|
|
1dfe16 |
From c517bae24deb45ee3c75e5a7ae9927a82217dccb Mon Sep 17 00:00:00 2001
|
|
|
24f428 |
From: Eric Garver <e@erig.me>
|
|
|
24f428 |
Date: Wed, 14 Nov 2018 11:42:17 -0500
|
|
|
1dfe16 |
Subject: [PATCH] remove ability to use nftables backend
|
|
|
24f428 |
|
|
|
24f428 |
---
|
|
|
24f428 |
config/firewalld.conf | 7 -------
|
|
|
24f428 |
configure.ac | 10 ----------
|
|
|
24f428 |
doc/xml/firewalld.conf.xml | 14 --------------
|
|
|
24f428 |
doc/xml/firewalld.dbus.xml | 10 ----------
|
|
|
24f428 |
src/firewall/config/__init__.py.in | 3 +--
|
|
|
24f428 |
src/firewall/core/fw.py | 5 -----
|
|
|
24f428 |
src/firewall/core/io/firewalld_conf.py | 11 +----------
|
|
|
24f428 |
src/firewall/server/config.py | 19 +++----------------
|
|
|
1dfe16 |
src/tests/dbus/firewalld.conf.at | 6 +-----
|
|
|
1dfe16 |
src/tests/functions.at | 5 +----
|
|
|
24f428 |
src/tests/testsuite.at | 2 +-
|
|
|
1dfe16 |
11 files changed, 8 insertions(+), 84 deletions(-)
|
|
|
24f428 |
|
|
|
24f428 |
diff --git a/config/firewalld.conf b/config/firewalld.conf
|
|
|
24f428 |
index b53c0aa50c53..63df409bf567 100644
|
|
|
24f428 |
--- a/config/firewalld.conf
|
|
|
24f428 |
+++ b/config/firewalld.conf
|
|
|
24f428 |
@@ -55,10 +55,3 @@ LogDenied=off
|
|
|
24f428 |
# will be used. Possible values are: yes, no and system.
|
|
|
24f428 |
# Default: system
|
|
|
24f428 |
AutomaticHelpers=system
|
|
|
24f428 |
-
|
|
|
24f428 |
-# FirewallBackend
|
|
|
24f428 |
-# Selects the firewall backend implementation.
|
|
|
24f428 |
-# Choices are:
|
|
|
24f428 |
-# - nftables (default)
|
|
|
24f428 |
-# - iptables (iptables, ip6tables, ebtables and ipset)
|
|
|
24f428 |
-FirewallBackend=nftables
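Review bot: A `FirewallBackend=nftables` line already present in an upgraded host's `/etc/firewalld/firewalld.conf` gets no hint from this shipped file that the option is now ignored, because the block deleted after `AutomaticHelpers=system` was the only place the key was described. Keep a short comment where the block was, e.g. `# FirewallBackend is not configurable in this build; the iptables backend is always used.`, so an administrator diffing the packaged file against their own does not assume nftables is still selectable. Whether a stale key is warned about or silently dropped on the daemon's next write is decided by the parser, not by this file.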
|
|
|
24f428 |
diff --git a/configure.ac b/configure.ac
|
|
|
24f428 |
index db9a39f92def..d1c365e29986 100644
|
|
|
24f428 |
--- a/configure.ac
|
|
|
24f428 |
+++ b/configure.ac
|
|
|
24f428 |
@@ -147,16 +147,6 @@ if test "x$IPSET" = "x"; then
|
|
|
24f428 |
fi
|
|
|
24f428 |
AC_SUBST(IPSET)
|
|
|
24f428 |
|
|
|
24f428 |
-AC_ARG_WITH([nft],
|
|
|
24f428 |
- AS_HELP_STRING([--with-nft], [Path to nft (nftables) executable]),
|
|
|
24f428 |
- [NFT=$withval
|
|
|
24f428 |
- AC_MSG_NOTICE([Using for nft: $NFT])],
|
|
|
24f428 |
- [AC_PATH_PROG([NFT], [nft], [], [$FW_TOOLS_PATH])])
|
|
|
24f428 |
-if test "x$NFT" = "x"; then
|
|
|
24f428 |
- AC_MSG_ERROR([nft was not found in $FW_TOOLS_PATH])
|
|
|
24f428 |
-fi
|
|
|
24f428 |
-AC_SUBST(NFT)
|
|
|
24f428 |
-
|
|
|
24f428 |
#############################################################
|
|
|
24f428 |
|
|
|
24f428 |
AC_SUBST([GETTEXT_PACKAGE], '[PKG_NAME]')
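Review bot: Dropping the `NFT` probe and `AC_SUBST(NFT)` leaves any remaining `@NFT@` substitution in the tree unresolved, and the diffstat touches neither the `COMMANDS` table in `src/firewall/config/__init__.py.in` nor the nftables backend module itself. If that table still carries an entry such as `"nft": "@NFT@"`, the build ships the literal placeholder as the executable path, which only surfaces when the nftables code path is reached; grep for `@NFT@` and either drop the entry or keep an `AC_SUBST(NFT)` with an empty default. I cannot see those files here, so this is inferred from the diffstat rather than from visible lines.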
|
|
|
24f428 |
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
|
|
|
24f428 |
index df4b9521fd71..afb94b90937f 100644
|
|
|
24f428 |
--- a/doc/xml/firewalld.conf.xml
|
|
|
24f428 |
+++ b/doc/xml/firewalld.conf.xml
|
|
|
24f428 |
@@ -144,20 +144,6 @@
|
|
|
24f428 |
</listitem>
|
|
|
24f428 |
</varlistentry>
|
|
|
24f428 |
|
|
|
24f428 |
- <varlistentry>
|
|
|
24f428 |
- <term><option>FirewallBackend</option></term>
|
|
|
24f428 |
- <listitem>
|
|
|
24f428 |
- <para>
|
|
|
24f428 |
- Selects the firewall backend implementation. Possible values
|
|
|
24f428 |
- are; <replaceable>nftables</replaceable> (default), or
|
|
|
24f428 |
- <replaceable>iptables</replaceable>. This applies to all
|
|
|
24f428 |
- firewalld primitives. The only exception is direct and
|
|
|
24f428 |
- passthrough rules which always use the traditional iptables,
|
|
|
24f428 |
- ip6tables, and ebtables backends.
|
|
|
24f428 |
- </para>
|
|
|
24f428 |
- </listitem>
|
|
|
24f428 |
- </varlistentry>
|
|
|
24f428 |
-
|
|
|
24f428 |
</variablelist>
|
|
|
24f428 |
|
|
|
24f428 |
</refsect1>
|
|
|
24f428 |
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
|
|
|
24f428 |
index 8352f96cc057..ec82d4cad077 100644
|
|
|
24f428 |
--- a/doc/xml/firewalld.dbus.xml
|
|
|
24f428 |
+++ b/doc/xml/firewalld.dbus.xml
|
|
|
24f428 |
@@ -2582,16 +2582,6 @@
|
|
|
24f428 |
</para>
|
|
|
24f428 |
</listitem>
|
|
|
24f428 |
</varlistentry>
|
|
|
24f428 |
- <varlistentry id="FirewallD1.config.Properties.FirewallBackend">
|
|
|
24f428 |
- <term>FirewallBackend - s - (rw)</term>
|
|
|
24f428 |
- <listitem>
|
|
|
24f428 |
- <para>
|
|
|
24f428 |
- Selects the firewalld backend for all rules except the direct
|
|
|
24f428 |
- interface. Valid options are; nftables, iptables. Default in
|
|
|
24f428 |
- nftables.
|
|
|
24f428 |
- </para>
|
|
|
24f428 |
- </listitem>
|
|
|
24f428 |
- </varlistentry>
|
|
|
24f428 |
<varlistentry id="FirewallD1.config.Properties.IPv6_rpfilter">
|
|
|
24f428 |
<term><parameter>IPv6_rpfilter</parameter> - s - (rw)</term>
|
|
|
24f428 |
<listitem><para>Indicates whether the reverse path filter test on a packet for IPv6 is enabled. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.</para></listitem>
|
|
|
24f428 |
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
|
|
|
24f428 |
index 955be32077e1..20e4979062d8 100644
|
|
|
24f428 |
--- a/src/firewall/config/__init__.py.in
|
|
|
24f428 |
+++ b/src/firewall/config/__init__.py.in
|
|
|
24f428 |
@@ -118,7 +118,6 @@ COMMANDS = {
|
|
|
24f428 |
|
|
|
24f428 |
LOG_DENIED_VALUES = [ "all", "unicast", "broadcast", "multicast", "off" ]
|
|
|
24f428 |
AUTOMATIC_HELPERS_VALUES = [ "yes", "no", "system" ]
|
|
|
24f428 |
-FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
|
|
|
24f428 |
|
|
|
24f428 |
# fallbacks: will be overloaded by firewalld.conf
|
|
|
24f428 |
FALLBACK_ZONE = "public"
|
|
|
24f428 |
@@ -129,4 +128,4 @@ FALLBACK_IPV6_RPFILTER = True
|
|
|
24f428 |
FALLBACK_INDIVIDUAL_CALLS = False
|
|
|
24f428 |
FALLBACK_LOG_DENIED = "off"
|
|
|
24f428 |
FALLBACK_AUTOMATIC_HELPERS = "system"
|
|
|
24f428 |
-FALLBACK_FIREWALL_BACKEND = "nftables"
|
|
|
24f428 |
+FALLBACK_FIREWALL_BACKEND = "iptables"
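Review bot: `FALLBACK_FIREWALL_BACKEND` is no longer a fallback once `FIREWALL_BACKEND_VALUES` and the config key are gone, since nothing in this patch can override it, so its name and the `# fallbacks: will be overloaded by firewalld.conf` header above it now mislead. Add a comment on the retained line, e.g. `# fixed for this build: nftables support was removed, firewalld.conf cannot override this`, or move the constant out of the fallbacks group. The diffstat does not remove the nftables backend module, so this constant is the only thing keeping the daemon on iptables and deserves the warning.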
|
|
|
24f428 |
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
|
|
|
24f428 |
index 9be13a5c1313..abb25f0c3e72 100644
|
|
|
24f428 |
--- a/src/firewall/core/fw.py
|
|
|
24f428 |
+++ b/src/firewall/core/fw.py
|
|
|
24f428 |
@@ -293,11 +293,6 @@ class Firewall(object):
|
|
|
24f428 |
log.debug1("AutomaticHelpers is set to '%s'",
|
|
|
24f428 |
self._automatic_helpers)
|
|
|
24f428 |
|
|
|
24f428 |
- if self._firewalld_conf.get("FirewallBackend"):
|
|
|
24f428 |
- self._firewall_backend = self._firewalld_conf.get("FirewallBackend")
|
|
|
24f428 |
- log.debug1("FirewallBackend is set to '%s'",
|
|
|
24f428 |
- self._firewall_backend)
|
|
|
24f428 |
-
|
|
|
24f428 |
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
|
|
|
24f428 |
|
|
|
24f428 |
self._select_firewall_backend(self._firewall_backend)
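Review bot: The only log line recording the active backend is removed here, while `self._select_firewall_backend(self._firewall_backend)` at the end of the hunk still passes whatever the attribute holds, and that attribute's initialisation is outside the hunk. Keep `log.debug1("FirewallBackend is set to '%s'", self._firewall_backend)` immediately before that call so the startup log still names the backend, which is the first thing to check on a host upgraded from a release configured for nftables. Whether `_select_firewall_backend` still accepts "nftables", and whether a `firewalld` nftables table left behind by the previous release is flushed on startup when the iptables backend is selected, is not visible here; if neither holds, an upgrade could leave the old ruleset active beside the new one, so it is worth confirming. The enclosing method begins before this hunk.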
|
|
|
24f428 |
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
|
|
|
24f428 |
index 4d57bad693c1..9aee2dc6f9b7 100644
|
|
|
24f428 |
--- a/src/firewall/core/io/firewalld_conf.py
|
|
|
24f428 |
+++ b/src/firewall/core/io/firewalld_conf.py
|
|
|
24f428 |
@@ -30,7 +30,7 @@ from firewall.functions import b2u, u2b, PY2
|
|
|
24f428 |
|
|
|
24f428 |
valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
|
|
|
24f428 |
"IPv6_rpfilter", "IndividualCalls", "LogDenied",
|
|
|
24f428 |
- "AutomaticHelpers", "FirewallBackend" ]
|
|
|
24f428 |
+ "AutomaticHelpers" ]
|
|
|
24f428 |
|
|
|
24f428 |
class firewalld_conf(object):
|
|
|
24f428 |
def __init__(self, filename):
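Review bot: With `"FirewallBackend"` dropped from `valid_keys`, a `FirewallBackend=nftables` line already present in an upgraded host's `firewalld.conf` is handled like any other unknown key, and what the read loop and `write()` do with unknown keys is outside this hunk. If they warn on every start or silently drop the line on the next write, the administrator gets no clear signal that the backend changed underneath them; a one-time `log.warning("FirewallBackend is not supported in this build, the iptables backend is always used")` when that key is encountered would make the change visible. The class body continues past the hunk.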
|
|
|
24f428 |
@@ -79,7 +79,6 @@ class firewalld_conf(object):
|
|
|
24f428 |
self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no")
|
|
|
24f428 |
self.set("LogDenied", config.FALLBACK_LOG_DENIED)
|
|
|
24f428 |
self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS)
|
|
|
24f428 |
- self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND)
|
|
|
24f428 |
raise
|
|
|
24f428 |
|
|
|
24f428 |
for line in f:
|
|
|
24f428 |
@@ -175,14 +174,6 @@ class firewalld_conf(object):
|
|
|
24f428 |
config.FALLBACK_AUTOMATIC_HELPERS)
|
|
|
24f428 |
self.set("AutomaticHelpers", str(config.FALLBACK_AUTOMATIC_HELPERS))
|
|
|
24f428 |
|
|
|
24f428 |
- value = self.get("FirewallBackend")
|
|
|
24f428 |
- if not value or value.lower() not in config.FIREWALL_BACKEND_VALUES:
|
|
|
24f428 |
- if value is not None:
|
|
|
24f428 |
- log.warning("FirewallBackend '%s' is not valid, using default "
|
|
|
24f428 |
- "value %s", value if value else '',
|
|
|
24f428 |
- config.FALLBACK_FIREWALL_BACKEND)
|
|
|
24f428 |
- self.set("FirewallBackend", str(config.FALLBACK_FIREWALL_BACKEND))
|
|
|
24f428 |
-
|
|
|
24f428 |
# save to self.filename if there are key/value changes
|
|
|
24f428 |
def write(self):
|
|
|
24f428 |
if len(self._config) < 1:
|
|
|
24f428 |
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
|
|
|
24f428 |
index dfc562b537eb..011052a9cabf 100644
|
|
|
24f428 |
--- a/src/firewall/server/config.py
|
|
|
24f428 |
+++ b/src/firewall/server/config.py
|
|
|
24f428 |
@@ -105,7 +105,6 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
24f428 |
"IndividualCalls": "readwrite",
|
|
|
24f428 |
"LogDenied": "readwrite",
|
|
|
24f428 |
"AutomaticHelpers": "readwrite",
|
|
|
24f428 |
- "FirewallBackend": "readwrite",
|
|
|
24f428 |
})
|
|
|
24f428 |
|
|
|
24f428 |
@handle_exceptions
|
|
|
24f428 |
@@ -485,7 +484,7 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
24f428 |
def _get_property(self, prop):
|
|
|
24f428 |
if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
|
|
|
24f428 |
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
|
|
|
24f428 |
- "LogDenied", "AutomaticHelpers", "FirewallBackend" ]:
|
|
|
24f428 |
+ "LogDenied", "AutomaticHelpers" ]:
|
|
|
24f428 |
raise dbus.exceptions.DBusException(
|
|
|
24f428 |
"org.freedesktop.DBus.Error.InvalidArgs: "
|
|
|
24f428 |
"Property '%s' does not exist" % prop)
|
|
|
24f428 |
@@ -526,10 +525,6 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
24f428 |
if value is None:
|
|
|
24f428 |
value = config.FALLBACK_AUTOMATIC_HELPERS
|
|
|
24f428 |
return dbus.String(value)
|
|
|
24f428 |
- elif prop == "FirewallBackend":
|
|
|
24f428 |
- if value is None:
|
|
|
24f428 |
- value = config.FALLBACK_FIREWALL_BACKEND
|
|
|
24f428 |
- return dbus.String(value)
|
|
|
24f428 |
|
|
|
24f428 |
@dbus_handle_exceptions
|
|
|
24f428 |
def _get_dbus_property(self, prop):
|
|
|
24f428 |
@@ -549,8 +544,6 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
24f428 |
return dbus.String(self._get_property(prop))
|
|
|
24f428 |
elif prop == "AutomaticHelpers":
|
|
|
24f428 |
return dbus.String(self._get_property(prop))
|
|
|
24f428 |
- elif prop == "FirewallBackend":
|
|
|
24f428 |
- return dbus.String(self._get_property(prop))
|
|
|
24f428 |
else:
|
|
|
24f428 |
raise dbus.exceptions.DBusException(
|
|
|
24f428 |
"org.freedesktop.DBus.Error.InvalidArgs: "
|
|
|
24f428 |
@@ -590,7 +583,7 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
24f428 |
if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
|
|
|
24f428 |
for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
|
|
|
24f428 |
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
|
|
|
24f428 |
- "LogDenied", "AutomaticHelpers", "FirewallBackend" ]:
|
|
|
24f428 |
+ "LogDenied", "AutomaticHelpers" ]:
|
|
|
24f428 |
ret[x] = self._get_property(x)
|
|
|
24f428 |
elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
|
|
|
24f428 |
config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
|
|
|
24f428 |
@@ -616,8 +609,7 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
24f428 |
if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
|
|
|
24f428 |
if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown",
|
|
|
24f428 |
"IPv6_rpfilter", "IndividualCalls",
|
|
|
24f428 |
- "LogDenied", "AutomaticHelpers",
|
|
|
24f428 |
- "FirewallBackend" ]:
|
|
|
24f428 |
+ "LogDenied", "AutomaticHelpers" ]:
|
|
|
24f428 |
if property_name == "MinimalMark":
|
|
|
24f428 |
try:
|
|
|
24f428 |
int(new_value)
|
|
|
24f428 |
@@ -646,11 +638,6 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
24f428 |
raise FirewallError(errors.INVALID_VALUE,
|
|
|
24f428 |
"'%s' for %s" % \
|
|
|
24f428 |
(new_value, property_name))
|
|
|
24f428 |
- if property_name == "FirewallBackend":
|
|
|
24f428 |
- if new_value not in config.FIREWALL_BACKEND_VALUES:
|
|
|
24f428 |
- raise FirewallError(errors.INVALID_VALUE,
|
|
|
24f428 |
- "'%s' for %s" % \
|
|
|
24f428 |
- (new_value, property_name))
|
|
|
24f428 |
self.config.get_firewalld_conf().set(property_name, new_value)
|
|
|
24f428 |
self.config.get_firewalld_conf().write()
|
|
|
24f428 |
self.PropertiesChanged(interface_name,
|
|
|
24f428 |
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
|
|
|
1dfe16 |
index 473210de10af..741b1e6f417f 100644
|
|
|
24f428 |
--- a/src/tests/dbus/firewalld.conf.at
|
|
|
24f428 |
+++ b/src/tests/dbus/firewalld.conf.at
|
|
|
1dfe16 |
@@ -5,10 +5,7 @@ DBUS_GETALL([config], [config], 0, [dnl
|
|
|
24f428 |
string "AutomaticHelpers" : variant string "system"
|
|
|
24f428 |
string "CleanupOnExit" : variant string "no"
|
|
|
24f428 |
string "DefaultZone" : variant string "public"
|
|
|
24f428 |
-string "FirewallBackend" : variant string "nftables"
|
|
|
1dfe16 |
-m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
|
|
|
1dfe16 |
-string "IPv6_rpfilter" : variant string "no"],[dnl
|
|
|
1dfe16 |
-string "IPv6_rpfilter" : variant string "yes"])
|
|
|
1dfe16 |
+string "IPv6_rpfilter" : variant string "yes"
|
|
|
1dfe16 |
string "IndividualCalls" : variant string "no"
|
|
|
1dfe16 |
string "Lockdown" : variant string "no"
|
|
|
1dfe16 |
string "LogDenied" : variant string "off"
|
|
|
1dfe16 |
@@ -29,7 +26,6 @@ _helper([Lockdown], [string:"yes"], [variant string "yes"])
|
|
|
24f428 |
_helper([LogDenied], [string:"all"], [variant string "all"])
|
|
|
24f428 |
_helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
|
|
|
24f428 |
_helper([IndividualCalls], [string:"yes"], [variant string "yes"])
|
|
|
24f428 |
-_helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
|
|
|
24f428 |
_helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
|
|
|
24f428 |
dnl Note: DefaultZone is RO
|
|
|
24f428 |
m4_undefine([_helper])
|
|
|
24f428 |
diff --git a/src/tests/functions.at b/src/tests/functions.at
|
|
|
1dfe16 |
index bae43faed410..3841df4264d7 100644
|
|
|
24f428 |
--- a/src/tests/functions.at
|
|
|
24f428 |
+++ b/src/tests/functions.at
|
|
|
1dfe16 |
@@ -58,14 +58,11 @@ m4_define([FWD_START_TEST], [
|
|
|
1dfe16 |
fi
|
|
|
1dfe16 |
|
|
|
1dfe16 |
m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
|
|
|
1dfe16 |
- m4_define_default([FIREWALL_BACKEND], [nftables])
|
|
|
1dfe16 |
+ m4_define_default([FIREWALL_BACKEND], [iptables])
|
|
|
1dfe16 |
|
|
|
24f428 |
dnl don't unload modules or bother cleaning up, the namespace will be deleted
|
|
|
24f428 |
AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
|
|
|
24f428 |
|
|
|
24f428 |
- dnl set the appropriate backend
|
|
|
24f428 |
- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
|
|
|
24f428 |
-
|
|
|
24f428 |
dnl fib matching is pretty new in nftables. Don't use rpfilter on older
|
|
|
24f428 |
dnl kernels.
|
|
|
24f428 |
m4_if(nftables, FIREWALL_BACKEND, [
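Review bot: The `m4_if(nftables, FIREWALL_BACKEND, [` branch at the end of the hunk is now dead, because `testsuite.at` iterates `FIREWALL_BACKEND` over `[iptables]` only and the default set above is `iptables`. The removed `sed` was also the only link between the m4 symbol and the daemon's `FirewallBackend=` line, so a test file that still defines `FIREWALL_BACKEND` as `nftables` would make the harness skip `IPv6_rpfilter` while the daemon runs iptables regardless, leaving the rpfilter rules untested. Drop the conditional, whose body continues past the hunk, so the harness has a single backend that matches what the daemon actually does.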
|
|
|
24f428 |
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
|
|
|
24f428 |
index 2943d7460919..68d18c9018b8 100644
|
|
|
24f428 |
--- a/src/tests/testsuite.at
|
|
|
24f428 |
+++ b/src/tests/testsuite.at
|
|
|
24f428 |
@@ -10,7 +10,7 @@ m4_include([functions.at])
|
|
|
24f428 |
m4_include([firewall-offline-cmd.at])
|
|
|
24f428 |
m4_include([dbus.at])
|
|
|
24f428 |
|
|
|
24f428 |
-m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
|
|
|
24f428 |
+m4_foreach([FIREWALL_BACKEND], [[iptables]], [
|
|
|
24f428 |
m4_include([firewall-cmd.at])
|
|
|
24f428 |
m4_include([regression.at])
|
|
|
24f428 |
m4_include([python.at])
|
|
|
24f428 |
--
|
|
|
1dfe16 |
2.20.1