From fb11903b8efd287f72e634fb8a4b4ff2034151fe Mon Sep 17 00:00:00 2001
From: Paul Laufer <50234787+refual@users.noreply.github.com>
Date: Fri, 27 Nov 2020 12:23:11 +0100
Subject: [PATCH 47/48] feat(config): add CleanupModulesOnExit configuration
option
Fixes: rhbz 1520532
Fixes: #533
Closes: #721
(cherry picked from commit 152a51537a7840afd0879ab4b60178bef4ec16a2)
---
config/firewalld.conf | 9 +++++++-
doc/xml/firewalld.conf.xml | 11 ++++++++++
doc/xml/firewalld.dbus.xml | 9 ++++++++
src/firewall/config/__init__.py.in | 1 +
src/firewall/core/fw.py | 29 +++++++++++++++++++-------
src/firewall/core/io/firewalld_conf.py | 19 +++++++++++++----
src/firewall/server/config.py | 23 +++++++++++++-------
src/tests/dbus/firewalld.conf.at | 2 ++
8 files changed, 82 insertions(+), 21 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index a0556c0bbf5b..3abbc9c998c1 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -7,10 +7,17 @@ DefaultZone=public
# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
-# on exit or stop of firewalld
+# on exit or stop of firewalld.
# Default: yes
CleanupOnExit=yes
+# Clean up kernel modules on exit
+# If set to yes or true the firewall related kernel modules will be
+# unloaded on exit or stop of firewalld. This might attempt to unload
+# modules not originally loaded by firewalld.
+# Default: no
+CleanupModulesOnExit=no
+
# Lockdown
# If set to enabled, firewall changes with the D-Bus interface will be limited
# to applications that are listed in the lockdown whitelist.
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 0bf4c2d4d011..dd6ffb214eb3 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -88,6 +88,17 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>CleanupModulesOnExit</option></term>
+ <listitem>
+ <para>
+ Setting this option to yes or true unloads all firewall-related
+ kernel modules when firewalld is stopped. The default value is no
+ or false.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>CleanupOnExit</option></term>
<listitem>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index d17cb8b6c1ec..466220b40b21 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2798,6 +2798,15 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry id="FirewallD1.config.Properties.CleanupModulesOnExit">
+ <term>CleanupModulesOnExit - s - (rw)</term>
+ <listitem>
+ <para>
+ Setting this option to yes or true unloads all firewall-related
+ kernel modules when firewalld is stopped.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry id="FirewallD1.config.Properties.CleanupOnExit">
<term>CleanupOnExit - s - (rw)</term>
<listitem>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 0dec7913f694..5d6d769fbf15 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -125,6 +125,7 @@ FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
FALLBACK_ZONE = "public"
FALLBACK_MINIMAL_MARK = 100
FALLBACK_CLEANUP_ON_EXIT = True
+FALLBACK_CLEANUP_MODULES_ON_EXIT = False
FALLBACK_LOCKDOWN = False
FALLBACK_IPV6_RPFILTER = True
FALLBACK_INDIVIDUAL_CALLS = False
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 3eb54e37ab5c..4171697bdb94 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -105,12 +105,13 @@ class Firewall(object):
self.__init_vars()
def __repr__(self):
- return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \
+ return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \
(self.__class__, self.ip4tables_enabled, self.ip6tables_enabled,
self.ebtables_enabled, self._state, self._panic,
self._default_zone, self._module_refcount, self._marks,
- self.cleanup_on_exit, self.ipv6_rpfilter_enabled,
- self.ipset_enabled, self._individual_calls, self._log_denied)
+ self.cleanup_on_exit, self.cleanup_modules_on_exit,
+ self.ipv6_rpfilter_enabled, self.ipset_enabled,
+ self._individual_calls, self._log_denied)
def __init_vars(self):
self._state = "INIT"
@@ -120,6 +121,7 @@ class Firewall(object):
self._marks = [ ]
# fallback settings will be overloaded by firewalld.conf
self.cleanup_on_exit = config.FALLBACK_CLEANUP_ON_EXIT
+ self.cleanup_modules_on_exit = config.FALLBACK_CLEANUP_MODULES_ON_EXIT
self.ipv6_rpfilter_enabled = config.FALLBACK_IPV6_RPFILTER
self._individual_calls = config.FALLBACK_INDIVIDUAL_CALLS
self._log_denied = config.FALLBACK_LOG_DENIED
@@ -232,6 +234,13 @@ class Firewall(object):
log.debug1("CleanupOnExit is set to '%s'",
self.cleanup_on_exit)
+ if self._firewalld_conf.get("CleanupModulesOnExit"):
+ value = self._firewalld_conf.get("CleanupModulesOnExit")
+ if value is not None and value.lower() in [ "yes", "true" ]:
+ self.cleanup_modules_on_exit = True
+ log.debug1("CleanupModulesOnExit is set to '%s'",
+ self.cleanup_modules_on_exit)
+
if self._firewalld_conf.get("Lockdown"):
value = self._firewalld_conf.get("Lockdown")
if value is not None and value.lower() in [ "yes", "true" ]:
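Review bot: The new CleanupModulesOnExit block at the top of the hunk looks the key up twice and then re-tests `value is not None`, which the enclosing `if self._firewalld_conf.get("CleanupModulesOnExit"):` already guarantees; inside that outer `if`, `if value.lower() in [ "yes", "true" ]:` is sufficient. This copies the shape of the existing Lockdown and CleanupOnExit blocks, so it is a point of style rather than a defect, but it is worth not propagating the redundancy into a new option. A short comment above the block, such as `# only an explicit yes/true enables module unloading; absent or unknown values keep the fallback`, would also document why the fallback is never reset here. The enclosing method starts and ends outside the hunk.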
@@ -667,11 +676,15 @@ class Firewall(object):
self.__init_vars()
def stop(self):
- if self.cleanup_on_exit and not self._offline:
- self.flush()
- self.ipset.flush()
- self.set_policy("ACCEPT")
- self.modules_backend.unload_firewall_modules()
+ if not self._offline:
+ if self.cleanup_on_exit:
+ self.flush()
+ self.ipset.flush()
+ self.set_policy("ACCEPT")
+
+ if self.cleanup_modules_on_exit:
+ log.debug1('Unloading firewall kernel modules')
+ self.modules_backend.unload_firewall_modules()
self.cleanup()
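Review bot: In the restructured `stop()`, `self.modules_backend.unload_firewall_modules()` is now reachable with `CleanupOnExit=no` and `CleanupModulesOnExit=yes`, i.e. without the preceding `flush()`, `ipset.flush()` and `set_policy("ACCEPT")`; before this change the unload only ever ran after the ruleset had been torn down. The hunk does not say whether unloading while rules are still installed is intended, and the firewalld.conf comment for the new option only mentions modules not loaded by firewalld, not this interaction. If it is not intended, gate the branch with `if self.cleanup_on_exit and self.cleanup_modules_on_exit:`; if it is, a comment above the branch such as `# runs even when the ruleset was kept (CleanupOnExit=no); the backend is expected to skip modules still in use` would make the choice explicit and tell a reader what to expect from the backend, which is not visible here. Any failure reported by `unload_firewall_modules()` is also not handled in this hunk; whether it raises or only logs should be stated in the same comment. `stop()` is shown in full; the enclosing class continues outside the hunk.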
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 7c7092120676..70258400ef06 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -28,10 +28,11 @@ from firewall import config
from firewall.core.logger import log
from firewall.functions import b2u, u2b, PY2
-valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
- "IPv6_rpfilter", "IndividualCalls", "LogDenied",
- "AutomaticHelpers", "FirewallBackend", "FlushAllOnReload",
- "RFC3964_IPv4", "AllowZoneDrifting" ]
+valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit",
+ "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
+ "IndividualCalls", "LogDenied", "AutomaticHelpers",
+ "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
+ "AllowZoneDrifting" ]
class firewalld_conf(object):
def __init__(self, filename):
@@ -75,6 +76,7 @@ class firewalld_conf(object):
self.set("DefaultZone", config.FALLBACK_ZONE)
self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK))
self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no")
+ self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no")
self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no")
self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no")
self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no")
@@ -135,6 +137,15 @@ class firewalld_conf(object):
config.FALLBACK_CLEANUP_ON_EXIT)
self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no")
+ # check module cleanup on exit
+ value = self.get("CleanupModulesOnExit")
+ if not value or value.lower() not in [ "no", "false", "yes", "true" ]:
+ if value is not None:
+ log.warning("CleanupModulesOnExit '%s' is not valid, using default "
+ "value %s", value if value else '',
+ config.FALLBACK_CLEANUP_MODULES_ON_EXIT)
+ self.set("CleanupModulesOnExit", "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no")
+
# check lockdown
value = self.get("Lockdown")
if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
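Review bot: In the new `# check module cleanup on exit` block, `value if value else ''` in the warning call is redundant: that branch is only entered when `value is not None`, so `value` is already a string and `'%s'` renders `''` as an empty string by itself; `log.warning("CleanupModulesOnExit '%s' is not valid, using default value %s", value, config.FALLBACK_CLEANUP_MODULES_ON_EXIT)` logs the same thing. The block also resets a missing key to the fallback silently while a malformed value gets a warning, which mirrors the CleanupOnExit check above; a comment such as `# absent key: silent fallback; present but invalid value: warn, then fallback` would make that asymmetry deliberate rather than accidental. The accepted-value list is written as `[ "no", "false", "yes", "true" ]` here and `[ "yes", "true", "no", "false" ]` for Lockdown two lines below; one shared module-level list would keep the option parsers from drifting. The enclosing method starts and ends outside the hunk.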
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index 031ef5d1afaa..8815920c6893 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -100,6 +100,7 @@ class FirewallDConfig(slip.dbus.service.Object):
dbus_introspection_prepare_properties(self,
config.dbus.DBUS_INTERFACE_CONFIG,
{ "CleanupOnExit": "readwrite",
+ "CleanupModulesOnExit": "readwrite",
"IPv6_rpfilter": "readwrite",
"Lockdown": "readwrite",
"MinimalMark": "readwrite",
@@ -554,9 +555,9 @@ class FirewallDConfig(slip.dbus.service.Object):
@dbus_handle_exceptions
def _get_property(self, prop):
if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
- "Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers", "FirewallBackend",
- "FlushAllOnReload", "RFC3964_IPv4",
+ "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
+ "IndividualCalls", "LogDenied", "AutomaticHelpers",
+ "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
"AllowZoneDrifting" ]:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
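Review bot: The property-name list in `_get_property` is one of four hand-maintained copies in this file (the dict passed to `dbus_introspection_prepare_properties` in the first hunk, this list, the loop in the hunk at `@@ -679,9 +686,9 @@`, and the whitelist in the hunk at `@@ -706,12 +713,12 @@`), plus `valid_keys` in firewalld_conf.py; every new option has to be added to each one, and a missed copy only shows up at runtime as an InvalidArgs error or as a property that cannot be set. A single module-level tuple, e.g. `_CONFIG_PROPERTIES = ("DefaultZone", "MinimalMark", "CleanupOnExit", "CleanupModulesOnExit", ...)`, referenced from all four places would remove that drift; the existing per-property `elif` chains for typed return values would stay as they are. As a smaller point, the last hunk inserts `"CleanupModulesOnExit"` after `"Lockdown"` while every other list places it directly after `"CleanupOnExit"`. The enclosing method continues past the hunk.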
@@ -578,6 +579,10 @@ class FirewallDConfig(slip.dbus.service.Object):
if value is None:
value = "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no"
return dbus.String(value)
+ elif prop == "CleanupModulesOnExit":
+ if value is None:
+ value = "yes" if config.FALLBACK_CLEANUP_MODULES_ON_EXIT else "no"
+ return dbus.String(value)
elif prop == "Lockdown":
if value is None:
value = "yes" if config.FALLBACK_LOCKDOWN else "no"
@@ -623,6 +628,8 @@ class FirewallDConfig(slip.dbus.service.Object):
return dbus.Int32(self._get_property(prop))
elif prop == "CleanupOnExit":
return dbus.String(self._get_property(prop))
+ elif prop == "CleanupModulesOnExit":
+ return dbus.String(self._get_property(prop))
elif prop == "Lockdown":
return dbus.String(self._get_property(prop))
elif prop == "IPv6_rpfilter":
@@ -679,9 +686,9 @@ class FirewallDConfig(slip.dbus.service.Object):
ret = { }
if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
- "Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers", "FirewallBackend",
- "FlushAllOnReload", "RFC3964_IPv4",
+ "CleanupModulesOnExit", "Lockdown", "IPv6_rpfilter",
+ "IndividualCalls", "LogDenied", "AutomaticHelpers",
+ "FirewallBackend", "FlushAllOnReload", "RFC3964_IPv4",
"AllowZoneDrifting" ]:
ret[x] = self._get_property(x)
elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
@@ -706,12 +713,12 @@ class FirewallDConfig(slip.dbus.service.Object):
self.accessCheck(sender)
if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
- if property_name in [ "CleanupOnExit", "Lockdown",
+ if property_name in [ "CleanupOnExit", "Lockdown", "CleanupModulesOnExit",
"IPv6_rpfilter", "IndividualCalls",
"LogDenied",
"FirewallBackend", "FlushAllOnReload",
"RFC3964_IPv4", "AllowZoneDrifting" ]:
- if property_name in [ "CleanupOnExit", "Lockdown",
+ if property_name in [ "CleanupOnExit", "Lockdown", "CleanupModulesOnExit",
"IPv6_rpfilter", "IndividualCalls" ]:
if new_value.lower() not in [ "yes", "no",
"true", "false" ]:
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 9fc5502a8d0b..9a04a3bd491c 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -17,6 +17,7 @@ dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
DBUS_GETALL([config], [config], 0, [dnl
string "AllowZoneDrifting" : variant string "no"
string "AutomaticHelpers" : variant string "no"
+string "CleanupModulesOnExit" : variant string "no"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
string "FirewallBackend" : variant string "nftables"
@@ -45,6 +46,7 @@ _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
_helper([IndividualCalls], [string:"yes"], [variant string "yes"])
_helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
_helper([FlushAllOnReload], [string:"no"], [variant string "no"])
+_helper([CleanupModulesOnExit], [string:"yes"], [variant string "yes"])
_helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
_helper([RFC3964_IPv4], [string:"no"], [variant string "no"])
_helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"])
--
2.31.1