotation name="org.freedesktop.DBus.Deprecated" />
<term><methodname>update</methodname>((sssa(ss)asa{ss}asa(ss)): settings) &rarr; Nothing</term>
<listitem>
<para>
- Update settings of service to <replaceable>settings</replaceable>.
- Settings are in format: <parameter>version</parameter>, <parameter>name</parameter>, <parameter>description</parameter>, array of <parameter>ports</parameter> (port, protocol), array of <parameter>module names</parameter>, dictionary of <parameter>destinations</parameter>, array of <parameter>protocols</parameter> and array of <parameter>source-ports</parameter> (port, protocol).
+ This function is deprecated, use <link linkend="FirewallD1.config.service.Methods.update2">org.fedoraproject.FirewallD1.config.service.Methods.update2</link> instead.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry id="FirewallD1.config.service.Methods.update2">
+ <term><methodname>update2</methodname>a{sv}: settings) &rarr; Nothing</term>
+ <listitem>
+ <para>
+ Update settings of service to <replaceable>settings</replaceable>.
+ Settings are a dictionary indexed by keywords. For the type of each value see below. To zero a value pass an empty string or list.
</para>
<para>
<variablelist>
@@ -4788,12 +4826,14 @@
<varlistentry><term><parameter>ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
<varlistentry><term><parameter>module names (as)</parameter>: array of kernel netfilter helpers, see <literal>module</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
<varlistentry><term><parameter>destinations (a{ss})</parameter>: dictionary of {IP family : IP address} where 'IP family' key can be either 'ipv4' or 'ipv6'. See <literal>destination</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
- <varlistentry><term><parameter>protocols (as)</parameter>: array of protocols. See <literal>protocol</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>protocols (as)</parameter>: array of protocols, see <literal>protocol</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>source_ports (a(ss))</parameter>: array of port and protocol pairs. See <literal>source-port</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
+ <varlistentry><term><parameter>includes (as)</parameter>: array of service includes, see <literal>include</literal> tag in <citerefentry><refentrytitle>firewalld.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</term></varlistentry>
</variablelist>
</para>
- <para>
- Possible errors: INVALID_TYPE
- </para>
+ <para>
+ Possible errors: INVALID_TYPE
+ </para>
</listitem>
</varlistentry>
</variablelist>
diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py
index 44dc0ff8a9b0..8236d3078fbe 100644
--- a/src/firewall/core/io/service.py
+++ b/src/firewall/core/io/service.py
@@ -39,17 +39,16 @@ from firewall.errors import FirewallError
class Service(IO_Object):
IMPORT_EXPORT_STRUCTURE = (
- ( "version", "" ), # s
- ( "short", "" ), # s
- ( "description", "" ), # s
- ( "ports", [ ( "", "" ), ], ), # a(ss)
- ( "modules", [ "", ], ), # as
- ( "destination", { "": "", }, ), # a{ss}
- ( "protocols", [ "", ], ), # as
- ( "source_ports", [ ( "", "" ), ], ), # a(ss)
- ( "includes", [ "" ], ), # as
+ ( "version", "" ),
+ ( "short", "" ),
+ ( "description", "" ),
+ ( "ports", [ ( "", "" ), ], ),
+ ( "modules", [ "", ], ),
+ ( "destination", { "": "", }, ),
+ ( "protocols", [ "", ], ),
+ ( "source_ports", [ ( "", "" ), ], ),
+ ( "includes", [ "" ], ),
)
- DBUS_SIGNATURE = '(sssa(ss)asa{ss}asa(ss))'
ADDITIONAL_ALNUM_CHARS = [ "_", "-" ]
PARSER_REQUIRED_ELEMENT_ATTRS = {
"short": None,
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index 971dc7d4a14a..e03c4984e058 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -41,7 +41,6 @@ from firewall.server.config_zone import FirewallDConfigZone
from firewall.server.config_ipset import FirewallDConfigIPSet
from firewall.server.config_helper import FirewallDConfigHelper
from firewall.core.io.zone import Zone
-from firewall.core.io.service import Service
from firewall.core.io.icmptype import IcmpType
from firewall.core.io.ipset import IPSet
from firewall.core.io.helper import Helper
@@ -1065,7 +1064,7 @@ class FirewallDConfig(slip.dbus.service.Object):
raise FirewallError(errors.INVALID_SERVICE, service)
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG,
- in_signature='s'+Service.DBUS_SIGNATURE,
+ in_signature='s(sssa(ss)asa{ss}asa(ss))',
out_signature='o')
@dbus_handle_exceptions
def addService(self, service, settings, sender=None):
@@ -1079,6 +1078,21 @@ class FirewallDConfig(slip.dbus.service.Object):
config_service = self._addService(obj)
return config_service
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG,
+ in_signature='sa{sv}',
+ out_signature='o')
+ @dbus_handle_exceptions
+ def addService2(self, service, settings, sender=None):
+ """add service with given name and settings
+ """
+ service = dbus_to_python(service, str)
+ settings = dbus_to_python(settings)
+ log.debug1("config.addService2('%s')", service)
+ self.accessCheck(sender)
+ obj = self.config.new_service_dict(service, settings)
+ config_service = self._addService(obj)
+ return config_service
+
@dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG, signature='s')
@dbus_handle_exceptions
def ServiceAdded(self, service):
diff --git a/src/firewall/server/config_service.py b/src/firewall/server/config_service.py
index 05ded1c78da7..3236b3aee135 100644
--- a/src/firewall/server/config_service.py
+++ b/src/firewall/server/config_service.py
@@ -32,7 +32,6 @@ from firewall import config
from firewall.dbus_utils import dbus_to_python, \
dbus_introspection_prepare_properties, \
dbus_introspection_add_properties
-from firewall.core.io.service import Service
from firewall.core.logger import log
from firewall.server.decorators import handle_exceptions, \
dbus_handle_exceptions, dbus_service_method
@@ -173,7 +172,7 @@ class FirewallDConfigService(slip.dbus.service.Object):
# S E T T I N G S
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
- out_signature=Service.DBUS_SIGNATURE)
+ out_signature='(sssa(ss)asa{ss}asa(ss))')
@dbus_handle_exceptions
def getSettings(self, sender=None): # pylint: disable=W0613
"""get settings for service
@@ -182,7 +181,16 @@ class FirewallDConfigService(slip.dbus.service.Object):
return self.config.get_service_config(self.obj)
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
- in_signature=Service.DBUS_SIGNATURE)
+ out_signature='a{sv}')
+ @dbus_handle_exceptions
+ def getSettings2(self, sender=None):
+ """get settings for service
+ """
+ log.debug1("%s.getSettings2()", self._log_prefix)
+ return self.config.get_service_config_dict(self.obj)
+
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
+ in_signature='(sssa(ss)asa{ss}asa(ss))')
@dbus_handle_exceptions
def update(self, settings, sender=None):
"""update settings for service
@@ -193,6 +201,16 @@ class FirewallDConfigService(slip.dbus.service.Object):
self.obj = self.config.set_service_config(self.obj, settings)
self.Updated(self.obj.name)
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
+ in_signature='a{sv}')
+ @dbus_handle_exceptions
+ def update2(self, settings, sender=None):
+ settings = dbus_to_python(settings)
+ log.debug1("%s.update2('...')", self._log_prefix)
+ self.parent.accessCheck(sender)
+ self.obj = self.config.set_service_config_dict(self.obj, settings)
+ self.Updated(self.obj.name)
+
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE)
@dbus_handle_exceptions
def loadDefaults(self, sender=None):
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
index 233160b64b18..06c2834c602e 100644
--- a/src/firewall/server/firewalld.py
+++ b/src/firewall/server/firewalld.py
@@ -49,7 +49,6 @@ from firewall.dbus_utils import dbus_to_python, \
from firewall.core.io.functions import check_config
from firewall.core.io.zone import Zone
from firewall.core.io.ipset import IPSet
-from firewall.core.io.service import Service
from firewall.core.io.icmptype import IcmpType
from firewall.core.io.helper import Helper
from firewall.core.fw_nm import nm_get_bus_name, nm_get_connection_of_interface, \
@@ -916,7 +915,7 @@ class FirewallD(slip.dbus.service.Object):
@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='s',
- out_signature=Service.DBUS_SIGNATURE)
+ out_signature='(sssa(ss)asa{ss}asa(ss))')
@dbus_handle_exceptions
def getServiceSettings(self, service, sender=None): # pylint: disable=W0613
# returns service settings for service
@@ -934,6 +933,16 @@ class FirewallD(slip.dbus.service.Object):
conf_list.append(conf_dict[obj.IMPORT_EXPORT_STRUCTURE[i][0]])
return tuple(conf_list)
+ @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
+ @dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='s',
+ out_signature='a{sv}')
+ @dbus_handle_exceptions
+ def getServiceSettings2(self, service, sender=None): # pylint: disable=W0613
+ service = dbus_to_python(service, str)
+ log.debug1("getServiceSettings2(%s)", service)
+ obj = self.fw.service.get_service(service)
+ return obj.export_config()
+
@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
out_signature='as')
--
2.20.1

54
SOURCES/0016-test-check-container-also-run-check-integration.patch Normal file
View File

@ -0,0 +1,54 @@
From d411807ff46fa6faf8410d994c2f39520b8fc2dc Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 16 Dec 2019 13:36:12 -0500
Subject: [PATCH 16/37] test: check-container: also run check-integration
This ties the integration tests into the "check-container" target.
NOTE: We force "-j1" because the integration tests must be run serially.
(cherry picked from commit c1c8156e267d3680959d9bc8ac092d829bac6719)
(cherry picked from commit fbfc230ed2c2082d0e55b25e551ebc241f7efdf2)
---
src/tests/Makefile.am | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index c00c198bf9bb..bf028c7c5389 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -55,12 +55,13 @@ check-container-debian-sid:
xsltproc docbook-xsl docbook-xml iptables ipset ebtables \
nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \
python3-dbus python3-gi python3-slip-dbus python3-nftables \
- procps && \
+ procps network-manager gir1.2-nm-1.0 && \
apt-get install -y libnftables-dev && \
./autogen.sh && \
./configure PYTHON=/usr/bin/python3 && \
make && \
- make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
+ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \
+ make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" "
check-container-fedora-rawhide:
(cd $(abs_top_srcdir) && tar -c . ) | \
@@ -71,12 +72,14 @@ check-container-fedora-rawhide:
docbook-style-xsl file gettext glib2-devel intltool ipset \
iptables iptables-nft libtool libxml2 libxslt make nftables \
python3-nftables python3-slip-dbus python3-gobject-base \
- diffutils procps-ng iproute which dbus-daemon && \
+ diffutils procps-ng iproute which dbus-daemon \
+ NetworkManager && \
alternatives --set ebtables /usr/sbin/ebtables-nft && \
./autogen.sh && \
./configure PYTHON=/usr/bin/python3 && \
make && \
- make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" "
+ make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \
+ make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" "
check-container: check-container-debian-sid
check-container: check-container-fedora-rawhide
--
2.23.0

36
SOURCES/0017-doc-README-add-note-about-integration-tests.patch Normal file
View File

@ -0,0 +1,36 @@
From 4b8338a4635b8485b2890072e89f16e39e30ab29 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 17 Dec 2019 13:04:22 -0500
Subject: [PATCH 17/37] doc: README: add note about integration tests
(cherry picked from commit 18be66cf7e914b128e954c1e97ce29f542ee5fdd)
(cherry picked from commit c3a581d1acc713c2f8a74109e00690c649d4204f)
---
README | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/README b/README
index 9cb2ef4a15b7..287a3021b633 100644
--- a/README
+++ b/README
@@ -102,10 +102,15 @@ Or just the keywords
|awk '/^[[:space:]]*[[:digit:]]+/{getline; print $0}' \
|tr ' ' '\n' |sort |uniq
+There are integration tests. Currently this includes NetworkManager. These may
+be _destructive_ to the host. Run them in a disposable VM or container.
+
+ make check-integration
+
There is also a check-container target that will run the testsuite inside
various podman/docker containers. This is useful for coverage of multiple
-distributions. As a bonus, it allows us to run tests that may be destructive to
-the host (container) such as NetworkManager integration tests.
+distributions. It also runs tests that may be destructive to the host such as
+integration tests.
make check-container TESTSUITEFLAGS="-j4"
--
2.23.0

186
SOURCES/0017-test-dbus-coverage-for-new-service-APIs.patch
View File

@ -1,186 +0,0 @@
From 99ecd06f1f6028bcf9bd7d4ece7f3ce8df39077b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 25 Jun 2019 18:19:08 -0400
Subject: [PATCH 17/20] test: dbus: coverage for new service APIs
(cherry picked from commit 335f238481401e97f3a9bc6773295fe34c89962c)
---
src/tests/dbus/service.at | 165 +++++++++++++++++++++++++++++++++++++-
1 file changed, 164 insertions(+), 1 deletion(-)
diff --git a/src/tests/dbus/service.at b/src/tests/dbus/service.at
index 579548d66509..8ad9334aaa56 100644
--- a/src/tests/dbus/service.at
+++ b/src/tests/dbus/service.at
@@ -287,4 +287,167 @@ DBUS_CHECK([], [getServiceSettings], ["foobar"], 0, [dnl
[(('1.1', 'foobar new', 'foobar new service is for foobar', [('12345', 'udp'), ('2222', 'tcp')], ['ftp'], @a{ss} {}, ['icmp'], [('4321', 'tcp')]),)]
])
-FWD_END_TEST
+
+dnl ===============
+dnl New APIs tests
+dnl ===============
+
+dnl modify service with new API that was created with old API
+dnl Verify old APIs also reflect the change.
+DBUS_CHECK([config], [config.addService],
+ ["foobar-old" dnl name
+ '("1.0", dnl version
+ "foobar-old", dnl short
+ "foobar-old service is for foobar-old", dnl description
+ @<:@("1234", "udp"), ("22", "tcp"), ("1234", "udp")@:>@, dnl ports, deliberate duplicate
+ @<:@"ftp"@:>@, dnl modules
+ {}, dnl destination
+ @<:@@:>@, dnl protocols
+ @<:@("4321", "tcp"), ("4321", "udp")@:>@ dnl source ports
+ )'dnl
+ ], 0, [stdout])
+SERVICE_OBJ=[$(sed -e "s/.*config\/service\/\([^']\+\)['].*/\1/" ./stdout)]
+export SERVICE_OBJ
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.update2],
+ ['{"version": <"1.1">,
+ "includes": <@<:@"https"@:>@>,
+ "protocols": <@<:@"icmp"@:>@>
+ }'dnl
+ ], 0, [ignore])
+
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.getSettings], [], 0, [dnl
+ [(('1.1', 'foobar-old', 'foobar-old service is for foobar-old', [('1234', 'udp'), ('22', 'tcp')], ['ftp'], @a{ss} {}, ['icmp'], [('4321', 'tcp'), ('4321', 'udp')]),)]
+])
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.getSettings2], [], 0, [dnl
+ ['description': <'foobar-old service is for foobar-old'>
+ 'includes': <['https']>
+ 'modules': <['ftp']>
+ 'ports': <[('1234', 'udp'), ('22', 'tcp')]>
+ 'protocols': <['icmp']>
+ 'short': <'foobar-old'>
+ 'source_ports': <[('4321', 'tcp'), ('4321', 'udp')]>
+ 'version': <'1.1'>]
+])
+
+FWD_RELOAD
+DBUS_CHECK([], [getServiceSettings], ["foobar-old"], 0, [dnl
+ [(('1.1', 'foobar-old', 'foobar-old service is for foobar-old', [('1234', 'udp'), ('22', 'tcp')], ['ftp'], @a{ss} {}, ['icmp'], [('4321', 'tcp'), ('4321', 'udp')]),)]
+])
+DBUS_CHECK([], [getServiceSettings2], ["foobar-old"], 0, [dnl
+ ['description': <'foobar-old service is for foobar-old'>
+ 'includes': <['https']>
+ 'modules': <['ftp']>
+ 'ports': <[('1234', 'udp'), ('22', 'tcp')]>
+ 'protocols': <['icmp']>
+ 'short': <'foobar-old'>
+ 'source_ports': <[('4321', 'tcp'), ('4321', 'udp')]>
+ 'version': <'1.1'>]
+])
+
+dnl add service with new API
+DBUS_INTROSPECT([config], [[//method[@name="addService2"]]], 0, [dnl
+ <method name="addService2">
+ <arg direction="in" name="service" type="s"/>
+ <arg direction="in" name="settings" type="a{sv}"/>
+ <arg direction="out" type="o"/>
+ </method>
+])
+DBUS_CHECK([config], [config.addService2],
+ ["foobar-dict" dnl name
+ '{"version": <"1.0">,
+ "short": <"foobar-dict">,
+ "description": <"foobar-dict service is for foobar-dict">,
+ "ports": <@<:@("1234", "udp"), ("22", "tcp"), ("1234", "udp")@:>@>,
+ "modules": <@<:@"ftp"@:>@>,
+ "destination": <{"ipv6": "1234::4321"}>,
+ "protocols": <@<:@"icmp", "igmp"@:>@>,
+ "source_ports": <@<:@("4321", "tcp"), ("4321", "udp")@:>@>,
+ "includes": <@<:@"https", "samba"@:>@>
+ }'dnl
+ ], 0, [stdout])
+SERVICE_OBJ=[$(sed -e "s/.*config\/service\/\([^']\+\)['].*/\1/" ./stdout)]
+export SERVICE_OBJ
+
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="getSettings2"]]], 0, [dnl
+ <method name="getSettings2">
+ <arg direction="out" type="a{sv}"/>
+ </method>
+])
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.getSettings2], [], 0, [dnl
+ ['description': <'foobar-dict service is for foobar-dict'>
+ 'destination': <{'ipv6': '1234::4321'}>
+ 'includes': <['https', 'samba']>
+ 'modules': <['ftp']>
+ 'ports': <[('1234', 'udp'), ('22', 'tcp')]>
+ 'protocols': <['icmp', 'igmp']>
+ 'short': <'foobar-dict'>
+ 'source_ports': <[('4321', 'tcp'), ('4321', 'udp')]>
+ 'version': <'1.0'>]
+])
+
+dnl New API allows partial updates to service object
+DBUS_INTROSPECT([config/service/${SERVICE_OBJ}], [[//method[@name="update2"]]], 0, [dnl
+ <method name="update2">
+ <arg direction="in" name="settings" type="a{sv}"/>
+ </method>
+])
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.update2],
+ ['{"version": <"1.1">,
+ "includes": <@<:@"https", "samba", "http"@:>@>
+ }'dnl
+ ], 0, [ignore])
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.getSettings2], [], 0, [dnl
+ ['description': <'foobar-dict service is for foobar-dict'>
+ 'destination': <{'ipv6': '1234::4321'}>
+ 'includes': <['https', 'samba', 'http']>
+ 'modules': <['ftp']>
+ 'ports': <[('1234', 'udp'), ('22', 'tcp')]>
+ 'protocols': <['icmp', 'igmp']>
+ 'short': <'foobar-dict'>
+ 'source_ports': <[('4321', 'tcp'), ('4321', 'udp')]>
+ 'version': <'1.1'>]
+])
+
+dnl To zero a field you have to set it with an empty value
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.update2],
+ ['{"version": <"1.2">,
+ "includes": <@as @<:@@:>@>
+ }'dnl
+ ], 0, [ignore])
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.getSettings2], [], 0, [dnl
+ ['description': <'foobar-dict service is for foobar-dict'>
+ 'destination': <{'ipv6': '1234::4321'}>
+ 'modules': <['ftp']>
+ 'ports': <[('1234', 'udp'), ('22', 'tcp')]>
+ 'protocols': <['icmp', 'igmp']>
+ 'short': <'foobar-dict'>
+ 'source_ports': <[('4321', 'tcp'), ('4321', 'udp')]>
+ 'version': <'1.2'>]
+])
+
+FWD_RELOAD
+DBUS_INTROSPECT([], [[//method[@name="getServiceSettings2"]]], 0, [dnl
+ <method name="getServiceSettings2">
+ <arg direction="in" name="service" type="s"/>
+ <arg direction="out" type="a{sv}"/>
+ </method>
+])
+DBUS_CHECK([], [getServiceSettings2], ["foobar-dict"], 0, [dnl
+ ['description': <'foobar-dict service is for foobar-dict'>
+ 'destination': <{'ipv6': '1234::4321'}>
+ 'modules': <['ftp']>
+ 'ports': <[('1234', 'udp'), ('22', 'tcp')]>
+ 'protocols': <['icmp', 'igmp']>
+ 'short': <'foobar-dict'>
+ 'source_ports': <[('4321', 'tcp'), ('4321', 'udp')]>
+ 'version': <'1.2'>]
+])
+
+dnl bogus arguments
+DBUS_CHECK([config/service/${SERVICE_OBJ}], [config.service.update2],
+ ['{"version": <"1.3">,
+ "thisdoesnotexist": <"">
+ }'dnl
+ ], 1, [ignore], [ignore])
+
+FWD_END_TEST([-e '/ERROR: INVALID_OPTION: service option/d'])
--
2.20.1

