|
 |
e4e66d |
From 42c3c63410d53f1f1eef8a756202231a7872aafa Mon Sep 17 00:00:00 2001
|
|
|
e4e66d |
From: Eric Garver <eric@garver.life>
|
|
|
e4e66d |
Date: Tue, 4 Feb 2020 09:12:17 -0500
|
|
|
e4e66d |
Subject: [PATCH 2/6] RHEL only: default to AllowZoneDrifting=yes
|
|
|
e4e66d |
|
|
|
e4e66d |
---
|
|
|
e4e66d |
config/firewalld.conf | 4 ++--
|
|
|
e4e66d |
doc/xml/firewalld.conf.xml | 2 +-
|
|
|
e4e66d |
doc/xml/firewalld.dbus.xml | 2 +-
|
|
|
e4e66d |
src/firewall/config/__init__.py.in | 2 +-
|
|
|
e4e66d |
src/tests/cli/firewall-cmd.at | 8 ++++++++
|
|
|
e4e66d |
src/tests/dbus/firewalld.conf.at | 4 ++--
|
|
|
e4e66d |
src/tests/features/rfc3964_ipv4.at | 4 ++++
|
|
|
e4e66d |
src/tests/functions.at | 1 +
|
|
|
e4e66d |
src/tests/regression/rhbz1514043.at | 4 ++++
|
|
|
e4e66d |
src/tests/regression/rhbz1715977.at | 9 +++++++++
|
|
|
e4e66d |
10 files changed, 33 insertions(+), 7 deletions(-)
|
|
|
e4e66d |
|
|
|
e4e66d |
diff --git a/config/firewalld.conf b/config/firewalld.conf
|
|
|
e4e66d |
index 532f0452212e..f791b2358ab8 100644
|
|
|
e4e66d |
--- a/config/firewalld.conf
|
|
|
e4e66d |
+++ b/config/firewalld.conf
|
|
|
e4e66d |
@@ -71,5 +71,5 @@ RFC3964_IPv4=yes
|
|
|
e4e66d |
# Note: If "yes" packets will only drift from source based zones to interface
|
|
|
e4e66d |
# based zones (including the default zone). Packets never drift from interface
|
|
|
e4e66d |
# based zones to other interfaces based zones (including the default zone).
|
|
|
e4e66d |
-# Possible values; "yes", "no". Defaults to "no".
|
|
|
e4e66d |
-AllowZoneDrifting=no
|
|
|
e4e66d |
+# Possible values; "yes", "no". Defaults to "yes".
|
|
|
e4e66d |
+AllowZoneDrifting=yes
|
|
|
e4e66d |
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
|
|
|
e4e66d |
index fcfbfd2b68c1..c21ef87813bc 100644
|
|
|
e4e66d |
--- a/doc/xml/firewalld.conf.xml
|
|
|
e4e66d |
+++ b/doc/xml/firewalld.conf.xml
|
|
|
e4e66d |
@@ -197,7 +197,7 @@
|
|
|
e4e66d |
to interface based zones (including the default zone). Packets
|
|
|
e4e66d |
never drift from interface based zones to other interfaces
|
|
|
e4e66d |
based zones (including the default zone).
|
|
|
e4e66d |
- Valid values; "yes", "no". Defaults to "no".
|
|
|
e4e66d |
+ Valid values; "yes", "no". Defaults to "yes".
|
|
|
e4e66d |
</para>
|
|
|
e4e66d |
</listitem>
|
|
|
e4e66d |
</varlistentry>
|
|
|
e4e66d |
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
|
|
|
e4e66d |
index 5d77af976443..77ad77c01675 100644
|
|
|
e4e66d |
--- a/doc/xml/firewalld.dbus.xml
|
|
|
e4e66d |
+++ b/doc/xml/firewalld.dbus.xml
|
|
|
e4e66d |
@@ -2591,7 +2591,7 @@
|
|
|
e4e66d |
to interface based zones (including the default zone). Packets
|
|
|
e4e66d |
never drift from interface based zones to other interfaces
|
|
|
e4e66d |
based zones (including the default zone).
