!5 update firewalld to 0.6.6
Merge pull request !5 from eaglegai/openEuler-20.03-LTS
commit
802c6c898d
@ -1,35 +0,0 @@
|
||||
From 5494006021e83f27195dc902c3c9fd024e71dc3b Mon Sep 17 00:00:00 2001
|
||||
From: MeggyCal <MeggyCal@users.noreply.github.com>
|
||||
Date: Thu, 20 Sep 2018 15:37:17 +0200
|
||||
Subject: [PATCH] Fix translating labels (#392)
|
||||
|
||||
Fix for #344 was incomplete, the "flags" were not translating and the reported bug was still active.
|
||||
|
||||
Fixes: #344
|
||||
(cherry picked from commit e657200927a9f0f41fbed95640cd47e2a5836c6f)
|
||||
---
|
||||
src/firewall-config.glade | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/firewall-config.glade b/src/firewall-config.glade
|
||||
index 22bed58aafaf..75c229b408fd 100644
|
||||
--- a/src/firewall-config.glade
|
||||
+++ b/src/firewall-config.glade
|
||||
@@ -10135,10 +10135,10 @@
|
||||
<property name="halign">start</property>
|
||||
<property name="valign">start</property>
|
||||
<items>
|
||||
- <item>accept</item>
|
||||
- <item>reject</item>
|
||||
- <item>drop</item>
|
||||
- <item>mark</item>
|
||||
+ <item translatable="yes">accept</item>
|
||||
+ <item translatable="yes">reject</item>
|
||||
+ <item translatable="yes">drop</item>
|
||||
+ <item translatable="yes">mark</item>
|
||||
</items>
|
||||
<signal name="changed" handler="on_richRuleDialog_changed" swapped="no"/>
|
||||
</object>
|
||||
--
|
||||
2.18.0
|
||||
|
||||
@ -88,20 +88,22 @@ index 473210de10af..44e649111ffb 100644
|
||||
string "DefaultZone" : variant string "public"
|
||||
-string "FirewallBackend" : variant string "nftables"
|
||||
+string "FirewallBackend" : variant string "iptables"
|
||||
m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
|
||||
string "IPv6_rpfilter" : variant string "no"],[dnl
|
||||
string "IPv6_rpfilter" : variant string "yes"])
|
||||
string "IPv6_rpfilter" : variant string "yes"
|
||||
string "IndividualCalls" : variant string "no"
|
||||
string "Lockdown" : variant string "no"
|
||||
diff --git a/src/tests/functions.at b/src/tests/functions.at
|
||||
index 3b79a9f31305..dd7b43d9dac6 100644
|
||||
--- a/src/tests/functions.at
|
||||
+++ b/src/tests/functions.at
|
||||
@@ -65,13 +65,13 @@ m4_define([FWD_START_TEST], [
|
||||
fi
|
||||
|
||||
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
|
||||
@@ -65,15 +65,15 @@ m4_define([FWD_START_TEST], [
|
||||
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
|
||||
AT_KEYWORDS(offline)
|
||||
], [
|
||||
- m4_define_default([FIREWALL_BACKEND], [nftables])
|
||||
+ m4_define_default([FIREWALL_BACKEND], [iptables])
|
||||
|
||||
AT_KEYWORDS(FIREWALL_BACKEND)
|
||||
|
||||
dnl don't unload modules or bother cleaning up, the namespace will be deleted
|
||||
AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
|
||||
|
||||
|
||||
@ -1,48 +0,0 @@
|
||||
From 2e53fab83ac844c1d2fb2781116ad47b8900ab85 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Garver <e@erig.me>
|
||||
Date: Fri, 21 Sep 2018 11:02:18 -0400
|
||||
Subject: [PATCH 1/2] fw_transaction: On clear zone transaction, must clear fw
|
||||
and other zones
|
||||
|
||||
Just like FirewallZoneTransaction.execute() that was spawned from a
|
||||
FirewallTransaction must call FirewallTransaction.exectue() we should
|
||||
also make sure the same is done for clear(). Otherwise we can end up
|
||||
with a partially cleared transaction. This gets really hairy if the
|
||||
FirewallTransaction contains many instances of FirewallZoneTransaction
|
||||
which is common during startup with non-default configuration.
|
||||
|
||||
Fixes: #374
|
||||
---
|
||||
src/firewall/core/fw_transaction.py | 16 +++++++++++++---
|
||||
1 file changed, 13 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/firewall/core/fw_transaction.py b/src/firewall/core/fw_transaction.py
|
||||
index f169e4a923dd..ad204c1991cf 100644
|
||||
--- a/src/firewall/core/fw_transaction.py
|
||||
+++ b/src/firewall/core/fw_transaction.py
|
||||
@@ -231,9 +231,19 @@ class FirewallZoneTransaction(SimpleFirewallTransaction):
|
||||
self.modules = [ ] # [ module,.. ]
|
||||
|
||||
def clear(self):
|
||||
- super(FirewallZoneTransaction, self).clear()
|
||||
- del self.chains[:]
|
||||
- del self.modules[:]
|
||||
+ # calling clear on a zone_transaction that was spawned from a
|
||||
+ # FirewallTransaction needs to clear the fw_transaction and all the
|
||||
+ # other zones otherwise we end up with a partially cleared transaction.
|
||||
+ if self.fw_transaction:
|
||||
+ super(FirewallTransaction, self.fw_transaction).clear()
|
||||
+ for zone in self.fw_transaction.zone_transactions.keys():
|
||||
+ super(FirewallZoneTransaction, self.fw_transaction.zone_transactions[zone]).clear()
|
||||
+ del self.fw_transaction.zone_transactions[zone].chains[:]
|
||||
+ del self.fw_transaction.zone_transactions[zone].modules[:]
|
||||
+ else:
|
||||
+ super(FirewallZoneTransaction, self).clear()
|
||||
+ del self.chains[:]
|
||||
+ del self.modules[:]
|
||||
|
||||
def prepare(self, enable, rules=None, modules=None):
|
||||
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
|
||||
--
|
||||
2.18.0
|
||||
|
||||
@ -1,135 +0,0 @@
|
||||
From 7cdd8027d13677185b301f849d42957e635ffa67 Mon Sep 17 00:00:00 2001
|
||||
From: StefanBruens <stefan.bruens@rwth-aachen.de>
|
||||
Date: Tue, 25 Sep 2018 21:56:36 +0200
|
||||
Subject: [PATCH 006/127] firewall/core/io/*.py: Let SAX handle the encoding of
|
||||
XML files (#395)
|
||||
|
||||
SAX is able to determine the encoding of XML files itself if the file
|
||||
contains a correct "encoding" pseudo attribute, e.g.:
|
||||
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
|
||||
|
||||
For this to work, the file stream has to be opened in binary mode, and
|
||||
the parser has to read the stream using a SAX InputStream, which
|
||||
autodetects the encoding.
|
||||
|
||||
Fixes: #303
|
||||
---
|
||||
src/firewall/core/io/direct.py | 6 ++++--
|
||||
src/firewall/core/io/helper.py | 6 ++++--
|
||||
src/firewall/core/io/icmptype.py | 6 ++++--
|
||||
src/firewall/core/io/ipset.py | 6 ++++--
|
||||
src/firewall/core/io/service.py | 6 ++++--
|
||||
src/firewall/core/io/zone.py | 6 ++++--
|
||||
6 files changed, 24 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/src/firewall/core/io/direct.py b/src/firewall/core/io/direct.py
|
||||
index 07e159da..b0c2cb52 100644
|
||||
--- a/src/firewall/core/io/direct.py
|
||||
+++ b/src/firewall/core/io/direct.py
|
||||
@@ -360,9 +360,11 @@ class Direct(IO_Object):
|
||||
handler = direct_ContentHandler(self)
|
||||
parser = sax.make_parser()
|
||||
parser.setContentHandler(handler)
|
||||
- with open(self.filename, "r") as f:
|
||||
+ with open(self.filename, "rb") as f:
|
||||
+ source = sax.InputSource(None)
|
||||
+ source.setByteStream(f)
|
||||
try:
|
||||
- parser.parse(f)
|
||||
+ parser.parse(source)
|
||||
except sax.SAXParseException as msg:
|
||||
raise FirewallError(errors.INVALID_TYPE,
|
||||
"Not a valid file: %s" % \
|
||||
diff --git a/src/firewall/core/io/helper.py b/src/firewall/core/io/helper.py
|
||||
index 4a2420dd..a5c81b9f 100644
|
||||
--- a/src/firewall/core/io/helper.py
|
||||
+++ b/src/firewall/core/io/helper.py
|
||||
@@ -156,9 +156,11 @@ def helper_reader(filename, path):
|
||||
parser = sax.make_parser()
|
||||
parser.setContentHandler(handler)
|
||||
name = "%s/%s" % (path, filename)
|
||||
- with open(name, "r") as f:
|
||||
+ with open(name, "rb") as f:
|
||||
+ source = sax.InputSource(None)
|
||||
+ source.setByteStream(f)
|
||||
try:
|
||||
- parser.parse(f)
|
||||
+ parser.parse(source)
|
||||
except sax.SAXParseException as msg:
|
||||
raise FirewallError(errors.INVALID_HELPER,
|
||||
"not a valid helper file: %s" % \
|
||||
diff --git a/src/firewall/core/io/icmptype.py b/src/firewall/core/io/icmptype.py
|
||||
index 91b48867..32103c59 100644
|
||||
--- a/src/firewall/core/io/icmptype.py
|
||||
+++ b/src/firewall/core/io/icmptype.py
|
||||
@@ -121,9 +121,11 @@ def icmptype_reader(filename, path):
|
||||
parser = sax.make_parser()
|
||||
parser.setContentHandler(handler)
|
||||
name = "%s/%s" % (path, filename)
|
||||
- with open(name, "r") as f:
|
||||
+ with open(name, "rb") as f:
|
||||
+ source = sax.InputSource(None)
|
||||
+ source.setByteStream(f)
|
||||
try:
|
||||
- parser.parse(f)
|
||||
+ parser.parse(source)
|
||||
except sax.SAXParseException as msg:
|
||||
raise FirewallError(errors.INVALID_ICMPTYPE,
|
||||
"not a valid icmptype file: %s" % \
|
||||
diff --git a/src/firewall/core/io/ipset.py b/src/firewall/core/io/ipset.py
|
||||
index 0670677b..8cc6a1f9 100644
|
||||
--- a/src/firewall/core/io/ipset.py
|
||||
+++ b/src/firewall/core/io/ipset.py
|
||||
@@ -390,9 +390,11 @@ def ipset_reader(filename, path):
|
||||
parser = sax.make_parser()
|
||||
parser.setContentHandler(handler)
|
||||
name = "%s/%s" % (path, filename)
|
||||
- with open(name, "r") as f:
|
||||
+ with open(name, "rb") as f:
|
||||
+ source = sax.InputSource(None)
|
||||
+ source.setByteStream(f)
|
||||
try:
|
||||
- parser.parse(f)
|
||||
+ parser.parse(source)
|
||||
except sax.SAXParseException as msg:
|
||||
raise FirewallError(errors.INVALID_IPSET,
|
||||
"not a valid ipset file: %s" % \
|
||||
diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py
|
||||
index c04d612e..487d5ba3 100644
|
||||
--- a/src/firewall/core/io/service.py
|
||||
+++ b/src/firewall/core/io/service.py
|
||||
@@ -219,9 +219,11 @@ def service_reader(filename, path):
|
||||
parser = sax.make_parser()
|
||||
parser.setContentHandler(handler)
|
||||
name = "%s/%s" % (path, filename)
|
||||
- with open(name, "r") as f:
|
||||
+ with open(name, "rb") as f:
|
||||
+ source = sax.InputSource(None)
|
||||
+ source.setByteStream(f)
|
||||
try:
|
||||
- parser.parse(f)
|
||||
+ parser.parse(source)
|
||||
except sax.SAXParseException as msg:
|
||||
raise FirewallError(errors.INVALID_SERVICE,
|
||||
"not a valid service file: %s" % \
|
||||
diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
|
||||
index c048c867..05368e9c 100644
|
||||
--- a/src/firewall/core/io/zone.py
|
||||
+++ b/src/firewall/core/io/zone.py
|
||||
@@ -696,9 +696,11 @@ def zone_reader(filename, path, no_check_name=False):
|
||||
parser = sax.make_parser()
|
||||
parser.setContentHandler(handler)
|
||||
name = "%s/%s" % (path, filename)
|
||||
- with open(name, "r") as f:
|
||||
+ with open(name, "rb") as f:
|
||||
+ source = sax.InputSource(None)
|
||||
+ source.setByteStream(f)
|
||||
try:
|
||||
- parser.parse(f)
|
||||
+ parser.parse(source)
|
||||
except sax.SAXParseException as msg:
|
||||
raise FirewallError(errors.INVALID_ZONE,
|
||||
"not a valid zone file: %s" % \
|
||||
--
|
||||
2.19.1
|
||||
|
||||
firewalld-0.6.6.tar.gz
@ -1,31 +0,0 @@
|
||||
From 17adfe4137cfd1c1734ff1b77304f70e163313fa Mon Sep 17 00:00:00 2001
|
||||
From: Eric Garver <e@erig.me>
|
||||
Date: Tue, 9 Oct 2018 14:55:21 -0400
|
||||
Subject: [PATCH 018/127] firewalld: fix --runtime-to-permanent if NM not in
|
||||
use.
|
||||
|
||||
Due to scope "settings" was not defined.
|
||||
|
||||
Fixes: #404
|
||||
Fixes: e7c00a4063ff ("ifcfg: Modify ZONE= on permanent config changes")
|
||||
---
|
||||
src/firewall/server/firewalld.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
|
||||
index 6810b68c..bc04f2d0 100644
|
||||
--- a/src/firewall/server/firewalld.py
|
||||
+++ b/src/firewall/server/firewalld.py
|
||||
@@ -441,8 +441,8 @@ class FirewallD(slip.dbus.service.Object):
|
||||
nm_bus_name = nm_get_bus_name()
|
||||
for name in self.fw.zone.get_zones():
|
||||
conf = self.getZoneSettings(name)
|
||||
+ settings = FirewallClientZoneSettings(conf)
|
||||
if nm_bus_name is not None:
|
||||
- settings = FirewallClientZoneSettings(conf)
|
||||
changed = False
|
||||
for interface in settings.getInterfaces():
|
||||
if self.fw.zone.interface_get_sender(name, interface) == nm_bus_name:
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: firewalld
|
||||
Version: 0.6.2
|
||||
Release: 4
|
||||
Version: 0.6.6
|
||||
Release: 1
|
||||
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
|
||||
License: GPLv2+
|
||||
URL: http://www.firewalld.org
|
||||
@ -9,26 +9,6 @@ Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{
|
||||
Patch0: firewalld-0.2.6-MDNS-default.patch
|
||||
#backport from Eric Garver <e@erig.me>
|
||||
Patch1: 0001-fedora-patch-to-default-to-iptables-backend.patch
|
||||
#Patch2,3 backport from upstream
|
||||
Patch2: 0001-fw_transaction-On-clear-zone-transaction-must-clear-.patch
|
||||
Patch3: 0001-Fix-translating-labels-392.patch
|
||||
|
||||
Patch6000: firewall-core-io-.py-Let-SAX-handle-the-encoding-of-.patch
|
||||
Patch6001: nftables-fix-destination-checks-not-allowing-masks.patch
|
||||
Patch6002: firewalld-fix-runtime-to-permanent-if-NM-not-in-use.patch
|
||||
Patch6003: nftables-fix-reject-statement-in-block-zone.patch
|
||||
Patch6004: ipXtables-nftables-Fix-object-has-no-attribute-_log_.patch
|
||||
Patch6005: rich-rules-fix-mark-action.patch
|
||||
Patch6006: nftables-fix-panic-mode-not-filtering-output-packets.patch
|
||||
Patch6007: fw_zone-fix-rich-rule-masquerading.patch
|
||||
Patch6008: fw_zone-fix-IPv6-rich-rule-forward-port-without-toad.patch
|
||||
Patch6009: nftables-fix-rich-rule-masquerade.patch
|
||||
Patch6010: nftables-fix-ipv6-rich-rule-forward-ports.patch
|
||||
Patch6011: ipset-fix-set-apply-if-IndividualCalls-yes.patch
|
||||
Patch6012: fix-issue-457.patch
|
||||
|
||||
Patch9000: repair-test-cases.patch
|
||||
|
||||
|
||||
BuildArch: noarch
|
||||
BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl
|
||||
@ -211,6 +191,12 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Aug 28 2020 gaihuiying <gaihuiying1@huawei.com> - 0.9.6-1
|
||||
- Type:requirement
|
||||
- ID:NA
|
||||
- SUG:NA
|
||||
- DESC:update firewalld version to 0.9.6
|
||||
|
||||
* Wed Jan 15 2020 zhangrui <zhangrui182@huawei.com> - 0.6.2-4
|
||||
- create firewalld.conf file
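Review bot: The new %changelog entry in the last hunk records `0.9.6-1` and `DESC:update firewalld version to 0.9.6`, while the first hunk of the same spec sets `Version: 0.6.6` / `Release: 1` and the commit title says 0.6.6; the entry should read `* Fri Aug 28 2020 gaihuiying <gaihuiying1@huawei.com> - 0.6.6-1` and `- DESC:update firewalld version to 0.6.6`. rpmbuild does not cross-check %changelog against Version/Release, so the mismatch will ship silently and misreport the package history to anyone auditing what was built. The second hunk drops Patch2, Patch3, Patch6000–Patch6012 and Patch9000, presumably because 0.6.6 already contains those upstream fixes; the changelog entry says nothing about the dropped backports, and a short line such as `- drop backported patches merged upstream in 0.6.6` would make that traceable. The spec's file path is not shown on the page.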
|
||||
|
||||
|
||||
@ -1,26 +0,0 @@
|
||||
From 7da05eff467244f0da6a4e7c1370dd6c7605e9f4 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Nicolai <dalanicolai@gmail.com>
|
||||
Date: Mon, 11 Feb 2019 12:16:31 +0100
|
||||
Subject: [PATCH 102/127] fix issue #457
|
||||
|
||||
I found out I did not set a value for invert when adding the rich rule via firewall-cmd. Then I got the error as mentioned in issue #457 because the invert attribute was given a default value None. I corrected it here so that it gets the default value False. This fixed the issue for me.
|
||||
---
|
||||
src/firewall/core/rich.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
|
||||
index 91f53fd9..dacaeb9c 100644
|
||||
--- a/src/firewall/core/rich.py
|
||||
+++ b/src/firewall/core/rich.py
|
||||
@@ -394,7 +394,7 @@ class Rich_Rule(object):
|
||||
elif element in ['not', 'NOT']:
|
||||
attrs['invert'] = True
|
||||
else:
|
||||
- self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert'))
|
||||
+ self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert', False))
|
||||
in_elements.pop() # source
|
||||
attrs.clear()
|
||||
index = index -1 # return token to input
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -1,39 +0,0 @@
|
||||
From 2210822a2450a7b9ed853593c3d88aca1c43c2fc Mon Sep 17 00:00:00 2001
|
||||
From: Eric Garver <e@erig.me>
|
||||
Date: Wed, 5 Dec 2018 16:29:49 -0500
|
||||
Subject: [PATCH 048/127] fw_zone: fix IPv6 rich rule forward-port without
|
||||
toaddr
|
||||
|
||||
Using a rich rule with family=ipv6 and no toaddr specified was silently
|
||||
not applying any rules.
|
||||
---
|
||||
src/firewall/core/fw_zone.py | 11 ++---------
|
||||
1 file changed, 2 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
|
||||
index 816fa503..db90c32b 100644
|
||||
--- a/src/firewall/core/fw_zone.py
|
||||
+++ b/src/firewall/core/fw_zone.py
|
||||
@@ -1702,17 +1702,10 @@ class FirewallZone(object):
|
||||
for ipv in ipvs:
|
||||
if backend.is_ipv_supported(ipv):
|
||||
self.check_forward_port(ipv, port, protocol, toport, toaddr)
|
||||
-
|
||||
- if check_single_address("ipv6", toaddr):
|
||||
- ipv = "ipv6"
|
||||
- else:
|
||||
- ipv = "ipv4"
|
||||
-
|
||||
- if not backend.is_ipv_supported(ipv):
|
||||
- continue
|
||||
+ if enable:
|
||||
+ zone_transaction.add_post(enable_ip_forwarding, ipv)
|
||||
|
||||
if enable:
|
||||
- zone_transaction.add_post(enable_ip_forwarding, ipv)
|
||||
mark_id = self._fw.new_mark()
|
||||
|
||||
filter_chain = "INPUT" if not toaddr else "FORWARD_IN"
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -1,27 +0,0 @@
|
||||
From 14acf26afe09ff9092bebbfc7ffe718b1758c573 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Garver <e@erig.me>
|
||||
Date: Wed, 5 Dec 2018 13:09:28 -0500
|
||||
Subject: [PATCH 047/127] fw_zone: fix rich rule masquerading
|
||||
|
||||
We weren't passing the rich rule to the backend so filtering on
|
||||
source/destination would not work.
|
||||
---
|
||||
src/firewall/core/fw_zone.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
|
||||
index ca90f7fb..816fa503 100644
|
||||
--- a/src/firewall/core/fw_zone.py
|
||||
+++ b/src/firewall/core/fw_zone.py
|
||||
@@ -1690,7 +1690,7 @@ class FirewallZone(object):
|
||||
if backend.is_ipv_supported(ipv):
|
||||
zone_transaction.add_post(enable_ip_forwarding, ipv)
|
||||
|
||||
- rules = backend.build_zone_masquerade_rules(enable, zone)
|
||||
+ rules = backend.build_zone_masquerade_rules(enable, zone, rule)
|
||||
zone_transaction.add_rules(backend, rules)
|
||||
|
||||
# FORWARD PORT
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -1,43 +0,0 @@
|
||||
From 93824072768f989991a11069ac75f1cd3d56ae34 Mon Sep 17 00:00:00 2001
|
||||
From: Federico Cuello <fedux@fedux.com.ar>
|
||||
Date: Sat, 20 Oct 2018 15:47:28 +0200
|
||||
Subject: [PATCH 023/127] ipXtables/nftables: Fix "object has no attribute
|
||||
'_log_denied'"
|
||||
|
||||
This fixes nftables and ipXtables (when IndividualCalls=yes),
|
||||
as _log_denied is not an attribute of the class but a param.
|
||||
---
|
||||
src/firewall/core/ipXtables.py | 3 +--
|
||||
src/firewall/core/nftables.py | 2 +-
|
||||
2 files changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
|
||||
index 02a518d2..11aebec6 100644
|
||||
--- a/src/firewall/core/ipXtables.py
|
||||
+++ b/src/firewall/core/ipXtables.py
|
||||
@@ -492,8 +492,7 @@ class ip4tables(object):
|
||||
if log_denied == "off":
|
||||
return ""
|
||||
if log_denied in [ "unicast", "broadcast", "multicast" ]:
|
||||
- rule[i:i+1] = [ "-m", "pkttype", "--pkt-type",
|
||||
- self._log_denied ]
|
||||
+ rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", log_denied ]
|
||||
else:
|
||||
rule.pop(i)
|
||||
|
||||
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
||||
index 3c871069..cd05b2c3 100644
|
||||
--- a/src/firewall/core/nftables.py
|
||||
+++ b/src/firewall/core/nftables.py
|
||||
@@ -290,7 +290,7 @@ class nftables(object):
|
||||
if log_denied == "off":
|
||||
return ""
|
||||
if log_denied in ["unicast", "broadcast", "multicast"]:
|
||||
- rule[i:i+1] = ["pkttype", self._log_denied]
|
||||
+ rule[i:i+1] = ["pkttype", log_denied]
|
||||
else:
|
||||
rule.pop(i)
|
||||
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -1,81 +0,0 @@
|
||||
From 4157393136bbaff53e812029376b2a0a5113cedb Mon Sep 17 00:00:00 2001
|
||||
From: Eric Garver <e@erig.me>
|
||||
Date: Tue, 11 Dec 2018 11:32:54 -0500
|
||||
Subject: [PATCH 070/127] ipset: fix set apply if IndividualCalls=yes
|
||||
|
||||
Fixes: rhbz 1644834
|
||||
Fixes: e6188ec98ff4 ("FirewallIPSet: Support restore in apply_ipsets, use it in Firewall")
|
||||
---
|
||||
src/firewall/core/fw_ipset.py | 2 +-
|
||||
src/tests/regression/rhbz1601610.at | 43 +++++++++++++++++++++++++++++
|
||||
2 files changed, 44 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
|
||||
index b06a60d0..54ace39e 100644
|
||||
--- a/src/firewall/core/fw_ipset.py
|
||||
+++ b/src/firewall/core/fw_ipset.py
|
||||
@@ -125,7 +125,7 @@ class FirewallIPSet(object):
|
||||
raise FirewallError(errors.COMMAND_FAILED, msg)
|
||||
else:
|
||||
obj.applied = True
|
||||
- if "timeout" not in obj.options or \
|
||||
+ if "timeout" in obj.options and \
|
||||
obj.options["timeout"] != "0":
|
||||
# no entries visible for ipsets with timeout
|
||||
continue
|
||||
diff --git a/src/tests/regression/rhbz1601610.at b/src/tests/regression/rhbz1601610.at
|
||||
index 0676bb82..5ba0cee4 100644
|
||||
--- a/src/tests/regression/rhbz1601610.at
|
||||
+++ b/src/tests/regression/rhbz1601610.at
|
||||
@@ -57,5 +57,48 @@ FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22])
|
||||
FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [
|
||||
])
|
||||
|
||||
+dnl rhbz 1644834
|
||||
+FWD_CHECK([-q --ipset=foobar --add-entry=10.1.0.0/16])
|
||||
+FWD_CHECK([-q --runtime-to-permanent])
|
||||
+FWD_RELOAD
|
||||
+m4_if(nftables, FIREWALL_BACKEND, [
|
||||
+NFT_LIST_SET([foobar], 0, [dnl
|
||||
+table inet firewalld {
|
||||
+set foobar {
|
||||
+type ipv4_addr
|
||||
+flags interval
|
||||
+elements = { 10.1.0.0/16, 10.2.0.0/22 }
|
||||
+}
|
||||
+}
|
||||
+])], [
|
||||
+IPSET_LIST_SET([foobar], 0, [dnl
|
||||
+Name: foobar
|
||||
+Type: hash:net
|
||||
+Members:
|
||||
+10.1.0.0/16
|
||||
+10.2.0.0/22
|
||||
+])])
|
||||
+
|
||||
+dnl rhbz 1644834, again with IndividualCalls=yes
|
||||
+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf])
|
||||
+FWD_RELOAD
|
||||
+m4_if(nftables, FIREWALL_BACKEND, [
|
||||
+NFT_LIST_SET([foobar], 0, [dnl
|
||||
+table inet firewalld {
|
||||
+set foobar {
|
||||
+type ipv4_addr
|
||||
+flags interval
|
||||
+elements = { 10.1.0.0/16, 10.2.0.0/22 }
|
||||
+}
|
||||
+}
|
||||
+])], [
|
||||
+IPSET_LIST_SET([foobar], 0, [dnl
|
||||
+Name: foobar
|
||||
+Type: hash:net
|
||||
+Members:
|
||||
+10.1.0.0/16
|
||||
+10.2.0.0/22
|
||||
+])])
|
||||
+
|
||||
FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl
|
||||
-e '/ERROR: COMMAND_FAILED:.*element.*exists/d'])
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -1,63 +0,0 @@
|
||||
From b3c43ee7be2411a8d17416b98616378078f21eef Mon Sep 17 00:00:00 2001
|
||||
From: Eric Garver <e@erig.me>
|
||||
Date: Thu, 27 Sep 2018 08:52:22 -0400
|
||||
Subject: [PATCH 009/127] nftables: fix destination checks not allowing masks
|
||||
|
||||
Some destination checks were using check_single_address() which make it
|
||||
impossible to use a mask. This was discovered in issue #399.
|
||||
---
|
||||
src/firewall/core/nftables.py | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
||||
index 811f4e71..64191d1f 100644
|
||||
--- a/src/firewall/core/nftables.py
|
||||
+++ b/src/firewall/core/nftables.py
|
||||
@@ -753,7 +753,7 @@ class nftables(object):
|
||||
return []
|
||||
|
||||
rule_fragment = []
|
||||
- if check_single_address("ipv4", rich_dest.addr):
|
||||
+ if check_address("ipv4", rich_dest.addr):
|
||||
rule_fragment += ["ip"]
|
||||
else:
|
||||
rule_fragment += ["ip6"]
|
||||
@@ -803,7 +803,7 @@ class nftables(object):
|
||||
if rich_rule:
|
||||
rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
|
||||
if destination:
|
||||
- if check_single_address("ipv4", destination):
|
||||
+ if check_address("ipv4", destination):
|
||||
rule_fragment += ["ip"]
|
||||
else:
|
||||
rule_fragment += ["ip6"]
|
||||
@@ -835,7 +835,7 @@ class nftables(object):
|
||||
if rich_rule:
|
||||
rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
|
||||
if destination:
|
||||
- if check_single_address("ipv4", destination):
|
||||
+ if check_address("ipv4", destination):
|
||||
rule_fragment += ["ip"]
|
||||
else:
|
||||
rule_fragment += ["ip6"]
|
||||
@@ -869,7 +869,7 @@ class nftables(object):
|
||||
if rich_rule:
|
||||
rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
|
||||
if destination:
|
||||
- if check_single_address("ipv4", destination):
|
||||
+ if check_address("ipv4", destination):
|
||||
rule_fragment += ["ip"]
|
||||
else:
|
||||
rule_fragment += ["ip6"]
|
||||
@@ -900,7 +900,7 @@ class nftables(object):
|
||||
rule = [add_del, "rule", "inet", "%s" % TABLE_NAME,
|
||||
"raw_%s_allow" % (target), proto]
|
||||
if destination:
|
||||
- if check_single_address("ipv4", destination):
|
||||
+ if check_address("ipv4", destination):
|
||||
rule += ["ip"]
|
||||
else:
|
||||
rule += ["ip6"]
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -1,29 +0,0 @@
|
||||
From 628657cdafa7ba3217fb031c748f5a7d32924c90 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Garver <e@erig.me>
|
||||
Date: Wed, 5 Dec 2018 19:11:06 -0500
|
||||
Subject: [PATCH 050/127] nftables: fix ipv6 rich rule forward-ports
|
||||
|
||||
The were mistakenly being added to the ipv4 nat tables as well.
|
||||
|
||||
Fixes: #422
|
||||
Fixes: b630abd8e901 ("backend: introduce nftables support")
|
||||
---
|
||||
src/firewall/core/nftables.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
||||
index 00a02ad1..a1cb2c47 100644
|
||||
--- a/src/firewall/core/nftables.py
|
||||
+++ b/src/firewall/core/nftables.py
|
||||
@@ -980,7 +980,7 @@ class nftables(object):
|
||||
or toaddr and check_single_address("ipv6", toaddr)):
|
||||
rules.extend(self._build_zone_forward_port_nat_rules(enable, zone,
|
||||
protocol, mark_fragment, toaddr, toport, "ip6"))
|
||||
- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
|
||||
+ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
|
||||
or toaddr and check_single_address("ipv4", toaddr)):
|
||||
rules.extend(self._build_zone_forward_port_nat_rules(enable, zone,
|
||||
protocol, mark_fragment, toaddr, toport, "ip"))
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -1,73 +0,0 @@
|
||||
From 2f5608b4897ff99afbb1c2425a94df035031c1a2 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Garver <e@erig.me>
|
||||
Date: Mon, 3 Dec 2018 12:40:41 -0500
|
||||
Subject: [PATCH 043/127] nftables: fix panic mode not filtering output packets
|
||||
|
||||
This simplifies policy in the nftables backend by filtering only on the
|
||||
prerouting and output hooks. The others hooks are unnecessary since
|
||||
we're using a higher precedence.
|
||||
|
||||
Also fixes an issue when re-enabling panic mode multiple times. Due to
|
||||
rule de-duplication the policy drop rule was not being re-added.
|
||||
|
||||
Fixes: rhbz 1579740
|
||||
Fixes: a0f683dfef2c ("nftables: fix policy")
|
||||
---
|
||||
src/firewall/core/nftables.py | 36 +++++++++--------------------------
|
||||
1 file changed, 9 insertions(+), 27 deletions(-)
|
||||
|
||||
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
||||
index 69236a96..44cd4f9e 100644
|
||||
--- a/src/firewall/core/nftables.py
|
||||
+++ b/src/firewall/core/nftables.py
|
||||
@@ -314,38 +314,20 @@ class nftables(object):
|
||||
# packets while initially starting and for panic mode. As such, using
|
||||
# hooks with a higher priority than our base chains is sufficient.
|
||||
#
|
||||
- table_chains = []
|
||||
- for table in list(IPTABLES_TO_NFT_HOOK.keys()):
|
||||
- for chain in IPTABLES_TO_NFT_HOOK[table]:
|
||||
- table_chains.append((table, chain))
|
||||
-
|
||||
table_name = TABLE_NAME + "_" + "policy_drop"
|
||||
|
||||
- def _policy_drop_helper(table, chain, family, rules):
|
||||
- _chain = "%s_%s" % (table, chain)
|
||||
- _hook = IPTABLES_TO_NFT_HOOK[table][chain][0]
|
||||
- # add hooks with priority -1, only contain drop rule
|
||||
- _priority = IPTABLES_TO_NFT_HOOK[table][chain][1] - 1
|
||||
- _add_chain = "add chain %s %s %s '{ type filter hook %s priority %d ; }'" % \
|
||||
- (family, table_name, _chain, _hook, _priority)
|
||||
- rules.append(splitArgs(_add_chain))
|
||||
- rules.append(["add", "rule", family, table_name, _chain, "drop"])
|
||||
-
|
||||
rules = []
|
||||
if policy == "DROP":
|
||||
- for family in ["inet", "ip", "ip6"]:
|
||||
- rules.append(["add", "table", family, table_name])
|
||||
-
|
||||
- for table,chain in table_chains:
|
||||
- if table == "nat":
|
||||
- # nat requires two families
|
||||
- for family in ["ip", "ip6"]:
|
||||
- _policy_drop_helper(table, chain, family, rules)
|
||||
- else:
|
||||
- _policy_drop_helper(table, chain, "inet", rules)
|
||||
+ rules.append(["add", "table", "inet", table_name])
|
||||
+
|
||||
+ # To drop everything we need to use the "raw" priority. These occur
|
||||
+ # before conntrack, mangle, nat, etc
|
||||
+ for hook in ["prerouting", "output"]:
|
||||
+ _add_chain = "add chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'" % \
|
||||
+ (table_name, "raw", hook, hook, -300 + NFT_HOOK_OFFSET - 1)
|
||||
+ rules.append(splitArgs(_add_chain))
|
||||
elif policy == "ACCEPT":
|
||||
- for family in ["inet", "ip", "ip6"]:
|
||||
- rules.append(["delete", "table", family, table_name])
|
||||
+ rules.append(["delete", "table", "inet", table_name])
|
||||
else:
|
||||
FirewallError(UNKNOWN_ERROR, "not implemented")
|
||||
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -1,43 +0,0 @@
|
||||
From a9abba630333970cc59d5fdcb1e92968b38f5eaa Mon Sep 17 00:00:00 2001
|
||||
From: Eric Garver <e@erig.me>
|
||||
Date: Thu, 11 Oct 2018 11:58:22 -0400
|
||||
Subject: [PATCH 020/127] nftables: fix reject statement in "block" zone
|
||||
|
||||
Also add test coverage.
|
||||
|
||||
Fixes: #406
|
||||
---
|
||||
src/firewall/core/nftables.py | 3 ++-
|
||||
src/tests/firewall-cmd.at | 2 ++
|
||||
2 files changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
||||
index 8a305539..3c871069 100644
|
||||
--- a/src/firewall/core/nftables.py
|
||||
+++ b/src/firewall/core/nftables.py
|
||||
@@ -619,7 +619,8 @@ class nftables(object):
|
||||
target in ["ACCEPT", "REJECT", "%%REJECT%%", "DROP"] and \
|
||||
chain in ["INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"]:
|
||||
rules.append(["add", "rule", family, "%s" % TABLE_NAME,
|
||||
- "%s_%s" % (table, _zone), target.lower()])
|
||||
+ "%s_%s" % (table, _zone),
|
||||
+ target.lower() if target != "%%REJECT%%" else "%%REJECT%%"])
|
||||
|
||||
return rules
|
||||
|
||||
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
|
||||
index ef45110c..b7ec3816 100644
|
||||
--- a/src/tests/firewall-cmd.at
|
||||
+++ b/src/tests/firewall-cmd.at
|
||||
@@ -69,6 +69,8 @@ FWD_START_TEST([zone interfaces])
|
||||
FWD_CHECK([--zone=public --change-interface=dummy], 0, ignore)
|
||||
FWD_CHECK([--get-zone-of-interface=dummy], 0, [public
|
||||
])
|
||||
+ FWD_CHECK([--zone=block --add-interface=dummy1], 0, ignore)
|
||||
+ FWD_CHECK([--zone=block --remove-interface=dummy1], 0, ignore)
|
||||
|
||||
FWD_CHECK([--zone=dmz --change-zone=dummy], 0, ignore)
|
||||
FWD_CHECK([--get-zone-of-interface=dummy], 0, [dmz
|
||||
--
|
||||
2.19.1
|
||||
|
||||
@ -1,38 +0,0 @@
From aee4948e86fde6df8205b07f4da58e2a8c07377c Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 5 Dec 2018 17:16:30 -0500
Subject: [PATCH 049/127] nftables: fix rich rule masquerade
---
src/firewall/core/nftables.py | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 44cd4f9e..00a02ad1 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -900,7 +900,6 @@ class nftables(object):
rule_fragment = []
if rich_rule:
- rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
@@ -912,10 +911,10 @@ class nftables(object):
# nat tables needs to use ip/ip6 family
rules = []
if rich_rule and (rich_rule.family and rich_rule.family == "ipv6"
- or rich_rule.source and check_address("ipv6", rich_rule.source)):
+ or rich_rule.source and check_address("ipv6", rich_rule.source.addr)):
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
- if rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
- or rich_rule.source and check_address("ipv4", rich_rule.source)):
+ elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4"
+ or rich_rule.source and check_address("ipv4", rich_rule.source.addr)):
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule))
else:
rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule))
--
2.19.1
@ -1,52 +0,0 @@
From a43ae627eeb4f99bb15ed737fd58f0ec15d55dea Mon Sep 17 00:00:00 2001
From: yanghua <yanghua21@huawei.com>
Date: Mon, 6 May 2019 16:28:01 +0800
Subject: [PATCH] Repair test cases gh366 rhbz1514043 rhbz1601610
---
src/tests/functions.at | 2 +-
src/tests/regression/gh366.at | 1 +
src/tests/regression/rhbz1514043.at | 2 +-
3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/tests/functions.at b/src/tests/functions.at
index d1f3429..243724f 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -244,7 +244,7 @@ m4_define([NFT_LIST_RULES], [
m4_define([IPSET_LIST_SET], [
NS_CHECK([ipset list $1 | TRIM_WHITESPACE |dnl
grep -v "^\(Revision\|Header\|Size\|References\|Number\)" |dnl
- awk 'NR <= 4; NR > 4 {print | "sort"}'],
+ awk 'NR <= 3; NR > 3 {print | "sort"}'],
[$2], [$3], [$4], [$5], [$6])
])
diff --git a/src/tests/regression/gh366.at b/src/tests/regression/gh366.at
index dd6963f..46307cf 100644
--- a/src/tests/regression/gh366.at
+++ b/src/tests/regression/gh366.at
@@ -22,6 +22,7 @@ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
ACCEPT udp ::/0 ff02::fb udp dpt:5353 ctstate NEW,UNTRACKED
])])])
+FWD_CHECK([-q --zone=public --remove-service=mdns])
FWD_CHECK([-q --zone=public --add-service=mdns])
check_firewall_backend_output
FWD_CHECK([-q --zone=public --remove-service=mdns])
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index 4831460..077c007 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -3,7 +3,7 @@ FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
FWD_CHECK([--zone=public --list-all | TRIM | grep ^services], 0, [dnl
-services: ssh dhcpv6-client samba
+services: ssh mdns dhcpv6-client samba
])
dnl check that log denied actually took effect
m4_if(iptables, FIREWALL_BACKEND, [
--
2.19.1
@ -1,65 +0,0 @@
From 5d36e0f55887c6204e07bd8095ead1ce2d535ddb Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 2 Nov 2018 14:10:38 -0400
Subject: [PATCH 025/127] rich rules: fix mark action
They were being placed in the wrong (and nonexistent) chain. Also add
test coverage for the "mark" action.
Fixes: 7c5f5f4d12ee ("fw_zone: push rich rule generation to backend")
Tested-by: Felix Kaechele <heffer@fedoraproject.org>
---
src/firewall/core/ipXtables.py | 4 ++--
src/firewall/core/nftables.py | 4 ++--
src/tests/firewall-cmd.at | 1 +
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 11aebec6..b98ba522 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -807,10 +807,10 @@ class ip4tables(object):
chain = "%s_deny" % target
rule_action = [ "-j", "DROP" ]
elif type(rich_rule.action) == Rich_Mark:
- chain = "%s_allow" % target
- table = "mangle"
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
+ table = "mangle"
+ chain = "%s_allow" % target
rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
else:
raise FirewallError(INVALID_RULE,
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index cd05b2c3..69236a96 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -723,10 +723,10 @@ class nftables(object):
chain = "%s_%s_deny" % (table, target)
rule_action = ["drop"]
elif type(rich_rule.action) == Rich_Mark:
- table = "mangle"
- chain = "%s_%s_allow" % (table, target)
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
+ table = "mangle"
+ chain = "%s_%s_allow" % (table, target)
rule_action = ["meta", "mark", "set", rich_rule.action.set]
else:
raise FirewallError(INVALID_RULE,
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index b7ec3816..f31c8955 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -863,6 +863,7 @@ FWD_START_TEST([rich rules good])
rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])
rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
+ rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])
FWD_END_TEST
FWD_START_TEST([rich rules audit])
CHECK_LOG_AUDIT
--
2.19.1