|
 |
087194 |
From 3fbf366505d866c042e9dbc29a3fb6f30aff5459 Mon Sep 17 00:00:00 2001
|
|
|
087194 |
From: Eric Garver <eric@garver.life>
|
|
|
087194 |
Date: Sun, 19 Jan 2020 14:13:36 -0500
|
|
|
087194 |
Subject: [PATCH 30/35] feat: AllowZoneDrifting config option
|
|
|
087194 |
|
|
|
087194 |
Older versions of firewalld had undocumented behavior known as "zone
|
|
|
087194 |
drifting". This allowed packets to ingress multiple zones - this is a
|
|
|
087194 |
violation of zone based firewalls. However, some users rely on this
|
|
|
087194 |
behavior to have a "catch-all" zone, e.g. the default zone. You can
|
|
|
087194 |
enable this if you desire such behavior. It's disabled by default for
|
|
|
087194 |
security reasons.
|
|
|
087194 |
|
|
|
087194 |
Note: If "yes" packets will only drift from source based zones to
|
|
|
087194 |
interface based zones (including the default zone). Packets never drift
|
|
|
087194 |
from interface based zones to other interfaces based zones (including
|
|
|
087194 |
the default zone).
|
|
|
087194 |
|
|
|
087194 |
(cherry picked from commit afadd377b09dc62b340d24bcf891d31f040d1a18)
|
|
|
087194 |
(cherry picked from commit cb71601436854404b59e53fbdf3eaea1dec9bd80)
|
|
|
087194 |
---
|
|
|
087194 |
config/firewalld.conf | 12 ++++++++++++
|
|
|
087194 |
doc/xml/firewalld.conf.xml | 19 +++++++++++++++++++
|
|
|
087194 |
doc/xml/firewalld.dbus.xml | 16 ++++++++++++++++
|
|
|
087194 |
src/firewall/config/__init__.py.in | 1 +
|
|
|
087194 |
src/firewall/core/fw.py | 14 ++++++++++++++
|
|
|
087194 |
src/firewall/core/io/firewalld_conf.py | 13 +++++++++++--
|
|
|
087194 |
src/firewall/server/config.py | 20 +++++++++++++++++---
|
|
|
087194 |
src/tests/dbus/firewalld.conf.at | 2 ++
|
|
|
087194 |
8 files changed, 92 insertions(+), 5 deletions(-)
|
|
|
087194 |
|
|
|
087194 |
diff --git a/config/firewalld.conf b/config/firewalld.conf
|
|
|
087194 |
index 423b7ea0733a..ebf8021226b7 100644
|
|
|
087194 |
--- a/config/firewalld.conf
|
|
|
087194 |
+++ b/config/firewalld.conf
|
|
|
087194 |
@@ -71,3 +71,15 @@ FlushAllOnReload=yes
|
|
|
087194 |
# internet.
|
|
|
087194 |
# Defaults to "yes".
|
|
|
087194 |
RFC3964_IPv4=yes
|
|
|
087194 |
+
|
|
|
087194 |
+# AllowZoneDrifting
|
|
|
087194 |
+# Older versions of firewalld had undocumented behavior known as "zone
|
|
|
087194 |
+# drifting". This allowed packets to ingress multiple zones - this is a
|
|
|
087194 |
+# violation of zone based firewalls. However, some users rely on this behavior
|
|
|
087194 |
+# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
|
|
|
087194 |
+# desire such behavior. It's disabled by default for security reasons.
|
|
|
087194 |
+# Note: If "yes" packets will only drift from source based zones to interface
|
|
|
087194 |
+# based zones (including the default zone). Packets never drift from interface
|
|
|
087194 |
+# based zones to other interfaces based zones (including the default zone).
|
|
|
087194 |
+# Possible values; "yes", "no". Defaults to "no".
