|
 |
725d6a |
From 4d099f4c0866801e40e362090e6986c693386e2c Mon Sep 17 00:00:00 2001
|
|
|
725d6a |
From: Eric Garver <eric@garver.life>
|
|
|
725d6a |
Date: Thu, 27 Aug 2020 15:30:45 -0400
|
|
|
725d6a |
Subject: [PATCH 50/62] fix(icmptype): when applying rules get ict from perm
|
|
|
725d6a |
config
|
|
|
725d6a |
|
|
|
725d6a |
Otherwise we may get runtime errors because the running kernel doesn't
|
|
|
725d6a |
support the ict. Use the permanent ict definition so we allow the case
|
|
|
725d6a |
where ip6tables is missing or not available. Explicit usage of an ict
|
|
|
725d6a |
not supported by the kernel will still fail to apply at runtime
|
|
|
725d6a |
(iptables complains), but if ip6tables is missing we don't attempt to
|
|
|
725d6a |
apply the ipv6 rules thus avoiding the issue.
|
|
|
725d6a |
|
|
|
725d6a |
(cherry picked from commit fdc44800aef4ec166987d529ffaea51f13ff54c2)
|
|
|
725d6a |
(cherry picked from commit 0016ec8e4aefb6cf2a8986a91530eae25a28ead7)
|
|
|
725d6a |
---
|
|
|
725d6a |
src/firewall/core/fw_zone.py | 6 +++---
|
|
|
725d6a |
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
725d6a |
|
|
|
725d6a |
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
|
|
|
725d6a |
index b9fe1f6aae97..9d8bcf620251 100644
|
|
|
725d6a |
--- a/src/firewall/core/fw_zone.py
|
|
|
725d6a |
+++ b/src/firewall/core/fw_zone.py
|
|
|
725d6a |
@@ -1526,7 +1526,7 @@ class FirewallZone(object):
|
|
|
725d6a |
if rule.family:
|
|
|
725d6a |
ipvs = [ rule.family ]
|
|
|
725d6a |
elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)):
|
|
|
725d6a |
- ict = self._fw.icmptype.get_icmptype(rule.element.name)
|
|
|
725d6a |
+ ict = self._fw.config.get_icmptype(rule.element.name)
|
|
|
725d6a |
if ict.destination:
|
|
|
725d6a |
ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination]
|
|
|
725d6a |
|
|
|
725d6a |
@@ -1698,7 +1698,7 @@ class FirewallZone(object):
|
|
|
725d6a |
# ICMP BLOCK and ICMP TYPE
|
|
|
725d6a |
elif type(rule.element) == Rich_IcmpBlock or \
|
|
|
725d6a |
type(rule.element) == Rich_IcmpType:
|
|
|
725d6a |
- ict = self._fw.icmptype.get_icmptype(rule.element.name)
|
|
|
725d6a |
+ ict = self._fw.config.get_icmptype(rule.element.name)
|
|
|
725d6a |
|
|
|
725d6a |
if type(rule.element) == Rich_IcmpBlock and \
|
|
|
725d6a |
rule.action and type(rule.action) == Rich_Accept:
|
|
|
725d6a |
@@ -1862,7 +1862,7 @@ class FirewallZone(object):
|
|
|
725d6a |
transaction.add_rules(backend, rules)
|
|
|
725d6a |
|
|
|
725d6a |
def _icmp_block(self, enable, zone, icmp, transaction):
|
|
|
725d6a |
- ict = self._fw.icmptype.get_icmptype(icmp)
|
|
|
725d6a |
+ ict = self._fw.config.get_icmptype(icmp)
|
|
|
725d6a |
|
|
|
725d6a |
if enable:
|
|
|
725d6a |
transaction.add_chain(zone, "filter", "INPUT")
|
|
|
725d6a |
--
|
|
|
725d6a |
2.28.0
|
|
|
725d6a |
|