|
 |
21c891 |
From c96c468ace1d37a80bcd546a70bd6a7769ae00df Mon Sep 17 00:00:00 2001
|
|
|
21c891 |
From: Eric Garver <e@erig.me>
|
|
|
21c891 |
Date: Tue, 11 Dec 2018 11:32:54 -0500
|
|
|
21c891 |
Subject: [PATCH 13/34] ipset: fix set apply if IndividualCalls=yes
|
|
|
21c891 |
|
|
|
21c891 |
Fixes: rhbz 1644834
|
|
|
21c891 |
Fixes: e6188ec98ff4 ("FirewallIPSet: Support restore in apply_ipsets, use it in Firewall")
|
|
|
21c891 |
(cherry picked from commit 4157393136bbaff53e812029376b2a0a5113cedb)
|
|
|
21c891 |
(cherry picked from commit a0e749f90a7cfddb7a4f0ce65f34053bebd1c762)
|
|
|
21c891 |
---
|
|
|
21c891 |
src/firewall/core/fw_ipset.py | 2 +-
|
|
|
21c891 |
src/tests/regression/rhbz1601610.at | 43 +++++++++++++++++++++++++++++
|
|
|
21c891 |
2 files changed, 44 insertions(+), 1 deletion(-)
|
|
|
21c891 |
|
|
|
21c891 |
diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
|
|
|
21c891 |
index b06a60d027a6..54ace39ea6e1 100644
|
|
|
21c891 |
--- a/src/firewall/core/fw_ipset.py
|
|
|
21c891 |
+++ b/src/firewall/core/fw_ipset.py
|
|
|
21c891 |
@@ -125,7 +125,7 @@ class FirewallIPSet(object):
|
|
|
21c891 |
raise FirewallError(errors.COMMAND_FAILED, msg)
|
|
|
21c891 |
else:
|
|
|
21c891 |
obj.applied = True
|
|
|
21c891 |
- if "timeout" not in obj.options or \
|
|
|
21c891 |
+ if "timeout" in obj.options and \
|
|
|
21c891 |
obj.options["timeout"] != "0":
|
|
|
21c891 |
# no entries visible for ipsets with timeout
|
|
|
21c891 |
continue
|
|
|
21c891 |
diff --git a/src/tests/regression/rhbz1601610.at b/src/tests/regression/rhbz1601610.at
|
|
|
21c891 |
index 0676bb82e31c..5ba0cee44be0 100644
|
|
|
21c891 |
--- a/src/tests/regression/rhbz1601610.at
|
|
|
21c891 |
+++ b/src/tests/regression/rhbz1601610.at
|
|
|
21c891 |
@@ -57,5 +57,48 @@ FWD_CHECK([-q --permanent --ipset=foobar --remove-entry=10.1.1.0/22])
|
|
|
21c891 |
FWD_CHECK([--permanent --ipset=foobar --get-entries], 0, [
|
|
|
21c891 |
])
|
|
|
21c891 |
|
|
|
21c891 |
+dnl rhbz 1644834
|
|
|
21c891 |
+FWD_CHECK([-q --ipset=foobar --add-entry=10.1.0.0/16])
|
|
|
21c891 |
+FWD_CHECK([-q --runtime-to-permanent])
|
|
|
21c891 |
+FWD_RELOAD
|
|
|
21c891 |
+m4_if(nftables, FIREWALL_BACKEND, [
|
|
|
21c891 |
+NFT_LIST_SET([foobar], 0, [dnl
|
|
|
21c891 |
+table inet firewalld {
|
|
|
21c891 |
+set foobar {
|
|
|
21c891 |
+type ipv4_addr
|
|
|
21c891 |
+flags interval
|
|
|
21c891 |
+elements = { 10.1.0.0/16, 10.2.0.0/22 }
|
|
|
21c891 |
+}
|
|
|
21c891 |
+}
|
|
|
21c891 |
+])], [
|
|
|
21c891 |
+IPSET_LIST_SET([foobar], 0, [dnl
|
|
|
21c891 |
+Name: foobar
|
|
|
21c891 |
+Type: hash:net
|
|
|
21c891 |
+Members:
|
|
|
21c891 |
+10.1.0.0/16
|
|
|
21c891 |
+10.2.0.0/22
|
|
|
21c891 |
+])])
|
|
|
21c891 |
+
|
|
|
21c891 |
+dnl rhbz 1644834, again with IndividualCalls=yes
|
|
|
21c891 |
+AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf])
|
|
|
21c891 |
+FWD_RELOAD
|
|
|
21c891 |
+m4_if(nftables, FIREWALL_BACKEND, [
|
|
|
21c891 |
+NFT_LIST_SET([foobar], 0, [dnl
|
|
|
21c891 |
+table inet firewalld {
|
|
|
21c891 |
+set foobar {
|
|
|
21c891 |
+type ipv4_addr
|
|
|
21c891 |
+flags interval
|
|
|
21c891 |
+elements = { 10.1.0.0/16, 10.2.0.0/22 }
|
|
|
21c891 |
+}
|
|
|
21c891 |
+}
|
|
|
21c891 |
+])], [
|
|
|
21c891 |
+IPSET_LIST_SET([foobar], 0, [dnl
|
|
|
21c891 |
+Name: foobar
|
|
|
21c891 |
+Type: hash:net
|
|
|
21c891 |
+Members:
|
|
|
21c891 |
+10.1.0.0/16
|
|
|
21c891 |
+10.2.0.0/22
|
|
|
21c891 |
+])])
|
|
|
21c891 |
+
|
|
|
21c891 |
FWD_END_TEST([-e '/ERROR: COMMAND_FAILED:.*already added.*/d'dnl
|
|
|
21c891 |
-e '/ERROR: COMMAND_FAILED:.*element.*exists/d'])
|
|
|
21c891 |
--
|
|
|
21c891 |
2.18.0
|
|
|
21c891 |
|