|
 |
34791e |
commit 3e0997f5effaec309e03c9c7c639d8243536ad37
|
|
|
34791e |
Author: Thomas Woerner <twoerner@redhat.com>
|
|
|
34791e |
Date: Tue Apr 4 19:03:27 2017 +0200
|
|
|
34791e |
|
|
|
34791e |
Support sctp and dccp in ports, source-ports, forward-ports, helpers and rich rules
|
|
|
34791e |
|
|
|
34791e |
This patch adds support to use ports with the protocols sctp and dccp if also
|
|
|
34791e |
a port id is specified. The use of sctp and dccp is now also allowed in
|
|
|
34791e |
source-ports, forward-ports, helpers and rich language rules.
|
|
|
34791e |
|
|
|
34791e |
The test suite has been expanded to also test the new combinations.
|
|
|
34791e |
|
|
|
34791e |
This fixes RHBZ#1429808
|
|
|
34791e |
|
|
|
34791e |
diff --git a/doc/xml/firewalld.helper.xml b/doc/xml/firewalld.helper.xml
|
|
|
34791e |
index 9de4589..d931e22 100644
|
|
|
34791e |
--- a/doc/xml/firewalld.helper.xml
|
|
|
34791e |
+++ b/doc/xml/firewalld.helper.xml
|
|
|
34791e |
@@ -69,7 +69,7 @@
|
|
|
34791e |
<helper module="<replaceable>nf_conntrack_module</replaceable>" [family="<literal>ipv4</literal>|<literal>ipv6</literal>"]>
|
|
|
34791e |
<short><replaceable>short</replaceable></short>
|
|
|
34791e |
<description><replaceable>description</replaceable></description>
|
|
|
34791e |
- <port <replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>"/>
|
|
|
34791e |
+ <port <replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"/>
|
|
|
34791e |
</helper>
|
|
|
34791e |
</programlisting>
|
|
|
34791e |
</para>
|
|
|
34791e |
@@ -149,7 +149,7 @@
|
|
|
34791e |
<term>protocol="<replaceable>string</replaceable>"</term>
|
|
|
34791e |
<listitem>
|
|
|
34791e |
<para>
|
|
|
34791e |
- The protocol value can either be <option>tcp</option> or <option>udp</option>.
|
|
|
34791e |
+ The protocol value can either be <option>tcp</option>, <option>udp</option>, <option>sctp</option> or <option>dccp</option>.
|
|
|
34791e |
</para>
|
|
|
34791e |
</listitem>
|
|
|
34791e |
</varlistentry>
|
|
|
34791e |
diff --git a/doc/xml/firewalld.service.xml b/doc/xml/firewalld.service.xml
|
|
|
34791e |
index 568555f..425f5a9 100644
|
|
|
34791e |
--- a/doc/xml/firewalld.service.xml
|
|
|
34791e |
+++ b/doc/xml/firewalld.service.xml
|
|
|
34e49f |
@@ -136,7 +136,7 @@
|
|
|
34e49f |
<term>protocol="<replaceable>string</replaceable>"</term>
|
|
|
34e49f |
<listitem>
|
|
|
34e49f |
<para>
|
|
|
34e49f |
- The protocol value can either be <option>tcp</option> or <option>udp</option>.
|
|
|
34e49f |
+ The protocol value can either be <option>tcp</option>, <option>udp</option>, <option>sctp</option> or <option>dccp</option>.
|
|
|
34e49f |
</para>
|
|
|
34e49f |
</listitem>
|
|
|
34e49f |
</varlistentry>
|
|
|
34e49f |
@@ -185,7 +185,7 @@
|
|
|
34e49f |
<term>protocol="<replaceable>string</replaceable>"</term>
|
|
|
34e49f |
<listitem>
|
|
|
34e49f |
<para>
|
|
|
34e49f |
- The protocol value can either be <option>tcp</option> or <option>udp</option>.
|
|
|
34e49f |
+ The protocol value can either be <option>tcp</option>, <option>udp</option>, <option>sctp</option> or <option>dccp</option>.