|
|
|
087194 |
+AllowZoneDrifting=no
|
|
|
087194 |
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
|
|
|
087194 |
index 1e229ed1d8b6..8108066e88bf 100644
|
|
|
087194 |
--- a/doc/xml/firewalld.conf.xml
|
|
|
087194 |
+++ b/doc/xml/firewalld.conf.xml
|
|
|
087194 |
@@ -183,6 +183,25 @@
|
|
|
087194 |
</listitem>
|
|
|
087194 |
</varlistentry>
|
|
|
087194 |
|
|
|
087194 |
+ <varlistentry>
|
|
|
087194 |
+ <term><option>AllowZoneDrifting</option></term>
|
|
|
087194 |
+ <listitem>
|
|
|
087194 |
+ <para>
|
|
|
087194 |
+ Older versions of firewalld had undocumented behavior known
|
|
|
087194 |
+ as "zone drifting". This allowed packets to ingress multiple
|
|
|
087194 |
+ zones - this is a violation of zone based firewalls. However,
|
|
|
087194 |
+ some users rely on this behavior to have a "catch-all" zone,
|
|
|
087194 |
+ e.g. the default zone. You can enable this if you desire such
|
|
|
087194 |
+ behavior. It's disabled by default for security reasons.
|
|
|
087194 |
+ Note: If "yes" packets will only drift from source based zones
|
|
|
087194 |
+ to interface based zones (including the default zone). Packets
|
|
|
087194 |
+ never drift from interface based zones to other interfaces
|
|
|
087194 |
+ based zones (including the default zone).
|
|
|
087194 |
+ Valid values; "yes", "no". Defaults to "no".
|
|
|
087194 |
+ </para>
|
|
|
087194 |
+ </listitem>
|
|
|
087194 |
+ </varlistentry>
|
|
|
087194 |
+
|
|
|
087194 |
</variablelist>
|
|
|
087194 |
|
|
|
087194 |
</refsect1>
|
|
|
087194 |
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
|
|
|
087194 |
index 4a81e8e61858..f72bad526d65 100644
|
|
|
087194 |
--- a/doc/xml/firewalld.dbus.xml
|
|
|
087194 |
+++ b/doc/xml/firewalld.dbus.xml
|
|
|
087194 |
@@ -2577,6 +2577,22 @@
|
|
|
087194 |
<refsect3 id="FirewallD1.config.Properties">
|
|
|
087194 |
<title>Properties</title>
|
|
|
087194 |
<variablelist>
|
|
|
087194 |
+ <varlistentry id="FirewallD1.config.Properties.AllowZoneDrifting">
|
|
|
087194 |
+ <term><parameter>AllowZoneDrifting</parameter> - s - (rw)</term>
|
|
|
087194 |
+ <listitem><para>
|
|
|
087194 |
+ Older versions of firewalld had undocumented behavior known
|
|
|
087194 |
+ as "zone drifting". This allowed packets to ingress multiple
|
|
|
087194 |
+ zones - this is a violation of zone based firewalls. However,
|
|
|
087194 |
+ some users rely on this behavior to have a "catch-all" zone,
|
|
|
087194 |
+ e.g. the default zone. You can enable this if you desire such
|
|
|
087194 |
+ behavior. It's disabled by default for security reasons.
|
|
|
087194 |
+ Note: If "yes" packets will only drift from source based zones
|
|
|
087194 |
+ to interface based zones (including the default zone). Packets
|
|
|
087194 |
+ never drift from interface based zones to other interfaces
|
|
|
087194 |
+ based zones (including the default zone).
|
|
|
087194 |
+ Valid values; "yes", "no". Defaults to "no".
