|
 |
725d6a |
From 5c18dbc41a2f59364fb495ef164dcc3c9147e408 Mon Sep 17 00:00:00 2001
|
|
|
725d6a |
From: Eric Garver <eric@garver.life>
|
|
|
725d6a |
Date: Fri, 28 Aug 2020 11:44:33 -0400
|
|
|
725d6a |
Subject: [PATCH 52/62] fix(rich icmptype): verify rule and icmptype families
|
|
|
725d6a |
don't conflict
|
|
|
725d6a |
|
|
|
725d6a |
Fixes: rhbz 1855140
|
|
|
725d6a |
(cherry picked from commit 11aac7755d9c8e338f72b5350329255937efd8e8)
|
|
|
725d6a |
(cherry picked from commit b49a88095b05bcf1bce36e989d7003948f1ee6f7)
|
|
|
725d6a |
---
|
|
|
725d6a |
src/firewall/core/fw_zone.py | 6 ++++++
|
|
|
725d6a |
src/firewall/core/io/zone.py | 17 ++++++++++++++++-
|
|
|
725d6a |
2 files changed, 22 insertions(+), 1 deletion(-)
|
|
|
725d6a |
|
|
|
725d6a |
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
|
|
|
725d6a |
index bd026222dce5..129306b6f969 100644
|
|
|
725d6a |
--- a/src/firewall/core/fw_zone.py
|
|
|
725d6a |
+++ b/src/firewall/core/fw_zone.py
|
|
|
725d6a |
@@ -1703,6 +1703,12 @@ class FirewallZone(object):
|
|
|
725d6a |
type(rule.element) == Rich_IcmpType:
|
|
|
725d6a |
ict = self._fw.config.get_icmptype(rule.element.name)
|
|
|
725d6a |
|
|
|
725d6a |
+ if rule.family and ict.destination and \
|
|
|
725d6a |
+ rule.family not in ict.destination:
|
|
|
725d6a |
+ raise FirewallError(errors.INVALID_ICMPTYPE,
|
|
|
725d6a |
+ "rich rule family '%s' conflicts with icmp type '%s'" % \
|
|
|
725d6a |
+ (rule.family, rule.element.name))
|
|
|
725d6a |
+
|
|
|
725d6a |
if type(rule.element) == Rich_IcmpBlock and \
|
|
|
725d6a |
rule.action and type(rule.action) == Rich_Accept:
|
|
|
725d6a |
# icmp block might have reject or drop action, but not accept
|
|
|
725d6a |
diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
|
|
|
725d6a |
index 68b2a7c9567c..529b92c25b62 100644
|
|
|
725d6a |
--- a/src/firewall/core/io/zone.py
|
|
|
725d6a |
+++ b/src/firewall/core/io/zone.py
|
|
|
725d6a |
@@ -232,7 +232,22 @@ class Zone(IO_Object):
|
|
|
725d6a |
raise FirewallError(errors.INVALID_ADDR, source)
|
|
|
725d6a |
elif item == "rules_str":
|
|
|
725d6a |
for rule in config:
|
|
|
725d6a |
- rich.Rich_Rule(rule_str=rule)
|
|
|
725d6a |
+ obj_rich = rich.Rich_Rule(rule_str=rule)
|
|
|
725d6a |
+ if self.fw_config and obj_rich.element and (isinstance(obj_rich.element, rich.Rich_IcmpBlock) or
|
|
|
725d6a |
+ isinstance(obj_rich.element, rich.Rich_IcmpType)):
|
|
|
725d6a |
+ existing_icmptypes = self.fw_config.get_icmptypes()
|
|
|
725d6a |
+ if obj_rich.element.name not in existing_icmptypes:
|
|
|
725d6a |
+ raise FirewallError(errors.INVALID_ICMPTYPE,
|
|
|
725d6a |
+ "'%s' not among existing icmp types" % \
|
|
|
725d6a |
+ obj_rich.element.name)
|
|
|
725d6a |
+
|
|
|
725d6a |
+ elif obj_rich.family:
|
|
|
725d6a |
+ ict = self.fw_config.get_icmptype(obj_rich.element.name)
|
|
|
725d6a |
+ if ict.destination and obj_rich.family not in ict.destination:
|
|
|
725d6a |
+ raise FirewallError(errors.INVALID_ICMPTYPE,
|
|
|
725d6a |
+ "rich rule family '%s' conflicts with icmp type '%s'" % \
|
|
|
725d6a |
+ (obj_rich.family, obj_rich.element.name))
|
|
|
725d6a |
+
|
|
|
725d6a |
|
|
|
725d6a |
def check_name(self, name):
|
|
|
725d6a |
super(Zone, self).check_name(name)
|
|
|
725d6a |
--
|
|
|
725d6a |
2.28.0
|
|
|
725d6a |
|