|
 |
3d17f4 |
Adapted version of
|
|
|
3d17f4 |
|
|
|
3d17f4 |
commit 133e8e7cc77dfe10269ac146f3c03810f50062dd
|
|
|
3d17f4 |
Author: Thomas Woerner <twoerner@redhat.com>
|
|
|
3d17f4 |
Date: Thu Jan 15 17:36:09 2015 +0100
|
|
|
3d17f4 |
|
|
|
3d17f4 |
Fix readdition of removed permanent direct settings (RHBZ#1182641)
|
|
|
3d17f4 |
|
|
|
3d17f4 |
Permanent direct settings are not recognized as such while reloading firewalld
|
|
|
3d17f4 |
after adding the rules to the permanent environment if firewalld has been
|
|
|
3d17f4 |
reloaded after adding the settings in the first place and after they have been
|
|
|
3d17f4 |
removed again from the permanent environment again.
|
|
|
3d17f4 |
|
|
|
3d17f4 |
A new test has been added to firewall-cmd_test.sh for verification.
|
|
|
3d17f4 |
|
|
|
3d17f4 |
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
|
|
|
3d17f4 |
index 7787103..2ac7484 100644
|
|
|
3d17f4 |
--- a/src/firewall/core/fw.py
|
|
|
3d17f4 |
+++ b/src/firewall/core/fw.py
|
|
|
3d17f4 |
@@ -211,9 +211,7 @@ class Firewall:
|
|
|
3d17f4 |
log.debug1("Failed to load direct rules file '%s': %s",
|
|
|
3d17f4 |
FIREWALLD_DIRECT, msg)
|
|
|
3d17f4 |
else:
|
|
|
3d17f4 |
- self.direct.set_config((obj.get_all_chains(),
|
|
|
3d17f4 |
- obj.get_all_rules(),
|
|
|
3d17f4 |
- obj.get_all_passthroughs()))
|
|
|
3d17f4 |
+ self.direct.set_permanent_config(obj)
|
|
|
3d17f4 |
self.config.set_direct(copy.deepcopy(obj))
|
|
|
3d17f4 |
|
|
|
3d17f4 |
# check if default_zone is a valid zone
|
|
|
3d17f4 |
@@ -652,7 +650,7 @@ class Firewall:
|
|
|
3d17f4 |
for zone in self.zone.get_zones():
|
|
|
3d17f4 |
_zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"]
|
|
|
3d17f4 |
# save direct config
|
|
|
3d17f4 |
- _direct_config = self.direct.get_config()
|
|
|
3d17f4 |
+ _direct_config = self.direct.get_runtime_config()
|
|
|
3d17f4 |
_old_dz = self.get_default_zone()
|
|
|
3d17f4 |
|
|
|
3d17f4 |
# stop
|
|
|
3d17f4 |
diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
|
|
|
3d17f4 |
index 358d182..a4cbf51 100644
|
|
|
3d17f4 |
--- a/src/firewall/core/fw_direct.py
|
|
|
3d17f4 |
+++ b/src/firewall/core/fw_direct.py
|
|
|
3d17f4 |
@@ -56,10 +56,51 @@ class FirewallDirect:
|
|
|
3d17f4 |
self._rules = LastUpdatedOrderedDict()
|
|
|
3d17f4 |
self._rule_priority_positions = { }
|
|
|
3d17f4 |
self._passthroughs = LastUpdatedOrderedDict()
|
|
|
3d17f4 |
+ self._obj = None
|
|
|
3d17f4 |
|
|
|
3d17f4 |
def cleanup(self):
|
|
|
3d17f4 |
self.__init_vars()
|
|
|
3d17f4 |
|
|
|
3d17f4 |
+ def set_permanent_config(self, obj):
|
|
|
3d17f4 |
+ # Apply permanent configuration and save the obj to be able to
|
|
|
3d17f4 |
+ # remove permanent configuration settings within get_runtime_config
|
|
|
3d17f4 |
+ # for use in firewalld reload.
|
|
|
3d17f4 |
+ self._obj = obj
|
|
|
3d17f4 |
+ self.set_config((obj.get_all_chains(),
|
|
|
3d17f4 |
+ obj.get_all_rules(),
|
|
|
3d17f4 |
+ obj.get_all_passthroughs()))
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ def get_runtime_config(self):
|
|
|
3d17f4 |
+ # Return only runtime changes
|
|
|
3d17f4 |
+ # Remove all chains, rules and passthroughs that are in self._obj
|
|
|
3d17f4 |
+ # (permanent config applied in firewalld _start.