684
SOURCES/0018-chore-update-translations.patch Normal file
View File

@ -0,0 +1,684 @@
From 98b36302a635c70a0b986d7f77a310d13fcca259 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 7 Jan 2020 09:22:42 -0500
Subject: [PATCH 18/37] chore: update translations
(cherry picked from commit cfe26b5f4febf0c9c8c4935750702f0257b5a7b7)
---
po/ar.po | 2 +-
po/as.po | 2 +-
po/bg.po | 2 +-
po/bn_IN.po | 2 +-
po/ca.po | 2 +-
po/cs.po | 2 +-
po/da.po | 2 +-
po/de.po | 2 +-
po/el.po | 2 +-
po/en_GB.po | 2 +-
po/en_US.po | 2 +-
po/es.po | 2 +-
po/et.po | 2 +-
po/eu.po | 2 +-
po/fi.po | 2 +-
po/fr.po | 2 +-
po/gl.po | 2 +-
po/gu.po | 2 +-
po/hi.po | 2 +-
po/hu.po | 2 +-
po/ia.po | 2 +-
po/id.po | 2 +-
po/it.po | 2 +-
po/ja.po | 2 +-
po/ka.po | 2 +-
po/kn.po | 2 +-
po/ko.po | 2 +-
po/lt.po | 2 +-
po/ml.po | 2 +-
po/mr.po | 2 +-
po/nl.po | 2 +-
po/or.po | 2 +-
po/pa.po | 2 +-
po/pl.po | 2 +-
po/pt.po | 2 +-
po/pt_BR.po | 2 +-
po/ru.po | 2 +-
po/sk.po | 2 +-
po/sq.po | 2 +-
po/sr.po | 2 +-
po/sr@latin.po | 2 +-
po/sv.po | 2 +-
po/ta.po | 2 +-
po/te.po | 2 +-
po/tr.po | 2 +-
po/uk.po | 2 +-
po/zh_CN.po | 2 +-
po/zh_TW.po | 2 +-
48 files changed, 48 insertions(+), 48 deletions(-)
diff --git a/po/ar.po b/po/ar.po
index 7eaed07251dd..8abfdee73473 100644
--- a/po/ar.po
+++ b/po/ar.po
@@ -17,7 +17,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:20+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Arabic (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/as.po b/po/as.po
index 8fc9f12fb92a..16999c36c1d8 100644
--- a/po/as.po
+++ b/po/as.po
@@ -13,7 +13,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:15+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Assamese (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/bg.po b/po/bg.po
index 4f4a50bac50b..d2df33305874 100644
--- a/po/bg.po
+++ b/po/bg.po
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:43+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Bulgarian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/bn_IN.po b/po/bn_IN.po
index 3c840080f831..72c8591392de 100644
--- a/po/bn_IN.po
+++ b/po/bn_IN.po
@@ -13,7 +13,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:43+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Bengali (India) (http://www.transifex.com/projects/p/"
diff --git a/po/ca.po b/po/ca.po
index 2802c368224b..d2d8ec80af9c 100644
--- a/po/ca.po
+++ b/po/ca.po
@@ -19,7 +19,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-08-20 10:43+0000\n"
"Last-Translator: Robert Antoni Buj Gelonch <rbuj@fedoraproject.org>\n"
"Language-Team: Catalan (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/cs.po b/po/cs.po
index 66870f4b7e64..7319d3748f0a 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -27,7 +27,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2019-06-14 06:09+0000\n"
"Last-Translator: Pavel Borecki <pavel.borecki@gmail.com>\n"
"Language-Team: Czech (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/da.po b/po/da.po
index 98dfb5b4bebb..978936ce8f5d 100644
--- a/po/da.po
+++ b/po/da.po
@@ -13,7 +13,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-09-20 10:43+0000\n"
"Last-Translator: scootergrisen <scootergrisen@gmail.com>\n"
"Language-Team: Danish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/de.po b/po/de.po
index a27d39c56547..dd610cfed621 100644
--- a/po/de.po
+++ b/po/de.po
@@ -40,7 +40,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:22+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: German (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/el.po b/po/el.po
index 5227bfc9bf4f..26d4a55dc0ba 100644
--- a/po/el.po
+++ b/po/el.po
@@ -16,7 +16,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:27+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Greek (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/en_GB.po b/po/en_GB.po
index b617e4379dd5..d739c60136bd 100644
--- a/po/en_GB.po
+++ b/po/en_GB.po
@@ -11,7 +11,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:44+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: English (United Kingdom) (http://www.transifex.com/projects/p/"
diff --git a/po/en_US.po b/po/en_US.po
index 8ae2ae5bcd8a..f8e2a767a40e 100644
--- a/po/en_US.po
+++ b/po/en_US.po
@@ -7,7 +7,7 @@ msgid ""
msgstr ""
"Project-Id-Version: firewalld\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2014-10-15 14:24+0000\n"
"Last-Translator: Jiří Popelka <jpopelka@redhat.com>\n"
"Language-Team: English (United States) (http://www.transifex.com/projects/p/"
diff --git a/po/es.po b/po/es.po
index a84b9e05343a..0f228150fd2c 100644
--- a/po/es.po
+++ b/po/es.po
@@ -31,7 +31,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:22+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Spanish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/et.po b/po/et.po
index 8da6377bdac7..795090f4abde 100644
--- a/po/et.po
+++ b/po/et.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:21+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Estonian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/eu.po b/po/eu.po
index b8e14e2a1b86..a2fd55d6a404 100644
--- a/po/eu.po
+++ b/po/eu.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:43+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Basque (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/fi.po b/po/fi.po
index 71ad70257f21..752329c32489 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -15,7 +15,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-08-19 12:28+0000\n"
"Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>\n"
"Language-Team: Finnish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/fr.po b/po/fr.po
index d807315b5826..283dfa6d4dfc 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -34,7 +34,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:23+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: French (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/gl.po b/po/gl.po
index 47f9b6940401..4845df696886 100644
--- a/po/gl.po
+++ b/po/gl.po
@@ -9,7 +9,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:45+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Galician (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/gu.po b/po/gu.po
index 8698b52527b8..00d073043ae6 100644
--- a/po/gu.po
+++ b/po/gu.po
@@ -14,7 +14,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:45+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Gujarati (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/hi.po b/po/hi.po
index 24626fd4b2a3..07520b920e9f 100644
--- a/po/hi.po
+++ b/po/hi.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:28+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Hindi (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/hu.po b/po/hu.po
index f12170b0247c..8d02f894e92e 100644
--- a/po/hu.po
+++ b/po/hu.po
@@ -24,7 +24,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:24+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Hungarian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/ia.po b/po/ia.po
index d9d26140acd1..59bfc3f3f4b6 100644
--- a/po/ia.po
+++ b/po/ia.po
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:58+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Interlingua (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/id.po b/po/id.po
index f53a785bdcc1..3304d54878b2 100644
--- a/po/id.po
+++ b/po/id.po
@@ -3,7 +3,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-05-22 09:00+0000\n"
"Last-Translator: Ferdi Saptanera <ferdisn@fedoraproject.org>\n"
"Language-Team: Indonesian\n"
diff --git a/po/it.po b/po/it.po
index 7c2b4c02ed87..6358ba40bd31 100644
--- a/po/it.po
+++ b/po/it.po
@@ -36,7 +36,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:24+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Italian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/ja.po b/po/ja.po
index 340a68a9dfa5..ea830261b855 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -22,7 +22,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:25+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Japanese (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/ka.po b/po/ka.po
index ca538252795e..864b3c8058c6 100644
--- a/po/ka.po
+++ b/po/ka.po
@@ -9,7 +9,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:24+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Georgian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/kn.po b/po/kn.po
index a62e59eb5a3e..1826797aa9cd 100644
--- a/po/kn.po
+++ b/po/kn.po
@@ -13,7 +13,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 09:59+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Kannada (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/ko.po b/po/ko.po
index c928658f0195..c36161b7163b 100644
--- a/po/ko.po
+++ b/po/ko.po
@@ -18,7 +18,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:25+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Korean (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/lt.po b/po/lt.po
index bf3b73972c75..07a03e594ae7 100644
--- a/po/lt.po
+++ b/po/lt.po
@@ -4,7 +4,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2019-05-13 08:05+0000\n"
"Last-Translator: Moo <hazap@hotmail.com>\n"
"Language-Team: Lithuanian\n"
diff --git a/po/ml.po b/po/ml.po
index c265a921804c..93b6b6b63d05 100644
--- a/po/ml.po
+++ b/po/ml.po
@@ -8,7 +8,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 10:00+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Malayalam (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/mr.po b/po/mr.po
index 04c29128fe3d..2b7159fdd370 100644
--- a/po/mr.po
+++ b/po/mr.po
@@ -15,7 +15,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 10:00+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Marathi (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/nl.po b/po/nl.po
index ac384020ad3a..351b9906332a 100644
--- a/po/nl.po
+++ b/po/nl.po
@@ -17,7 +17,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:26+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Dutch (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/or.po b/po/or.po
index 4b846a9f615d..90ffdcb7ca97 100644
--- a/po/or.po
+++ b/po/or.po
@@ -12,7 +12,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:33+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Oriya (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/pa.po b/po/pa.po
index 5a52ff6ccca9..3480e4223dce 100644
--- a/po/pa.po
+++ b/po/pa.po
@@ -22,7 +22,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2017-11-26 02:37+0000\n"
"Last-Translator: A S Alam <aalam@fedoraproject.org>\n"
"Language-Team: Panjabi (Punjabi) (http://www.transifex.com/projects/p/"
diff --git a/po/pl.po b/po/pl.po
index 843c883dd05d..83703401460b 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -17,7 +17,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:26+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Polish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/pt.po b/po/pt.po
index 27d3e7d44abd..7d5e816e2e7e 100644
--- a/po/pt.po
+++ b/po/pt.po
@@ -12,7 +12,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2019-09-07 12:26+0000\n"
"Last-Translator: Manuela Silva <mmsrs@sky.com>\n"
"Language-Team: Portuguese (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/pt_BR.po b/po/pt_BR.po
index 322fd5f69f3d..c381fa07343f 100644
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
@@ -34,7 +34,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:27+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Portuguese (Brazil) (http://www.transifex.com/projects/p/"
diff --git a/po/ru.po b/po/ru.po
index e15835624511..38cede8b55e6 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -22,7 +22,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:27+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Russian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/sk.po b/po/sk.po
index 23634d087ae3..4d6e67eb05b2 100644
--- a/po/sk.po
+++ b/po/sk.po
@@ -14,7 +14,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-08-13 06:16+0000\n"
"Last-Translator: feonsu <feonsu@gmail.com>\n"
"Language-Team: Slovak (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/sq.po b/po/sq.po
index 109b4d6e29c5..91c16e57045d 100644
--- a/po/sq.po
+++ b/po/sq.po
@@ -4,7 +4,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2017-04-20 11:49+0000\n"
"Last-Translator: Sidorela Uku <uku.sidorela@gmail.com>\n"
"Language-Team: Albanian\n"
diff --git a/po/sr.po b/po/sr.po
index d742901dd676..7c45f703a716 100644
--- a/po/sr.po
+++ b/po/sr.po
@@ -12,7 +12,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:42+0000\n"
"Last-Translator: Momcilo Medic <medicmomcilo@gmail.com>\n"
"Language-Team: Serbian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/sr@latin.po b/po/sr@latin.po
index 7045f7510b33..6bde5c3dafb6 100644
--- a/po/sr@latin.po
+++ b/po/sr@latin.po
@@ -10,7 +10,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 10:03+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Serbian (Latin) (http://www.transifex.com/projects/p/"
diff --git a/po/sv.po b/po/sv.po
index d89a7c261fdd..f7e2ee9c9ec7 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -15,7 +15,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:28+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Swedish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/ta.po b/po/ta.po
index a53847a694fb..3370eb155992 100644
--- a/po/ta.po
+++ b/po/ta.po
@@ -16,7 +16,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2015-02-26 10:04+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Tamil (http://www.transifex.com/projects/p/firewalld/language/"
diff --git a/po/te.po b/po/te.po
index 542b57c404ad..6365c4adf6e3 100644
--- a/po/te.po
+++ b/po/te.po
@@ -15,7 +15,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2016-01-04 12:44+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Telugu (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/tr.po b/po/tr.po
index 29d589174412..404c8687de5e 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -12,7 +12,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2019-03-08 01:23+0000\n"
"Last-Translator: Serdar Sağlam <teknomobil@msn.com>\n"
"Language-Team: Turkish (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/uk.po b/po/uk.po
index 4408f372a319..f237acc315e4 100644
--- a/po/uk.po
+++ b/po/uk.po
@@ -14,7 +14,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-07-29 04:00+0000\n"
"Last-Translator: Yuri Chornoivan <yurchor@ukr.net>\n"
"Language-Team: Ukrainian (http://www.transifex.com/projects/p/firewalld/"
diff --git a/po/zh_CN.po b/po/zh_CN.po
index bcb5a75283a4..ee57808023f1 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -24,7 +24,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2019-03-10 05:14+0000\n"
"Last-Translator: Pany <pany@fedoraproject.org>\n"
"Language-Team: Chinese (China) (http://www.transifex.com/projects/p/"
diff --git a/po/zh_TW.po b/po/zh_TW.po
index 27e8dff208f9..47f1e2c9f55d 100644
--- a/po/zh_TW.po
+++ b/po/zh_TW.po
@@ -21,7 +21,7 @@ msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-11-05 08:47-0500\n"
+"POT-Creation-Date: 2020-01-07 09:22-0500\n"
"PO-Revision-Date: 2018-11-16 08:29+0000\n"
"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
"Language-Team: Chinese (Taiwan) (http://www.transifex.com/projects/p/"
--
2.23.0

107
SOURCES/0018-fix-client-service-use-dict-based-dbus-APIs.patch
View File

@ -1,107 +0,0 @@
From f0e4beea7c96478661dd1e3088392400f7cec66e Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 26 Jun 2019 15:07:16 -0400
Subject: [PATCH 18/20] fix: client: service: use dict based dbus APIs
Fixes: 1fc208bf9317 ("feat: service includes")
(cherry picked from commit 632380e6efcdfd2282216002bd92f8f6d96467b9)
---
src/firewall/client.py | 51 ++++++++++++++++++++++++++++++++++--------
1 file changed, 42 insertions(+), 9 deletions(-)
diff --git a/src/firewall/client.py b/src/firewall/client.py
index 242c3a0ab0f4..3c4ea5c63559 100644
--- a/src/firewall/client.py
+++ b/src/firewall/client.py
@@ -818,15 +818,46 @@ class FirewallClientConfigZone(object):
class FirewallClientServiceSettings(object):
@handle_exceptions
def __init__(self, settings=None):
+ self.settings = ["", "", "", [], [], {}, [], [], []]
+ self.settings_name = ["version", "short", "description", "ports",
+ "modules", "destination", "protocols",
+ "source_ports", "includes"]
+ self.settings_dbus_type = ["s", "s", "s", "(ss)",
+ "s", "ss", "s",
+ "(ss)", "s"]
if settings:
- self.settings = settings
- else:
- self.settings = ["", "", "", [], [], {}, [], [], []]
+ if type(settings) is list:
+ for i,v in enumerate(settings):
+ self.settings[i] = settings[i]
+ elif type(settings) is dict:
+ self.setSettingsDict(settings)
@handle_exceptions
def __repr__(self):
return '%s(%r)' % (self.__class__, self.settings)
+ @handle_exceptions
+ def getSettingsDict(self):
+ settings = {}
+ for key,value in zip(self.settings_name, self.settings):
+ settings[key] = value
+ return settings
+ @handle_exceptions
+ def setSettingsDict(self, settings):
+ for key in settings:
+ self.settings[self.settings_name.index(key)] = settings[key]
+ @handle_exceptions
+ def getSettingsDbusDict(self):
+ settings = {}
+ for key,value,sig in zip(self.settings_name, self.settings, self.settings_dbus_type):
+ if type(value) is list:
+ settings[key] = dbus.Array(value, signature=sig)
+ elif type(value) is dict:
+ settings[key] = dbus.Dictionary(value, signature=sig)
+ else:
+ settings[key] = value
+ return settings
+
@handle_exceptions
def getVersion(self):
return self.settings[0]
@@ -1467,13 +1498,13 @@ class FirewallClientConfigService(object):
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getSettings(self):
- return FirewallClientServiceSettings(list(dbus_to_python(\
- self.fw_service.getSettings())))
+ return FirewallClientServiceSettings(dbus_to_python(
+ self.fw_service.getSettings2()))
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def update(self, settings):
- self.fw_service.update(tuple(settings.settings))
+ self.fw_service.update2(settings.getSettingsDbusDict())
@slip.dbus.polkit.enable_proxy
@handle_exceptions
@@ -2431,7 +2462,9 @@ class FirewallClientConfig(object):
@handle_exceptions
def addService(self, name, settings):
if isinstance(settings, FirewallClientServiceSettings):
- path = self.fw_config.addService(name, tuple(settings.settings))
+ path = self.fw_config.addService2(name, settings.getSettingsDbusDict())
+ elif type(settings) is dict:
+ path = self.fw_config.addService2(name, settings)
else:
path = self.fw_config.addService(name, tuple(settings))
return FirewallClientConfigService(self.bus, path)
@@ -2899,8 +2932,8 @@ class FirewallClient(object):
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getServiceSettings(self, service):
- return FirewallClientServiceSettings(list(dbus_to_python(\
- self.fw.getServiceSettings(service))))
+ return FirewallClientServiceSettings(dbus_to_python(
+ self.fw.getServiceSettings2(service)))
@slip.dbus.polkit.enable_proxy
@handle_exceptions
--
2.20.1

32
SOURCES/0019-doc-README-add-note-about-language-translations.patch Normal file
View File

@ -0,0 +1,32 @@
From 7b2f75ecf57dd3f46da24db640aec63aac3e703d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 14 Jan 2020 09:15:22 -0500
Subject: [PATCH 19/37] doc: README: add note about language translations
(cherry picked from commit 1b829ebb1d79e674b191d7f201787688b8a1d609)
(cherry picked from commit 86b4a2643882e1d70c92859bfdfca24d768102f9)
---
README | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/README b/README
index 287a3021b633..120543588540 100644
--- a/README
+++ b/README
@@ -17,6 +17,13 @@ To check out the source repository, you can use:
This will create a local copy of the repository.
+Language Translations
+---------------------
+Firewalld uses GNU gettext for localization support. Translations can be done
+using Fedora's Weblate instance [1]. Translations are periodically merged into
+the main firewalld repository.
+
+[1] https://translate.stg.fedoraproject.org/projects/firewalld/
Working With The Source Repository
----------------------------------
--
2.23.0

155
SOURCES/0019-fix-firewall-offline-cmd-service-use-dict-based-APIs.patch
View File

@ -1,155 +0,0 @@
From 588b7960abb8a6191fb8e8e5974d52c961d3aa67 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 2 Jul 2019 15:53:29 -0400
Subject: [PATCH 19/20] fix: firewall-offline-cmd: service: use dict based APIs
Fixes: ce631f8515a6 ("feat: CLI: service includes")
(cherry picked from commit 91c1434de8617f547576355ce3028a1bd67f408f)
---
src/firewall-offline-cmd.in | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/src/firewall-offline-cmd.in b/src/firewall-offline-cmd.in
index 1a8315f8e230..91736c1fafc5 100755
--- a/src/firewall-offline-cmd.in
+++ b/src/firewall-offline-cmd.in
@@ -1245,8 +1245,8 @@ try:
cmd.print_and_exit(" ".join(services))
elif a.new_service:
- fw.config.new_service(a.new_service,
- FirewallClientServiceSettings().settings)
+ fw.config.new_service_dict(a.new_service,
+ FirewallClientServiceSettings().getSettingsDict())
elif a.new_service_from_file:
filename = os.path.basename(a.new_service_from_file)
@@ -1287,7 +1287,7 @@ try:
elif a.info_service:
service = fw.config.get_service(a.info_service)
settings = FirewallClientServiceSettings(
- list(fw.config.get_service_config(service)))
+ fw.config.get_service_config_dict(service))
cmd.print_service_info(a.info_service, settings)
sys.exit(0)
@@ -1402,17 +1402,17 @@ try:
elif a.service and options_service:
service = fw.config.get_service(a.service)
settings = FirewallClientServiceSettings(
- list(fw.config.get_service_config(service)))
+ fw.config.get_service_config_dict(service))
if a.add_port:
cmd.add_sequence(a.add_port, settings.addPort,
settings.queryPort, cmd.parse_port, "%s/%s")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.remove_port:
cmd.remove_sequence(a.remove_port, settings.removePort,
settings.queryPort, cmd.parse_port, "%s/%s")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.query_port:
cmd.query_sequence(a.query_port, settings.queryPort,
@@ -1425,12 +1425,12 @@ try:
elif a.add_protocol:
cmd.add_sequence(a.add_protocol, settings.addProtocol,
settings.queryProtocol, None, "'%s'")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.remove_protocol:
cmd.remove_sequence(a.remove_protocol, settings.removeProtocol,
settings.queryProtocol, None, "'%s'")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.query_protocol:
cmd.query_sequence(a.query_protocol, settings.queryProtocol,
@@ -1443,13 +1443,13 @@ try:
elif a.add_source_port:
cmd.add_sequence(a.add_source_port, settings.addSourcePort,
settings.querySourcePort, cmd.parse_port, "%s/%s")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.remove_source_port:
cmd.remove_sequence(a.remove_source_port, settings.removeSourcePort,
settings.querySourcePort, cmd.parse_port,
"%s/%s")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.query_source_port:
cmd.query_sequence(a.query_source_port, settings.querySourcePort,
@@ -1462,12 +1462,12 @@ try:
elif a.add_module:
cmd.add_sequence(a.add_module, settings.addModule,
settings.queryModule, None, "'%s'")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.remove_module:
cmd.remove_sequence(a.remove_module, settings.removeModule,
settings.queryModule, None, "'%s'")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.query_module:
cmd.query_sequence(a.query_module, settings.queryModule,
@@ -1481,7 +1481,7 @@ try:
cmd.add_sequence(a.set_destination, settings.setDestination,
settings.queryDestination,
cmd.parse_service_destination, "%s:%s")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.remove_destination:
# special case for removeDestination: Only ipv, no address
@@ -1496,7 +1496,7 @@ try:
code)
else:
settings.removeDestination(ipv)
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.query_destination:
cmd.query_sequence(a.query_destination, settings.queryDestination,
@@ -1509,12 +1509,12 @@ try:
elif a.add_include:
cmd.add_sequence(a.add_include, settings.addInclude,
settings.queryInclude, None, "'%s'")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.remove_include:
cmd.remove_sequence(a.remove_include, settings.removeInclude,
settings.queryInclude, None, "'%s'")
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.query_include:
cmd.query_sequence(a.query_include, settings.queryInclude,
@@ -1526,14 +1526,14 @@ try:
elif a.set_description:
settings.setDescription(a.set_description)
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.get_description:
cmd.print_and_exit(settings.getDescription())
elif a.set_short:
settings.setShort(a.set_short)
- fw.config.set_service_config(service, settings.settings)
+ fw.config.set_service_config_dict(service, settings.getSettingsDict())
elif a.get_short:
cmd.print_and_exit(settings.getShort())
--
2.20.1

34
SOURCES/0020-fix-direct-removeRules-was-mistakenly-removing-all-r.patch
View File

@ -1,34 +0,0 @@
From b91b7cbeeb62cb2ba316918acd0e60a53ed676aa Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 26 Jul 2019 13:32:44 -0400
Subject: [PATCH 20/26] fix: direct: removeRules() was mistakenly removing all
rules
Only remove the rules that match the specified criteria (ipv, table,
chain).
Fixes: #385
Fixes: rhbz 1723610
(cherry picked from commit 174005b15059db054b2f8dcf3b35c23fcbaf44ec)
---
src/firewall/server/config.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index e03c4984e058..b1b839da82ea 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -1422,7 +1422,9 @@ class FirewallDConfig(slip.dbus.service.Object):
(ipv, table, chain, ))
self.accessCheck(sender)
settings = list(self.getSettings())
- settings[1] = []
+ for rule in settings[1]:
+ if (ipv, table, chain) == (rule[0], rule[1], rule[2]):
+ settings[1].remove(rule)
self.update(tuple(settings))
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
--
2.20.1

31
SOURCES/0020-fix-rich-source-dest-only-matching-with-mark-action.patch Normal file
View File

@ -0,0 +1,31 @@
From b15d3998fc9cbc6fbaa5f54596cf6ae4af80c6b4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 10:41:29 -0500
Subject: [PATCH 20/37] fix: rich: source/dest only matching with mark action
We need to make sure the pre-requisite chains exist before generating
the rule for the mark action.
Fixes: #567
(cherry picked from commit 4997385a269b2128281f346ba6e049a41767d165)
(cherry picked from commit 16c70554005a2a8dc7947c94f0fcc7cc401de3d0)
---
src/firewall/core/fw_zone.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index cbb80f09e02f..5cda560a30e1 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1720,6 +1720,8 @@ class FirewallZone(object):
elif rule.element is None:
if enable:
transaction.add_chain(zone, "filter", "INPUT")
+ if enable and type(rule.action) == Rich_Mark:
+ transaction.add_chain(zone, "mangle", "PREROUTING")
rules = backend.build_zone_rich_source_destination_rules(
enable, zone, rule)
--
2.23.0

39
SOURCES/0021-test-coverage-for-gh-567.patch Normal file
View File

@ -0,0 +1,39 @@
From ff7fed03e2026b0f3e2959bcb4b71c57b48b33a4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 10:04:47 -0500
Subject: [PATCH 21/37] test: coverage for gh #567
(cherry picked from commit cdf3227ea9e1c14ca47fcd73c42b3c94f78b01a6)
(cherry picked from commit 846363e2ced0b5ec0eecd58574245a4f7a66235c)
---
src/tests/regression.at | 1 +
src/tests/regression/gh567.at | 8 ++++++++
2 files changed, 9 insertions(+)
create mode 100644 src/tests/regression/gh567.at
diff --git a/src/tests/regression.at b/src/tests/regression.at
index 3bc99543a9b1..4532d730fbe7 100644
--- a/src/tests/regression.at
+++ b/src/tests/regression.at
@@ -24,3 +24,4 @@ m4_include([regression/rhbz1715977.at])
m4_include([regression/rhbz1723610.at])
m4_include([regression/rhbz1734765.at])
m4_include([regression/gh509.at])
+m4_include([regression/gh567.at])
diff --git a/src/tests/regression/gh567.at b/src/tests/regression/gh567.at
new file mode 100644
index 000000000000..03c3bde4a0fe
--- /dev/null
+++ b/src/tests/regression/gh567.at
@@ -0,0 +1,8 @@
+FWD_START_TEST([rich rule source w/ mark action])
+AT_KEYWORDS(gh567 rich ipset)
+
+FWD_CHECK([-q --permanent --new-ipset=Teste --type=hash:net])
+FWD_CHECK([-q --permanent --add-rich-rule "rule family=ipv4 source ipset=Teste mark set=2"])
+FWD_RELOAD
+
+FWD_END_TEST
--
2.23.0

60
SOURCES/0021-test-coverage-for-rhbz-1723610-and-gh-385.patch
View File

@ -1,60 +0,0 @@
From 53a4e15b72087a84bc59b69936d6bdaa91fa15fd Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 26 Jul 2019 08:26:50 -0400
Subject: [PATCH 21/26] test: coverage for rhbz 1723610 and gh #385
(cherry picked from commit 75fc4876dbfbdb1de09a67c48630fa8503ed152d)
---
src/tests/regression.at | 1 +
src/tests/regression/rhbz1723610.at | 30 +++++++++++++++++++++++++++++
2 files changed, 31 insertions(+)
create mode 100644 src/tests/regression/rhbz1723610.at
diff --git a/src/tests/regression.at b/src/tests/regression.at
index 3438c97f4633..919fc32f9bfb 100644
--- a/src/tests/regression.at
+++ b/src/tests/regression.at
@@ -21,3 +21,4 @@ m4_include([regression/gh478.at])
m4_include([regression/gh453.at])
m4_include([regression/gh258.at])
m4_include([regression/rhbz1715977.at])
+m4_include([regression/rhbz1723610.at])
diff --git a/src/tests/regression/rhbz1723610.at b/src/tests/regression/rhbz1723610.at
new file mode 100644
index 000000000000..f020141e1808
--- /dev/null
+++ b/src/tests/regression/rhbz1723610.at
@@ -0,0 +1,30 @@
+FWD_START_TEST([direct remove-rules per family])
+AT_KEYWORDS(direct rhbz1723610 gh385)
+
+FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT])
+FWD_CHECK([--permanent --direct --get-all-rules], 0, [dnl
+ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+])
+FWD_RELOAD
+FWD_CHECK([--direct --get-all-rules], 0, [dnl
+ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+])
+
+FWD_CHECK([-q --permanent --direct --remove-rules ipv6 filter input])
+FWD_CHECK([-q --permanent --direct --remove-rules ipv4 filter INPUT])
+FWD_CHECK([--permanent --direct --get-all-rules], 0, [dnl
+ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+])
+FWD_RELOAD
+FWD_CHECK([--direct --get-all-rules], 0, [dnl
+ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+])
+FWD_CHECK([-q --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
+FWD_CHECK([-q --direct --remove-rules ipv4 filter OUTPUT])
+FWD_CHECK([--direct --get-all-rules], 0, [dnl
+ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
+ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
+])
+
+FWD_END_TEST
--
2.20.1

32
SOURCES/0022-fix-tests-regression-rhbz1723610-make-output-reliabl.patch
View File

@ -1,32 +0,0 @@
From 395720e73e84b9b92bd92c5297faf7caa5d10242 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 26 Jul 2019 13:56:54 -0400
Subject: [PATCH 22/26] fix: tests/regression/rhbz1723610: make output reliable
The rule listing is unordered, so lets make it reliable.
Fixes: 75fc4876dbfb ("test: coverage for rhbz 1723610 and gh #385")
(cherry picked from commit 645fc816c09d2d5f767fcecf4bea3d61219780e9)
---
src/tests/regression/rhbz1723610.at | 2 --
1 file changed, 2 deletions(-)
diff --git a/src/tests/regression/rhbz1723610.at b/src/tests/regression/rhbz1723610.at
index f020141e1808..3eccc0436ed7 100644
--- a/src/tests/regression/rhbz1723610.at
+++ b/src/tests/regression/rhbz1723610.at
@@ -19,11 +19,9 @@ FWD_RELOAD
FWD_CHECK([--direct --get-all-rules], 0, [dnl
ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
])
-FWD_CHECK([-q --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
FWD_CHECK([-q --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
FWD_CHECK([-q --direct --remove-rules ipv4 filter OUTPUT])
FWD_CHECK([--direct --get-all-rules], 0, [dnl
-ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
])
--
2.20.1

33
SOURCES/0022-improvement-test-move-regression.at-inside-directory.patch Normal file
View File

@ -0,0 +1,33 @@
From e02639f73c9515ce4780b878ed0fc1308b46fc88 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 13:41:21 -0500
Subject: [PATCH 22/37] improvement: test: move regression.at inside directory
(cherry picked from commit 97066392d174bafbeaf4fce6d040352e64f1822c)
(cherry picked from commit a340e4767bef62d2ae6d000447ea162bb8dd016b)
---
src/tests/{ => regression}/regression.at | 0
src/tests/testsuite.at | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename src/tests/{ => regression}/regression.at (100%)
diff --git a/src/tests/regression.at b/src/tests/regression/regression.at
similarity index 100%
rename from src/tests/regression.at
rename to src/tests/regression/regression.at
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index b4dc05a59f55..be43c3bd4756 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -12,7 +12,7 @@ m4_include([dbus.at])
m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
m4_include([firewall-cmd.at])
- m4_include([regression.at])
+ m4_include([regression/regression.at])
m4_include([python.at])
m4_include([features.at])
])
--
2.23.0

35
SOURCES/0023-fix-tests-regression-rhbz1723610-avoid-calling-IPv6-.patch
View File

@ -1,35 +0,0 @@
From 05d7ecbd8d50e4b80c64443a8351bc943b4bf4a0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 26 Jul 2019 14:17:28 -0400
Subject: [PATCH 23/26] fix: tests/regression/rhbz1723610: avoid calling IPv6
backend
We support running without IPv6, so calling the backend in the test
case.
Fixes: 75fc4876dbfb ("test: coverage for rhbz 1723610 and gh #385")
(cherry picked from commit 38978bfde28a3fea9fb4cc61d2bb30ee5474e341)
---
src/tests/regression/rhbz1723610.at | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/tests/regression/rhbz1723610.at b/src/tests/regression/rhbz1723610.at
index 3eccc0436ed7..35feed2bda9f 100644
--- a/src/tests/regression/rhbz1723610.at
+++ b/src/tests/regression/rhbz1723610.at
@@ -19,10 +19,10 @@ FWD_RELOAD
FWD_CHECK([--direct --get-all-rules], 0, [dnl
ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
])
-FWD_CHECK([-q --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
+FWD_CHECK([-q --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
FWD_CHECK([-q --direct --remove-rules ipv4 filter OUTPUT])
FWD_CHECK([--direct --get-all-rules], 0, [dnl
-ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
+ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
])
FWD_END_TEST
--
2.20.1

45
SOURCES/0023-improvement-test-move-features.at-inside-directory.patch Normal file
View File

@ -0,0 +1,45 @@
From 469c9a24f6fb1ae7073a412755201d5a093a46d0 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 13:42:31 -0500
Subject: [PATCH 23/37] improvement: test: move features.at inside directory
(cherry picked from commit 87ebf867d4c1f81ecba44346126fcb6a5b4e4e3e)
(cherry picked from commit 04891ae837b317b293f14aaa28c683375afee4a5)
---
src/tests/{ => features}/features.at | 0
src/tests/firewall-offline-cmd.at | 2 +-
src/tests/testsuite.at | 2 +-
3 files changed, 2 insertions(+), 2 deletions(-)
rename src/tests/{ => features}/features.at (100%)
diff --git a/src/tests/features.at b/src/tests/features/features.at
similarity index 100%
rename from src/tests/features.at
rename to src/tests/features/features.at
diff --git a/src/tests/firewall-offline-cmd.at b/src/tests/firewall-offline-cmd.at
index 0b05ee70ea9f..8cd6b6c5550f 100644
--- a/src/tests/firewall-offline-cmd.at
+++ b/src/tests/firewall-offline-cmd.at
@@ -9,7 +9,7 @@ dnl !!! DO NOT ADD TESTS HERE !!!
m4_define([TESTING_FIREWALL_OFFLINE_CMD])
m4_include([firewall-cmd.at])
-m4_include([features.at])
+m4_include([features/features.at])
dnl Now begin the tests explicitly for firewall-offline-cmd
dnl
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index be43c3bd4756..364b0ca30e04 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -14,5 +14,5 @@ m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
m4_include([firewall-cmd.at])
m4_include([regression/regression.at])
m4_include([python.at])
- m4_include([features.at])
+ m4_include([features/features.at])
])
--
2.23.0

