Tree - rpms/firewalld - CentOS Git server

rpms / firewalld

Blame SOURCES/0031-feat-nftables-support-AllowZoneDrifting-yes.patch

Blob History Raw

		40251c	`From 8d480dea4b3fd4ecce20c1569d000cb999dd50f6 Mon Sep 17 00:00:00 2001`
		087194	`From: Eric Garver <eric@garver.life>`
		087194	`Date: Sun, 19 Jan 2020 14:37:31 -0500`
		40251c	`Subject: [PATCH 31/37] feat: nftables: support AllowZoneDrifting=yes`
		087194
		087194	`(cherry picked from commit 517a061c5886f2ebfb4aa7d73804aa7f3c5a3004)`
		40251c	`(cherry picked from commit 92c5926bb9e493545f8d949ba00cbf72e4c7f202)`
		087194	`---`
		40251c	`src/firewall/core/nftables.py \| 91 ++++++++++++++++++++---------------`
		40251c	`1 file changed, 52 insertions(+), 39 deletions(-)`
		087194
		087194	`diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py`
		40251c	`index cb8521fb7a5a..c8e893b5dbf6 100644`
		087194	`--- a/src/firewall/core/nftables.py`
		087194	`+++ b/src/firewall/core/nftables.py`
		40251c	`@@ -208,8 +208,11 @@ class nftables(object):`
		087194
		087194	`index = zone_source_index_cache[family].index(zone_source)`
		087194	`else:`
		087194	`- index = len(zone_source_index_cache[family])`
		087194	`-`
		087194	`+ if self._fw._allow_zone_drifting:`
		087194	`+ index = 0`
		087194	`+ else:`
		087194	`+ index = len(zone_source_index_cache[family])`
		087194	`+`
		40251c	`_verb_snippet = rule[verb]`
		40251c	`del rule[verb]`
		087194	`if index == 0:`
		40251c	`@@ -506,13 +509,14 @@ class nftables(object):`
		40251c	`"prio": IPTABLES_TO_NFT_HOOK["raw"][chain][1]}}})`
		087194
		087194	`for chain in ["PREROUTING"]:`
		40251c	`- default_rules.append({"add": {"chain": {"family": "inet",`
		40251c	`- "table": TABLE_NAME,`
		40251c	`- "name": "raw_%s_ZONES" % chain}}})`
		40251c	`- default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`- "table": TABLE_NAME,`
		40251c	`- "chain": "raw_%s" % chain,`
		40251c	`- "expr": [{"jump": {"target": "raw_%s_ZONES" % chain}}]}}})`
		087194	`+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:`
		40251c	`+ default_rules.append({"add": {"chain": {"family": "inet",`
		40251c	`+ "table": TABLE_NAME,`
		40251c	`+ "name": "raw_%s_%s" % (chain, dispatch_suffix)}}})`
		40251c	`+ default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`+ "table": TABLE_NAME,`
		40251c	`+ "chain": "raw_%s" % chain,`
		40251c	`+ "expr": [{"jump": {"target": "raw_%s_%s" % (chain, dispatch_suffix)}}]}}})`
		087194
		087194	`for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys():`
		40251c	`default_rules.append({"add": {"chain": {"family": "inet",`
		40251c	`@@ -521,13 +525,14 @@ class nftables(object):`
		40251c	`"type": "filter",`
		40251c	`"hook": "%s" % IPTABLES_TO_NFT_HOOK["mangle"][chain][0],`
		40251c	`"prio": IPTABLES_TO_NFT_HOOK["mangle"][chain][1]}}})`
		40251c	`- default_rules.append({"add": {"chain": {"family": "inet",`
		40251c	`- "table": TABLE_NAME,`
		40251c	`- "name": "mangle_%s_ZONES" % chain}}})`
		40251c	`- default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`- "table": TABLE_NAME,`
		40251c	`- "chain": "mangle_%s" % chain,`
		40251c	`- "expr": [{"jump": {"target": "mangle_%s_ZONES" % chain}}]}}})`
		087194	`+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:`
		40251c	`+ default_rules.append({"add": {"chain": {"family": "inet",`
		40251c	`+ "table": TABLE_NAME,`
		40251c	`+ "name": "mangle_%s_%s" % (chain, dispatch_suffix)}}})`
		40251c	`+ default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`+ "table": TABLE_NAME,`
		40251c	`+ "chain": "mangle_%s" % chain,`
		40251c	`+ "expr": [{"jump": {"target": "mangle_%s_%s" % (chain, dispatch_suffix)}}]}}})`
		087194
		087194	`for family in ["ip", "ip6"]:`
		087194	`for chain in IPTABLES_TO_NFT_HOOK["nat"].keys():`
		40251c	`@@ -537,13 +542,15 @@ class nftables(object):`
		40251c	`"type": "nat",`
		40251c	`"hook": "%s" % IPTABLES_TO_NFT_HOOK["nat"][chain][0],`
		40251c	`"prio": IPTABLES_TO_NFT_HOOK["nat"][chain][1]}}})`
		40251c	`- default_rules.append({"add": {"chain": {"family": family,`
		40251c	`- "table": TABLE_NAME,`
		40251c	`- "name": "nat_%s_ZONES" % chain}}})`
		40251c	`- default_rules.append({"add": {"rule": {"family": family,`
		40251c	`- "table": TABLE_NAME,`
		40251c	`- "chain": "nat_%s" % chain,`
		40251c	`- "expr": [{"jump": {"target": "nat_%s_ZONES" % chain}}]}}})`
		40251c	`+`
		087194	`+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:`
		40251c	`+ default_rules.append({"add": {"chain": {"family": family,`