|
|
|
3d17f4 |
+ chains = LastUpdatedOrderedDict()
|
|
|
3d17f4 |
+ rules = LastUpdatedOrderedDict()
|
|
|
3d17f4 |
+ passthroughs = LastUpdatedOrderedDict()
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ for table_id in self._chains:
|
|
|
3d17f4 |
+ (ipv, table) = table_id
|
|
|
3d17f4 |
+ for chain in self._chains[table_id]:
|
|
|
3d17f4 |
+ if not self._obj.query_chain(ipv, table, chain):
|
|
|
3d17f4 |
+ chains.setdefault(table_id, [ ]).append(chain)
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ for chain_id in self._rules:
|
|
|
3d17f4 |
+ (ipv, table, chain) = chain_id
|
|
|
3d17f4 |
+ for (priority, args) in self._rules[chain_id]:
|
|
|
3d17f4 |
+ if not self._obj.query_rule(ipv, table, chain, priority, args):
|
|
|
3d17f4 |
+ if not chain_id in rules:
|
|
|
3d17f4 |
+ rules[chain_id] = LastUpdatedOrderedDict()
|
|
|
3d17f4 |
+ rules[chain_id][rule_id] = priority
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ for ipv in self._passthroughs:
|
|
|
3d17f4 |
+ for args in self._passthroughs[ipv]:
|
|
|
3d17f4 |
+ if not self._obj.query_passthrough(ipv, args):
|
|
|
3d17f4 |
+ if not ipv in passthroughs:
|
|
|
3d17f4 |
+ passthroughs[ipv] = [ ]
|
|
|
3d17f4 |
+ passthroughs[ipv].append(args)
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
+ return (chains, rules, passthroughs)
|
|
|
3d17f4 |
+
|
|
|
3d17f4 |
def get_config(self):
|
|
|
3d17f4 |
return (self._chains, self._rules, self._passthroughs)
|
|
|
3d17f4 |
|
|
|
3d17f4 |
#diff --git a/src/tests/firewall-cmd_test.sh b/src/tests/firewall-cmd_test.sh
|
|
|
3d17f4 |
#index 75f6e2f..2b03e6a 100755
|
|
|
3d17f4 |
#--- a/src/tests/firewall-cmd_test.sh
|
|
|
3d17f4 |
#+++ b/src/tests/firewall-cmd_test.sh
|
|
|
3d17f4 |
#@@ -85,6 +85,20 @@ assert_bad() {
|
|
|
3d17f4 |
# fi
|
|
|
3d17f4 |
# }
|
|
|
3d17f4 |
#
|
|
|
3d17f4 |
#+assert_bad_contains() {
|
|
|
3d17f4 |
#+ local args="${1}"
|
|
|
3d17f4 |
#+ local value="${2}"
|
|
|
3d17f4 |
#+ local ret
|
|
|
3d17f4 |
#+
|
|
|
3d17f4 |
#+ ret=$(${path}firewall-cmd ${args}) > /dev/null
|
|
|
3d17f4 |
#+ if [[ ( "$?" -ne 0 ) || ( "${ret}" = *${value}* ) ]]; then
|
|
|
3d17f4 |
#+ ((failures++))
|
|
|
3d17f4 |
#+ echo -e "${args} ... ${RED}${failures}. FAILED (non-zero exit status or '${ret}' does contain '${value}')${RESTORE}"
|
|
|
3d17f4 |
#+ else
|
|
|
3d17f4 |
#+ echo "${args} ... OK"
|
|
|
3d17f4 |
#+ fi
|
|
|
3d17f4 |
#+}
|
|
|
3d17f4 |
#+
|
|
|
3d17f4 |
# # rich rules need separate assert methods because of quotation hell
|
|
|
3d17f4 |
# assert_rich_good() {
|
|
|
3d17f4 |
# local operation="${1}"
|
|
|
3d17f4 |
#@@ -563,6 +577,22 @@ assert_good "--permanent --direct --remove-chain ipv4 filter ${mychain_
|
|
|
3d17f4 |
# assert_bad "--permanent --direct --query-chain ipv4 filter ${mychain_p}"
|
|
|
3d17f4 |
# assert_good "--permanent --direct --remove-chain ipv4 filter dummy" # removing nonexisting chain is just warning
|
