Accepting request 637406 from security:netfilter
- Add upstream patch to mark more strings as translatable which is
  required by firewall UI when creating rich rules (bsc#1096542)
  * 0001-Fix-translating-labels-392.patch
- Add upstream patch to fix rich rules that use ipset (bsc#1104990)
  * 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
- Update to 0.6.2. Some of the changes are:
  * update translations
  * nftables: fix log-denied with values other than "all" or "off"
  * fw_ipset: raise FirewallError if backend command fails
  * ipset: only use "-exist" on restore
  * fw_ipset: fix duplicate add of ipset entries
  * *tables: For opened ports/protocols/etc match ct state new,untracked (bsc#1105821)
  * ipXtables: increase wait lock to 10s
  * nftables: fix rich rules ports/protocols/source ports not considering ct state
  * ports: allow querying a single added by range
  * fw_zone: do not change rich rule errors into warnings
  * fw_zone: fix services with multiple destination IP versions (bsc#1105899)
  * fw_zone: consider destination for protocols
  * firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False (boo#1106319)
  * fw: If direct rules fail to apply add a "Direct" label to error msg
  * fw: if startup fails on reload, reapply non-perm config that survives reload
  * nftables: fix rich rule audit log
  * ebtables: replace RETURN policy with explicit RETURN at end of chain
  * direct backends: allow build_chain() to build multiple rules
  * fw: if failure occurs during startup set state to FAILED
  * fw: on restart set policy from same function
  * ebtables: drop support for broute table
- Remove upstream patches

OBS-URL: https://build.opensuse.org/request/show/637406
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/firewalld?expand=0&rev=37
commit b4d329838c
0001-Fix-translating-labels-392.patch
Normal file
@ -0,0 +1,35 @@
From 15fb48d04e576edb828abf321ae1e765822a4ee3 Mon Sep 17 00:00:00 2001
From: MeggyCal <MeggyCal@users.noreply.github.com>
Date: Thu, 20 Sep 2018 15:37:17 +0200
Subject: [PATCH] Fix translating labels (#392)

Fix for #344 was incomplete, the "flags" were not translating and the reported bug was still active.

Fixes: #344
(cherry picked from commit e657200927a9f0f41fbed95640cd47e2a5836c6f)
---
src/firewall-config.glade | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/firewall-config.glade b/src/firewall-config.glade
index 22bed58a..75c229b4 100644
--- a/src/firewall-config.glade
+++ b/src/firewall-config.glade
@@ -10135,10 +10135,10 @@
<property name="halign">start</property>
<property name="valign">start</property>
<items>
- <item>accept</item>
- <item>reject</item>
- <item>drop</item>
- <item>mark</item>
+ <item translatable="yes">accept</item>
+ <item translatable="yes">reject</item>
+ <item translatable="yes">drop</item>
+ <item translatable="yes">mark</item>
</items>
<signal name="changed" handler="on_richRuleDialog_changed" swapped="no"/>
</object>
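Review bot: marking the four `<item>` entries `translatable="yes"` means the combo box will display localized labels, so confirm that the handler named on the context line (`on_richRuleDialog_changed`) and the code that assembles the rich rule read the active index or an id rather than the displayed text; otherwise a localized "accept"/"reject"/"drop"/"mark" string would be passed on as the rule action. The new msgids also have to reach the .po catalogs before the labels change in non-English locales, which this glade-only hunk does not do by itself.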
--
2.19.0
@ -1,47 +0,0 @@
From e9eede7766610d5b632087783761f93334bdd47e Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 29 Aug 2018 10:19:11 -0400
Subject: [PATCH 1/4] fw_zone: consider destination for protocols

destinations were ignore if protocols were specified. This fixes that.

(cherry picked from commit 8d863e8a1c78cb93cb4823cd1824776dba1d9d34)
---
src/firewall/core/fw_zone.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 7c7653fe..155b8b7f 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1640,7 +1640,7 @@ class FirewallZone(object):
if enable and type(rule.action) == Rich_Mark:
zone_transaction.add_chain("mangle", "PREROUTING")
rules = backend.build_zone_protocol_rules(
- enable, zone, proto, rule)
+ enable, zone, proto, destination, rule)
zone_transaction.add_rules(backend, rules)

# create rules
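Review bot: dropping this patch file is consistent with the 0.6.2 changelog line "fw_zone: consider destination for protocols"; the header's cherry-pick line names upstream commit 8d863e8a1c78cb93cb4823cd1824776dba1d9d34, so confirm that commit is reachable from the v0.6.2 tag before the file goes. Note that the diffstat touches only fw_zone.py while this hunk passes a new `destination` argument to `build_zone_protocol_rules()`, so the backends must already accept that parameter for the call to work.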
@@ -1677,7 +1677,7 @@ class FirewallZone(object):
zone_transaction.add_chain("mangle", "PREROUTING")

rules = backend.build_zone_protocol_rules(
- enable, zone, protocol, rule)
+ enable, zone, protocol, None, rule)
zone_transaction.add_rules(backend, rules)

# MASQUERADE
@@ -1852,7 +1852,8 @@ class FirewallZone(object):
zone_transaction.add_rules(backend, rules)

for protocol in svc.protocols:
- rules = backend.build_zone_protocol_rules(enable, zone, protocol)
+ rules = backend.build_zone_protocol_rules(
+ enable, zone, protocol, destination)
zone_transaction.add_rules(backend, rules)

for (port,proto) in svc.source_ports:
--
2.18.0
@ -1,74 +0,0 @@
From 0a5827471610fdbb19a053f7f46c114d4fbdf2a0 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 29 Aug 2018 16:10:20 -0400
Subject: [PATCH] nftables: fix rich rules ports/protocols/source ports not
considering ct state

They were accepting the packets, but were not matching on "ct state new"
as they should have been. In most (all?) cases, this should not have had
a noticeable affect because the existing connections were accepted long
before the _allow rules are hit.

(cherry picked from commit 0dd56eba38a2e0075281fb5a7180ecb9851359e1)
---
src/firewall/core/nftables.py | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 1ac8b3a8..20296292 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -812,6 +812,7 @@ class nftables(object):
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
rule_fragment += [proto, "dport", "%s" % portStr(port, "-")]
+ rule_fragment += ["ct", "state", "new"]

rules = []
if rich_rule:
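Review bot: moving `["ct", "state", "new"]` into `rule_fragment` is what gives the rich-rule branch (the `if rich_rule:` path that follows) a connection-state match; the plain `else` branches in the later hunks drop the literal because the fragment now carries it, so the non-rich rules are unchanged in effect. Removing the patch is consistent with the 0.6.2 changelog entry "nftables: fix rich rules ports/protocols/source ports not considering ct state" (cherry-pick 0dd56eba38a2e0075281fb5a7180ecb9851359e1).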
@@ -821,7 +822,7 @@ class nftables(object):
else:
rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
"%s_%s_allow" % (table, target)] +
- rule_fragment + ["ct", "state", "new", "accept"])
+ rule_fragment + ["accept"])

return rules

@@ -844,6 +845,7 @@ class nftables(object):
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
rule_fragment = ["meta", "l4proto", protocol]
+ rule_fragment += ["ct", "state", "new"]

rules = []
if rich_rule:
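Review bot: in this hunk the context line `rule_fragment = ["meta", "l4proto", protocol]` assigns rather than appends, discarding the destination and source fragments built by the two lines above it, so a rich rule with a protocol element would not be restricted to that rule's source or destination on the nftables backend; the defect predates this patch and is not addressed by it, and the changelog excerpt in this request does not mention it, so it is worth checking against 0.6.2's nftables.py before relying on protocol rich rules there.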
@@ -853,7 +855,7 @@ class nftables(object):
else:
rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
"filter_%s_allow" % (target)] +
- rule_fragment + ["ct", "state", "new", "accept"])
+ rule_fragment + ["accept"])

return rules

@@ -876,6 +878,7 @@ class nftables(object):
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
rule_fragment += [proto, "sport", "%s" % portStr(port, "-")]
+ rule_fragment += ["ct", "state", "new"]

rules = []
if rich_rule:
@@ -885,7 +888,7 @@ class nftables(object):
else:
rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
"%s_%s_allow" % (table, target)] +
- rule_fragment + ["ct", "state", "new", "accept"])
+ rule_fragment + ["accept"])

return rules

--
2.18.0
0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
Normal file
@ -0,0 +1,41 @@
From fa0bce3d45563e28b8beea1cb0ee325f4a82ebf9 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 21 Sep 2018 15:55:50 -0400
Subject: [PATCH] fw_zone: expose _ipset_match_flags()

Rename __ipset_match_flags() to _ipset_match_flags() so it may be used
outside the class. With the iptables backend this fixes rich rules that
match a source using an ipset.

Fixes: #374
---
src/firewall/core/fw_zone.py | 2 +-
src/firewall/core/ipXtables.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 2d794393..ca90f7fb 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1519,7 +1519,7 @@ def _ipset_family(self, name):
def __ipset_type(self, name):
return self._fw.ipset.get_type(name)

- def __ipset_match_flags(self, name, flag):
+ def _ipset_match_flags(self, name, flag):
return ",".join([flag] * self._fw.ipset.get_dimension(name))

def _check_ipset_applied(self, name):
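Review bot: `__ipset_match_flags` is a double-underscore name, so Python mangles it to `_FirewallZone__ipset_match_flags` and the cross-module call in the next hunk could never resolve it; the single-underscore rename is the right fix. The diffstat shows only this one line changing in fw_zone.py, so confirm there is no remaining in-class `self.__ipset_match_flags(...)` call, because after the rename such a call would itself raise AttributeError.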
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 66af2a26..02a518d2 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -852,7 +852,7 @@ def _rich_rule_source_fragment(self, rich_source):
rule_fragment += [ "-m", "set" ]
if rich_source.invert:
rule_fragment.append("!")
- flags = self._fw.zone.__ipset_match_flags(rich_source.ipset, "src")
+ flags = self._fw.zone._ipset_match_flags(rich_source.ipset, "src")
rule_fragment += [ "--match-set", rich_source.ipset, flags ]

return rule_fragment
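Review bot: with the rename this call reaches the real method, whose result (`src` repeated once per set dimension, per the previous hunk) is exactly what `--match-set` expects, and the `invert` handling still emits `!` ahead of it. Since the spec comment for this patch cites only bsc#1104990, add the upstream commit id from the patch header (fa0bce3d45563e28b8beea1cb0ee325f4a82ebf9) to the PATCH-FIX-UPSTREAM line so the next maintainer can tell when it has landed in a release and the patch can be dropped.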
@ -1,216 +0,0 @@
From d9f46f02dd90bc6630f6e5462e67bc5341bdcade Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 29 Aug 2018 10:10:18 -0400
Subject: [PATCH 2/4] fw_zone: fix services with multiple destination IP
versions

Only one of the IP versions was being added to the backend. Make sure we
consider both.

Fixes: #366
Fixes: 929b1d2ab988 ("fw_zone: push service rule generation into backends")
Fixes: 7c5f5f4d12ee ("fw_zone: push rich rule generation to backend")
(cherry picked from commit 4aa13cc1377143e59a7f89bbbd9c4b01a9b8896a)
---
src/firewall/core/fw_zone.py | 170 +++++++++++++++++------------------
1 file changed, 82 insertions(+), 88 deletions(-)

diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 155b8b7f..75ea6018 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1572,84 +1572,82 @@ class FirewallZone(object):
if type(rule.element) == Rich_Service:
svc = self._fw.service.get_service(rule.element.name)

- destination = rule.destination if rule.destination else None
+ destinations = [rule.destination] if rule.destination else [None]
+
if len(svc.destination) > 0:
+ if rule.destination:
+ # we can not use two destinations at the same time
+ raise FirewallError(errors.INVALID_RULE,
+ "Destination conflict with service.")
+ destinations = []
for ipv in ipvs:
- if ipv in svc.destination:
- if not backend.is_ipv_supported(ipv):
- # destination is set, only use if it contains ipv
- raise FirewallError(errors.INVALID_RULE,
- "Service %s is not usable with %s" %
- (rule.element.name, backend.name))
- elif svc.destination[ipv] != "" and rule.destination:
- # we can not use two destinations at the same time
- raise FirewallError(errors.INVALID_RULE,
- "Destination conflict with service.")
- destination = svc.destination[ipv]
-
- if enable:
- zone_transaction.add_chain("filter", "INPUT")
- if self._fw.nf_conntrack_helper_setting == 0:
- zone_transaction.add_chain("raw", "PREROUTING")
+ if ipv in svc.destination and backend.is_ipv_supported(ipv):
+ destinations.append(svc.destination[ipv])

- if type(rule.action) == Rich_Accept:
- # only load modules for accept action
- helpers = self.get_helpers_for_service_modules(svc.modules,
- enable)
-
- modules = [ ]
- for helper in helpers:
- module = helper.module
+ for destination in destinations:
+ if enable:
+ zone_transaction.add_chain("filter", "INPUT")
if self._fw.nf_conntrack_helper_setting == 0:
- if helper.name not in \
- self._fw.nf_conntrack_helpers[module]:
- raise FirewallError(
- errors.INVALID_HELPER,
- "'%s' not available in kernel" % module)
- nat_module = module.replace("conntrack", "nat")
- if nat_module in self._fw.nf_nat_helpers:
- modules.append(nat_module)
- if helper.family != "" and not backend.is_ipv_supported(helper.family):
- # no support for family ipv, continue
- continue
- if len(helper.ports) < 1:
- modules.append(module)
- else:
- for (port,proto) in helper.ports:
- rules = backend.build_zone_helper_ports_rules(
- enable, zone, proto, port,
- destination, helper.name)
- zone_transaction.add_rules(backend, rules)
- else:
- if helper.module not in modules:
- modules.append(helper.module)
- nat_module = helper.module.replace("conntrack", "nat")
+ zone_transaction.add_chain("raw", "PREROUTING")
+
+ if type(rule.action) == Rich_Accept:
+ # only load modules for accept action
+ helpers = self.get_helpers_for_service_modules(svc.modules,
+ enable)
+
+ modules = [ ]
+ for helper in helpers:
+ module = helper.module
+ if self._fw.nf_conntrack_helper_setting == 0:
+ if helper.name not in \
+ self._fw.nf_conntrack_helpers[module]:
+ raise FirewallError(
+ errors.INVALID_HELPER,
+ "'%s' not available in kernel" % module)
+ nat_module = module.replace("conntrack", "nat")
if nat_module in self._fw.nf_nat_helpers:
modules.append(nat_module)
- zone_transaction.add_modules(modules)
-
- # create rules
- for (port,proto) in svc.ports:
- if enable and type(rule.action) == Rich_Mark:
- zone_transaction.add_chain("mangle", "PREROUTING")
- rules = backend.build_zone_ports_rules(
- enable, zone, proto, port, destination, rule)
- zone_transaction.add_rules(backend, rules)
-
- for proto in svc.protocols:
- if enable and type(rule.action) == Rich_Mark:
- zone_transaction.add_chain("mangle", "PREROUTING")
- rules = backend.build_zone_protocol_rules(
- enable, zone, proto, destination, rule)
- zone_transaction.add_rules(backend, rules)
-
- # create rules
- for (port,proto) in svc.source_ports:
- if enable and type(rule.action) == Rich_Mark:
- zone_transaction.add_chain("mangle", "PREROUTING")
- rules = backend.build_zone_source_ports_rules(
- enable, zone, proto, port, destination, rule)
- zone_transaction.add_rules(backend, rules)
+ if helper.family != "" and not backend.is_ipv_supported(helper.family):
+ # no support for family ipv, continue
+ continue
+ if len(helper.ports) < 1:
+ modules.append(module)
+ else:
+ for (port,proto) in helper.ports:
+ rules = backend.build_zone_helper_ports_rules(
+ enable, zone, proto, port,
+ destination, helper.name)
+ zone_transaction.add_rules(backend, rules)
+ else:
+ if helper.module not in modules:
+ modules.append(helper.module)
+ nat_module = helper.module.replace("conntrack", "nat")
+ if nat_module in self._fw.nf_nat_helpers:
+ modules.append(nat_module)
+ zone_transaction.add_modules(modules)
+
+ # create rules
+ for (port,proto) in svc.ports:
+ if enable and type(rule.action) == Rich_Mark:
+ zone_transaction.add_chain("mangle", "PREROUTING")
+ rules = backend.build_zone_ports_rules(
+ enable, zone, proto, port, destination, rule)
+ zone_transaction.add_rules(backend, rules)
+
+ for proto in svc.protocols:
+ if enable and type(rule.action) == Rich_Mark:
+ zone_transaction.add_chain("mangle", "PREROUTING")
+ rules = backend.build_zone_protocol_rules(
+ enable, zone, proto, destination, rule)
+ zone_transaction.add_rules(backend, rules)
+
+ # create rules
+ for (port,proto) in svc.source_ports:
+ if enable and type(rule.action) == Rich_Mark:
+ zone_transaction.add_chain("mangle", "PREROUTING")
+ rules = backend.build_zone_source_ports_rules(
+ enable, zone, proto, port, destination, rule)
+ zone_transaction.add_rules(backend, rules)

# PORT
elif type(rule.element) == Rich_Port:
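Review bot: the rewrite changes error semantics, not only coverage: the removed lines raised `FirewallError(errors.INVALID_RULE, "Service %s is not usable with %s")` when a service destination's IP version was unsupported by the backend, whereas the new `if ipv in svc.destination and backend.is_ipv_supported(ipv)` silently skips it, so a service whose only destination belongs to an unsupported family now yields an empty `destinations` list and no rules rather than an error. The "Destination conflict with service." check is likewise raised up front whenever `rule.destination` is set and the service defines any destination, where the old code only raised for an ipv whose destination string was non-empty. Both are upstream behaviour (cherry-pick 4aa13cc1377143e59a7f89bbbd9c4b01a9b8896a), which is why the patch is dropped in favour of 0.6.2, but they are worth knowing when triaging bsc#1105899 reports.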
@@ -1805,24 +1803,20 @@ class FirewallZone(object):
zone_transaction.add_modules(modules)
zone_transaction.add_chain("filter", "INPUT")

- for backend in self._fw.enabled_backends():
- if not backend.zones_supported:
- continue
- skip_backend = False
-
- destination = None
+ # build a list of (backend, destination). The destination may be ipv4,
+ # ipv6 or None
+ #
+ backends_ipv = []
+ for ipv in ["ipv4", "ipv6"]:
+ backend = self._fw.get_backend_by_ipv(ipv)
if len(svc.destination) > 0:
- for ipv in ["ipv4", "ipv6"]:
- if ipv in svc.destination:
- if not backend.is_ipv_supported(ipv):
- # destination is set, only use if it contains ipv
- skip_backend = True
- break
- destination = svc.destination[ipv]
-
- if skip_backend:
- continue
+ if ipv in svc.destination:
+ backends_ipv.append((backend, svc.destination[ipv]))
+ else:
+ if (backend, None) not in backends_ipv:
+ backends_ipv.append((backend, None))

+ for (backend,destination) in backends_ipv:
if self._fw.nf_conntrack_helper_setting == 0:
for helper in helpers:
module = helper.module
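Review bot: the `backends_ipv` list de-duplicates the `(backend, None)` pair, so a backend that serves both families (nftables) is visited once for destination-less services and once per family for services with destinations, which is the "consider both" fix from the commit message. The removed `backend.zones_supported` check has no replacement; that is only safe if `get_backend_by_ipv()` never returns a backend without zone support, which a reviewer should confirm in 0.6.2 rather than infer from this hunk.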
--
2.18.0
@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9fd94f4a5803ec6d1bf4a15f3b90d46fdf0ffa1b5187ff80a470460e3a1a8538
size 2269294
firewalld-0.6.2.tar.gz
Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:76ef7ed41caf67204dc80e1f2640176a481c72cadc30488492b22e45b3757c54
size 2273831
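Review bot: the new source tarball is stored only as a Git LFS pointer, so this `oid sha256:` line is the sole integrity anchor for firewalld-0.6.2.tar.gz in the request, and the spec's `Source:` line fetches GitHub's auto-generated `archive/v%{version}.tar.gz`, whose bytes have historically changed when GitHub altered its archive generation. Record in the request or changelog how the checksum was verified (for example against an independently fetched v0.6.2 archive or an upstream-published digest) so a later reviewer can tell a legitimate re-archive from a tampered source.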
@ -1,44 +0,0 @@
From a24ab61eabe24656b457273f54133fa99087f2f6 Mon Sep 17 00:00:00 2001
From: Farenjihn <farenjihn@gmail.com>
Date: Fri, 17 Aug 2018 11:58:55 +0200
Subject: [PATCH] firewall/core/fw_nm: nm_get_zone_of_connection should return
None or empty string instead of False

(cherry picked from commit 5a59a90f449a8bf836e62e2d9ad486301b1aa2bb)
---
src/firewall/core/fw_nm.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
index 97113d95..37282a1a 100644
--- a/src/firewall/core/fw_nm.py
+++ b/src/firewall/core/fw_nm.py
@@ -75,21 +75,21 @@ def nm_get_zone_of_connection(connection):

con = nm_get_client().get_connection_by_uuid(connection)
if con is None:
- return False
+ return None

setting_con = con.get_setting_connection()
if setting_con is None:
- return False
+ return None

try:
if con.get_flags() & (NM.SettingsConnectionFlags.NM_GENERATED
| NM.SettingsConnectionFlags.NM_VOLATILE):
- return False
+ return ""
except AttributeError:
# Prior to NetworkManager 1.12, we can only guess
# that a connection was generated/volatile.
if con.get_unsaved():
- return False
+ return ""

zone = setting_con.get_zone()
if zone is None:
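Review bot: this removed patch matches the spec's old Patch1 comment ("fix firewall-config crash when nm_get_zone_of_connection returns False") and the 0.6.2 changelog line for boo#1106319, so dropping it is consistent. The hunk introduces a distinction callers should be aware of: `None` for a missing connection or missing connection settings versus `""` for a generated or volatile connection; a caller testing `if not zone` treats both alike, while one comparing `is None` now sees the difference.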
--
2.18.0
@ -1,3 +1,47 @@
-------------------------------------------------------------------
Mon Sep 24 09:05:52 UTC 2018 - Markos Chandras <mchandras@suse.de>

- Add upstream patch to mark more strings as translatable which is
required by firewall UI when creating rich rules (bsc#1096542)
* 0001-Fix-translating-labels-392.patch

-------------------------------------------------------------------
Fri Sep 21 17:13:32 UTC 2018 - Luiz Angelo Daros de Luca <luizluca@gmail.com>

- Add upstream patch to fix rich rules that uses ipset (bsc#1104990)
* 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch

-------------------------------------------------------------------
Thu Sep 20 07:27:33 UTC 2018 - Markos Chandras <mchandras@suse.de>

- Update to 0.6.2. Some of the changes are:
* update translations
* nftables: fix log-denied with values other than "all" or "off"
* fw_ipset: raise FirewallError if backend command fails
* ipset: only use "-exist" on restore
* fw_ipset: fix duplicate add of ipset entries
* *tables: For opened ports/protocols/etc match ct state new,untracked (bsc#1105821)
* ipXtables: increase wait lock to 10s
* nftables: fix rich rules ports/protocols/source ports not considering ct state
* ports: allow querying a single added by range
* fw_zone: do not change rich rule errors into warnings
* fw_zone: fix services with multiple destination IP versions (bsc#1105899)
* fw_zone: consider destination for protocols
* firewall/core/fw_nm: nm_get_zone_of_connection should return None or empty string instead of False (boo#1106319)
* fw: If direct rules fail to apply add a "Direct" label to error msg
* fw: if startup fails on reload, reapply non-perm config that survives reload
* nftables: fix rich rule audit log
* ebtables: replace RETURN policy with explicit RETURN at end of chain
* direct backends: allow build_chain() to build multiple rules
* fw: if failure occurs during startup set state to FAILED
* fw: on restart set policy from same function
* ebtables: drop support for broute table
- Remove upstream patches
* 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch
* 0001-fw_zone-consider-destination-for-protocols.patch
* 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch
* firewalld-fix-firewalld-config-crash.patch

-------------------------------------------------------------------
-------------------------------------------------------------------
Mon Sep 17 14:28:19 UTC 2018 - Markos Chandras <mchandras@suse.de>
Mon Sep 17 14:28:19 UTC 2018 - Markos Chandras <mchandras@suse.de>
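Review bot: the bsc#1104990 entry names the patch `00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch`, but the file added in this request and the spec's `Patch1:` line both use `0002-`; align the changelog with the real file name, and "rich rules that uses ipset" should read "that use ipset". Separately, the 0.6.2 entry credits "fw_zone: fix services with multiple destination IP versions" to bsc#1105899 while the spec line being removed for that same patch cites bsc#1108651; either cross-reference both or pick the bug that actually tracks the fix so the two records agree.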
@ -21,7 +21,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
%endif
Name: firewalld
Name: firewalld
Version: 0.6.1
Version: 0.6.2
Release: 0
Release: 0
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
License: GPL-2.0-or-later
License: GPL-2.0-or-later
@ -30,14 +30,10 @@ Url: http://www.firewalld.org
Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
# PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
# PATCH-FIX-SUSE: 0001-firewall-backend-Switch-default-backend-to-iptables.patch (bsc#1102761)
Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
Patch0: 0001-firewall-backend-Switch-default-backend-to-iptables.patch
# PATCH-FIX-UPSTREAM firewalld-fix-firewalld-config-crash.patch luc14n0@linuxmail.org -- fix firewall-config crash when nm_get_zone_of_connection returns "False"
# PATCH-FIX-UPSTREAM: 0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch (bsc#1104990)
Patch1: firewalld-fix-firewalld-config-crash.patch
Patch1: 0002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch
# PATCH-FIX-UPSTREAM 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch (bsc#1105821)
# PATCH-FIX-UPSTREAM: 0001-Fix-translating-labels-392.patch (bsc#1096542)
Patch2: 0001-nftables-fix-rich-rules-ports-protocols-source-ports.patch
Patch2: 0001-Fix-translating-labels-392.patch
# PATCH-FIX-UPSTRΕΑΜ 0001-fw_zone-consider-destination-for-protocols.patch
Patch3: 0001-fw_zone-consider-destination-for-protocols.patch
# PATCH-FIX-UPSTREAM 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch (bsc#1108651)
Patch4: 0002-fw_zone-fix-services-with-multiple-destination-IP-ve.patch
BuildRequires: autoconf
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: automake
BuildRequires: desktop-file-utils
BuildRequires: desktop-file-utils
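Review bot: `Patch1:` and `Patch2:` are reassigned to different files than before, which works because `%patch1`/`%patch2 -p1` apply by number, but it makes the history of those numbers misleading; numbering new patches after the retired ones keeps `git log -p` on the spec readable. The removed Patch3 comment reads `PATCH-FIX-UPSTRΕΑΜ` with non-ASCII homoglyphs as rendered here (Greek Ε, Α, Μ in place of E, A, M); its removal is welcome, and a simple non-ASCII check on the spec in review would catch that class of typo before it masks a search for PATCH-FIX-UPSTREAM markers. The new PATCH-FIX-UPSTREAM lines cite bugs but not the upstream commit ids that the patch headers carry (e657200927a9f0f41fbed95640cd47e2a5836c6f and fa0bce3d45563e28b8beea1cb0ee325f4a82ebf9); adding them tells the next maintainer when each patch can be dropped.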
@ -123,8 +119,6 @@ firewalld.
%patch0 -p1
%patch0 -p1
%patch1 -p1
%patch1 -p1
%patch2 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1

# bsc#1078223
# bsc#1078223
rm config/services/high-availability.xml
rm config/services/high-availability.xml
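Review bot: `%patch3` and `%patch4` go away together with the `Patch3:`/`Patch4:` lines in the previous hunk, so numbering stays consistent. The unconditional `rm config/services/high-availability.xml` for bsc#1078223 is kept as context; %prep runs with the shell's errexit, so confirm the 0.6.2 tarball still ships that file, otherwise the build fails at this line rather than silently keeping the service.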