From 0b69b4e464f02ea6fec50522b587a93092040b4d Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 27 Aug 2020 15:59:13 -0400
Subject: [PATCH 51/62] fix(rich): clamp the IP families to those actually
enabled
One scenario is if IPv6 is not available, but we specify an icmp-type
that is ipv6 only, then we'll still attempt to call the IPv6 backend. We
should not do that.
(cherry picked from commit 4fcb27bdcf8be30d91d490ba2c0286af1cf299de)
(cherry picked from commit b8b0aeaaf853546f6990e8f635d7ea79233bbc79)
---
src/firewall/core/fw_zone.py | 5 ++++-
src/tests/regression/rhbz1855140.at | 2 --
2 files changed, 4 insertions(+), 3 deletions(-)
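diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 9d8bcf620251..bd026222dce5 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1542,7 +1542,10 @@ class FirewallZone(object):
 ipvs = [ source_ipv ]
 
 if not ipvs:
- ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
+ ipvs = ["ipv4", "ipv6"]
+
+ # clamp ipvs to those that are actually enabled.
+ ipvs = [ipv for ipv in ipvs if self._fw.is_ipv_enabled(ipv)]
 
 # add an element to object to allow backends to know what ipvs this applies to
 rule.ipvs = ipvs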
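Review bot: After the new clamp, `ipvs` can be an empty list, for example when the rule's only family is one that `is_ipv_enabled()` reports as disabled, and `rule.ipvs = ipvs` then stores `[]` without any signal to the operator. The updated regression test expects the IPv6-only `neighbour-advertisement` rule to be accepted with exit status 0, so a rich rule can presumably be added successfully while being applied to no backend; how the backends treat an empty `rule.ipvs` is outside this hunk. I would document that case next to the clamp, e.g. `# ipvs may be empty here: the rule's family is disabled, so no backend will receive it`, and consider logging a warning there when the list ends up empty so a drop or reject rule that is silently not enforced is visible in the logs. The enclosing method starts and ends outside the hunk.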
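diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
index cea943e0bf24..8059e29fe71a 100644
--- a/src/tests/regression/rhbz1855140.at
+++ b/src/tests/regression/rhbz1855140.at
@@ -2,9 +2,7 @@ FWD_START_TEST([rich rule icmptypes with one family])
 AT_KEYWORDS(rich icmp rhbz1855140)
 
 FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
-IF_HOST_SUPPORTS_IPV6_RULES([
 FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
-])
 FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
 FWD_RELOAD
 NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl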
--
2.28.0