
From 5c873d88bceaf3bbaf2d781a812cbc4415c8b26a Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 30 Oct 2019 08:24:46 -0400
Subject: [PATCH 115/122] fix: failure to load modules no longer fatal
There are many cases in which module loading may fail:
 - builtin modules with a corrupt/missing modules.builtin database
 - CONFIG_MODULES=n
 - inside unprivileged container
Unfortunately, we have no way to detect these scenarios. The only thing
we can do is attempt to load the module and hope for the best.
Fixes: #430
Fixes: #519
(cherry picked from commit 88e76ddfed6fe348975bfea9002da0e4627c6e25)
(cherry picked from commit 407af3a6d2f5f0ca6e8a354a8cbfdb3228ad04bf)
---
 src/firewall/core/fw.py             | 17 +++++++++--------
 src/firewall/core/fw_transaction.py | 13 ++++++++-----
 src/tests/functions.at              |  1 +
 3 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
bb602c
index 3e639f83d1f4..2c4325966a19 100644
bb602c
--- a/src/firewall/core/fw.py
bb602c
+++ b/src/firewall/core/fw.py
bb602c
@@ -385,10 +385,9 @@ class Firewall(object):
bb602c
         #
bb602c
         # NOTE: must force loading of nf_conntrack to make sure the values are
bb602c
         # available in /proc
bb602c
-        module_return = self.handle_modules(["nf_conntrack"], True)
bb602c
-        if module_return:
bb602c
-            log.error("Failed to load nf_conntrack module: %s" % module_return[1])
bb602c
-            sys.exit(1)
bb602c
+        (status, msg) = self.handle_modules(["nf_conntrack"], True)
bb602c
+        if status != 0:
bb602c
+            log.warning("Failed to load nf_conntrack module: %s" % msg)
bb602c
         if self._automatic_helpers != "system":
bb602c
             functions.set_nf_conntrack_helper_setting(self._automatic_helpers == "yes")
bb602c
         self.nf_conntrack_helper_setting = \
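Review bot: The NOTE just above the change still says loading nf_conntrack "must" be forced so the values are available in /proc, but the new code only warns and carries on, so the `functions.set_nf_conntrack_helper_setting(...)` call and the `nf_conntrack_helper_setting` assignment that follow now run whether or not the module is present. Update the comment to describe the new contract, e.g. `# NOTE: try to load nf_conntrack so its values are available in /proc; if loading fails (builtin module, CONFIG_MODULES=n, unprivileged container) we only warn and continue.` It would also help an operator reading the log if the warning said what is degraded, e.g. `log.warning("Failed to load nf_conntrack module, conntrack helper settings may be unavailable: %s" % msg)`. If `sys` was imported only for the removed `sys.exit(1)` the import can be dropped, but that cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk.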
bb602c
@@ -664,6 +663,8 @@ class Firewall(object):
bb602c
     # handle modules
bb602c
 
bb602c
     def handle_modules(self, _modules, enable):
bb602c
+        num_failed = 0
bb602c
+        error_msgs = ""
bb602c
         for i,module in enumerate(_modules):
bb602c
             if enable:
bb602c
                 (status, msg) = self.modules_backend.load_module(module)
bb602c
@@ -673,9 +674,9 @@ class Firewall(object):
bb602c
                 else:
bb602c
                     (status, msg) = self.modules_backend.unload_module(module)
bb602c
             if status != 0:
bb602c
-                if enable:
bb602c
-                    return (_modules[:i], msg) # cleanup modules and error msg
bb602c
-                # else: ignore cleanup
bb602c
+                num_failed += 1
bb602c
+                error_msgs += msg
bb602c
+                continue
bb602c
 
bb602c
             if enable:
bb602c
                 self._module_refcount.setdefault(module, 0)
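Review bot: `error_msgs += msg` concatenates the messages of successive failures with no separator, so a caller that logs the second element (the nf_conntrack warning in the first hunk, `log.debug1(msg)` in fw_transaction.py) gets one run-together string when several modules fail; use `error_msgs += msg + "\n"` here, or collect into a list and `"\n".join` it at the `return (num_failed, error_msgs)` in the third hunk. The function now returns a tuple on every path instead of `None` on success, so any caller outside this patch that tested `if module_return:` will always take the truthy branch — worth checking the other call sites. The old code unloaded the modules loaded so far and stopped on the first `enable` failure, whereas the new loop continues with the rest, and the `continue` is what keeps `_module_refcount` from counting a module that did not load; a comment such as `# skip refcount bookkeeping for modules that failed to load` would make that intent explicit. `handle_modules` continues past the end of the hunk.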
bb602c
@@ -685,7 +686,7 @@ class Firewall(object):
bb602c
                     self._module_refcount[module] -= 1
bb602c
                     if self._module_refcount[module] == 0:
bb602c
                         del self._module_refcount[module]
bb602c
-        return None
bb602c
+        return (num_failed, error_msgs)
bb602c
 
bb602c
     def _select_firewall_backend(self, backend):
bb602c
         if backend != "nftables":
bb602c
diff --git a/src/firewall/core/fw_transaction.py b/src/firewall/core/fw_transaction.py
bb602c
index ad204c1991cf..d5d3e858b6dd 100644
bb602c
--- a/src/firewall/core/fw_transaction.py
bb602c
+++ b/src/firewall/core/fw_transaction.py
bb602c
@@ -113,11 +113,14 @@ class SimpleFirewallTransaction(object):
bb602c
         if not error:
bb602c
             module_return = self.fw.handle_modules(modules, enable)
bb602c
             if module_return:
bb602c
-                (cleanup_modules, msg) = module_return
bb602c
-                if cleanup_modules is not None:
bb602c
-                    error = True
bb602c
-                    errorMsg = msg
bb602c
-                    self.fw.handle_modules(cleanup_modules, not enable)
bb602c
+                # Debug log about issues loading modules, but don't error. The
bb602c
+                # modules may be builtin or CONFIG_MODULES=n, in which case
bb602c
+                # modprobe will fail. Or we may be running inside a container
bb602c
+                # that doesn't have sufficient privileges. Unfortunately there
bb602c
+                # is no way for us to know.
bb602c
+                (status, msg) = module_return
bb602c
+                if status:
bb602c
+                    log.debug1(msg)
bb602c
 
bb602c
         # error case: revert rules
bb602c
         if error:
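Review bot: `log.debug1(msg)` records a module that failed to load for a transaction only at debug level, while the same condition in fw.py is logged with `log.warning`; an administrator whose rule lost a required match or helper module will not see it unless debug logging is enabled. Raise it to `log.warning("Failed to load modules %s: %s" % (modules, msg))` (or whichever level fw.py settles on) so the message also names the requested modules, since `msg` comes from the modules backend and may not identify them. `if module_return:` is now always true because `handle_modules` returns a tuple on every path (second hunk of fw.py), so the two checks can collapse into `(status, msg) = self.fw.handle_modules(modules, enable)` followed by `if status:`. `errorMsg` is no longer assigned in this branch; whether it is still read elsewhere in the method is outside the hunk.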
bb602c
diff --git a/src/tests/functions.at b/src/tests/functions.at
bb602c
index 209f0f5d2ea9..17ca6c9fc052 100644
bb602c
--- a/src/tests/functions.at
bb602c
+++ b/src/tests/functions.at
bb602c
@@ -143,6 +143,7 @@ m4_define([FWD_END_TEST], [
bb602c
         IF_IPV6_SUPPORTED([], [
bb602c
             sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
bb602c
         ])
bb602c
+        sed -i "/modprobe: ERROR:/d" ./firewalld.log
bb602c
         if test x"$1" != x"ignore"; then
bb602c
             if test -n "$1"; then
bb602c
                 sed -i $1 ./firewalld.log
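Review bot: `sed -i "/modprobe: ERROR:/d"` deletes every modprobe error line from firewalld.log for every test before the log is checked, so a test whose rules genuinely depend on a module that failed to load will pass with the failure hidden rather than being reported. Unlike the IPv6 filter just above it, this one is not guarded by a capability check; consider gating it on a similar `IF_...` condition or at least adding a comment stating why it is unconditional, e.g. `# module loading is non-fatal since the fix for #430/#519; modprobe errors are expected in containers and CONFIG_MODULES=n kernels`. The `FWD_END_TEST` macro begins before the hunk.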
bb602c
-- 
2.23.0