|
|
|
34e49f |
</para>
|
|
|
34e49f |
</listitem>
|
|
|
34e49f |
</varlistentry>
|
|
|
34791e |
diff --git a/doc/xml/firewalld.zone.xml b/doc/xml/firewalld.zone.xml
|
|
|
34791e |
index 80290e7..c3283c0 100644
|
|
|
34791e |
--- a/doc/xml/firewalld.zone.xml
|
|
|
34791e |
+++ b/doc/xml/firewalld.zone.xml
|
|
|
34791e |
@@ -73,25 +73,25 @@
|
|
|
34e49f |
[ <interface name="<replaceable>string</replaceable>"/> ]
|
|
|
34e49f |
[ <source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|mac="<replaceable>MAC</replaceable>"|ipset="<replaceable>ipset</replaceable>"/> ]
|
|
|
34e49f |
[ <service name="<replaceable>string</replaceable>"/> ]
|
|
|
34e49f |
- [ <port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>"/> ]
|
|
|
34e49f |
+ [ <port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"/> ]
|
|
|
34e49f |
[ <protcol value="<replaceable>protocol</replaceable>"/> ]
|
|
|
34e49f |
[ <icmp-block name="<replaceable>string</replaceable>"/> ]
|
|
|
34e49f |
[ <icmp-block-inversion/> ]
|
|
|
34e49f |
[ <masquerade/> ]
|
|
|
34e49f |
- [ <forward-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>" [to-port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]"] [to-addr="<replaceable>ipv4address</replaceable>"]/> ]
|
|
|
34e49f |
- [ <source-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>"/> ]
|
|
|
34e49f |
+ [ <forward-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>" [to-port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]"] [to-addr="<replaceable>ipv4address</replaceable>"]/> ]
|
|
|
34e49f |
+ [ <source-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"/> ]
|
|
|
34e49f |
[
|
|
|
34e49f |
<rule [family="<literal>ipv4</literal>|<literal>ipv6</literal>"]>
|
|
|
34e49f |
[ <source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|mac="<replaceable>MAC</replaceable>"|ipset="<replaceable>ipset</replaceable>" [invert="<replaceable>True</replaceable>"]/> ]
|
|
|
34e49f |
[ <destination address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]" [invert="<replaceable>True</replaceable>"]/> ]
|
|
|
34e49f |
[
|
|
|
34e49f |
<service name="<replaceable>string</replaceable>"/> |
|
|
|
34e49f |
- <port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>"/> |
|
|
|
34e49f |
+ <port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"/> |
|
|
|
34e49f |
<protocol value="<replaceable>protocol</replaceable>"/> |
|
|
|
34e49f |
<icmp-block name="<replaceable>icmptype</replaceable>"/> |
|
|
|
34791e |
<icmp-type name="<replaceable>icmptype</replaceable>"/> |
|
|
|
34e49f |
<masquerade/> |
|
|
|
34e49f |
- <forward-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>" [to-port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]"] [to-addr="<replaceable>address</replaceable>"]/>
|
|
|
34e49f |
+ <forward-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>" [to-port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]"] [to-addr="<replaceable>address</replaceable>"]/>
|
|
|
34e49f |
]
|
|
|
34e49f |
[ <log [prefix="<replaceable>prefixtext</replaceable>"] [level="<literal>emerg</literal>|<literal>alert</literal>|<literal>crit</literal>|<literal>err</literal>|<literal>warn</literal>|<literal>notice</literal>|<literal>info</literal>|<literal>debug</literal>"]> [<limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/>] </log> ]
|
|
|
34e49f |
[ <audit> [<limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/>] </audit> ]
|
|
|
34791e |
@@ -249,10 +249,10 @@
|
|
|
34e49f |
</varlistentry>
|
|
|
34e49f |
|
|
|
34e49f |
<varlistentry>
|
|
|
34e49f |
- <term>protocol="<literal>tcp</literal>|<literal>udp</literal>"</term>
|
|
|
34e49f |
+ <term>protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"</term>
|
|
|
34e49f |
<listitem>
|
|
|
34e49f |
<para>
|
|
|
34e49f |
- The protocol can either be <replaceable>tcp</replaceable> or <replaceable>udp</replaceable>.
