rpms / firewalld

Clone
Source Code
GIT

Blame SOURCES/0017-ipXtables-simplify-rpfilter-rule-generation.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c9 c9-beta
  1.   c7-beta
  2.   SOURCES
  3.   0017-ipXtables-simplify-rpfilter-rule-generation.patch
Blob History Raw
c8bceb 
From e387abcc0f63b83a407c720a99f4d5ea787186d6 Mon Sep 17 00:00:00 2001
c8bceb 
From: Eric Garver <e@erig.me>
c8bceb 
Date: Thu, 20 Dec 2018 15:34:36 -0500
c8bceb 
Subject: [PATCH 17/23] ipXtables: simplify rpfilter rule generation
c8bceb
c8bceb 
Don't bother specifying indexes. Just insert them in the correct order.
c8bceb
c8bceb 
(cherry picked from commit e93b1c1801ce2b8a71e433d90f095a7693e9a2a7)
c8bceb 
---
c8bceb 
 src/firewall/core/ipXtables.py | 18 +++++++++---------
c8bceb 
 1 file changed, 9 insertions(+), 9 deletions(-)
c8bceb
c8bceb 
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
c8bceb 
index b98ba5228e68..2bd8cc20dc7b 100644
c8bceb 
--- a/src/firewall/core/ipXtables.py
c8bceb 
+++ b/src/firewall/core/ipXtables.py
c8bceb 
@@ -1132,19 +1132,19 @@ class ip6tables(ip4tables):
c8bceb
c8bceb 
     def build_rpfilter_rules(self, log_denied=False):
c8bceb 
         rules = []
c8bceb 
-        rules.append([ "-I", "PREROUTING", "1", "-t", "raw",
c8bceb 
+        rules.append([ "-I", "PREROUTING", "-t", "raw",
c8bceb 
+                       "-m", "rpfilter", "--invert", "-j", "DROP" ])
c8bceb 
+        if log_denied != "off":
c8bceb 
+            rules.append([ "-I", "PREROUTING", "-t", "raw",
c8bceb 
+                           "-m", "rpfilter", "--invert",
c8bceb 
+                           "-j", "LOG",
c8bceb 
+                           "--log-prefix", "rpfilter_DROP: " ])
c8bceb 
+        rules.append([ "-I", "PREROUTING", "-t", "raw",
c8bceb 
                        "-p", "ipv6-icmp",
c8bceb 
                        "--icmpv6-type=neighbour-solicitation",
c8bceb 
                        "-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17
c8bceb 
-        rules.append([ "-I", "PREROUTING", "2", "-t", "raw",
c8bceb 
+        rules.append([ "-I", "PREROUTING", "-t", "raw",
c8bceb 
                        "-p", "ipv6-icmp",
c8bceb 
                        "--icmpv6-type=router-advertisement",
c8bceb 
                        "-j", "ACCEPT" ]) # RHBZ#1058505
c8bceb 
-        rules.append([ "-I", "PREROUTING", "3", "-t", "raw",
c8bceb 
-                       "-m", "rpfilter", "--invert", "-j", "DROP" ])
c8bceb 
-        if log_denied != "off":
c8bceb 
-            rules.append([ "-I", "PREROUTING", "3", "-t", "raw",
c8bceb 
-                           "-m", "rpfilter", "--invert",
c8bceb 
-                           "-j", "LOG",
c8bceb 
-                           "--log-prefix", "rpfilter_DROP: " ])
c8bceb 
         return rules
c8bceb 
--
c8bceb 
2.20.1
c8bceb

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation