From f20ba9f1493a31ca31ee071007533b4e35cb57a2 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 10 Jan 2019 13:29:12 -0500
Subject: [PATCH 1/3] nftables: move OUR_CHAINS inside the class
No reason for it to be at the file level. Let's move it inside the class.
(cherry picked from commit 37606c1eca2b247e648c658ea29af5b5194447e9)
---
src/firewall/core/nftables.py | 47 +++++++++++++++++------------------
1 file changed, 23 insertions(+), 24 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
|
|
21c891 |
index 1d0ce24d68a2..1eb9c3fb94c2 100644
|
|
|
21c891 |
--- a/src/firewall/core/nftables.py
|
|
|
21c891 |
+++ b/src/firewall/core/nftables.py
|
|
|
21c891 |
@@ -76,13 +76,6 @@ IPTABLES_TO_NFT_HOOK = {
|
|
|
21c891 |
},
|
|
|
21c891 |
}
|
|
|
21c891 |
|
|
|
21c891 |
-OUR_CHAINS = { # chains created by firewalld
|
|
|
21c891 |
- # family: { chains ...}
|
|
|
21c891 |
- "inet": {},
|
|
|
21c891 |
- "ip": {},
|
|
|
21c891 |
- "ip6": {},
|
|
|
21c891 |
-}
|
|
|
21c891 |
-
|
|
|
21c891 |
# Most ICMP types are provided by nft, but for the codes we have to use numeric
|
|
|
21c891 |
# values.
|
|
|
21c891 |
#
|
|
|
21c891 |
@@ -163,6 +156,12 @@ class nftables(object):
|
|
|
21c891 |
self.rule_to_handle = {}
|
|
|
21c891 |
self.rule_ref_count = {}
|
|
|
21c891 |
self.rich_rule_priority_counts = {}
|
|
|
21c891 |
+ self.our_chains = { # chains created by firewalld
|
|
|
21c891 |
+ # family: { chains ...}
|
|
|
21c891 |
+ "inet": {},
|
|
|
21c891 |
+ "ip": {},
|
|
|
21c891 |
+ "ip6": {},
|
|
|
21c891 |
+ }
|
|
|
21c891 |
|
|
|
21c891 |
def fill_exists(self):
|
|
|
21c891 |
self.command_exists = os.path.exists(self._command)
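Review bot: The comment on the new `self.our_chains` literal reads `# family: { chains ...}`, but the later hunks store, per family, a dict keyed by table name whose values are sets of chain names (`self.our_chains["inet"]["raw"] = set()`, `self.our_chains[family][table].update(...)`), so the comment under-describes the shape a reader has to know before touching it. I would change it to `# family: { table: set(chain names) }  -- chains created by firewalld`. The method this initializer belongs to starts outside the hunk; from the sibling assignments it appears to be the constructor, which would mean each instance now carries its own registry instead of the former module-level dict.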
|
|
|
21c891 |
@@ -359,7 +358,7 @@ class nftables(object):
|
|
|
21c891 |
self.rich_rule_priority_counts = {}
|
|
|
21c891 |
|
|
|
21c891 |
rules = []
|
|
|
21c891 |
- for family in OUR_CHAINS.keys():
|
|
|
21c891 |
+ for family in self.our_chains.keys():
|
|
|
21c891 |
rules.append(["delete", "table", family, "%s" % TABLE_NAME])
|
|
|
21c891 |
return rules
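Review bot: The delete-table rules are derived from `self.our_chains`, yet the registry itself is not reset here while `self.rich_rule_priority_counts` just above it is; after these rules run, the recorded chain names describe chains that no longer exist until `build_default_rules` reassigns the per-table sets. If this method is the flush path, the registry could be cleared with the other state, placed after the loop so the families are still iterated: `self.our_chains = {"inet": {}, "ip": {}, "ip6": {}}`, ideally via a small helper shared with the initializer in the earlier hunk rather than a second copy of the literal. The method starts outside the hunk, so I cannot tell whether a caller reads the stale entries between flush and rebuild; worth confirming before changing it. Separately, `for family in self.our_chains.keys():` here and in `build_default_tables` in the next hunk can iterate the dict directly: `for family in self.our_chains:`.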
|
|
|
21c891 |
|
|
|
21c891 |
@@ -399,13 +398,13 @@ class nftables(object):
|
|
|
21c891 |
|
|
|
21c891 |
def build_default_tables(self):
|
|
|
21c891 |
default_tables = []
|
|
|
21c891 |
- for family in OUR_CHAINS.keys():
|
|
|
21c891 |
+ for family in self.our_chains.keys():
|
|
|
21c891 |
default_tables.append("add table %s %s" % (family, TABLE_NAME))
|
|
|
21c891 |
return map(splitArgs, default_tables)
|
|
|
21c891 |
|
|
|
21c891 |
def build_default_rules(self, log_denied="off"):
|
|
|
21c891 |
default_rules = []
|
|
|
21c891 |
- OUR_CHAINS["inet"]["raw"] = set()
|
|
|
21c891 |
+ self.our_chains["inet"]["raw"] = set()
|
|
|
21c891 |
for chain in IPTABLES_TO_NFT_HOOK["raw"].keys():
|
|
|
21c891 |
default_rules.append("add chain inet %s raw_%s '{ type filter hook %s priority %d ; }'" %
|
|
|
21c891 |
(TABLE_NAME, chain,
|
|
|
21c891 |
@@ -417,9 +416,9 @@ class nftables(object):
|
|
|
21c891 |
default_rules.append("add chain inet %s raw_%s_ZONES" % (TABLE_NAME, chain))
|
|
|
21c891 |
default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES_SOURCE" % (TABLE_NAME, chain, chain))
|
|
|
21c891 |
default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES" % (TABLE_NAME, chain, chain))
|
|
|
21c891 |
- OUR_CHAINS["inet"]["raw"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
|
|
|
21c891 |
+ self.our_chains["inet"]["raw"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
|
|
|
21c891 |
|
|
|
21c891 |
- OUR_CHAINS["inet"]["mangle"] = set()
|
|
|
21c891 |
+ self.our_chains["inet"]["mangle"] = set()
|
|
|
21c891 |
for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys():
|
|
|
21c891 |
default_rules.append("add chain inet %s mangle_%s '{ type filter hook %s priority %d ; }'" %
|
|
|
21c891 |
(TABLE_NAME, chain,
|
|
|
21c891 |
@@ -430,10 +429,10 @@ class nftables(object):
|
|
|
21c891 |
default_rules.append("add chain inet %s mangle_%s_ZONES" % (TABLE_NAME, chain))
|
|
|
21c891 |
default_rules.append("add rule inet %s mangle_%s jump mangle_%s_ZONES_SOURCE" % (TABLE_NAME, chain, chain))
|
|
|
21c891 |
default_rules.append("add rule inet %s mangle_%s jump mangle_%s_ZONES" % (TABLE_NAME, chain, chain))
|
|
|
21c891 |
- OUR_CHAINS["inet"]["mangle"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
|
|
|
21c891 |
+ self.our_chains["inet"]["mangle"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
|
|
|
21c891 |
|
|
|
21c891 |
- OUR_CHAINS["ip"]["nat"] = set()
|
|
|
21c891 |
- OUR_CHAINS["ip6"]["nat"] = set()
|
|
|
21c891 |
+ self.our_chains["ip"]["nat"] = set()
|
|
|
21c891 |
+ self.our_chains["ip6"]["nat"] = set()
|
|
|
21c891 |
for family in ["ip", "ip6"]:
|
|
|
21c891 |
for chain in IPTABLES_TO_NFT_HOOK["nat"].keys():
|
|
|
21c891 |
default_rules.append("add chain %s %s nat_%s '{ type nat hook %s priority %d ; }'" %
|
|
|
21c891 |
@@ -445,9 +444,9 @@ class nftables(object):
|
|
|
21c891 |
default_rules.append("add chain %s %s nat_%s_ZONES" % (family, TABLE_NAME, chain))
|
|
|
21c891 |
default_rules.append("add rule %s %s nat_%s jump nat_%s_ZONES_SOURCE" % (family, TABLE_NAME, chain, chain))
|
|
|
21c891 |
default_rules.append("add rule %s %s nat_%s jump nat_%s_ZONES" % (family, TABLE_NAME, chain, chain))
|
|
|
21c891 |
- OUR_CHAINS[family]["nat"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
|
|
|
21c891 |
+ self.our_chains[family]["nat"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
|
|
|
21c891 |
|
|
|
21c891 |
- OUR_CHAINS["inet"]["filter"] = set()
|
|
|
21c891 |
+ self.our_chains["inet"]["filter"] = set()
|
|
|
21c891 |
for chain in IPTABLES_TO_NFT_HOOK["filter"].keys():
|
|
|
21c891 |
default_rules.append("add chain inet %s filter_%s '{ type filter hook %s priority %d ; }'" %
|
|
|
21c891 |
(TABLE_NAME, chain,
|
|
|
21c891 |
@@ -486,12 +485,12 @@ class nftables(object):
|
|
|
21c891 |
default_rules.append("add rule inet %s filter_%s %%%%LOGTYPE%%%% log prefix '\"FINAL_REJECT: \"'" % (TABLE_NAME, "FORWARD"))
|
|
|
21c891 |
default_rules.append("add rule inet %s filter_%s reject with icmpx type admin-prohibited" % (TABLE_NAME, "FORWARD"))
|
|
|
21c891 |
|
|
|
21c891 |
- OUR_CHAINS["inet"]["filter"] = set(["INPUT_ZONES_SOURCE",
|
|
|
21c891 |
- "INPUT_ZONES",
|
|
|
21c891 |
- "FORWARD_IN_ZONES_SOURCE",
|
|
|
21c891 |
- "FORWARD_IN_ZONES",
|
|
|
21c891 |
- "FORWARD_OUT_ZONES_SOURCE",
|
|
|
21c891 |
- "FORWARD_OUT_ZONES"])
|
|
|
21c891 |
+ self.our_chains["inet"]["filter"] = set(["INPUT_ZONES_SOURCE",
|
|
|
21c891 |
+ "INPUT_ZONES",
|
|
|
21c891 |
+ "FORWARD_IN_ZONES_SOURCE",
|
|
|
21c891 |
+ "FORWARD_IN_ZONES",
|
|
|
21c891 |
+ "FORWARD_OUT_ZONES_SOURCE",
|
|
|
21c891 |
+ "FORWARD_OUT_ZONES"])
|
|
|
21c891 |
|
|
|
21c891 |
return map(splitArgs, default_rules)
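Review bot: The filter table is registered differently from raw, mangle and nat: those collect their `_ZONES_SOURCE`/`_ZONES` chains with `.update()` inside the loop that creates them, whereas `self.our_chains["inet"]["filter"]` is set to an empty set at the top of `build_default_rules` and then replaced here by a hard-coded literal after the chains are created. The filter loop body lies between the hunks, so I cannot see whether it also calls `.update()`; either way the literal will silently drift if `IPTABLES_TO_NFT_HOOK["filter"]` gains or loses a hook chain. If the explicit list is intentional, for instance because not every filter hook chain gets zone dispatch chains, a one-line comment such as `# filter: only the hooks that dispatch to zone chains are registered, so list them explicitly` above the assignment would save the next reader the search; otherwise the filter loop should use the same `.update()` pattern as the other tables and this assignment be dropped. The enclosing method starts outside this hunk.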
|
|
|
21c891 |
|
|
|
21c891 |
@@ -610,7 +609,7 @@ class nftables(object):
|
|
|
21c891 |
|
|
|
21c891 |
_zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
|
|
|
21c891 |
|
|
|
21c891 |
- OUR_CHAINS[family][table].update(set([_zone,
|
|
|
21c891 |
+ self.our_chains[family][table].update(set([_zone,
|
|
|
21c891 |
"%s_log" % _zone,
|
|
|
21c891 |
"%s_deny" % _zone,
|
|
|
21c891 |
"%s_pre" % _zone,
|
|
|
21c891 |
--
2.18.0