|
|
|
34e49f |
+ The protocol can either be <replaceable>tcp</replaceable>, <option>udp</option>, <option>sctp</option> or <option>dccp</option>.
|
|
|
34e49f |
</para>
|
|
|
34e49f |
</listitem>
|
|
|
34e49f |
</varlistentry>
|
|
|
34791e |
@@ -329,10 +329,10 @@
|
|
|
34e49f |
</varlistentry>
|
|
|
34e49f |
|
|
|
34e49f |
<varlistentry>
|
|
|
34e49f |
- <term>protocol="<literal>tcp</literal>|<literal>udp</literal>"</term>
|
|
|
34e49f |
+ <term>protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"</term>
|
|
|
34e49f |
<listitem>
|
|
|
34e49f |
<para>
|
|
|
34e49f |
- The protocol can either be <replaceable>tcp</replaceable> or <replaceable>udp</replaceable>.
|
|
|
34e49f |
+ The protocol can either be <replaceable>tcp</replaceable>, <option>udp</option>, <option>sctp</option> or <option>dccp</option>.
|
|
|
34e49f |
</para>
|
|
|
34e49f |
</listitem>
|
|
|
34e49f |
</varlistentry>
|
|
|
34791e |
@@ -382,10 +382,10 @@
|
|
|
34e49f |
</varlistentry>
|
|
|
34e49f |
|
|
|
34e49f |
<varlistentry>
|
|
|
34e49f |
- <term>protocol="<literal>tcp</literal>|<literal>udp</literal>"</term>
|
|
|
34e49f |
+ <term>protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"</term>
|
|
|
34e49f |
<listitem>
|
|
|
34e49f |
<para>
|
|
|
34e49f |
- The protocol can either be <replaceable>tcp</replaceable> or <replaceable>udp</replaceable>.
|
|
|
34e49f |
+ The protocol can either be <replaceable>tcp</replaceable>, <option>udp</option>, <option>sctp</option> or <option>dccp</option>.
|
|
|
34e49f |
</para>
|
|
|
34e49f |
</listitem>
|
|
|
34e49f |
</varlistentry>
|
|
|
34791e |
@@ -407,13 +407,13 @@
|
|
|
34e49f |
[ <destination address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]" [invert="<replaceable>True</replaceable>"]/> ]
|
|
|
34e49f |
[
|
|
|
34e49f |
<service name="<replaceable>string</replaceable>"/> |
|
|
|
34e49f |
- <port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>"/> |
|
|
|
34e49f |
+ <port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"/> |
|
|
|
34e49f |
<protocol value="<replaceable>protocol</replaceable>"/> |
|
|
|
34e49f |
<icmp-block name="<replaceable>icmptype</replaceable>"/> |
|
|
|
34791e |
<icmp-type name="<replaceable>icmptype</replaceable>"/> |
|
|
|
34e49f |
<masquerade/> |
|
|
|
34e49f |
- <forward-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>" [to-port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]"] [to-addr="<replaceable>address</replaceable>"]/> |
|
|
|
34e49f |
- <source-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>"/> |
|
|
|
34e49f |
+ <forward-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>" [to-port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]"] [to-addr="<replaceable>address</replaceable>"]/> |
|
|
|
34e49f |
+ <source-port port="<replaceable>portid</replaceable>[-<replaceable>portid</replaceable>]" protocol="<literal>tcp</literal>|<literal>udp</literal>|<literal>sctp</literal>|<literal>dccp</literal>"/> |
|
|
|
34e49f |
]
|
|
|
34e49f |
[ <log [prefix="<replaceable>prefixtext</replaceable>"] [level="<literal>emerg</literal>|<literal>alert</literal>|<literal>crit</literal>|<literal>err</literal>|<literal>warn</literal>|<literal>notice</literal>|<literal>info</literal>|<literal>debug</literal>"]/> [<limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/>] </log> ]
|
|
|
34e49f |
[ <audit> [<limit value="<replaceable>rate</replaceable>/<replaceable>duration</replaceable>"/>] </audit> ]
|
|
|
34791e |
diff --git a/src/firewall-config.glade b/src/firewall-config.glade
|
|
|
34791e |
index 73cee5c..d209a34 100644
|
|
|
34791e |
--- a/src/firewall-config.glade
|
|
|
34791e |
+++ b/src/firewall-config.glade
|
|
|
34791e |
@@ -1263,6 +1263,8 @@
|
|
|
34791e |
<items>
|
|
|
34791e |
<item>tcp</item>
|
|
|
34791e |
<item>udp</item>
|
|
|
34791e |
+ <item>sctp</item>
|
|
|
34791e |
+ <item>dccp</item>
|
|
|
34791e |
</items>
|
|
|
34791e |
<signal name="changed" handler="onForwardChanged" swapped="no"/>
|
|
|
34791e |
</object>
|
|
|
34791e |
@@ -9196,6 +9198,8 @@
|
|
|
34791e |
<items>
|
|
|
34791e |
<item>tcp</item>
|
|
|
34791e |
<item>udp</item>
|
|
|
34791e |
+ <item>sctp</item>
|
|
|
34791e |
+ <item>dccp</item>
|
|
|
34791e |
</items>
|
|
|
34791e |
<signal name="changed" handler="onPortChanged" swapped="no"/>
|
|
|
34791e |
</object>
|
|
|
34791e |
@@ -9597,6 +9601,7 @@
|
|
|
34791e |
<item translatable="yes">- Select -</item>
|
|
|
34791e |
<item>ah</item>
|
|
|
34791e |
<item>esp</item>
|
|
|
34791e |
+ <item>dccp</item>
|
|
|
34791e |
<item>ddp</item>
|
|
|
34791e |
<item>icmp</item>
|
|
|
34791e |
<item>igmp</item>
|
|
|
34791e |
diff --git a/src/firewall/command.py b/src/firewall/command.py
|
|
|
34791e |
index e3adde0..e2d032f 100644
|
|
|
34791e |
--- a/src/firewall/command.py
|
|
|
34791e |
+++ b/src/firewall/command.py
|
|
|
34791e |
@@ -267,9 +267,10 @@ class FirewallCommand(object):
|
|
|
34e49f |
"portid[-portid]%sprotocol" % separator)
|
|
|
34e49f |
if not check_port(port):
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PORT, port)
|
|
|
34e49f |
- if proto not in [ "tcp", "udp" ]:
|
|
|
34e49f |
+ if proto not in [ "tcp", "udp", "sctp", "dccp" ]:
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PROTOCOL,
|
|
|
34e49f |
- "'%s' not in {'tcp'|'udp'}" % proto)
|
|
|
34e49f |
+ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
|
|
|
34e49f |
+ proto)
|
|
|
34e49f |
return (port, proto)
|
|
|
34e49f |
|
|
|
34e49f |
def parse_forward_port(self, value):
|
|
|
34791e |
@@ -301,9 +302,10 @@ class FirewallCommand(object):
|
|
|
34e49f |
|
|
|
34e49f |
if not check_port(port):
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PORT, port)
|
|
|
34e49f |
- if protocol not in [ "tcp", "udp" ]:
|
|
|
34e49f |
+ if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PROTOCOL,
|
|
|
34e49f |
- "'%s' not in {'tcp'|'udp'}" % protocol)
|
|
|
34e49f |
+ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
|
|
|
34e49f |
+ protocol)
|
|
|
34e49f |
if toport and not check_port(toport):
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PORT, toport)
|
|
|
34e49f |
if toaddr and not check_single_address("ipv4", toaddr):
|
|
|
34791e |
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
|
|
|
34791e |
index f32ec22..8dbe59b 100644
|
|
|
34791e |
--- a/src/firewall/core/fw.py
|
|
|
34791e |
+++ b/src/firewall/core/fw.py
|
|
|
34791e |
@@ -989,9 +989,10 @@ class Firewall(object):
|
|
|
34e49f |
def check_tcpudp(self, protocol):
|
|
|
34e49f |
if not protocol:
|
|
|
34e49f |
raise FirewallError(errors.MISSING_PROTOCOL)
|
|
|
34e49f |
- if protocol not in [ "tcp", "udp" ]:
|
|
|
34e49f |
+ if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PROTOCOL,
|
|
|
34e49f |
- "'%s' not in {'tcp'|'udp'}" % protocol)
|
|
|
34e49f |
+ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
|
|
|
34e49f |
+ protocol)
|
|
|
34e49f |
|
|
|
34e49f |
def check_ip(self, ip):
|
|
|
34e49f |
if not functions.checkIP(ip):
|
|
|
34791e |
diff --git a/src/firewall/core/fw_test.py b/src/firewall/core/fw_test.py
|
|
|
34791e |
index 62385e6..9516823 100644
|
|
|
34791e |
--- a/src/firewall/core/fw_test.py
|
|
|
34791e |
+++ b/src/firewall/core/fw_test.py
|
|
|
34791e |
@@ -456,9 +456,10 @@ class Firewall_test(object):
|
|
|
34e49f |
def check_tcpudp(self, protocol):
|
|
|
34e49f |
if not protocol:
|
|
|
34e49f |
raise FirewallError(errors.MISSING_PROTOCOL)
|
|
|
34e49f |
- if not protocol in [ "tcp", "udp" ]:
|
|
|
34e49f |
+ if not protocol in [ "tcp", "udp", "sctp", "dccp" ]:
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PROTOCOL,
|
|
|
34e49f |
- "'%s' not in {'tcp'|'udp'}" % protocol)
|
|
|
34e49f |
+ "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
|
|
|
34e49f |
+ protocol)
|
|
|
34e49f |
|
|
|
34e49f |
def check_ip(self, ip):
|
|
|
34e49f |
if not functions.checkIP(ip):
|
|
|
34791e |
diff --git a/src/firewall/core/io/io_object.py b/src/firewall/core/io/io_object.py
|
|
|
34791e |
index 3ae180a..139439f 100644
|
|
|
34791e |
--- a/src/firewall/core/io/io_object.py
|
|
|
34791e |
+++ b/src/firewall/core/io/io_object.py
|
|
|
34791e |
@@ -292,9 +292,10 @@ def check_port(port):
|
|
|
34e49f |
"'%s' is invalid port range" % port)
|
|
|
34e49f |
|
|
|
34e49f |
def check_tcpudp(protocol):
|
|
|
34e49f |
- if protocol not in [ "tcp", "udp" ]:
|
|
|
34e49f |
+ if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PROTOCOL,
|
|
|
34e49f |
- "'%s' not from {'tcp'|'udp'}" % protocol)
|
|
|
34e49f |
+ "'%s' not from {'tcp'|'udp'|'sctp'|'dccp'}" % \
|
|
|
34e49f |
+ protocol)
|
|
|
34e49f |
|
|
|
34e49f |
def check_protocol(protocol):
|
|
|
34e49f |
if not functions.checkProtocol(protocol):
|
|
|
34791e |
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
|
|
|
34791e |
index b33009f..3adcb4d 100644
|
|
|
34791e |
--- a/src/firewall/core/rich.py
|
|
|
34791e |
+++ b/src/firewall/core/rich.py
|
|
|
34791e |
@@ -576,7 +576,7 @@ class Rich_Rule(object):
|
|
|
34e49f |
elif type(self.element) == Rich_Port:
|
|
|
34e49f |
if not functions.check_port(self.element.port):
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PORT, self.element.port)
|
|
|
34e49f |
- if self.element.protocol not in [ "tcp", "udp" ]:
|
|
|
34e49f |
+ if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
|
|
|
34e49f |
|
|
|
34e49f |
# protocol
|
|
|
34791e |
@@ -611,7 +611,7 @@ class Rich_Rule(object):
|
|
|
34e49f |
elif type(self.element) == Rich_ForwardPort:
|
|
|
34e49f |
if not functions.check_port(self.element.port):
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PORT, self.element.port)
|
|
|
34e49f |
- if self.element.protocol not in [ "tcp", "udp" ]:
|
|
|
34e49f |
+ if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
|
|
|
34e49f |
if self.element.to_port == "" and self.element.to_address == "":
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
|
|
|
34791e |
@@ -631,7 +631,7 @@ class Rich_Rule(object):
|
|
|
34e49f |
elif type(self.element) == Rich_SourcePort:
|
|
|
34e49f |
if not functions.check_port(self.element.port):
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PORT, self.element.port)
|
|
|
34e49f |
- if self.element.protocol not in [ "tcp", "udp" ]:
