|
 |
725d6a |
From 244d1bfe190f2cc32c10d0fecaf81536761ecc09 Mon Sep 17 00:00:00 2001
|
|
|
725d6a |
From: Eric Garver <eric@garver.life>
|
|
|
725d6a |
Date: Tue, 1 Sep 2020 13:16:23 -0400
|
|
|
725d6a |
Subject: [PATCH 59/62] fix(icmptype): nftables: runtimeToPermanent if
|
|
|
725d6a |
ip6tables not available
|
|
|
725d6a |
|
|
|
725d6a |
We were not filling the runtime ipv6 icmptypes list if the active
|
|
|
725d6a |
backend was nftables and ip6tables wasn't available. This caused "ipv6"
|
|
|
725d6a |
to be dropped from the supported ipvs/destinations for the icmptype.
|
|
|
725d6a |
This also caused runtimeToPermanent to fail because the runtime
|
|
|
725d6a |
icmptypes definition dropped "ipv6" causing runtimeToPermanent to copy
|
|
|
725d6a |
the runtime icmptype to permanent because they were different... this
|
|
|
725d6a |
caused sanity checks on the permanent configuration to fail.
|
|
|
725d6a |
|
|
|
725d6a |
(cherry picked from commit c92d43dcdf5622e82e28454652acd6a981b015f9)
|
|
|
725d6a |
(cherry picked from commit 6f23f727be818f356625e39682fb226a81925647)
|
|
|
725d6a |
---
|
|
|
725d6a |
src/firewall/core/fw.py | 24 ++++++++++++++----------
|
|
|
725d6a |
src/firewall/core/fw_icmptype.py | 8 ++++----
|
|
|
725d6a |
src/firewall/core/ipXtables.py | 2 +-
|
|
|
725d6a |
src/firewall/core/nftables.py | 6 +++---
|
|
|
725d6a |
src/firewall/server/firewalld.py | 4 ++--
|
|
|
725d6a |
5 files changed, 24 insertions(+), 20 deletions(-)
|
|
|
725d6a |
|
|
|
725d6a |
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
|
|
|
725d6a |
index c767f416f3d2..1df916efb10f 100644
|
|
|
725d6a |
--- a/src/firewall/core/fw.py
|
|
|
725d6a |
+++ b/src/firewall/core/fw.py
|
|
|
725d6a |
@@ -76,10 +76,10 @@ class Firewall(object):
|
|
|
725d6a |
else:
|
|
|
725d6a |
self.ip4tables_backend = ipXtables.ip4tables(self)
|
|
|
725d6a |
self.ip4tables_enabled = True
|
|
|
725d6a |
- self.ip4tables_supported_icmp_types = [ ]
|
|
|
725d6a |
+ self.ipv4_supported_icmp_types = [ ]
|
|
|
725d6a |
self.ip6tables_backend = ipXtables.ip6tables(self)
|
|
|
725d6a |
self.ip6tables_enabled = True
|
|
|
725d6a |
- self.ip6tables_supported_icmp_types = [ ]
|
|
|
725d6a |
+ self.ipv6_supported_icmp_types = [ ]
|
|
|
725d6a |
self.ebtables_backend = ebtables.ebtables()
|
|
|
725d6a |
self.ebtables_enabled = True
|
|
|
725d6a |
self.ipset_backend = ipset.ipset()
|
|
|
725d6a |
@@ -172,11 +172,13 @@ class Firewall(object):
|
|
|
725d6a |
log.warning("iptables-restore and iptables are missing, "
|
|
|
725d6a |
"disabling IPv4 firewall.")
|
|
|
725d6a |
self.ip4tables_enabled = False
|
|
|
725d6a |
- if self.ip4tables_enabled:
|
|
|
725d6a |
- self.ip4tables_supported_icmp_types = \
|
|
|
725d6a |
- self.ip4tables_backend.supported_icmp_types()
|
|
|
725d6a |
+ if self.nftables_enabled:
|
|
|
725d6a |
+ self.ipv4_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv4")
|
|
|
725d6a |
else:
|
|
|
725d6a |
- self.ip4tables_supported_icmp_types = [ ]
|
|
|
725d6a |
+ if self.ip4tables_enabled:
|
|
|
725d6a |
+ self.ipv4_supported_icmp_types = self.ip4tables_backend.supported_icmp_types()
|
|
|
725d6a |
+ else:
|
|
|
725d6a |
+ self.ipv4_supported_icmp_types = [ ]
|
|
|
725d6a |
self.ip6tables_backend.fill_exists()
|
|
|
725d6a |
if not self.ip6tables_backend.restore_command_exists:
|
|
|
725d6a |
if self.ip6tables_backend.command_exists:
|
|
|
725d6a |
@@ -186,11 +188,13 @@ class Firewall(object):
|
|
|
725d6a |
log.warning("ip6tables-restore and ip6tables are missing, "
|
|
|
725d6a |
"disabling IPv6 firewall.")
|
|
|
725d6a |
self.ip6tables_enabled = False
|
|
|
725d6a |
- if self.ip6tables_enabled:
|
|
|
725d6a |
- self.ip6tables_supported_icmp_types = \
|
|
|
725d6a |
- self.ip6tables_backend.supported_icmp_types()
|
|
|
725d6a |
+ if self.nftables_enabled:
|
|
|
725d6a |
+ self.ipv6_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv6")
|
|
|
725d6a |
else:
|
|
|
725d6a |
- self.ip6tables_supported_icmp_types = [ ]
|
|
|
725d6a |
+ if self.ip6tables_enabled:
|
|
|
725d6a |
+ self.ipv6_supported_icmp_types = self.ip6tables_backend.supported_icmp_types()
|
|
|
725d6a |
+ else:
|
|
|
725d6a |
+ self.ipv6_supported_icmp_types = [ ]
|
|
|
725d6a |
self.ebtables_backend.fill_exists()
|
|
|
725d6a |
if not self.ebtables_backend.restore_command_exists:
|
|
|
725d6a |
if self.ebtables_backend.command_exists:
|
|
|
725d6a |
diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py
|
|
|
725d6a |
index afe9f91d6bf6..a565bb6d8733 100644
|
|
|
725d6a |
--- a/src/firewall/core/fw_icmptype.py
|
|
|
725d6a |
+++ b/src/firewall/core/fw_icmptype.py
|
|
|
725d6a |
@@ -57,13 +57,13 @@ class FirewallIcmpType(object):
|
|
|
725d6a |
ipvs = orig_ipvs[:]
|
|
|
725d6a |
for ipv in orig_ipvs:
|
|
|
725d6a |
if ipv == "ipv4":
|
|
|
725d6a |
- if not self._fw.ip4tables_enabled:
|
|
|
725d6a |
+ if not self._fw.ip4tables_enabled and not self._fw.nftables_enabled:
|
|
|
725d6a |
continue
|
|
|
725d6a |
- supported_icmps = self._fw.ip4tables_supported_icmp_types
|
|
|
725d6a |
+ supported_icmps = self._fw.ipv4_supported_icmp_types
|
|
|
725d6a |
elif ipv == "ipv6":
|
|
|
725d6a |
- if not self._fw.ip6tables_enabled:
|
|
|
725d6a |
+ if not self._fw.ip6tables_enabled and not self._fw.nftables_enabled:
|
|
|
725d6a |
continue
|
|
|
725d6a |
- supported_icmps = self._fw.ip6tables_supported_icmp_types
|
|
|
725d6a |
+ supported_icmps = self._fw.ipv6_supported_icmp_types
|
|
|
725d6a |
else:
|
|
|
725d6a |
supported_icmps = [ ]
|
|
|
725d6a |
if obj.name.lower() not in supported_icmps:
|
|
|
725d6a |
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
|
|
|
725d6a |
index c4535f2e5818..450e427c08b5 100644
|
|
|
725d6a |
--- a/src/firewall/core/ipXtables.py
|
|
|
725d6a |
+++ b/src/firewall/core/ipXtables.py
|
|
|
725d6a |
@@ -612,7 +612,7 @@ class ip4tables(object):
|
|
|
725d6a |
rules.append(["-t", table, "-P", chain, _policy])
|
|
|
725d6a |
return rules
|
|
|
725d6a |
|
|
|
725d6a |
- def supported_icmp_types(self):
|
|
|
725d6a |
+ def supported_icmp_types(self, ipv=None):
|
|
|
725d6a |
"""Return ICMP types that are supported by the iptables/ip6tables command and kernel"""
|
|
|
725d6a |
ret = [ ]
|
|
|
725d6a |
output = ""
|
|
|
725d6a |
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
|
|
|
725d6a |
index daa7ace085a2..0a73c2c2669d 100644
|
|
|
725d6a |
--- a/src/firewall/core/nftables.py
|
|
|
725d6a |
+++ b/src/firewall/core/nftables.py
|
|
|
725d6a |
@@ -480,13 +480,13 @@ class nftables(object):
|
|
|
725d6a |
|
|
|
725d6a |
return rules
|
|
|
725d6a |
|
|
|
725d6a |
- def supported_icmp_types(self):
|
|
|
725d6a |
+ def supported_icmp_types(self, ipv=None):
|
|
|
725d6a |
# nftables supports any icmp_type via arbitrary type/code matching.
|
|
|
725d6a |
# We just need a translation for it in ICMP_TYPES_FRAGMENTS.
|
|
|
725d6a |
supported = set()
|
|
|
725d6a |
|
|
|
725d6a |
- for ipv in ICMP_TYPES_FRAGMENTS.keys():
|
|
|
725d6a |
- supported.update(ICMP_TYPES_FRAGMENTS[ipv].keys())
|
|
|
725d6a |
+ for _ipv in [ipv] if ipv else ICMP_TYPES_FRAGMENTS.keys():
|
|
|
725d6a |
+ supported.update(ICMP_TYPES_FRAGMENTS[_ipv].keys())
|
|
|
725d6a |
|
|
|
725d6a |
return list(supported)
|
|
|
725d6a |
|
|
|
725d6a |
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
|
|
|
725d6a |
index 10b085d48660..949f577053cc 100644
|
|
|
725d6a |
--- a/src/firewall/server/firewalld.py
|
|
|
725d6a |
+++ b/src/firewall/server/firewalld.py
|
|
|
725d6a |
@@ -162,7 +162,7 @@ class FirewallD(slip.dbus.service.Object):
|
|
|
725d6a |
return dbus.Boolean(self.fw.ip4tables_enabled)
|
|
|
725d6a |
|
|
|
725d6a |
elif prop == "IPv4ICMPTypes":
|
|
|
725d6a |
- return dbus.Array(self.fw.ip4tables_supported_icmp_types, "s")
|
|
|
725d6a |
+ return dbus.Array(self.fw.ipv4_supported_icmp_types, "s")
|
|
|
725d6a |
|
|
|
725d6a |
elif prop == "IPv6":
|
|
|
725d6a |
return dbus.Boolean(self.fw.ip6tables_enabled)
|
|
|
725d6a |
@@ -171,7 +171,7 @@ class FirewallD(slip.dbus.service.Object):
|
|
|
725d6a |
return dbus.Boolean(self.fw.ipv6_rpfilter_enabled)
|
|
|
725d6a |
|
|
|
725d6a |
elif prop == "IPv6ICMPTypes":
|
|
|
725d6a |
- return dbus.Array(self.fw.ip6tables_supported_icmp_types, "s")
|
|
|
725d6a |
+ return dbus.Array(self.fw.ipv6_supported_icmp_types, "s")
|
|
|
725d6a |
|
|
|
725d6a |
elif prop == "BRIDGE":
|
|
|
725d6a |
return dbus.Boolean(self.fw.ebtables_enabled)
|
|
|
725d6a |
--
|
|
|
725d6a |
2.28.0
|
|
|
725d6a |
|