
From 5964984c68b5101c372ce6b067fbe627a7a33d1b Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Tue, 13 Nov 2018 15:30:08 -0500
Subject: [PATCH 18/34] nftables: Use index for ICMP block inversion rules
21c891
(cherry picked from commit 54e1bac809fccbc83540f6151a64aeb1f058c06a)
21c891
---
21c891
 src/firewall/core/fw_zone.py  |  6 -----
21c891
 src/firewall/core/nftables.py | 43 +++++++++--------------------------
21c891
 2 files changed, 11 insertions(+), 38 deletions(-)
21c891
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index db90c32be540..afa4b2ce0022 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1961,12 +1961,6 @@ class FirewallZone(object):
         zone_transaction.add_chain("filter", "INPUT")
         zone_transaction.add_chain("filter", "FORWARD_IN")
 
-        # To satisfy nftables backend rule lookup we must execute pending
-        # rules. See nftables.build_zone_icmp_block_inversion_rules()
-        if enable:
-            zone_transaction.execute(enable)
-            zone_transaction.clear()
-
         for backend in self._fw.enabled_backends():
             if not backend.zones_supported:
                 continue
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 47b1c27dc8cc..a763ed3ec103 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -1066,50 +1066,29 @@ class nftables(object):
     def build_zone_icmp_block_inversion_rules(self, enable, zone):
         table = "filter"
         rules = []
+        add_del = { True: "add", False: "delete" }[enable]
+
         for chain in ["INPUT", "FORWARD_IN"]:
             _zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
                                                zone=zone)
-            # HACK: nft position is actually a handle, so we need to lookup the
-            # handle of the rule we want to insert this after.
-            #
-            # This must be kept in sync with build_zone_chain_rules()
-            #
-            # WARN: This does not work if we haven't executed the transaction
-            # yet, because we don't have a handle for our rule_key!! As such,
-            # we execute transactions before calling this function.
-            #
-            rule_key = " ".join(["inet", "%s" % TABLE_NAME,
-                                 "%s_%s" % (table, _zone),
-                                 "jump", "%s_%s_allow" % (table, _zone)])
-            rule_handle = self.rule_to_handle[rule_key]
 
             if self._fw.zone.query_icmp_block_inversion(zone):
                 ibi_target = "%%REJECT%%"
             else:
                 ibi_target = "accept"
 
-            if enable:
-                # FIXME: can we get rid of position ?
-                rule = ["add", "rule", "inet", "%s" % TABLE_NAME,
-                        "%s_%s" % (table, _zone), "position", rule_handle]
-            else:
-                rule = ["delete", "rule", "inet", "%s" % TABLE_NAME,
-                        "%s_%s" % (table, _zone)]
-            rule += ["%%ICMP%%", ibi_target]
-            rules.append(rule)
+            # WARN: index must be kept in sync with build_zone_chain_rules()
+            rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
+                          "%s_%s" % (table, _zone), "index", "2",
+                          "%%ICMP%%", ibi_target])
 
             if self._fw.zone.query_icmp_block_inversion(zone):
                 if self._fw.get_log_denied() != "off":
-                    if enable:
-                        # FIXME: can we get rid of position ?
-                        rule = ["add", "rule", "inet", "%s" % TABLE_NAME,
-                                "%s_%s" % (table, _zone), "position", rule_handle]
-                    else:
-                        rule = ["delete", "rule", "inet", "%s" % TABLE_NAME,
-                                "%s_%s" % (table, _zone)]
-                    rule += ["%%ICMP%%", "%%LOGTYPE%%", "log", "prefix",
-                             "\"%s_%s_ICMP_BLOCK: \"" % (table, _zone)]
-                    rules.append(rule)
+                    # WARN: index must be kept in sync with build_zone_chain_rules()
+                    rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
+                                  "%s_%s" % (table, _zone), "index", "2",
+                                  "%%ICMP%%", "%%LOGTYPE%%", "log", "prefix",
+                                  "\"%s_%s_ICMP_BLOCK: \"" % (table, _zone)])
 
         return rules
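Review bot: The insertion point `"index", "2"` is now a bare literal repeated in both appended rule lists, and correctness rests on the WARN comment being honoured by hand whenever build_zone_chain_rules() reorders its rules; a shared module-level constant (e.g. `ZONE_CHAIN_ICMP_INDEX = "2"`, name constructed) referenced from both functions would make the coupling explicit and greppable. The delete branch also emits `"index", "2"`: nft's `delete rule` addresses rules by handle, so confirm that the backend's delete path drops the index tokens when it derives the rule key for its handle lookup, otherwise the key built here will not match the one recorded when the rule was added (that lookup lives outside this hunk, so this is inferred). `add_del = { True: "add", False: "delete" }[enable]` reads more naturally as `add_del = "add" if enable else "delete"`.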
 
-- 
2.18.0