|
|
|
34e49f |
+ if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
|
|
|
34e49f |
raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
|
|
|
34e49f |
|
|
|
34e49f |
# other element and not empty?
|
|
|
34791e |
diff --git a/src/tests/firewall-cmd_test.sh b/src/tests/firewall-cmd_test.sh
|
|
|
34791e |
index 653c644..ea076a0 100755
|
|
|
34791e |
--- a/src/tests/firewall-cmd_test.sh
|
|
|
34791e |
+++ b/src/tests/firewall-cmd_test.sh
|
|
|
34791e |
@@ -339,6 +339,15 @@ assert_good " --query-port=111-222/udp --zone=${default_zone}"
|
|
|
34e49f |
assert_good "--remove-port 111-222/udp"
|
|
|
34e49f |
assert_bad " --query-port=111-222/udp"
|
|
|
34e49f |
|
|
|
34e49f |
+assert_good " --add-port=5000/sctp"
|
|
|
34e49f |
+assert_good " --query-port=5000/sctp --zone=${default_zone}"
|
|
|
34e49f |
+assert_good "--remove-port 5000/sctp"
|
|
|
34e49f |
+assert_bad " --query-port=5000/sctp"
|
|
|
34e49f |
+assert_good " --add-port=222/dccp"
|
|
|
34e49f |
+assert_good " --query-port=222/dccp --zone=${default_zone}"
|
|
|
34e49f |
+assert_good "--remove-port 222/dccp"
|
|
|
34e49f |
+assert_bad " --query-port=222/dccp"
|
|
|
34e49f |
+
|
|
|
34e49f |
assert_bad "--permanent --add-port=666" # no protocol
|
|
|
34e49f |
assert_bad "--permanent --add-port=666/dummy" # bad protocol
|
|
|
34e49f |
assert_good "--permanent --add-port=666/tcp"
|
|
|
34791e |
@@ -348,6 +357,15 @@ assert_good "--permanent --query-port=111-222/udp"
|
|
|
34e49f |
assert_good "--permanent --remove-port 111-222/udp"
|
|
|
34e49f |
assert_bad "--permanent --query-port=111-222/udp"
|
|
|
34e49f |
|
|
|
34e49f |
+assert_good "--permanent --add-port=5000/sctp"
|
|
|
34e49f |
+assert_good "--permanent --query-port=5000/sctp --zone=${default_zone}"
|
|
|
34e49f |
+assert_good "--permanent --remove-port 5000/sctp"
|
|
|
34e49f |
+assert_bad "--permanent --query-port=5000/sctp"
|
|
|
34e49f |
+assert_good "--permanent --add-port=222/dccp"
|
|
|
34e49f |
+assert_good "--permanent --query-port=222/dccp --zone=${default_zone}"
|
|
|
34e49f |
+assert_good "--permanent --remove-port 222/dccp"
|
|
|
34e49f |
+assert_bad "--permanent --query-port=222/dccp"
|
|
|
34e49f |
+
|
|
|
34e49f |
assert_good " --add-port=80/tcp --add-port 443-444/udp"
|
|
|
34e49f |
assert_good " --query-port=80/tcp --zone=${default_zone}"
|
|
|
34e49f |
assert_good " --query-port=443-444/udp"
|
|
|
34791e |
@@ -488,6 +506,10 @@ assert_good " --add-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
assert_good " --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
|
|
|
34e49f |
assert_good "--remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
assert_bad " --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
+assert_good " --add-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
+assert_good " --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
|
|
|
34e49f |
+assert_good "--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
+assert_bad " --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
|
|
|
34e49f |
assert_bad "--permanent --add-forward-port=666" # no protocol
|
|
|
34e49f |
assert_good "--permanent --add-forward-port=port=11:proto=tcp:toport=22 --zone=${default_zone}"
|
|
|
34791e |
@@ -499,6 +521,10 @@ assert_good "--permanent --add-forward-port=port=55:proto=tcp:toport=66:toadd
|
|
|
34e49f |
assert_good "--permanent --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