		40251c	`+ "table": TABLE_NAME,`
		40251c	`+ "name": "nat_%s_%s" % (chain, dispatch_suffix)}}})`
		40251c	`+ default_rules.append({"add": {"rule": {"family": family,`
		40251c	`+ "table": TABLE_NAME,`
		40251c	`+ "chain": "nat_%s" % chain,`
		40251c	`+ "expr": [{"jump": {"target": "nat_%s_%s" % (chain, dispatch_suffix)}}]}}})`
		087194
		087194	`for chain in IPTABLES_TO_NFT_HOOK["filter"].keys():`
		40251c	`default_rules.append({"add": {"chain": {"family": "inet",`
		40251c	`@@ -554,9 +561,6 @@ class nftables(object):`
		40251c	`"prio": IPTABLES_TO_NFT_HOOK["filter"][chain][1]}}})`
		087194
		087194	`# filter, INPUT`
		40251c	`- default_rules.append({"add": {"chain": {"family": "inet",`
		40251c	`- "table": TABLE_NAME,`
		40251c	`- "name": "filter_%s_ZONES" % "INPUT"}}})`
		40251c	`default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`"table": TABLE_NAME,`
		40251c	`"chain": "filter_%s" % "INPUT",`
		40251c	`@@ -578,10 +582,14 @@ class nftables(object):`
		40251c	`"op": "==",`
		40251c	`"right": "lo"}},`
		40251c	`{"accept": None}]}}})`
		40251c	`- default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`- "table": TABLE_NAME,`
		40251c	`- "chain": "filter_%s" % "INPUT",`
		40251c	`- "expr": [{"jump": {"target": "filter_%s_ZONES" % "INPUT"}}]}}})`
		087194	`+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:`
		40251c	`+ default_rules.append({"add": {"chain": {"family": "inet",`
		40251c	`+ "table": TABLE_NAME,`
		40251c	`+ "name": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}})`
		40251c	`+ default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`+ "table": TABLE_NAME,`
		40251c	`+ "chain": "filter_%s" % "INPUT",`
		40251c	`+ "expr": [{"jump": {"target": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}]}}})`
		087194	`if log_denied != "off":`
		40251c	`default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`"table": TABLE_NAME,`
		40251c	`@@ -610,10 +618,6 @@ class nftables(object):`
		40251c	`"expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}})`
		087194
		087194	`# filter, FORWARD`
		40251c	`- for direction in ["IN", "OUT"]:`
		40251c	`- default_rules.append({"add": {"chain": {"family": "inet",`
		40251c	`- "table": TABLE_NAME,`
		40251c	`- "name": "filter_%s_%s_ZONES" % ("FORWARD", direction)}}})`
		40251c	`default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`"table": TABLE_NAME,`
		40251c	`"chain": "filter_%s" % "FORWARD",`
		40251c	`@@ -636,10 +640,14 @@ class nftables(object):`
		40251c	`"right": "lo"}},`
		40251c	`{"accept": None}]}}})`
		40251c	`for direction in ["IN", "OUT"]:`
		40251c	`- default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`- "table": TABLE_NAME,`
		40251c	`- "chain": "filter_%s" % "FORWARD",`
		40251c	`- "expr": [{"jump": {"target": "filter_%s_%s_ZONES" % ("FORWARD", direction)}}]}}})`
		087194	`+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:`
		40251c	`+ default_rules.append({"add": {"chain": {"family": "inet",`
		40251c	`+ "table": TABLE_NAME,`
		40251c	`+ "name": "filter_%s_%s_%s" % ("FORWARD", direction, dispatch_suffix)}}})`
		40251c	`+ default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`+ "table": TABLE_NAME,`
		40251c	`+ "chain": "filter_%s" % "FORWARD",`
		40251c	`+ "expr": [{"jump": {"target": "filter_%s_%s_%s" % ("FORWARD", direction, dispatch_suffix)}}]}}})`
		087194	`if log_denied != "off":`
		40251c	`default_rules.append({"add": {"rule": {"family": "inet",`
		40251c	`"table": TABLE_NAME,`
		40251c	`@@ -778,12 +786,17 @@ class nftables(object):`
		087194	`"OUTPUT": "daddr",`
		087194	`}[chain]`
		087194
		087194	`+ if self._fw._allow_zone_drifting:`
		087194	`+ zone_dispatch_chain = "%s_%s_ZONES_SOURCE" % (table, chain)`
		087194	`+ else:`
		087194	`+ zone_dispatch_chain = "%s_%s_ZONES" % (table, chain)`
		087194	`+`
		087194	`target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)`
		087194	`action = "goto"`
		087194
		40251c	`rule = {"family": family,`
		40251c	`"table": TABLE_NAME,`
		40251c	`- "chain": "%s_%s_ZONES" % (table, chain),`
		40251c	`+ "chain": zone_dispatch_chain,`
		40251c	`"expr": [self._rule_addr_fragment(opt, address),`
		40251c	`{action: {"target": "%s_%s" % (table, target)}}]}`
		40251c	`rule.update(self._zone_source_fragment(zone, address))`
		087194	`--`
		087194	`2.23.0`
		087194

rpms / firewalld

Source Code

Blame SOURCES/0031-feat-nftables-support-AllowZoneDrifting-yes.patch