|
|
|
e4e66d |
- Valid values; "yes", "no". Defaults to "no".
|
|
|
e4e66d |
+ Valid values; "yes", "no". Defaults to "yes".
|
|
|
e4e66d |
</para></listitem>
|
|
|
e4e66d |
</varlistentry>
|
|
|
e4e66d |
<varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
|
|
|
e4e66d |
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
|
|
|
e4e66d |
index 481eb8de758d..645c76b66c8d 100644
|
|
|
e4e66d |
--- a/src/firewall/config/__init__.py.in
|
|
|
e4e66d |
+++ b/src/firewall/config/__init__.py.in
|
|
|
e4e66d |
@@ -130,4 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"
|
|
|
e4e66d |
FALLBACK_FIREWALL_BACKEND = "nftables"
|
|
|
e4e66d |
FALLBACK_FLUSH_ALL_ON_RELOAD = True
|
|
|
e4e66d |
FALLBACK_RFC3964_IPV4 = True
|
|
|
e4e66d |
-FALLBACK_ALLOW_ZONE_DRIFTING = False
|
|
|
e4e66d |
+FALLBACK_ALLOW_ZONE_DRIFTING = True
|
|
|
e4e66d |
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
|
|
|
e4e66d |
index 74f480f8730f..c47c14ea1fc2 100644
|
|
|
e4e66d |
--- a/src/tests/cli/firewall-cmd.at
|
|
|
e4e66d |
+++ b/src/tests/cli/firewall-cmd.at
|
|
|
e4e66d |
@@ -696,6 +696,10 @@ FWD_START_TEST([ipset])
|
|
|
e4e66d |
CHECK_IPSET
|
|
|
e4e66d |
CHECK_IPSET_HASH_MAC
|
|
|
e4e66d |
|
|
|
e4e66d |
+ dnl Expected test results assume this is set to "no"
|
|
|
e4e66d |
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
|
|
|
e4e66d |
+ FWD_RELOAD
|
|
|
e4e66d |
+
|
|
|
e4e66d |
FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip], 0, ignore)
|
|
|
e4e66d |
FWD_CHECK([--reload], 0, ignore)
|
|
|
e4e66d |
FWD_CHECK([--ipset=foobar --get-entries], 0, [
|
|
|
e4e66d |
@@ -1197,6 +1201,10 @@ FWD_START_TEST([rich rules priority])
|
|
|
e4e66d |
|
|
|
e4e66d |
CHECK_LOG_AUDIT
|
|
|
e4e66d |
|
|
|
e4e66d |
+ dnl Expected test results assume this is set to "no"
|
|
|
e4e66d |
+ AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
|
|
|
e4e66d |
+ FWD_RELOAD
|
|
|
e4e66d |
+
|
|
|
e4e66d |
dnl Verify generic layout of zone
|
|
|
e4e66d |
NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl
|
|
|
e4e66d |
table inet firewalld {
|
|
|
e4e66d |
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
|
|
|
e4e66d |
index 35aead759a9c..4eefa3286f9f 100644
|
|
|
e4e66d |
--- a/src/tests/dbus/firewalld.conf.at
|
|
|
e4e66d |
+++ b/src/tests/dbus/firewalld.conf.at
|
|
|
e4e66d |
@@ -4,7 +4,7 @@ AT_KEYWORDS(dbus)
|
|
|
e4e66d |
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
|
|
|
e4e66d |
IF_HOST_SUPPORTS_NFT_FIB([
|
|
|
e4e66d |
DBUS_GETALL([config], [config], 0, [dnl
|
|
|
e4e66d |
-string "AllowZoneDrifting" : variant string "no"
|
|
|
e4e66d |
+string "AllowZoneDrifting" : variant string "yes"
|
|
|
e4e66d |
string "AutomaticHelpers" : variant string "no"
|
|
|
e4e66d |
string "CleanupOnExit" : variant string "no"
|
|
|
e4e66d |
string "DefaultZone" : variant string "public"
|
|
|
e4e66d |
@@ -18,7 +18,7 @@ string "MinimalMark" : variant int32 100
|
|
|
e4e66d |
string "RFC3964_IPv4" : variant string "yes"
|
|
|
e4e66d |
])], [
|
|
|
e4e66d |
DBUS_GETALL([config], [config], 0, [dnl
|
|
|
e4e66d |
-string "AllowZoneDrifting" : variant string "no"