871
SOURCES/0024-fix-guarantee-zone-source-dispatch-is-sorted-by-zone.patch
View File

@ -1,871 +0,0 @@
From 9cecc7729a8d44fcdec9a4852545286cb7eb8fad Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 31 Jul 2019 13:57:10 -0400
Subject: [PATCH 24/26] fix: guarantee zone source dispatch is sorted by zone
name
Apparently users depend on firewalld sorting zone dispatch for sources
by the zone name. This is used to specify precedence for overlapping
address spaces.
Since we have to track rule positions of source based dispatch we might
as well abuse this and combine the source/interface dispatch into a
single chain.
Fixes: rhbz 1734765
Fixes: 70993581d79b ("fix: do not allow zone drifting")
(cherry picked from commit afc35c20e58b00b81cd2e1f3e863b3b3bac37c77)
---
src/firewall/core/ipXtables.py | 88 ++++++++---
src/firewall/core/nftables.py | 71 +++++++--
src/tests/firewall-cmd.at | 14 +-
src/tests/regression/gh258.at | 277 ++++++++++-----------------------
4 files changed, 211 insertions(+), 239 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 9055e9566d15..2f4ec46d8339 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -178,6 +178,7 @@ class ip4tables(object):
self.fill_exists()
self.available_tables = []
self.rich_rule_priority_counts = {}
+ self.zone_source_index_cache = []
self.our_chains = {} # chains created by firewalld
def fill_exists(self):
@@ -289,6 +290,44 @@ class ip4tables(object):
chain = args[i+1]
return (table, chain)
+ def _run_replace_zone_source(self, rule, zone_source_index_cache):
+ try:
+ i = rule.index("%%ZONE_SOURCE%%")
+ rule.pop(i)
+ zone = rule.pop(i)
+ if "-m" == rule[4]: # ipset/mac
+ zone_source = (zone, rule[7]) # (zone, address)
+ else:
+ zone_source = (zone, rule[5]) # (zone, address)
+ except ValueError:
+ try:
+ i = rule.index("%%ZONE_INTERFACE%%")
+ rule.pop(i)
+ zone_source = None
+ except ValueError:
+ return
+
+ rule_add = True
+ if rule[0] in ["-D", "--delete"]:
+ rule_add = False
+
+ if zone_source and not rule_add:
+ if zone_source in zone_source_index_cache:
+ zone_source_index_cache.remove(zone_source)
+ elif rule_add:
+ if zone_source:
+ # order source based dispatch by zone name
+ if zone_source not in zone_source_index_cache:
+ zone_source_index_cache.append(zone_source)
+ zone_source_index_cache.sort(key=lambda x: x[0])
+
+ index = zone_source_index_cache.index(zone_source)
+ else:
+ index = len(zone_source_index_cache)
+
+ rule[0] = "-I"
+ rule.insert(2, "%d" % (index + 1))
+
def _set_rule_replace_rich_rule_priority(self, rule, rich_rule_priority_counts):
"""
Change something like
@@ -374,6 +413,7 @@ class ip4tables(object):
table_rules = { }
rich_rule_priority_counts = copy.deepcopy(self.rich_rule_priority_counts)
+ zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache)
for _rule in rules:
rule = _rule[:]
@@ -398,6 +438,7 @@ class ip4tables(object):
rule.pop(i)
self._set_rule_replace_rich_rule_priority(rule, rich_rule_priority_counts)
+ self._run_replace_zone_source(rule, zone_source_index_cache)
table = "filter"
# get table form rule
@@ -461,6 +502,7 @@ class ip4tables(object):
raise ValueError("'%s %s' failed: %s" % (self._restore_command,
" ".join(args), ret))
self.rich_rule_priority_counts = rich_rule_priority_counts
+ self.zone_source_index_cache = zone_source_index_cache
return ret
def set_rule(self, rule, log_denied):
@@ -485,9 +527,14 @@ class ip4tables(object):
rule.pop(i)
rich_rule_priority_counts = copy.deepcopy(self.rich_rule_priority_counts)
+ zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache)
self._set_rule_replace_rich_rule_priority(rule, rich_rule_priority_counts)
+ self._run_replace_zone_source(rule, zone_source_index_cache)
+
output = self.__run(rule)
+
self.rich_rule_priority_counts = rich_rule_priority_counts
+ self.zone_source_index_cache = zone_source_index_cache
return output
def get_available_tables(self, table=None):
@@ -539,6 +586,7 @@ class ip4tables(object):
def build_flush_rules(self):
self.rich_rule_priority_counts = {}
+ self.zone_source_index_cache = []
rules = []
for table in BUILT_IN_CHAINS.keys():
if not self.get_available_tables(table):
@@ -620,10 +668,8 @@ class ip4tables(object):
if chain == "PREROUTING":
default_rules["raw"].append("-N %s_ZONES" % chain)
- default_rules["raw"].append("-N %s_ZONES_IFACES" % chain)
default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain))
- default_rules["raw"].append("-A %s_ZONES -g %s_ZONES_IFACES" % (chain, chain))
- self.our_chains["raw"].update(set(["%s_ZONES" % chain, "%s_ZONES_IFACES" % chain]))
+ self.our_chains["raw"].update(set(["%s_ZONES" % chain]))
if self.get_available_tables("mangle"):
default_rules["mangle"] = [ ]
@@ -635,10 +681,8 @@ class ip4tables(object):
if chain == "PREROUTING":
default_rules["mangle"].append("-N %s_ZONES" % chain)
- default_rules["mangle"].append("-N %s_ZONES_IFACES" % chain)
default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain))
- default_rules["mangle"].append("-A %s_ZONES -g %s_ZONES_IFACES" % (chain, chain))
- self.our_chains["mangle"].update(set(["%s_ZONES" % chain, "%s_ZONES_IFACES" % chain]))
+ self.our_chains["mangle"].update(set(["%s_ZONES" % chain]))
if self.get_available_tables("nat"):
default_rules["nat"] = [ ]
@@ -650,21 +694,17 @@ class ip4tables(object):
if chain in [ "PREROUTING", "POSTROUTING" ]:
default_rules["nat"].append("-N %s_ZONES" % chain)
- default_rules["nat"].append("-N %s_ZONES_IFACES" % chain)
default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain))
- default_rules["nat"].append("-A %s_ZONES -g %s_ZONES_IFACES" % (chain, chain))
- self.our_chains["nat"].update(set(["%s_ZONES" % chain, "%s_ZONES_IFACES" % chain]))
+ self.our_chains["nat"].update(set(["%s_ZONES" % chain]))
default_rules["filter"] = [
"-N INPUT_direct",
"-N INPUT_ZONES",
- "-N INPUT_ZONES_IFACES",
"-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT",
"-A INPUT -i lo -j ACCEPT",
"-A INPUT -j INPUT_direct",
"-A INPUT -j INPUT_ZONES",
- "-A INPUT_ZONES -g INPUT_ZONES_IFACES",
]
if log_denied != "off":
default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
@@ -677,16 +717,12 @@ class ip4tables(object):
"-N FORWARD_direct",
"-N FORWARD_IN_ZONES",
"-N FORWARD_OUT_ZONES",
- "-N FORWARD_IN_ZONES_IFACES",
- "-N FORWARD_OUT_ZONES_IFACES",
"-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT",
"-A FORWARD -i lo -j ACCEPT",
"-A FORWARD -j FORWARD_direct",
"-A FORWARD -j FORWARD_IN_ZONES",
"-A FORWARD -j FORWARD_OUT_ZONES",
- "-A FORWARD_IN_ZONES -g FORWARD_IN_ZONES_IFACES",
- "-A FORWARD_OUT_ZONES -g FORWARD_OUT_ZONES_IFACES",
]
if log_denied != "off":
default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
@@ -702,10 +738,9 @@ class ip4tables(object):
"-A OUTPUT -j OUTPUT_direct",
]
- self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES", "INPUT_ZONES_IFACES"
+ self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES",
"FORWARD_direct", "FORWARD_IN_ZONES",
- "FORWARD_IN_ZONES_IFACES" "FORWARD_OUT_ZONES",
- "FORWARD_OUT_ZONES_IFACES", "OUTPUT_direct"])
+ "FORWARD_OUT_ZONES", "OUTPUT_direct"])
final_default_rules = []
for table in default_rules:
@@ -748,11 +783,13 @@ class ip4tables(object):
action = "-g"
if enable and not append:
- rule = [ "-I", "%s_ZONES_IFACES" % chain, "1" ]
+ rule = [ "-I", "%s_ZONES" % chain, "%%ZONE_INTERFACE%%" ]
elif enable:
- rule = [ "-A", "%s_ZONES_IFACES" % chain ]
+ rule = [ "-A", "%s_ZONES" % chain ]
else:
- rule = [ "-D", "%s_ZONES_IFACES" % chain ]
+ rule = [ "-D", "%s_ZONES" % chain ]
+ if not append:
+ rule += ["%%ZONE_INTERFACE%%"]
rule += [ "-t", table, opt, interface, action, target ]
return [rule]
@@ -780,7 +817,8 @@ class ip4tables(object):
opt = "src"
flags = ",".join([opt] * self._fw.ipset.get_dimension(name))
rule = [ add_del,
- "%s_ZONES" % chain, "-t", table,
+ "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
+ "-t", table,
"-m", "set", "--match-set", name,
flags, action, target ]
else:
@@ -789,12 +827,14 @@ class ip4tables(object):
if opt == "-d":
return ""
rule = [ add_del,
- "%s_ZONES" % chain, "-t", table,
+ "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
+ "-t", table,
"-m", "mac", "--mac-source", address.upper(),
action, target ]
else:
rule = [ add_del,
- "%s_ZONES" % chain, "-t", table,
+ "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone,
+ "-t", table,
opt, address, action, target ]
return [rule]
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index ba52a0e87493..c0b48f1501fd 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -157,6 +157,7 @@ class nftables(object):
self.rule_to_handle = {}
self.rule_ref_count = {}
self.rich_rule_priority_counts = {}
+ self.zone_source_index_cache = {}
self.used_families = ["inet", "ip", "ip6"]
def fill_exists(self):
@@ -171,6 +172,48 @@ class nftables(object):
raise FirewallError(INVALID_RULE, "position/handle not allowed in rule")
return " ".join([str(x) for x in rule_key])
+ def _run_replace_zone_source(self, rule_add, rule, zone_source_index_cache):
+ try:
+ i = rule.index("%%ZONE_SOURCE%%")
+ rule.pop(i)
+ zone = rule.pop(i)
+ zone_source = (zone, rule[7]) # (zone, address)
+ except ValueError:
+ try:
+ i = rule.index("%%ZONE_INTERFACE%%")
+ rule.pop(i)
+ zone_source = None
+ except ValueError:
+ return
+
+ family = rule[2]
+
+ if zone_source and not rule_add:
+ if family in zone_source_index_cache and \
+ zone_source in zone_source_index_cache[family]:
+ zone_source_index_cache[family].remove(zone_source)
+ elif rule_add:
+ if family not in zone_source_index_cache:
+ zone_source_index_cache[family] = []
+
+ if zone_source:
+ # order source based dispatch by zone name
+ if zone_source not in zone_source_index_cache[family]:
+ zone_source_index_cache[family].append(zone_source)
+ zone_source_index_cache[family].sort(key=lambda x: x[0])
+
+ index = zone_source_index_cache[family].index(zone_source)
+ else:
+ index = len(zone_source_index_cache[family])
+
+ if index == 0:
+ rule[0] = "insert"
+ else:
+ index -= 1 # point to the rule before insertion point
+ rule[0] = "add"
+ rule.insert(i, "index")
+ rule.insert(i+1, "%d" % index)
+
def __run(self, args):
nft_opts = ["--echo", "--handle"]
_args = args[:]
@@ -257,6 +300,10 @@ class nftables(object):
_args.insert(i, "index")
_args.insert(i+1, "%d" % index)
+ if rule_key:
+ zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache)
+ self._run_replace_zone_source(rule_add, _args, zone_source_index_cache)
+
if not rule_key or (not rule_add and self.rule_ref_count[rule_key] == 0) \
or ( rule_add and rule_key not in self.rule_ref_count):
@@ -274,6 +321,7 @@ class nftables(object):
if rule_key:
self.rich_rule_priority_counts = rich_rule_priority_counts
+ self.zone_source_index_cache = zone_source_index_cache
# nft requires deleting rules by handle. So we must cache the rule
# handle when adding/inserting rules.
@@ -362,6 +410,7 @@ class nftables(object):
self.rule_to_handle = saved_rule_to_handle
self.rule_ref_count = saved_rule_ref_count
self.rich_rule_priority_counts = {}
+ self.zone_source_index_cache = {}
rules = []
for family in self.used_families:
@@ -440,9 +489,7 @@ class nftables(object):
for chain in ["PREROUTING"]:
default_rules.append("add chain inet %s raw_%s_ZONES" % (TABLE_NAME, chain))
- default_rules.append("add chain inet %s raw_%s_ZONES_IFACES" % (TABLE_NAME, chain))
default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES" % (TABLE_NAME, chain, chain))
- default_rules.append("add rule inet %s raw_%s_ZONES goto raw_%s_ZONES_IFACES" % (TABLE_NAME, chain, chain))
for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys():
default_rules.append("add chain inet %s mangle_%s '{ type filter hook %s priority %d ; }'" %
@@ -451,9 +498,7 @@ class nftables(object):
IPTABLES_TO_NFT_HOOK["mangle"][chain][1]))
default_rules.append("add chain inet %s mangle_%s_ZONES" % (TABLE_NAME, chain))
- default_rules.append("add chain inet %s mangle_%s_ZONES_IFACES" % (TABLE_NAME, chain))
default_rules.append("add rule inet %s mangle_%s jump mangle_%s_ZONES" % (TABLE_NAME, chain, chain))
- default_rules.append("add rule inet %s mangle_%s_ZONES goto mangle_%s_ZONES_IFACES" % (TABLE_NAME, chain, chain))
for family in ["ip", "ip6"]:
for chain in IPTABLES_TO_NFT_HOOK["nat"].keys():
@@ -463,9 +508,7 @@ class nftables(object):
IPTABLES_TO_NFT_HOOK["nat"][chain][1]))
default_rules.append("add chain %s %s nat_%s_ZONES" % (family, TABLE_NAME, chain))
- default_rules.append("add chain %s %s nat_%s_ZONES_IFACES" % (family, TABLE_NAME, chain))
default_rules.append("add rule %s %s nat_%s jump nat_%s_ZONES" % (family, TABLE_NAME, chain, chain))
- default_rules.append("add rule %s %s nat_%s_ZONES goto nat_%s_ZONES_IFACES" % (family, TABLE_NAME, chain, chain))
for chain in IPTABLES_TO_NFT_HOOK["filter"].keys():
default_rules.append("add chain inet %s filter_%s '{ type filter hook %s priority %d ; }'" %
@@ -475,12 +518,10 @@ class nftables(object):
# filter, INPUT
default_rules.append("add chain inet %s filter_%s_ZONES" % (TABLE_NAME, "INPUT"))
- default_rules.append("add chain inet %s filter_%s_ZONES_IFACES" % (TABLE_NAME, "INPUT"))
default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "INPUT"))
default_rules.append("add rule inet %s filter_%s ct status dnat accept" % (TABLE_NAME, "INPUT"))
default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "INPUT"))
default_rules.append("add rule inet %s filter_%s jump filter_%s_ZONES" % (TABLE_NAME, "INPUT", "INPUT"))
- default_rules.append("add rule inet %s filter_%s_ZONES goto filter_%s_ZONES_IFACES" % (TABLE_NAME, "INPUT", "INPUT"))
if log_denied != "off":
default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "INPUT"))
default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "INPUT"))
@@ -490,16 +531,12 @@ class nftables(object):
# filter, FORWARD
default_rules.append("add chain inet %s filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD"))
- default_rules.append("add chain inet %s filter_%s_IN_ZONES_IFACES" % (TABLE_NAME, "FORWARD"))
default_rules.append("add chain inet %s filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD"))
- default_rules.append("add chain inet %s filter_%s_OUT_ZONES_IFACES" % (TABLE_NAME, "FORWARD"))
default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "FORWARD"))
default_rules.append("add rule inet %s filter_%s ct status dnat accept" % (TABLE_NAME, "FORWARD"))
default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "FORWARD"))
default_rules.append("add rule inet %s filter_%s jump filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD"))
default_rules.append("add rule inet %s filter_%s jump filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD"))
- default_rules.append("add rule inet %s filter_%s_IN_ZONES goto filter_%s_IN_ZONES_IFACES" % (TABLE_NAME, "FORWARD", "FORWARD"))
- default_rules.append("add rule inet %s filter_%s_OUT_ZONES goto filter_%s_OUT_ZONES_IFACES" % (TABLE_NAME, "FORWARD", "FORWARD"))
if log_denied != "off":
default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "FORWARD"))
default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "FORWARD"))
@@ -554,11 +591,14 @@ class nftables(object):
action = "goto"
if enable and not append:
- rule = ["insert", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES_IFACES" % (table, chain)]
+ rule = ["insert", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain),
+ "%%ZONE_INTERFACE%%"]
elif enable:
- rule = ["add", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES_IFACES" % (table, chain)]
+ rule = ["add", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain)]
else:
- rule = ["delete", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES_IFACES" % (table, chain)]
+ rule = ["delete", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain)]
+ if not append:
+ rule += ["%%ZONE_INTERFACE%%"]
if interface == "*":
rule += [action, "%s_%s" % (table, target)]
else:
@@ -609,6 +649,7 @@ class nftables(object):
rule = [add_del, "rule", family, "%s" % TABLE_NAME,
"%s_%s_ZONES" % (table, chain),
+ "%%ZONE_SOURCE%%", zone,
rule_family, opt, address, action, "%s_%s" % (table, target)]
return [rule]
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index 7bb13aee0221..53f2eb2c7c88 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -148,14 +148,14 @@ FWD_START_TEST([zone interfaces])
FWD_CHECK([--zone=trusted --add-interface=+], 0, ignore)
FWD_CHECK([--add-interface=foobar+++], 0, ignore)
FWD_CHECK([--add-interface=foobar+], 0, ignore)
- NFT_LIST_RULES([inet], [filter_INPUT_ZONES_IFACES], 0, [dnl
+ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
table inet firewalld {
- chain filter_INPUT_ZONES_IFACES {
- iifname "foobar*" goto filter_IN_public
- iifname "foobar++*" goto filter_IN_public
- goto filter_IN_trusted
- goto filter_IN_public
- }
+ chain filter_INPUT_ZONES {
+ iifname "foobar*" goto filter_IN_public
+ iifname "foobar++*" goto filter_IN_public
+ goto filter_IN_trusted
+ goto filter_IN_public
+ }
}
])
FWD_CHECK([--zone=trusted --remove-interface=+], 0, ignore)
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
index ba76946f0333..1896a9bfc61c 100644
--- a/src/tests/regression/gh258.at
+++ b/src/tests/regression/gh258.at
@@ -9,7 +9,6 @@ FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore)
FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore)
dnl verify layout of zone dispatch
-m4_if(nftables, FIREWALL_BACKEND, [
NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl
table inet firewalld {
chain filter_INPUT {
@@ -27,13 +26,6 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
chain filter_INPUT_ZONES {
ip6 saddr dead:beef::/54 goto filter_IN_public
ip saddr 1.2.3.0/24 goto filter_IN_work
- goto filter_INPUT_ZONES_IFACES
- }
- }
-])
-NFT_LIST_RULES([inet], [filter_INPUT_ZONES_IFACES], 0, [dnl
- table inet firewalld {
- chain filter_INPUT_ZONES_IFACES {
iifname "dummy1" goto filter_IN_public
iifname "dummy0" goto filter_IN_work
goto filter_IN_public
@@ -59,13 +51,6 @@ NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl
chain filter_FORWARD_IN_ZONES {
ip6 saddr dead:beef::/54 goto filter_FWDI_public
ip saddr 1.2.3.0/24 goto filter_FWDI_work
- goto filter_FORWARD_IN_ZONES_IFACES
- }
- }
-])
-NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_IFACES], 0, [dnl
- table inet firewalld {
- chain filter_FORWARD_IN_ZONES_IFACES {
iifname "dummy1" goto filter_FWDI_public
iifname "dummy0" goto filter_FWDI_work
goto filter_FWDI_public
@@ -77,13 +62,6 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl
chain filter_FORWARD_OUT_ZONES {
ip6 daddr dead:beef::/54 goto filter_FWDO_public
ip daddr 1.2.3.0/24 goto filter_FWDO_work
- goto filter_FORWARD_OUT_ZONES_IFACES
- }
- }
-])
-NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_IFACES], 0, [dnl
- table inet firewalld {
- chain filter_FORWARD_OUT_ZONES_IFACES {
oifname "dummy1" goto filter_FWDO_public
oifname "dummy0" goto filter_FWDO_work
goto filter_FWDO_public
@@ -106,13 +84,6 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
chain raw_PREROUTING_ZONES {
ip6 saddr dead:beef::/54 goto raw_PRE_public
ip saddr 1.2.3.0/24 goto raw_PRE_work
- goto raw_PREROUTING_ZONES_IFACES
- }
- }
-])
-NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_IFACES], 0, [dnl
- table inet firewalld {
- chain raw_PREROUTING_ZONES_IFACES {
iifname "dummy1" goto raw_PRE_public
iifname "dummy0" goto raw_PRE_work
goto raw_PRE_public
@@ -131,13 +102,6 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
chain mangle_PREROUTING_ZONES {
ip6 saddr dead:beef::/54 goto mangle_PRE_public
ip saddr 1.2.3.0/24 goto mangle_PRE_work
- goto mangle_PREROUTING_ZONES_IFACES
- }
- }
-])
-NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_IFACES], 0, [dnl
- table inet firewalld {
- chain mangle_PREROUTING_ZONES_IFACES {
iifname "dummy1" goto mangle_PRE_public
iifname "dummy0" goto mangle_PRE_work
goto mangle_PRE_public
@@ -155,13 +119,6 @@ NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
table ip firewalld {
chain nat_PREROUTING_ZONES {
ip saddr 1.2.3.0/24 goto nat_PRE_work
- goto nat_PREROUTING_ZONES_IFACES
- }
- }
-])
-NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_IFACES], 0, [dnl
- table ip firewalld {
- chain nat_PREROUTING_ZONES_IFACES {
iifname "dummy1" goto nat_PRE_public
iifname "dummy0" goto nat_PRE_work
goto nat_PRE_public
@@ -179,13 +136,6 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
table ip firewalld {
chain nat_POSTROUTING_ZONES {
ip daddr 1.2.3.0/24 goto nat_POST_work
- goto nat_POSTROUTING_ZONES_IFACES
- }
- }
-])
-NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl
- table ip firewalld {
- chain nat_POSTROUTING_ZONES_IFACES {
oifname "dummy1" goto nat_POST_public
oifname "dummy0" goto nat_POST_work
goto nat_POST_public
@@ -203,13 +153,6 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
table ip6 firewalld {
chain nat_PREROUTING_ZONES {
ip6 saddr dead:beef::/54 goto nat_PRE_public
- goto nat_PREROUTING_ZONES_IFACES
- }
- }
-])
-NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_IFACES], 0, [dnl
- table ip6 firewalld {
- chain nat_PREROUTING_ZONES_IFACES {
iifname "dummy1" goto nat_PRE_public
iifname "dummy0" goto nat_PRE_work
goto nat_PRE_public
@@ -227,20 +170,12 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
table ip6 firewalld {
chain nat_POSTROUTING_ZONES {
ip6 daddr dead:beef::/54 goto nat_POST_public
- goto nat_POSTROUTING_ZONES_IFACES
- }
- }
-])
-NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_IFACES], 0, [dnl
- table ip firewalld {
- chain nat_POSTROUTING_ZONES_IFACES {
oifname "dummy1" goto nat_POST_public
oifname "dummy0" goto nat_POST_work
goto nat_POST_public
}
}
])
-], [
IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
@@ -250,15 +185,12 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])
-IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl
- IN_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
- INPUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
-IPTABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl
- IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- IN_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- IN_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
+ [[IN_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ IN_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
@@ -268,77 +200,58 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])
-IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl
- FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
- FORWARD_IN_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
-IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl
- FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
-IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl
- FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@
- FORWARD_OUT_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
-IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl
- FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
+IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
+ [[FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
+ [[FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]
+ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
-IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl
- PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
- PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
-IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl
- PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
+IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
+ [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
-IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl
- PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
- PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
-IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl
- PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
+IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
+ [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
-IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl
- PRE_work all -- 1.2.3.0/24 0.0.0.0/0 @<:@goto@:>@
- PREROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
-IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl
- PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- PRE_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
+IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
+ [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0
POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
-IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl
- POST_work all -- 0.0.0.0/0 1.2.3.0/24 @<:@goto@:>@
- POSTROUTING_ZONES_IFACES all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
-IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl
- POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- POST_work all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
- POST_public all -- 0.0.0.0/0 0.0.0.0/0 @<:@goto@:>@
-])
-
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+ [[POST_work all -- 0.0.0.0/0 1.2.3.0/24 [goto]
+ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ POST_work all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
@@ -348,15 +261,12 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
DROP all ::/0 ::/0 ctstate INVALID
REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
])
-IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, [dnl
- IN_public all dead:beef::/54 ::/0 @<:@goto@:>@
- INPUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
-])
-IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_IFACES], 0, [dnl
- IN_public all ::/0 ::/0 @<:@goto@:>@
- IN_work all ::/0 ::/0 @<:@goto@:>@
- IN_public all ::/0 ::/0 @<:@goto@:>@
-])
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
+ [[IN_public all dead:beef::/54 ::/0 [goto]
+ IN_public all ::/0 ::/0 [goto]
+ IN_work all ::/0 ::/0 [goto]
+ IN_public all ::/0 ::/0 [goto]
+]])
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED,DNAT
ACCEPT all ::/0 ::/0
@@ -367,24 +277,18 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
DROP all ::/0 ::/0 ctstate INVALID
REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited
])
-IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, [dnl
- FWDI_public all dead:beef::/54 ::/0 @<:@goto@:>@
- FORWARD_IN_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
-])
-IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_IFACES], 0, [dnl
- FWDI_public all ::/0 ::/0 @<:@goto@:>@
- FWDI_work all ::/0 ::/0 @<:@goto@:>@
- FWDI_public all ::/0 ::/0 @<:@goto@:>@
-])
-IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, [dnl
- FWDO_public all ::/0 dead:beef::/54 @<:@goto@:>@
- FORWARD_OUT_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
-])
-IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_IFACES], 0, [dnl
- FWDO_public all ::/0 ::/0 @<:@goto@:>@
- FWDO_work all ::/0 ::/0 @<:@goto@:>@
- FWDO_public all ::/0 ::/0 @<:@goto@:>@
-])
+IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
+ [[FWDI_public all dead:beef::/54 ::/0 [goto]
+ FWDI_public all ::/0 ::/0 [goto]
+ FWDI_work all ::/0 ::/0 [goto]
+ FWDI_public all ::/0 ::/0 [goto]
+]])
+IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0,
+ [[FWDO_public all ::/0 dead:beef::/54 [goto]
+ FWDO_public all ::/0 ::/0 [goto]
+ FWDO_work all ::/0 ::/0 [goto]
+ FWDO_public all ::/0 ::/0 [goto]
+]])
IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135
@@ -392,54 +296,41 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
PREROUTING_direct all ::/0 ::/0
PREROUTING_ZONES all ::/0 ::/0
])
-IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, [dnl
- PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
- PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
-])
-IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_IFACES], 0, [dnl
- PRE_public all ::/0 ::/0 @<:@goto@:>@
- PRE_work all ::/0 ::/0 @<:@goto@:>@
- PRE_public all ::/0 ::/0 @<:@goto@:>@
-])
+IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
+ [[PRE_public all dead:beef::/54 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+ PRE_work all ::/0 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+]])
IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
PREROUTING_direct all ::/0 ::/0
PREROUTING_ZONES all ::/0 ::/0
])
-IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, [dnl
- PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
- PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
-])
-IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_IFACES], 0, [dnl
- PRE_public all ::/0 ::/0 @<:@goto@:>@
- PRE_work all ::/0 ::/0 @<:@goto@:>@
- PRE_public all ::/0 ::/0 @<:@goto@:>@
-])
+IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
+ [[PRE_public all dead:beef::/54 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+ PRE_work all ::/0 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+]])
IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
PREROUTING_direct all ::/0 ::/0
PREROUTING_ZONES all ::/0 ::/0
])
-IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, [dnl
- PRE_public all dead:beef::/54 ::/0 @<:@goto@:>@
- PREROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
-])
-IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_IFACES], 0, [dnl
- PRE_public all ::/0 ::/0 @<:@goto@:>@
- PRE_work all ::/0 ::/0 @<:@goto@:>@
- PRE_public all ::/0 ::/0 @<:@goto@:>@
-])
+IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
+ [[PRE_public all dead:beef::/54 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+ PRE_work all ::/0 ::/0 [goto]
+ PRE_public all ::/0 ::/0 [goto]
+]])
IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
POSTROUTING_direct all ::/0 ::/0
POSTROUTING_ZONES all ::/0 ::/0
])
-IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, [dnl
- POST_public all ::/0 dead:beef::/54 @<:@goto@:>@
- POSTROUTING_ZONES_IFACES all ::/0 ::/0 @<:@goto@:>@
-])
-IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_IFACES], 0, [dnl
- POST_public all ::/0 ::/0 @<:@goto@:>@
- POST_work all ::/0 ::/0 @<:@goto@:>@
- POST_public all ::/0 ::/0 @<:@goto@:>@
-])
-])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+ [[POST_public all ::/0 dead:beef::/54 [goto]
+ POST_public all ::/0 ::/0 [goto]
+ POST_work all ::/0 ::/0 [goto]
+ POST_public all ::/0 ::/0 [goto]
+]])
FWD_END_TEST
--
2.20.1

32
SOURCES/0024-improvement-test-move-python.at-inside-directory.patch Normal file
View File

@ -0,0 +1,32 @@
From 318e99e5957fd92d6421350096c0dbc73c18f4ec Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 13:43:32 -0500
Subject: [PATCH 24/37] improvement: test: move python.at inside directory
(cherry picked from commit d6dbb79bd0fb470007d958296731e45912470ffe)
(cherry picked from commit 13c4830d4063dc2d76820f2a7db8b77f7427e763)
---
src/tests/{ => python}/python.at | 0
src/tests/testsuite.at | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename src/tests/{ => python}/python.at (100%)
diff --git a/src/tests/python.at b/src/tests/python/python.at
similarity index 100%
rename from src/tests/python.at
rename to src/tests/python/python.at
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index 364b0ca30e04..2a925fd77dd6 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -13,6 +13,6 @@ m4_include([dbus.at])
m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
m4_include([firewall-cmd.at])
m4_include([regression/regression.at])
- m4_include([python.at])
+ m4_include([python/python.at])
m4_include([features/features.at])
])
--
2.23.0

33
SOURCES/0025-improvement-test-move-dbus.at-inside-directory.patch Normal file
View File

@ -0,0 +1,33 @@
From f57c3b19cf5c1ef0b68eab2819f4dafdcbd53b91 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 13:44:22 -0500
Subject: [PATCH 25/37] improvement: test: move dbus.at inside directory
(cherry picked from commit 0dfdf43524fc56d396c47198a7d2a4853373ac4c)
(cherry picked from commit 015229ef5c0f97d1664fb5670b4caef6d8242a68)
---
src/tests/{ => dbus}/dbus.at | 0
src/tests/testsuite.at | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename src/tests/{ => dbus}/dbus.at (100%)
diff --git a/src/tests/dbus.at b/src/tests/dbus/dbus.at
similarity index 100%
rename from src/tests/dbus.at
rename to src/tests/dbus/dbus.at
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index 2a925fd77dd6..546b301f1cb2 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -8,7 +8,7 @@ m4_define([m4_include], [m4_builtin([include], [$1])])
m4_include([functions.at])
m4_include([firewall-offline-cmd.at])
-m4_include([dbus.at])
+m4_include([dbus/dbus.at])
m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
m4_include([firewall-cmd.at])
--
2.23.0

184
SOURCES/0025-test-verify-source-based-zone-dispatch-ordered-by-zo.patch
View File

@ -1,184 +0,0 @@
From 4fc4e688596dc030955fc18f3207b75c8de06452 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 31 Jul 2019 08:53:51 -0400
Subject: [PATCH 25/26] test: verify source-based zone dispatch ordered by zone
name
coverage for rhbz 1734765
(cherry picked from commit 25032eb3a60706f22e1b2c0f34d2be8d0b82c89f)
---
src/tests/regression.at | 1 +
src/tests/regression/rhbz1734765.at | 151 ++++++++++++++++++++++++++++
2 files changed, 152 insertions(+)
create mode 100644 src/tests/regression/rhbz1734765.at
diff --git a/src/tests/regression.at b/src/tests/regression.at
index 919fc32f9bfb..6f57a1122925 100644
--- a/src/tests/regression.at
+++ b/src/tests/regression.at
@@ -22,3 +22,4 @@ m4_include([regression/gh453.at])
m4_include([regression/gh258.at])
m4_include([regression/rhbz1715977.at])
m4_include([regression/rhbz1723610.at])
+m4_include([regression/rhbz1734765.at])
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
new file mode 100644
index 000000000000..3d54ceb6628f
--- /dev/null
+++ b/src/tests/regression/rhbz1734765.at
@@ -0,0 +1,151 @@
+FWD_START_TEST([zone sources ordered by name])
+AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166)
+dnl
+dnl Users depend on firewalld ordering source-based zone dispatch by zone name.
+dnl
+
+FWD_CHECK([-q --permanent --new-zone=foobar_00])
+FWD_CHECK([-q --permanent --new-zone=foobar_05])
+FWD_CHECK([-q --permanent --new-zone=foobar_02])
+FWD_CHECK([-q --permanent --new-zone=foobar_03])
+FWD_CHECK([-q --permanent --new-zone=foobar_01])
+FWD_CHECK([-q --permanent --new-zone=foobar_04])
+FWD_CHECK([-q --permanent --new-zone=foobar_010])
+
+FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="10.1.1.1" --add-source="1234:5678::1:1:1"])
+FWD_CHECK([-q --permanent --zone=foobar_01 --add-source="10.1.1.0/24" --add-source="1234:5678::1:1:0/112"])
+FWD_CHECK([-q --permanent --zone=foobar_02 --add-source="10.1.0.0/16" --add-source="1234:5678::1:0:0/96"])
+FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="10.2.2.0/24" --add-source="1234:5678::2:2:0/112"])
+FWD_CHECK([-q --permanent --zone=foobar_04 --add-source="10.2.0.0/16" --add-source="1234:5678::2:0:0/96"])
+FWD_CHECK([-q --permanent --zone=foobar_05 --add-source="10.0.0.0/8" --add-source="1234:5678::0:0:0/80"])
+
+FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
+FWD_CHECK([-q --permanent --zone=trusted --add-interface=foobar1])
+
+FWD_RELOAD
+
+FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10" --add-source="1234:5678::10:10:10"])
+FWD_CHECK([-q --zone=public --add-source="20.20.20.20" --add-source="1234:5678::20:20:20"])
+FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2])
+
+NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
+ table inet firewalld {
+ chain filter_INPUT_ZONES {
+ ip saddr 10.1.1.1 goto filter_IN_foobar_00
+ ip6 saddr 1234:5678::1:1:1 goto filter_IN_foobar_00
+ ip saddr 10.1.1.0/24 goto filter_IN_foobar_01
+ ip6 saddr 1234:5678::1:1:0/112 goto filter_IN_foobar_01
+ ip saddr 10.10.10.10 goto filter_IN_foobar_010
+ ip6 saddr 1234:5678::10:10:10 goto filter_IN_foobar_010
+ ip saddr 10.1.0.0/16 goto filter_IN_foobar_02
+ ip6 saddr 1234:5678::1:0:0/96 goto filter_IN_foobar_02
+ ip saddr 10.2.2.0/24 goto filter_IN_foobar_03
+ ip6 saddr 1234:5678::2:2:0/112 goto filter_IN_foobar_03
+ ip saddr 10.2.0.0/16 goto filter_IN_foobar_04
+ ip6 saddr 1234:5678::2:0:0/96 goto filter_IN_foobar_04
+ ip saddr 10.0.0.0/8 goto filter_IN_foobar_05
+ ip6 saddr 1234:5678::/80 goto filter_IN_foobar_05
+ ip saddr 20.20.20.20 goto filter_IN_public
+ ip6 saddr 1234:5678::20:20:20 goto filter_IN_public
+ iifname "foobar2" goto filter_IN_foobar_010
+ iifname "foobar1" goto filter_IN_trusted
+ iifname "foobar0" goto filter_IN_internal
+ goto filter_IN_public
+ }
+ }
+])
+NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
+ table ip firewalld {
+ chain nat_POSTROUTING_ZONES {
+ ip daddr 10.1.1.1 goto nat_POST_foobar_00
+ ip daddr 10.1.1.0/24 goto nat_POST_foobar_01
+ ip daddr 10.10.10.10 goto nat_POST_foobar_010
+ ip daddr 10.1.0.0/16 goto nat_POST_foobar_02
+ ip daddr 10.2.2.0/24 goto nat_POST_foobar_03
+ ip daddr 10.2.0.0/16 goto nat_POST_foobar_04
+ ip daddr 10.0.0.0/8 goto nat_POST_foobar_05
+ ip daddr 20.20.20.20 goto nat_POST_public
+ oifname "foobar2" goto nat_POST_foobar_010
+ oifname "foobar1" goto nat_POST_trusted
+ oifname "foobar0" goto nat_POST_internal
+ goto nat_POST_public
+ }
+ }
+])
+NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
+ table ip6 firewalld {
+ chain nat_POSTROUTING_ZONES {
+ ip6 daddr 1234:5678::1:1:1 goto nat_POST_foobar_00
+ ip6 daddr 1234:5678::1:1:0/112 goto nat_POST_foobar_01
+ ip6 daddr 1234:5678::10:10:10 goto nat_POST_foobar_010
+ ip6 daddr 1234:5678::1:0:0/96 goto nat_POST_foobar_02
+ ip6 daddr 1234:5678::2:2:0/112 goto nat_POST_foobar_03
+ ip6 daddr 1234:5678::2:0:0/96 goto nat_POST_foobar_04
+ ip6 daddr 1234:5678::/80 goto nat_POST_foobar_05
+ ip6 daddr 1234:5678::20:20:20 goto nat_POST_public
+ oifname "foobar2" goto nat_POST_foobar_010
+ oifname "foobar1" goto nat_POST_trusted
+ oifname "foobar0" goto nat_POST_internal
+ goto nat_POST_public
+ }
+ }
+])
+
+IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
+ [[IN_foobar_00 all -- 10.1.1.1 0.0.0.0/0 [goto]
+ IN_foobar_01 all -- 10.1.1.0/24 0.0.0.0/0 [goto]
+ IN_foobar_010 all -- 10.10.10.10 0.0.0.0/0 [goto]
+ IN_foobar_02 all -- 10.1.0.0/16 0.0.0.0/0 [goto]
+ IN_foobar_03 all -- 10.2.2.0/24 0.0.0.0/0 [goto]
+ IN_foobar_04 all -- 10.2.0.0/16 0.0.0.0/0 [goto]
+ IN_foobar_05 all -- 10.0.0.0/8 0.0.0.0/0 [goto]
+ IN_public all -- 20.20.20.20 0.0.0.0/0 [goto]
+ IN_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ IN_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
+ [[IN_foobar_00 all 1234:5678::1:1:1 ::/0 [goto]
+ IN_foobar_01 all 1234:5678::1:1:0/112 ::/0 [goto]
+ IN_foobar_010 all 1234:5678::10:10:10 ::/0 [goto]
+ IN_foobar_02 all 1234:5678::1:0:0/96 ::/0 [goto]
+ IN_foobar_03 all 1234:5678::2:2:0/112 ::/0 [goto]
+ IN_foobar_04 all 1234:5678::2:0:0/96 ::/0 [goto]
+ IN_foobar_05 all 1234:5678::/80 ::/0 [goto]
+ IN_public all 1234:5678::20:20:20 ::/0 [goto]
+ IN_foobar_010 all ::/0 ::/0 [goto]
+ IN_trusted all ::/0 ::/0 [goto]
+ IN_internal all ::/0 ::/0 [goto]
+ IN_public all ::/0 ::/0 [goto]
+]])
+IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+ [[POST_foobar_00 all -- 0.0.0.0/0 10.1.1.1 [goto]
+ POST_foobar_01 all -- 0.0.0.0/0 10.1.1.0/24 [goto]
+ POST_foobar_010 all -- 0.0.0.0/0 10.10.10.10 [goto]
+ POST_foobar_02 all -- 0.0.0.0/0 10.1.0.0/16 [goto]
+ POST_foobar_03 all -- 0.0.0.0/0 10.2.2.0/24 [goto]
+ POST_foobar_04 all -- 0.0.0.0/0 10.2.0.0/16 [goto]
+ POST_foobar_05 all -- 0.0.0.0/0 10.0.0.0/8 [goto]
+ POST_public all -- 0.0.0.0/0 20.20.20.20 [goto]
+ POST_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ POST_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
+]])
+IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
+ [[POST_foobar_00 all ::/0 1234:5678::1:1:1 [goto]
+ POST_foobar_01 all ::/0 1234:5678::1:1:0/112 [goto]
+ POST_foobar_010 all ::/0 1234:5678::10:10:10 [goto]
+ POST_foobar_02 all ::/0 1234:5678::1:0:0/96 [goto]
+ POST_foobar_03 all ::/0 1234:5678::2:2:0/112 [goto]
+ POST_foobar_04 all ::/0 1234:5678::2:0:0/96 [goto]
+ POST_foobar_05 all ::/0 1234:5678::/80 [goto]
+ POST_public all ::/0 1234:5678::20:20:20 [goto]
+ POST_foobar_010 all ::/0 ::/0 [goto]
+ POST_trusted all ::/0 ::/0 [goto]
+ POST_internal all ::/0 ::/0 [goto]
+ POST_public all ::/0 ::/0 [goto]
+]])
+
+FWD_END_TEST
--
2.20.1