|
|
|
087194 |
+ </para></listitem>
|
|
|
087194 |
+ </varlistentry>
|
|
|
087194 |
<varlistentry id="FirewallD1.config.Properties.AutomaticHelpers">
|
|
|
087194 |
<term>AutomaticHelpers - s - (rw)</term>
|
|
|
087194 |
<listitem>
|
|
|
087194 |
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
|
|
|
087194 |
index 5bb318c5b269..c009d93e4164 100644
|
|
|
087194 |
--- a/src/firewall/config/__init__.py.in
|
|
|
087194 |
+++ b/src/firewall/config/__init__.py.in
|
|
|
087194 |
@@ -132,3 +132,4 @@ FALLBACK_AUTOMATIC_HELPERS = "system"
|
|
|
087194 |
FALLBACK_FIREWALL_BACKEND = "nftables"
|
|
|
087194 |
FALLBACK_FLUSH_ALL_ON_RELOAD = True
|
|
|
087194 |
FALLBACK_RFC3964_IPV4 = True
|
|
|
087194 |
+FALLBACK_ALLOW_ZONE_DRIFTING = False
|
|
|
087194 |
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
|
|
|
087194 |
index a09c022a2baf..07bc9f375771 100644
|
|
|
087194 |
--- a/src/firewall/core/fw.py
|
|
|
087194 |
+++ b/src/firewall/core/fw.py
|
|
|
087194 |
@@ -127,6 +127,7 @@ class Firewall(object):
|
|
|
087194 |
self.nf_conntrack_helper_setting = 0
|
|
|
087194 |
self.nf_conntrack_helpers = { }
|
|
|
087194 |
self.nf_nat_helpers = { }
|
|
|
087194 |
+ self._allow_zone_drifting = config.FALLBACK_ALLOW_ZONE_DRIFTING
|
|
|
087194 |
|
|
|
087194 |
def individual_calls(self):
|
|
|
087194 |
return self._individual_calls
|
|
|
087194 |
@@ -324,6 +325,19 @@ class Firewall(object):
|
|
|
087194 |
log.debug1("RFC3964_IPv4 is set to '%s'",
|
|
|
087194 |
self._rfc3964_ipv4)
|
|
|
087194 |
|
|
|
087194 |
+ if self._firewalld_conf.get("AllowZoneDrifting"):
|
|
|
087194 |
+ value = self._firewalld_conf.get("AllowZoneDrifting")
|
|
|
087194 |
+ if value.lower() in [ "no", "false" ]:
|
|
|
087194 |
+ self._allow_zone_drifting = False
|
|
|
087194 |
+ else:
|
|
|
087194 |
+ self._allow_zone_drifting = True
|
|
|
087194 |
+ log.warning("AllowZoneDrifting is enabled. This is considered "
|
|
|
087194 |
+ "an insecure configuration option. It will be "
|
|
|
087194 |
+ "removed in a future release. Please consider "
|
|
|
087194 |
+ "disabling it now.")
|
|
|
087194 |
+ log.debug1("AllowZoneDrifting is set to '%s'",
|
|
|
087194 |
+ self._allow_zone_drifting)
|
|
|
087194 |
+
|
|
|
087194 |
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
|
|
|
087194 |
|
|
|
087194 |
self._select_firewall_backend(self._firewall_backend)
|
|
|
087194 |
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
|
|
|
087194 |
index c7a7ba283e0e..aec62e3a753c 100644
|
|
|
087194 |
--- a/src/firewall/core/io/firewalld_conf.py
|
|
|
087194 |
+++ b/src/firewall/core/io/firewalld_conf.py
|
|
|
087194 |
@@ -28,10 +28,10 @@ from firewall import config
|
|
|
087194 |
from firewall.core.logger import log
|
|
|
087194 |
from firewall.functions import b2u, u2b, PY2
|
|
|
087194 |
|
|
|
087194 |
-valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
|
|
|
087194 |
+valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
|
|
|
087194 |
"IPv6_rpfilter", "IndividualCalls", "LogDenied",
|
|
|
087194 |
"AutomaticHelpers", "FirewallBackend", "FlushAllOnReload",
|
|
|
087194 |
- "RFC3964_IPv4" ]
|
|
|
087194 |
+ "RFC3964_IPv4", "AllowZoneDrifting" ]
|
|
|
087194 |
|
|
|
087194 |
class firewalld_conf(object):
