From dfa06f76e3088dccf5ac56b4d7f3162830393516 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Tue, 4 Feb 2020 09:12:17 -0500
Subject: [PATCH] RHEL only: default to AllowZoneDrifting=yes
---
config/firewalld.conf | 4 ++--
doc/xml/firewalld.conf.xml | 2 +-
doc/xml/firewalld.dbus.xml | 2 +-
src/firewall/config/__init__.py.in | 2 +-
src/tests/dbus/firewalld.conf.at | 4 ++--
src/tests/functions.at | 1 +
src/tests/regression/rhbz1514043.at | 5 +++++
7 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 02be07b9b892..1854f3795e0a 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -65,5 +65,5 @@ AutomaticHelpers=system
# Note: If "yes" packets will only drift from source based zones to interface
# based zones (including the default zone). Packets never drift from interface
# based zones to other interfaces based zones (including the default zone).
-# Possible values; "yes", "no". Defaults to "no".
-AllowZoneDrifting=no
+# Possible values; "yes", "no". Defaults to "yes".
+AllowZoneDrifting=yes
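Review bot: The comment above `AllowZoneDrifting=yes` still only explains the mechanism and says nothing about why this downstream build defaults to the more permissive of the two values, so anyone diffing this file against upstream firewalld (whose default is the removed `no`) or against a hardening baseline has no pointer to the reason. The daemon also appears to log `WARNING: AllowZoneDrifting is enabled.` while it is on — the src/tests/functions.at hunk filters exactly that string — and an administrator reading this file should learn here why that warning shows up. I would add, directly above the key: `# RHEL: this build defaults to "yes"; the upstream firewalld default is "no".` and `# firewalld logs "WARNING: AllowZoneDrifting is enabled." while this is set to "yes".` The same missing rationale applies to `FALLBACK_ALLOW_ZONE_DRIFTING = True` in src/firewall/config/__init__.py.in, which presumably is the value used when the key is absent from firewalld.conf.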
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 9d8017df3112..8dff74152cd1 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -158,7 +158,7 @@
to interface based zones (including the default zone). Packets
never drift from interface based zones to other interfaces
based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
</para>
</listitem>
</varlistentry>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index ea0be9cefd1c..afd2c7bba401 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2571,7 +2571,7 @@
to interface based zones (including the default zone). Packets
never drift from interface based zones to other interfaces
based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
</para></listitem>
</varlistentry>
<varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 3926c8fdb3a3..561ea3f34325 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -128,4 +128,4 @@ FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
FALLBACK_FIREWALL_BACKEND = "iptables"
-FALLBACK_ALLOW_ZONE_DRIFTING = False
+FALLBACK_ALLOW_ZONE_DRIFTING = True
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 0884e21b6368..8ed00f84e158 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -3,7 +3,7 @@ FWD_START_TEST([firewalld.conf])
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
IF_HOST_SUPPORTS_NFT_FIB([
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "system"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
@@ -14,7 +14,7 @@ string "LogDenied" : variant string "off"
string "MinimalMark" : variant int32 100
])], [
DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
string "AutomaticHelpers" : variant string "system"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
diff --git a/src/tests/functions.at b/src/tests/functions.at
index 29436dbc1509..2340fb8f5565 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -146,6 +146,7 @@ m4_define([FWD_END_TEST], [
sed -i "/modprobe: ERROR:/d" ./firewalld.log
sed -i "/WARNING: Failed to load nf_conntrack module/d" ./firewalld.log
sed -i "/WARNING: Failed to get and parse nf_conntrack_helper setting/d" ./firewalld.log
+ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log
if test x"$1" != x"ignore"; then
if test -n "$1"; then
sed -i $1 ./firewalld.log
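Review bot: The added `sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log` strips the warning from every test's log unconditionally, so after this change no test can observe whether firewalld emitted it — neither a test that sets `AllowZoneDrifting=no` (as src/tests/regression/rhbz1514043.at now does) and would want to confirm the warning is gone, nor one that leaves the new default and would want to confirm the warning is present. Since this filter is the only evidence in the patch that the warning fires for the new default, I would add a dedicated test that greps ./firewalld.log for the message before FWD_END_TEST runs, and escape the trailing dot so the pattern is literal: `sed -i "/WARNING: AllowZoneDrifting is enabled\./d" ./firewalld.log`. The enclosing m4_define([FWD_END_TEST]) starts and ends outside this hunk.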
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index ff2ede2ece71..7f061d86c2f1 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
@@ -1,4 +1,9 @@
FWD_START_TEST([--set-log-denied does not zero config])
+
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
FWD_CHECK([-q --set-log-denied=all])
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
FWD_RELOAD
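Review bot: The `sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf` on the new line 4 only rewrites a line that already exists; if the test's firewalld.conf carries no `AllowZoneDrifting` line the substitution is a silent no-op, the daemon presumably falls back to `FALLBACK_ALLOW_ZONE_DRIFTING = True` from src/firewall/config/__init__.py.in, and the test then runs with drifting enabled while its comment says the expected results assume "no". I would make that precondition observable with a check right after the sed: `AT_CHECK([grep -q '^AllowZoneDrifting=no$' ./firewalld.conf])`. FWD_START_TEST opens at the top of this hunk but the test body continues past its last line.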
--
2.23.0