assert_good "--permanent --remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
assert_bad "--permanent --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
+assert_good "--permanent --add-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
+assert_good "--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
|
|
|
34e49f |
+assert_good "--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
+assert_bad "--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
|
|
|
34e49f |
assert_good " --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200"
|
|
|
34e49f |
assert_good " --query-forward-port=port=100:proto=tcp:toport=200"
|
|
|
34791e |
@@ -597,6 +623,18 @@ assert_good "--permanent --icmptype=${myicmp} --query-destination=ipv4"
|
|
|
34e49f |
assert_good "--permanent --icmptype=${myicmp} --remove-destination=ipv4"
|
|
|
34e49f |
assert_bad "--permanent --icmptype=${myicmp} --query-destination=ipv4"
|
|
|
34e49f |
|
|
|
34e49f |
+# test sctp and dccp ports
|
|
|
34e49f |
+assert_good "--permanent --service=${myservice} --add-port=666/sctp"
|
|
|
34e49f |
+assert_good "--permanent --service=${myservice} --remove-port=666/sctp"
|
|
|
34e49f |
+assert_good "--permanent --service=${myservice} --remove-port 666/sctp"
|
|
|
34e49f |
+assert_bad "--permanent --service=${myservice} --query-port=666/sctp"
|
|
|
34e49f |
+assert_good "--permanent --service=${myservice} --add-port=999/dccp"
|
|
|
34e49f |
+assert_good "--permanent --service=${myservice} --remove-port=999/dccp"
|
|
|
34e49f |
+assert_good "--permanent --service=${myservice} --remove-port 999/dccp"
|
|
|
34e49f |
+assert_bad "--permanent --service=${myservice} --query-port=999/dccp"
|
|
|
34e49f |
+assert_good "--permanent --service=${myservice} --add-port=666/sctp"
|
|
|
34e49f |
+assert_good "--permanent --service=${myservice} --add-port=999/dccp"
|
|
|
34e49f |
+
|
|
|
34e49f |
# add them to zone
|
|
|
34e49f |
assert_good "--permanent --zone=${myzone} --add-service=${myservice}"
|
|
|
34e49f |
assert_good "--permanent --zone=${myzone} --add-icmp-block=${myicmp}"
|
|
|
34791e |
@@ -906,7 +944,9 @@ good_rules=(
|
|
|
34e49f |
'rule family="ipv4" source address="192.168.1.0/24" masquerade'
|
|
|
34e49f |
'rule family="ipv4" destination address="192.168.1.0/24" masquerade' # masquerade & destination
|
|
|
34e49f |
'rule family="ipv6" masquerade'
|
|
|
34e49f |
- 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"')
|
|
|
34e49f |
+ 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"'
|
|
|
34e49f |
+ 'rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"'
|
|
|
34e49f |
+ 'rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"')
|
|
|
34e49f |
|
|
|
34e49f |
for (( i=0;i<${#good_rules[@]};i++)); do
|
|
|
34e49f |
rule=${good_rules[${i}]}
|
|
|
34791e |
diff --git a/src/tests/firewall-offline-cmd_test.sh b/src/tests/firewall-offline-cmd_test.sh
|
|
|
34791e |
index ee7ffcd..f81c853 100755
|
|
|
34791e |
--- a/src/tests/firewall-offline-cmd_test.sh
|
|
|
34791e |
+++ b/src/tests/firewall-offline-cmd_test.sh
|
|
|
34791e |
@@ -332,6 +332,15 @@ assert_good " --query-port=111-222/udp --zone=${default_zone}"
|
|
|
34e49f |
assert_good "--remove-port 111-222/udp"
|
|
|
34e49f |
assert_bad " --query-port=111-222/udp"
|
|
|
34e49f |
|
|
|
34e49f |
+assert_good " --add-port=5000/sctp"
|
|
|
34e49f |
+assert_good " --query-port=5000/sctp --zone=${default_zone}"
|
|
|
34e49f |
