|
 |
21c891 |
From 0166f79231381947c8ba90aad16863f052835bc0 Mon Sep 17 00:00:00 2001
|
|
|
21c891 |
From: Eric Garver <e@erig.me>
|
|
|
21c891 |
Date: Fri, 2 Nov 2018 14:10:38 -0400
|
|
|
21c891 |
Subject: [PATCH 05/34] rich rules: fix mark action
|
|
|
21c891 |
|
|
|
21c891 |
They were being placed in the wrong (and nonexistent) chain. Also add
|
|
|
21c891 |
test coverage for the "mark" action.
|
|
|
21c891 |
|
|
|
21c891 |
Fixes: 7c5f5f4d12ee ("fw_zone: push rich rule generation to backend")
|
|
|
21c891 |
Tested-by: Felix Kaechele <heffer@fedoraproject.org>
|
|
|
21c891 |
(cherry picked from commit 5d36e0f55887c6204e07bd8095ead1ce2d535ddb)
|
|
|
21c891 |
(cherry picked from commit da851982df4020460fe4fa005dd99be4357ff9bd)
|
|
|
21c891 |
---
|
|
|
21c891 |
src/firewall/core/ipXtables.py | 4 ++--
|
|
|
21c891 |
src/firewall/core/nftables.py | 4 ++--
|
|
|
21c891 |
src/tests/firewall-cmd.at | 1 +
|
|
|
21c891 |
3 files changed, 5 insertions(+), 4 deletions(-)
|
|
|
21c891 |
|
|
|
21c891 |
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
|
|
|
21c891 |
index 11aebec6e05a..b98ba5228e68 100644
|
|
|
21c891 |
--- a/src/firewall/core/ipXtables.py
|
|
|
21c891 |
+++ b/src/firewall/core/ipXtables.py
|
|
|
21c891 |
@@ -807,10 +807,10 @@ class ip4tables(object):
|
|
|
21c891 |
chain = "%s_deny" % target
|
|
|
21c891 |
rule_action = [ "-j", "DROP" ]
|
|
|
21c891 |
elif type(rich_rule.action) == Rich_Mark:
|
|
|
21c891 |
- chain = "%s_allow" % target
|
|
|
21c891 |
- table = "mangle"
|
|
|
21c891 |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
|
|
|
21c891 |
zone=zone)
|
|
|
21c891 |
+ table = "mangle"
|
|
|
21c891 |
+ chain = "%s_allow" % target
|
|
|
21c891 |
rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
|
|
|
21c891 |
else:
|
|
|
21c891 |
raise FirewallError(INVALID_RULE,
|
|
|
21c891 |
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
|
|
21c891 |
index cd05b2c3137e..69236a9600c2 100644
|
|
|
21c891 |
--- a/src/firewall/core/nftables.py
|
|
|
21c891 |
+++ b/src/firewall/core/nftables.py
|
|
|
21c891 |
@@ -723,10 +723,10 @@ class nftables(object):
|
|
|
21c891 |
chain = "%s_%s_deny" % (table, target)
|
|
|
21c891 |
rule_action = ["drop"]
|
|
|
21c891 |
elif type(rich_rule.action) == Rich_Mark:
|
|
|
21c891 |
- table = "mangle"
|
|
|
21c891 |
- chain = "%s_%s_allow" % (table, target)
|
|
|
21c891 |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
|
|
|
21c891 |
zone=zone)
|
|
|
21c891 |
+ table = "mangle"
|
|
|
21c891 |
+ chain = "%s_%s_allow" % (table, target)
|
|
|
21c891 |
rule_action = ["meta", "mark", "set", rich_rule.action.set]
|
|
|
21c891 |
else:
|
|
|
21c891 |
raise FirewallError(INVALID_RULE,
|
|
|
21c891 |
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
|
|
|
21c891 |
index f496b67e4a35..82ffa9f52b47 100644
|
|
|
21c891 |
--- a/src/tests/firewall-cmd.at
|
|
|
21c891 |
+++ b/src/tests/firewall-cmd.at
|
|
|
21c891 |
@@ -863,6 +863,7 @@ FWD_START_TEST([rich rules good])
|
|
|
21c891 |
rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])
|
|
|
21c891 |
rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
|
|
|
21c891 |
rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
|
|
|
21c891 |
+ rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])
|
|
|
21c891 |
FWD_END_TEST
|
|
|
21c891 |
FWD_START_TEST([rich rules audit])
|
|
|
21c891 |
CHECK_LOG_AUDIT
|
|
|
21c891 |
--
|
|
|
21c891 |
2.18.0
|
|
|
21c891 |
|