
From 7eff52fa9a7fe21549486e4c92869303f2dc9759 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 17 Apr 2019 15:57:22 -0400
Subject: [PATCH 29/73] fix: ipXtables: don't use tables that aren't available
At least for the default ruleset we can avoid failure if some of these
tables are missing. But features that use those missing tables will
still fail if the user attempts to use those features.
Here is a (probably incomplete) mapping of tables to the features that depend on them:
  raw:	    helpers, IPv6_rpfilter
  mangle:   rich rule mark action
  nat:	    masquerade, forward ports
  security: none
Of course, direct rules apply to all tables. It is fatal if the "filter"
table is not available.
Fixes: #411
Fixes: #484
(cherry picked from commit c46b0892e1e4a540c959b4c1f6ea87de50d1bcf8)
(cherry picked from commit 1dfbd1b2ba848e281876f7e40b47b8bc18a6d305)
---
 src/firewall/core/ipXtables.py | 104 ++++++++++++++++++---------------
 1 file changed, 56 insertions(+), 48 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
c8bceb
index c21dc47457b3..4a9c06242f08 100644
c8bceb
--- a/src/firewall/core/ipXtables.py
c8bceb
+++ b/src/firewall/core/ipXtables.py
c8bceb
@@ -449,6 +449,8 @@ class ip4tables(object):
c8bceb
     def build_flush_rules(self):
c8bceb
         rules = []
c8bceb
         for table in BUILT_IN_CHAINS.keys():
c8bceb
+            if not self.get_available_tables(table):
c8bceb
+                continue
c8bceb
             # Flush firewall rules: -F
c8bceb
             # Delete firewall chains: -X
c8bceb
             # Set counter to zero: -Z
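Review bot: The inserted guard silently drops an entire table from the flush set whenever `get_available_tables(table)` comes back empty, and nothing in the hunk records that this happened. If the probe behind that call can fail for reasons other than the table being absent (a held xtables lock or a permission error at startup, for instance — its implementation is not visible here), the daemon would now continue with a partial ruleset instead of failing, so the degradation should at least be visible in the log: `log.warning("%s table '%s' not available, skipping" % (self.ipv, table))` before the `continue`, assuming the module's `log` helper and `self.ipv` are in scope as they appear to be elsewhere in this class. The body of build_flush_rules continues past the end of the hunk.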
c8bceb
@@ -459,6 +461,8 @@ class ip4tables(object):
c8bceb
     def build_set_policy_rules(self, policy):
c8bceb
         rules = []
c8bceb
         for table in BUILT_IN_CHAINS.keys():
c8bceb
+            if not self.get_available_tables(table):
c8bceb
+                continue
c8bceb
             if table == "nat":
c8bceb
                 continue
c8bceb
             for chain in BUILT_IN_CHAINS[table]:
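Review bot: The new availability probe runs before the pre-existing `if table == "nat": continue`, so the `nat` table is probed and then skipped regardless of the result; folding the two guards into one `if table == "nat" or not self.get_available_tables(table): continue` puts the cheap string comparison first and keeps both skip conditions in one place. Whether the extra probe actually costs anything depends on caching inside `get_available_tables`, which I cannot see from this hunk. build_set_policy_rules continues beyond the hunk.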
c8bceb
@@ -505,54 +509,58 @@ class ip4tables(object):
c8bceb
     def build_default_rules(self, log_denied="off"):
c8bceb
         default_rules = {}
c8bceb
 
c8bceb
-        default_rules["security"] = [ ]
c8bceb
-        self.our_chains["security"] = set()
c8bceb
-        for chain in BUILT_IN_CHAINS["security"]:
c8bceb
-            default_rules["security"].append("-N %s_direct" % chain)
c8bceb
-            default_rules["security"].append("-A %s -j %s_direct" % (chain, chain))
c8bceb
-            self.our_chains["security"].add("%s_direct" % chain)
c8bceb
-
c8bceb
-        default_rules["raw"] = [ ]
c8bceb
-        self.our_chains["raw"] = set()
c8bceb
-        for chain in BUILT_IN_CHAINS["raw"]:
c8bceb
-            default_rules["raw"].append("-N %s_direct" % chain)
c8bceb
-            default_rules["raw"].append("-A %s -j %s_direct" % (chain, chain))
c8bceb
-            self.our_chains["raw"].add("%s_direct" % chain)
c8bceb
-
c8bceb
-            if chain == "PREROUTING":
c8bceb
-                default_rules["raw"].append("-N %s_ZONES_SOURCE" % chain)
c8bceb
-                default_rules["raw"].append("-N %s_ZONES" % chain)
c8bceb
-                default_rules["raw"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
c8bceb
-                default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain))
c8bceb
-                self.our_chains["raw"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
c8bceb
-
c8bceb
-        default_rules["mangle"] = [ ]
c8bceb
-        self.our_chains["mangle"] = set()
c8bceb
-        for chain in BUILT_IN_CHAINS["mangle"]:
c8bceb
-            default_rules["mangle"].append("-N %s_direct" % chain)
c8bceb
-            default_rules["mangle"].append("-A %s -j %s_direct" % (chain, chain))
c8bceb
-            self.our_chains["mangle"].add("%s_direct" % chain)
c8bceb
-
c8bceb
-            if chain == "PREROUTING":
c8bceb
-                default_rules["mangle"].append("-N %s_ZONES_SOURCE" % chain)
c8bceb
-                default_rules["mangle"].append("-N %s_ZONES" % chain)
c8bceb
-                default_rules["mangle"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
c8bceb
-                default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain))
c8bceb
-                self.our_chains["mangle"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
c8bceb
-
c8bceb
-        default_rules["nat"] = [ ]
c8bceb
-        self.our_chains["nat"] = set()
c8bceb
-        for chain in BUILT_IN_CHAINS["nat"]:
c8bceb
-            default_rules["nat"].append("-N %s_direct" % chain)
c8bceb
-            default_rules["nat"].append("-A %s -j %s_direct" % (chain, chain))
c8bceb
-            self.our_chains["nat"].add("%s_direct" % chain)
c8bceb
-
c8bceb
-            if chain in [ "PREROUTING", "POSTROUTING" ]:
c8bceb
-                default_rules["nat"].append("-N %s_ZONES_SOURCE" % chain)
c8bceb
-                default_rules["nat"].append("-N %s_ZONES" % chain)
c8bceb
-                default_rules["nat"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
c8bceb
-                default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain))
c8bceb
-                self.our_chains["nat"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
c8bceb
+        if self.get_available_tables("security"):
c8bceb
+            default_rules["security"] = [ ]
c8bceb
+            self.our_chains["security"] = set()
c8bceb
+            for chain in BUILT_IN_CHAINS["security"]:
c8bceb
+                default_rules["security"].append("-N %s_direct" % chain)
c8bceb
+                default_rules["security"].append("-A %s -j %s_direct" % (chain, chain))
c8bceb
+                self.our_chains["security"].add("%s_direct" % chain)
c8bceb
+
c8bceb
+        if self.get_available_tables("raw"):
c8bceb
+            default_rules["raw"] = [ ]
c8bceb
+            self.our_chains["raw"] = set()
c8bceb
+            for chain in BUILT_IN_CHAINS["raw"]:
c8bceb
+                default_rules["raw"].append("-N %s_direct" % chain)
c8bceb
+                default_rules["raw"].append("-A %s -j %s_direct" % (chain, chain))
c8bceb
+                self.our_chains["raw"].add("%s_direct" % chain)
c8bceb
+
c8bceb
+                if chain == "PREROUTING":
c8bceb
+                    default_rules["raw"].append("-N %s_ZONES_SOURCE" % chain)
c8bceb
+                    default_rules["raw"].append("-N %s_ZONES" % chain)
c8bceb
+                    default_rules["raw"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
c8bceb
+                    default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain))
c8bceb
+                    self.our_chains["raw"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
c8bceb
+
c8bceb
+        if self.get_available_tables("mangle"):
c8bceb
+            default_rules["mangle"] = [ ]
c8bceb
+            self.our_chains["mangle"] = set()
c8bceb
+            for chain in BUILT_IN_CHAINS["mangle"]:
c8bceb
+                default_rules["mangle"].append("-N %s_direct" % chain)
c8bceb
+                default_rules["mangle"].append("-A %s -j %s_direct" % (chain, chain))
c8bceb
+                self.our_chains["mangle"].add("%s_direct" % chain)
c8bceb
+
c8bceb
+                if chain == "PREROUTING":
c8bceb
+                    default_rules["mangle"].append("-N %s_ZONES_SOURCE" % chain)
c8bceb
+                    default_rules["mangle"].append("-N %s_ZONES" % chain)
c8bceb
+                    default_rules["mangle"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
c8bceb
+                    default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain))
c8bceb
+                    self.our_chains["mangle"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
c8bceb
+
c8bceb
+        if self.get_available_tables("nat"):
c8bceb
+            default_rules["nat"] = [ ]
c8bceb
+            self.our_chains["nat"] = set()
c8bceb
+            for chain in BUILT_IN_CHAINS["nat"]:
c8bceb
+                default_rules["nat"].append("-N %s_direct" % chain)
c8bceb
+                default_rules["nat"].append("-A %s -j %s_direct" % (chain, chain))
c8bceb
+                self.our_chains["nat"].add("%s_direct" % chain)
c8bceb
+
c8bceb
+                if chain in [ "PREROUTING", "POSTROUTING" ]:
c8bceb
+                    default_rules["nat"].append("-N %s_ZONES_SOURCE" % chain)
c8bceb
+                    default_rules["nat"].append("-N %s_ZONES" % chain)
c8bceb
+                    default_rules["nat"].append("-A %s -j %s_ZONES_SOURCE" % (chain, chain))
c8bceb
+                    default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain))
c8bceb
+                    self.our_chains["nat"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
c8bceb
 
c8bceb
         default_rules["filter"] = [
c8bceb
             "-N INPUT_direct",
c8bceb
-- 
2.20.1