From 582db194cc697f79a17ac543076dd4bbe1216db6 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 11 Apr 2019 11:14:40 -0400
Subject: [PATCH 24/73] fix: rich rule forward-port deletion after reload
Simplify mark allocation for rich rules and make sure we use the mark in
apply_zone_settings().
Fixes: #482
Fixes: rhbz 1637675
(cherry picked from commit 362ebff8016116f831b83d3c9ee65858055b2c91)
(cherry picked from commit ab365b6a49a6f78b1c8394fca20b69623f9b9061)
---
src/firewall/core/fw_zone.py | 40 +++++++++++++++++++-----------------
1 file changed, 21 insertions(+), 19 deletions(-)
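diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index d5eafb863439..d98ff2259087 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -323,8 +323,12 @@ class FirewallZone(object):
 elif key == "masquerade":
 self._masquerade(enable, _zone, zone_transaction)
 elif key == "rules":
+ if "mark" in obj.settings["rules"][args]:
+ mark = obj.settings["rules"][args]["mark"]
+ else:
+ mark = None
 self.__rule(enable, _zone,
- Rich_Rule(rule_str=args), None,
+ Rich_Rule(rule_str=args), mark,
 zone_transaction)
 elif key == "interfaces":
 self._interface(enable, _zone, args, zone_transaction)
@@ -672,8 +676,7 @@ class FirewallZone(object):
 return None
 
 def __rule(self, enable, zone, rule, mark_id, zone_transaction):
- return self._rule_prepare(enable, zone, rule, mark_id,
- zone_transaction)
+ self._rule_prepare(enable, zone, rule, mark_id, zone_transaction)
 
 def add_rule(self, zone, rule, timeout=0, sender=None,
 use_zone_transaction=None):
@@ -692,13 +695,16 @@ class FirewallZone(object):
 else:
 zone_transaction = use_zone_transaction
 
- if _obj.applied:
- mark = self.__rule(True, _zone, rule, None, zone_transaction)
+ if type(rule.element) == Rich_ForwardPort:
+ mark = self._fw.new_mark()
 else:
 mark = None
 
+ if _obj.applied:
+ self.__rule(True, _zone, rule, mark, zone_transaction)
+
 self.__register_rule(_obj, rule_id, mark, timeout, sender)
- zone_transaction.add_fail(self.__unregister_rule, _obj, rule_id)
+ zone_transaction.add_fail(self.__unregister_rule, _obj, rule_id, mark)
 
 if use_zone_transaction is None:
 zone_transaction.execute(True)
@@ -720,28 +726,31 @@ class FirewallZone(object):
 raise FirewallError(errors.NOT_ENABLED,
 "'%s' not in '%s'" % (rule, _zone))
 
+ if "mark" in _obj.settings["rules"][rule_id]:
+ mark = _obj.settings["rules"][rule_id]["mark"]
+ else:
+ mark = None
+
 if use_zone_transaction is None:
 zone_transaction = self.new_zone_transaction(_zone)
 else:
 zone_transaction = use_zone_transaction
 
- if "mark" in _obj.settings["rules"][rule_id]:
- mark = _obj.settings["rules"][rule_id]["mark"]
- else:
- mark = None
 if _obj.applied:
 self.__rule(False, _zone, rule, mark, zone_transaction)
 
- zone_transaction.add_post(self.__unregister_rule, _obj, rule_id)
+ zone_transaction.add_post(self.__unregister_rule, _obj, rule_id, mark)
 
 if use_zone_transaction is None:
 zone_transaction.execute(True)
 
 return _zone
 
- def __unregister_rule(self, _obj, rule_id):
+ def __unregister_rule(self, _obj, rule_id, mark=None):
 if rule_id in _obj.settings["rules"]:
 del _obj.settings["rules"][rule_id]
+ if mark:
+ self._fw.del_mark(mark)
 
 def query_rule(self, zone, rule):
 return self.__rule_id(rule) in self.get_settings(zone)["rules"]
@@ -1705,9 +1714,6 @@ class FirewallZone(object):
 if toaddr and enable:
 zone_transaction.add_post(enable_ip_forwarding, ipv)
 
- if enable:
- mark_id = self._fw.new_mark()
-
 filter_chain = "INPUT" if not toaddr else "FORWARD_IN"
 
 if enable:
@@ -1720,10 +1726,6 @@ class FirewallZone(object):
 toaddr, mark_id, rule)
 zone_transaction.add_rules(backend, rules)
 
- if not enable:
- zone_transaction.add_post(self._fw.del_mark, mark_id)
- mark_id = None
-
 # SOURCE PORT
 elif type(rule.element) == Rich_SourcePort:
 port = rule.element.port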
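Review bot: In add_rule (hunk @@ -692,13 +695,16), the mark obtained from `self._fw.new_mark()` is only ever released through the `add_fail` hook, which is registered after `self.__rule(...)` and fires only if the transaction itself fails; if `__rule`/`_rule_prepare` raises before `__register_rule` runs, the mark is neither stored in settings nor freed, so each such failed add retains one mark id for the daemon's lifetime. Previously the allocation sat later inside `_rule_prepare` (the lines removed at @@ -1705), so this exposure is new to the hunk; releasing the mark on any exception raised between allocation and hook registration closes it. Separately, `__unregister_rule` tests `if mark:` — if `new_mark()` can ever hand out 0 that mark would be silently kept; `if mark is not None:` does not depend on that. add_rule's signature is in the preceding hunk and `_rule_prepare` is only partially visible here.
```python
if type(rule.element) == Rich_ForwardPort:
    mark = self._fw.new_mark()
else:
    mark = None

try:
    if _obj.applied:
        self.__rule(True, _zone, rule, mark, zone_transaction)
    self.__register_rule(_obj, rule_id, mark, timeout, sender)
except Exception:
    # add_fail is not registered yet, so free the mark ourselves
    if mark is not None:
        self._fw.del_mark(mark)
    raise
zone_transaction.add_fail(self.__unregister_rule, _obj, rule_id, mark)
# … unchanged: transaction execute …
```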
--
2.20.1