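--- a/firewalld-0.3.9/doc/xml/firewall-cmd.xml
+++ b/firewalld-0.3.9/doc/xml/firewall-cmd.xml
@@ -943,16 +943,16 @@
 <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-all-passthroughs</option></term>
 <listitem>
 <para>
- Get all permanent passthrough as a newline separated list of the ipv value and arguments.
+ Get all passthrough rules as a newline separated list of the ipv value and arguments.
 </para>
 </listitem>
 </varlistentry>
 
 <varlistentry>
- <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-passthroughs</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } </term>
+ <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-passthroughs</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> }</term>
 <listitem>
 <para>
- Get all permanent passthrough rules for the ipv value as a newline separated list of the priority and arguments.
+ Get all passthrough rules for the ipv value as a newline separated list of the priority and arguments.
 </para>
 </listitem>
 </varlistentry>
@@ -961,7 +961,7 @@
 <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--add-passthrough</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>args</replaceable></term>
 <listitem>
 <para>
- Add a permanent passthrough rule with the arguments <replaceable>args</replaceable> for the ipv value.
+ Add a passthrough rule with the arguments <replaceable>args</replaceable> for the ipv value.
 </para>
 </listitem>
 </varlistentry>
@@ -970,7 +970,7 @@
 <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--remove-passthrough</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>args</replaceable></term>
 <listitem>
 <para>
- Remove a permanent passthrough rule with the arguments <replaceable>args</replaceable> for the ipv value.
+ Remove a passthrough rule with the arguments <replaceable>args</replaceable> for the ipv value.
 </para>
 </listitem>
 </varlistentry>
@@ -979,7 +979,7 @@
 <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--query-passthrough</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>args</replaceable></term>
 <listitem>
 <para>
- Return whether a permanent passthrough rule with the arguments <replaceable>args</replaceable> exists for the ipv value. Returns 0 if true, 1 otherwise.
+ Return whether a passthrough rule with the arguments <replaceable>args</replaceable> exists for the ipv value. Returns 0 if true, 1 otherwise.
 </para>
 </listitem>
 </varlistentry>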
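--- a/firewalld-0.3.9/src/firewall/client.py
+++ b/firewalld-0.3.9/src/firewall/client.py
@@ -1314,7 +1314,7 @@ class FirewallClientDirect(object):
 self.settings[2] = passthroughs
 @handle_exceptions
 def removeAllPassthroughs(self):
- self.settings[2] = passthroughs
+ self.settings[2] = []
 @handle_exceptions
 def getPassthroughs(self, ipv):
 return [ entry[1] for entry in self.settings[2] \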
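--- a/firewalld-0.3.9/src/firewall/core/fw_direct.py
+++ b/firewalld-0.3.9/src/firewall/core/fw_direct.py
@@ -280,7 +280,7 @@ class FirewallDirect:
 r.append((ipv, table, chain, priority, list(args)))
 return r
 
- # DIRECT PASSTROUGH (untracked)
+ # DIRECT PASSTHROUGH (untracked)
 
 def passthrough(self, ipv, args):
 try:
@@ -289,7 +289,7 @@ class FirewallDirect:
 log.debug2(msg)
 raise FirewallError(COMMAND_FAILED, msg)
 
- # DIRECT PASSTROUGH (tracked)
+ # DIRECT PASSTHROUGH (tracked)
 
 def _check_ipv(self, ipv):
 ipvs = [ 'ipv4', 'ipv6', 'eb' ]
@@ -311,8 +311,14 @@ class FirewallDirect:
 raise FirewallError(NOT_ENABLED,
 "passthrough '%s', '%s'" % (ipv, args))
 
+ if enable:
+ self.check_passthrough(args)
+ _args = args
+ else:
+ _args = self.reverse_passthrough(args)
+
 try:
- self._fw.rule(ipv, args)
+ self._fw.rule(ipv, _args)
 except Exception as msg:
 log.debug2(msg)
 raise FirewallError(COMMAND_FAILED, msg)
@@ -349,3 +355,74 @@ class FirewallDirect:
 for args in self._passthroughs[ipv]:
 r.append(list(args))
 return r
+
+ def check_passthrough(self, args):
+ """ Check if passthough rule is valid (only add, insert and new chain
+ rules are allowed) """
+
+ args = set(args)
+ not_allowed = set(["-C", "--check", # check rule
+ "-D", "--delete", # delete rule
+ "-R", "--replace", # replace rule
+ "-L", "--list", # list rule
+ "-S", "--list-rules", # print rules
+ "-F", "--flush", # flush rules
+ "-Z", "--zero", # zero rules
+ "-X", "--delete-chain", # delete chain
+ "-P", "--policy", # policy
+ "-E", "--rename-chain"]) # rename chain)
+ # intersection of args and not_allowed is not empty, i.e.
+ # something from args is not allowed
+ if len(args & not_allowed) > 0:
+ raise FirewallError(INVALID_PASSTHROUGH,
+ "arg '%s' is not allowed" %
+ list(args & not_allowed)[0] )
+
+ # args need to contain one of -A, -I, -N
+ needed = set(["-A", "--append",
+ "-I", "--insert",
+ "-N", "--new-chain"])
+ # empty intersection of args and needed, i.e.
+ # none from args contains any needed command
+ if len(args & needed) == 0:
+ raise FirewallError(INVALID_PASSTHROUGH,
+ "no '-A', '-I' or '-N' arg")
+
+ def reverse_passthrough(self, args):
+ """ Reverse valid passthough rule """
+
+ replace_args = {
+ # Append
+ "-A": "-D",
+ "--append": "--delete",
+ # Insert
+ "-I": "-D",
+ "--insert": "--delete",
+ # New chain
+ "-N": "-X",
+ "--new-chain": "--delete-chain",
+ }
+
+ ret_args = args[:]
+
+ for x in replace_args:
+ try:
+ idx = ret_args.index(x)
+ except:
+ continue
+
+ if x in [ "-I", "--insert" ]:
+ # With insert rulenum, then remove it if it is a number
+ # Opt at position idx, chain at position idx+1, [rulenum] at
+ # position idx+2
+ try:
+ int(ret_args[idx+2])
+ except:
+ pass
+ else:
+ ret_args.pop(idx+2)
+
+ ret_args[idx] = replace_args[x]
+ return ret_args
+
+ raise FirewallError(INVALID_PASSTHROUGH, "no '-A', '-I' or '-N' arg")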
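--- a/firewalld-0.3.9/src/firewall/errors.py
+++ b/firewalld-0.3.9/src/firewall/errors.py
@@ -74,6 +74,7 @@ INVALID_COMMAND = 129
 INVALID_USER = 130
 INVALID_UID = 131
 INVALID_MODULE = 132
+INVALID_PASSTHROUGH = 133
 
 MISSING_TABLE = 200
 MISSING_CHAIN = 201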
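--- a/firewalld-0.3.9/src/firewall/server/config.py
+++ b/firewalld-0.3.9/src/firewall/server/config.py
@@ -897,6 +897,19 @@ class FirewallDConfig(slip.dbus.service.
 idx = (ipv, table, chain, priority, args)
 return idx in self.getSettings()[1]
 
+ @dbus_service_method(DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sss')
+ @dbus_handle_exceptions
+ def removeRules(self, ipv, table, chain, sender=None):
+ ipv = dbus_to_python(ipv)
+ table = dbus_to_python(table)
+ chain = dbus_to_python(chain)
+ log.debug1("config.direct.removeRules('%s', '%s', '%s')" %
+ (ipv, table, chain, ))
+ self.accessCheck(sender)
+ settings = list(self.getSettings())
+ settings[1] = []
+ self.update(tuple(settings))
+
 @dbus_service_method(DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sss',
 out_signature='a(ias)')
 @dbus_handle_exceptions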
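Review bot: `removeRules` converts and logs `ipv`, `table` and `chain` but then clears every direct rule with `settings[1] = []`, so a D-Bus call aimed at one chain silently drops the permanent rules of all chains in all tables and address families. If the entries are the `(ipv, table, chain, priority, args)` tuples that `queryRule` just above tests membership against, the assignment should filter instead: `settings[1] = [r for r in settings[1] if tuple(r[:3]) != (ipv, table, chain)]`. A one-line docstring such as `"""Remove all permanent direct rules of the given ipv/table/chain."""` would also pin the intended contract. The enclosing FirewallDConfig class starts outside the hunk.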