firewalld/0001-firewall.core.fw_ipset-get_ipset-may-not-ckeck-if-se.patch


Accepting request 458640 from home:markoschandras:network - Update to version 0.4.4.3 * New service freeipa-trust (rh#1411650) * Complete icmp types for IPv4 and IPv6 * New h323 helper container * Support helper container: h323 * firewall.server.decorators: ALREADY_ errors should be logged as warnings * firewall.command: ALREADY_SET should also result in zero exit code * tests/firewall-offline-cmd_test.sh: Only use firewall-offline-cmd * Support more ipset types: hash:ip,port, hash:ip,port,ip, hash:ip,port,net, hash:ip,mark, hash:net,net, hash:net,port, hash:net,port,net, hash:net,iface * New checks for ipset entry validation * Use ipset dimension for match * firewall.core.base: New ZONE_SOURCE_IPSET_TYPES list * New firewall.core.icmp providing names and types for icmp and icmpv6 values * firewall.core.fw_ipset: New methods to get ipset dimension and applied state * firewall.errors: New error NOT_APPLIED * firewall-cmd man page: Add missing --get-ipset-types * firewall.core.fw_nm: No trace back on failed get_connection call (rh#1413345) * firewall.core.prog: Fix addition of the error output in runProg * Speed up ipset handling, (re)loading and import from file * Support --family option for --new-ipset * Handle FirewallError for query sequences in command line tools * Fail to alter entries of ipsets with timeout * Extended tests for ipset options * Return empty list for ipsets using timeouts * firewall.functions: Fix checks in checkIPnMask and checkIP6nMask (gh#t-woerner/firewalld#186) * firewalld.conf man page: New section about AutomaticHelpers * firewall-offline-cmd man page: Added -v and -q options, fixed section ids * firewall{-cmd, ctl}: Fix scope of final return in try_set_zone_of_interface * firewall.core.fw_zone: Limit masquerading forward rule to new connections * firewall-config: Update active zones on reloaded signal OBS-URL: https://build.opensuse.org/request/show/458640 OBS-URL: 
https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=38
2017-02-17 10:46:55 +01:00
From 7e7be5658c2b1a8aa130480ad8e1a7314c83bba9 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Wed, 15 Feb 2017 11:11:40 +0100
Subject: [PATCH] firewall.core.fw_ipset: get_ipset may not ckeck if set is
applied by default
Checking the applied state by default breaks the ipset overloading from /etc/firewalld/ipsets.
Fixes: #206
---
src/firewall/core/fw_ipset.py | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
index bbbc8eb9..952d1226 100644
--- a/src/firewall/core/fw_ipset.py
+++ b/src/firewall/core/fw_ipset.py
@@ -55,10 +55,11 @@ class FirewallIPSet(object):
def has_ipsets(self):
return len(self._ipsets) > 0
- def get_ipset(self, name):
+ def get_ipset(self, name, applied=False):
self.check_ipset(name)
obj = self._ipsets[name]
- self.check_applied_obj(obj)
+ if applied:
+ self.check_applied_obj(obj)
return obj
def _error2warning(self, f, name, *args):
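Review bot: The new `applied=False` default on `get_ipset` makes the unchecked lookup the implicit one, so any caller outside this patch that still calls `get_ipset(name)` no longer runs `check_applied_obj` and may receive a set that is defined but not applied. That is presumably what the overloading fix for /etc/firewalld/ipsets needs, but callers that build rules from the returned object should be audited to confirm they pass `applied=True` or check the applied state themselves. A docstring would make the contract visible, e.g. `"""Return the ipset object for name; the applied state is verified only when applied=True."""`. The enclosing class body continues outside the hunk.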
@@ -141,11 +142,11 @@ class FirewallIPSet(object):
# TYPE
def get_type(self, name):
- return self.get_ipset(name).type
+ return self.get_ipset(name, applied=True).type
# DIMENSION
def get_dimension(self, name):
- return len(self.get_ipset(name).type.split(","))
+ return len(self.get_ipset(name, applied=True).type.split(","))
# APPLIED
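Review bot: Every accessor now has to remember `applied=True`, here in `get_type` and `get_dimension` and again in the `get_family`, `add_entry`, `remove_entry`, `query_entry`, `get_entries` and `set_entries` hunks, so a method added later that omits the keyword silently gets the unchecked object. Giving the strict lookup one name, e.g. `def _get_applied_ipset(self, name): return self.get_ipset(name, applied=True)`, would keep the requirement in one place. `get_dimension` could also go through the existing accessor, `return len(self.get_type(name).split(","))`, rather than repeating the lookup.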
@@ -164,7 +165,7 @@ class FirewallIPSet(object):
# OPTIONS
def get_family(self, name):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
if "family" in obj.options:
if obj.options["family"] == "inet6":
return "ipv6"
@@ -179,7 +180,7 @@ class FirewallIPSet(object):
pass
def add_entry(self, name, entry):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
if "timeout" in obj.options and obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
@@ -201,7 +202,7 @@ class FirewallIPSet(object):
obj.entries.append(entry)
def remove_entry(self, name, entry):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
if "timeout" in obj.options and obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
@@ -222,7 +223,7 @@ class FirewallIPSet(object):
obj.entries.remove(entry)
def query_entry(self, name, entry):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
if "timeout" in obj.options and obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
@@ -230,11 +231,11 @@ class FirewallIPSet(object):
return entry in obj.entries
def get_entries(self, name):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
return obj.entries
def set_entries(self, name, entries):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
if "timeout" in obj.options and obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
--
2.11.0