Blame SOURCES/firewalld-0.7-0001-nftables-rpfilter-collapse-log-and-drop-into-same-ru.patch

From dc5771fe648410f8097fe68003e6449f20470d04 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Thu, 20 Dec 2018 15:55:01 -0500
Subject: [PATCH 1/8] nftables: rpfilter: collapse log and drop into same rule
(cherry picked from commit 759680552bef435ae4142a2e2bd5591e5f00ae50)
---
 src/firewall/core/nftables.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index d0d1f6d1610d..72f2180ec504 100644
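--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1230,16 +1230,15 @@ class nftables(object):
         return rules
 
     def build_rpfilter_rules(self, log_denied=False):
+        rule_fragment = ["meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif",
+                         "oif", "missing"]
+        if log_denied != "off":
+            rule_fragment += ["log", "prefix", "\"rpfilter_DROP: \""]
+        rule_fragment += ["drop"]
+
         rules = []
         rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
-                      "raw_%s" % "PREROUTING",
-                      "meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif",
-                      "oif", "missing", "drop"])
-        if log_denied != "off":
-            rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
-                          "raw_%s" % "PREROUTING",
-                          "meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif",
-                          "oif", "missing", "log", "prefix", "\"rpfilter_DROP: \""])
+                      "raw_%s" % "PREROUTING"] + rule_fragment)
         rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME,
                       "raw_%s" % "PREROUTING",
                       "icmpv6", "type", "{ nd-router-advert, nd-neighbor-solicit }",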
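Review bot: The new `if log_denied != "off":` at the top of build_rpfilter_rules is true for the signature's default `log_denied=False`, so a caller that omits the argument gets the `log prefix "rpfilter_DROP: "` statement on every reverse-path drop. If every caller passes the configured string this is harmless, but the default should say what it means: `def build_rpfilter_rules(self, log_denied="off"):`. Because log and drop now share one rule, a comment above `rule_fragment` such as `# log must precede drop (drop is a terminal verdict); a limit added to this rule would also gate the drop` would help anyone who later wants to rate-limit this log. The function body continues past the end of the hunk.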
-- 
2.18.0