cbd861eb95
- Add upstream patch to fix rich rules that use ipset (bsc#1104990) * 00002-firewalld-0.6.x-rich-rule-with-ipset-regression.patch OBS-URL: https://build.opensuse.org/request/show/637102 OBS-URL: https://build.opensuse.org/package/show/security:netfilter/firewalld?expand=0&rev=86
From fa0bce3d45563e28b8beea1cb0ee325f4a82ebf9 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 21 Sep 2018 15:55:50 -0400
Subject: [PATCH] fw_zone: expose _ipset_match_flags()
Rename __ipset_match_flags() to _ipset_match_flags() so it may be used
outside the class. With the iptables backend this fixes rich rules that
match a source using an ipset.
Fixes: #374
---
src/firewall/core/fw_zone.py | 2 +-
src/firewall/core/ipXtables.py | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
|
|
index 2d794393..ca90f7fb 100644
|
|
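--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1519,7 +1519,7 @@ def _ipset_family(self, name):
 def __ipset_type(self, name):
 return self._fw.ipset.get_type(name)
 
- def __ipset_match_flags(self, name, flag):
+ def _ipset_match_flags(self, name, flag):
 return ",".join([flag] * self._fw.ipset.get_dimension(name))
 
 def _check_ipset_applied(self, name):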
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
|
|
index 66af2a26..02a518d2 100644
|
|
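--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -852,7 +852,7 @@ def _rich_rule_source_fragment(self, rich_source):
 rule_fragment += [ "-m", "set" ]
 if rich_source.invert:
 rule_fragment.append("!")
- flags = self._fw.zone.__ipset_match_flags(rich_source.ipset, "src")
+ flags = self._fw.zone._ipset_match_flags(rich_source.ipset, "src")
 rule_fragment += [ "--match-set", rich_source.ipset, flags ]
 
 return rule_fragment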
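Review bot: The call `self._fw.zone._ipset_match_flags(rich_source.ipset, "src")` still reaches into another class's underscore-prefixed helper, and nothing in this patch adds a test that builds a rich rule with an ipset source under the iptables backend, so the same breakage could return unnoticed. The old two-underscore spelling was presumably rewritten by Python's name mangling inside this class and failed at attribute lookup, which would leave the source-restricted rule uninstalled. I would add a regression test for that rule shape and a one-line comment on the definition in fw_zone.py, e.g. `# single underscore: called from ipXtables, must not be name-mangled`. `__ipset_type` in the fw_zone.py hunk keeps the double underscore, so it is worth confirming that no other class calls it. `_rich_rule_source_fragment` starts before this hunk.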