From c37c84f095d820cbd137a285e263075472934502 Mon Sep 17 00:00:00 2001

From: Eric Garver <e@erig.me>

Date: Thu, 31 May 2018 14:15:57 -0400

Subject: [PATCH 4/5] firewall-cmd: add --check-config option

Fixes: rhbz 1477771

(cherry picked from commit b071536beb7ef2c91adb79c7769a265fc74ab15f)

---

 doc/xml/firewalld.dbus.xml       | 11 +++++++++++

 src/firewall-cmd                 |  6 +++++-

 src/firewall/client.py           |  5 +++++

 src/firewall/server/firewalld.py | 11 +++++++++++

 4 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml

index f02edb173f6e..acdbb5fd6e00 100644

--- a/doc/xml/firewalld.dbus.xml

+++ b/doc/xml/firewalld.dbus.xml

@@ -347,6 +347,17 @@

 	      </para>

             </listitem>

           </varlistentry>

+          <varlistentry id="FirewallD1.Methods.checkPermanentConfig">

+            <term><methodname>checkPermanentConfig</methodname>() → Nothing</term>

+            <listitem>

+              <para>

+                Run checks on the permanent configuration. This is most useful if changes were made manually to configuration files.

+              </para>

+              <para>

+                Possible errors: any

+              </para>

+            </listitem>

+          </varlistentry>

           <varlistentry id="FirewallD1.Methods.setDefaultZone">

             <term><methodname>setDefaultZone</methodname>(s: <parameter>zone</parameter>) → Nothing</term>

             <listitem>

diff --git a/src/firewall-cmd b/src/firewall-cmd

index 1a864b32e819..b80115564e1b 100755

--- a/src/firewall-cmd

+++ b/src/firewall-cmd

@@ -59,6 +59,7 @@ Status Options

   --complete-reload    Reload firewall and lose state information

   --runtime-to-permanent

                        Create permanent from runtime configuration

+  --check-config       Check permanent configuration for errors

 Log Denied Options

   --get-log-denied     Print the log denied value

@@ -484,6 +485,7 @@ parser_group_standalone.add_argument("--reload", action="store_true")

 parser_group_standalone.add_argument("--complete-reload", action="store_true")

 parser_group_standalone.add_argument("--runtime-to-permanent",

                                      action="store_true")

+parser_group_standalone.add_argument("--check-config", action="store_true")

 parser_group_standalone.add_argument("--get-ipset-types", action="store_true")

 parser_group_standalone.add_argument("--get-log-denied", action="store_true")

 parser_group_standalone.add_argument("--set-log-denied", metavar="<value>")

@@ -750,7 +752,7 @@ options_standalone = a.help or a.version or \

     a.get_default_zone or a.set_default_zone or \

     a.get_active_zones or a.get_ipset_types or \

     a.get_log_denied or a.set_log_denied or \

-    a.get_automatic_helpers or a.set_automatic_helpers

+    a.get_automatic_helpers or a.set_automatic_helpers or a.check_config

 options_desc_xml_file = a.set_description or a.get_description or \

                         a.set_short or a.get_short

@@ -2039,6 +2041,8 @@ elif a.complete_reload:

     fw.complete_reload()

 elif a.runtime_to_permanent:

     fw.runtimeToPermanent()

+elif a.check_config:

+    fw.checkPermanentConfig()

 elif a.direct:

     if a.passthrough:

         if len(a.passthrough) < 2:

diff --git a/src/firewall/client.py b/src/firewall/client.py

index f90bbd78eb73..da45ceb5b964 100644

--- a/src/firewall/client.py

+++ b/src/firewall/client.py

@@ -2760,6 +2760,11 @@ class FirewallClient(object):

     def runtimeToPermanent(self):

         self.fw.runtimeToPermanent()

+    @slip.dbus.polkit.enable_proxy

+    @handle_exceptions

+    def checkPermanentConfig(self):

+        self.fw.checkPermanentConfig()

+

     @slip.dbus.polkit.enable_proxy

     @handle_exceptions

     def get_property(self, prop):

diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py

index fc7422f12261..2cecc4771cb0 100644

--- a/src/firewall/server/firewalld.py

+++ b/src/firewall/server/firewalld.py

@@ -42,6 +42,7 @@ from firewall.dbus_utils import dbus_to_python, \

     command_of_sender, context_of_sender, uid_of_sender, user_of_uid, \

     dbus_introspection_prepare_properties, \

     dbus_introspection_add_properties

+from firewall.core.io.functions import check_config

 from firewall.core.io.zone import Zone

 from firewall.core.io.ipset import IPSet

 from firewall.core.io.service import Service

@@ -336,6 +337,16 @@ class FirewallD(slip.dbus.service.Object):

     def Reloaded(self):

         log.debug1("Reloaded()")

+    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)

+    @dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',

+                         out_signature='')

+    @dbus_handle_exceptions

+    def checkPermanentConfig(self, sender=None): # pylint: disable=W0613

+        """Check permanent configuration

+        """

+        log.debug1("checkPermanentConfig()")

+        check_config(self.fw)

+

     # runtime to permanent

     @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)

-- 

2.16.3