From 5910f49d563c7d18354c83f6b6b76e4dca5ad931 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Mon, 13 May 2019 09:40:31 -0400
Subject: [PATCH 44/73] fix: avoid calling backends that aren't available
We should operate just fine if some backends aren't available, e.g.
ip6tables. This fixes some areas that broke that.
Fixes: #491
(cherry picked from commit 3fdffa76be42ce88bff35ce2b84c2beda3c016a1)
(cherry picked from commit 86d003dcdbd2eb20ac32858f7cfa3074169d5b5e)
---
 src/firewall/core/fw.py      | 54 ++++++++++++++++++------------------
 src/firewall/core/fw_zone.py |  4 ++-
 2 files changed, 30 insertions(+), 28 deletions(-)
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
c8bceb
index 114d41090042..3e639f83d1f4 100644
c8bceb
--- a/src/firewall/core/fw.py
c8bceb
+++ b/src/firewall/core/fw.py
c8bceb
@@ -703,24 +703,24 @@ class Firewall(object):
c8bceb
     def get_backend_by_ipv(self, ipv):
c8bceb
         if self.nftables_enabled:
c8bceb
             return self.nftables_backend
c8bceb
-        if ipv == "ipv4":
c8bceb
+        if ipv == "ipv4" and self.ip4tables_enabled:
c8bceb
             return self.ip4tables_backend
c8bceb
-        elif ipv == "ipv6":
c8bceb
+        elif ipv == "ipv6" and self.ip6tables_enabled:
c8bceb
             return self.ip6tables_backend
c8bceb
-        elif ipv == "eb":
c8bceb
+        elif ipv == "eb" and self.ebtables_enabled:
c8bceb
             return self.ebtables_backend
c8bceb
         raise FirewallError(errors.INVALID_IPV,
c8bceb
-                            "'%s' is not a valid backend" % ipv)
c8bceb
+                            "'%s' is not a valid backend or is unavailable" % ipv)
c8bceb
 
c8bceb
     def get_direct_backend_by_ipv(self, ipv):
c8bceb
-        if ipv == "ipv4":
c8bceb
+        if ipv == "ipv4" and self.ip4tables_enabled:
c8bceb
             return self.ip4tables_backend
c8bceb
-        elif ipv == "ipv6":
c8bceb
+        elif ipv == "ipv6" and self.ip6tables_enabled:
c8bceb
             return self.ip6tables_backend
c8bceb
-        elif ipv == "eb":
c8bceb
+        elif ipv == "eb" and self.ebtables_enabled:
c8bceb
             return self.ebtables_backend
c8bceb
         raise FirewallError(errors.INVALID_IPV,
c8bceb
-                            "'%s' is not a valid backend" % ipv)
c8bceb
+                            "'%s' is not a valid backend or is unavailable" % ipv)
c8bceb
 
c8bceb
     def is_backend_enabled(self, name):
c8bceb
         if name == "ip4tables":
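Review bot: get_direct_backend_by_ipv now repeats the three enabled-guarded branches of get_backend_by_ipv line for line, so the two will drift the next time a backend flag is added or renamed; after the nftables short-circuit, `return self.get_direct_backend_by_ipv(ipv)` would replace the duplicated chain in get_backend_by_ipv. A second point is that a well-formed family whose backend is merely unavailable now raises the same errors.INVALID_IPV as a malformed string, so a caller that catches INVALID_IPV as input validation will also absorb a missing-ip6tables condition at apply time; if the errors module has a distinct code for a missing backend it should be raised in that case, otherwise a comment stating that the conflation is deliberate would help the next reader. The nftables branch still returns nftables_backend for any ipv value, including "eb", before any of the new checks run, which this commit leaves as it was.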
c8bceb
@@ -791,29 +791,29 @@ class Firewall(object):
c8bceb
             rules = backend.build_default_rules(self._log_denied)
c8bceb
             transaction.add_rules(backend, rules)
c8bceb
 
c8bceb
-        ipv6_backend = self.get_backend_by_ipv("ipv6")
c8bceb
-        if self.ipv6_rpfilter_enabled and \
c8bceb
-           "raw" in ipv6_backend.get_available_tables():
c8bceb
+        if self.is_ipv_enabled("ipv6"):
c8bceb
+            ipv6_backend = self.get_backend_by_ipv("ipv6")
c8bceb
+            if self.ipv6_rpfilter_enabled and \
c8bceb
+               "raw" in ipv6_backend.get_available_tables():
c8bceb
 
c8bceb
-            # Execute existing transaction
c8bceb
-            transaction.execute(True)
c8bceb
-            # Start new transaction
c8bceb
-            transaction.clear()
c8bceb
+                # Execute existing transaction
c8bceb
+                transaction.execute(True)
c8bceb
+                # Start new transaction
c8bceb
+                transaction.clear()
c8bceb
 
c8bceb
-            rules = ipv6_backend.build_rpfilter_rules(self._log_denied)
c8bceb
-            transaction.add_rules(ipv6_backend, rules)
c8bceb
+                rules = ipv6_backend.build_rpfilter_rules(self._log_denied)
c8bceb
+                transaction.add_rules(ipv6_backend, rules)
c8bceb
 
c8bceb
-            # Execute ipv6_rpfilter transaction, it might fail
c8bceb
-            try:
c8bceb
-                transaction.execute(True)
c8bceb
-            except FirewallError as msg:
c8bceb
-                log.warning("Applying rules for ipv6_rpfilter failed: %s", msg)
c8bceb
-            # Start new transaction
c8bceb
-            transaction.clear()
c8bceb
+                # Execute ipv6_rpfilter transaction, it might fail
c8bceb
+                try:
c8bceb
+                    transaction.execute(True)
c8bceb
+                except FirewallError as msg:
c8bceb
+                    log.warning("Applying rules for ipv6_rpfilter failed: %s", msg)
c8bceb
+                # Start new transaction
c8bceb
+                transaction.clear()
c8bceb
 
c8bceb
-        else:
c8bceb
-            if use_transaction is None:
c8bceb
-                transaction.execute(True)
c8bceb
+        if use_transaction is None:
c8bceb
+            transaction.execute(True)
c8bceb
 
c8bceb
     # flush and policy
c8bceb
 
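Review bot: The trailing `if use_transaction is None: transaction.execute(True)` now also runs after the ipv6_rpfilter path, where the transaction has just been executed and cleared; before this change that execute sat in an else branch and only ran when the rpfilter block was skipped, so the new shape relies on execute() of an emptied transaction being harmless, which is not visible here and deserves a comment such as `# after the rpfilter path the transaction is already empty; this execute is expected to be a no-op`. Separately, when ipv6_rpfilter_enabled is set but is_ipv_enabled("ipv6") is false the anti-spoofing rules are now silently dropped; an else branch with `log.warning("ipv6_rpfilter is enabled but the ipv6 backend is unavailable, skipping")` would make the degraded state as visible as the failure path a few lines below already is. As a minor ordering point, testing self.ipv6_rpfilter_enabled before calling get_backend_by_ipv and get_available_tables avoids the backend lookup when it is not needed. The enclosing method begins before this hunk.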
c8bceb
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
c8bceb
index d98ff2259087..ee02a161bcfb 100644
c8bceb
--- a/src/firewall/core/fw_zone.py
c8bceb
+++ b/src/firewall/core/fw_zone.py
c8bceb
@@ -1563,7 +1563,7 @@ class FirewallZone(object):
c8bceb
         if rule.family is not None:
c8bceb
             ipvs = [ rule.family ]
c8bceb
         else:
c8bceb
-            ipvs = [ "ipv4", "ipv6" ]
c8bceb
+            ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
c8bceb
 
c8bceb
         source_ipv = self._rule_source_ipv(rule.source)
c8bceb
         if source_ipv is not None and source_ipv != "":
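Review bot: The is_ipv_enabled filter is applied only to the implicit family list; a rule with rule.family set explicitly, on the branch two lines above, still reaches the backend lookup for that family and will raise when its backend is unavailable, so the two paths behave differently for the same missing ip6tables. If that asymmetry is intended — an explicit family fails loudly, an implicit one degrades to the available families — a comment on the else branch would record it: `# only families with an available backend; an explicit rule.family is still validated by the backend lookup`. If ipvs can come out empty here the rule becomes a silent no-op, which is worth a check or at least a log line. The enclosing method begins before and continues past this hunk.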
c8bceb
@@ -1806,6 +1806,8 @@ class FirewallZone(object):
c8bceb
         #
c8bceb
         backends_ipv = []
c8bceb
         for ipv in ["ipv4", "ipv6"]:
c8bceb
+            if not self._fw.is_ipv_enabled(ipv):
c8bceb
+                continue
c8bceb
             backend = self._fw.get_backend_by_ipv(ipv)
c8bceb
             if len(svc.destination) > 0:
c8bceb
                 if ipv in svc.destination:
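Review bot: The new `continue` skips a family before the svc.destination test, so a service whose destination entries name only the disabled family contributes nothing to backends_ipv and produces no rule, without any diagnostic. A one-line comment above the check, `# skip families whose backend is unavailable; such a service may yield no rules at all`, would make that outcome explicit, and a debug-level log would help if the module has a logger in scope. The enclosing method begins before and continues past this hunk.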
-- 
2.20.1