From 851c03faa007db22dd28be5e7fbf63eb6861dec2 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 6 Dec 2018 15:25:17 -0500
Subject: [PATCH 33/34] treewide: shorten rich rule chain suffix
iptables only allows chain names up to 29 characters, so let's reduce the
chain suffix for rich rules with priorities. Otherwise zones with longer
names won't be usable.
_rich_rule_pre --> _pre
_rich_rule_post --> _post
Note: This is a non issue for the nftables backend. As of kernel v4.14
it allows names up to 255 bytes.
Fixes: 29d657527bd2 ("ipXtables: support rich rule priorities")
(cherry picked from commit f4a8a4f57cccea32bef0e3725ec6d657824b8b5c)
---
doc/xml/firewalld.richlanguage.xml | 8 +-
src/firewall/core/ipXtables.py | 20 ++---
src/firewall/core/nftables.py | 20 ++---
src/tests/firewall-cmd.at | 116 ++++++++++++++---------------
4 files changed, 82 insertions(+), 82 deletions(-)
diff --git a/doc/xml/firewalld.richlanguage.xml b/doc/xml/firewalld.richlanguage.xml
|
|
|
21c891 |
index a0562b93249e..a053a828f1fe 100644
|
|
|
21c891 |
--- a/doc/xml/firewalld.richlanguage.xml
|
|
|
21c891 |
+++ b/doc/xml/firewalld.richlanguage.xml
|
|
|
21c891 |
@@ -344,21 +344,21 @@ limit value="rate/duration"
|
|
|
21c891 |
</para>
|
|
|
21c891 |
<para>
|
|
|
21c891 |
<programlisting>
|
|
|
21c891 |
-<replaceable>zone</replaceable>_rich_rule_pre
|
|
|
21c891 |
+<replaceable>zone</replaceable>_pre
|
|
|
21c891 |
<replaceable>zone</replaceable>_log
|
|
|
21c891 |
<replaceable>zone</replaceable>_deny
|
|
|
21c891 |
<replaceable>zone</replaceable>_allow
|
|
|
21c891 |
-<replaceable>zone</replaceable>_rich_rule_post
|
|
|
21c891 |
+<replaceable>zone</replaceable>_post
|
|
|
21c891 |
</programlisting>
|
|
|
21c891 |
</para>
|
|
|
21c891 |
<para>
|
|
|
21c891 |
- When <emphasis>priority < 0</emphasis>, the rich rule will be placed in the <replaceable>zone</replaceable>_rich_rule_pre chain.
|
|
|
21c891 |
+ When <emphasis>priority < 0</emphasis>, the rich rule will be placed in the <replaceable>zone</replaceable>_pre chain.
|
|
|
21c891 |
</para>
|
|
|
21c891 |
<para>
|
|
|
21c891 |
When <emphasis>priority == 0</emphasis>Then all logging rules will be placed in the <replaceable>zone</replaceable>_log chain. All reject and drop rules will be placed in the <replaceable>zone</replaceable>_deny chain, which will be walked after the log chain. All accept rules will be placed in the <replaceable>zone</replaceable>_allow chain, which will be walked after the deny chain. If a rule contains log and also deny or allow actions, the parts are placed in the matching chains.
|
|
|
21c891 |
</para>
|
|
|
21c891 |
<para>
|
|
|
21c891 |
- When <emphasis>priority > 0</emphasis>, the rich rule will be placed in the <replaceable>zone</replaceable>_rich_rule_post chain.
|
|
|
21c891 |
+ When <emphasis>priority > 0</emphasis>, the rich rule will be placed in the <replaceable>zone</replaceable>_post chain.
|
|
|
21c891 |
</para>
|
|
|
21c891 |
</refsect2>
|
|
|
21c891 |
</refsect1>
|
|
|
21c891 |
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
|
|
|
21c891 |
index 43ff9307a41c..1940641c982e 100644
|
|
|
21c891 |
--- a/src/firewall/core/ipXtables.py
|
|
|
21c891 |
+++ b/src/firewall/core/ipXtables.py
|
|
|
21c891 |
@@ -804,22 +804,22 @@ class ip4tables(object):
|
|
|
21c891 |
OUR_CHAINS[table].update(set([_zone,
|
|
|
21c891 |
"%s_log" % _zone,
|
|
|
21c891 |
"%s_deny" % _zone,
|
|
|
21c891 |
- "%s_rich_rule_pre" % _zone,
|
|
|
21c891 |
- "%s_rich_rule_post" % _zone,
|
|
|
21c891 |
+ "%s_pre" % _zone,
|
|
|
21c891 |
+ "%s_post" % _zone,
|
|
|
21c891 |
"%s_allow" % _zone]))
|
|
|
21c891 |
|
|
|
21c891 |
rules = []
|
|
|
21c891 |
rules.append([ "-N", _zone, "-t", table ])
|
|
|
21c891 |
- rules.append([ "-N", "%s_rich_rule_pre" % _zone, "-t", table ])
|
|
|
21c891 |
+ rules.append([ "-N", "%s_pre" % _zone, "-t", table ])
|
|
|
21c891 |
rules.append([ "-N", "%s_log" % _zone, "-t", table ])
|
|
|
21c891 |
rules.append([ "-N", "%s_deny" % _zone, "-t", table ])
|
|
|
21c891 |
rules.append([ "-N", "%s_allow" % _zone, "-t", table ])
|
|
|
21c891 |
- rules.append([ "-N", "%s_rich_rule_post" % _zone, "-t", table ])
|
|
|
21c891 |
- rules.append([ "-I", _zone, "1", "-t", table, "-j", "%s_rich_rule_pre" % _zone ])
|
|
|
21c891 |
+ rules.append([ "-N", "%s_post" % _zone, "-t", table ])
|
|
|
21c891 |
+ rules.append([ "-I", _zone, "1", "-t", table, "-j", "%s_pre" % _zone ])
|
|
|
21c891 |
rules.append([ "-I", _zone, "2", "-t", table, "-j", "%s_log" % _zone ])
|
|
|
21c891 |
rules.append([ "-I", _zone, "3", "-t", table, "-j", "%s_deny" % _zone ])
|
|
|
21c891 |
rules.append([ "-I", _zone, "4", "-t", table, "-j", "%s_allow" % _zone ])
|
|
|
21c891 |
- rules.append([ "-I", _zone, "5", "-t", table, "-j", "%s_rich_rule_post" % _zone ])
|
|
|
21c891 |
+ rules.append([ "-I", _zone, "5", "-t", table, "-j", "%s_post" % _zone ])
|
|
|
21c891 |
|
|
|
21c891 |
# Handle trust, block and drop zones:
|
|
|
21c891 |
# Add an additional rule with the zone target (accept, reject
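Review bot: Shortening the suffix changes the name budget, but nothing in this hunk enforces it, so a zone name that still overflows only fails later, when `iptables -N` rejects the chain at apply time. With the new suffixes the longest fixed part is the `FWDI_`/`FWDO_` prefix (5, as seen in the tests) plus `_allow` (6), and as far as I recall iptables accepts 28 usable characters (XT_EXTENSION_MAXNAMELEN is 29 including the terminating NUL, so the commit message's "up to 29" is slightly generous), which leaves at most 17 characters for the zone name. If a zone-name length check exists elsewhere in the tree (not visible here), its budget has to be derived from the same prefix and suffix lengths or the two will drift apart on the next rename. I would pin that coupling with a comment on the `-N` lines: `# iptables limits chain names to 28 chars: 'FWDI_'/'FWDO_' (5) + zone + '_allow' (6) must fit; keep zone-name length validation in sync`. The enclosing method starts before this hunk.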
|
|
|
21c891 |
@@ -869,9 +869,9 @@ class ip4tables(object):
|
|
|
21c891 |
type(rich_rule.action) in [Rich_Reject, Rich_Drop]:
|
|
|
21c891 |
return "deny"
|
|
|
21c891 |
elif rich_rule.priority < 0:
|
|
|
21c891 |
- return "rich_rule_pre"
|
|
|
21c891 |
+ return "pre"
|
|
|
21c891 |
else:
|
|
|
21c891 |
- return "rich_rule_post"
|
|
|
21c891 |
+ return "post"
|
|
|
21c891 |
|
|
|
21c891 |
def _rich_rule_chain_suffix_from_log(self, rich_rule):
|
|
|
21c891 |
if not rich_rule.log and not rich_rule.audit:
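Review bot: The `"pre"`/`"post"` literals returned here are the same strings interpolated at the `-N`/`-I` lines above and again in `_rich_rule_chain_suffix_from_log`, and the nftables backend repeats all of them, so the rename that this commit performs had to touch six places and the next one will too. Naming them once at module level, `RICH_RULE_PRE_SUFFIX = "pre"` and `RICH_RULE_POST_SUFFIX = "post"`, and building the chain names as `"%s_%s" % (_zone, RICH_RULE_PRE_SUFFIX)` would make the chain-name length budget that motivates this change a single point of edit, and would let a length check reference the real suffix instead of a copy. The enclosing method's `def` line is outside this hunk.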
|
|
|
21c891 |
@@ -880,9 +880,9 @@ class ip4tables(object):
|
|
|
21c891 |
if rich_rule.priority == 0:
|
|
|
21c891 |
return "log"
|
|
|
21c891 |
elif rich_rule.priority < 0:
|
|
|
21c891 |
- return "rich_rule_pre"
|
|
|
21c891 |
+ return "pre"
|
|
|
21c891 |
else:
|
|
|
21c891 |
- return "rich_rule_post"
|
|
|
21c891 |
+ return "post"
|
|
|
21c891 |
|
|
|
21c891 |
def _rich_rule_priority_fragment(self, rich_rule):
|
|
|
21c891 |
if rich_rule.priority == 0:
|
|
|
21c891 |
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
|
|
21c891 |
index d59bc55bf1a5..8e24721c94f5 100644
|
|
|
21c891 |
--- a/src/firewall/core/nftables.py
|
|
|
21c891 |
+++ b/src/firewall/core/nftables.py
|
|
|
21c891 |
@@ -609,15 +609,15 @@ class nftables(object):
|
|
|
21c891 |
OUR_CHAINS[family][table].update(set([_zone,
|
|
|
21c891 |
"%s_log" % _zone,
|
|
|
21c891 |
"%s_deny" % _zone,
|
|
|
21c891 |
- "%s_rich_rule_pre" % _zone,
|
|
|
21c891 |
- "%s_rich_rule_post" % _zone,
|
|
|
21c891 |
+ "%s_pre" % _zone,
|
|
|
21c891 |
+ "%s_post" % _zone,
|
|
|
21c891 |
"%s_allow" % _zone]))
|
|
|
21c891 |
|
|
|
21c891 |
rules = []
|
|
|
21c891 |
rules.append(["add", "chain", family, "%s" % TABLE_NAME,
|
|
|
21c891 |
"%s_%s" % (table, _zone)])
|
|
|
21c891 |
rules.append(["add", "chain", family, "%s" % TABLE_NAME,
|
|
|
21c891 |
- "%s_%s_rich_rule_pre" % (table, _zone)])
|
|
|
21c891 |
+ "%s_%s_pre" % (table, _zone)])
|
|
|
21c891 |
rules.append(["add", "chain", family, "%s" % TABLE_NAME,
|
|
|
21c891 |
"%s_%s_log" % (table, _zone)])
|
|
|
21c891 |
rules.append(["add", "chain", family, "%s" % TABLE_NAME,
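Review bot: The chain name is formed by plain concatenation, `"%s_%s_pre" % (table, _zone)`, and `_zone` appears to be `IN_<zone>` judging from the tests, so a zone named `foo_pre` gets the base chain `filter_IN_foo_pre`, which is exactly the new pre chain of zone `foo`; unless zone-name validation elsewhere rejects such names (not visible here), rules of one zone would be appended into the other zone's chain. The same hazard already existed for `_log`/`_deny`/`_allow` and for the old `_rich_rule_pre`, but shortening to a common word makes an accidental clash more plausible. A comment at the first `add chain` line would record the assumption: `# chain names are <table>_<zone>_<suffix>; a zone name ending in _pre/_post/_log/_deny/_allow would collide with another zone's sub-chains - relies on zone-name validation`, and a reserved-suffix check where zone names are validated would close it. The enclosing method starts before this hunk.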
|
|
|
21c891 |
@@ -625,11 +625,11 @@ class nftables(object):
|
|
|
21c891 |
rules.append(["add", "chain", family, "%s" % TABLE_NAME,
|
|
|
21c891 |
"%s_%s_allow" % (table, _zone)])
|
|
|
21c891 |
rules.append(["add", "chain", family, "%s" % TABLE_NAME,
|
|
|
21c891 |
- "%s_%s_rich_rule_post" % (table, _zone)])
|
|
|
21c891 |
+ "%s_%s_post" % (table, _zone)])
|
|
|
21c891 |
|
|
|
21c891 |
rules.append(["add", "rule", family, "%s" % TABLE_NAME,
|
|
|
21c891 |
"%s_%s" % (table, _zone),
|
|
|
21c891 |
- "jump", "%s_%s_rich_rule_pre" % (table, _zone)])
|
|
|
21c891 |
+ "jump", "%s_%s_pre" % (table, _zone)])
|
|
|
21c891 |
rules.append(["add", "rule", family, "%s" % TABLE_NAME,
|
|
|
21c891 |
"%s_%s" % (table, _zone),
|
|
|
21c891 |
"jump", "%s_%s_log" % (table, _zone)])
|
|
|
21c891 |
@@ -641,7 +641,7 @@ class nftables(object):
|
|
|
21c891 |
"jump", "%s_%s_allow" % (table, _zone)])
|
|
|
21c891 |
rules.append(["add", "rule", family, "%s" % TABLE_NAME,
|
|
|
21c891 |
"%s_%s" % (table, _zone),
|
|
|
21c891 |
- "jump", "%s_%s_rich_rule_post" % (table, _zone)])
|
|
|
21c891 |
+ "jump", "%s_%s_post" % (table, _zone)])
|
|
|
21c891 |
|
|
|
21c891 |
target = self._fw.zone._zones[zone].target
|
|
|
21c891 |
|
|
|
21c891 |
@@ -741,9 +741,9 @@ class nftables(object):
|
|
|
21c891 |
type(rich_rule.action) in [Rich_Reject, Rich_Drop]:
|
|
|
21c891 |
return "deny"
|
|
|
21c891 |
elif rich_rule.priority < 0:
|
|
|
21c891 |
- return "rich_rule_pre"
|
|
|
21c891 |
+ return "pre"
|
|
|
21c891 |
else:
|
|
|
21c891 |
- return "rich_rule_post"
|
|
|
21c891 |
+ return "post"
|
|
|
21c891 |
|
|
|
21c891 |
def _rich_rule_chain_suffix_from_log(self, rich_rule):
|
|
|
21c891 |
if not rich_rule.log and not rich_rule.audit:
|
|
|
21c891 |
@@ -752,9 +752,9 @@ class nftables(object):
|
|
|
21c891 |
if rich_rule.priority == 0:
|
|
|
21c891 |
return "log"
|
|
|
21c891 |
elif rich_rule.priority < 0:
|
|
|
21c891 |
- return "rich_rule_pre"
|
|
|
21c891 |
+ return "pre"
|
|
|
21c891 |
else:
|
|
|
21c891 |
- return "rich_rule_post"
|
|
|
21c891 |
+ return "post"
|
|
|
21c891 |
|
|
|
21c891 |
def _rich_rule_priority_fragment(self, rich_rule):
|
|
|
21c891 |
if rich_rule.priority == 0:
|
|
|
21c891 |
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
|
|
|
21c891 |
index 0c74a2d087cc..d408f31bd6b8 100644
|
|
|
21c891 |
--- a/src/tests/firewall-cmd.at
|
|
|
21c891 |
+++ b/src/tests/firewall-cmd.at
|
|
|
21c891 |
@@ -871,11 +871,11 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
chain filter_IN_public {
|
|
|
21c891 |
- jump filter_IN_public_rich_rule_pre
|
|
|
21c891 |
+ jump filter_IN_public_pre
|
|
|
21c891 |
jump filter_IN_public_log
|
|
|
21c891 |
jump filter_IN_public_deny
|
|
|
21c891 |
jump filter_IN_public_allow
|
|
|
21c891 |
- jump filter_IN_public_rich_rule_post
|
|
|
21c891 |
+ jump filter_IN_public_post
|
|
|
21c891 |
meta l4proto { icmp, ipv6-icmp } accept
|
|
|
21c891 |
}
|
|
|
21c891 |
}
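Review bot: The test changes only rename the expected chains; nothing exercises the case the commit fixes, a zone whose name is long enough that `<zone>_rich_rule_post` exceeded the iptables limit while `<zone>_post` fits. A case that creates a zone with a 17-character name (by my count the longest that still fits `FWDI_` + zone + `_allow` within 28 characters) and lists its `_pre`/`_post` chains on the iptables backend would pin the regression, and under nftables it would merely confirm the longer limit the commit message mentions. The `FWD_START_TEST([rich rules priority])` body begins before this hunk.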
|
|
|
21c891 |
@@ -883,45 +883,45 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
NFT_LIST_RULES([inet], [filter_FWDI_public], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
chain filter_FWDI_public {
|
|
|
21c891 |
- jump filter_FWDI_public_rich_rule_pre
|
|
|
21c891 |
+ jump filter_FWDI_public_pre
|
|
|
21c891 |
jump filter_FWDI_public_log
|
|
|
21c891 |
jump filter_FWDI_public_deny
|
|
|
21c891 |
jump filter_FWDI_public_allow
|
|
|
21c891 |
- jump filter_FWDI_public_rich_rule_post
|
|
|
21c891 |
+ jump filter_FWDI_public_post
|
|
|
21c891 |
meta l4proto { icmp, ipv6-icmp } accept
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])], [
|
|
|
21c891 |
IPTABLES_LIST_RULES([filter], [IN_public], 0, [dnl
|
|
|
21c891 |
- IN_public_rich_rule_pre all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
+ IN_public_pre all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
- IN_public_rich_rule_post all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
+ IN_public_post all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
])
|
|
|
21c891 |
IPTABLES_LIST_RULES([filter], [FWDI_public], 0, [dnl
|
|
|
21c891 |
- FWDI_public_rich_rule_pre all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
+ FWDI_public_pre all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
- FWDI_public_rich_rule_post all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
+ FWDI_public_post all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
])
|
|
|
21c891 |
IP6TABLES_LIST_RULES([filter], [IN_public], 0, [dnl
|
|
|
21c891 |
- IN_public_rich_rule_pre all ::/0 ::/0
|
|
|
21c891 |
+ IN_public_pre all ::/0 ::/0
|
|
|
21c891 |
IN_public_log all ::/0 ::/0
|
|
|
21c891 |
IN_public_deny all ::/0 ::/0
|
|
|
21c891 |
IN_public_allow all ::/0 ::/0
|
|
|
21c891 |
- IN_public_rich_rule_post all ::/0 ::/0
|
|
|
21c891 |
+ IN_public_post all ::/0 ::/0
|
|
|
21c891 |
ACCEPT icmpv6 ::/0 ::/0
|
|
|
21c891 |
])
|
|
|
21c891 |
IP6TABLES_LIST_RULES([filter], [FWDI_public], 0, [dnl
|
|
|
21c891 |
- FWDI_public_rich_rule_pre all ::/0 ::/0
|
|
|
21c891 |
+ FWDI_public_pre all ::/0 ::/0
|
|
|
21c891 |
FWDI_public_log all ::/0 ::/0
|
|
|
21c891 |
FWDI_public_deny all ::/0 ::/0
|
|
|
21c891 |
FWDI_public_allow all ::/0 ::/0
|
|
|
21c891 |
- FWDI_public_rich_rule_post all ::/0 ::/0
|
|
|
21c891 |
+ FWDI_public_post all ::/0 ::/0
|
|
|
21c891 |
ACCEPT icmpv6 ::/0 ::/0
|
|
|
21c891 |
])])
|
|
|
21c891 |
|
|
|
21c891 |
@@ -1004,17 +1004,17 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
FWD_CHECK([--add-rich-rule=rich_rule_str], 0, ignore)
|
|
|
21c891 |
FWD_CHECK([--query-rich-rule=rich_rule_str], 0, ignore)
|
|
|
21c891 |
m4_if(nftables, FIREWALL_BACKEND, [
|
|
|
21c891 |
- NFT_LIST_RULES([inet], [filter_IN_public_rich_rule_post], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([inet], [filter_IN_public_post], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
- chain filter_IN_public_rich_rule_post {
|
|
|
21c891 |
+ chain filter_IN_public_post {
|
|
|
21c891 |
drop
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])], [
|
|
|
21c891 |
- IPTABLES_LIST_RULES([filter], [IN_public_rich_rule_post], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([filter], [IN_public_post], 0, [dnl
|
|
|
21c891 |
DROP all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
])
|
|
|
21c891 |
- IP6TABLES_LIST_RULES([filter], [IN_public_rich_rule_post], 0, [dnl
|
|
|
21c891 |
+ IP6TABLES_LIST_RULES([filter], [IN_public_post], 0, [dnl
|
|
|
21c891 |
DROP all ::/0 ::/0
|
|
|
21c891 |
])])
|
|
|
21c891 |
FWD_CHECK([--remove-rich-rule=rich_rule_str], 0, ignore)
|
|
|
21c891 |
@@ -1043,9 +1043,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
FWD_CHECK([--add-rich-rule='rule family="ipv6" priority=-123 forward-port port="999" protocol="tcp" to-port="99"'], 0, ignore)
|
|
|
21c891 |
FWD_CHECK([--add-rich-rule='rule family="ipv6" priority=-123 forward-port port="9999" protocol="tcp" to-port="9999" to-addr="1234::4321"'], 0, ignore)
|
|
|
21c891 |
m4_if(nftables, FIREWALL_BACKEND, [
|
|
|
21c891 |
- NFT_LIST_RULES([inet], [filter_IN_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([inet], [filter_IN_public_pre], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
- chain filter_IN_public_rich_rule_pre {
|
|
|
21c891 |
+ chain filter_IN_public_pre {
|
|
|
21c891 |
ct state new,untracked meta mark 0x00000069 accept
|
|
|
21c891 |
ct state new,untracked meta mark 0x00000066 accept
|
|
|
21c891 |
ip saddr 10.1.0.0/16 drop
|
|
|
21c891 |
@@ -1062,9 +1062,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])
|
|
|
21c891 |
- NFT_LIST_RULES([inet], [filter_FWDI_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([inet], [filter_FWDI_public_pre], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
- chain filter_FWDI_public_rich_rule_pre {
|
|
|
21c891 |
+ chain filter_FWDI_public_pre {
|
|
|
21c891 |
ct state new,untracked meta mark 0x0000006a accept
|
|
|
21c891 |
ct state new,untracked meta mark 0x00000067 accept
|
|
|
21c891 |
}
|
|
|
21c891 |
@@ -1077,9 +1077,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])
|
|
|
21c891 |
- NFT_LIST_RULES([inet], [filter_FWDO_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([inet], [filter_FWDO_public_pre], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
- chain filter_FWDO_public_rich_rule_pre {
|
|
|
21c891 |
+ chain filter_FWDO_public_pre {
|
|
|
21c891 |
ip saddr 10.1.1.0/24 ct state new,untracked accept
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
@@ -1091,9 +1091,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])
|
|
|
21c891 |
- NFT_LIST_RULES([ip], [nat_PRE_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([ip], [nat_PRE_public_pre], 0, [dnl
|
|
|
21c891 |
table ip firewalld {
|
|
|
21c891 |
- chain nat_PRE_public_rich_rule_pre {
|
|
|
21c891 |
+ chain nat_PRE_public_pre {
|
|
|
21c891 |
meta l4proto tcp meta mark 0x00000066 redirect to :80
|
|
|
21c891 |
meta l4proto tcp meta mark 0x00000067 dnat to 10.1.1.1:80
|
|
|
21c891 |
}
|
|
|
21c891 |
@@ -1107,9 +1107,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])
|
|
|
21c891 |
- NFT_LIST_RULES([ip], [nat_POST_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([ip], [nat_POST_public_pre], 0, [dnl
|
|
|
21c891 |
table ip firewalld {
|
|
|
21c891 |
- chain nat_POST_public_rich_rule_pre {
|
|
|
21c891 |
+ chain nat_POST_public_pre {
|
|
|
21c891 |
ip saddr 10.1.1.0/24 oifname != "lo" masquerade
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
@@ -1121,9 +1121,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])
|
|
|
21c891 |
- NFT_LIST_RULES([ip6], [nat_PRE_public_rich_rule_pre], 0,
|
|
|
21c891 |
+ NFT_LIST_RULES([ip6], [nat_PRE_public_pre], 0,
|
|
|
21c891 |
[[table ip6 firewalld {
|
|
|
21c891 |
- chain nat_PRE_public_rich_rule_pre {
|
|
|
21c891 |
+ chain nat_PRE_public_pre {
|
|
|
21c891 |
meta l4proto tcp meta mark 0x00000069 redirect to :99
|
|
|
21c891 |
meta l4proto tcp meta mark 0x0000006a dnat to [1234::4321]:9999
|
|
|
21c891 |
}
|
|
|
21c891 |
@@ -1136,9 +1136,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])
|
|
|
21c891 |
- NFT_LIST_RULES([ip6], [nat_POST_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([ip6], [nat_POST_public_pre], 0, [dnl
|
|
|
21c891 |
table ip6 firewalld {
|
|
|
21c891 |
- chain nat_POST_public_rich_rule_pre {
|
|
|
21c891 |
+ chain nat_POST_public_pre {
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])
|
|
|
21c891 |
@@ -1148,9 +1148,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])
|
|
|
21c891 |
- NFT_LIST_RULES([inet], [mangle_PRE_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([inet], [mangle_PRE_public_pre], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
- chain mangle_PRE_public_rich_rule_pre {
|
|
|
21c891 |
+ chain mangle_PRE_public_pre {
|
|
|
21c891 |
meta nfproto ipv6 tcp dport 999 meta mark set 0x00000069
|
|
|
21c891 |
meta nfproto ipv6 tcp dport 9999 meta mark set 0x0000006a
|
|
|
21c891 |
meta nfproto ipv4 tcp dport 8888 meta mark set 0x00000066
|
|
|
21c891 |
@@ -1167,7 +1167,7 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])], [
|
|
|
21c891 |
- IPTABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([filter], [IN_public_pre], 0, [dnl
|
|
|
21c891 |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED mark match 0x66
|
|
|
21c891 |
DROP all -- 10.1.0.0/16 0.0.0.0/0
|
|
|
21c891 |
])
|
|
|
21c891 |
@@ -1175,19 +1175,19 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED mark match 0x64
|
|
|
21c891 |
])
|
|
|
21c891 |
- IPTABLES_LIST_RULES([filter], [FWDI_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
|
|
|
21c891 |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED mark match 0x67
|
|
|
21c891 |
])
|
|
|
21c891 |
IPTABLES_LIST_RULES([filter], [FWDI_public_allow], 0, [dnl
|
|
|
21c891 |
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED mark match 0x65
|
|
|
21c891 |
])
|
|
|
21c891 |
- IPTABLES_LIST_RULES([filter], [FWDO_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([filter], [FWDO_public_pre], 0, [dnl
|
|
|
21c891 |
ACCEPT all -- 10.1.1.0/24 0.0.0.0/0 ctstate NEW,UNTRACKED
|
|
|
21c891 |
])
|
|
|
21c891 |
IPTABLES_LIST_RULES([filter], [FWDO_public_allow], 0, [dnl
|
|
|
21c891 |
ACCEPT all -- 10.10.0.0/16 0.0.0.0/0 ctstate NEW,UNTRACKED
|
|
|
21c891 |
])
|
|
|
21c891 |
- IPTABLES_LIST_RULES([nat], [PRE_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([nat], [PRE_public_pre], 0, [dnl
|
|
|
21c891 |
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x66 to::80
|
|
|
21c891 |
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x67 to:10.1.1.1:80
|
|
|
21c891 |
])
|
|
|
21c891 |
@@ -1195,13 +1195,13 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x64 to::22
|
|
|
21c891 |
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 mark match 0x65 to:10.1.1.1:22
|
|
|
21c891 |
])
|
|
|
21c891 |
- IPTABLES_LIST_RULES([nat], [POST_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([nat], [POST_public_pre], 0, [dnl
|
|
|
21c891 |
MASQUERADE all -- 10.1.1.0/24 0.0.0.0/0
|
|
|
21c891 |
])
|
|
|
21c891 |
IPTABLES_LIST_RULES([nat], [POST_public_allow], 0, [dnl
|
|
|
21c891 |
MASQUERADE all -- 10.10.0.0/16 0.0.0.0/0
|
|
|
21c891 |
])
|
|
|
21c891 |
- IPTABLES_LIST_RULES([mangle], [PRE_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([mangle], [PRE_public_pre], 0, [dnl
|
|
|
21c891 |
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8888 MARK set 0x66
|
|
|
21c891 |
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 MARK set 0x67
|
|
|
21c891 |
])
|
|
|
21c891 |
@@ -1209,7 +1209,7 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:222 MARK set 0x64
|
|
|
21c891 |
MARK tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2222 MARK set 0x65
|
|
|
21c891 |
])
|
|
|
21c891 |
- IP6TABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IP6TABLES_LIST_RULES([filter], [IN_public_pre], 0, [dnl
|
|
|
21c891 |
ACCEPT all ::/0 ::/0 ctstate NEW,UNTRACKED mark match 0x69
|
|
|
21c891 |
])
|
|
|
21c891 |
IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
|
|
|
21c891 |
@@ -1217,19 +1217,19 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT all ::/0 ::/0 ctstate NEW,UNTRACKED mark match 0x68
|
|
|
21c891 |
])
|
|
|
21c891 |
- IP6TABLES_LIST_RULES([filter], [FWDI_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
|
|
|
21c891 |
ACCEPT all ::/0 ::/0 ctstate NEW,UNTRACKED mark match 0x6a
|
|
|
21c891 |
])
|
|
|
21c891 |
IP6TABLES_LIST_RULES([filter], [FWDI_public_allow], 0, [dnl
|
|
|
21c891 |
])
|
|
|
21c891 |
- IP6TABLES_LIST_RULES([nat], [PRE_public_rich_rule_pre], 0,
|
|
|
21c891 |
+ IP6TABLES_LIST_RULES([nat], [PRE_public_pre], 0,
|
|
|
21c891 |
[[DNAT tcp ::/0 ::/0 mark match 0x69 to::99
|
|
|
21c891 |
DNAT tcp ::/0 ::/0 mark match 0x6a to:[1234::4321]:9999
|
|
|
21c891 |
]])
|
|
|
21c891 |
IP6TABLES_LIST_RULES([nat], [PRE_public_allow], 0, [dnl
|
|
|
21c891 |
DNAT tcp ::/0 ::/0 mark match 0x68 to::90
|
|
|
21c891 |
])
|
|
|
21c891 |
- IP6TABLES_LIST_RULES([mangle], [PRE_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IP6TABLES_LIST_RULES([mangle], [PRE_public_pre], 0, [dnl
|
|
|
21c891 |
MARK tcp ::/0 ::/0 tcp dpt:999 MARK set 0x69
|
|
|
21c891 |
MARK tcp ::/0 ::/0 tcp dpt:9999 MARK set 0x6a
|
|
|
21c891 |
])
|
|
|
21c891 |
@@ -1245,9 +1245,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
FWD_CHECK([--add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
|
|
|
21c891 |
FWD_CHECK([--add-rich-rule='rule priority=-10 icmp-type name="echo-request" accept'], 0, ignore)
|
|
|
21c891 |
m4_if(nftables, FIREWALL_BACKEND, [
|
|
|
21c891 |
- NFT_LIST_RULES([inet], [filter_IN_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([inet], [filter_IN_public_pre], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
- chain filter_IN_public_rich_rule_pre {
|
|
|
21c891 |
+ chain filter_IN_public_pre {
|
|
|
21c891 |
icmp type destination-unreachable reject with icmp type admin-prohibited
|
|
|
21c891 |
icmpv6 type destination-unreachable reject with icmpv6 type admin-prohibited
|
|
|
21c891 |
icmp type echo-request accept
|
|
|
21c891 |
@@ -1273,9 +1273,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])
|
|
|
21c891 |
- NFT_LIST_RULES([inet], [filter_FWDI_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([inet], [filter_FWDI_public_pre], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
- chain filter_FWDI_public_rich_rule_pre {
|
|
|
21c891 |
+ chain filter_FWDI_public_pre {
|
|
|
21c891 |
icmp type destination-unreachable reject with icmp type admin-prohibited
|
|
|
21c891 |
icmpv6 type destination-unreachable reject with icmpv6 type admin-prohibited
|
|
|
21c891 |
icmp type echo-request accept
|
|
|
21c891 |
@@ -1299,7 +1299,7 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])], [
|
|
|
21c891 |
- IPTABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([filter], [IN_public_pre], 0, [dnl
|
|
|
21c891 |
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 reject-with icmp-host-prohibited
|
|
|
21c891 |
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
|
|
|
21c891 |
])
|
|
|
21c891 |
@@ -1310,7 +1310,7 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
|
|
|
21c891 |
])
|
|
|
21c891 |
- IPTABLES_LIST_RULES([filter], [FWDI_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
|
|
|
21c891 |
REJECT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 3 reject-with icmp-host-prohibited
|
|
|
21c891 |
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
|
|
|
21c891 |
])
|
|
|
21c891 |
@@ -1320,7 +1320,7 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
IPTABLES_LIST_RULES([filter], [FWDI_public_allow], 0, [dnl
|
|
|
21c891 |
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
|
|
|
21c891 |
])
|
|
|
21c891 |
- IP6TABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IP6TABLES_LIST_RULES([filter], [IN_public_pre], 0, [dnl
|
|
|
21c891 |
REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 1 reject-with icmp6-adm-prohibited
|
|
|
21c891 |
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
|
|
|
21c891 |
])
|
|
|
21c891 |
@@ -1332,7 +1332,7 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
|
|
|
21c891 |
])
|
|
|
21c891 |
- IP6TABLES_LIST_RULES([filter], [FWDI_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
|
|
|
21c891 |
REJECT icmpv6 ::/0 ::/0 ipv6-icmptype 1 reject-with icmp6-adm-prohibited
|
|
|
21c891 |
ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
|
|
|
21c891 |
])
|
|
|
21c891 |
@@ -1370,9 +1370,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
FWD_CHECK([--remove-rich-rule='rule priority="-77" service name="smtp" accept'], 0, ignore)
|
|
|
21c891 |
FWD_CHECK([--remove-rich-rule='rule family="ipv4" priority=-3 source address="10.100.100.0/24" drop'], 0, ignore)
|
|
|
21c891 |
m4_if(nftables, FIREWALL_BACKEND, [
|
|
|
21c891 |
- NFT_LIST_RULES([inet], [filter_IN_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([inet], [filter_IN_public_pre], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
- chain filter_IN_public_rich_rule_pre {
|
|
|
21c891 |
+ chain filter_IN_public_pre {
|
|
|
21c891 |
ip saddr 10.0.0.0/8 log
|
|
|
21c891 |
tcp dport 1111 ct state new,untracked log
|
|
|
21c891 |
tcp dport 1111 ct state new,untracked drop
|
|
|
21c891 |
@@ -1402,9 +1402,9 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])
|
|
|
21c891 |
- NFT_LIST_RULES([inet], [filter_IN_public_rich_rule_post], 0, [dnl
|
|
|
21c891 |
+ NFT_LIST_RULES([inet], [filter_IN_public_post], 0, [dnl
|
|
|
21c891 |
table inet firewalld {
|
|
|
21c891 |
- chain filter_IN_public_rich_rule_post {
|
|
|
21c891 |
+ chain filter_IN_public_post {
|
|
|
21c891 |
tcp dport 80 ct state new,untracked accept
|
|
|
21c891 |
tcp dport 22 ct state new,untracked accept
|
|
|
21c891 |
tcp dport 443 ct state new,untracked accept
|
|
|
21c891 |
@@ -1414,7 +1414,7 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
}
|
|
|
21c891 |
}
|
|
|
21c891 |
])], [
|
|
|
21c891 |
- IPTABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([filter], [IN_public_pre], 0, [dnl
|
|
|
21c891 |
LOG all -- 10.0.0.0/8 0.0.0.0/0 LOG flags 0 level 4
|
|
|
21c891 |
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1111 ctstate NEW,UNTRACKED LOG flags 0 level 4
|
|
|
21c891 |
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1111 ctstate NEW,UNTRACKED
|
|
|
21c891 |
@@ -1429,7 +1429,7 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
])
|
|
|
21c891 |
IPTABLES_LIST_RULES([filter], [IN_public_log], 0, [dnl
|
|
|
21c891 |
])
|
|
|
21c891 |
- IPTABLES_LIST_RULES([filter], [IN_public_rich_rule_post], 0, [dnl
|
|
|
21c891 |
+ IPTABLES_LIST_RULES([filter], [IN_public_post], 0, [dnl
|
|
|
21c891 |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
|
|
|
21c891 |
@@ -1437,7 +1437,7 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "'DROPPED: '"
|
|
|
21c891 |
DROP all -- 0.0.0.0/0 0.0.0.0/0
|
|
|
21c891 |
])
|
|
|
21c891 |
- IP6TABLES_LIST_RULES([filter], [IN_public_rich_rule_pre], 0, [dnl
|
|
|
21c891 |
+ IP6TABLES_LIST_RULES([filter], [IN_public_pre], 0, [dnl
|
|
|
21c891 |
LOG tcp ::/0 ::/0 tcp dpt:1111 ctstate NEW,UNTRACKED LOG flags 0 level 4
|
|
|
21c891 |
DROP tcp ::/0 ::/0 tcp dpt:1111 ctstate NEW,UNTRACKED
|
|
|
21c891 |
])
|
|
|
21c891 |
@@ -1449,7 +1449,7 @@ FWD_START_TEST([rich rules priority])
|
|
|
21c891 |
])
|
|
|
21c891 |
IP6TABLES_LIST_RULES([filter], [IN_public_log], 0, [dnl
|
|
|
21c891 |
])
|
|
|
21c891 |
- IP6TABLES_LIST_RULES([filter], [IN_public_rich_rule_post], 0, [dnl
|
|
|
21c891 |
+ IP6TABLES_LIST_RULES([filter], [IN_public_post], 0, [dnl
|
|
|
21c891 |
ACCEPT tcp ::/0 ::/0 tcp dpt:80 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
21c891 |
ACCEPT tcp ::/0 ::/0 tcp dpt:443 ctstate NEW,UNTRACKED
|
|
|
21c891 |
--
2.18.0