59
SOURCES/0026-fix-test-regression-rhbz1734765-guard-IPv6-usage.patch
View File

@ -1,59 +0,0 @@
From c094e3d548374e7b63ce72b2a1deebcde718a567 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 5 Aug 2019 16:06:07 -0400
Subject: [PATCH 26/26] fix: test: regression/rhbz1734765: guard IPv6 usage
Fixes: 25032eb3a607 ("test: verify source-based zone dispatch ordered by zone name")
(cherry picked from commit f4411b95e127fea7a7ed87cd2b01e59c2ce333c5)
---
src/tests/regression/rhbz1734765.at | 28 ++++++++++++++++++++--------
1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
index 3d54ceb6628f..d2158e34b547 100644
--- a/src/tests/regression/rhbz1734765.at
+++ b/src/tests/regression/rhbz1734765.at
@@ -12,20 +12,32 @@ FWD_CHECK([-q --permanent --new-zone=foobar_01])
FWD_CHECK([-q --permanent --new-zone=foobar_04])
FWD_CHECK([-q --permanent --new-zone=foobar_010])
-FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="10.1.1.1" --add-source="1234:5678::1:1:1"])
-FWD_CHECK([-q --permanent --zone=foobar_01 --add-source="10.1.1.0/24" --add-source="1234:5678::1:1:0/112"])
-FWD_CHECK([-q --permanent --zone=foobar_02 --add-source="10.1.0.0/16" --add-source="1234:5678::1:0:0/96"])
-FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="10.2.2.0/24" --add-source="1234:5678::2:2:0/112"])
-FWD_CHECK([-q --permanent --zone=foobar_04 --add-source="10.2.0.0/16" --add-source="1234:5678::2:0:0/96"])
-FWD_CHECK([-q --permanent --zone=foobar_05 --add-source="10.0.0.0/8" --add-source="1234:5678::0:0:0/80"])
+FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="10.1.1.1"])
+FWD_CHECK([-q --permanent --zone=foobar_01 --add-source="10.1.1.0/24"])
+FWD_CHECK([-q --permanent --zone=foobar_02 --add-source="10.1.0.0/16"])
+FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="10.2.2.0/24"])
+FWD_CHECK([-q --permanent --zone=foobar_04 --add-source="10.2.0.0/16"])
+FWD_CHECK([-q --permanent --zone=foobar_05 --add-source="10.0.0.0/8"])
+IF_IPV6_SUPPORTED([
+FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="1234:5678::1:1:1"])
+FWD_CHECK([-q --permanent --zone=foobar_01 --add-source="1234:5678::1:1:0/112"])
+FWD_CHECK([-q --permanent --zone=foobar_02 --add-source="1234:5678::1:0:0/96"])
+FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="1234:5678::2:2:0/112"])
+FWD_CHECK([-q --permanent --zone=foobar_04 --add-source="1234:5678::2:0:0/96"])
+FWD_CHECK([-q --permanent --zone=foobar_05 --add-source="1234:5678::0:0:0/80"])
+])
FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
FWD_CHECK([-q --permanent --zone=trusted --add-interface=foobar1])
FWD_RELOAD
-FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10" --add-source="1234:5678::10:10:10"])
-FWD_CHECK([-q --zone=public --add-source="20.20.20.20" --add-source="1234:5678::20:20:20"])
+FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"])
+FWD_CHECK([-q --zone=public --add-source="20.20.20.20"])
+IF_IPV6_SUPPORTED([
+FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"])
+FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"])
+])
FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2])
NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
--
2.20.1

57
SOURCES/0026-improvement-test-move-firewall-cmd.at-and-firewall-o.patch Normal file
View File

@ -0,0 +1,57 @@
From 529c233fca75fc302a86b01251b7c7bf31e188ad Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 15 Jan 2020 13:46:42 -0500
Subject: [PATCH 26/37] improvement: test: move firewall-cmd.at and
firewall-offline-cmd.at inside directory
(cherry picked from commit 60197b143b1abf1cae618649fcb4ca595c6fb46d)
(cherry picked from commit 8f6dd39747b00b6cf5b0dfb526b75b4dd7ef9077)
---
src/tests/{ => cli}/firewall-cmd.at | 0
src/tests/{ => cli}/firewall-offline-cmd.at | 2 +-
src/tests/testsuite.at | 4 ++--
3 files changed, 3 insertions(+), 3 deletions(-)
rename src/tests/{ => cli}/firewall-cmd.at (100%)
rename src/tests/{ => cli}/firewall-offline-cmd.at (98%)
diff --git a/src/tests/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
similarity index 100%
rename from src/tests/firewall-cmd.at
rename to src/tests/cli/firewall-cmd.at
diff --git a/src/tests/firewall-offline-cmd.at b/src/tests/cli/firewall-offline-cmd.at
similarity index 98%
rename from src/tests/firewall-offline-cmd.at
rename to src/tests/cli/firewall-offline-cmd.at
index 8cd6b6c5550f..e763eeb95839 100644
--- a/src/tests/firewall-offline-cmd.at
+++ b/src/tests/cli/firewall-offline-cmd.at
@@ -8,7 +8,7 @@ dnl
dnl !!! DO NOT ADD TESTS HERE !!!
m4_define([TESTING_FIREWALL_OFFLINE_CMD])
-m4_include([firewall-cmd.at])
+m4_include([cli/firewall-cmd.at])
m4_include([features/features.at])
dnl Now begin the tests explicitly for firewall-offline-cmd
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index 546b301f1cb2..c48123cea910 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -7,11 +7,11 @@ m4_define([m4_include], [m4_builtin([include], [$1])])
m4_include([functions.at])
-m4_include([firewall-offline-cmd.at])
+m4_include([cli/firewall-offline-cmd.at])
m4_include([dbus/dbus.at])
m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
- m4_include([firewall-cmd.at])
+ m4_include([cli/firewall-cmd.at])
m4_include([regression/regression.at])
m4_include([python/python.at])
m4_include([features/features.at])
--
2.23.0

41
SOURCES/0027-fix-nftables-fix-zone-dispatch-using-ipset-sources-i.patch
View File

@ -1,41 +0,0 @@
From ec38f84551e7488ca42ce06d028138d40539e47c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 8 Aug 2019 13:40:01 -0400
Subject: [PATCH 27/28] fix: nftables: fix zone dispatch using ipset sources in
nat chains
If using an ipset as a zone source the rules for doing a goto to the
zone's rules were omitted. This means the zone's rules for nat
postrouting/prerouting were not having any effect. Affected features;
masquerade, forward-ports
(cherry picked from commit b363548f2ab0983d7b88dd82620c0c545e2cef39)
---
src/firewall/core/nftables.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index c0b48f1501fd..33a170a76a98 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -610,10 +610,15 @@ class nftables(object):
# nat tables needs to use ip/ip6 family
if table == "nat" and family == "inet":
rules = []
- if check_address("ipv4", address) or check_mac(address):
+ if address.startswith("ipset:"):
+ ipset_family = self._set_get_family(address[len("ipset:"):])
+ else:
+ ipset_family = None
+
+ if check_address("ipv4", address) or check_mac(address) or ipset_family == "ip":
rules.extend(self.build_zone_source_address_rules(enable, zone,
address, table, chain, "ip"))
- if check_address("ipv6", address) or check_mac(address):
+ if check_address("ipv6", address) or check_mac(address) or ipset_family == "ip6":
rules.extend(self.build_zone_source_address_rules(enable, zone,
address, table, chain, "ip6"))
return rules
--
2.20.1

133
SOURCES/0027-test-enhance-test-for-rhbz1729097.patch Normal file
View File

@ -0,0 +1,133 @@
From a698ca94c40b6edf058995f9f2b1fc197a16efe4 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 16 Jan 2020 09:02:28 -0500
Subject: [PATCH 27/37] test: enhance test for rhbz1729097
(cherry picked from commit c2b8059559c210e586b03b44eaf189370b976770)
(cherry picked from commit 47368842f5519b43cb02cb4f2cca59b9049e5268)
---
src/tests/regression/rhbz1715977.at | 107 +++++++++++++++++++++++++++-
1 file changed, 105 insertions(+), 2 deletions(-)
diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
index ce6dd075c2b5..5de9b5679023 100644
--- a/src/tests/regression/rhbz1715977.at
+++ b/src/tests/regression/rhbz1715977.at
@@ -1,9 +1,112 @@
-FWD_START_TEST([rich rule destination with service destination])
-AT_KEYWORDS(rich service rhbz1715977)
+FWD_START_TEST([rich rule source/destination with service destination])
+AT_KEYWORDS(rich service rhbz1715977 rhbz1729097 rhbz1791783)
FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="ssh" accept'])
FWD_RELOAD
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_internal_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+ udp dport 137 ct helper set "helper-netbios-ns-udp"
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
+
+FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept'])
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_internal_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+ udp dport 137 ct helper set "helper-netbios-ns-udp"
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+ ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
+
+FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept'])
+NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
+ table inet firewalld {
+ chain filter_IN_internal_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip daddr 224.0.0.251 udp dport 5353 ct state new,untracked accept
+ ip6 daddr ff02::fb udp dport 5353 ct state new,untracked accept
+ udp dport 137 ct helper set "helper-netbios-ns-udp"
+ udp dport 137 ct state new,untracked accept
+ udp dport 138 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
+ ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
+ ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
+ }
+ }
+])
+IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED
+])
+IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+])
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])
FWD_CHECK([-q --permanent --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'])
--
2.23.0

29
SOURCES/0028-fix-test-functions-FWD_END_TEST-grep-for-errors-warn.patch Normal file
View File

@ -0,0 +1,29 @@
From 77c098b455f8de72118a4ba40c371c1dde905325 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 22 Jan 2020 09:46:52 -0500
Subject: [PATCH 28/37] fix: test/functions: FWD_END_TEST: grep for
errors/warnings
Fixes: 5f67a78a68a4 ("fix: test/functions: FWD_END_TEST: improve grep for errors/warnings")
(cherry picked from commit 9f397528f5c7c6a155ba081a2e048ccf14c004b4)
(cherry picked from commit 171d3ce9b1724989b3a98d4cfe58470b36ce3be0)
---
src/tests/functions.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index e79557350558..cd4e31c7f9d4 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -234,7 +234,7 @@ m4_define([FWD_END_TEST], [
if test -n "$1"; then
sed -i $1 ./firewalld.log
fi
- AT_FAIL_IF([grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log])
+ AT_FAIL_IF([[grep '^[0-9-]*[ ]\+[0-9:]*[ ]\+\(ERROR\|WARNING\)' ./firewalld.log]])
fi
m4_undefine([CURRENT_DBUS_ADDRESS])
m4_undefine([CURRENT_TEST_NS])
--
2.23.0

147
SOURCES/0028-test-regression-rhbz1734765-add-coverage-for-rhbz-17.patch
View File

@ -1,147 +0,0 @@
From 197b393ddab8d144d869a8a4f024e6ba1e92d941 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 7 Aug 2019 08:41:11 -0400
Subject: [PATCH 28/28] test: regression/rhbz1734765: add coverage for rhbz
1738545
(cherry picked from commit 20cd5c7d29c586fa55e76d6f21adfee6a7ca34bb)
---
src/tests/regression/rhbz1734765.at | 46 +++++++++++++++++++++++++----
1 file changed, 41 insertions(+), 5 deletions(-)
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
index d2158e34b547..168be70a2900 100644
--- a/src/tests/regression/rhbz1734765.at
+++ b/src/tests/regression/rhbz1734765.at
@@ -1,5 +1,5 @@
FWD_START_TEST([zone sources ordered by name])
-AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166)
+AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545)
dnl
dnl Users depend on firewalld ordering source-based zone dispatch by zone name.
dnl
@@ -11,20 +11,28 @@ FWD_CHECK([-q --permanent --new-zone=foobar_03])
FWD_CHECK([-q --permanent --new-zone=foobar_01])
FWD_CHECK([-q --permanent --new-zone=foobar_04])
FWD_CHECK([-q --permanent --new-zone=foobar_010])
+FWD_CHECK([-q --permanent --new-zone=foobar_011])
+FWD_CHECK([-q --permanent --new-zone=foobar_012])
-FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="10.1.1.1"])
+FWD_CHECK([-q --permanent --new-ipset 'ipsetv4' --type hash:ip])
+FWD_CHECK([-q --permanent --new-ipset 'ipsetv6' --type hash:ip --family=inet6])
+FWD_CHECK([-q --permanent --ipset ipsetv4 --add-entry '192.0.2.12'])
+FWD_CHECK([-q --permanent --ipset ipsetv6 --add-entry '::2'])
+
+FWD_CHECK([-q --permanent --zone=foobar_011 --add-source ipset:ipsetv4])
FWD_CHECK([-q --permanent --zone=foobar_01 --add-source="10.1.1.0/24"])
FWD_CHECK([-q --permanent --zone=foobar_02 --add-source="10.1.0.0/16"])
-FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="10.2.2.0/24"])
FWD_CHECK([-q --permanent --zone=foobar_04 --add-source="10.2.0.0/16"])
+FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="10.1.1.1"])
+FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="10.2.2.0/24"])
FWD_CHECK([-q --permanent --zone=foobar_05 --add-source="10.0.0.0/8"])
IF_IPV6_SUPPORTED([
-FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="1234:5678::1:1:1"])
FWD_CHECK([-q --permanent --zone=foobar_01 --add-source="1234:5678::1:1:0/112"])
FWD_CHECK([-q --permanent --zone=foobar_02 --add-source="1234:5678::1:0:0/96"])
-FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="1234:5678::2:2:0/112"])
FWD_CHECK([-q --permanent --zone=foobar_04 --add-source="1234:5678::2:0:0/96"])
+FWD_CHECK([-q --permanent --zone=foobar_03 --add-source="1234:5678::2:2:0/112"])
FWD_CHECK([-q --permanent --zone=foobar_05 --add-source="1234:5678::0:0:0/80"])
+FWD_CHECK([-q --permanent --zone=foobar_00 --add-source="1234:5678::1:1:1"])
])
FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
@@ -32,11 +40,31 @@ FWD_CHECK([-q --permanent --zone=trusted --add-interface=foobar1])
FWD_RELOAD
+NFT_LIST_SET([ipsetv4], 0, [dnl
+ table inet firewalld {
+ set ipsetv4 {
+ type ipv4_addr
+ flags interval
+ elements = { 192.0.2.12 }
+ }
+ }
+])
+NFT_LIST_SET([ipsetv6], 0, [dnl
+ table inet firewalld {
+ set ipsetv6 {
+ type ipv6_addr
+ flags interval
+ elements = { ::2 }
+ }
+ }
+])
+
FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"])
FWD_CHECK([-q --zone=public --add-source="20.20.20.20"])
IF_IPV6_SUPPORTED([
FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"])
FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"])
+FWD_CHECK([-q --zone=foobar_012 --add-source ipset:ipsetv6])
])
FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2])
@@ -49,6 +77,8 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl
ip6 saddr 1234:5678::1:1:0/112 goto filter_IN_foobar_01
ip saddr 10.10.10.10 goto filter_IN_foobar_010
ip6 saddr 1234:5678::10:10:10 goto filter_IN_foobar_010
+ ip saddr @ipsetv4 goto filter_IN_foobar_011
+ ip6 saddr @ipsetv6 goto filter_IN_foobar_012
ip saddr 10.1.0.0/16 goto filter_IN_foobar_02
ip6 saddr 1234:5678::1:0:0/96 goto filter_IN_foobar_02
ip saddr 10.2.2.0/24 goto filter_IN_foobar_03
@@ -72,6 +102,7 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
ip daddr 10.1.1.1 goto nat_POST_foobar_00
ip daddr 10.1.1.0/24 goto nat_POST_foobar_01
ip daddr 10.10.10.10 goto nat_POST_foobar_010
+ ip daddr @ipsetv4 goto nat_POST_foobar_011
ip daddr 10.1.0.0/16 goto nat_POST_foobar_02
ip daddr 10.2.2.0/24 goto nat_POST_foobar_03
ip daddr 10.2.0.0/16 goto nat_POST_foobar_04
@@ -90,6 +121,7 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
ip6 daddr 1234:5678::1:1:1 goto nat_POST_foobar_00
ip6 daddr 1234:5678::1:1:0/112 goto nat_POST_foobar_01
ip6 daddr 1234:5678::10:10:10 goto nat_POST_foobar_010
+ ip6 daddr @ipsetv6 goto nat_POST_foobar_012
ip6 daddr 1234:5678::1:0:0/96 goto nat_POST_foobar_02
ip6 daddr 1234:5678::2:2:0/112 goto nat_POST_foobar_03
ip6 daddr 1234:5678::2:0:0/96 goto nat_POST_foobar_04
@@ -107,6 +139,7 @@ IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
[[IN_foobar_00 all -- 10.1.1.1 0.0.0.0/0 [goto]
IN_foobar_01 all -- 10.1.1.0/24 0.0.0.0/0 [goto]
IN_foobar_010 all -- 10.10.10.10 0.0.0.0/0 [goto]
+ IN_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 src
IN_foobar_02 all -- 10.1.0.0/16 0.0.0.0/0 [goto]
IN_foobar_03 all -- 10.2.2.0/24 0.0.0.0/0 [goto]
IN_foobar_04 all -- 10.2.0.0/16 0.0.0.0/0 [goto]
@@ -121,6 +154,7 @@ IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
[[IN_foobar_00 all 1234:5678::1:1:1 ::/0 [goto]
IN_foobar_01 all 1234:5678::1:1:0/112 ::/0 [goto]
IN_foobar_010 all 1234:5678::10:10:10 ::/0 [goto]
+ IN_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 src
IN_foobar_02 all 1234:5678::1:0:0/96 ::/0 [goto]
IN_foobar_03 all 1234:5678::2:2:0/112 ::/0 [goto]
IN_foobar_04 all 1234:5678::2:0:0/96 ::/0 [goto]
@@ -135,6 +169,7 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
[[POST_foobar_00 all -- 0.0.0.0/0 10.1.1.1 [goto]
POST_foobar_01 all -- 0.0.0.0/0 10.1.1.0/24 [goto]
POST_foobar_010 all -- 0.0.0.0/0 10.10.10.10 [goto]
+ POST_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 dst
POST_foobar_02 all -- 0.0.0.0/0 10.1.0.0/16 [goto]
POST_foobar_03 all -- 0.0.0.0/0 10.2.2.0/24 [goto]
POST_foobar_04 all -- 0.0.0.0/0 10.2.0.0/16 [goto]
@@ -149,6 +184,7 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
[[POST_foobar_00 all ::/0 1234:5678::1:1:1 [goto]
POST_foobar_01 all ::/0 1234:5678::1:1:0/112 [goto]
POST_foobar_010 all ::/0 1234:5678::10:10:10 [goto]
+ POST_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 dst
POST_foobar_02 all ::/0 1234:5678::1:0:0/96 [goto]
POST_foobar_03 all ::/0 1234:5678::2:2:0/112 [goto]
POST_foobar_04 all ::/0 1234:5678::2:0:0/96 [goto]
--
2.20.1

27
SOURCES/0029-improvement-tests-regression-rhbz1715977-shorten-tes.patch Normal file
View File

@ -0,0 +1,27 @@
From 207f97c8f8aa0043742521016065f35115e31436 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 22 Jan 2020 08:11:48 -0500
Subject: [PATCH 29/37] improvement: tests/regression/rhbz1715977: shorten test
name
Shorten the test name so it fits on 80 columns.
(cherry picked from commit d7920d34359074be68497da666cefd175e00d5f6)
(cherry picked from commit e63d2f72d68d366ca3e693d8de6cdcc21fcd44e5)
---
src/tests/regression/rhbz1715977.at | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
index 5de9b5679023..b9886e1a0a2b 100644
--- a/src/tests/regression/rhbz1715977.at
+++ b/src/tests/regression/rhbz1715977.at
@@ -1,4 +1,4 @@
-FWD_START_TEST([rich rule source/destination with service destination])
+FWD_START_TEST([rich rule src/dst with service destination])
AT_KEYWORDS(rich service rhbz1715977 rhbz1729097 rhbz1791783)
FWD_CHECK([-q --permanent --zone=internal --add-interface=foobar0])
--
2.23.0

58
SOURCES/0030-feat-AllowZoneDrifting-config-option.patch
View File

@ -1,7 +1,7 @@
From 3fbf366505d866c042e9dbc29a3fb6f30aff5459 Mon Sep 17 00:00:00 2001
From 982024e6775c9a9c78713be82519c729107ca4e2 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Sun, 19 Jan 2020 14:13:36 -0500
Subject: [PATCH 30/35] feat: AllowZoneDrifting config option
Subject: [PATCH 30/37] feat: AllowZoneDrifting config option
Older versions of firewalld had undocumented behavior known as "zone
drifting". This allowed packets to ingress multiple zones - this is a
@ -16,7 +16,7 @@ from interface based zones to other interfaces based zones (including
the default zone).
(cherry picked from commit afadd377b09dc62b340d24bcf891d31f040d1a18)
(cherry picked from commit cb71601436854404b59e53fbdf3eaea1dec9bd80)
(cherry picked from commit afbd6c0e82b77ca9b687169d69bf6c2dc17a9317)
---
config/firewalld.conf | 12 ++++++++++++
doc/xml/firewalld.conf.xml | 19 +++++++++++++++++++
@ -25,14 +25,14 @@ the default zone).
src/firewall/core/fw.py | 14 ++++++++++++++
src/firewall/core/io/firewalld_conf.py | 13 +++++++++++--
src/firewall/server/config.py | 20 +++++++++++++++++---
src/tests/dbus/firewalld.conf.at | 2 ++
8 files changed, 92 insertions(+), 5 deletions(-)
src/tests/dbus/firewalld.conf.at | 3 +++
8 files changed, 93 insertions(+), 5 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 423b7ea0733a..ebf8021226b7 100644
index 82ad062b8a66..532f0452212e 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -71,3 +71,15 @@ FlushAllOnReload=yes
@@ -61,3 +61,15 @@ FlushAllOnReload=yes
# internet.
# Defaults to "yes".
RFC3964_IPv4=yes
@ -49,7 +49,7 @@ index 423b7ea0733a..ebf8021226b7 100644
+# Possible values; "yes", "no". Defaults to "no".
+AllowZoneDrifting=no
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 1e229ed1d8b6..8108066e88bf 100644
index 6003a6fae855..fcfbfd2b68c1 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -183,6 +183,25 @@
@ -79,10 +79,10 @@ index 1e229ed1d8b6..8108066e88bf 100644
</refsect1>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 4a81e8e61858..f72bad526d65 100644
index 66b0475ec0c8..5d77af976443 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2577,6 +2577,22 @@
@@ -2578,6 +2578,22 @@
<refsect3 id="FirewallD1.config.Properties">
<title>Properties</title>
<variablelist>
@ -106,27 +106,27 @@ index 4a81e8e61858..f72bad526d65 100644
<term>AutomaticHelpers - s - (rw)</term>
<listitem>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 5bb318c5b269..c009d93e4164 100644
index 3274dd430e4e..481eb8de758d 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -132,3 +132,4 @@ FALLBACK_AUTOMATIC_HELPERS = "system"
@@ -130,3 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"
FALLBACK_FIREWALL_BACKEND = "nftables"
FALLBACK_FLUSH_ALL_ON_RELOAD = True
FALLBACK_RFC3964_IPV4 = True
+FALLBACK_ALLOW_ZONE_DRIFTING = False
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index a09c022a2baf..07bc9f375771 100644
index 050fb9cd976d..6206ed586988 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -127,6 +127,7 @@ class Firewall(object):
self.nf_conntrack_helper_setting = 0
self.nf_conntrack_helpers = { }
self.nf_nat_helpers = { }
@@ -123,6 +123,7 @@ class Firewall(object):
self._firewall_backend = config.FALLBACK_FIREWALL_BACKEND
self._flush_all_on_reload = config.FALLBACK_FLUSH_ALL_ON_RELOAD
self._rfc3964_ipv4 = config.FALLBACK_RFC3964_IPV4
+ self._allow_zone_drifting = config.FALLBACK_ALLOW_ZONE_DRIFTING
def individual_calls(self):
return self._individual_calls
@@ -324,6 +325,19 @@ class Firewall(object):
@@ -286,6 +287,19 @@ class Firewall(object):
log.debug1("RFC3964_IPv4 is set to '%s'",
self._rfc3964_ipv4)
@ -147,7 +147,7 @@ index a09c022a2baf..07bc9f375771 100644
self._select_firewall_backend(self._firewall_backend)
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index c7a7ba283e0e..aec62e3a753c 100644
index 9e2205f93d63..7c7092120676 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -28,10 +28,10 @@ from firewall import config
@ -187,7 +187,7 @@ index c7a7ba283e0e..aec62e3a753c 100644
def write(self):
if len(self._config) < 1:
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index b1b839da82ea..4315c6ac1589 100644
index 1c35f5663d29..b3e193d7e468 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -107,6 +107,7 @@ class FirewallDConfig(slip.dbus.service.Object):
@ -260,18 +260,26 @@ index b1b839da82ea..4315c6ac1589 100644
self.config.get_firewalld_conf().set(property_name, new_value)
self.config.get_firewalld_conf().write()
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 45559311eabb..65ac702f4713 100644
index 06f6df9bdd70..35aead759a9c 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -3,6 +3,7 @@ AT_KEYWORDS(dbus)
@@ -4,6 +4,7 @@ AT_KEYWORDS(dbus)
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
IF_HOST_SUPPORTS_NFT_FIB([
DBUS_GETALL([config], [config], 0, [dnl
+string "AllowZoneDrifting" : variant string "no"
string "AutomaticHelpers" : variant string "system"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
@@ -36,6 +37,7 @@ _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
@@ -17,6 +18,7 @@ string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])], [
DBUS_GETALL([config], [config], 0, [dnl
+string "AllowZoneDrifting" : variant string "no"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
@@ -49,6 +51,7 @@ _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
_helper([FlushAllOnReload], [string:"no"], [variant string "no"])
_helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
_helper([RFC3964_IPv4], [string:"no"], [variant string "no"])

193
SOURCES/0031-feat-nftables-support-AllowZoneDrifting-yes.patch
View File

@ -1,19 +1,19 @@
From 3c2ca67f86de7cd490ae25333e330b4aea0447f1 Mon Sep 17 00:00:00 2001
From 8d480dea4b3fd4ecce20c1569d000cb999dd50f6 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Sun, 19 Jan 2020 14:37:31 -0500
Subject: [PATCH 31/35] feat: nftables: support AllowZoneDrifting=yes
Subject: [PATCH 31/37] feat: nftables: support AllowZoneDrifting=yes
(cherry picked from commit 517a061c5886f2ebfb4aa7d73804aa7f3c5a3004)
(cherry picked from commit d15fb2911a89477f26a800d498fa47d7c2e5ec5f)
(cherry picked from commit 92c5926bb9e493545f8d949ba00cbf72e4c7f202)
---
src/firewall/core/nftables.py | 44 +++++++++++++++++++++++------------
1 file changed, 29 insertions(+), 15 deletions(-)
src/firewall/core/nftables.py | 91 ++++++++++++++++++++---------------
1 file changed, 52 insertions(+), 39 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 33a170a76a98..79799388a923 100644
index cb8521fb7a5a..c8e893b5dbf6 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -204,8 +204,11 @@ class nftables(object):
@@ -208,8 +208,11 @@ class nftables(object):
index = zone_source_index_cache[family].index(zone_source)
else:
@ -24,81 +24,136 @@ index 33a170a76a98..79799388a923 100644
+ else:
+ index = len(zone_source_index_cache[family])
+
_verb_snippet = rule[verb]
del rule[verb]
if index == 0:
rule[0] = "insert"
else:
@@ -488,8 +491,9 @@ class nftables(object):
IPTABLES_TO_NFT_HOOK["raw"][chain][1]))
@@ -506,13 +509,14 @@ class nftables(object):
"prio": IPTABLES_TO_NFT_HOOK["raw"][chain][1]}}})
for chain in ["PREROUTING"]:
- default_rules.append("add chain inet %s raw_%s_ZONES" % (TABLE_NAME, chain))
- default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES" % (TABLE_NAME, chain, chain))
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "raw_%s_ZONES" % chain}}})
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "raw_%s" % chain,
- "expr": [{"jump": {"target": "raw_%s_ZONES" % chain}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append("add chain inet %s raw_%s_%s" % (TABLE_NAME, chain, dispatch_suffix))
+ default_rules.append("add rule inet %s raw_%s jump raw_%s_%s" % (TABLE_NAME, chain, chain, dispatch_suffix))
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "raw_%s_%s" % (chain, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "raw_%s" % chain,
+ "expr": [{"jump": {"target": "raw_%s_%s" % (chain, dispatch_suffix)}}]}}})
for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys():
default_rules.append("add chain inet %s mangle_%s '{ type filter hook %s priority %d ; }'" %
@@ -497,8 +501,9 @@ class nftables(object):
IPTABLES_TO_NFT_HOOK["mangle"][chain][0],
IPTABLES_TO_NFT_HOOK["mangle"][chain][1]))
- default_rules.append("add chain inet %s mangle_%s_ZONES" % (TABLE_NAME, chain))
- default_rules.append("add rule inet %s mangle_%s jump mangle_%s_ZONES" % (TABLE_NAME, chain, chain))
default_rules.append({"add": {"chain": {"family": "inet",
@@ -521,13 +525,14 @@ class nftables(object):
"type": "filter",
"hook": "%s" % IPTABLES_TO_NFT_HOOK["mangle"][chain][0],
"prio": IPTABLES_TO_NFT_HOOK["mangle"][chain][1]}}})
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "mangle_%s_ZONES" % chain}}})
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "mangle_%s" % chain,
- "expr": [{"jump": {"target": "mangle_%s_ZONES" % chain}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append("add chain inet %s mangle_%s_%s" % (TABLE_NAME, chain, dispatch_suffix))
+ default_rules.append("add rule inet %s mangle_%s jump mangle_%s_%s" % (TABLE_NAME, chain, chain, dispatch_suffix))
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "mangle_%s_%s" % (chain, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "mangle_%s" % chain,
+ "expr": [{"jump": {"target": "mangle_%s_%s" % (chain, dispatch_suffix)}}]}}})
for family in ["ip", "ip6"]:
for chain in IPTABLES_TO_NFT_HOOK["nat"].keys():
@@ -507,8 +512,9 @@ class nftables(object):
IPTABLES_TO_NFT_HOOK["nat"][chain][0],
IPTABLES_TO_NFT_HOOK["nat"][chain][1]))
- default_rules.append("add chain %s %s nat_%s_ZONES" % (family, TABLE_NAME, chain))
- default_rules.append("add rule %s %s nat_%s jump nat_%s_ZONES" % (family, TABLE_NAME, chain, chain))
@@ -537,13 +542,15 @@ class nftables(object):
"type": "nat",
"hook": "%s" % IPTABLES_TO_NFT_HOOK["nat"][chain][0],
"prio": IPTABLES_TO_NFT_HOOK["nat"][chain][1]}}})
- default_rules.append({"add": {"chain": {"family": family,
- "table": TABLE_NAME,
- "name": "nat_%s_ZONES" % chain}}})
- default_rules.append({"add": {"rule": {"family": family,
- "table": TABLE_NAME,
- "chain": "nat_%s" % chain,
- "expr": [{"jump": {"target": "nat_%s_ZONES" % chain}}]}}})
+
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append("add chain %s %s nat_%s_%s" % (family, TABLE_NAME, chain, dispatch_suffix))
+ default_rules.append("add rule %s %s nat_%s jump nat_%s_%s" % (family, TABLE_NAME, chain, chain, dispatch_suffix))
+ default_rules.append({"add": {"chain": {"family": family,
+ "table": TABLE_NAME,
+ "name": "nat_%s_%s" % (chain, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": family,
+ "table": TABLE_NAME,
+ "chain": "nat_%s" % chain,
+ "expr": [{"jump": {"target": "nat_%s_%s" % (chain, dispatch_suffix)}}]}}})
for chain in IPTABLES_TO_NFT_HOOK["filter"].keys():
default_rules.append("add chain inet %s filter_%s '{ type filter hook %s priority %d ; }'" %
@@ -517,11 +523,12 @@ class nftables(object):
IPTABLES_TO_NFT_HOOK["filter"][chain][1]))
default_rules.append({"add": {"chain": {"family": "inet",
@@ -554,9 +561,6 @@ class nftables(object):
"prio": IPTABLES_TO_NFT_HOOK["filter"][chain][1]}}})
# filter, INPUT
- default_rules.append("add chain inet %s filter_%s_ZONES" % (TABLE_NAME, "INPUT"))
default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "INPUT"))
default_rules.append("add rule inet %s filter_%s ct status dnat accept" % (TABLE_NAME, "INPUT"))
default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "INPUT"))
- default_rules.append("add rule inet %s filter_%s jump filter_%s_ZONES" % (TABLE_NAME, "INPUT", "INPUT"))
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "filter_%s_ZONES" % "INPUT"}}})
default_rules.append({"add": {"rule": {"family": "inet",
"table": TABLE_NAME,
"chain": "filter_%s" % "INPUT",
@@ -578,10 +582,14 @@ class nftables(object):
"op": "==",
"right": "lo"}},
{"accept": None}]}}})
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "filter_%s" % "INPUT",
- "expr": [{"jump": {"target": "filter_%s_ZONES" % "INPUT"}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append("add chain inet %s filter_%s_%s" % (TABLE_NAME, "INPUT", dispatch_suffix))
+ default_rules.append("add rule inet %s filter_%s jump filter_%s_%s" % (TABLE_NAME, "INPUT", "INPUT", dispatch_suffix))
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "filter_%s" % "INPUT",
+ "expr": [{"jump": {"target": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}]}}})
if log_denied != "off":
default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "INPUT"))
default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "INPUT"))
@@ -530,13 +537,15 @@ class nftables(object):
default_rules.append("add rule inet %s filter_%s reject with icmpx type admin-prohibited" % (TABLE_NAME, "INPUT"))
default_rules.append({"add": {"rule": {"family": "inet",
"table": TABLE_NAME,
@@ -610,10 +618,6 @@ class nftables(object):
"expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}})
# filter, FORWARD
- default_rules.append("add chain inet %s filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD"))
- default_rules.append("add chain inet %s filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD"))
default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "FORWARD"))
default_rules.append("add rule inet %s filter_%s ct status dnat accept" % (TABLE_NAME, "FORWARD"))
default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "FORWARD"))
- default_rules.append("add rule inet %s filter_%s jump filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD"))
- default_rules.append("add rule inet %s filter_%s jump filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD"))
+ for direction in ["IN", "OUT"]:
- for direction in ["IN", "OUT"]:
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "filter_%s_%s_ZONES" % ("FORWARD", direction)}}})
default_rules.append({"add": {"rule": {"family": "inet",
"table": TABLE_NAME,
"chain": "filter_%s" % "FORWARD",
@@ -636,10 +640,14 @@ class nftables(object):
"right": "lo"}},
{"accept": None}]}}})
for direction in ["IN", "OUT"]:
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "filter_%s" % "FORWARD",
- "expr": [{"jump": {"target": "filter_%s_%s_ZONES" % ("FORWARD", direction)}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append("add chain inet %s filter_%s_%s_%s" % (TABLE_NAME, "FORWARD", direction, dispatch_suffix))
+ default_rules.append("add chain inet %s filter_%s_%s_%s" % (TABLE_NAME, "FORWARD", direction, dispatch_suffix))
+ default_rules.append("add rule inet %s filter_%s jump filter_%s_%s_%s" % (TABLE_NAME, "FORWARD", "FORWARD", direction, dispatch_suffix))
+ default_rules.append("add rule inet %s filter_%s jump filter_%s_%s_%s" % (TABLE_NAME, "FORWARD", "FORWARD", direction, dispatch_suffix))
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "filter_%s_%s_%s" % ("FORWARD", direction, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "filter_%s" % "FORWARD",
+ "expr": [{"jump": {"target": "filter_%s_%s_%s" % ("FORWARD", direction, dispatch_suffix)}}]}}})
if log_denied != "off":
default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "FORWARD"))
default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "FORWARD"))
@@ -634,6 +643,11 @@ class nftables(object):
default_rules.append({"add": {"rule": {"family": "inet",
"table": TABLE_NAME,
@@ -778,12 +786,17 @@ class nftables(object):
"OUTPUT": "daddr",
}[chain]
@ -110,15 +165,13 @@ index 33a170a76a98..79799388a923 100644
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
action = "goto"
@@ -653,7 +667,7 @@ class nftables(object):
rule_family = "ip6"
rule = [add_del, "rule", family, "%s" % TABLE_NAME,
- "%s_%s_ZONES" % (table, chain),
+ zone_dispatch_chain,
"%%ZONE_SOURCE%%", zone,
rule_family, opt, address, action, "%s_%s" % (table, target)]
return [rule]
rule = {"family": family,
"table": TABLE_NAME,
- "chain": "%s_%s_ZONES" % (table, chain),
+ "chain": zone_dispatch_chain,
"expr": [self._rule_addr_fragment(opt, address),
{action: {"target": "%s_%s" % (table, target)}}]}
rule.update(self._zone_source_fragment(zone, address))
--
2.23.0

24
SOURCES/0032-feat-ipXtables-support-AllowZoneDrifting-yes.patch
View File

@ -1,16 +1,16 @@
From 8342a2b3fdea4f78e5c8f842550e87857ccaa277 Mon Sep 17 00:00:00 2001
From e6a56f32e2eced533a8edbc97652de6b436df63a Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Sun, 19 Jan 2020 16:16:59 -0500
Subject: [PATCH 32/35] feat: ipXtables: support AllowZoneDrifting=yes
Subject: [PATCH 32/37] feat: ipXtables: support AllowZoneDrifting=yes
(cherry picked from commit 1f7b5ffcd40daf2a7f2ef1ec0cccb95080e74fb6)
(cherry picked from commit 0435bc024cf9ecf5aad7d3c37f7ef55396de73a4)
(cherry picked from commit c6b6ab1c0625bfd906a7783e3924b676b514cf6b)
---
src/firewall/core/ipXtables.py | 93 +++++++++++++++++++---------------
1 file changed, 51 insertions(+), 42 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 2f4ec46d8339..c9c1acc44a4c 100644
index 973bf5bbae04..61c307d0e05a 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -323,8 +323,11 @@ class ip4tables(object):
@ -27,7 +27,7 @@ index 2f4ec46d8339..c9c1acc44a4c 100644
rule[0] = "-I"
rule.insert(2, "%d" % (index + 1))
@@ -667,9 +670,10 @@ class ip4tables(object):
@@ -666,9 +669,10 @@ class ip4tables(object):
self.our_chains["raw"].add("%s_direct" % chain)
if chain == "PREROUTING":
@ -41,7 +41,7 @@ index 2f4ec46d8339..c9c1acc44a4c 100644
if self.get_available_tables("mangle"):
default_rules["mangle"] = [ ]
@@ -680,9 +684,10 @@ class ip4tables(object):
@@ -679,9 +683,10 @@ class ip4tables(object):
self.our_chains["mangle"].add("%s_direct" % chain)
if chain == "PREROUTING":
@ -55,7 +55,7 @@ index 2f4ec46d8339..c9c1acc44a4c 100644
if self.get_available_tables("nat"):
default_rules["nat"] = [ ]
@@ -693,19 +698,22 @@ class ip4tables(object):
@@ -692,19 +697,22 @@ class ip4tables(object):
self.our_chains["nat"].add("%s_direct" % chain)
if chain in [ "PREROUTING", "POSTROUTING" ]:
@ -91,7 +91,7 @@ index 2f4ec46d8339..c9c1acc44a4c 100644
if log_denied != "off":
default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID -j DROP")
@@ -713,17 +721,16 @@ class ip4tables(object):
@@ -712,17 +720,16 @@ class ip4tables(object):
default_rules["filter"].append("-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '")
default_rules["filter"].append("-A INPUT -j %%REJECT%%")
@ -119,7 +119,7 @@ index 2f4ec46d8339..c9c1acc44a4c 100644
if log_denied != "off":
default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID -j DROP")
@@ -737,10 +744,7 @@ class ip4tables(object):
@@ -736,10 +743,7 @@ class ip4tables(object):
"-A OUTPUT -o lo -j ACCEPT",
"-A OUTPUT -j OUTPUT_direct",
]
@ -131,7 +131,7 @@ index 2f4ec46d8339..c9c1acc44a4c 100644
final_default_rules = []
for table in default_rules:
@@ -806,6 +810,11 @@ class ip4tables(object):
@@ -805,6 +809,11 @@ class ip4tables(object):
"OUTPUT": "-d",
}[chain]
@ -143,7 +143,7 @@ index 2f4ec46d8339..c9c1acc44a4c 100644
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
action = "-g"
@@ -816,8 +825,8 @@ class ip4tables(object):
@@ -815,8 +824,8 @@ class ip4tables(object):
else:
opt = "src"
flags = ",".join([opt] * self._fw.ipset.get_dimension(name))
@ -154,7 +154,7 @@ index 2f4ec46d8339..c9c1acc44a4c 100644
"-t", table,
"-m", "set", "--match-set", name,
flags, action, target ]
@@ -826,14 +835,14 @@ class ip4tables(object):
@@ -825,14 +834,14 @@ class ip4tables(object):
# outgoing can not be set
if opt == "-d":
return ""

