|
 |
1dfe16 |
From fcff9a0adbc8042544372e1af5d84b48e6d52c93 Mon Sep 17 00:00:00 2001
|
|
|
1dfe16 |
From: Eric Garver <eric@garver.life>
|
|
|
1dfe16 |
Date: Mon, 13 May 2019 09:40:31 -0400
|
|
|
1dfe16 |
Subject: [PATCH 32/37] fix: avoid calling backends that aren't available
|
|
|
1dfe16 |
|
|
|
1dfe16 |
We should operate just fine if some backend aren't available, e.g.
|
|
|
1dfe16 |
ip6tables. This fixes some areas that broke that.
|
|
|
1dfe16 |
|
|
|
1dfe16 |
Fixes: #491
|
|
|
1dfe16 |
(cherry picked from commit 3fdffa76be42ce88bff35ce2b84c2beda3c016a1)
|
|
|
1dfe16 |
(cherry picked from commit 86d003dcdbd2eb20ac32858f7cfa3074169d5b5e)
|
|
|
1dfe16 |
---
|
|
|
1dfe16 |
src/firewall/core/fw.py | 54 ++++++++++++++++++------------------
|
|
|
1dfe16 |
src/firewall/core/fw_zone.py | 4 ++-
|
|
|
1dfe16 |
2 files changed, 30 insertions(+), 28 deletions(-)
|
|
|
1dfe16 |
|
|
|
1dfe16 |
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
|
|
|
1dfe16 |
index abb25f0c3e72..998de99e9532 100644
|
|
|
1dfe16 |
--- a/src/firewall/core/fw.py
|
|
|
1dfe16 |
+++ b/src/firewall/core/fw.py
|
|
|
1dfe16 |
@@ -703,24 +703,24 @@ class Firewall(object):
|
|
|
1dfe16 |
def get_backend_by_ipv(self, ipv):
|
|
|
1dfe16 |
if self.nftables_enabled:
|
|
|
1dfe16 |
return self.nftables_backend
|
|
|
1dfe16 |
- if ipv == "ipv4":
|
|
|
1dfe16 |
+ if ipv == "ipv4" and self.ip4tables_enabled:
|
|
|
1dfe16 |
return self.ip4tables_backend
|
|
|
1dfe16 |
- elif ipv == "ipv6":
|
|
|
1dfe16 |
+ elif ipv == "ipv6" and self.ip6tables_enabled:
|
|
|
1dfe16 |
return self.ip6tables_backend
|
|
|
1dfe16 |
- elif ipv == "eb":
|
|
|
1dfe16 |
+ elif ipv == "eb" and self.ebtables_enabled:
|
|
|
1dfe16 |
return self.ebtables_backend
|
|
|
1dfe16 |
raise FirewallError(errors.INVALID_IPV,
|
|
|
1dfe16 |
- "'%s' is not a valid backend" % ipv)
|
|
|
1dfe16 |
+ "'%s' is not a valid backend or is unavailable" % ipv)
|
|
|
1dfe16 |
|
|
|
1dfe16 |
def get_direct_backend_by_ipv(self, ipv):
|
|
|
1dfe16 |
- if ipv == "ipv4":
|
|
|
1dfe16 |
+ if ipv == "ipv4" and self.ip4tables_enabled:
|
|
|
1dfe16 |
return self.ip4tables_backend
|
|
|
1dfe16 |
- elif ipv == "ipv6":
|
|
|
1dfe16 |
+ elif ipv == "ipv6" and self.ip6tables_enabled:
|
|
|
1dfe16 |
return self.ip6tables_backend
|
|
|
1dfe16 |
- elif ipv == "eb":
|
|
|
1dfe16 |
+ elif ipv == "eb" and self.ebtables_enabled:
|
|
|
1dfe16 |
return self.ebtables_backend
|
|
|
1dfe16 |
raise FirewallError(errors.INVALID_IPV,
|
|
|
1dfe16 |
- "'%s' is not a valid backend" % ipv)
|
|
|
1dfe16 |
+ "'%s' is not a valid backend or is unavailable" % ipv)
|
|
|
1dfe16 |
|
|
|
1dfe16 |
def is_backend_enabled(self, name):
|
|
|
1dfe16 |
if name == "ip4tables":
|
|
|
1dfe16 |
@@ -791,29 +791,29 @@ class Firewall(object):
|
|
|
1dfe16 |
rules = backend.build_default_rules(self._log_denied)
|
|
|
1dfe16 |
transaction.add_rules(backend, rules)
|
|
|
1dfe16 |
|
|
|
1dfe16 |
- ipv6_backend = self.get_backend_by_ipv("ipv6")
|
|
|
1dfe16 |
- if self.ipv6_rpfilter_enabled and \
