commit 2f435f7ab1e85bf958fd3ad933f6837bdcd5c5c3

Author: Thomas Woerner <twoerner@redhat.com>

Date:   Tue Feb 11 14:11:07 2014 +0100

    firewall-cmd: Create and remove permanent zones, services and icmptypes

diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml

index 41132ff..b1b1a15 100644

--- a/doc/xml/firewall-cmd.xml

+++ b/doc/xml/firewall-cmd.xml

@@ -10,7 +10,7 @@

   This file is part of firewalld.

-  Copyright (C) 2010-2013 Red Hat, Inc.

+  Copyright (C) 2010-2014 Red Hat, Inc.

   Authors:

   Thomas Woerner <twoerner@redhat.com>

@@ -271,6 +271,24 @@

 	    </para>

 	  </listitem>

 	</varlistentry>

+

+	<varlistentry>

+          <term><option>--permanent</option> <option>--new-zone</option>=<replaceable>zone</replaceable></term>

+          <listitem>

+            <para>

+              Add a new permanent zone.

+            </para>

+          </listitem>

+	</varlistentry>

+

+	<varlistentry>

+          <term><option>--permanent</option> <option>--delete-zone</option>=<replaceable>zone</replaceable></term>

+          <listitem>

+            <para>

+              Delete an existing permanent zone.

+            </para>

+          </listitem>

+	</varlistentry>

       </variablelist>

     </refsect2>

@@ -698,6 +716,52 @@

       </variablelist>

     </refsect2>

+    <refsect2 id="service_options">

+      <title>Service Options</title>

+      <variablelist>

+       <varlistentry>

+         <term><option>--permanent</option> <option>--new-service</option>=<replaceable>service</replaceable></term>

+         <listitem>

+           <para>

+             Add a new permanent service.

+           </para>

+         </listitem>

+       </varlistentry>

+

+       <varlistentry>

+         <term><option>--permanent</option> <option>--delete-service</option>=<replaceable>service</replaceable></term>

+         <listitem>

+           <para>

+             Delete an existing permanent service.

+           </para>

+         </listitem>

+       </varlistentry>

+      </variablelist>

+    </refsect2>

+

+    <refsect2 id="icmptype_options">

+      <title>Internet Control Message Protocol (ICMP) type Options</title>

+      <variablelist>

+       <varlistentry>

+         <term><option>--permanent</option> <option>--new-icmptype</option>=<replaceable>icmptype</replaceable></term>

+         <listitem>

+           <para>

+             Add a new permanent icmptype.

+           </para>

+         </listitem>

+       </varlistentry>

+

+       <varlistentry>

+         <term><option>--permanent</option> <option>--delete-icmptype</option>=<replaceable>icmptype</replaceable></term>

+         <listitem>

+           <para>

+             Delete an existing permanent icmptype.

+           </para>

+         </listitem>

+       </varlistentry>

+      </variablelist>

+    </refsect2>

+

     <refsect2 id="direct_options">

       <title>Direct Options</title>

       <para>

diff --git a/src/firewall-cmd b/src/firewall-cmd

index bdb7dbe..3316883 100755

--- a/src/firewall-cmd

+++ b/src/firewall-cmd

@@ -29,7 +29,7 @@ import argparse

 import dbus

 import os

-from firewall.client import FirewallClient

+from firewall.client import *

 from firewall.errors import *

 from firewall.functions import joinArgs

@@ -86,9 +86,23 @@ Zone Options

   --get-zone-of-source=<source>[/<mask>]

                        Print name of the zone the source[/mask] is bound to [P]

   --list-all-zones     List everything added for or enabled in all zones [P]

+  --new-zone=<zone>    Add a new zone [P only]

+  --delete-zone=<zone> Delete an existing zone [P only]

   --zone=<zone>        Use this zone to set or query options, else default zone

                        Usable for options maked with [Z]

+IcmpType Options

+  --new-icmptype=<icmptype>

+                       Add a new icmptype [P only]

+  --delete-icmptype=<icmptype>

+                       Delete and existing icmptype [P only]

+

+Service Options

+  --new-service=<service>

+                       Add a new service [P only]

+  --delete-service=<service>

+                       Delete and existing service [P only]

+

 Options to Adapt and Query Zones

   --list-all           List everything added for or enabled in a zone [P] [Z]

   --list-services      List services added for a zone [P] [Z]

@@ -373,6 +387,14 @@ parser_group_standalone.add_argument("--get-zone-of-interface", metavar="<iface>

 parser_group_standalone.add_argument("--get-zone-of-source", metavar="<source>")

 parser_group_standalone.add_argument("--list-all-zones", action="store_true")