52
SOURCES/0033-test-verify-AllowZoneDrifting-yes.patch
View File

@ -1,19 +1,19 @@
From d5fb90bf13f46432292eeeb1fe48727f52333348 Mon Sep 17 00:00:00 2001
From 3e3369ef14f4eba22a5c37113ba6d5e19c7ebc24 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Sun, 19 Jan 2020 16:49:14 -0500
Subject: [PATCH 33/35] test: verify AllowZoneDrifting=yes
Subject: [PATCH 33/37] test: verify AllowZoneDrifting=yes
Verify the zone dispatch layout.
(cherry picked from commit bca4e6af91fc4c6a55f7c2bce9e4fe7bcee526a1)
(cherry picked from commit f60b13d837d2726175d1dae213777dde8025e7ec)
(cherry picked from commit 8f9ba9bc80f039408992e1b780bca0beab8bd92c)
---
src/tests/regression/gh258.at | 536 +++++++++++++++++++++++++---
src/tests/regression/rhbz1734765.at | 180 +++++++++-
2 files changed, 671 insertions(+), 45 deletions(-)
diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at
index 1896a9bfc61c..01b717483d77 100644
index 4bbea4c25442..d414c611fa26 100644
--- a/src/tests/regression/gh258.at
+++ b/src/tests/regression/gh258.at
@@ -1,12 +1,15 @@
@ -23,7 +23,7 @@ index 1896a9bfc61c..01b717483d77 100644
-FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore)
+FWD_CHECK([--permanent --zone=trusted --add-source="1.2.3.0/24"], 0, ignore)
IF_IPV6_SUPPORTED([
IF_HOST_SUPPORTS_IPV6_RULES([
-FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore)
+FWD_CHECK([--permanent --zone=public --add-source="dead:beef::/54"], 0, ignore)
])
@ -73,7 +73,7 @@ index 1896a9bfc61c..01b717483d77 100644
goto filter_FWDO_public
}
}
@@ -83,9 +86,9 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
@@ -91,9 +94,9 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl
table inet firewalld {
chain raw_PREROUTING_ZONES {
ip6 saddr dead:beef::/54 goto raw_PRE_public
@ -85,7 +85,7 @@ index 1896a9bfc61c..01b717483d77 100644
goto raw_PRE_public
}
}
@@ -101,9 +104,9 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
@@ -109,9 +112,9 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl
table inet firewalld {
chain mangle_PREROUTING_ZONES {
ip6 saddr dead:beef::/54 goto mangle_PRE_public
@ -97,7 +97,7 @@ index 1896a9bfc61c..01b717483d77 100644
goto mangle_PRE_public
}
}
@@ -118,9 +121,9 @@ NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
@@ -126,9 +129,9 @@ NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl
NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl
table ip firewalld {
chain nat_PREROUTING_ZONES {
@ -109,7 +109,7 @@ index 1896a9bfc61c..01b717483d77 100644
goto nat_PRE_public
}
}
@@ -135,9 +138,9 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
@@ -143,9 +146,9 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl
NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl
table ip firewalld {
chain nat_POSTROUTING_ZONES {
@ -121,7 +121,7 @@ index 1896a9bfc61c..01b717483d77 100644
goto nat_POST_public
}
}
@@ -153,8 +156,8 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
@@ -161,8 +164,8 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl
table ip6 firewalld {
chain nat_PREROUTING_ZONES {
ip6 saddr dead:beef::/54 goto nat_PRE_public
@ -131,7 +131,7 @@ index 1896a9bfc61c..01b717483d77 100644
goto nat_PRE_public
}
}
@@ -170,8 +173,8 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
@@ -178,8 +181,8 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl
table ip6 firewalld {
chain nat_POSTROUTING_ZONES {
ip6 daddr dead:beef::/54 goto nat_POST_public
@ -141,7 +141,7 @@ index 1896a9bfc61c..01b717483d77 100644
goto nat_POST_public
}
}
@@ -186,9 +189,9 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
@@ -194,9 +197,9 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])
IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
@ -153,7 +153,7 @@ index 1896a9bfc61c..01b717483d77 100644
IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
@@ -201,15 +204,15 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
@@ -209,15 +212,15 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
])
IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
@ -173,7 +173,7 @@ index 1896a9bfc61c..01b717483d77 100644
FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
@@ -217,9 +220,9 @@ IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
@@ -225,9 +228,9 @@ IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
@ -185,7 +185,7 @@ index 1896a9bfc61c..01b717483d77 100644
PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
@@ -227,9 +230,9 @@ IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
@@ -235,9 +238,9 @@ IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
@ -197,7 +197,7 @@ index 1896a9bfc61c..01b717483d77 100644
PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
@@ -237,9 +240,9 @@ IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
@@ -245,9 +248,9 @@ IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
@ -209,7 +209,7 @@ index 1896a9bfc61c..01b717483d77 100644
PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
@@ -247,9 +250,9 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
@@ -255,9 +258,9 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0
])
IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
@ -221,7 +221,7 @@ index 1896a9bfc61c..01b717483d77 100644
POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
]])
@@ -263,8 +266,8 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
@@ -271,8 +274,8 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl
])
IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0,
[[IN_public all dead:beef::/54 ::/0 [goto]
@ -231,7 +231,7 @@ index 1896a9bfc61c..01b717483d77 100644
IN_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
@@ -279,14 +282,14 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
@@ -287,14 +290,14 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl
])
IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0,
[[FWDI_public all dead:beef::/54 ::/0 [goto]
@ -248,7 +248,7 @@ index 1896a9bfc61c..01b717483d77 100644
FWDO_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
@@ -298,8 +301,8 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
@@ -306,8 +309,8 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl
])
IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0,
[[PRE_public all dead:beef::/54 ::/0 [goto]
@ -258,7 +258,7 @@ index 1896a9bfc61c..01b717483d77 100644
PRE_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
@@ -308,8 +311,8 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
@@ -316,8 +319,8 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl
])
IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0,
[[PRE_public all dead:beef::/54 ::/0 [goto]
@ -268,7 +268,7 @@ index 1896a9bfc61c..01b717483d77 100644
PRE_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
@@ -318,8 +321,8 @@ IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
@@ -326,8 +329,8 @@ IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl
])
IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0,
[[PRE_public all dead:beef::/54 ::/0 [goto]
@ -278,7 +278,7 @@ index 1896a9bfc61c..01b717483d77 100644
PRE_public all ::/0 ::/0 [goto]
]])
IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
@@ -328,9 +331,456 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
@@ -336,9 +339,456 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl
])
IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0,
[[POST_public all ::/0 dead:beef::/54 [goto]
@ -376,7 +376,7 @@ index 1896a9bfc61c..01b717483d77 100644
+ }
+ }
+])
+m4_if(yes, HOST_SUPPORTS_NFT_FIB, [dnl
+IF_HOST_SUPPORTS_NFT_FIB([
+ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl
+ table inet firewalld {
+ chain raw_PREROUTING {
@ -738,7 +738,7 @@ index 1896a9bfc61c..01b717483d77 100644
-FWD_END_TEST
+FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d'])
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
index 168be70a2900..3751e60204e4 100644
index 972457e3126e..bb054bdb0361 100644
--- a/src/tests/regression/rhbz1734765.at
+++ b/src/tests/regression/rhbz1734765.at
@@ -1,9 +1,12 @@
@ -772,7 +772,7 @@ index 168be70a2900..3751e60204e4 100644
+
+FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"])
+FWD_CHECK([-q --zone=public --add-source="20.20.20.20"])
+IF_IPV6_SUPPORTED([
+IF_HOST_SUPPORTS_IPV6_RULES([
+FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"])
+FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"])
+FWD_CHECK([-q --zone=foobar_012 --add-source ipset:ipsetv6])

328
SOURCES/0034-chore-test-retab-some-test-cases.patch Normal file
View File

@ -0,0 +1,328 @@
From 9ffa72e5b9b3d36f8a2b52a3dcaac519f7f08b5e Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 29 Jan 2020 10:56:06 -0500
Subject: [PATCH 34/37] chore: test: retab some test cases
Replace leading tabs with spaces.
(cherry picked from commit 890d8a60893a0c3975b792bcbd3a6c65419a8e8c)
(cherry picked from commit 9b2609406c0f20681bc02f98b24091e8f509e26f)
---
src/tests/features/helpers_custom.at | 120 +++++++++++++--------------
src/tests/regression/gh453.at | 68 +++++++--------
src/tests/regression/rhbz1506742.at | 2 +-
src/tests/regression/rhbz1734765.at | 28 +++----
4 files changed, 109 insertions(+), 109 deletions(-)
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index bf673bd70b33..bd4b52cfb1d6 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -33,32 +33,32 @@ ftptest
FWD_CHECK([-q --add-service=ftptest])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
- table inet firewalld {
- chain filter_IN_public_allow {
- tcp dport 22 ct state new,untracked accept
- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
- tcp dport 9090 ct state new,untracked accept
- tcp dport 2121 ct helper set "helper-ftptest-tcp"
- tcp dport 2121 ct state new,untracked accept
- }
- }
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ tcp dport 2121 ct helper set "helper-ftptest-tcp"
+ tcp dport 2121 ct state new,untracked accept
+ }
+ }
])
IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
+ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
+ CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
dnl Same thing as above, but with the new "helper" in service.
@@ -90,32 +90,32 @@ ftptest
FWD_CHECK([-q --add-service=ftptest])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
- table inet firewalld {
- chain filter_IN_public_allow {
- tcp dport 22 ct state new,untracked accept
- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
- tcp dport 9090 ct state new,untracked accept
- tcp dport 2121 ct helper set "helper-ftptest-tcp"
- tcp dport 2121 ct state new,untracked accept
- }
- }
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ tcp dport 2121 ct helper set "helper-ftptest-tcp"
+ tcp dport 2121 ct state new,untracked accept
+ }
+ }
])
IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
+ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
+ CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
dnl again, but with both "module" and "helper"
@@ -128,38 +128,38 @@ FWD_RELOAD
FWD_CHECK([-q --add-service=ftptest])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
- table inet firewalld {
- chain filter_IN_public_allow {
- tcp dport 22 ct state new,untracked accept
- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
- tcp dport 9090 ct state new,untracked accept
- tcp dport 21 ct helper set "helper-ftp-tcp"
- tcp dport 2121 ct helper set "helper-ftptest-tcp"
- tcp dport 2121 ct state new,untracked accept
- tcp dport 21 ct state new,untracked accept
- }
- }
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ tcp dport 21 ct helper set "helper-ftp-tcp"
+ tcp dport 2121 ct helper set "helper-ftptest-tcp"
+ tcp dport 2121 ct state new,untracked accept
+ tcp dport 21 ct state new,untracked accept
+ }
+ }
])
IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 CT helper ftp
- CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
+ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 CT helper ftp
+ CT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 CT helper ftp
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
- ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
- CT tcp ::/0 ::/0 tcp dpt:21 CT helper ftp
- CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
+ CT tcp ::/0 ::/0 tcp dpt:21 CT helper ftp
+ CT tcp ::/0 ::/0 tcp dpt:2121 CT helper ftp
])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
- ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
- ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
- ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
FWD_END_TEST
diff --git a/src/tests/regression/gh453.at b/src/tests/regression/gh453.at
index 6d820fce840a..61bc90aae673 100644
--- a/src/tests/regression/gh453.at
+++ b/src/tests/regression/gh453.at
@@ -8,50 +8,50 @@ FWD_CHECK([-q --set-automatic-helpers=no])
FWD_CHECK([-q --add-service=ftp])
NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-ftp-tcp"], 0, [m4_strip([dnl
- ct helper helper-ftp-tcp {
- type "ftp" protocol tcp
- l3proto inet
- }
+ ct helper helper-ftp-tcp {
+ type "ftp" protocol tcp
+ l3proto inet
+ }
])])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
- table inet firewalld {
- chain filter_IN_public_allow {
- tcp dport 22 ct state new,untracked accept
- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
- tcp dport 9090 ct state new,untracked accept
- tcp dport 21 ct helper set "helper-ftp-tcp"
- tcp dport 21 ct state new,untracked accept
- }
- }
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ tcp dport 21 ct helper set "helper-ftp-tcp"
+ tcp dport 21 ct state new,untracked accept
+ }
+ }
])
FWD_CHECK([-q --add-service=sip])
NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-sip-tcp"], 0, [m4_strip([dnl
- ct helper helper-sip-tcp {
- type "sip" protocol tcp
- l3proto inet
- }
+ ct helper helper-sip-tcp {
+ type "sip" protocol tcp
+ l3proto inet
+ }
])])
NS_CHECK([nft list ruleset | TRIM_WHITESPACE |grep -A3 "ct helper helper-sip-udp"], 0, [m4_strip([dnl
- ct helper helper-sip-udp {
- type "sip" protocol udp
- l3proto inet
- }
+ ct helper helper-sip-udp {
+ type "sip" protocol udp
+ l3proto inet
+ }
])])
NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
- table inet firewalld {
- chain filter_IN_public_allow {
- tcp dport 22 ct state new,untracked accept
- ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
- tcp dport 9090 ct state new,untracked accept
- tcp dport 21 ct helper set "helper-ftp-tcp"
- tcp dport 21 ct state new,untracked accept
- tcp dport 5060 ct helper set "helper-sip-tcp"
- udp dport 5060 ct helper set "helper-sip-udp"
- tcp dport 5060 ct state new,untracked accept
- udp dport 5060 ct state new,untracked accept
- }
- }
+ table inet firewalld {
+ chain filter_IN_public_allow {
+ tcp dport 22 ct state new,untracked accept
+ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
+ tcp dport 21 ct helper set "helper-ftp-tcp"
+ tcp dport 21 ct state new,untracked accept
+ tcp dport 5060 ct helper set "helper-sip-tcp"
+ udp dport 5060 ct helper set "helper-sip-udp"
+ tcp dport 5060 ct state new,untracked accept
+ udp dport 5060 ct state new,untracked accept
+ }
+ }
])
FWD_END_TEST
diff --git a/src/tests/regression/rhbz1506742.at b/src/tests/regression/rhbz1506742.at
index 48b224731fbc..2ab4f1a9cef1 100644
--- a/src/tests/regression/rhbz1506742.at
+++ b/src/tests/regression/rhbz1506742.at
@@ -20,4 +20,4 @@ FWD_CHECK([-q --ipset=foobar --query-entry=1.2.3.4], 32, ignore, ignore)
FWD_CHECK([-q --ipset=foobar --remove-entries-from-file=foobar_entries.txt])
FWD_END_TEST([-e '/Error: IPSET_WITH_TIMEOUT/d' dnl
-e '/ERROR: IPSET_WITH_TIMEOUT/d' dnl
- -e '/WARNING: NOT_ENABLED/d'])
+ -e '/WARNING: NOT_ENABLED/d'])
diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at
index bb054bdb0361..b5023a058a55 100644
--- a/src/tests/regression/rhbz1734765.at
+++ b/src/tests/regression/rhbz1734765.at
@@ -44,22 +44,22 @@ FWD_CHECK([-q --permanent --zone=trusted --add-interface=foobar1])
FWD_RELOAD
NFT_LIST_SET([ipsetv4], 0, [dnl
- table inet firewalld {
- set ipsetv4 {
- type ipv4_addr
- flags interval
- elements = { 192.0.2.12 }
- }
- }
+ table inet firewalld {
+ set ipsetv4 {
+ type ipv4_addr
+ flags interval
+ elements = { 192.0.2.12 }
+ }
+ }
])
NFT_LIST_SET([ipsetv6], 0, [dnl
- table inet firewalld {
- set ipsetv6 {
- type ipv6_addr
- flags interval
- elements = { ::2 }
- }
- }
+ table inet firewalld {
+ set ipsetv6 {
+ type ipv6_addr
+ flags interval
+ elements = { ::2 }
+ }
+ }
])
FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"])
--
2.23.0

43
SOURCES/0035-improvement-translations-build-target-to-merge-from-.patch Normal file
View File

@ -0,0 +1,43 @@
From 25c8e71e0acea773b62f4772069b1c8b63257c3e Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Fri, 31 Jan 2020 12:24:54 -0500
Subject: [PATCH 35/37] improvement: translations: build target to merge from
master
This new target, merge-po, will automatically merge new translations
from the master branch. It's meant to be run only from the stable
branches.
(cherry picked from commit 8f5998c84dbb35edb477e1a98e274fd43b29bdcd)
(cherry picked from commit 3714754699df142c7ec88182603079286a41ef86)
---
Makefile.am | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 85da0b5857d2..72dc039b5591 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -118,6 +118,19 @@ update-po:
ls $(top_srcdir)/po/*.po | sed 's/.*\/po\///;s/.po//' > $(top_srcdir)/po/LINGUAS
$(MAKE) -C po update-po ${PACKAGE_NAME}.pot
+# This merges translations from the upstream master branch.
+# It's only meant to be used from the stable branches. Translations
+# contributions are only done against master.
+merge-po: update-po
+ git fetch -q https://github.com/firewalld/firewalld master; \
+ for po in $(top_srcdir)/po/*.po; do \
+ mv $${po} $${po}.old; \
+ git checkout -q FETCH_HEAD $${po}; \
+ msgcat --use-first -o $${po}.merged $${po} $${po}.old; \
+ mv $${po}.merged $${po}; \
+ git add $${po}; \
+ done
+
clean-po:
@for cat in `cat ${top_srcdir}/po/LINGUAS`; do \
msgattrib --translated --no-fuzzy --no-obsolete --force-po --no-location --clear-previous --strict $(top_srcdir)/po/$$cat.po -o $(top_srcdir)/po/$$cat.out; \
--
2.23.0

3990
SOURCES/0036-chore-translation-merge-from-master.patch Normal file
View File

File diff suppressed because it is too large Load Diff

102
SOURCES/0037-improvement-check-container-use-docker-build.patch Normal file
View File

@ -0,0 +1,102 @@
From e5cf566becc7ffa01e0339e95b20469993af8d2b Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 3 Feb 2020 08:38:57 -0500
Subject: [PATCH 37/39] improvement: check-container: use docker build
This is so we can have intermediate images and make use of the cache.
Avoids rebuilding the container every time.
(cherry picked from commit a7fead65d6920c26df5f2a12e53bb8eb5a752ee6)
(cherry picked from commit b79b8a58ffc8ab24d8c0a8e61598452b3407b80f)
---
src/tests/Makefile.am | 65 ++++++++++++++++++++++---------------------
1 file changed, 33 insertions(+), 32 deletions(-)
diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
index bf028c7c5389..c01ee682c0b2 100644
--- a/src/tests/Makefile.am
+++ b/src/tests/Makefile.am
@@ -46,47 +46,48 @@ $(TESTSUITE) $(TESTSUITE_INTEGRATION): $(TESTSUITE_FILES) $(srcdir)/package.m4
$(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at
mv $@.tmp $@
-check-container-debian-sid:
- (cd $(abs_top_srcdir) && tar -c . ) | \
- $(PODMAN) run -i --rm --privileged debian:sid bash -c \
- "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \
- apt-get update && \
- apt-get install -y autoconf automake pkg-config intltool libglib2.0-dev \
- xsltproc docbook-xsl docbook-xml iptables ipset ebtables \
- nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \
- python3-dbus python3-gi python3-slip-dbus python3-nftables \
- procps network-manager gir1.2-nm-1.0 && \
- apt-get install -y libnftables-dev && \
- ./autogen.sh && \
- ./configure PYTHON=/usr/bin/python3 && \
- make && \
- make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \
- make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" "
+CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide
+
+check-container-debian-sid-image: check-container-%-image:
+ (cd $(abs_top_srcdir) && { \
+ echo "FROM debian:sid" && \
+ echo "RUN apt-get update" && \
+ echo "RUN apt-get install -y autoconf automake pkg-config intltool libglib2.0-dev \
+ xsltproc docbook-xsl docbook-xml iptables ipset ebtables \
+ nftables libxml2-utils libdbus-1-dev libgirepository1.0-dev \
+ python3-dbus python3-gi python3-slip-dbus python3-nftables \
+ procps network-manager gir1.2-nm-1.0" && \
+ echo "COPY . /tmp/firewalld"; \
+ } | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
+
+check-container-fedora-rawhide-image: check-container-%-image:
+ (cd $(abs_top_srcdir) && { \
+ echo "FROM fedora:rawhide" && \
+ echo "RUN dnf -y makecache" && \
+ echo "RUN dnf -y install autoconf automake conntrack-tools desktop-file-utils \
+ docbook-style-xsl file gettext glib2-devel intltool ipset \
+ iptables iptables-nft libtool libxml2 libxslt make nftables \
+ python3-nftables python3-slip-dbus python3-gobject-base \
+ diffutils procps-ng iproute which dbus-daemon \
+ NetworkManager" && \
+ echo "RUN alternatives --set ebtables /usr/sbin/ebtables-nft" && \
+ echo "COPY . /tmp/firewalld"; \
+ } | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
-check-container-fedora-rawhide:
- (cd $(abs_top_srcdir) && tar -c . ) | \
- $(PODMAN) run -i --rm --privileged fedora:rawhide bash -c \
- "mkdir -p /tmp/firewalld && cd /tmp/firewalld && tar -x && \
- dnf -y makecache && \
- dnf -y install autoconf automake conntrack-tools desktop-file-utils \
- docbook-style-xsl file gettext glib2-devel intltool ipset \
- iptables iptables-nft libtool libxml2 libxslt make nftables \
- python3-nftables python3-slip-dbus python3-gobject-base \
- diffutils procps-ng iproute which dbus-daemon \
- NetworkManager && \
- alternatives --set ebtables /usr/sbin/ebtables-nft && \
+$(CONTAINER_TARGETS): check-container-%: check-container-%-image
+ $(PODMAN) run -i --rm --privileged firewalld-testsuite-$* bash -c " \
+ cd /tmp/firewalld && \
./autogen.sh && \
./configure PYTHON=/usr/bin/python3 && \
make && \
make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" && \
make -C src/tests check-integration TESTSUITEFLAGS=\"$(TESTSUITEFLAGS) -j1\" "
+ $(PODMAN) rmi firewalld-testsuite-$*
-check-container: check-container-debian-sid
-check-container: check-container-fedora-rawhide
+check-container: $(CONTAINER_TARGETS)
.PHONY: check-container
-.PHONY: check-container-debian-sid
-.PHONY: check-container-fedora-rawhide
+.PHONY: $(CONTAINER_TARGETS) $(foreach container,$(CONTAINER_TARGETS),$(container)-image)
check-integration: atconfig atlocal $(TESTSUITE_INTEGRATION)
$(SHELL) '$(TESTSUITE_INTEGRATION)' $(TESTSUITEFLAGS) \
--
2.23.0

10
SOURCES/0034-fix-firewall-offline-cmd-Don-t-print-warning-about-A.patch → SOURCES/0038-fix-firewall-offline-cmd-Don-t-print-warning-about-A.patch
View File

@ -1,7 +1,7 @@
From 8b332eae015f215f9db3f2cd2961ebfcec9e2b1a Mon Sep 17 00:00:00 2001
From e84f00aee61d5055c2da2c9c1aff683f20b84f56 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Feb 2020 13:12:31 -0500
Subject: [PATCH 34/35] fix: firewall-offline-cmd: Don't print warning about
Subject: [PATCH 38/39] fix: firewall-offline-cmd: Don't print warning about
AllowZoneDrifting
If we're called from firewall-offline-cmd, don't log the warning. It's
@ -9,16 +9,16 @@ overly verbose to warn on every invocation.
Fixes: afadd377b09d ("feat: AllowZoneDrifting config option")
(cherry picked from commit eefcb1a712ffca5e08dcefa6aa17c935c16b835f)
(cherry picked from commit b6d3bd4c4359523b483eb630f9265cc4cbe408f2)
(cherry picked from commit ba1f1a744ca543b4e9359ab26b4b1f9ff70fcb64)
---
src/firewall/core/fw.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 07bc9f375771..969052bd92bd 100644
index 6206ed586988..ebadd6cce20e 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -331,10 +331,11 @@ class Firewall(object):
@@ -293,10 +293,11 @@ class Firewall(object):
self._allow_zone_drifting = False
else:
self._allow_zone_drifting = True

77
SOURCES/0035-RHEL-only-default-to-AllowZoneDrifting-yes.patch → SOURCES/0039-RHEL-only-default-to-AllowZoneDrifting-yes.patch
View File

