From 5acbdc31a56f4b680323ba7aa92383da9e9f25fa Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 22 Jul 2020 09:18:42 -0400
Subject: [PATCH 41/45] fix(rich): icmptypes with one family
They were mistakenly being added to both families which fails.
Fixes: rhbz 1855140
(cherry picked from commit 0112e36c4e225504b15a1feef3d453a757a00b21)
(cherry picked from commit bd61af7db6f92d48a79fb1e84405aef4f522ffbf)
---
src/firewall/core/fw_zone.py | 26 +++++++++++---------------
src/firewall/core/nftables.py | 2 +-
2 files changed, 12 insertions(+), 16 deletions(-)
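--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1522,14 +1522,17 @@ class FirewallZone(object):
 transaction.add_rules(backend, rules)
 
 def _rule_prepare(self, enable, zone, rule, transaction):
-if rule.family is not None:
+ipvs = []
+if rule.family:
 ipvs = [ rule.family ]
-else:
-ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
+elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)):
+ict = self._fw.icmptype.get_icmptype(rule.element.name)
+if ict.destination:
+ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination]
 
 source_ipv = self._rule_source_ipv(rule.source)
-if source_ipv is not None and source_ipv != "":
-if rule.family is not None:
+if source_ipv:
+if rule.family:
 # rule family is defined by user, no way to change it
 if rule.family != source_ipv:
 raise FirewallError(errors.INVALID_RULE,
@@ -1538,6 +1541,9 @@ class FirewallZone(object):
 # use the source family as rule family
 ipvs = [ source_ipv ]
 
+if not ipvs:
+ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
+
 # add an element to object to allow backends to know what ipvs this applies to
 rule.ipvs = ipvs
 
@@ -1699,16 +1705,6 @@ class FirewallZone(object):
 # icmp block might have reject or drop action, but not accept
 raise FirewallError(errors.INVALID_RULE,
 "IcmpBlock not usable with accept action")
-if ict.destination:
-for ipv in ipvs:
-if ipv in ict.destination \
-and not backend.is_ipv_supported(ipv):
-raise FirewallError(
-errors.INVALID_RULE,
-"Icmp%s %s not usable with %s" % \
-("Block" if type(rule.element) == \
-Rich_IcmpBlock else "Type",
-rule.element.name, backend.name))
 
 table = "filter"
 if enable: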
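Review bot: The family list built from `ict.destination` in the new `elif` branch of `_rule_prepare` is no longer filtered by `self._fw.is_ipv_enabled(ipv)`, which the removed `else` branch always applied, so if an icmptype lists a family the firewall has disabled the rule now targets that family anyway. Filtering it, `ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination and self._fw.is_ipv_enabled(ipv)]`, would restore that, but an empty result must then raise `FirewallError(errors.INVALID_RULE, ...)` instead of falling through to the `if not ipvs:` default in the second hunk, or the icmptype would again be added to a family it does not support. Relatedly, the `ipvs = [ source_ipv ]` branch overwrites the destination-derived list without checking `source_ipv in ict.destination`, so a rule that combines a source address with a single-family icmptype is presumably only rejected later by the backend (the nftables message change in this patch suggests that is the intended path), whereas the block removed in the third hunk used to report it as INVALID_RULE here. `_rule_prepare` continues outside the hunks shown.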
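--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1383,7 +1383,7 @@ class nftables(object):
 return ICMP_TYPES_FRAGMENTS[ipv][icmp_type]
 else:
 raise FirewallError(INVALID_ICMPTYPE,
-"ICMP type '%s' not supported by %s" % (icmp_type, self.name))
+"ICMP type '%s' not supported by %s for %s" % (icmp_type, self.name, ipv))
 
 def build_zone_icmp_block_rules(self, enable, zone, ict, rich_rule=None):
 table = "filter"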
--
2.27.0