+parser_group_config = parser.add_mutually_exclusive_group()

+parser_group_config.add_argument("--new-icmptype", metavar="<icmptype>")

+parser_group_config.add_argument("--delete-icmptype", metavar="<icmptype>")

+parser_group_config.add_argument("--new-service", metavar="<service>")

+parser_group_config.add_argument("--delete-service", metavar="<service>")

+parser_group_config.add_argument("--new-zone", metavar="<zone>")

+parser_group_config.add_argument("--delete-zone", metavar="<zone>")

+

 parser_group_lockdown_whitelist = parser.add_mutually_exclusive_group()

 parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-commands", action="store_true")

 parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-command", metavar="<command>")

@@ -512,6 +534,7 @@ options_zone_adapt_query = \

     a.add_rich_rule or a.remove_rich_rule or a.query_rich_rule or \

     a.add_masquerade or a.remove_masquerade or a.query_masquerade or \

     a.list_services or a.list_ports or a.list_icmp_blocks or \

+    a.list_forward_ports or a.list_rich_rules or a.list_all or \

     a.list_forward_ports or a.list_rich_rules or a.list_all

 options_zone_ops = options_zone_interfaces_sources or \

@@ -521,6 +544,10 @@ options_zone = a.zone or a.timeout or options_zone_ops

 options_permanent = a.permanent or options_config or a.zone or options_zone_ops

+options_permanent_only = a.new_icmptype or a.delete_icmptype or \

+                         a.new_service or a.delete_service or \

+                         a.new_zone or a.delete_zone

+

 options_direct = a.passthrough or \

            a.add_chain or a.remove_chain or a.query_chain or \

            a.get_chains or a.get_all_chains or \

@@ -543,15 +570,18 @@ options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \

 # Check various impossible combinations of options

 if not (options_standalone or options_zone or \

-        options_permanent or options_direct or options_direct_permanent):

+        options_permanent or options_direct or options_direct_permanent or \

+        options_permanent_only):

     __fail(parser.format_usage() + "No option specified.")

 if options_standalone and (options_zone or options_permanent or \

-                               options_direct or options_direct_permanent):

+                           options_direct or options_direct_permanent or \

+                           options_permanent_only):

     __fail(parser.format_usage() +

            "Can't use stand-alone options with other options.")

-if (options_direct or options_direct_permanent) and (options_zone):

+if (options_direct or options_direct_permanent or options_permanent_only) and \

+   (options_zone):

     __fail(parser.format_usage() +

            "Can't use 'direct' options with other options.")

@@ -564,6 +594,10 @@ if options_direct_permanent and not a.permanent:

     __fail(parser.format_usage() +

            "Option can be used only with --permanent.")

+if options_permanent_only and not a.permanent:

+    __fail(parser.format_usage() +

+           "Option can be used only with --permanent.")

+

 if options_config and options_zone:

     __fail(parser.format_usage() +

            "Wrong usage of --get-zones | --get-services | --get-icmptypes.")

@@ -625,6 +659,30 @@ if a.permanent:

         l = [fw.config().getIcmpType(i).get_property("name") for i in icmptypes]

         __print_and_exit(" ".join(sorted(l)))

+    elif a.new_zone:

+        config = fw.config()

+        config.addZone(a.new_zone, FirewallClientZoneSettings())

+

+    elif a.delete_zone:

+        zone = fw.config().getZoneByName(a.delete_zone)

+        zone.remove()

+

+    elif a.new_service:

+        config = fw.config()

+        config.addService(a.new_service, FirewallClientServiceSettings())

+

+    elif a.delete_service:

+        service = fw.config().getServiceByName(a.delete_service)

+        service.remove()

+

+    elif a.new_icmptype:

+        config = fw.config()

+        config.addIcmpType(a.new_icmptype, FirewallClientIcmpTypeSettings())

+

+    elif a.delete_icmptype:

+        icmptype = fw.config().getIcmpTypeByName(a.delete_icmptype)

+        icmptype.remove()

+

     # lockdown whitelist

     elif options_lockdown_whitelist:

commit b270c28945aa0f96e82f2f11a29370a3d57ded03

Author: Thomas Woerner <twoerner@redhat.com>

Date:   Tue Feb 11 13:00:16 2014 +0100

    FirewallClientZoneSettings: Set proper default target

    The default target was set to "" instread of DEFAULT_ZONE_TARGET.