+assert_good "--remove-port 5000/sctp"
|
|
|
34e49f |
+assert_bad " --query-port=5000/sctp"
|
|
|
34e49f |
+assert_good " --add-port=222/dccp"
|
|
|
34e49f |
+assert_good " --query-port=222/dccp --zone=${default_zone}"
|
|
|
34e49f |
+assert_good "--remove-port 222/dccp"
|
|
|
34e49f |
+assert_bad " --query-port=222/dccp"
|
|
|
34e49f |
+
|
|
|
34e49f |
assert_good " --add-port=80/tcp --add-port 443-444/udp"
|
|
|
34e49f |
assert_good " --query-port=80/tcp --zone=${default_zone}"
|
|
|
34e49f |
assert_good " --query-port=443-444/udp"
|
|
|
34791e |
@@ -409,6 +418,10 @@ assert_good " --add-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
assert_good " --query-forward-port port=55:proto=tcp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
|
|
|
34e49f |
assert_good "--remove-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
assert_bad " --query-forward-port=port=55:proto=tcp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
+assert_good " --add-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
+assert_good " --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=${default_zone}"
|
|
|
34e49f |
+assert_good "--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
+assert_bad " --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7"
|
|
|
34e49f |
|
|
|
34e49f |
assert_good " --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200"
|
|
|
34e49f |
assert_good " --query-forward-port=port=100:proto=tcp:toport=200"
|
|
|
34791e |
@@ -494,6 +507,18 @@ assert_good "--icmptype=${myicmp} --query-destination=ipv4"
|
|
|
34e49f |
assert_good "--icmptype=${myicmp} --remove-destination=ipv4"
|
|
|
34e49f |
assert_bad "--icmptype=${myicmp} --query-destination=ipv4"
|
|
|
34e49f |
|
|
|
34e49f |
+# test sctp and dccp ports
|
|
|
34e49f |
+assert_good "--service=${myservice} --add-port=666/sctp"
|
|
|
34e49f |
+assert_good "--service=${myservice} --remove-port=666/sctp"
|
|
|
34e49f |
+assert_good "--service=${myservice} --remove-port 666/sctp"
|
|
|
34e49f |
+assert_bad "--service=${myservice} --query-port=666/sctp"
|
|
|
34e49f |
+assert_good "--service=${myservice} --add-port=999/dccp"
|
|
|
34e49f |
+assert_good "--service=${myservice} --remove-port=999/dccp"
|
|
|
34e49f |
+assert_good "--service=${myservice} --remove-port 999/dccp"
|
|
|
34e49f |
+assert_bad "--service=${myservice} --query-port=999/dccp"
|
|
|
34e49f |
+assert_good "--service=${myservice} --add-port=666/sctp"
|
|
|
34e49f |
+assert_good "--service=${myservice} --add-port=999/dccp"
|
|
|
34e49f |
+
|
|
|
34e49f |
# add them to zone
|
|
|
34e49f |
assert_good "--zone=${myzone} --add-service=${myservice}"
|
|
|
34e49f |
assert_good "--zone=${myzone} --add-icmp-block=${myicmp}"
|
|
|
34791e |
@@ -688,7 +713,9 @@ good_rules=(
|
|
|
34e49f |
'rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirect" level="info" limit value="4/m"'
|
|
|
34e49f |
'rule family="ipv4" source address="192.168.1.0/24" masquerade'
|
|
|
34e49f |
'rule family="ipv6" masquerade'
|
|
|
34e49f |
- 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"')
|
|
|
34e49f |
+ 'rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"'
|
|
|
34e49f |
+ 'rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"'
|
|
|
34e49f |
+ 'rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"')
|
|
|
34e49f |
|
|
|
34e49f |
for (( i=0;i<${#good_rules[@]};i++)); do
|
|
|
34e49f |
rule=${good_rules[${i}]}
|