|
|
|
e4e66d |
+string "AllowZoneDrifting" : variant string "yes"
|
|
|
e4e66d |
string "AutomaticHelpers" : variant string "no"
|
|
|
e4e66d |
string "CleanupOnExit" : variant string "no"
|
|
|
e4e66d |
string "DefaultZone" : variant string "public"
|
|
|
e4e66d |
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
|
|
|
e4e66d |
index 54f5f756270b..15fef52612cc 100644
|
|
|
e4e66d |
--- a/src/tests/features/rfc3964_ipv4.at
|
|
|
e4e66d |
+++ b/src/tests/features/rfc3964_ipv4.at
|
|
|
e4e66d |
@@ -1,6 +1,10 @@
|
|
|
e4e66d |
FWD_START_TEST([RFC3964_IPv4])
|
|
|
e4e66d |
AT_KEYWORDS(rfc3964_ipv4)
|
|
|
e4e66d |
|
|
|
e4e66d |
+dnl Expected test results assume this is set to "no"
|
|
|
e4e66d |
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
|
|
|
e4e66d |
+FWD_RELOAD
|
|
|
e4e66d |
+
|
|
|
e4e66d |
AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
|
|
|
e4e66d |
AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
|
|
|
e4e66d |
FWD_RELOAD
|
|
|
e4e66d |
diff --git a/src/tests/functions.at b/src/tests/functions.at
|
|
|
e4e66d |
index 5b3ed3ee4a5a..8f5ceba4d3f2 100644
|
|
|
e4e66d |
--- a/src/tests/functions.at
|
|
|
e4e66d |
+++ b/src/tests/functions.at
|
|
|
e4e66d |
@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [
|
|
|
e4e66d |
IF_HOST_SUPPORTS_IP6TABLES([], [
|
|
|
e4e66d |
sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
|
|
|
e4e66d |
])
|
|
|
e4e66d |
+ sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log
|
|
|
e4e66d |
if test x"$1" != x"ignore"; then
|
|
|
e4e66d |
if test -n "$1"; then
|
|
|
e4e66d |
sed -i $1 ./firewalld.log
|
|
|
e4e66d |
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
|
|
|
e4e66d |
index 241cf547f7f3..8e4846a078b8 100644
|
|
|
e4e66d |
--- a/src/tests/regression/rhbz1514043.at
|
|
|
e4e66d |
+++ b/src/tests/regression/rhbz1514043.at
|
|
|
e4e66d |
@@ -1,6 +1,10 @@
|
|
|
e4e66d |
FWD_START_TEST([--set-log-denied does not zero config])
|
|
|
e4e66d |
AT_KEYWORDS(log_denied rhbz1514043)
|
|
|
e4e66d |
|
|
|
e4e66d |
+dnl Expected test results assume this is set to "no"
|
|
|
e4e66d |
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
|
|
|
e4e66d |
+FWD_RELOAD
|
|
|
e4e66d |
+
|
|
|
e4e66d |
FWD_CHECK([-q --set-log-denied=all])
|
|
|
e4e66d |
FWD_CHECK([-q --permanent --zone=public --add-service=samba])
|
|
|
e4e66d |
FWD_RELOAD
|
|
|
e4e66d |
diff --git a/src/tests/regression/rhbz1715977.at b/src/tests/regression/rhbz1715977.at
|
|
|
e4e66d |
index d548de72b90c..b9886e1a0a2b 100644
|
|
|
e4e66d |
--- a/src/tests/regression/rhbz1715977.at
|
|
|
e4e66d |
+++ b/src/tests/regression/rhbz1715977.at
|
|
|
e4e66d |
@@ -14,6 +14,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
|
|
|
e4e66d |
udp dport 137 ct state new,untracked accept
|
|
|
e4e66d |
udp dport 138 ct state new,untracked accept
|
|
|
e4e66d |
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
|
|
|
e4e66d |
+ tcp dport 9090 ct state new,untracked accept
|
|
|
e4e66d |
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
|
|
|
e4e66d |
}
|
|
|
e4e66d |
}
|
|
|
e4e66d |
