From 21dae834490f1d004b2468c1532bf78fbf455d9e Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 19 Dec 2018 13:40:22 -0500
Subject: [PATCH 2/8] Add "RFC3964_IPv4" config option
As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses
that correspond to IPv4 addresses that should not be routed over the
public internet.
Defaults to "yes".
(cherry picked from commit fce80236bf38dcdfa4a66cd86e6dc03dd08d7f03)
---
config/firewalld.conf | 7 +++++++
doc/xml/firewalld.conf.xml | 12 ++++++++++++
doc/xml/firewalld.dbus.xml | 10 ++++++++++
src/firewall/config/__init__.py.in | 1 +
src/firewall/core/fw.py | 9 +++++++++
src/firewall/core/io/firewalld_conf.py | 12 +++++++++++-
src/firewall/server/config.py | 20 +++++++++++++++++---
src/tests/dbus/firewalld.conf.at | 2 ++
8 files changed, 69 insertions(+), 4 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 7cb02561fd4d..1dbce81469e0 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -70,3 +70,10 @@ FirewallBackend=nftables
# behavior set this to "no".
# Default: yes
FlushAllOnReload=yes
+
+# RFC3964_IPv4
+# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
+# correspond to IPv4 addresses that should not be routed over the public
+# internet.
+# Defaults to "yes".
+RFC3964_IPv4=yes
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index 600919ae822d..457cadfaa38e 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -171,6 +171,18 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>RFC3964_IPv4</option></term>
+ <listitem>
+ <para>
+ As per RFC 3964, filter IPv6 traffic with 6to4 destination
+ addresses that correspond to IPv4 addresses that should not
+ be routed over the public internet.
+ Defaults to "yes".
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</refsect1>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 132200f3cb42..028d3778e4b6 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2635,6 +2635,16 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry id="FirewallD1.config.Properties.RFC3964_IPv4">
+ <term>FirewallBackend - s - (rw)</term>
+ <listitem>
+ <para>
+ As per RFC 3964, filter IPv6 traffic with 6to4 destination
+ addresses that correspond to IPv4 addresses that should not be
+ routed over the public internet. Valid options are; yes, no.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect3>
</refsect2>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 2cfbef804778..5bb318c5b269 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -131,3 +131,4 @@ FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
FALLBACK_FIREWALL_BACKEND = "nftables"
FALLBACK_FLUSH_ALL_ON_RELOAD = True
+FALLBACK_RFC3964_IPV4 = True
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index e614a4609edc..e8d77f11b2ae 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -309,6 +309,15 @@ class Firewall(object):
log.debug1("FlushAllOnReload is set to '%s'",
self._flush_all_on_reload)
+ if self._firewalld_conf.get("RFC3964_IPv4"):
+ value = self._firewalld_conf.get("RFC3964_IPv4")
+ if value.lower() in [ "no", "false" ]:
+ self._rfc3964_ipv4 = False
+ else:
+ self._rfc3964_ipv4 = True
+ log.debug1("RFC3964_IPv4 is set to '%s'",
+ self._rfc3964_ipv4)
+
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
self._select_firewall_backend(self._firewall_backend)
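Review bot: `self._rfc3964_ipv4` is assigned only inside the `if self._firewalld_conf.get("RFC3964_IPv4"):` guard, so when the key is missing from the parsed config the attribute is never set by this block and a later read would raise AttributeError — unless `__init__`, which starts outside this hunk, initialises it. The FlushAllOnReload block just above has the same shape, so the code may be relying on read() always filling the key in, but an explicit default is cheaper than that assumption: put `self._rfc3964_ipv4 = True` (the documented default, or the FALLBACK_RFC3964_IPV4 constant if firewall.config is imported in this module) before the `if`, and read the value once, `value = self._firewalld_conf.get("RFC3964_IPv4")` followed by `if value:`, instead of calling get() twice. Nothing in this patch consumes `_rfc3964_ipv4`; presumably a later patch in the series applies the filter.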
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 953a6d2618ec..4ba5bf5f218d 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -30,7 +30,8 @@ from firewall.functions import b2u, u2b, PY2
valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls", "LogDenied",
- "AutomaticHelpers", "FirewallBackend", "FlushAllOnReload" ]
+ "AutomaticHelpers", "FirewallBackend", "FlushAllOnReload",
+ "RFC3964_IPv4" ]
class firewalld_conf(object):
def __init__(self, filename):
@@ -81,6 +82,7 @@ class firewalld_conf(object):
self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS)
self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND)
self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no")
+ self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no")
raise
for line in f:
@@ -192,6 +194,14 @@ class firewalld_conf(object):
config.FALLBACK_FLUSH_ALL_ON_RELOAD)
self.set("FlushAllOnReload", str(config.FALLBACK_FLUSH_ALL_ON_RELOAD))
+ value = self.get("RFC3964_IPv4")
+ if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
+ if value is not None:
+ log.warning("RFC3964_IPv4 '%s' is not valid, using default "
+ "value %s", value if value else '',
+ config.FALLBACK_RFC3964_IPV4)
+ self.set("RFC3964_IPv4", str(config.FALLBACK_RFC3964_IPV4))
+
# save to self.filename if there are key/value changes
def write(self):
if len(self._config) < 1:
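Review bot: The fallback written on the missing/invalid path, `self.set("RFC3964_IPv4", str(config.FALLBACK_RFC3964_IPV4))`, stores the string `"True"`, whereas the fallback set on the open-failure path earlier in this patch and the D-Bus getter in server/config.py both use `"yes"`/`"no"`; after a bad value in firewalld.conf, `get("RFC3964_IPv4")` therefore yields `"True"`, which is what write() would persist and what the D-Bus property would report. Use the same representation here: `self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no")`. The FlushAllOnReload line just above has the same quirk, so this is copied rather than new, but both are worth fixing together. The accepted spellings `["yes", "true", "no", "false"]` are also repeated in fw.py and server/config.py within this patch; one module-level tuple shared by the three parsers would keep them from drifting. The enclosing read() method starts outside this hunk.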
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index ba04107fe4a1..971dc7d4a14a 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -107,6 +107,7 @@ class FirewallDConfig(slip.dbus.service.Object):
"AutomaticHelpers": "readwrite",
"FirewallBackend": "readwrite",
"FlushAllOnReload": "readwrite",
+ "RFC3964_IPv4": "readwrite",
})
@handle_exceptions
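Review bot: The D-Bus documentation for the property registered here as `"RFC3964_IPv4": "readwrite"` carries a copy-paste error: the new varlistentry in doc/xml/firewalld.dbus.xml in this same patch is given the id `FirewallD1.config.Properties.RFC3964_IPv4` but its term reads `<term>FirewallBackend - s - (rw)</term>`, so the rendered page would describe FirewallBackend twice and never name RFC3964_IPv4. It should read `<term>RFC3964_IPv4 - s - (rw)</term>`. The property-table entry itself is consistent with its neighbours.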
@@ -487,7 +488,7 @@ class FirewallDConfig(slip.dbus.service.Object):
if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
"LogDenied", "AutomaticHelpers", "FirewallBackend",
- "FlushAllOnReload" ]:
+ "FlushAllOnReload", "RFC3964_IPv4" ]:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
"Property '%s' does not exist" % prop)
@@ -536,6 +537,10 @@ class FirewallDConfig(slip.dbus.service.Object):
if value is None:
value = "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no"
return dbus.String(value)
+ elif prop == "RFC3964_IPv4":
+ if value is None:
+ value = "yes" if config.FALLBACK_RFC3964_IPV4 else "no"
+ return dbus.String(value)
@dbus_handle_exceptions
def _get_dbus_property(self, prop):
@@ -559,6 +564,8 @@ class FirewallDConfig(slip.dbus.service.Object):
return dbus.String(self._get_property(prop))
elif prop == "FlushAllOnReload":
return dbus.String(self._get_property(prop))
+ elif prop == "RFC3964_IPv4":
+ return dbus.String(self._get_property(prop))
else:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
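Review bot: The new `elif prop == "RFC3964_IPv4":` branch in `_get_dbus_property` is byte-identical to the FlushAllOnReload branch directly above it, and from the visible context the one before that returns the same expression too. Folding the string-typed properties into a single test, `elif prop in ("FlushAllOnReload", "RFC3964_IPv4"):` followed by `return dbus.String(self._get_property(prop))`, stops the chain growing by one branch per option; this is a matter of style only and behaviour is unchanged. The method continues outside the hunk.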
@@ -599,7 +606,7 @@ class FirewallDConfig(slip.dbus.service.Object):
for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
"LogDenied", "AutomaticHelpers", "FirewallBackend",
- "FlushAllOnReload" ]:
+ "FlushAllOnReload", "RFC3964_IPv4" ]:
ret[x] = self._get_property(x)
elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
@@ -626,7 +633,8 @@ class FirewallDConfig(slip.dbus.service.Object):
if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls",
"LogDenied", "AutomaticHelpers",
- "FirewallBackend", "FlushAllOnReload" ]:
+ "FirewallBackend", "FlushAllOnReload",
+ "RFC3964_IPv4" ]:
if property_name == "MinimalMark":
try:
int(new_value)
@@ -665,6 +673,12 @@ class FirewallDConfig(slip.dbus.service.Object):
raise FirewallError(errors.INVALID_VALUE,
"'%s' for %s" % \
(new_value, property_name))
+ if property_name == "RFC3964_IPv4":
+ if new_value.lower() not in ["yes", "true", "no", "false"]:
+ raise FirewallError(errors.INVALID_VALUE,
+ "'%s' for %s" % \
+ (new_value, property_name))
+
self.config.get_firewalld_conf().set(property_name, new_value)
self.config.get_firewalld_conf().write()
self.PropertiesChanged(interface_name,
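Review bot: The new check on `new_value.lower()` rejects unknown spellings but then hands the accepted value to `set()` verbatim, so a value such as `TRUE` supplied over D-Bus is written to firewalld.conf as `RFC3964_IPv4=TRUE`, and the readers in fw.py and firewalld_conf.py each re-parse it with their own copy of the `["yes", "true", "no", "false"]` list. Normalising once at this write boundary, `new_value = "yes" if new_value.lower() in ["yes", "true"] else "no"` after the check passes, gives the file and the D-Bus readback one canonical form; the FlushAllOnReload branch above, whose validation starts outside the hunk, would benefit from the same. If `new_value` can arrive as a non-string variant, `.lower()` raises AttributeError before the FirewallError is reached; whether the decorator on the enclosing Set method turns that into a clean D-Bus error is not visible here.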
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 72c61bdc4940..07f6d31de725 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -14,6 +14,7 @@ string "IndividualCalls" : variant string "no"
string "Lockdown" : variant string "no"
string "LogDenied" : variant string "off"
string "MinimalMark" : variant int32 100
+string "RFC3964_IPv4" : variant string "yes"
])
m4_define([_helper], [
@@ -33,6 +34,7 @@ _helper([IndividualCalls], [string:"yes"], [variant string "yes"])
_helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
_helper([FlushAllOnReload], [string:"no"], [variant string "no"])
_helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
+_helper([RFC3964_IPv4], [string:"no"], [variant string "no"])
dnl Note: DefaultZone is RO
m4_undefine([_helper])
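Review bot: The new `_helper([RFC3964_IPv4], [string:"no"], [variant string "no"])` case only shows a valid value being accepted and read back; the patch also adds rejection of anything outside yes/true/no/false in server/config.py, and no test exercises that path. A companion case that sets an invalid value (for example `string:"maybe"`) and expects the call to fail via the FirewallError(errors.INVALID_VALUE) path, followed by a readback showing the previous value is retained, would pin the validation in. How this file expresses an expected-failure case is not visible in the hunk, so the exact macro to use cannot be given here.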
--
2.18.0