|
|
|
087194 |
def __init__(self, filename):
|
|
|
087194 |
@@ -83,6 +83,7 @@ class firewalld_conf(object):
|
|
|
087194 |
self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND)
|
|
|
087194 |
self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no")
|
|
|
087194 |
self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no")
|
|
|
087194 |
+ self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no")
|
|
|
087194 |
raise
|
|
|
087194 |
|
|
|
087194 |
for line in f:
|
|
|
087194 |
@@ -202,6 +203,14 @@ class firewalld_conf(object):
|
|
|
087194 |
config.FALLBACK_RFC3964_IPV4)
|
|
|
087194 |
self.set("RFC3964_IPv4", str(config.FALLBACK_RFC3964_IPV4))
|
|
|
087194 |
|
|
|
087194 |
+ value = self.get("AllowZoneDrifting")
|
|
|
087194 |
+ if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
|
|
|
087194 |
+ if value is not None:
|
|
|
087194 |
+ log.warning("AllowZoneDrifting '%s' is not valid, using default "
|
|
|
087194 |
+ "value %s", value if value else '',
|
|
|
087194 |
+ config.FALLBACK_ALLOW_ZONE_DRIFTING)
|
|
|
087194 |
+ self.set("AllowZoneDrifting", str(config.FALLBACK_ALLOW_ZONE_DRIFTING))
|
|
|
087194 |
+
|
|
|
087194 |
# save to self.filename if there are key/value changes
|
|
|
087194 |
def write(self):
|
|
|
087194 |
if len(self._config) < 1:
|
|
|
087194 |
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
|
|
|
087194 |
index b1b839da82ea..4315c6ac1589 100644
|
|
|
087194 |
--- a/src/firewall/server/config.py
|
|
|
087194 |
+++ b/src/firewall/server/config.py
|
|
|
087194 |
@@ -107,6 +107,7 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
087194 |
"FirewallBackend": "readwrite",
|
|
|
087194 |
"FlushAllOnReload": "readwrite",
|
|
|
087194 |
"RFC3964_IPv4": "readwrite",
|
|
|
087194 |
+ "AllowZoneDrifting": "readwrite",
|
|
|
087194 |
})
|
|
|
087194 |
|
|
|
087194 |
@handle_exceptions
|
|
|
087194 |
@@ -487,7 +488,8 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
087194 |
if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
|
|
|
087194 |
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
|
|
|
087194 |
"LogDenied", "AutomaticHelpers", "FirewallBackend",
|
|
|
087194 |
- "FlushAllOnReload", "RFC3964_IPv4" ]:
|
|
|
087194 |
+ "FlushAllOnReload", "RFC3964_IPv4",
|
|
|
087194 |
+ "AllowZoneDrifting" ]:
|
|
|
087194 |
raise dbus.exceptions.DBusException(
|
|
|
087194 |
"org.freedesktop.DBus.Error.InvalidArgs: "
|
|
|
087194 |
"Property '%s' does not exist" % prop)
|
|
|
087194 |
@@ -540,6 +542,10 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
087194 |
if value is None:
|
|
|
087194 |
value = "yes" if config.FALLBACK_RFC3964_IPV4 else "no"
|
|
|
087194 |
return dbus.String(value)
|
|
|
087194 |
+ elif prop == "AllowZoneDrifting":
|
|
|
087194 |
+ if value is None:
|
|
|
087194 |
+ value = "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no"
|
|
|
087194 |
+ return dbus.String(value)
|
|
|
087194 |
|
|
|
087194 |
@dbus_handle_exceptions
|
|
|
087194 |
def _get_dbus_property(self, prop):
|
|
|
087194 |
@@ -565,6 +571,8 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
087194 |
return dbus.String(self._get_property(prop))
|
|
|
087194 |
elif prop == "RFC3964_IPv4":
|
|
|
087194 |
