rpms / firewalld

Clone
Source Code
GIT

Blame SOURCES/firewalld-0.7-0002-fw-on-reload-retain-interfaces-from-NetworkManager.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   21c891623aedfc93c402340bdbb20138c7b6dcba
  2.   SOURCES
  3.   firewalld-0.7-0002-fw-on-reload-retain-interfaces-from-NetworkManager.patch
Blob History Raw
21c891 
From 680fc277f90e5a8286016c644b40f8178bf50b12 Mon Sep 17 00:00:00 2001
21c891 
From: Eric Garver <e@erig.me>
21c891 
Date: Fri, 7 Dec 2018 14:09:28 -0500
21c891 
Subject: [PATCH 16/34] fw: on reload() retain interfaces from NetworkManager
21c891
21c891 
With FlushOnAllReload=yes the interface to zone assignment controlled by
21c891 
NM was being lost during a reload. This is because these assignments are
21c891 
"runtime" from firewalld's point of view. Lets query NM for its
21c891 
assignments during a reload and reapply them.
21c891
21c891 
Also add test coverage for FlushAllOnReload=yes.
21c891
21c891 
Fixes: rhbz 1656962
21c891 
Fixes: 242bc4e2e20c ("Add "FlushAllOnReload" config option")
21c891 
(cherry picked from commit cd97204a06f3243b789d4213f5bd888b0b156f88)
21c891 
---
21c891 
 src/firewall/core/fw.py             |  8 ++++++++
21c891 
 src/tests/regression/rhbz1498923.at | 12 ++++++++++++
21c891 
 2 files changed, 20 insertions(+)
21c891
21c891 
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
21c891 
index 7e6255f77398..4ec2087ec48d 100644
21c891 
--- a/src/firewall/core/fw.py
21c891 
+++ b/src/firewall/core/fw.py
21c891 
@@ -42,6 +42,7 @@ from firewall.core.fw_policies import FirewallPolicies
21c891 
 from firewall.core.fw_ipset import FirewallIPSet
21c891 
 from firewall.core.fw_transaction import FirewallTransaction
21c891 
 from firewall.core.fw_helper import FirewallHelper
21c891 
+from firewall.core.fw_nm import nm_get_bus_name, nm_get_interfaces_in_zone
21c891 
 from firewall.core.logger import log
21c891 
 from firewall.core.io.firewalld_conf import firewalld_conf
21c891 
 from firewall.core.io.direct import Direct
21c891 
@@ -1035,6 +1036,13 @@ class Firewall(object):
21c891 
             # restore direct config
21c891 
             self.direct.set_config(_direct_config)
21c891
21c891 
+        # Restore permanent interfaces from NetworkManager
21c891 
+        nm_bus_name = nm_get_bus_name()
21c891 
+        if nm_bus_name:
21c891 
+            for zone in self.zone.get_zones():
21c891 
+                for interface in nm_get_interfaces_in_zone(zone):
21c891 
+                    self.zone.add_interface(zone, interface, sender=nm_bus_name)
21c891 
+
21c891 
         # enable panic mode again if it has been enabled before or set policy
21c891 
         # to ACCEPT
21c891 
         if _panic:
21c891 
diff --git a/src/tests/regression/rhbz1498923.at b/src/tests/regression/rhbz1498923.at
21c891 
index ed1022fb0ca4..70f7a6036b8f 100644
21c891 
--- a/src/tests/regression/rhbz1498923.at
21c891 
+++ b/src/tests/regression/rhbz1498923.at
21c891 
@@ -1,4 +1,16 @@
21c891 
 FWD_START_TEST([invalid direct rule causes reload error])
21c891 
+dnl Verify runtime interface to zone assignment is gone after reload
21c891 
+AT_CHECK([sed -i 's/^FlushAllOnReload.*/FlushAllOnReload=yes/' ./firewalld.conf])
21c891 
+FWD_RELOAD
21c891 
+FWD_CHECK([-q --zone=public --add-interface=foobar0])
21c891 
+FWD_CHECK([--get-zone-of-interface=foobar0], 0, [dnl
21c891 
+public
21c891 
+])
21c891 
+FWD_RELOAD
21c891 
+FWD_CHECK([--get-zone-of-interface=foobar0], 2, [], [dnl
21c891 
+no zone
21c891 
+])
21c891 
+
21c891 
 dnl Below we test retention of some items applicable to FlushAllOnReload=no
21c891 
 AT_CHECK([sed -i 's/^FlushAllOnReload.*/FlushAllOnReload=no/' ./firewalld.conf])
21c891 
 FWD_RELOAD
21c891 
--
21c891 
2.18.0
21c891

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation