
From 7eff52fa9a7fe21549486e4c92869303f2dc9759 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 17 Apr 2019 15:57:22 -0400
Subject: [PATCH 29/73] fix: ipXtables: don't use tables that aren't available
At least for the default ruleset we can avoid failure if some of these
tables are missing. But features that use those missing tables will
still fail if the user attempts to use those features.
Here is a probably incomplete mapping of tables -> features:
  raw:	    helpers, IPv6_rpfilter
  mangle:   rich rule mark action
  nat:	    masquerade, forward ports
  security: none
Of course, direct rules apply to all tables. It is fatal if the "filter"
table is not available.
Fixes: #411
Fixes: #484
(cherry picked from commit c46b0892e1e4a540c959b4c1f6ea87de50d1bcf8)
(cherry picked from commit 1dfbd1b2ba848e281876f7e40b47b8bc18a6d305)
---
 src/firewall/core/ipXtables.py | 104 ++++++++++++++++++---------------
 1 file changed, 56 insertions(+), 48 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index c21dc47457b3..4a9c06242f08 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -449,6 +449,8 @@ class ip4tables(object):
     def build_flush_rules(self):
         rules = []
         for table in BUILT_IN_CHAINS.keys():
+            if not self.get_available_tables(table):
+                continue
             # Flush firewall rules: -F
             # Delete firewall chains: -X
             # Set counter to zero: -Z
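Review bot: The new `if not self.get_available_tables(table): continue` at the top of the loop also skips the `filter` table when it is absent, while the commit message states that a missing filter table is fatal; the same pattern is added to build_set_policy_rules in the next hunk. If that fatal check lives elsewhere, a comment such as `# a missing "filter" table is fatal and is rejected in <where-the-check-lives>` would tie the two together, otherwise `if table != "filter" and not self.get_available_tables(table):` keeps the hard failure here. get_available_tables is not visible on this page; if it shells out rather than returning a cached answer, this adds one lookup per table on every flush, which is worth confirming. The body of build_flush_rules continues past the hunk.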
@@ -459,6 +461,8 @@ class ip4tables(object):
     def build_set_policy_rules(self, policy):
         rules = []
         for table in BUILT_IN_CHAINS.keys():
+            if not self.get_available_tables(table):
+                continue
             if table == "nat":
                 continue
             for chain in BUILT_IN_CHAINS[table]:
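Review bot: The availability lookup is placed before the pre-existing `if table == "nat": continue`, so the nat table is queried on every call only to be skipped regardless; putting the cheap constant test first avoids that: `if table == "nat": continue` followed by `if not self.get_available_tables(table): continue`. Whether the lookup is expensive depends on get_available_tables, which is not shown here. The method's body continues past the hunk.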
@@ -505,54 +509,58 @@ class ip4tables(object):
     def build_default_rules(self, log_denied="off"):
         default_rules = {}
 
-        default_rules["security"] = [ ]
-        self.our_chains["security"] = set()
-        for chain in BUILT_IN_CHAINS["security"]:
-            default_rules["security"].append("-N %s_direct" % chain)
-            default_rules["security"].append("-A %s -j %s_direct" % (chain, chain))
-            self.our_chains["security"].add("%s_direct" % chain)
-
-        default_rules["raw"] = [ ]
-        self.our_chains["raw"] = set()
-        for chain in BUILT_IN_CHAINS["raw"]:
-            default_rules["raw"].append("-N %s_direct" % chain)
-            default_rules["raw"].append("-A %s -j %s_direct" % (chain, chain))
-            self.our_chains["raw"].add("%s_direct" % chain)
-
-            if chain == "PREROUTING":
-                default_rules["raw"].append("-N %s_ZONES_SOURCE" % chain)
-                default_rules["raw"].append("-N %s_ZONES" % chain)
-                default_rules["raw"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
-                default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain))
-                self.our_chains["raw"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
-
-        default_rules["mangle"] = [ ]
-        self.our_chains["mangle"] = set()
-        for chain in BUILT_IN_CHAINS["mangle"]:
-            default_rules["mangle"].append("-N %s_direct" % chain)
-            default_rules["mangle"].append("-A %s -j %s_direct" % (chain, chain))
-            self.our_chains["mangle"].add("%s_direct" % chain)
-
-            if chain == "PREROUTING":
-                default_rules["mangle"].append("-N %s_ZONES_SOURCE" % chain)
-                default_rules["mangle"].append("-N %s_ZONES" % chain)
-                default_rules["mangle"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
-                default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain))
-                self.our_chains["mangle"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
-
-        default_rules["nat"] = [ ]
-        self.our_chains["nat"] = set()
-        for chain in BUILT_IN_CHAINS["nat"]:
-            default_rules["nat"].append("-N %s_direct" % chain)
-            default_rules["nat"].append("-A %s -j %s_direct" % (chain, chain))
-            self.our_chains["nat"].add("%s_direct" % chain)
-
-            if chain in [ "PREROUTING", "POSTROUTING" ]:
-                default_rules["nat"].append("-N %s_ZONES_SOURCE" % chain)
-                default_rules["nat"].append("-N %s_ZONES" % chain)
-                default_rules["nat"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
-                default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain))
-                self.our_chains["nat"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
+        if self.get_available_tables("security"):
+            default_rules["security"] = [ ]
+            self.our_chains["security"] = set()
+            for chain in BUILT_IN_CHAINS["security"]:
+                default_rules["security"].append("-N %s_direct" % chain)
+                default_rules["security"].append("-A %s -j %s_direct" % (chain, chain))
+                self.our_chains["security"].add("%s_direct" % chain)
+
+        if self.get_available_tables("raw"):
+            default_rules["raw"] = [ ]
+            self.our_chains["raw"] = set()
+            for chain in BUILT_IN_CHAINS["raw"]:
+                default_rules["raw"].append("-N %s_direct" % chain)
+                default_rules["raw"].append("-A %s -j %s_direct" % (chain, chain))
+                self.our_chains["raw"].add("%s_direct" % chain)
+
+                if chain == "PREROUTING":
+                    default_rules["raw"].append("-N %s_ZONES_SOURCE" % chain)
+                    default_rules["raw"].append("-N %s_ZONES" % chain)
+                    default_rules["raw"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
+                    default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain))
+                    self.our_chains["raw"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
+
+        if self.get_available_tables("mangle"):
+            default_rules["mangle"] = [ ]
+            self.our_chains["mangle"] = set()
+            for chain in BUILT_IN_CHAINS["mangle"]:
+                default_rules["mangle"].append("-N %s_direct" % chain)
+                default_rules["mangle"].append("-A %s -j %s_direct" % (chain, chain))
+                self.our_chains["mangle"].add("%s_direct" % chain)
+
+                if chain == "PREROUTING":
+                    default_rules["mangle"].append("-N %s_ZONES_SOURCE" % chain)
+                    default_rules["mangle"].append("-N %s_ZONES" % chain)
+                    default_rules["mangle"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
+                    default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain))
+                    self.our_chains["mangle"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
+
+        if self.get_available_tables("nat"):
+            default_rules["nat"] = [ ]
+            self.our_chains["nat"] = set()
+            for chain in BUILT_IN_CHAINS["nat"]:
+                default_rules["nat"].append("-N %s_direct" % chain)
+                default_rules["nat"].append("-A %s -j %s_direct" % (chain, chain))
+                self.our_chains["nat"].add("%s_direct" % chain)
+
+                if chain in [ "PREROUTING", "POSTROUTING" ]:
+                    default_rules["nat"].append("-N %s_ZONES_SOURCE" % chain)
+                    default_rules["nat"].append("-N %s_ZONES" % chain)
+                    default_rules["nat"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
+                    default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain))
+                    self.our_chains["nat"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
 
         default_rules["filter"] = [
             "-N INPUT_direct",
-- 
2.20.1