diff --git a/src/firewall/client.py b/src/firewall/client.py

index c557b4f..3168887 100644

--- a/src/firewall/client.py

+++ b/src/firewall/client.py

@@ -30,6 +30,7 @@ import slip.dbus

 from firewall.config import *

 from firewall.config.dbus import *

+from firewall.core.base import DEFAULT_ZONE_TARGET

 from firewall.dbus_utils import dbus_to_python

 import dbus

 from decorator import decorator

@@ -79,8 +80,8 @@ class FirewallClientZoneSettings(object):

         if settings:

             self.settings = settings

         else:

-            self.settings = ["", "", "", False, "", [], [], [], False, [],

-                             [], [], []]

+            self.settings = ["", "", "", False, DEFAULT_ZONE_TARGET, [], [],

+                             [], False, [], [], [], []]

     @handle_exceptions

     def __repr__(self):

commit 89e034763e98024a81b3018cecd3058af9cce84f

Author: Thomas Woerner <twoerner@redhat.com>

Date:   Tue Feb 11 14:11:28 2014 +0100

    Fixed creation and deletion of zones, services and icmptypes over D-Bus signals

diff --git a/src/firewall-config b/src/firewall-config

index 363e89c..a00a794 100755

--- a/src/firewall-config

+++ b/src/firewall-config

@@ -1,7 +1,7 @@

 #!/usr/bin/python

 # -*- coding: utf-8 -*-

 #

-# Copyright (C) 2011-2012 Red Hat, Inc.

+# Copyright (C) 2011-2014 Red Hat, Inc.

 #

 # Authors:

 # Thomas Woerner <twoerner@redhat.com>

@@ -912,7 +912,6 @@ class FirewallConfig(object):

         self.fw.connect("direct:rule-removed", self.direct_rule_removed_cb)

         self.fw.connect("config:direct:updated", self.direct_updated_cb)

-        # TODO: zone-added, zone-removed

         self.fw.connect("config:zone-added", self.conf_zone_added_cb)

         self.fw.connect("config:zone-updated", self.conf_zone_updated_cb)

         self.fw.connect("config:zone-removed", self.conf_zone_removed_cb)

@@ -1580,7 +1579,7 @@ class FirewallConfig(object):

     def conf_zone_added_cb(self, zone):

         if self.runtime_view:

             return

-        self.load_zones()

+        self.zoneStore.append([zone, Pango.Weight.NORMAL])

     def conf_zone_updated_cb(self, zone):

         if self.runtime_view or zone != self.get_active_zone():

@@ -3500,20 +3499,20 @@ class FirewallConfig(object):

     def conf_service_added_cb(self, service):

         if self.runtime_view:

             return

-        self.serviceStore.append([False, service])

+        self.serviceConfServiceStore.append([service])

-    def conf_service_updated_cb(self, zone):

+    def conf_service_updated_cb(self, service):

         self.onChangeService()

     def conf_service_removed_cb(self, service):

         if self.runtime_view:

             return

-        iter = self.serviceStore.get_iter_first()

+        iter = self.serviceConfServiceStore.get_iter_first()

         while iter:

-            if self.serviceStore.get_value(iter, 1) == service:

-                self.serviceStore.remove(iter)

+            if self.serviceConfServiceStore.get_value(iter, 0) == service:

+                self.serviceConfServiceStore.remove(iter)

                 break

-            iter = self.serviceStore.iter_next(iter)

+            iter = self.serviceConfServiceStore.iter_next(iter)

     def onServiceConfAddService(self, *args):

         self.add_edit_service(True)

@@ -4066,7 +4065,7 @@ class FirewallConfig(object):

             return

         if not self.show_icmp_types:

             return

-        self.icmpStore.append([False, icmp])

+        self.icmpDialogIcmpStore.append([icmp])

     def conf_icmp_updated_cb(self, zone):

         if self.runtime_view:

@@ -4080,12 +4079,12 @@ class FirewallConfig(object):

             return

         if not self.show_icmp_types:

             return

-        iter = self.icmpStore.get_iter_first()

+        iter = self.icmpDialogIcmpStore.get_iter_first()

         while iter:

-            if self.icmpStore.get_value(iter, 1) == icmp:

-                self.icmpStore.remove(iter)

+            if self.icmpDialogIcmpStore.get_value(iter, 0) == icmp:

+                self.icmpDialogIcmpStore.remove(iter)

                 break

-            iter = self.icmpStore.iter_next(iter)

+            iter = self.icmpDialogIcmpStore.iter_next(iter)

     def lockdown_check_cb(self, *args):

         if self.fw.queryLockdown():