|
 |
87a48e |
From 0e28840f5c3362d032f2f805cbbe6fbbaa217437 Mon Sep 17 00:00:00 2001
|
|
|
87a48e |
From: Eric Garver <eric@garver.life>
|
|
|
87a48e |
Date: Wed, 27 Oct 2021 13:58:27 -0400
|
|
|
87a48e |
Subject: [PATCH 44/50] fix(io/functions): check_config against on disk conf
|
|
|
87a48e |
|
|
|
87a48e |
Before this change the runtime FirewallConfig() instance was used. This
|
|
|
87a48e |
caused some permanent configuration issues to not be caught due to
|
|
|
87a48e |
comparing against the runtime instances of all objects.
|
|
|
87a48e |
|
|
|
87a48e |
For example, two zones in permanent configuration may use the same
|
|
|
87a48e |
interface (which is not valid), but if the runtime configuration does
|
|
|
87a48e |
not have have these interface assignments then check_config() won't
|
|
|
87a48e |
catch the issue since it compares against the runtime configuration.
|
|
|
87a48e |
|
|
|
87a48e |
Fix is to build a temporary FirewallConfig() instance for all the
|
|
|
87a48e |
on-disk/permanent configuration.
|
|
|
87a48e |
|
|
|
87a48e |
(cherry picked from commit 35d4facc8962cd1b66bc245fe03f658d491e1061)
|
|
|
87a48e |
(cherry picked from commit 55a799e872dc88b1341a6bc38af33e77dfedb72f)
|
|
|
87a48e |
---
|
|
|
87a48e |
src/firewall/core/io/functions.py | 47 ++++++++++++++++++++++---------
|
|
|
87a48e |
1 file changed, 34 insertions(+), 13 deletions(-)
|
|
|
87a48e |
|
|
|
87a48e |
diff --git a/src/firewall/core/io/functions.py b/src/firewall/core/io/functions.py
|
|
|
87a48e |
index 0c7b1886426c..35a7eaf8dec8 100644
|
|
|
87a48e |
--- a/src/firewall/core/io/functions.py
|
|
|
87a48e |
+++ b/src/firewall/core/io/functions.py
|
|
|
87a48e |
@@ -24,6 +24,7 @@ import os
|
|
|
87a48e |
from firewall import config
|
|
|
87a48e |
from firewall.errors import FirewallError
|
|
|
87a48e |
|
|
|
87a48e |
+from firewall.core.fw_config import FirewallConfig
|
|
|
87a48e |
from firewall.core.io.zone import zone_reader
|
|
|
87a48e |
from firewall.core.io.service import service_reader
|
|
|
87a48e |
from firewall.core.io.ipset import ipset_reader
|
|
|
87a48e |
@@ -34,26 +35,46 @@ from firewall.core.io.direct import Direct
|
|
|
87a48e |
from firewall.core.io.lockdown_whitelist import LockdownWhitelist
|
|
|
87a48e |
from firewall.core.io.firewalld_conf import firewalld_conf
|
|
|
87a48e |
|
|
|
87a48e |
-def check_config(fw=None):
|
|
|
87a48e |
+def check_config(fw):
|
|
|
87a48e |
+ fw_config = FirewallConfig(fw)
|
|
|
87a48e |
readers = {
|
|
|
87a48e |
- "ipset" : (ipset_reader, [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS]),
|
|
|
87a48e |
- "helper" : (helper_reader, [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS]),
|
|
|
87a48e |
- "icmptype" : (icmptype_reader, [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES]),
|
|
|
87a48e |
- "service" : (service_reader, [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES]),
|
|
|
87a48e |
- "zone" : (zone_reader, [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES]),
|
|
|
87a48e |
- "policy" : (policy_reader, [config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES]),
|
|
|
87a48e |
+ "ipset": {"reader": ipset_reader,
|
|
|
87a48e |
+ "add": fw_config.add_ipset,
|
|
|
87a48e |
+ "dirs": [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS],
|
|
|
87a48e |
+ },
|
|
|
87a48e |
+ "helper": {"reader": helper_reader,
|
|
|
87a48e |
+ "add": fw_config.add_helper,
|
|
|
87a48e |
+ "dirs": [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS],
|
|
|
87a48e |
+ },
|
|
|
87a48e |
+ "icmptype": {"reader": icmptype_reader,
|
|
|
87a48e |
+ "add": fw_config.add_icmptype,
|
|
|
87a48e |
+ "dirs": [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES],
|
|
|
87a48e |
+ },
|
|
|
87a48e |
+ "service": {"reader": service_reader,
|
|
|
87a48e |
+ "add": fw_config.add_service,
|
|
|
87a48e |
+ "dirs": [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES],
|
|
|
87a48e |
+ },
|
|
|
87a48e |
+ "zone": {"reader": zone_reader,
|
|
|
87a48e |
+ "add": fw_config.add_zone,
|
|
|
87a48e |
+ "dirs": [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES],
|
|
|
87a48e |
+ },
|
|
|
87a48e |
+ "policy": {"reader": policy_reader,
|
|
|
87a48e |
+ "add": fw_config.add_policy_object,
|
|
|
87a48e |
+ "dirs": [config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES],
|
|
|
87a48e |
+ },
|
|
|
87a48e |
}
|
|
|
87a48e |
for reader in readers.keys():
|
|
|
87a48e |
- for dir in readers[reader][1]:
|
|
|
87a48e |
- if not os.path.isdir(dir):
|
|
|
87a48e |
+ for _dir in readers[reader]["dirs"]:
|
|
|
87a48e |
+ if not os.path.isdir(_dir):
|
|
|
87a48e |
continue
|
|
|
87a48e |
- for file in sorted(os.listdir(dir)):
|
|
|
87a48e |
+ for file in sorted(os.listdir(_dir)):
|
|
|
87a48e |
if file.endswith(".xml"):
|
|
|
87a48e |
try:
|
|
|
87a48e |
- obj = readers[reader][0](file, dir)
|
|
|
87a48e |
- if fw and reader in ["zone", "policy"]:
|
|
|
87a48e |
- obj.fw_config = fw.config
|
|
|
87a48e |
+ obj = readers[reader]["reader"](file, _dir)
|
|
|
87a48e |
+ if reader in ["zone", "policy"]:
|
|
|
87a48e |
+ obj.fw_config = fw_config
|
|
|
87a48e |
obj.check_config(obj.export_config())
|
|
|
87a48e |
+ readers[reader]["add"](obj)
|
|
|
87a48e |
except FirewallError as error:
|
|
|
87a48e |
raise FirewallError(error.code, "'%s': %s" % (file, error.msg))
|
|
|
87a48e |
except Exception as msg:
|
|
|
87a48e |
--
|
|
|
87a48e |
2.27.0
|
|
|
87a48e |
|