|
|
|
1dfe16 |
- "raw" in ipv6_backend.get_available_tables():
|
|
|
1dfe16 |
+ if self.is_ipv_enabled("ipv6"):
|
|
|
1dfe16 |
+ ipv6_backend = self.get_backend_by_ipv("ipv6")
|
|
|
1dfe16 |
+ if self.ipv6_rpfilter_enabled and \
|
|
|
1dfe16 |
+ "raw" in ipv6_backend.get_available_tables():
|
|
|
1dfe16 |
|
|
|
1dfe16 |
- # Execute existing transaction
|
|
|
1dfe16 |
- transaction.execute(True)
|
|
|
1dfe16 |
- # Start new transaction
|
|
|
1dfe16 |
- transaction.clear()
|
|
|
1dfe16 |
+ # Execute existing transaction
|
|
|
1dfe16 |
+ transaction.execute(True)
|
|
|
1dfe16 |
+ # Start new transaction
|
|
|
1dfe16 |
+ transaction.clear()
|
|
|
1dfe16 |
|
|
|
1dfe16 |
- rules = ipv6_backend.build_rpfilter_rules(self._log_denied)
|
|
|
1dfe16 |
- transaction.add_rules(ipv6_backend, rules)
|
|
|
1dfe16 |
+ rules = ipv6_backend.build_rpfilter_rules(self._log_denied)
|
|
|
1dfe16 |
+ transaction.add_rules(ipv6_backend, rules)
|
|
|
1dfe16 |
|
|
|
1dfe16 |
- # Execute ipv6_rpfilter transaction, it might fail
|
|
|
1dfe16 |
- try:
|
|
|
1dfe16 |
- transaction.execute(True)
|
|
|
1dfe16 |
- except FirewallError as msg:
|
|
|
1dfe16 |
- log.warning("Applying rules for ipv6_rpfilter failed: %s", msg)
|
|
|
1dfe16 |
- # Start new transaction
|
|
|
1dfe16 |
- transaction.clear()
|
|
|
1dfe16 |
+ # Execute ipv6_rpfilter transaction, it might fail
|
|
|
1dfe16 |
+ try:
|
|
|
1dfe16 |
+ transaction.execute(True)
|
|
|
1dfe16 |
+ except FirewallError as msg:
|
|
|
1dfe16 |
+ log.warning("Applying rules for ipv6_rpfilter failed: %s", msg)
|
|
|
1dfe16 |
+ # Start new transaction
|
|
|
1dfe16 |
+ transaction.clear()
|
|
|
1dfe16 |
|
|
|
1dfe16 |
- else:
|
|
|
1dfe16 |
- if use_transaction is None:
|
|
|
1dfe16 |
- transaction.execute(True)
|
|
|
1dfe16 |
+ if use_transaction is None:
|
|
|
1dfe16 |
+ transaction.execute(True)
|
|
|
1dfe16 |
|
|
|
1dfe16 |
# flush and policy
|
|
|
1dfe16 |
|
|
|
1dfe16 |
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
|
|
|
1dfe16 |
index d5eafb863439..31d7d6a168a8 100644
|
|
|
1dfe16 |
--- a/src/firewall/core/fw_zone.py
|
|
|
1dfe16 |
+++ b/src/firewall/core/fw_zone.py
|
|
|
1dfe16 |
@@ -1554,7 +1554,7 @@ class FirewallZone(object):
|
|
|
1dfe16 |
if rule.family is not None:
|
|
|
1dfe16 |
ipvs = [ rule.family ]
|
|
|
1dfe16 |
else:
|
|
|
1dfe16 |
- ipvs = [ "ipv4", "ipv6" ]
|
|
|
1dfe16 |
+ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
|
|
|
1dfe16 |
|
|
|
1dfe16 |
source_ipv = self._rule_source_ipv(rule.source)
|
|
|
1dfe16 |
if source_ipv is not None and source_ipv != "":
|
|
|
1dfe16 |
@@ -1804,6 +1804,8 @@ class FirewallZone(object):
|
|
|
1dfe16 |
#
|
|
|
1dfe16 |
backends_ipv = []
|
|
|
1dfe16 |
for ipv in ["ipv4", "ipv6"]:
|
|
|
1dfe16 |
+ if not self._fw.is_ipv_enabled(ipv):
|
|
|
1dfe16 |
+ continue
|
|
|
1dfe16 |
backend = self._fw.get_backend_by_ipv(ipv)
|
|
|
1dfe16 |
if len(svc.destination) > 0:
|
|
|
1dfe16 |
if ipv in svc.destination:
|
|
|
1dfe16 |
--
|
|
|
1dfe16 |
2.20.1
|
|
|
1dfe16 |
|