@@ -23,6 +24,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
|
|
|
e4e66d |
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
])
|
|
|
e4e66d |
IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
|
|
|
e4e66d |
@@ -31,6 +33,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
|
|
|
e4e66d |
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
])
|
|
|
e4e66d |
|
|
|
e4e66d |
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.111.222/32" source address="10.10.10.0/24" service name="ssh" accept'])
|
|
|
e4e66d |
@@ -44,6 +47,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
|
|
|
e4e66d |
udp dport 137 ct state new,untracked accept
|
|
|
e4e66d |
udp dport 138 ct state new,untracked accept
|
|
|
e4e66d |
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
|
|
|
e4e66d |
+ tcp dport 9090 ct state new,untracked accept
|
|
|
e4e66d |
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
|
|
|
e4e66d |
ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
|
|
|
e4e66d |
}
|
|
|
e4e66d |
@@ -54,6 +58,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
|
|
|
e4e66d |
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
])
|
|
|
e4e66d |
@@ -63,6 +68,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
|
|
|
e4e66d |
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
])
|
|
|
e4e66d |
|
|
|
e4e66d |
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 service name="ssdp" accept'])
|
|
|
e4e66d |
@@ -76,6 +82,7 @@ NFT_LIST_RULES([inet], [filter_IN_internal_allow], 0, [dnl
|
|
|
e4e66d |
udp dport 137 ct state new,untracked accept
|
|
|
e4e66d |
udp dport 138 ct state new,untracked accept
|
|
|
e4e66d |
ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
|
|
|
e4e66d |
+ tcp dport 9090 ct state new,untracked accept
|
|
|
e4e66d |
ip daddr 192.168.122.235 tcp dport 22 ct state new,untracked accept
|
|
|
e4e66d |
ip daddr 192.168.111.222 ip saddr 10.10.10.0/24 tcp dport 22 ct state new,untracked accept
|
|
|
e4e66d |
ip daddr 239.255.255.250 udp dport 1900 ct state new,untracked accept
|
|
|
e4e66d |
@@ -87,6 +94,7 @@ IPTABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
|
|
|
e4e66d |
ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
+ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT tcp -- 0.0.0.0/0 192.168.122.235 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT tcp -- 10.10.10.0/24 192.168.111.222 tcp dpt:22 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp -- 0.0.0.0/0 239.255.255.250 udp dpt:1900 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
@@ -97,6 +105,7 @@ IP6TABLES_LIST_RULES([filter], [IN_internal_allow], 0, [dnl
|
|
|
e4e66d |
ACCEPT udp ::/0 ::/0 udp dpt:137 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp ::/0 ::/0 udp dpt:138 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
+ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
|
|
|
e4e66d |
])
|
|
|
e4e66d |
|
|
|
e4e66d |
FWD_CHECK([-q --zone=internal --add-rich-rule='rule family=ipv4 destination address="192.168.122.235/32" service name="mdns" accept'], 122, [ignore], [ignore])
|
|
|
e4e66d |
--
|
|
|
e4e66d |
2.23.0
|
|
|
e4e66d |
|