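--- a/firewalld-0.3.9/doc/xml/firewall-cmd.xml
+++ b/firewalld-0.3.9/doc/xml/firewall-cmd.xml
@@ -340,10 +340,11 @@
 </varlistentry>
 
 <varlistentry>
- <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-service</option>=<replaceable>service</replaceable> <optional><option>--timeout</option>=<replaceable>seconds</replaceable></optional></term>
+ <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-service</option>=<replaceable>service</replaceable> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
 <listitem>
 <para>
- Add a service for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the amount of seconds and will be removed automatically afterwards.
+ Add a service for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
+ <replaceable>timeval</replaceable> is either a number (of seconds) or number followed by one of characters <literal>s</literal> (seconds), <literal>m</literal> (minutes), <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
 </para>
 <para>
 The service is one of the firewalld provided services. To get a list of the supported services, use <command>firewall-cmd --get-services</command>.
@@ -384,10 +385,11 @@
 </varlistentry>
 
 <varlistentry>
- <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable> <optional><option>--timeout</option>=<replaceable>seconds</replaceable></optional></term>
+ <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-port</option>=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>/<replaceable>protocol</replaceable> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
 <listitem>
 <para>
- Add the port for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the amount of seconds and will be removed automatically afterwards.
+ Add the port for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
+ <replaceable>timeval</replaceable> is either a number (of seconds) or number followed by one of characters <literal>s</literal> (seconds), <literal>m</literal> (minutes), <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
 </para>
 <para>
 The port can either be a single port number or a port range <replaceable>portid</replaceable>-<replaceable>portid</replaceable>. The protocol can either be <literal>tcp</literal> or <literal>udp</literal>.
@@ -428,10 +430,11 @@
 </varlistentry>
 
 <varlistentry>
- <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-icmp-block</option>=<replaceable>icmptype</replaceable> <optional><option>--timeout</option>=<replaceable>seconds</replaceable></optional></term>
+ <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-icmp-block</option>=<replaceable>icmptype</replaceable> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
 <listitem>
 <para>
- Add an ICMP block for <replaceable>icmptype</replaceable> for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the amount of seconds and will be removed automatically afterwards.
+ Add an ICMP block for <replaceable>icmptype</replaceable> for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
+ <replaceable>timeval</replaceable> is either a number (of seconds) or number followed by one of characters <literal>s</literal> (seconds), <literal>m</literal> (minutes), <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
 </para>
 <para>
 The <replaceable>icmptype</replaceable> is the one of the icmp types firewalld supports. To get a listing of supported icmp types: <command>firewall-cmd --get-icmptypes</command>
@@ -475,10 +478,11 @@
 </varlistentry>
 
 <varlistentry>
- <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-forward-port</option>=port=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>:proto=<replaceable>protocol</replaceable><optional>:toport=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional></optional><optional>:toaddr=<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional></optional> <optional><option>--timeout</option>=<replaceable>seconds</replaceable></optional></term>
+ <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-forward-port</option>=port=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional>:proto=<replaceable>protocol</replaceable><optional>:toport=<replaceable>portid</replaceable><optional>-<replaceable>portid</replaceable></optional></optional><optional>:toaddr=<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional></optional> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
 <listitem>
 <para>
- Add the <emphasis>IPv4</emphasis> forward port for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the amount of seconds and will be removed automatically afterwards.
+ Add the <emphasis>IPv4</emphasis> forward port for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. This option can be specified multiple times. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards.
+ <replaceable>timeval</replaceable> is either a number (of seconds) or number followed by one of characters <literal>s</literal> (seconds), <literal>m</literal> (minutes), <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
 </para>
 <para>
 The port can either be a single port number <replaceable>portid</replaceable> or a port range <replaceable>portid</replaceable>-<replaceable>portid</replaceable>. The protocol can either be <literal>tcp</literal> or <literal>udp</literal>. The destination address is a simple IP address.
@@ -519,10 +523,12 @@
 
 
 <varlistentry>
- <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-masquerade</option> <optional><option>--timeout</option>=<replaceable>seconds</replaceable></optional></term>
+ <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-masquerade</option> <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
 <listitem>
 <para>
- Enable <emphasis>IPv4</emphasis> masquerade for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. If a timeout is supplied, masquerading will be active for the amount of seconds. Masquerading is useful if the machine is a router and machines connected over an interface in another zone should be able to use the first connection.
+ Enable <emphasis>IPv4</emphasis> masquerade for <replaceable>zone</replaceable>. If zone is omitted, default zone will be used. If a timeout is supplied, masquerading will be active for the specified amount of time.
+ <replaceable>timeval</replaceable> is either a number (of seconds) or number followed by one of characters <literal>s</literal> (seconds), <literal>m</literal> (minutes), <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
+ Masquerading is useful if the machine is a router and machines connected over an interface in another zone should be able to use the first connection.
 </para>
 <para>
 The <option>--timeout</option> option is not combinable with the <option>--permanent</option> option.
@@ -569,10 +575,11 @@
 </varlistentry>
 
 <varlistentry>
- <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-rich-rule</option>='<replaceable>rule</replaceable>' <optional><option>--timeout</option>=<replaceable>seconds</replaceable></optional></term>
+ <term><optional><option>--permanent</option></optional> <optional><option>--zone</option>=<replaceable>zone</replaceable></optional> <option>--add-rich-rule</option>='<replaceable>rule</replaceable>' <optional><option>--timeout</option>=<replaceable>timeval</replaceable></optional></term>
 <listitem>
 <para>
- Add rich language rule '<replaceable>rule</replaceable>' for <replaceable>zone</replaceable>. This option can be specified multiple times. If zone is omitted, default zone will be used. If a timeout is supplied, the <replaceable>rule</replaceable> will be active for the amount of seconds and will be removed automatically afterwards.
+ Add rich language rule '<replaceable>rule</replaceable>' for <replaceable>zone</replaceable>. This option can be specified multiple times. If zone is omitted, default zone will be used. If a timeout is supplied, the <replaceable>rule</replaceable> will be active for the specified amount of time and will be removed automatically afterwards.
+ <replaceable>timeval</replaceable> is either a number (of seconds) or number followed by one of characters <literal>s</literal> (seconds), <literal>m</literal> (minutes), <literal>h</literal> (hours), for example <literal>20m</literal> or <literal>1h</literal>.
 </para>
 <para>
 For the rich language rule syntax, please have a look at <citerefentry><refentrytitle>firewalld.richlanguage</refentrytitle><manvolnum>5</manvolnum></citerefentry>.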
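--- a/firewalld-0.3.9/src/firewall-cmd
+++ b/firewalld-0.3.9/src/firewall-cmd
@@ -111,7 +111,8 @@ Service Options
 Options to Adapt and Query Zones
 --list-all List everything added for or enabled in a zone [P] [Z]
 --list-services List services added for a zone [P] [Z]
- --timeout=<seconds> Enable an option for seconds only
+ --timeout=<timeval> Enable an option for timeval time, where timeval is
+ a number followed by one of letters 's' or 'm' or 'h'
 Usable for options maked with [T]
 --add-service=<service>
 Add a service for a zone [P] [Z] [T]
@@ -425,7 +426,7 @@ parser_group_lockdown_whitelist.add_argu
 
 parser.add_argument("--permanent", action="store_true")
 parser.add_argument("--zone", default="", metavar="<zone>")
-parser.add_argument("--timeout", default=0, type=int, metavar="<seconds>")
+parser.add_argument("--timeout", default="0", metavar="<seconds>")
 
 parser_group_zone = parser.add_mutually_exclusive_group()
 parser_group_zone.add_argument("--add-interface", metavar="<iface>")
@@ -574,7 +575,7 @@ options_zone_adapt_query = \
 options_zone_ops = options_zone_interfaces_sources or \
 options_zone_action_action or options_zone_adapt_query
 
-options_zone = a.zone or a.timeout or options_zone_ops
+options_zone = a.zone or a.timeout != "0" or options_zone_ops
 
 options_permanent = a.permanent or options_config or a.zone or options_zone_ops
 
@@ -633,13 +634,48 @@ if options_config and options_zone:
 __fail(parser.format_usage() +
 "Wrong usage of --get-zones | --get-services | --get-icmptypes.")
 
+if a.timeout != "0":
+ value = 0
+ unit = 's'
+ if len(a.timeout) < 1:
+ __fail(parser.format_usage() +
+ "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout)
+ elif len(a.timeout) == 1:
+ if a.timeout.isdigit():
+ value = int (a.timeout[0])
+ else:
+ __fail(parser.format_usage() +
+ "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout)
+ elif len(a.timeout) > 1:
+ if a.timeout.isdigit():
+ value = int(a.timeout)
+ unit = 's'
+ else:
+ if a.timeout[:-1].isdigit():
+ value = int (a.timeout[:-1])
+ else:
+ __fail(parser.format_usage() +
+ "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout)
+ unit = a.timeout[-1:].lower()
+ if unit == 's':
+ a.timeout = value
+ elif unit == 'm':
+ a.timeout = value * 60
+ elif unit == 'h':
+ a.timeout = value * 60 * 60
+ else:
+ __fail(parser.format_usage() +
+ "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout)
+else:
+ a.timeout = 0
+
 if a.timeout and not (a.add_service or a.add_port or a.add_icmp_block or \
- a.add_forward_port or a.add_masquerade or \
- a.add_rich_rule):
+ a.add_forward_port or a.add_masquerade or \
+ a.add_rich_rule):
 __fail(parser.format_usage() + "Wrong --timeout usage")
 
 if a.permanent:
- if a.timeout != 0:
+ if a.timeout:
 __fail(parser.format_usage() +
 "Can't specify timeout for permanent action.")
 if options_config and not a.zone: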
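Review bot: The new timeout parser under `if a.timeout != "0":` repeats the same `__fail(...)` message four times and handles the one-character and longer inputs as separate cases, although both reduce to "strip an optional trailing unit letter, require the remainder to be digits, multiply"; the rewrite below accepts exactly the same inputs and keeps the same message, assuming `__fail` does not return (it is defined outside this hunk, so that is inferred from its usage-error role). In the earlier hunk of this file, `options_zone = a.zone or a.timeout != "0" or options_zone_ops` compares the raw argument string, so `--timeout=0s` or `--timeout=00` now counts as a zone option even though the parsed value is 0 and the later `if a.timeout` checks treat it as absent — compare the parsed value instead, or move the parsing above that line. Also in that hunk, `metavar="<seconds>"` on the rewritten `--timeout` argument no longer matches the `--timeout=<timeval>` help text and the man page, so `metavar="<timeval>"`. If this script runs under Python 3, note that `str.isdigit()` also accepts characters such as `'²'` that `int()` then rejects with a ValueError, so `str.isdecimal()` is the safer predicate there.
```python
if a.timeout != "0":
    # Accept "<digits>" (seconds) or "<digits>" followed by one of s/m/h;
    # anything else is a usage error with the same message as before.
    units = {'s': 1, 'm': 60, 'h': 60 * 60}
    digits, unit = a.timeout, 's'
    if digits and digits[-1].lower() in units:
        digits, unit = digits[:-1], digits[-1].lower()
    if not digits.isdigit():
        __fail(parser.format_usage() +
               "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout)
    a.timeout = int(digits) * units[unit]
else:
    a.timeout = 0
# … unchanged: "Wrong --timeout usage" and --permanent checks …
```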