@ -1,25 +1,25 @@
From e9a5699dcb4e50dacbf1350b39a95dc9aef6cefa Mon Sep 17 00:00:00 2001
From d31326a93b0dc1e203f4696aca4a7c0f8118d2e8 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Feb 2020 09:12:17 -0500
Subject: [PATCH 35/35] RHEL only: default to AllowZoneDrifting=yes
Subject: [PATCH 39/39] RHEL only: default to AllowZoneDrifting=yes
---
config/firewalld.conf | 4 ++--
doc/xml/firewalld.conf.xml | 2 +-
doc/xml/firewalld.dbus.xml | 2 +-
src/firewall/config/__init__.py.in | 2 +-
src/tests/dbus/firewalld.conf.at | 2 +-
src/tests/cli/firewall-cmd.at | 4 ++++
src/tests/dbus/firewalld.conf.at | 4 ++--
src/tests/features/rfc3964_ipv4.at | 4 ++++
src/tests/firewall-cmd.at | 4 ++++
src/tests/functions.at | 1 +
src/tests/regression/rhbz1514043.at | 4 ++++
9 files changed, 19 insertions(+), 6 deletions(-)
9 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index ebf8021226b7..6d0feb88f7c3 100644
index 532f0452212e..f791b2358ab8 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -81,5 +81,5 @@ RFC3964_IPv4=yes
@@ -71,5 +71,5 @@ RFC3964_IPv4=yes
# Note: If "yes" packets will only drift from source based zones to interface
# based zones (including the default zone). Packets never drift from interface
# based zones to other interfaces based zones (including the default zone).
@ -28,7 +28,7 @@ index ebf8021226b7..6d0feb88f7c3 100644
+# Possible values; "yes", "no". Defaults to "yes".
+AllowZoneDrifting=yes
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 8108066e88bf..9574c567867f 100644
index fcfbfd2b68c1..c21ef87813bc 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -197,7 +197,7 @@
@ -41,10 +41,10 @@ index 8108066e88bf..9574c567867f 100644
</listitem>
</varlistentry>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index f72bad526d65..408787594035 100644
index 5d77af976443..77ad77c01675 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2590,7 +2590,7 @@
@@ -2591,7 +2591,7 @@
to interface based zones (including the default zone). Packets
never drift from interface based zones to other interfaces
based zones (including the default zone).
@ -54,26 +54,50 @@ index f72bad526d65..408787594035 100644
</varlistentry>
<varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index c009d93e4164..fbef1828c8aa 100644
index 481eb8de758d..645c76b66c8d 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -132,4 +132,4 @@ FALLBACK_AUTOMATIC_HELPERS = "system"
@@ -130,4 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"
FALLBACK_FIREWALL_BACKEND = "nftables"
FALLBACK_FLUSH_ALL_ON_RELOAD = True
FALLBACK_RFC3964_IPV4 = True
-FALLBACK_ALLOW_ZONE_DRIFTING = False
+FALLBACK_ALLOW_ZONE_DRIFTING = True
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 51b367e7a0f0..3590cb23d600 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -1054,6 +1054,10 @@ FWD_START_TEST([rich rules priority])
CHECK_LOG_AUDIT
+ dnl Expected test results assume this is set to "no"
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+ FWD_RELOAD
+
dnl Verify generic layout of zone
NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl
table inet firewalld {
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 65ac702f4713..de3780e5b5e4 100644
index 35aead759a9c..4eefa3286f9f 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -3,7 +3,7 @@ AT_KEYWORDS(dbus)
@@ -4,7 +4,7 @@ AT_KEYWORDS(dbus)
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
IF_HOST_SUPPORTS_NFT_FIB([
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "system"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
@@ -18,7 +18,7 @@ string "MinimalMark" : variant int32 100
string "RFC3964_IPv4" : variant string "yes"
])], [
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
@ -91,27 +115,12 @@ index 54f5f756270b..15fef52612cc 100644
AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
FWD_RELOAD
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index 53f2eb2c7c88..ad6ed9540c7f 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -970,6 +970,10 @@ FWD_START_TEST([rich rules priority])
CHECK_LOG_AUDIT
+ dnl Expected test results assume this is set to "no"
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+ FWD_RELOAD
+
dnl Verify generic layout of zone
NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl
table inet firewalld {
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 3771bb8bd5a7..ef7c696ddf73 100644
index cd4e31c7f9d4..0e28420d7123 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -149,6 +149,7 @@ m4_define([FWD_END_TEST], [
IF_IPV6_SUPPORTED([], [
@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [
IF_HOST_SUPPORTS_IP6TABLES([], [
sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
])
+ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log

123
SOURCES/0040-doc-direct-add-CAVEATS-section.patch Normal file
View File

@ -0,0 +1,123 @@
From 8d899360b8cd33962fa0b73cc17d2b8bb7710252 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 19 Feb 2020 09:48:01 -0500
Subject: [PATCH] doc: direct: add CAVEATS section
This basically covers issues/questions users have been asking about
direct rules and the nftables backend.
Fixes: #555
Fixes: rhbz 1692964
(cherry picked from commit dbcba0433b9986b6da2172bc9a826836af2be9b0)
(cherry picked from commit 0e826f0681da9917f29f26cfdd881f490a210f31)
---
doc/xml/firewall-cmd.xml.in | 3 ++
doc/xml/firewall-offline-cmd.xml | 3 ++
doc/xml/firewalld.direct.xml | 63 ++++++++++++++++++++++++++++++++
3 files changed, 69 insertions(+)
diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
index 3562b4cc7fdc..be65d61166c2 100644
--- a/doc/xml/firewall-cmd.xml.in
+++ b/doc/xml/firewall-cmd.xml.in
@@ -1810,6 +1810,9 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
<para>
Direct options should be used only as a last resort when it's not possible to use for example <option>--add-service</option>=<replaceable>service</replaceable> or <option>--add-rich-rule</option>='<replaceable>rule</replaceable>'.
</para>
+ <para>
+ <emphasis role="bold">Warning</emphasis>: Direct rules behavior is different depending on the value of <literal>FirewallBackend</literal>. See <literal>CAVEATS</literal> in <citerefentry><refentrytitle>firewalld.direct</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
<para>
The first argument of each option has to be <literal>ipv4</literal> or <literal>ipv6</literal> or <literal>eb</literal>. With <literal>ipv4</literal> it will be for IPv4 (<citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>), with <literal>ipv6</literal> for IPv6 (<citerefentry><refentrytitle>ip6tables</refentrytitle><manvolnum>8</manvolnum></citerefentry>) and with <literal>eb</literal> for ethernet bridges (<citerefentry><refentrytitle>ebtables</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
</para>
diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml
index eb2fd75e231c..16159748aea0 100644
--- a/doc/xml/firewall-offline-cmd.xml
+++ b/doc/xml/firewall-offline-cmd.xml
@@ -1784,6 +1784,9 @@
<para>
Direct options should be used only as a last resort when it's not possible to use for example <option>--add-service</option>=<replaceable>service</replaceable> or <option>--add-rich-rule</option>='<replaceable>rule</replaceable>'.
</para>
+ <para>
+ <emphasis role="bold">Warning</emphasis>: Direct rules behavior is different depending on the value of <literal>FirewallBackend</literal>. See <literal>CAVEATS</literal> in <citerefentry><refentrytitle>firewalld.direct</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
<para>
The first argument of each option has to be <literal>ipv4</literal> or <literal>ipv6</literal> or <literal>eb</literal>. With <literal>ipv4</literal> it will be for IPv4 (<citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry>), with <literal>ipv6</literal> for IPv6 (<citerefentry><refentrytitle>ip6tables</refentrytitle><manvolnum>8</manvolnum></citerefentry>) and with <literal>eb</literal> for ethernet bridges (<citerefentry><refentrytitle>ebtables</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
</para>
diff --git a/doc/xml/firewalld.direct.xml b/doc/xml/firewalld.direct.xml
index d4e5cd74d590..de7b5973dd7f 100644
--- a/doc/xml/firewalld.direct.xml
+++ b/doc/xml/firewalld.direct.xml
@@ -206,6 +206,69 @@
</refsect1>
+ <refsect1 id="caveats">
+ <title>Caveats</title>
+
+ <para>
+ Depending on the value of <literal>FirewallBackend</literal> (see <citerefentry><refentrytitle>firewalld.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) direct rules behave differently in some scenarios.
+ </para>
+ <refsect2 id="Packet accept/drop precedence">
+ <title>Packet accept/drop precedence</title>
+ <para>
+ Due to implementation details of netfilter inside the kernel, if <literal>FirewallBackend=nftables</literal> is used direct rules that <literal>ACCEPT</literal> packets don't actually cause the packets to be immediately accepted by the system. Those packets are still be subject to firewalld's nftables ruleset. This basically means there are two independent firewalls and packets must be accepted by both (iptables and nftables). As an aside, this scenario also occurs inside of nftables (again due to netfilter) if there are multiple chains attached to the same hook - it's not as simple as iptables vs nftables.
+ </para>
+ <para>
+ There are a handful of options to workaround the <literal>ACCEPT</literal> issue:
+ </para>
+ <orderedlist>
+ <listitem><para>Rich Rules</para>
+ <para>
+ If a rich rule can be used, then they should always be preferred over direct rules. Rich Rules will be converted to the enabled <literal>FirewallBackend</literal>. See <citerefentry><refentrytitle>firewalld.richlanguage</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ <listitem><para>Blanket Accept</para>
+ <para>
+ Users can add an explicit accept to the nftables ruleset. This can be done by adding the interface or source to the <literal>trusted</literal> zone.
+ </para>
+ <para>
+ This strategy is often employed by things that perform their own filtering such as: libvirt, podman, docker.
+ </para>
+ <para>
+ <emphasis role="bold">Warning</emphasis>: This means firewalld will do no filtering on these packets. It must all be done via direct rules or out-of-band iptables rules.
+ </para>
+ </listitem>
+ <listitem><para>Selective Accept</para>
+ <para>
+ Alternatively, enable only the relevant service, port, address, or otherwise in the appropriate zone.
+ </para>
+ </listitem>
+ <listitem><para>Revert to the iptables backend</para>
+ <para>
+ A last resort is to revert to the iptables backend by setting <literal>FirewallBackend=iptables</literal>. Users should be aware that firewalld development focuses on the nftables backend.
+ </para>
+ </listitem>
+ </orderedlist>
+
+ <para>
+ For direct rules that <literal>DROP</literal> packets the packets are immediately dropped regardless of the value of <literal>FirewallBackend</literal>. As such, there is no special consideration needed.
+ </para>
+
+ <para>
+ Firewalld guarantees the above ACCEPT/DROP behavior by registering nftables hooks with a lower precedence than iptables hooks.
+ </para>
+ </refsect2>
+
+ <refsect2 id="Direct interface precedence">
+ <title>Direct interface precedence</title>
+ <para>
+ With <literal>FirewallBackend=iptables</literal> firewalld's top-level internal rules apply before direct rules are executed. This includes rules to accept existing connections. In the past this has surprised users. As an example, if a user adds a direct rule to drop traffic on destination port 22 existing SSH sessions would continue to function, but new connections would be denied.
+ </para>
+ <para>
+ With <literal>FirewallBackend=nftables</literal> direct rules were deliberately given a higher precedence than all other firewalld rules. This includes rules to accept existing connections.
+ </para>
+ </refsect2>
+ </refsect1>
+
<refsect1 id="example">
<title>Example</title>
--
2.23.0

119
SOURCES/RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
View File

@ -1,4 +1,4 @@
From 0f28f2b7b8072bdc2e483d035230ddcb8b00a919 Mon Sep 17 00:00:00 2001
From aaba32dd922c84662521754952e5a50198dd8625 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Mon, 9 Jul 2018 11:29:33 -0400
Subject: [PATCH] Add cockpit by default to some zones
@ -9,12 +9,13 @@ Fixes: #1581578
config/zones/internal.xml | 1 +
config/zones/public.xml | 1 +
config/zones/work.xml | 1 +
src/tests/features/helpers_custom.at | 9 +++++++++
src/tests/features/service_include.at | 2 +-
src/tests/firewall-cmd.at | 14 +++++++++++++-
src/tests/regression/gh366.at | 3 +++
src/tests/regression/gh453.at | 2 ++
src/tests/regression/rhbz1514043.at | 2 +-
9 files changed, 24 insertions(+), 3 deletions(-)
10 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/config/zones/home.xml b/config/zones/home.xml
index 42b29b2f2d50..8aa8afa0e8aa 100644
@ -56,11 +57,87 @@ index 6ea5550a40bd..9609ee6f65c2 100644
<service name="dhcpv6-client"/>
+ <service name="cockpit"/>
</zone>
diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
index c65f067a06ec..263185c88724 100644
--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
@@ -17,6 +17,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -27,6 +28,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -35,6 +37,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -51,6 +54,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
}
@@ -61,6 +65,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
@@ -69,6 +74,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
])
@@ -86,6 +92,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+ tcp dport 9090 ct state new,untracked accept
tcp dport 21 ct helper set "helper-ftp-tcp"
tcp dport 2121 ct helper set "helper-ftptest-tcp"
tcp dport 2121 ct state new,untracked accept
@@ -99,6 +106,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
@@ -109,6 +117,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
])
diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
index b3a50a84bd88..992c5ef0ba92 100644
index 219d5b42767b..0bf59f63b81b 100644
--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
@@ -90,7 +90,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl
@@ -117,7 +117,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl
])
FWD_CHECK([--zone=public --list-services], 0, [dnl
@ -70,10 +147,10 @@ index b3a50a84bd88..992c5ef0ba92 100644
FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist])
FWD_RELOAD
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index efc8f9c50757..6444b4566af5 100644
index 0e0d3938da0a..540bdb8b1065 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -1046,6 +1046,7 @@ FWD_START_TEST([rich rules priority])
@@ -1144,6 +1144,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -81,7 +158,7 @@ index efc8f9c50757..6444b4566af5 100644
tcp dport 1122 ct state new,untracked accept
tcp dport 3333 ct state new,untracked accept
tcp dport 4444 ct state new,untracked accept
@@ -1061,6 +1062,7 @@ FWD_START_TEST([rich rules priority])
@@ -1159,6 +1160,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -89,7 +166,7 @@ index efc8f9c50757..6444b4566af5 100644
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 ctstate NEW,UNTRACKED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 ctstate NEW,UNTRACKED
@@ -1075,6 +1077,7 @@ FWD_START_TEST([rich rules priority])
@@ -1173,6 +1175,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -97,7 +174,7 @@ index efc8f9c50757..6444b4566af5 100644
ACCEPT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:3333 ctstate NEW,UNTRACKED
ACCEPT tcp ::/0 ::/0 tcp dpt:4444 ctstate NEW,UNTRACKED
@@ -1156,6 +1159,7 @@ FWD_START_TEST([rich rules priority])
@@ -1254,6 +1257,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -105,7 +182,7 @@ index efc8f9c50757..6444b4566af5 100644
}
}
])
@@ -1259,6 +1263,7 @@ FWD_START_TEST([rich rules priority])
@@ -1357,6 +1361,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -113,7 +190,7 @@ index efc8f9c50757..6444b4566af5 100644
])
IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
])
@@ -1293,6 +1298,7 @@ FWD_START_TEST([rich rules priority])
@@ -1391,6 +1396,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -121,7 +198,7 @@ index efc8f9c50757..6444b4566af5 100644
])
IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
])
@@ -1340,6 +1346,7 @@ FWD_START_TEST([rich rules priority])
@@ -1438,6 +1444,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -129,7 +206,7 @@ index efc8f9c50757..6444b4566af5 100644
icmp type echo-request accept
icmpv6 type echo-request accept
}
@@ -1380,6 +1387,7 @@ FWD_START_TEST([rich rules priority])
@@ -1478,6 +1485,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -137,7 +214,7 @@ index efc8f9c50757..6444b4566af5 100644
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
])
IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
@@ -1402,6 +1410,7 @@ FWD_START_TEST([rich rules priority])
@@ -1500,6 +1508,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -145,7 +222,7 @@ index efc8f9c50757..6444b4566af5 100644
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
])
IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
@@ -1458,6 +1467,7 @@ FWD_START_TEST([rich rules priority])
@@ -1556,6 +1565,7 @@ FWD_START_TEST([rich rules priority])
chain filter_IN_public_allow {
tcp dport 22 ct state new,untracked accept
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -153,7 +230,7 @@ index efc8f9c50757..6444b4566af5 100644
}
}
])
@@ -1495,6 +1505,7 @@ FWD_START_TEST([rich rules priority])
@@ -1593,6 +1603,7 @@ FWD_START_TEST([rich rules priority])
])
IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -161,7 +238,7 @@ index efc8f9c50757..6444b4566af5 100644
])
IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
])
@@ -1515,6 +1526,7 @@ FWD_START_TEST([rich rules priority])
@@ -1613,6 +1624,7 @@ FWD_START_TEST([rich rules priority])
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -169,7 +246,7 @@ index efc8f9c50757..6444b4566af5 100644
])
IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
])
@@ -1540,7 +1552,7 @@ FWD_START_TEST([rich rules priority])
@@ -1638,7 +1650,7 @@ FWD_START_TEST([rich rules priority])
icmp-block-inversion: no
interfaces:
sources:
@ -225,7 +302,7 @@ index f57a79dcf9a2..6d820fce840a 100644
tcp dport 21 ct state new,untracked accept
tcp dport 5060 ct helper set "helper-sip-tcp"
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index deb93a5fac94..88ce4934e5ea 100644
index efc33e09478b..241cf547f7f3 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -5,7 +5,7 @@ FWD_CHECK([-q --set-log-denied=all])
@ -235,8 +312,8 @@ index deb93a5fac94..88ce4934e5ea 100644
-services: dhcpv6-client samba ssh
+services: cockpit dhcpv6-client samba ssh
])
dnl check that log denied actually took effect
m4_if(iptables, FIREWALL_BACKEND, [
--
2.20.1
2.23.0

83
SPECS/firewalld.spec
View File

@ -1,45 +1,50 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld
Version: 0.7.0
Release: 5%{?dist}.1
Version: 0.8.0
Release: 4%{?dist}
URL: http://www.firewalld.org
License: GPLv2+
Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
Patch1: RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
Patch2: 0001-fix-src-test-Makefile-use-wildcard-in-variable-expan.patch
Patch3: 0002-fix-CLI-show-service-includes-with-info-service.patch
Patch4: 0003-fix-tests-always-list-rules-using-macros.patch
Patch5: 0004-test-new-macro-PIPESTATUS0.patch
Patch6: 0005-test-use-PIPESTATUS0-in-LIST-macros.patch
Patch7: 0006-fix-test-features-rfc3964_ipv4-use-return-code-not-o.patch
Patch8: 0007-test-new-macro-CHECK_MODULE_PROTO_GRE.patch
Patch9: 0008-fix-test-regression-pr323-skip-if-GRE-module-doesn-t.patch
Patch10: 0009-test-service-coverage-for-import-from-file.patch
Patch11: 0010-fix-dbus-fix-service-API-break.patch
Patch12: 0011-fix-dbus-add-missing-APIs-for-service-includes.patch
Patch13: 0012-fix-tests-functions-use-gdbus-instead-of-dbus-send.patch
Patch14: 0013-test-functions-add-CHOMP-macro-for-shell-output.patch
Patch15: 0014-test-functions-add-macro-DBUS_INTROSPECT.patch
Patch16: 0015-test-dbus-service-API-coverage.patch
Patch17: 0016-fix-dbus-new-dict-based-APIs-for-services.patch
Patch18: 0017-test-dbus-coverage-for-new-service-APIs.patch
Patch19: 0018-fix-client-service-use-dict-based-dbus-APIs.patch
Patch20: 0019-fix-firewall-offline-cmd-service-use-dict-based-APIs.patch
Patch21: 0020-fix-direct-removeRules-was-mistakenly-removing-all-r.patch
Patch22: 0021-test-coverage-for-rhbz-1723610-and-gh-385.patch
Patch23: 0022-fix-tests-regression-rhbz1723610-make-output-reliabl.patch
Patch24: 0023-fix-tests-regression-rhbz1723610-avoid-calling-IPv6-.patch
Patch25: 0024-fix-guarantee-zone-source-dispatch-is-sorted-by-zone.patch
Patch26: 0025-test-verify-source-based-zone-dispatch-ordered-by-zo.patch
Patch27: 0026-fix-test-regression-rhbz1734765-guard-IPv6-usage.patch
Patch28: 0027-fix-nftables-fix-zone-dispatch-using-ipset-sources-i.patch
Patch29: 0028-test-regression-rhbz1734765-add-coverage-for-rhbz-17.patch
Patch2: 0002-fix-CLI-service-also-output-helpers-for-service-info.patch
Patch3: 0003-fix-reload-let-NM-interface-assignments-override-per.patch
Patch4: 0004-fix-dbus-firewall.conf-fix-check-for-AutomaticHelper.patch
Patch5: 0005-fix-test-CHECK_NAT_COEXISTENCE-only-check-for-kernel.patch
Patch6: 0006-fix-test-direct-passthrough-no-need-to-check-for-dum.patch
Patch7: 0007-fix-test-functions-FWD_END_TEST-improve-grep-for-err.patch
Patch8: 0008-test-build-add-support-for-running-in-containers.patch
Patch9: 0009-test-check-container-add-support-for-debian-sid.patch
Patch10: 0010-test-check-container-add-support-for-fedora-rawhide.patch
Patch11: 0011-fix-test-leave-cleanup-for-tests-cases.patch
Patch12: 0012-test-functions-new-macros-for-starting-stopping-Netw.patch
Patch13: 0013-test-functions-add-macro-NMCLI_CHECK.patch
Patch14: 0014-test-build-support-integration-tests.patch
Patch15: 0015-test-integration-NM-zone-overrides-interface-on-relo.patch
Patch16: 0016-test-check-container-also-run-check-integration.patch
Patch17: 0017-doc-README-add-note-about-integration-tests.patch
Patch18: 0018-chore-update-translations.patch
Patch19: 0019-doc-README-add-note-about-language-translations.patch
Patch20: 0020-fix-rich-source-dest-only-matching-with-mark-action.patch
Patch21: 0021-test-coverage-for-gh-567.patch
Patch22: 0022-improvement-test-move-regression.at-inside-directory.patch
Patch23: 0023-improvement-test-move-features.at-inside-directory.patch
Patch24: 0024-improvement-test-move-python.at-inside-directory.patch
Patch25: 0025-improvement-test-move-dbus.at-inside-directory.patch
Patch26: 0026-improvement-test-move-firewall-cmd.at-and-firewall-o.patch
Patch27: 0027-test-enhance-test-for-rhbz1729097.patch
Patch28: 0028-fix-test-functions-FWD_END_TEST-grep-for-errors-warn.patch
Patch29: 0029-improvement-tests-regression-rhbz1715977-shorten-tes.patch
Patch30: 0030-feat-AllowZoneDrifting-config-option.patch
Patch31: 0031-feat-nftables-support-AllowZoneDrifting-yes.patch
Patch32: 0032-feat-ipXtables-support-AllowZoneDrifting-yes.patch
Patch33: 0033-test-verify-AllowZoneDrifting-yes.patch
Patch34: 0034-fix-firewall-offline-cmd-Don-t-print-warning-about-A.patch
Patch35: 0035-RHEL-only-default-to-AllowZoneDrifting-yes.patch
Patch34: 0034-chore-test-retab-some-test-cases.patch
Patch35: 0035-improvement-translations-build-target-to-merge-from-.patch
Patch36: 0036-chore-translation-merge-from-master.patch
Patch37: 0037-improvement-check-container-use-docker-build.patch
Patch38: 0038-fix-firewall-offline-cmd-Don-t-print-warning-about-A.patch
Patch39: 0039-RHEL-only-default-to-AllowZoneDrifting-yes.patch
Patch40: 0040-doc-direct-add-CAVEATS-section.patch
BuildArch: noarch
BuildRequires: autoconf
@ -54,9 +59,7 @@ BuildRequires: docbook-style-xsl
BuildRequires: libxslt
BuildRequires: iptables, ebtables, ipset
BuildRequires: python3-devel
BuildRequires: nftables >= 0.9.0-13
Requires: iptables, ebtables, ipset
Requires: nftables >= 0.9.0-13
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
@ -83,6 +86,7 @@ Requires: python3-dbus
Requires: python3-slip-dbus
Requires: python3-decorator
Requires: python3-gobject-base
Requires: python3-nftables
%description -n python3-firewall
Python3 bindings for firewalld.
@ -238,9 +242,18 @@ desktop-file-install --delete-original \
%{_mandir}/man1/firewall-config*.1*
%changelog
* Wed Feb 05 2020 Eric Garver <egarver@redhat.com> - 0.7.0-5.el8_1_0.1
* Thu Feb 27 2020 Eric Garver <egarver@redhat.com> - 0.8.0-4
- doc: direct: add CAVEATS section
* Mon Feb 03 2020 Eric Garver <egarver@redhat.com> - 0.8.0-3
- restore zone drifting as a feature
* Tue Nov 12 2019 Eric Garver <egarver@redhat.com> - 0.8.0-2
- fix: CLI: service: also output helpers for service info
* Tue Nov 05 2019 Eric Garver <egarver@redhat.com> - 0.8.0-1
- rebase to v0.8.0
* Tue Aug 13 2019 Eric Garver <egarver@redhat.com> - 0.7.0-5
- bump nftables version requirements