return dbus.String(self._get_property(prop))
|
|
|
087194 |
+ elif prop == "AllowZoneDrifting":
|
|
|
087194 |
+ return dbus.String(self._get_property(prop))
|
|
|
087194 |
else:
|
|
|
087194 |
raise dbus.exceptions.DBusException(
|
|
|
087194 |
"org.freedesktop.DBus.Error.InvalidArgs: "
|
|
|
087194 |
@@ -605,7 +613,8 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
087194 |
for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
|
|
|
087194 |
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
|
|
|
087194 |
"LogDenied", "AutomaticHelpers", "FirewallBackend",
|
|
|
087194 |
- "FlushAllOnReload", "RFC3964_IPv4" ]:
|
|
|
087194 |
+ "FlushAllOnReload", "RFC3964_IPv4",
|
|
|
087194 |
+ "AllowZoneDrifting" ]:
|
|
|
087194 |
ret[x] = self._get_property(x)
|
|
|
087194 |
elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
|
|
|
087194 |
config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
|
|
|
087194 |
@@ -633,7 +642,7 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
087194 |
"IPv6_rpfilter", "IndividualCalls",
|
|
|
087194 |
"LogDenied", "AutomaticHelpers",
|
|
|
087194 |
"FirewallBackend", "FlushAllOnReload",
|
|
|
087194 |
- "RFC3964_IPv4" ]:
|
|
|
087194 |
+ "RFC3964_IPv4", "AllowZoneDrifting" ]:
|
|
|
087194 |
if property_name == "MinimalMark":
|
|
|
087194 |
try:
|
|
|
087194 |
int(new_value)
|
|
|
087194 |
@@ -677,6 +686,11 @@ class FirewallDConfig(slip.dbus.service.Object):
|
|
|
087194 |
raise FirewallError(errors.INVALID_VALUE,
|
|
|
087194 |
"'%s' for %s" % \
|
|
|
087194 |
(new_value, property_name))
|
|
|
087194 |
+ if property_name == "AllowZoneDrifting":
|
|
|
087194 |
+ if new_value.lower() not in ["yes", "true", "no", "false"]:
|
|
|
087194 |
+ raise FirewallError(errors.INVALID_VALUE,
|
|
|
087194 |
+ "'%s' for %s" % \
|
|
|
087194 |
+ (new_value, property_name))
|
|
|
087194 |
|
|
|
087194 |
self.config.get_firewalld_conf().set(property_name, new_value)
|
|
|
087194 |
self.config.get_firewalld_conf().write()
|
|
|
087194 |
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
|
|
|
087194 |
index 45559311eabb..65ac702f4713 100644
|
|
|
087194 |
--- a/src/tests/dbus/firewalld.conf.at
|
|
|
087194 |
+++ b/src/tests/dbus/firewalld.conf.at
|
|
|
087194 |
@@ -3,6 +3,7 @@ AT_KEYWORDS(dbus)
|
|
|
087194 |
|
|
|
087194 |
dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
|
|
|
087194 |
DBUS_GETALL([config], [config], 0, [dnl
|
|
|
087194 |
+string "AllowZoneDrifting" : variant string "no"
|
|
|
087194 |
string "AutomaticHelpers" : variant string "system"
|
|
|
087194 |
string "CleanupOnExit" : variant string "no"
|
|
|
087194 |
string "DefaultZone" : variant string "public"
|
|
|
087194 |
@@ -36,6 +37,7 @@ _helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
|
|
|
087194 |
_helper([FlushAllOnReload], [string:"no"], [variant string "no"])
|
|
|
087194 |
_helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
|
|
|
087194 |
_helper([RFC3964_IPv4], [string:"no"], [variant string "no"])
|
|
|
087194 |
+_helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"])
|
|
|
087194 |
dnl Note: DefaultZone is RO
|
|
|
087194 |
m4_undefine([_helper])
|
|
|
087194 |
|
|
|
087194 |
--
|
|
|
087194 |
2.23.0
|
|
|
087194 |
|