|
|
3d17f4 |
#
|
|
|
3d17f4 |
#+rule1="ipv4 nat OUTPUT 0 -s 1.2.3.4 -d 1.2.3.4 -p tcp --dport 80 -j REDIRECT --to-ports 81"
|
|
|
3d17f4 |
#+rule2="ipv4 nat OUTPUT 0 -s 1.2.3.4 -d 1.2.3.4 -p tcp --dport 80 -j REDIRECT --to-ports 82"
|
|
|
3d17f4 |
#+assert_good "--permanent --direct --add-rule ${rule1}"
|
|
|
3d17f4 |
#+assert_good_contains "--permanent --direct --get-all-rules" "${rule1}"
|
|
|
3d17f4 |
#+assert_good "--reload"
|
|
|
3d17f4 |
#+assert_good_contains "--direct --get-all-rules" "${rule1}"
|
|
|
3d17f4 |
#+assert_good "--permanent --direct --remove-rule ${rule1}"
|
|
|
3d17f4 |
#+assert_good "--permanent --direct --add-rule ${rule2}"
|
|
|
3d17f4 |
#+assert_good_contains "--permanent --direct --get-all-rules" "${rule2}"
|
|
|
3d17f4 |
#+assert_good "--reload"
|
|
|
3d17f4 |
#+assert_bad_contains "--direct --get-all-rules" "${rule1}"
|
|
|
3d17f4 |
#+assert_good_contains "--direct --get-all-rules" "${rule2}"
|
|
|
3d17f4 |
#+assert_good "--permanent --direct --remove-rule ${rule2}"
|
|
|
3d17f4 |
#+assert_good "--reload"
|
|
|
3d17f4 |
#+assert_bad_contains "--direct --get-all-rules" "${rule2}"
|
|
|
3d17f4 |
#+
|
|
|
3d17f4 |
# # lockdown
|
|
|
3d17f4 |
#
|
|
|
3d17f4 |
# cmd="/usr/bin/command"
|
|
|
3d17f4 |
commit e74cf839be5c51f4d5dec739b92c0c0f11d54f46
|
|
|
3d17f4 |
Merge: b5cc946 e32c402
|
|
|
3d17f4 |
Author: Thomas Woerner <twoerner@redhat.com>
|
|
|
3d17f4 |
Date: Mon May 18 13:43:07 2015 +0200
|
|
|
3d17f4 |
|
|
|
3d17f4 |
Merge pull request #17 from jpopelka/landscape-io
|
|
|
3d17f4 |
|
|
|
3d17f4 |
Fix flaws found by landscape.io
|
|
|
3d17f4 |
|
|
|
3d17f4 |
|
|
|
3d17f4 |
commit e85770bf37e785fed2f14839e64929215ffdd40f
|
|
|
3d17f4 |
Author: Mathieu Le Marec - Pasquet <kiorky@cryptelium.net>
|
|
|
3d17f4 |
Date: Tue May 12 18:46:16 2015 +0200
|
|
|
3d17f4 |
|
|
|
3d17f4 |
Another attempt to fix reload with direct rules.
|
|
|
3d17f4 |
|
|
|
3d17f4 |
This refs #12 #13
|
|
|
3d17f4 |
This fixes #14
|
|
|
3d17f4 |
|
|
|
3d17f4 |
Signed-off-by: Mathieu Le Marec - Pasquet <kiorky@cryptelium.net>
|
|
|
3d17f4 |
|
|
|
3d17f4 |
diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
|
|
|
3d17f4 |
index 48dd18f..1e0e009 100644
|
|
|
3d17f4 |
--- a/src/firewall/core/fw_direct.py
|
|
|
3d17f4 |
+++ b/src/firewall/core/fw_direct.py
|
|
|
3d17f4 |
@@ -88,9 +88,9 @@ class FirewallDirect:
|
|
|
3d17f4 |
(ipv, table, chain) = chain_id
|
|
|
3d17f4 |
for (priority, args) in self._rules[chain_id]:
|
|
|
3d17f4 |
if not self._obj.query_rule(ipv, table, chain, priority, args):
|
|
|
3d17f4 |
- if not chain_id in rules:
|
|
|
3d17f4 |
+ if chain_id not in rules:
|
|
|
3d17f4 |
rules[chain_id] = LastUpdatedOrderedDict()
|
|
|
3d17f4 |
- rules[chain_id][rule_id] = priority
|
|
|
3d17f4 |
+ rules[chain_id][(priority, args)] = priority
|
|
|
3d17f4 |
|
|
|
3d17f4 |
for ipv in self._passthroughs:
|
|
|
3d17f4 |
for args in self._passthroughs[ipv]:
|