diff -up firewalld-0.3.9/doc/man/man1/firewall-offline-cmd.1.RHBZ#1059800 firewalld-0.3.9/doc/man/man1/firewall-offline-cmd.1
--- firewalld-0.3.9/doc/man/man1/firewall-offline-cmd.1.RHBZ#1059800	2014-01-13 17:07:04.000000000 +0100
+++ firewalld-0.3.9/doc/man/man1/firewall-offline-cmd.1	2014-02-26 09:30:43.439191822 +0100
@@ -66,7 +66,7 @@ is not given\&.
 .RS 4
 Disable the firewall by disabling the firewalld service\&.
 .RE
-.SS "General Options"
+.SS "Lokkit Compatibility Options"
 .PP
 \fB\-\-addmodule\fR=\fImodule\fR
 .RS 4
@@ -168,6 +168,813 @@ The
 is the one of the icmp types firewalld supports\&. To get a listing of supported icmp types:
 \fBfirewall\-cmd \-\-get\-icmptypes\fR
 .RE
+.SS "Zone Options"
+.PP
+\fB\-\-get\-default\-zone\fR
+.RS 4
+Print default zone for connections and interfaces\&.
+.RE
+.PP
+\fB\-\-set\-default\-zone\fR=\fIzone\fR
+.RS 4
+Set default zone for connections and interfaces where no zone has been selected\&. Setting the default zone changes the zone for the connections or interfaces, that are using the default zone\&.
+.RE
+.PP
+\fB\-\-get\-zones\fR
+.RS 4
+Print predefined zones as a space separated list\&.
+.RE
+.PP
+\fB\-\-get\-services\fR
+.RS 4
+Print predefined services as a space separated list\&.
+.RE
+.PP
+\fB\-\-get\-icmptypes\fR
+.RS 4
+Print predefined icmptypes as a space separated list\&.
+.RE
+.PP
+\fB\-\-get\-zone\-of\-interface\fR=\fIinterface\fR
+.RS 4
+Print the name of the zone the
+\fIinterface\fR
+is bound to or
+\fIno zone\fR\&.
+.RE
+.PP
+\fB\-\-get\-zone\-of\-source\fR=\fIsource\fR[/\fImask\fR]
+.RS 4
+Print the name of the zone the
+\fIsource\fR[/\fImask\fR]
+is bound to or
+\fIno zone\fR\&.
+.RE
+.PP
+\fB\-\-list\-all\-zones\fR
+.RS 4
+List everything added for or enabled in all zones\&. The output format is:
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+\fIzone1\fR
+  interfaces: \fIinterface1\fR \&.\&.
+  sources: \fIsource1\fR \&.\&.
+  services: \fIservice1\fR \&.\&.
+  ports: \fIport1\fR \&.\&.
+  forward\-ports:
+        \fIforward\-port1\fR
+        \&.\&.
+  icmp\-blocks: \fIicmp\-type1\fR \&.\&.
+  rich rules:
+        \fIrich\-rule1\fR
+        \&.\&.
+\&.\&.
+              
+.fi
+.if n \{\
+.RE
+.\}
+.sp
+.RE
+.PP
+\fB\-\-new\-zone\fR=\fIzone\fR
+.RS 4
+Add a new permanent zone\&.
+.RE
+.PP
+\fB\-\-delete\-zone\fR=\fIzone\fR
+.RS 4
+Delete an existing permanent zone\&.
+.RE
+.PP
+\fB\-\-zone\fR=\fIzone\fR \fB\-\-get\-target\fR
+.RS 4
+Get the target of a permanent zone\&.
+.RE
+.PP
+\fB\-\-zone\fR=\fIzone\fR \fB\-\-set\-target\fR=\fIzone\fR
+.RS 4
+Set the target of a permanent zone\&.
+.RE
+.SS "Options to Adapt and Query Zones"
+.PP
+Options in this section affect only one particular zone\&. If used with
+\fB\-\-zone\fR=\fIzone\fR
+option, they affect the zone
+\fIzone\fR\&. If the option is omitted, they affect default zone (see
+\fB\-\-get\-default\-zone\fR)\&.
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-all\fR
+.RS 4
+List everything added for or enabled in
+\fIzone\fR\&. If zone is omitted, default zone will be used\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-services\fR
+.RS 4
+List services added for
+\fIzone\fR
+as a space separated list\&. If zone is omitted, default zone will be used\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-service\fR=\fIservice\fR
+.RS 4
+Add a service for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. This option can be specified multiple times\&.
+.sp
+The service is one of the firewalld provided services\&. To get a list of the supported services, use
+\fBfirewall\-cmd \-\-get\-services\fR\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-service\-from\-zone\fR=\fIservice\fR
+.RS 4
+Remove a service from
+\fIzone\fR\&. This option can be specified multiple times\&. If zone is omitted, default zone will be used\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-service\fR=\fIservice\fR
+.RS 4
+Return whether
+\fIservice\fR
+has been added for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. Returns 0 if true, 1 otherwise\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-ports\fR
+.RS 4
+List ports added for
+\fIzone\fR
+as a space separated list\&. A port is of the form
+\fIportid\fR[\-\fIportid\fR]/\fIprotocol\fR, it can be either a port and protocol pair or a port range with a protocol\&. If zone is omitted, default zone will be used\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-port\fR=\fIportid\fR[\-\fIportid\fR]/\fIprotocol\fR
+.RS 4
+Add the port for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. This option can be specified multiple times\&.
+.sp
+The port can either be a single port number or a port range
+\fIportid\fR\-\fIportid\fR\&. The protocol can either be
+\fItcp\fR
+or
+\fIudp\fR\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-port\fR=\fIportid\fR[\-\fIportid\fR]/\fIprotocol\fR
+.RS 4
+Remove the port from
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. This option can be specified multiple times\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-port\fR=\fIportid\fR[\-\fIportid\fR]/\fIprotocol\fR
+.RS 4
+Return whether the port has been added for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. Returns 0 if true, 1 otherwise\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-icmp\-blocks\fR
+.RS 4
+List Internet Control Message Protocol (ICMP) type blocks added for
+\fIzone\fR
+as a space separated list\&. If zone is omitted, default zone will be used\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-icmp\-block\fR=\fIicmptype\fR
+.RS 4
+Add an ICMP block for
+\fIicmptype\fR
+for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. This option can be specified multiple times\&.
+.sp
+The
+\fIicmptype\fR
+is the one of the icmp types firewalld supports\&. To get a listing of supported icmp types:
+\fBfirewall\-cmd \-\-get\-icmptypes\fR
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-icmp\-block\fR=\fIicmptype\fR
+.RS 4
+Remove the ICMP block for
+\fIicmptype\fR
+from
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. This option can be specified multiple times\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-icmp\-block\fR=\fIicmptype\fR
+.RS 4
+Return whether an ICMP block for
+\fIicmptype\fR
+has been added for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. Returns 0 if true, 1 otherwise\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-forward\-ports\fR
+.RS 4
+List
+\fIIPv4\fR
+forward ports added for
+\fIzone\fR
+as a space separated list\&. If zone is omitted, default zone will be used\&.
+.sp
+For
+\fIIPv6\fR
+forward ports, please use the rich language\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-forward\-port\fR=port=\fIportid\fR[\-\fIportid\fR]:proto=\fIprotocol\fR[:toport=\fIportid\fR[\-\fIportid\fR]][:toaddr=\fIaddress\fR[/\fImask\fR]]
+.RS 4
+Add the
+\fIIPv4\fR
+forward port for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. This option can be specified multiple times\&.
+.sp
+The port can either be a single port number
+\fIportid\fR
+or a port range
+\fIportid\fR\-\fIportid\fR\&. The protocol can either be
+\fItcp\fR
+or
+\fIudp\fR\&. The destination address is a simple IP address\&.
+.sp
+For
+\fIIPv6\fR
+forward ports, please use the rich language\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-forward\-port\fR=port=\fIportid\fR[\-\fIportid\fR]:proto=\fIprotocol\fR[:toport=\fIportid\fR[\-\fIportid\fR]][:toaddr=\fIaddress\fR[/\fImask\fR]]
+.RS 4
+Remove the
+\fIIPv4\fR
+forward port from
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. This option can be specified multiple times\&.
+.sp
+For
+\fIIPv6\fR
+forward ports, please use the rich language\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-forward\-port\fR=port=\fIportid\fR[\-\fIportid\fR]:proto=\fIprotocol\fR[:toport=\fIportid\fR[\-\fIportid\fR]][:toaddr=\fIaddress\fR[/\fImask\fR]]
+.RS 4
+Return whether the
+\fIIPv4\fR
+forward port has been added for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. Returns 0 if true, 1 otherwise\&.
+.sp
+For
+\fIIPv6\fR
+forward ports, please use the rich language\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-masquerade\fR
+.RS 4
+Enable
+\fIIPv4\fR
+masquerade for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. Masquerading is useful if the machine is a router and machines connected over an interface in another zone should be able to use the first connection\&.
+.sp
+For
+\fIIPv6\fR
+masquerading, please use the rich language\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-masquerade\fR
+.RS 4
+Disable
+\fIIPv4\fR
+masquerade for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&.
+.sp
+For
+\fIIPv6\fR
+masquerading, please use the rich language\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-masquerade\fR
+.RS 4
+Return whether
+\fIIPv4\fR
+masquerading has been enabled for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. Returns 0 if true, 1 otherwise\&.
+.sp
+For
+\fIIPv6\fR
+masquerading, please use the rich language\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-rich\-rules\fR
+.RS 4
+List rich language rules added for
+\fIzone\fR
+as a newline separated list\&. If zone is omitted, default zone will be used\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-rich\-rule\fR=\*(Aq\fIrule\fR\*(Aq
+.RS 4
+Add rich language rule \*(Aq\fIrule\fR\*(Aq for
+\fIzone\fR\&. This option can be specified multiple times\&. If zone is omitted, default zone will be used\&.
+.sp
+For the rich language rule syntax, please have a look at
+\fBfirewalld.richlanguage\fR(5)\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-rich\-rule\fR=\*(Aq\fIrule\fR\*(Aq
+.RS 4
+Remove rich language rule \*(Aq\fIrule\fR\*(Aq from
+\fIzone\fR\&. This option can be specified multiple times\&. If zone is omitted, default zone will be used\&.
+.sp
+For the rich language rule syntax, please have a look at
+\fBfirewalld.richlanguage\fR(5)\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-rich\-rule\fR=\*(Aq\fIrule\fR\*(Aq
+.RS 4
+Return whether a rich language rule \*(Aq\fIrule\fR\*(Aq has been added for
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. Returns 0 if true, 1 otherwise\&.
+.sp
+For the rich language rule syntax, please have a look at
+\fBfirewalld.richlanguage\fR(5)\&.
+.RE
+.SS "Options to Handle Bindings of Interfaces"
+.PP
+Binding an interface to a zone means that this zone settings are used to restrict traffic via the interface\&.
+.PP
+Options in this section affect only one particular zone\&. If used with
+\fB\-\-zone\fR=\fIzone\fR
+option, they affect the zone
+\fIzone\fR\&. If the option is omitted, they affect default zone (see
+\fB\-\-get\-default\-zone\fR)\&.
+.PP
+For a list of predefined zones use
+\fBfirewall\-cmd \-\-get\-zones\fR\&.
+.PP
+An interface name is a string up to 16 characters long, that may not contain
+\fB\*(Aq \*(Aq\fR,
+\fB\*(Aq/\*(Aq\fR,
+\fB\*(Aq!\*(Aq\fR
+and
+\fB\*(Aq*\*(Aq\fR\&.
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-interfaces\fR
+.RS 4
+List interfaces that are bound to zone
+\fIzone\fR
+as a space separated list\&. If zone is omitted, default zone will be used\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-interface\fR=\fIinterface\fR
+.RS 4
+Bind interface
+\fIinterface\fR
+to zone
+\fIzone\fR\&. If zone is omitted, default zone will be used\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-change\-interface\fR=\fIinterface\fR
+.RS 4
+Change zone the interface
+\fIinterface\fR
+is bound to to zone
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. If old and new zone are the same, the call will be ignored without an error\&. If the interface has not been bound to a zone before, it will behave like
+\fB\-\-add\-interface\fR\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-interface\fR=\fIinterface\fR
+.RS 4
+Query whether interface
+\fIinterface\fR
+is bound to zone
+\fIzone\fR\&. Returns 0 if true, 1 otherwise\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-interface\fR=\fIinterface\fR
+.RS 4
+Remove binding of interface
+\fIinterface\fR
+from zone
+\fIzone\fR\&. If zone is omitted, default zone will be used\&.
+.RE
+.SS "Options to Handle Bindings of Sources"
+.PP
+Binding a source to a zone means that this zone settings will be used to restrict traffic from this source\&.
+.PP
+A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6\&. For IPv4, the mask can be a network mask or a plain number\&. For IPv6 the mask is a plain number\&. The use of host names is not supported\&.
+.PP
+Options in this section affect only one particular zone\&. If used with
+\fB\-\-zone\fR=\fIzone\fR
+option, they affect the zone
+\fIzone\fR\&. If the option is omitted, they affect default zone (see
+\fB\-\-get\-default\-zone\fR)\&.
+.PP
+For a list of predefined zones use
+\fBfirewall\-cmd \-\-get\-zones\fR\&.
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-sources\fR
+.RS 4
+List sources that are bound to zone
+\fIzone\fR
+as a space separated list\&. If zone is omitted, default zone will be used\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-source\fR=\fIsource\fR[/\fImask\fR]
+.RS 4
+Bind source
+\fIsource\fR[/\fImask\fR]
+to zone
+\fIzone\fR\&. If zone is omitted, default zone will be used\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-change\-source\fR=\fIsource\fR[/\fImask\fR]
+.RS 4
+Change zone the source
+\fIsource\fR[/\fImask\fR]
+is bound to to zone
+\fIzone\fR\&. If zone is omitted, default zone will be used\&. If old and new zone are the same, the call will be ignored without an error\&. If the source has not been bound to a zone before, it will behave like
+\fB\-\-add\-source\fR\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-source\fR=\fIsource\fR[/\fImask\fR]
+.RS 4
+Query whether the source
+\fIsource\fR[/\fImask\fR]
+is bound to the zone
+\fIzone\fR\&. Returns 0 if true, 1 otherwise\&.
+.RE
+.PP
+[\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-source\fR=\fIsource\fR[/\fImask\fR]
+.RS 4
+Remove binding of source
+\fIsource\fR[/\fImask\fR]
+from zone
+\fIzone\fR\&. If zone is omitted, default zone will be used\&.
+.RE
+.SS "Service Options"
+.PP
+\fB\-\-new\-service\fR=\fIservice\fR
+.RS 4
+Add a new permanent service\&.
+.RE
+.PP
+\fB\-\-delete\-service\fR=\fIservice\fR
+.RS 4
+Delete an existing permanent service\&.
+.RE
+.SS "Internet Control Message Protocol (ICMP) type Options"
+.PP
+\fB\-\-new\-icmptype\fR=\fIicmptype\fR
+.RS 4
+Add a new permanent icmptype\&.
+.RE
+.PP
+\fB\-\-delete\-icmptype\fR=\fIicmptype\fR
+.RS 4
+Delete an existing permanent icmptype\&.
+.RE
+.SS "Direct Options"
+.PP
+The direct options give a more direct access to the firewall\&. These options require user to know basic iptables concepts, i\&.e\&.
+\fItable\fR
+(filter/mangle/nat/\&.\&.\&.),
+\fIchain\fR
+(INPUT/OUTPUT/FORWARD/\&.\&.\&.),
+\fIcommands\fR
+(\-A/\-D/\-I/\&.\&.\&.),
+\fIparameters\fR
+(\-p/\-s/\-d/\-j/\&.\&.\&.) and
+\fItargets\fR
+(ACCEPT/DROP/REJECT/\&.\&.\&.)\&.
+.PP
+Direct options should be used only as a last resort when it\*(Aqs not possible to use for example
+\fB\-\-add\-service\fR=\fIservice\fR
+or
+\fB\-\-add\-rich\-rule\fR=\*(Aq\fIrule\fR\*(Aq\&.
+.PP
+The first argument of each option has to be
+\fIipv4\fR
+or
+\fIipv6\fR
+or
+\fIeb\fR\&. With
+\fIipv4\fR
+it will be for IPv4 (\fBiptables\fR(8)), with
+\fIipv6\fR
+for IPv6 (\fBip6tables\fR(8)) and with
+\fIeb\fR
+for ethernet bridges (\fBebtables\fR(8))\&.
+.PP
+\fB\-\-direct\fR \fB\-\-get\-all\-chains\fR
+.RS 4
+Get all chains added to all tables\&.
+.sp
+This option concerns only chains previously added with
+\fB\-\-direct \-\-add\-chain\fR\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-get\-chains\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR
+.RS 4
+Get all chains added to table
+\fItable\fR
+as a space separated list\&.
+.sp
+This option concerns only chains previously added with
+\fB\-\-direct \-\-add\-chain\fR\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-add\-chain\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR
+.RS 4
+Add a new chain with name
+\fIchain\fR
+to table
+\fItable\fR\&.
+.sp
+There already exist basic chains to use with direct options, for example
+\fIINPUT_direct\fR
+chain (see
+\fIiptables\-save | grep direct\fR
+output for all of them)\&. These chains are jumped into before chains for zones, i\&.e\&. every rule put into
+\fIINPUT_direct\fR
+will be checked before rules in zones\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-remove\-chain\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR
+.RS 4
+Remove the chain with name
+\fIchain\fR
+from table
+\fItable\fR\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-query\-chain\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR
+.RS 4
+Return whether a chain with name
+\fIchain\fR
+exists in table
+\fItable\fR\&. Returns 0 if true, 1 otherwise\&.
+.sp
+This option concerns only chains previously added with
+\fB\-\-direct \-\-add\-chain\fR\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-get\-all\-rules\fR
+.RS 4
+Get all rules added to all chains in all tables as a newline separated list of the priority and arguments\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-get\-rules\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR
+.RS 4
+Get all rules added to chain
+\fIchain\fR
+in table
+\fItable\fR
+as a newline separated list of the priority and arguments\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-add\-rule\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR \fIpriority\fR \fIargs\fR
+.RS 4
+Add a rule with the arguments
+\fIargs\fR
+to chain
+\fIchain\fR
+in table
+\fItable\fR
+with priority
+\fIpriority\fR\&.
+.sp
+The
+\fIpriority\fR
+is used to order rules\&. Priority 0 means add rule on top of the chain, with a higher priority the rule will be added further down\&. Rules with the same priority are on the same level and the order of these rules is not fixed and may change\&. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher for the following\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-remove\-rule\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR \fIpriority\fR \fIargs\fR
+.RS 4
+Remove a rule with
+\fIpriority\fR
+and the arguments
+\fIargs\fR
+from chain
+\fIchain\fR
+in table
+\fItable\fR\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-remove\-rules\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR
+.RS 4
+Remove all rules in the chain with name
+\fIchain\fR
+exists in table
+\fItable\fR\&.
+.sp
+This option concerns only rules previously added with
+\fB\-\-direct \-\-add\-rule\fR
+in this chain\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-query\-rule\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR \fIpriority\fR \fIargs\fR
+.RS 4
+Return whether a rule with
+\fIpriority\fR
+and the arguments
+\fIargs\fR
+exists in chain
+\fIchain\fR
+in table
+\fItable\fR\&. Returns 0 if true, 1 otherwise\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-get\-all\-passthroughs\fR
+.RS 4
+Get all permanent passthrough as a newline separated list of the ipv value and arguments\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-get\-passthroughs\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR }
+.RS 4
+Get all permanent passthrough rules for the ipv value as a newline separated list of the priority and arguments\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-add\-passthrough\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fIargs\fR
+.RS 4
+Add a permanent passthrough rule with the arguments
+\fIargs\fR
+for the ipv value\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-remove\-passthrough\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fIargs\fR
+.RS 4
+Remove a permanent passthrough rule with the arguments
+\fIargs\fR
+for the ipv value\&.
+.RE
+.PP
+\fB\-\-direct\fR \fB\-\-query\-passthrough\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fIargs\fR
+.RS 4
+Return whether a permanent passthrough rule with the arguments
+\fIargs\fR
+exists for the ipv value\&. Returns 0 if true, 1 otherwise\&.
+.RE
+.SS "Lockdown Options"
+.PP
+Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt) or are authenticated using PolicyKit\&. With this feature administrators can lock the firewall configuration so that only applications on lockdown whitelist are able to request firewall changes\&.
+.PP
+The lockdown access check limits D\-Bus methods that are changing firewall rules\&. Query, list and get methods are not limited\&.
+.PP
+The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default\&.
+.PP
+\fB\-\-lockdown\-on\fR
+.RS 4
+Enable lockdown\&. Be careful \- if firewall\-cmd is not on lockdown whitelist when you enable lockdown you won\*(Aqt be able to disable it again with firewall\-cmd, you would need to edit firewalld\&.conf\&.
+.RE
+.PP
+\fB\-\-lockdown\-off\fR
+.RS 4
+Disable lockdown\&.
+.RE
+.PP
+\fB\-\-query\-lockdown\fR
+.RS 4
+Query whether lockdown is enabled\&. Returns 0 if lockdown is enabled, 1 otherwise\&.
+.RE
+.SS "Lockdown Whitelist Options"
+.PP
+The lockdown whitelist can contain
+\fIcommands\fR,
+\fIcontexts\fR,
+\fIusers\fR
+and
+\fIuser ids\fR\&.
+.PP
+If a command entry on the whitelist ends with an asterisk \*(Aq*\*(Aq, then all command lines starting with the command will match\&. If the \*(Aq*\*(Aq is not there the absolute command inclusive arguments must match\&.
+.PP
+Commands for user root and others is not always the same\&. Example: As root
+\fB/bin/firewall\-cmd\fR
+is used, as a normal user
+\fB/usr/bin/firewall\-cmd\fR
+is be used on Fedora\&.
+.PP
+The context is the security (SELinux) context of a running application or service\&. To get the context of a running application use
+\fBps \-e \-\-context\fR\&.
+.PP
+\fBWarning:\fR
+If the context is unconfined, then this will open access for more than the desired application\&.
+.PP
+The lockdown whitelist entries are checked in the following order:
+.RS 4
+1\&. \fIcontext\fR
+.RE
+.RS 4
+2\&. \fIuid\fR
+.RE
+.RS 4
+3\&. \fIuser\fR
+.RE
+.RS 4
+4\&. \fIcommand\fR
+.RE
+.PP
+\fB\-\-list\-lockdown\-whitelist\-commands\fR
+.RS 4
+List all command lines that are on the whitelist\&.
+.RE
+.PP
+\fB\-\-add\-lockdown\-whitelist\-command\fR=\fIcommand\fR
+.RS 4
+Add the
+\fIcommand\fR
+to the whitelist\&.
+.RE
+.PP
+\fB\-\-remove\-lockdown\-whitelist\-command\fR=\fIcommand\fR
+.RS 4
+Remove the
+\fIcommand\fR
+from the whitelist\&.
+.RE
+.PP
+\fB\-\-query\-lockdown\-whitelist\-command\fR=\fIcommand\fR
+.RS 4
+Query whether the
+\fIcommand\fR
+is on the whitelist\&. Returns 0 if true, 1 otherwise\&.
+.RE
+.PP
+\fB\-\-list\-lockdown\-whitelist\-contexts\fR
+.RS 4
+List all contexts that are on the whitelist\&.
+.RE
+.PP
+\fB\-\-add\-lockdown\-whitelist\-context\fR=\fIcontext\fR
+.RS 4
+Add the context
+\fIcontext\fR
+to the whitelist\&.
+.RE
+.PP
+\fB\-\-remove\-lockdown\-whitelist\-context\fR=\fIcontext\fR
+.RS 4
+Remove the
+\fIcontext\fR
+from the whitelist\&.
+.RE
+.PP
+\fB\-\-query\-lockdown\-whitelist\-context\fR=\fIcontext\fR
+.RS 4
+Query whether the
+\fIcontext\fR
+is on the whitelist\&. Returns 0 if true, 1 otherwise\&.
+.RE
+.PP
+\fB\-\-list\-lockdown\-whitelist\-uids\fR
+.RS 4
+List all user ids that are on the whitelist\&.
+.RE
+.PP
+\fB\-\-add\-lockdown\-whitelist\-uid\fR=\fIuid\fR
+.RS 4
+Add the user id
+\fIuid\fR
+to the whitelist\&.
+.RE
+.PP
+\fB\-\-remove\-lockdown\-whitelist\-uid\fR=\fIuid\fR
+.RS 4
+Remove the user id
+\fIuid\fR
+from the whitelist\&.
+.RE
+.PP
+\fB\-\-query\-lockdown\-whitelist\-uid\fR=\fIuid\fR
+.RS 4
+Query whether the user id
+\fIuid\fR
+is on the whitelist\&. Returns 0 if true, 1 otherwise\&.
+.RE
+.PP
+\fB\-\-list\-lockdown\-whitelist\-users\fR
+.RS 4
+List all user names that are on the whitelist\&.
+.RE
+.PP
+\fB\-\-add\-lockdown\-whitelist\-user\fR=\fIuser\fR
+.RS 4
+Add the user name
+\fIuser\fR
+to the whitelist\&.
+.RE
+.PP
+\fB\-\-remove\-lockdown\-whitelist\-user\fR=\fIuser\fR
+.RS 4
+Remove the user name
+\fIuser\fR
+from the whitelist\&.
+.RE
+.PP
+\fB\-\-query\-lockdown\-whitelist\-user\fR=\fIuser\fR
+.RS 4
+Query whether the user name
+\fIuser\fR
+is on the whitelist\&. Returns 0 if true, 1 otherwise\&.
+.RE
 .SH "SEE ALSO"
 \fBfirewall-applet\fR(1), \fBfirewalld\fR(1), \fBfirewall-cmd\fR(1), \fBfirewall-config\fR(1), \fBfirewalld.conf\fR(5), \fBfirewalld.direct\fR(5), \fBfirewalld.icmptype\fR(5), \fBfirewalld.lockdown-whitelist\fR(5), \fBfirewall-offline-cmd\fR(1), \fBfirewalld.richlanguage\fR(5), \fBfirewalld.service\fR(5), \fBfirewalld.zone\fR(5), \fBfirewalld.zones\fR(5)
 .SH "NOTES"
diff -up firewalld-0.3.9/src/firewall/core/fw_test.py.RHBZ#1059800 firewalld-0.3.9/src/firewall/core/fw_test.py
--- firewalld-0.3.9/src/firewall/core/fw_test.py.RHBZ#1059800	2014-02-26 09:30:43.439191822 +0100
+++ firewalld-0.3.9/src/firewall/core/fw_test.py	2014-02-26 09:30:43.439191822 +0100
@@ -0,0 +1,420 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2010-2012 Red Hat, Inc.
+#
+# Authors:
+# Thomas Woerner <twoerner@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os.path
+import copy
+from firewall.config import *
+from firewall import functions
+from firewall.core.fw_icmptype import FirewallIcmpType
+from firewall.core.fw_service import FirewallService
+from firewall.core.fw_zone import FirewallZone
+from firewall.core.fw_direct import FirewallDirect
+from firewall.core.fw_config import FirewallConfig
+from firewall.core.fw_policies import FirewallPolicies
+from firewall.core.logger import log
+from firewall.core.io.firewalld_conf import firewalld_conf
+from firewall.core.io.direct import Direct
+from firewall.core.io.service import service_reader
+from firewall.core.io.icmptype import icmptype_reader
+from firewall.core.io.zone import zone_reader, Zone
+from firewall.errors import *
+
+############################################################################
+#
+# class Firewall
+#
+############################################################################
+
+class Firewall_test:
+    def __init__(self):
+        self._firewalld_conf = firewalld_conf(FIREWALLD_CONF)
+
+        self.ip4tables_enabled = False
+        self.ip6tables_enabled = False
+        self.ebtables_enabled = False
+
+        self.icmptype = FirewallIcmpType(self)
+        self.service = FirewallService(self)
+        self.zone = FirewallZone(self)
+        self.direct = FirewallDirect(self)
+        self.config = FirewallConfig(self)
+        self.policies = FirewallPolicies()
+
+        self.__init_vars()
+
+    def __repr__(self):
+        return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \
+            (self.__class__, self.ip4tables_enabled, self.ip6tables_enabled,
+             self.ebtables_enabled, self._state, self._panic,
+             self._default_zone, self._module_refcount, self._marks,
+             self._min_mark, self.cleanup_on_exit, self.ipv6_rpfilter_enabled)
+
+    def __init_vars(self):
+        self._state = "INIT"
+        self._panic = False
+        self._default_zone = ""
+        self._module_refcount = { }
+        self._marks = [ ]
+        self._min_mark = FALLBACK_MINIMAL_MARK # will be overloaded by firewalld.conf
+        self.cleanup_on_exit = True
+        self.ipv6_rpfilter_enabled = True
+
+    def start(self):
+        # initialize firewall
+        default_zone = FALLBACK_ZONE
+
+        # load firewalld config
+        log.debug1("Loading firewalld config file '%s'", FIREWALLD_CONF)
+        try:
+            self._firewalld_conf.read()
+        except Exception as msg:
+            log.error("Failed to open firewalld config file '%s': %s",
+                      FIREWALLD_CONF, msg)
+        else:
+            if self._firewalld_conf.get("DefaultZone"):
+                default_zone = self._firewalld_conf.get("DefaultZone")
+            if self._firewalld_conf.get("MinimalMark"):
+                mark = self._firewalld_conf.get("MinimalMark")
+                if mark != None:
+                    try:
+                        self._min_mark = int(mark)
+                    except Exception as msg:
+                        log.error("MinimalMark %s is not valid, using default "
+                                  "value %d", mark, self._min_mark)
+            if self._firewalld_conf.get("CleanupOnExit"):
+                value = self._firewalld_conf.get("CleanupOnExit")
+                if value != None and value.lower() in [ "no", "false" ]:
+                    self.cleanup_on_exit = False
+
+            if self._firewalld_conf.get("Lockdown"):
+                value = self._firewalld_conf.get("Lockdown")
+                if value != None and value.lower() in [ "yes", "true" ]:
+                    log.debug1("Lockdown is enabled")
+                    try:
+                        self.policies.enable_lockdown()
+                    except FirewallError:
+                        # already enabled, this is probably reload
+                        pass
+
+            if self._firewalld_conf.get("IPv6_rpfilter"):
+                value = self._firewalld_conf.get("IPv6_rpfilter")
+                if value != None:
+                    if value.lower() in [ "no", "false" ]:
+                        self.ipv6_rpfilter_enabled = False
+                    if value.lower() in [ "yes", "true" ]:
+                        self.ipv6_rpfilter_enabled = True
+            if self.ipv6_rpfilter_enabled:
+                log.debug1("IPv6 rpfilter is enabled")
+            else:
+                log.debug1("IPV6 rpfilter is disabled")
+
+        self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
+
+        # load lockdown whitelist
+        log.debug1("Loading lockdown whitelist")
+        try:
+            self.policies.lockdown_whitelist.read()
+        except Exception as msg:
+            log.error("Failed to load lockdown whitelist '%s': %s",
+                      self.policies.lockdown_whitelist.filename, msg)
+
+        # copy policies to config interface
+        self.config.set_policies(copy.deepcopy(self.policies))
+
+        # load icmptype files
+        self._loader(FIREWALLD_ICMPTYPES, "icmptype")
+        self._loader(ETC_FIREWALLD_ICMPTYPES, "icmptype")
+
+        if len(self.icmptype.get_icmptypes()) == 0:
+            log.error("No icmptypes found.")
+
+        # load service files
+        self._loader(FIREWALLD_SERVICES, "service")
+        self._loader(ETC_FIREWALLD_SERVICES, "service")
+
+        if len(self.service.get_services()) == 0:
+            log.error("No services found.")
+
+        # load zone files
+        self._loader(FIREWALLD_ZONES, "zone")
+        self._loader(ETC_FIREWALLD_ZONES, "zone")
+
+        if len(self.zone.get_zones()) == 0:
+            log.fatal("No zones found.")
+            sys.exit(1)
+
+        # check minimum required zones
+        error = False
+        for z in [ "block", "drop", "trusted" ]:
+            if not z in self.zone.get_zones():
+                log.fatal("Zone '%s' is not available.", z)
+                error = True
+        if error:
+            sys.exit(1)
+
+        # load direct rules
+        obj = Direct(FIREWALLD_DIRECT)
+        if os.path.exists(FIREWALLD_DIRECT):
+            log.debug1("Loading direct rules file '%s'" % FIREWALLD_DIRECT)
+            try:
+                obj.read()
+            except Exception as msg:
+                log.debug1("Failed to load direct rules file '%s': %s",
+                           FIREWALLD_DIRECT, msg)
+        self.config.set_direct(copy.deepcopy(obj))
+
+        # check if default_zone is a valid zone
+        if default_zone not in self.zone.get_zones():
+            if "public" in self.zone.get_zones():
+                zone = "public"
+            elif "external" in self.zone.get_zones():
+                zone = "external"
+            else:
+                zone = "block" # block is a base zone, therefore it has to exist
+
+            log.error("Default zone '%s' is not valid. Using '%s'.",
+                      default_zone, zone)
+            default_zone = zone
+        else:
+            log.debug1("Using default zone '%s'", default_zone)
+
+        self._default_zone = self.check_zone(default_zone)
+
+        self._state = "RUNNING"
+
+    def _loader(self, path, reader_type, combine=False):
+        # combine: several zone files are getting combined into one obj
+        if not os.path.isdir(path):
+            return
+
+        if combine == True:
+            if path.startswith(ETC_FIREWALLD) and reader_type == "zone":
+                combined_zone = Zone()
+                combined_zone.name = os.path.basename(path)
+                combined_zone.check_name(combined_zone.name)
+                combined_zone.path = path
+                combined_zone.default = False
+            else:
+                combine = False
+
+        for filename in sorted(os.listdir(path)):
+            if not filename.endswith(".xml"):
+                if path.startswith(ETC_FIREWALLD) and \
+                        reader_type == "zone" and \
+                        os.path.isdir("%s/%s" % (path, filename)):
+                    self._loader("%s/%s" % (path, filename), reader_type,
+                                 combine=True)
+                continue
+
+            name = "%s/%s" % (path, filename)
+            log.debug1("Loading %s file '%s'", reader_type, name)
+            try:
+                if reader_type == "icmptype":
+                    obj = icmptype_reader(filename, path)
+                    if obj.name in self.icmptype.get_icmptypes():
+                        orig_obj = self.icmptype.get_icmptype(obj.name)
+                        log.debug1("  Overloads %s '%s' ('%s/%s')", reader_type,
+                                   orig_obj.name, orig_obj.path,
+                                   orig_obj.filename)
+                        self.icmptype.remove_icmptype(orig_obj.name)
+                    self.icmptype.add_icmptype(obj)
+                    # add a deep copy to the configuration interface
+                    self.config.add_icmptype(copy.deepcopy(obj))
+                elif reader_type == "service":
+                    obj = service_reader(filename, path)
+                    if obj.name in self.service.get_services():
+                        orig_obj = self.service.get_service(obj.name)
+                        log.debug1("  Overloads %s '%s' ('%s/%s')", reader_type,
+                                   orig_obj.name, orig_obj.path,
+                                   orig_obj.filename)
+                        self.service.remove_service(orig_obj.name)
+                    self.service.add_service(obj)
+                    # add a deep copy to the configuration interface
+                    self.config.add_service(copy.deepcopy(obj))
+                elif reader_type == "zone":
+                    obj = zone_reader(filename, path)
+                    if combine:
+                        # Change name for permanent configuration
+                        obj.name = "%s/%s" % (
+                            os.path.basename(path),
+                            os.path.basename(filename)[0:-4])
+                        obj.check_name(obj.name)
+                    # Copy object before combine
+                    config_obj = copy.deepcopy(obj)
+                    if obj.name in self.zone.get_zones():
+                        orig_obj = self.zone.get_zone(obj.name)
+                        self.zone.remove_zone(orig_obj.name)
+                        if orig_obj.combined:
+                            log.debug1("  Combining %s '%s' ('%s/%s')",
+                                        reader_type, obj.name,
+                                        path, filename)
+                            obj.combine(orig_obj)
+                        else:
+                            log.debug1("  Overloads %s '%s' ('%s/%s')",
+                                       reader_type,
+                                       orig_obj.name, orig_obj.path,
+                                       orig_obj.filename)
+                    self.config.add_zone(config_obj)
+                    if combine:
+                        log.debug1("  Combining %s '%s' ('%s/%s')",
+                                   reader_type, combined_zone.name,
+                                   path, filename)
+                        combined_zone.combine(obj)
+                    else:
+                        self.zone.add_zone(obj)
+                else:
+                    log.fatal("Unknown reader type %s", reader_type)
+            except FirewallError as msg:
+                log.error("Failed to load %s file '%s': %s", reader_type,
+                          name, msg)
+            except Exception as msg:
+                log.error("Failed to load %s file '%s':", reader_type, name)
+                log.exception()
+
+        if combine == True and combined_zone.combined == True:
+            if combined_zone.name in self.zone.get_zones():
+                orig_obj = self.zone.get_zone(combined_zone.name)
+                log.debug1("  Overloading and deactivating %s '%s' ('%s/%s')",
+                           reader_type, orig_obj.name, orig_obj.path,
+                           orig_obj.filename)
+                try:
+                    self.zone.remove_zone(combined_zone.name)
+                except:
+                    pass
+                self.config.forget_zone(combined_zone.name)
+            self.zone.add_zone(combined_zone)
+
+    def cleanup(self):
+        self.icmptype.cleanup()
+        self.service.cleanup()
+        self.zone.cleanup()
+        self.config.cleanup()
+        self.direct.cleanup()
+        self.policies.cleanup()
+        self._firewalld_conf.cleanup()
+        self.__init_vars()
+
+    def stop(self):
+        self.cleanup()
+
+    # check functions
+
+    def check_panic(self):
+        return
+
+    def check_zone(self, zone):
+        _zone = zone
+        if not _zone or _zone == "":
+            _zone = self.get_default_zone()
+        if _zone not in self.zone.get_zones():
+            raise FirewallError(INVALID_ZONE, _zone)
+        return _zone
+
+    def check_interface(self, interface):
+        if not functions.checkInterface(interface):
+            raise FirewallError(INVALID_INTERFACE, interface)
+
+    def check_service(self, service):
+        self.service.check_service(service)
+
+    def check_port(self, port):
+        range = functions.getPortRange(port)
+
+        if range == -2 or range == -1 or range == None or \
+                (len(range) == 2 and range[0] >= range[1]):
+            if range == -2:
+                log.debug2("'%s': port > 65535" % port)
+            elif range == -1:
+                log.debug2("'%s': port is invalid" % port)
+            elif range == None:
+                log.debug2("'%s': port is ambiguous" % port)
+            elif len(range) == 2 and range[0] >= range[1]:
+                log.debug2("'%s': range start >= end" % port)
+            raise FirewallError(INVALID_PORT, port)
+
+    def check_protocol(self, protocol):
+        if not protocol:
+            raise FirewallError(MISSING_PROTOCOL)
+        if not protocol in [ "tcp", "udp" ]:
+            raise FirewallError(INVALID_PROTOCOL, protocol)
+
+    def check_ip(self, ip):
+        if not functions.checkIP(ip):
+            raise FirewallError(INVALID_ADDR, ip)
+
+    def check_address(self, ipv, source):
+        if ipv == "ipv4":
+            if not functions.checkIPnMask(source):
+                raise FirewallError(INVALID_ADDR, source)
+        elif ipv == "ipv6":
+            if not functions.checkIP6nMask(source):
+                raise FirewallError(INVALID_ADDR, source)
+        else:
+            raise FirewallError(INVALID_IPV)
+
+    def check_icmptype(self, icmp):
+        self.icmptype.check_icmptype(icmp)
+
+    # RELOAD
+
+    def reload(self, stop=False):
+        return
+
+    # STATE
+
+    def get_state(self):
+        return self._state
+
+    # PANIC MODE
+
+    def enable_panic_mode(self):
+        return
+
+    def disable_panic_mode(self):
+        return
+
+    def query_panic_mode(self):
+        return (self._panic == True)
+
+    # DEFAULT ZONE
+
+    def get_default_zone(self):
+        return self._default_zone
+
+    def set_default_zone(self, zone):
+        _zone = self.check_zone(zone)
+        if _zone != self._default_zone:
+            _old_dz = self._default_zone
+            self._default_zone = _zone
+            self._firewalld_conf.set("DefaultZone", _zone)
+            self._firewalld_conf.write()
+        else:
+            raise FirewallError(ZONE_ALREADY_SET, _zone)
+
+    # lockdown
+
+    def enable_lockdown(self):
+        self._firewalld_conf.set("Lockdown", "yes")
+        self._firewalld_conf.write()
+        
+    def disable_lockdown(self):
+        self._firewalld_conf.set("Lockdown", "no")
+        self._firewalld_conf.write()
diff -up firewalld-0.3.9/src/firewall/core/io/direct.py.RHBZ#1059800 firewalld-0.3.9/src/firewall/core/io/direct.py
--- firewalld-0.3.9/src/firewall/core/io/direct.py.RHBZ#1059800	2014-02-26 09:30:43.357192830 +0100
+++ firewalld-0.3.9/src/firewall/core/io/direct.py	2014-02-26 09:30:43.440191809 +0100
@@ -199,28 +199,28 @@ class Direct(IO_Object):
                             (chain, table, ipv)
                         + "already in list, ignoring")
 
-#    def remove_chain(self, ipv, table, chain):
-#        key = (ipv, table)
-#        if key in self.chains and chain in self.chains[key]:
-#            self.chains[key].remove(chain)
-#            if len(self.chains[key]) == 0:
-#                del self.chains[key]
-#        else:
-#            raise ValueError( \
-#                "Chain '%s' with table '%s' with ipv '%s' not in list" % \
-#                (chain, table, ipv))
-
-#    def query_chain(self, ipv, table, chain):
-#        key = (ipv, table)
-#        return (key in self.chains and chain in self.chains[key])
-
-#    def get_chains(self, ipv, table):
-#        key = (ipv, table)
-#        if key in self.chains:
-#            return self.chains[key]
-#        else:
-#            raise ValueError("No chains for table '%s' with ipv '%s'" % \
-#                             (table, ipv))
+    def remove_chain(self, ipv, table, chain):
+        key = (ipv, table)
+        if key in self.chains and chain in self.chains[key]:
+            self.chains[key].remove(chain)
+            if len(self.chains[key]) == 0:
+                del self.chains[key]
+        else:
+            raise ValueError( \
+                "Chain '%s' with table '%s' with ipv '%s' not in list" % \
+                (chain, table, ipv))
+
+    def query_chain(self, ipv, table, chain):
+        key = (ipv, table)
+        return (key in self.chains and chain in self.chains[key])
+
+    def get_chains(self, ipv, table):
+        key = (ipv, table)
+        if key in self.chains:
+            return self.chains[key]
+        else:
+            raise ValueError("No chains for table '%s' with ipv '%s'" % \
+                             (table, ipv))
 
     def get_all_chains(self):
         return self.chains
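Review bot: `get_chains` returns `self.chains[key]` itself rather than a copy, so a caller that mutates the result changes the stored direct configuration without going through `add_chain` or `remove_chain`. If that is not intended, return a copy, e.g. `return list(self.chains[key])`; the container type is not visible in this hunk, so confirm it first. The re-enabled methods also have no docstrings. A one-line docstring on `remove_chain` and `get_chains` should state that they raise `ValueError` when the (ipv, table) key or the chain is absent, since the context lines above ("already in list, ignoring") suggest the add path tolerates duplicates instead of raising.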
@@ -240,30 +240,38 @@ class Direct(IO_Object):
                         + "with ipv '%s' and priority %d " % (ipv, priority)
                         + "already in list, ignoring")
 
-#    def remove_rule(self, ipv, table, chain, priority, args):
-#        key = (ipv, table, chain)
-#        value = (priority, tuple(args))
-#        if key in self.rules and value in self.rules[key]:
-#            del self.rules[key][value]
-#            if len(self.rules[key]) == 0:
-#                del self.rules[key]
-#        else:
-#            raise ValueError("Rule '%s' for table '%s' and chain '%s' " % \
-#                ("',".join(args), table, chain) + \
-#                "with ipv '%s' and priority %d not in list" % (ipv, priority))
-
-#    def query_rule(self, ipv, table, chain, priority, args):
-#        key = (ipv, table, chain)
-#        value = (priority, tuple(args))
-#        return (key in self.rules and value in self.rules[key])
-
-#    def get_rules(self, ipv, table, chain):
-#        key = (ipv, table, chain)
-#        if key in self.rules:
-#            return self.rules[key]
-#        else:
-#            raise ValueError("No rules for table '%s' and chain '%s' " %\
-#                             (table, chain) + "with ipv '%s'" % (ipv))
+    def remove_rule(self, ipv, table, chain, priority, args):
+        key = (ipv, table, chain)
+        value = (priority, tuple(args))
+        if key in self.rules and value in self.rules[key]:
+            del self.rules[key][value]
+            if len(self.rules[key]) == 0:
+                del self.rules[key]
+        else:
+            raise ValueError("Rule '%s' for table '%s' and chain '%s' " % \
+                ("',".join(args), table, chain) + \
+                "with ipv '%s' and priority %d not in list" % (ipv, priority))
+
+    def remove_rules(self, ipv, table, chain):
+        key = (ipv, table, chain)
+        if key in self.rules:
+            for value in self.rules[key].keys():
+                del self.rules[key][value]
+            if len(self.rules[key]) == 0:
+                del self.rules[key]
+
+    def query_rule(self, ipv, table, chain, priority, args):
+        key = (ipv, table, chain)
+        value = (priority, tuple(args))
+        return (key in self.rules and value in self.rules[key])
+
+    def get_rules(self, ipv, table, chain):
+        key = (ipv, table, chain)
+        if key in self.rules:
+            return self.rules[key]
+        else:
+            raise ValueError("No rules for table '%s' and chain '%s' " %\
+                             (table, chain) + "with ipv '%s'" % (ipv))
 
     def get_all_rules(self):
         return self.rules
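Review bot: The loop in the new `remove_rules` deletes entries from `self.rules[key]` while iterating over its `.keys()`. That is safe only if `.keys()` returns a copy, and it raises `RuntimeError` on a plain dict under Python 3 (the container type is not visible in this hunk). The loop is also unnecessary, because the following `len(...) == 0` check always ends up deleting the key; `if key in self.rules:` followed by `del self.rules[key]` has the same effect. Unlike `remove_rule`, `remove_rules` silently does nothing when the key is absent, which is worth stating in a docstring.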
@@ -279,25 +287,25 @@ class Direct(IO_Object):
             log.warning("Passthrough '%s' for ipv '%s'" % \
                             ("',".join(args), ipv)
                         + "already in list, ignoring")
-#
-#    def remove_passthrough(self, ipv, args):
-#        if ipv in self.passthroughs and args in self.passthroughs[ipv]:
-#            self.passthroughs[ipv].remove(args)
-#            if len(self.passthroughs[ipv]) == 0:
-#                del self.passthroughs[ipv]
-#        else:
-#            raise ValueError, "Passthrough '%s' for ipv '%s'" % \
-#                ("',".join(args), ipv) + "not in list"
-#
-#    def query_passthrough(self, ipv, args):
-#        return (ipv in self.passthroughs and args in self.passthroughs[ipv])
-#
-#    def get_passthroughs(self, ipv):
-#        if ipv in self.passthroughs:
-#            return self.passthroughs[ipv]
-#        else:
-#            raise ValueError, "No passthroughs for ipv '%s'" % (ipv)
-#
+
+    def remove_passthrough(self, ipv, args):
+        if ipv in self.passthroughs and args in self.passthroughs[ipv]:
+            self.passthroughs[ipv].remove(args)
+            if len(self.passthroughs[ipv]) == 0:
+                del self.passthroughs[ipv]
+        else:
+            raise ValueError, "Passthrough '%s' for ipv '%s'" % \
+                ("',".join(args), ipv) + "not in list"
+
+    def query_passthrough(self, ipv, args):
+        return (ipv in self.passthroughs and args in self.passthroughs[ipv])
+
+    def get_passthroughs(self, ipv):
+        if ipv in self.passthroughs:
+            return self.passthroughs[ipv]
+        else:
+            raise ValueError, "No passthroughs for ipv '%s'" % (ipv)
+
     def get_all_passthroughs(self):
         return self.passthroughs
 
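Review bot: `remove_passthrough` and `get_passthroughs` use the Python 2-only statement form `raise ValueError, "..."`, which is a syntax error under Python 3 and would stop the whole module from importing now that the code is no longer commented out. The methods re-enabled in the earlier hunks of this file already use the call form. Use `raise ValueError("Passthrough '%s' for ipv '%s' not in list" % ("',".join(args), ipv))` and `raise ValueError("No passthroughs for ipv '%s'" % ipv)`. The first rewrite also restores the space missing before "not in list" in the concatenated message.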
diff -up firewalld-0.3.9/src/firewall/core/ipXtables.py.RHBZ#1059800 firewalld-0.3.9/src/firewall/core/ipXtables.py
--- firewalld-0.3.9/src/firewall/core/ipXtables.py.RHBZ#1059800	2013-12-03 14:59:48.000000000 +0100
+++ firewalld-0.3.9/src/firewall/core/ipXtables.py	2014-02-26 09:30:43.440191809 +0100
@@ -153,7 +153,7 @@ class ip4tables:
                 self.__run(["-t", table, "-L"])
                 ret.append(table)
             except ValueError:
-                log.error("%s table '%s' does not exist (or not enough permission to check)." % (self.ipv, table))
+                log.debug1("%s table '%s' does not exist (or not enough permission to check)." % (self.ipv, table))
 
         return ret
 
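Review bot: The `except ValueError` branch covers both a table that does not exist and a check that failed for lack of permission, and after this change neither case is visible above debug level. An operator would want to know if the backend came up with fewer tables than expected because the probe was denied. Consider keeping the missing-table case at `log.debug1` but reporting the permission case at warning level, if `__run` lets the two be told apart (not visible here). The same applies to the ebtables.py hunk below, which lowers `log.warning` to `log.debug1`. The enclosing function starts outside the hunk.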
diff -up firewalld-0.3.9/src/firewall/core/ebtables.py.RHBZ#1059800 firewalld-0.3.9/src/firewall/core/ebtables.py
--- firewalld-0.3.9/src/firewall/core/ebtables.py.RHBZ#1059800	2014-02-26 09:31:12.702831560 +0100
+++ firewalld-0.3.9/src/firewall/core/ebtables.py	2014-02-26 09:31:24.722683430 +0100
@@ -66,7 +66,7 @@ class ebtables:
                 self.__run(["-t", table, "-L"])
                 ret.append(table)
             except ValueError:
-                log.warning("ebtables table '%s' does not exist." % table)
+                log.debug1("ebtables table '%s' does not exist." % table)
 
         return ret
 
diff -up firewalld-0.3.9/src/firewall-offline-cmd.RHBZ#1059800 firewalld-0.3.9/src/firewall-offline-cmd
--- firewalld-0.3.9/src/firewall-offline-cmd.RHBZ#1059800	2013-12-03 14:59:48.000000000 +0100
+++ firewalld-0.3.9/src/firewall-offline-cmd	2014-02-26 09:30:43.442191785 +0100
@@ -1,10 +1,11 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 #
-# Copyright (C) 2009-2012 Red Hat, Inc.
+# Copyright (C) 2009-2014 Red Hat, Inc.
 #
 # Authors:
 # Thomas Woerner <twoerner@redhat.com>
+# Jiri Popelka <jpopelka@redhat.com>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -20,307 +21,346 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-from __future__ import print_function
+from gi.repository import GObject
 import sys
-import os, os.path
-from copy import copy
+sys.modules['gobject'] = GObject
 
-from firewall.config import *
-from firewall.core.io.firewalld_conf import firewalld_conf
-from firewall.core.io.zone import Zone, zone_reader, zone_writer
-from optparse import Option, OptionError, OptionParser, Values, \
-    SUPPRESS_HELP, BadOptionError, OptionGroup
-from firewall.functions import getPortID, getPortRange, getServiceName, \
-    checkIP, checkInterface
+import argparse
+import dbus
+import os
+
+#from firewall.config import *
+from firewall.core.fw_test import Firewall_test
+from firewall.client import *
+from firewall.errors import *
+from firewall.functions import joinArgs
 
 # check for root user
 if os.getuid() != 0:
     print(_("You need to be root to run %s.") % sys.argv[0])
     sys.exit(-1)
 
-def usage():
-    print("Usage: %s -h | --help" % sys.argv[0])
+def __usage():
+    print ("""
+Usage: firewall-offline-cmd [OPTIONS...]
+
+If no options are given, configuration from '/etc/sysconfig/system-config-firewall' will be migrated.
+
+General Options
+  -h, --help           Prints a short help text and exists
+  -V, --version        Print the version string of firewalld
+
+Lokkit Compatibility Options
+  --enabled             Enable firewall (default)
+  --disabled            Disable firewall
+  --addmodule=<module>  Ignored option, was used to enable an iptables module
+  --removemodule=<module>
+                        Ignored option, was used to disable an iptables module
+  -s <service>, --service=<service>
+                        Enable a service in the default zone (example: ssh)
+  --remove-service=<service>
+                        Disable a service in the default zone (example: ssh)
+  -p <port>[-<port>]:<protocol>, --port=<port>[-<port>]:<protocol>
+                        Enable a port in the default zone (example: ssh:tcp)
+  -t <interface>, --trust=<interface>
+                        Bind an interface to the trusted zone
+  -m <interface>, --masq=<interface>
+                        Enables masquerading in the default zone, interface
+                        argument is ignored. This is IPv4 only.
+  --custom-rules=[<type>:][<table>:]<filename>
+                        Ignored option. Was used to add custom rules to the
+                        firewall (Example:
+                        ipv4:filter:/etc/sysconfig/ipv4_filter_addon)
+  --forward-port=if=<interface>:port=<port>:proto=<protocol>[:toport=<destination port>][:toaddr=<destination address>]
+                        Forward the port with protocol for the interface to
+                        either another local destination port (no destination
+                        address given) or to an other destination address with
+                        an optional destination port. This will be added to
+                        the default zone. This is IPv4 only.
+  --block-icmp=<icmp type>
+                        Block this ICMP type in the default zone. The default
+                        is to accept all ICMP types.
+
+Zone Options
+  --get-default-zone   Print default zone for connections and interfaces
+  --set-default-zone=<zone>
+                       Set default zone
+  --get-zones          Print predefined zones
+  --get-services       Print predefined services
+  --get-icmptypes      Print predefined icmptypes
+  --get-zone-of-interface=<interface>
+                       Print name of the zone the interface is bound to
+  --get-zone-of-source=<source>[/<mask>]
+                       Print name of the zone the source[/mask] is bound to
+  --list-all-zones     List everything added for or enabled in all zones
+  --new-zone=<zone>    Add a new zone
+  --delete-zone=<zone> Delete an existing zone
+  --zone=<zone>        Use this zone to set or query options, else default zone
+                       Usable for options maked with [Z]
+  --get-target         Get the zone target
+  --set-target=<target>
+                       Set the zone target
+
+IcmpType Options
+  --new-icmptype=<icmptype>
+                       Add a new icmptype
+  --delete-icmptype=<icmptype>
+                       Delete and existing icmptype
+
+Service Options
+  --new-service=<service>
+                       Add a new service
+  --delete-service=<service>
+                       Delete and existing service
+
+Options to Adapt and Query Zones
+  --list-all           List everything added for or enabled in a zone [Z]
+  --list-services      List services added for a zone [Z]
+  --add-service=<service>
+                       Add a service for a zone [Z]
+  --remove-service-from-zone=<service>
+                       Remove a service from a zone [Z]
+  --query-service=<service>
+                       Return whether service has been added for a zone [Z]
+  --list-ports         List ports added for a zone [Z]
+  --add-port=<portid>[-<portid>]/<protocol>
+                       Add the port for a zone [Z]
+  --remove-port=<portid>[-<portid>]/<protocol>
+                       Remove the port from a zone [Z]
+  --query-port=<portid>[-<portid>]/<protocol>
+                       Return whether the port has been added for zone [Z]
+  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [Z]
+  --add-icmp-block=<icmptype>
+                       Add an ICMP block for a zone [Z]
+  --remove-icmp-block=<icmptype>
+                       Remove the ICMP block from a zone [Z]
+  --query-icmp-block=<icmptype>
+                       Return whether an ICMP block has been added for a zone
+                       [Z]
+  --list-forward-ports List IPv4 forward ports added for a zone [Z]
+  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
+                       Add the IPv4 forward port for a zone [Z]
+  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
+                       Remove the IPv4 forward port from a zone [Z]
+
+
+  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
+                       Return whether the IPv4 forward port has been added for
+                       a zone [Z]
+  --add-masquerade     Enable IPv4 masquerade for a zone [Z]
+  --remove-masquerade  Disable IPv4 masquerade for a zone [Z]
+  --query-masquerade   Return whether IPv4 masquerading has been enabled for a
+                       zone [Z]
+  --list-rich-rules    List rich language rules added for a zone [Z]
+  --add-rich-rule=<rule>
+                       Add rich language rule 'rule' for a zone [Z]
+  --remove-rich-rule=<rule>
+                       Remove rich language rule 'rule' from a zone [Z]
+  --query-rich-rule=<rule>
+                       Return whether a rich language rule 'rule' has been
+                       added for a zone [Z]
+
+Options to Handle Bindings of Interfaces
+  --list-interfaces    List interfaces that are bound to a zone [Z]
+  --add-interface=<interface>
+                       Bind the <interface> to a zone [Z]
+  --change-interface=<interface>
+                       Change zone the <interface> is bound to [Z]
+  --query-interface=<interface>
+                       Query whether <interface> is bound to a zone [Z]
+  --remove-interface=<interface>
+                       Remove binding of <interface> from a zone [Z]
+
+Options to Handle Bindings of Sources
+  --list-sources       List sources that are bound to a zone [Z]
+  --add-source=<source>[/<mask>]
+                       Bind <source>[/<mask>] to a zone [Z]
+  --change-source=<source>[/<mask>]
+                       Change zone the <source>[/<mask>] is bound to [Z]
+  --query-source=<source>[/<mask>]
+                       Query whether <source>[/<mask>] is bound to a zone
+                       [Z]
+  --remove-source=<source>[/<mask>]
+                       Remove binding of <source>[/<mask>] from a zone [Z]
+
+Direct Options
+  --direct             First option for all direct options
+  --get-all-chains
+                       Get all chains
+  --get-chains {ipv4|ipv6|eb} <table>
+                       Get all chains added to the table
+  --add-chain {ipv4|ipv6|eb} <table> <chain>
+                       Add a new chain to the table
+  --remove-chain {ipv4|ipv6|eb} <table> <chain>
+                       Remove the chain from the table
+  --query-chain {ipv4|ipv6|eb} <table> <chain>
+                       Return whether the chain has been added to the table
+  --get-all-rules
+                       Get all rules
+  --get-rules {ipv4|ipv6|eb} <table> <chain>
+                       Get all rules added to chain in table
+  --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
+                       Add rule to chain in table
+  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
+                       Remove rule with priority from chain in table
+  --remove-rules {ipv4|ipv6|eb} <table> <chain>
+                       Remove rules from chain in table
+  --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
+                       Return whether a rule with priority has been added to
+                       chain in table
+  --get-all-passthroughs
+                       Get all passthrough rules
+  --get-passthroughs {ipv4|ipv6|eb} <arg>...
+                       Get passthrough rules
+  --add-passthrough {ipv4|ipv6|eb} <arg>...
+                       Add a new passthrough rule
+  --remove-passthrough {ipv4|ipv6|eb} <arg>...
+                       Remove a passthrough rule
+  --query-passthrough {ipv4|ipv6|eb} <arg>...
+                       Return whether the passthrough rule has been added
+                      
+
+Lockdown Options
+  --lockdown-on        Enable lockdown.
+  --lockdown-off       Disable lockdown.
+  --query-lockdown     Query whether lockdown is enabled
+
+Lockdown Whitelist Options
+  --list-lockdown-whitelist-commands
+                       List all command lines that are on the whitelist
+  --add-lockdown-whitelist-command=<command>
+                       Add the command to the whitelist
+  --remove-lockdown-whitelist-command=<command>
+                       Remove the command from the whitelist
+  --query-lockdown-whitelist-command=<command>
+                       Query whether the command is on the whitelist
+  --list-lockdown-whitelist-contexts
+                       List all contexts that are on the whitelist
+  --add-lockdown-whitelist-context=<context>
+                       Add the context context to the whitelist
+  --remove-lockdown-whitelist-context=<context>
+                       Remove the context from the whitelist
+  --query-lockdown-whitelist-context=<context>
+                       Query whether the context is on the whitelist
+  --list-lockdown-whitelist-uids
+                       List all user ids that are on the whitelist
+  --add-lockdown-whitelist-uid=<uid>
+                       Add the user id uid to the whitelist
+  --remove-lockdown-whitelist-uid=<uid>
+                       Remove the user id uid from the whitelist
+  --query-lockdown-whitelist-uid=<uid>
+                       Query whether the user id uid is on the whitelist
+  --list-lockdown-whitelist-users
+                       List all user names that are on the whitelist
+  --add-lockdown-whitelist-user=<user>
+                       Add the user name user to the whitelist
+  --remove-lockdown-whitelist-user=<user>
+                       Remove the user name user from the whitelist
+  --query-lockdown-whitelist-user=<user>
+                       Query whether the user name user is on the whitelist
 
-def error(text):
-    print("%s %s" % (_("Error:"), text))
+""")
 
-def warning(text):
-    print("%s %s" % (_("Warning:"), text))
-
-def __fail(msg=None):
+def __print(msg=None):
     if msg:
-        error(msg)
-    sys.exit(2)
-
-# system-config-firewall: fw_parser
+        print(msg)
 
-def _check_port(option, opt, value):
-    failure = False
-    try:
-        (ports, protocol) = value.split(":")
-    except:
-        failure = True
+def __print_and_exit(msg=None, exit_code=0):
+    FAIL = '\033[91m'
+    OK =   '\033[92m'
+    END =  '\033[00m'
+    if exit_code != 0:
+        __print(msg)
+        #__print(FAIL + msg + END)
     else:
-        range = getPortRange(ports.strip())
-        if range < 0:
-            failure = True
-        elif range == None:
-            raise OptionError(_("port range %s is not unique.") % value, opt)
-        elif len(range) == 2 and range[0] >= range[1]:
-            raise OptionError(_("%s is not a valid range (start port >= end "
-                                "port).") % value, opt)
-    if not failure:
-        protocol = protocol.strip()
-        if protocol not in [ "tcp", "udp" ]:
-            raise OptionError(_("%s is not a valid protocol.") % protocol, opt)
-    if failure:
-        raise OptionError(_("invalid port definition %s.") % value, opt)
-    return (ports.strip(), protocol)
-
-def _check_forward_port(option, opt, value):
-    result = { }
-    error = None
-    splits = value.split(":", 1)
-    while len(splits) > 0:
-        key_val = splits[0].split("=")
-        if len(key_val) != 2:
-            error = _("Invalid argument %s") % splits[0]
-            break
-        (key, val) = key_val
-        if (key == "if" and checkInterface(val)) or \
-                (key == "proto" and val in [ "tcp", "udp" ]) or \
-                (key == "toaddr" and checkIP(val)):
-            result[key] = val
-        elif (key == "port" or key == "toport") and getPortRange(val) > 0:
-            result[key] = val
-        else:
-            error = _("Invalid argument %s") % splits[0]
-            break
-        if len(splits) > 1:
-            if splits[1].count("=") == 1:
-                # last element
-                splits = [ splits[1] ]
-            else:
-                splits = splits[1].split(":", 1)
-        else:
-            # finish
-            splits.pop()
-
-    if error:
-        dict = { "option": opt, "value": value, "error": error }
-        raise OptionError(_("option %(option)s: invalid forward_port "
-                                 "'%(value)s': %(error)s.") % dict, opt)
-
-    error = False
-    for key in [ "if", "port", "proto" ]:
-        if key not in result.keys():
-            error = True
-    if not "toport" in result.keys() and not "toaddr" in result.keys():
-        error = True
-    if error:
-        dict = { "option": opt, "value": value }
-        raise OptionError(_("option %(option)s: invalid forward_port "
-                                 "'%(value)s'.") % dict, opt)
-
-    return result
-
-def _check_interface(option, opt, value):
-    if not checkInterface(value):
-        raise OptionError(_("invalid interface '%s'.") % value, opt)
-    return value
+        __print(msg)
+        #__print(OK + msg + END)
+    sys.exit(exit_code)
 
-def _append_unique(option, opt, value, parser, *args, **kwargs):
-    vals = getattr(parser.values, option.dest)
-    if vals and value in vals:
-        return
-    parser.values.ensure_value(option.dest, []).append(value)
-
-class _Option(Option):
-    TYPES = Option.TYPES + ("port", "rulesfile", "service", "forward_port",
-                            "icmp_type", "interface")
-    TYPE_CHECKER = copy(Option.TYPE_CHECKER)
-    TYPE_CHECKER["port"] = _check_port
-    TYPE_CHECKER["forward_port"] = _check_forward_port
-    TYPE_CHECKER["interface"] = _check_interface
-
-def _addStandardOptions(parser):
-    parser.add_option("--enabled",
-                      action="store_true", dest="enabled", default=True,
-                      help=_("Enable firewall (default)"))
-    parser.add_option("--disabled",
-                      action="store_false", dest="enabled",
-                      help=_("Disable firewall"))
-#    parser.add_option("--update",
-#                      action="store_false", dest="update",
-#                      help=_("Ignored option, was used to update the firewall"))
-    parser.add_option("--addmodule",
-                      action="callback", dest="add_module", type="string",
-                      metavar=_("<module>"),  callback=_append_unique,
-                      help=_("Ignored option, was used to enable an iptables module"))
-    parser.add_option("--removemodule",
-                      action="callback", dest="remove_module", type="string",
-                      metavar=_("<module>"), callback=_append_unique,
-                      help=_("Ignored option, was used to disable an iptables module"))
-    parser.add_option("-s", "--service",
-                      action="callback", dest="services", type="service",
-                      default=[ ],
-                      metavar=_("<service>"), callback=_append_unique,
-                      help=_("Enable a service in the default zone (example: ssh)"))
-    parser.add_option("--remove-service",
-                      action="callback", dest="remove_services", type="service",
-                      default=[ ],
-                      metavar=_("<service>"), callback=_append_unique,
-                      help=_("Disable a service in the default zone (example: ssh)"))
-    parser.add_option("-p", "--port",
-                      action="callback", dest="ports", type="port",
-                      metavar=_("<port>[-<port>]:<protocol>"),
-                      callback=_append_unique,
-                      help=_("Enable a port in the default zone "
-                             "(example: ssh:tcp)"))
-    parser.add_option("-t", "--trust",
-                      action="callback", dest="trust", type="interface",
-                      metavar=_("<interface>"), callback=_append_unique,
-                      help=_("Bind an interface to the trusted zone"))
-    parser.add_option("-m", "--masq",
-                      action="callback", dest="masq", type="interface",
-                      metavar=_("<interface>"), callback=_append_unique,
-                      help=_("Enables masquerading in the default zone, interface argument is ignored. This is IPv4 only."))
-    parser.add_option("--custom-rules",
-                      action="callback", dest="custom_rules", type="rulesfile",
-                      metavar=_("[<type>:][<table>:]<filename>"),
-                      callback=_append_unique,
-                      help=_("Ignored option. Was used to add custom rules to the firewall (Example: ipv4:filter:/etc/sysconfig/ipv4_filter_addon)"))
-    parser.add_option("--forward-port",
-                      action="callback", dest="forward_port",
-                      type="forward_port",
-                      metavar=_("if=<interface>:port=<port>:proto=<protocol>"
-                                "[:toport=<destination port>]"
-                                "[:toaddr=<destination address>]"),
-                      callback=_append_unique,
-                      help=_("Forward the port with protocol for the interface to either another local destination port (no destination address given) or to an other destination address with an optional destination port. This will be added to the default zone. This is IPv4 only."))
-    parser.add_option("--block-icmp",
-                      action="callback", dest="block_icmp", type="icmp_type",
-                      default=[ ],
-                      callback=_append_unique,
-                      metavar=_("<icmp type>"),
-                      help=_("Block this ICMP type in the default zone. The default is to accept all ICMP types."))
+def __fail(msg=None):
+    __print_and_exit(msg, 2)
 
-def _parse_args(parser, args, options=None):
+def __parse_port(value):
     try:
-        (_options, _args) = parser.parse_args(args, options)
-    except Exception as error:
-        parser.error(error)
-        return None
+        (port, proto) = value.split("/")
+    except Exception as e:
+        __fail("bad port (most likely missing protocol), correct syntax is portid[-portid]/protocol")
+    return (port, proto)
 
-    if len(_args) != 0:
-        for arg in _args:
-            parser.error(_("no such option: %s") % arg)
-    if parser._fw_exit:
-        sys.exit(2)
-    if not hasattr(_options, "filename"):
-        _options.filename = None
-    if not hasattr(_options, "converted"):
-        _options.converted = False
-    return _options
-
-class _OptionParser(OptionParser):
-    # overload print_help: rhpl._ returns UTF-8
-    def print_help(self, file=None):
-        if file is None:
-            file = sys.stdout
-
-        file.write(_("This tool tries to convert system-config-firewall/lokkit options as much as possible to firewalld, but there are limitations for example with custom rules, modules and masquerading.") + "\n\n")
-        str = self.format_help()
-        if isinstance(str, unicode):
-            encoding = self._get_encoding(file)
-            str = str.encode(encoding, "replace")
-        file.write(str)
-        file.write("\n" + _("If no options are given, the configuration from '%s' be migrated.") % (CONFIG) + "\n")
-        self.exit()
-    def print_usage(self, file=None):
-        pass
-    def exit(self, status=0, msg=None):
-        if msg:
-            print(msg, file=sys.stderr)
-        sys.exit(status)
-    def error(self, msg):
-        if self._fw_source:
-            text = "%s: %s" % (self._fw_source, msg)
-        else:
-            text = str(msg)
-        self.exit(2, msg=text)
-    def _match_long_opt(self, opt):
-        if opt in self._long_opt:
-            return opt
-        raise BadOptionError(opt)
-    def _process_long_opt(self, rargs, values):
-        # allow to ignore errors in the ui
-        try:
-            self.__process_long_opt(rargs, values)
-        except Exception as msg:
-            self.error(msg)
-    def _process_short_opts(self, rargs, values):
-        # allow to ignore errors in the ui
+def __parse_port_lokkit(value):
+    try:
+        (port, proto) = value.split(":")
+    except Exception as e:
+        __fail("bad port (most likely missing protocol), correct syntax is portid[-portid]:protocol")
+    return (port, proto)
+
+def __parse_forward_port(value):
+    port = None
+    protocol = None
+    toport = None
+    toaddr = None
+    args = value.split(":")
+    for arg in args:
         try:
-            OptionParser._process_short_opts(self, rargs, values)
-        except Exception as msg:
-            self.error(msg)
-    def __process_long_opt(self, rargs, values):
-        arg = rargs.pop(0)
-
-        # Value explicitly attached to arg?  Pretend it's the next
-        # argument.
-        if "=" in arg:
-            (opt, next_arg) = arg.split("=", 1)
-            had_explicit_value = True
-        else:
-            opt = arg
-            had_explicit_value = False
-
-        opt = self._match_long_opt(opt)
-        option = self._long_opt[opt]
-        if option.takes_value():
-            nargs = option.nargs
-            if len(rargs)+int(had_explicit_value) < nargs:
-                if nargs == 1:
-                    self.error(_("%s option requires an argument") % opt)
-                else:
-                    dict = { "option": opt, "count": nargs }
-                    self.error(_("%(option)s option requires %(count)s "
-                                 "arguments") % dict)
-            elif nargs == 1 and had_explicit_value:
-                value = next_arg
-            elif nargs == 1:
-                value = rargs.pop(0)
-            elif had_explicit_value:
-                value = tuple([ next_arg ] + rargs[0:nargs-1])
-                del rargs[0:nargs-1]
-            else:
-                value = tuple(rargs[0:nargs])
-                del rargs[0:nargs]
-
-        elif had_explicit_value:
-            self.error(_("%s option does not take a value") % opt)
-
-        else:
-            value = None
+            (opt,val) = arg.split("=")
+            if opt == "port":
+                port = val
+            elif opt == "proto":
+                protocol = val
+            elif opt == "toport":
+                toport = val
+            elif opt == "toaddr":
+                toaddr = val
+        except:
+            __fail("invalid forward port arg '%s'" % (arg))
+    if not port:
+        __fail("missing port")
+    if not protocol:
+        __fail("missing protocol")
+    if not (toport or toaddr):
+        __fail("missing destination")
+    return (port, protocol, toport, toaddr)
+
+def _check_ipv(value):
+    if value != "ipv4" and value != "ipv6" and value != "eb":
+        __fail("invalid argument: %s (choose from 'ipv4', 'ipv6', 'eb')" % value)
+    return value
 
-        option.process(opt, value, values, self)
-
-def _gen_parser(source=None):
-    parser = _OptionParser(option_class=_Option)
-    parser._fw_source = source
-    parser._fw_exit = False
-    return parser
-
-def parseSysconfigArgs(args, options=None, source=None):
-    parser = _gen_parser(source)
-    _addStandardOptions(parser)
-    return _parse_args(parser, args, options)
+def __print_all(zone, interfaces, sources, services, ports, masquerade, forward_ports, icmp_blocks, rules):
+    attributes = []
+    if zone == fw.get_default_zone():
+        attributes.append("default")
+    if attributes:
+        zone = zone + " (%s)" % ", ".join(attributes)
+    __print(zone)
+    __print("  interfaces: " + " ".join(interfaces))
+    __print("  sources: " + " ".join(sources))
+    __print("  services: " + " ".join(services))
+    __print("  ports: " + " ".join(["%s/%s" % (port[0], port[1]) for port in ports]))
+    __print("  masquerade: %s" % ("yes" if masquerade else "no"))
+    __print("  forward-ports: " + "\n\t".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in forward_ports]))
+    __print("  icmp-blocks: " + " ".join(icmp_blocks))
+    __print("  rich rules: \n\t" + "\n\t".join(rules))
+
+def __list_all_permanent(fw_settings, zone):
+    interfaces = fw_settings.getInterfaces()
+    sources = fw_settings.getSources()
+    services = fw_settings.getServices()
+    ports = fw_settings.getPorts()
+    masquerade = fw_settings.getMasquerade()
+    forward_ports = fw_settings.getForwardPorts()
+    icmp_blocks = fw_settings.getIcmpBlocks()
+    rules = fw_settings.getRichRules()
+    __print_all(zone, interfaces, sources, services, ports, masquerade, forward_ports, icmp_blocks, rules)
+
+def __print_query_result(value):
+    if value:
+        __print_and_exit("yes")
+    else:
+        __print_and_exit("no", 1)
 
 # system-config-firewall: fw_sysconfig
 CONFIG = '/etc/sysconfig/system-config-firewall'
-
 def read_sysconfig_args():
     filename = None
     if os.path.exists(CONFIG) and os.path.isfile(CONFIG):
@@ -338,163 +378,738 @@ def read_sysconfig_args():
             continue
         argv.append(line)
     f.close()
-    return (argv, filename)
+    return argv
 
-def parse_sysconfig_args(args, merge_config=None, filename=None):
-    config = parseSysconfigArgs(args, options=merge_config, source=filename)
-    if not config:
-        return None
-    config.filename = filename
-    return config
+##############################################################################
 
-def read_sysconfig_config(merge_config=None):
-    args = read_sysconfig_args() # returns: (args, filename) or None
-    if not args:
-        return merge_config
-    return parse_sysconfig_args(args[0], merge_config, args[1])
+parser = argparse.ArgumentParser(usage="see firewall-offline-cmd man page",
+                                 add_help=False)
 
-if len(sys.argv) > 1:
-    # Parse the cmdline args and setup the initial firewall state
-    conf = parse_sysconfig_args(None)
-    if not conf:
-        error(_("Problem parsing arguments."))
-        sys.exit(1)
-else:
-    # open system-config-firewall config
-    conf = read_sysconfig_config()
-    if not conf:
-        error(_("Opening of '%s' failed, exiting." % CONFIG))
-        sys.exit(1)
+parser_group_lokkit = parser.add_argument_group()
+parser_group_lokkit.add_argument("--enabled", action="store_true")
+parser_group_lokkit.add_argument("--disabled", action="store_true")
+parser_group_lokkit.add_argument("--addmodule", metavar="<module>", action='append')
+parser_group_lokkit.add_argument("--removemodule", metavar="<module>", action='append')
+parser_group_lokkit.add_argument("--service", "-s", metavar="<service>", action='append')
+parser_group_lokkit.add_argument("--remove-service", metavar="<service>", action='append')
+parser_group_lokkit.add_argument("--port", "-p", metavar="<port>", action='append')
+parser_group_lokkit.add_argument("--trust", "-t", metavar="<iface>", action='append')
+parser_group_lokkit.add_argument("--masq", "-m", metavar="<iface>", action='append')
+parser_group_lokkit.add_argument("--custom-rules", metavar="<filename>", action='append')
+parser_group_lokkit.add_argument("--forward-port", metavar="<port>", action='append')
+parser_group_lokkit.add_argument("--block-icmp", metavar="<icmptype>", action='append')
+
+parser_group_standalone = parser.add_mutually_exclusive_group()
+parser_group_standalone.add_argument("-h", "--help",
+                                     action="store_true")
+parser_group_standalone.add_argument("-V", "--version", action="store_true")
+parser_group_standalone.add_argument("--lockdown-on", action="store_true")
+parser_group_standalone.add_argument("--lockdown-off", action="store_true")
+parser_group_standalone.add_argument("--query-lockdown", action="store_true")
+
+parser_group_standalone.add_argument("--get-default-zone", action="store_true")
+parser_group_standalone.add_argument("--set-default-zone", metavar="<zone>")
+parser_group_standalone.add_argument("--get-zones", action="store_true")
+parser_group_standalone.add_argument("--get-services", action="store_true")
+parser_group_standalone.add_argument("--get-icmptypes", action="store_true")
+parser_group_standalone.add_argument("--get-zone-of-interface", metavar="<iface>")
+parser_group_standalone.add_argument("--get-zone-of-source", metavar="<source>")
+parser_group_standalone.add_argument("--list-all-zones", action="store_true")
+
+parser_group_config = parser.add_mutually_exclusive_group()
+parser_group_config.add_argument("--new-icmptype", metavar="<icmptype>")
+parser_group_config.add_argument("--delete-icmptype", metavar="<icmptype>")
+parser_group_config.add_argument("--new-service", metavar="<service>")
+parser_group_config.add_argument("--delete-service", metavar="<service>")
+parser_group_config.add_argument("--new-zone", metavar="<zone>")
+parser_group_config.add_argument("--delete-zone", metavar="<zone>")
+
+parser_group_lockdown_whitelist = parser.add_mutually_exclusive_group()
+parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-commands", action="store_true")
+parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-command", metavar="<command>")
+parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-command", metavar="<command>")
+parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-command", metavar="<command>")
+
+parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-contexts", action="store_true")
+parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-context", metavar="<context>")
+parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-context", metavar="<context>")
+parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-context", metavar="<context>")
+
+parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-uids", action="store_true")
+parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-uid", metavar="<uid>", type=int)
+parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-uid", metavar="<uid>", type=int)
+parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-uid", metavar="<uid>", type=int)
+
+parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-users", action="store_true")
+parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-user", metavar="<user>")
+parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-user", metavar="<user>")
+parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-user", metavar="<user>")
+
+parser.add_argument("--zone", default="", metavar="<zone>")
+
+parser_group_zone = parser.add_mutually_exclusive_group()
+parser_group_zone.add_argument("--add-interface", metavar="<iface>")
+parser_group_zone.add_argument("--remove-interface", metavar="<iface>")
+parser_group_zone.add_argument("--query-interface", metavar="<iface>")
+parser_group_zone.add_argument("--change-interface", "--change-zone", metavar="<iface>")
+parser_group_zone.add_argument("--list-interfaces", action="store_true")
+parser_group_zone.add_argument("--add-source", metavar="<source>")
+parser_group_zone.add_argument("--remove-source", metavar="<source>")
+parser_group_zone.add_argument("--query-source", metavar="<source>")
+parser_group_zone.add_argument("--change-source", metavar="<source>")
+parser_group_zone.add_argument("--list-sources", action="store_true")
+parser_group_zone.add_argument("--add-rich-rule", metavar="<rule>", action='append')
+parser_group_zone.add_argument("--remove-rich-rule", metavar="<rule>", action='append')
+parser_group_zone.add_argument("--query-rich-rule", metavar="<rule>")
+parser_group_zone.add_argument("--add-service", metavar="<service>", action='append')
+parser_group_zone.add_argument("--remove-service-from-zone", metavar="<zone>", action='append')
+parser_group_zone.add_argument("--query-service", metavar="<zone>")
+parser_group_zone.add_argument("--add-port", metavar="<port>", action='append')
+parser_group_zone.add_argument("--remove-port", metavar="<port>", action='append')
+parser_group_zone.add_argument("--query-port", metavar="<port>")
+parser_group_zone.add_argument("--add-masquerade", action="store_true")
+parser_group_zone.add_argument("--remove-masquerade", action="store_true")
+parser_group_zone.add_argument("--query-masquerade", action="store_true")
+parser_group_zone.add_argument("--add-icmp-block", metavar="<icmptype>", action='append')
+parser_group_zone.add_argument("--remove-icmp-block", metavar="<icmptype>", action='append')
+parser_group_zone.add_argument("--query-icmp-block", metavar="<icmptype>")
+parser_group_zone.add_argument("--add-forward-port", metavar="<port>", action='append')
+parser_group_zone.add_argument("--remove-forward-port", metavar="<port>", action='append')
+parser_group_zone.add_argument("--query-forward-port", metavar="<port>")
+parser_group_zone.add_argument("--list-rich-rules", action="store_true")
+parser_group_zone.add_argument("--list-services", action="store_true")
+parser_group_zone.add_argument("--list-ports", action="store_true")
+parser_group_zone.add_argument("--list-icmp-blocks", action="store_true")
+parser_group_zone.add_argument("--list-forward-ports", action="store_true")
+parser_group_zone.add_argument("--list-all", action="store_true")
+parser_group_zone.add_argument("--get-target", action="store_true")
+parser_group_zone.add_argument("--set-target", metavar="<target>")
+
+parser.add_argument("--direct", action="store_true")
+
+parser_direct = parser.add_mutually_exclusive_group()
+parser_direct.add_argument("--add-passthrough", nargs=argparse.REMAINDER,
+                    metavar=("{ ipv4 | ipv6 | eb }", "<args>"))
+parser_direct.add_argument("--remove-passthrough", nargs=argparse.REMAINDER,
+                    metavar=("{ ipv4 | ipv6 | eb }", "<args>"))
+parser_direct.add_argument("--query-passthrough", nargs=argparse.REMAINDER,
+                    metavar=("{ ipv4 | ipv6 | eb }", "<args>"))
+parser_direct.add_argument("--get-passthroughs", nargs=1,
+                    metavar=("{ ipv4 | ipv6 | eb }", "<args>"))
+parser_direct.add_argument("--get-all-passthroughs", action="store_true")
+parser_direct.add_argument("--add-chain", nargs=3,
+                    metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>"))
+parser_direct.add_argument("--remove-chain", nargs=3,
+                        metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>"))
+parser_direct.add_argument("--query-chain", nargs=3,
+                        metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>"))
+parser_direct.add_argument("--get-all-chains", action="store_true")
+parser_direct.add_argument("--get-chains", nargs=2,
+                        metavar=("{ ipv4 | ipv6 | eb }", "<table>"))
+parser_direct.add_argument("--add-rule", nargs=argparse.REMAINDER,
+                        metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>"))
+parser_direct.add_argument("--remove-rule", nargs=argparse.REMAINDER,
+                        metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>"))
+parser_direct.add_argument("--remove-rules", nargs=3,
+                        metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <args>"))
+parser_direct.add_argument("--query-rule", nargs=argparse.REMAINDER,
+                        metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>"))
+parser_direct.add_argument("--get-rules", nargs=3,
+                        metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>"))
+parser_direct.add_argument("--get-all-rules", action="store_true")
 
+##############################################################################
 
-if conf.enabled == False:
-    os.system("systemctl disable firewalld.service")
+if len(sys.argv) > 1:
+    a = parser.parse_args()
 else:
-    os.system("systemctl enable firewalld.service")
-
-
-# open firewalld config file to get default zone
+    # migrate configuration from /etc/sysconfig/system-config-firewall
+    args = read_sysconfig_args()
+    if args:
+        a = parser.parse_args(args)
+    else:
+        __fail("Opening of '%s' failed, exiting." % CONFIG)
 
-default_zone = "public" # default zone in case of missing config file
-trusted_zone = "trusted"
+options_lokkit = a.enabled or a.disabled or a.addmodule or a.removemodule or \
+                 a.trust or a.masq or a.custom_rules or \
+                 a.service or a.remove_service or a.port or \
+                 a.trust or a.masq or a.forward_port or a.block_icmp
+
+options_standalone = a.help or a.version or \
+    a.lockdown_on or a.lockdown_off or a.query_lockdown or \
+    a.get_default_zone or a.set_default_zone
+
+options_lockdown_whitelist = \
+    a.list_lockdown_whitelist_commands or a.add_lockdown_whitelist_command or \
+    a.remove_lockdown_whitelist_command or \
+    a.query_lockdown_whitelist_command or \
+    a.list_lockdown_whitelist_contexts or a.add_lockdown_whitelist_context or \
+    a.remove_lockdown_whitelist_context or \
+    a.query_lockdown_whitelist_context or \
+    a.list_lockdown_whitelist_uids or a.add_lockdown_whitelist_uid != None or \
+    a.remove_lockdown_whitelist_uid != None or \
+    a.query_lockdown_whitelist_uid != None or \
+    a.list_lockdown_whitelist_users or a.add_lockdown_whitelist_user or \
+    a.remove_lockdown_whitelist_user or \
+    a.query_lockdown_whitelist_user
+
+options_config = a.get_zones or a.get_services or a.get_icmptypes or \
+                 options_lockdown_whitelist or a.list_all_zones or \
+                 a.get_zone_of_interface or a.get_zone_of_source
+
+options_zone_action_action = \
+    a.add_service or a.remove_service_from_zone or a.query_service or \
+    a.add_port or a.remove_port or a.query_port or \
+    a.add_icmp_block or a.remove_icmp_block or a.query_icmp_block or \
+    a.add_forward_port or a.remove_forward_port or a.query_forward_port
+
+options_zone_interfaces_sources = \
+    a.list_interfaces or a.change_interface or \
+    a.add_interface or a.remove_interface or a.query_interface or \
+    a.list_sources or a.change_source or \
+    a.add_source or a.remove_source or a.query_source
+
+options_zone_adapt_query = \
+    a.add_rich_rule or a.remove_rich_rule or a.query_rich_rule or \
+    a.add_masquerade or a.remove_masquerade or a.query_masquerade or \
+    a.list_services or a.list_ports or a.list_icmp_blocks or \
+    a.list_forward_ports or a.list_rich_rules or a.list_all or \
+    a.get_target or a.set_target
+
+options_zone_ops = options_zone_interfaces_sources or \
+               options_zone_action_action or options_zone_adapt_query
+
+options_zone = a.zone or options_zone_ops
+
+options_permanent = options_config or options_zone or \
+                    a.new_icmptype or a.delete_icmptype or \
+                    a.new_service or a.delete_service or \
+                    a.new_zone or a.delete_zone
+
+options_direct = \
+           a.add_chain or a.remove_chain or a.query_chain or \
+           a.get_chains or a.get_all_chains or \
+           a.add_rule or a.remove_rule or a.remove_rules or a.query_rule or \
+           a.get_rules or a.get_all_rules or \
+           a.add_passthrough or a.remove_passthrough or a.query_passthrough or \
+           a.get_passthroughs or a.get_all_passthroughs
+
+# these are supposed to only write out some output
+options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \
+ a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \
+ a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \
+ a.list_services or a.list_ports or a.list_icmp_blocks or a.list_forward_ports \
+ or a.list_rich_rules or a.list_interfaces or a.list_sources or \
+ a.get_default_zone or a.get_zone_of_interface or \
+ a.get_zone_of_source or a.get_zones or a.get_services or a.get_icmptypes or \
+ a.get_target or a.set_target
+
+###############################################################################
+
+# Check various impossible combinations of options
+
+if not (options_lokkit or options_standalone or \
+        options_permanent or options_direct):
+    __fail(parser.format_usage() + "No option specified.")
+
+if options_lokkit and (options_standalone or \
+                       options_permanent or options_direct):
+    __fail(parser.format_usage() +
+           "Can't use lokkit options with other options.")
+
+if options_standalone and (options_permanent or \
+                           options_direct):
+    __fail(parser.format_usage() +
+           "Can't use stand-alone options with other options.")
+
+if options_direct and options_zone:
+    __fail(parser.format_usage() +
+           "Can't use 'direct' options with other options.")
+
+if (a.direct and not options_direct) or (options_direct and not a.direct):
+    __fail(parser.format_usage() +
+           "Wrong usage of 'direct' options.")
+
+if options_config and options_zone:
+    __fail(parser.format_usage() +
+           "Wrong usage of --get-zones | --get-services | --get-icmptypes.")
+
+if a.help:
+    __usage()
+    sys.exit(0)
+
+zone = a.zone
+fw = Firewall_test()
+fw.start()
 
-_firewalld_conf = firewalld_conf(FIREWALLD_CONF)
 try:
-    _firewalld_conf.read()
-except Exception as msg:
-    # ignore read error, use default zone
-    pass
-else:
-    default_zone = _firewalld_conf.get("DefaultZone")
+    if a.version:
+        __print_and_exit(VERSION)
 
-obj = None
-for path in [ ETC_FIREWALLD_ZONES, FIREWALLD_ZONES ]:
-    filename = "%s.xml" % default_zone
-    if os.path.exists("%s/%s" %(path, filename)):
-        print(_("Opening default zone '%s'" % default_zone))
-        obj = zone_reader(filename, path)
-        break
-
-if not obj:
-    error(_("Unable to open default zone '%s', exiting.") % default_zone)
-    # create new zone?
-    sys.exit(1)
-
-trusted_obj = None
-if default_zone != trusted_zone:
-    for path in [ ETC_FIREWALLD_ZONES, FIREWALLD_ZONES ]:
-        filename = "%s.xml" % trusted_zone
-        if os.path.exists("%s/%s" %(path, filename)):
-            trusted_obj = zone_reader(filename, path)
-            break
-    if conf.trust and not trusted_obj:
-        error(_("Unable to open zone '%s', exiting.") % trusted_zone)
-        sys.exit(1)
-else:
-    trusted_obj = obj
+    # Lokkit Compatibility Options
+    if options_lokkit:
+        trusted_zone = "trusted"
+        default_zone = fw.get_default_zone()
+        fw_zone = fw.config.get_zone(default_zone)
+        fw_settings = FirewallClientZoneSettings(
+            list(fw.config.get_zone_config(fw_zone)))
+
+        if a.enabled:
+            # Enable firewall (default)
+            os.system("systemctl enable firewalld.service")
+        if a.disabled:
+            # Disable firewall
+            os.system("systemctl disable firewalld.service")
+        if a.addmodule:
+            for m in a.addmodule:
+                __print("Ignoring addmodule '%s'" % m)
+        if a.removemodule:
+            for m in a.removemodule:
+                __print("Ignoring removemodule '%s'" % m)
+        if a.custom_rules:
+            for c in a.custom_rules:
+                __print("Ignoring custom-rule '%s'" % c)
+        if a.service:
+            for s in a.service:
+                __print("Adding service '%s' to default zone." % s)
+                fw_settings.addService(s)
+        if a.remove_service:
+            for s in a.remove_service:
+                __print("Removing service '%s' from default zone." % s)
+                fw_settings.removeService(s)
+        if a.port:
+            for port_proto in a.port:
+                (port, proto) = __parse_port_lokkit(port_proto)
+                __print("Adding port '%s/%s' to default zone." % (port, proto))
+                fw_settings.addPort(port, proto)
+        if a.trust:
+            if default_zone != trusted_zone:
+                fw_trusted = fw.config.get_zone("trusted")
+                fw_trusted_settings = FirewallClientZoneSettings(
+                                 list(fw.config.get_zone_config(fw_trusted)))
+                # Bind an interface to the trusted zone
+                for i in a.trust:
+                    __print("Interface '%s' will be bound to zone '%s'." % \
+                            (i, trusted_zone))
+                    fw_trusted_settings.addInterface(i)
+                fw.config.set_zone_config(fw_trusted, fw_trusted_settings.settings)
+            else:
+                for i in a.trust:
+                    __print("Interface '%s' will be bound to zone '%s'." % \
+                            (i, trusted_zone))
+                    fw_settings.addInterface(i)
+        if a.masq:
+            # Enables masquerading in the default zone, interface argument is ignored
+            __print("Enabling masquerade for the default zone.")
+            fw_settings.setMasquerade(True)
+        if a.forward_port:
+            for fp in a.forward_port:
+                (port, protocol, toport, toaddr) = __parse_forward_port(fp)
+                __print("Adding forward port %s:%s:%s:%s to default zone." % \
+                      (port, protocol, toport, toaddr))
+                fw_settings.addForwardPort(port, protocol, toport, toaddr)
+        if a.block_icmp:
+            for ib in a.block_icmp:
+                __print("Adding icmpblock '%s' to default zone." % ib)
+                fw_settings.addIcmpBlock(ib)
+
+        fw.config.set_zone_config(fw_zone, fw_settings.settings)
+
+    # options from firewall-cmd
+    elif a.get_default_zone:
+        __print_and_exit(fw.get_default_zone())
+    elif a.set_default_zone:
+        fw.set_default_zone(a.set_default_zone)
+
+    # lockdown
+    elif a.lockdown_on:
+        fw.enable_lockdown()
+    elif a.lockdown_off:
+        fw.disable_lockdown()
+    elif a.query_lockdown:
+        __print_query_result(fw.policies.query_lockdown())
+
+    # zones
+    elif a.get_zones:
+        zones = fw.config.get_zones()
+        __print_and_exit(" ".join(zones))
+    elif a.get_services:
+        services = fw.config.get_services()
+        __print_and_exit(" ".join(services))
+    elif a.get_icmptypes:
+        icmptypes = fw.config.get_icmptypes()
+        __print_and_exit(" ".join(icmptypes))
+
+    elif a.new_zone:
+        fw.config.new_zone(a.new_zone, FirewallClientZoneSettings().settings)
+
+    elif a.delete_zone:
+        obj = fw.config.get_zone(a.delete_zone)
+        fw.config.remove_zone(obj)
+
+    elif a.new_service:
+        fw.config.new_service(a.new_service,
+                              FirewallClientServiceSettings().settings)
+
+    elif a.delete_service:
+        obj = fw.config.get_service(a.delete_service)
+        fw.config.remove_service(obj)
+
+    elif a.new_icmptype:
+        fw.config.new_icmptype(a.new_icmptype,
+                               FirewallClientIcmpTypeSettings().settings)
+
+    elif a.delete_icmptype:
+        obj = fw.config.get_icmptype(a.delete_icmptype)
+        fw.config.remove_icmptype(obj)
+
+    # lockdown whitelist
+
+    elif options_lockdown_whitelist:
+        whitelist = fw.config.get_policies().lockdown_whitelist
+
+        # commands
+        if a.list_lockdown_whitelist_commands:
+            l = whitelist.get_commands()
+            __print_and_exit("\n".join(l))
+        elif a.add_lockdown_whitelist_command:
+            whitelist.add_command(a.add_lockdown_whitelist_command)
+        elif a.remove_lockdown_whitelist_command:
+            whitelist.remove_command(a.remove_lockdown_whitelist_command)
+        elif a.query_lockdown_whitelist_command:
+            __print_query_result(a.query_lockdown_whitelist_command in 
+                                 whitelist.get_commands())
+
+        # contexts
+        elif a.list_lockdown_whitelist_contexts:
+            l = whitelist.get_contexts()
+            __print_and_exit("\n".join(l))
+        elif a.add_lockdown_whitelist_context:
+            whitelist.add_context(a.add_lockdown_whitelist_context)
+        elif a.remove_lockdown_whitelist_context:
+            whitelist.remove_context(a.remove_lockdown_whitelist_context)
+        elif a.query_lockdown_whitelist_context:
+            __print_query_result(a.query_lockdown_whitelist_context in 
+                                 whitelist.get_contexts())
+
+        # uids
+        elif a.list_lockdown_whitelist_uids:
+            l = whitelist.get_uids()
+            __print_and_exit(" ".join(map(str, l)))
+        elif a.add_lockdown_whitelist_uid != None:
+            whitelist.add_uid(a.add_lockdown_whitelist_uid)
+        elif a.remove_lockdown_whitelist_uid != None:
+            whitelist.remove_uid(a.remove_lockdown_whitelist_uid)
+        elif a.query_lockdown_whitelist_uid != None:
+            __print_query_result(a.query_lockdown_whitelist_uid in
+                                 whitelist.get_uids())
+
+        # users
+        elif a.list_lockdown_whitelist_users:
+            l = whitelist.get_users()
+            __print_and_exit("\n".join(l))
+        elif a.add_lockdown_whitelist_user:
+            whitelist.add_user(a.add_lockdown_whitelist_user)
+        elif a.remove_lockdown_whitelist_user:
+            whitelist.remove_user(a.remove_lockdown_whitelist_user)
+        elif a.query_lockdown_whitelist_user:
+            __print_query_result(a.query_lockdown_whitelist_user in
+                                 whitelist.get_users())
+
+        # apply whitelist changes
+        whitelist.write()
+
+    elif options_direct:
+        settings = fw.config.get_direct()
+
+        if a.add_passthrough:
+            if len (a.add_passthrough) < 2:
+                __fail("usage: --direct --add-passthrough { ipv4 | ipv6 | eb } <args>")
+            __print(settings.add_passthrough(_check_ipv(a.add_passthrough[0]),
+                                             a.add_passthrough[1:]))
+
+        elif a.remove_passthrough:
+            if len (a.remove_passthrough) < 2:
+                __fail("usage: --direct --remove-passthrough { ipv4 | ipv6 | eb } <args>")
+            settings.remove_passthrough(_check_ipv(a.remove_passthrough[0]),
+                                        a.remove_passthrough[1:])
+        elif a.query_passthrough:
+            if len (a.query_passthrough) < 2:
+                __fail("usage: --direct --query-passthrough { ipv4 | ipv6 | eb } <args>")
+            __print_query_result(
+                settings.query_passthrough(_check_ipv(a.query_passthrough[0]),
+                                           a.query_passthrough[1:]))
+            sys.exit(0)
+        elif a.get_passthroughs:
+            rules = settings.get_passthroughs(_check_ipv(a.get_passthroughs[0]))
+            for rule in rules:
+                __print(joinArgs(rule))
+            sys.exit(0)
+        elif a.get_all_passthroughs:
+            pt = settings.get_all_passthroughs()
+            for ipv in pt:
+                for rule in pt[ipv]:
+                    __print("%s %s" % (ipv, joinArgs(rule)))
+            sys.exit(0)
+
+        elif a.add_chain:
+            settings.add_chain(_check_ipv(a.add_chain[0]),
+                               a.add_chain[1], a.add_chain[2])
+        elif a.remove_chain:
+            settings.remove_chain(_check_ipv(a.remove_chain[0]),
+                                  a.remove_chain[1], a.remove_chain[2])
+        elif a.query_chain:
+            __print_query_result(
+                settings.query_chain(_check_ipv(a.query_chain[0]),
+                                     a.query_chain[1], a.query_chain[2]))
+            sys.exit(0)
+        elif a.get_chains:
+            __print_and_exit(
+                    " ".join(settings.get_chains(_check_ipv(a.get_chains[0]),
+                                                 a.get_chains[1])))
+            sys.exit(0)
+        elif a.get_all_chains:
+            chains = settings.get_all_chains()
+            for (ipv, table) in chains:
+                for chain in chains[(ipv,table)]:
+                    __print("%s %s %s" % (ipv, table, chain))
+            sys.exit(0)
+
+        elif a.add_rule:
+            if len (a.add_rule) < 5:
+                __fail("usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
+            try:
+                priority = int(a.add_rule[3])
+            except ValueError:
+                __fail("wrong priority\nusage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
+            settings.add_rule(_check_ipv(a.add_rule[0]), a.add_rule[1],
+                              a.add_rule[2], priority, a.add_rule[4:])
+        elif a.remove_rule:
+            if len (a.remove_rule) < 5:
+                __fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
+            try:
+                priority = int(a.remove_rule[3])
+            except ValueError:
+                __fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
+            settings.remove_rule(_check_ipv(a.remove_rule[0]), a.remove_rule[1],
+                                a.remove_rule[2], priority, a.remove_rule[4:])
+        elif a.remove_rules:
+            if len (a.remove_rules) < 3:
+                __fail("usage: --direct --remove-rules { ipv4 | ipv6 | eb } <table> <chain>")
+            settings.remove_rules(_check_ipv(a.remove_rules[0]),
+                                  a.remove_rules[1], a.remove_rules[2])
+        elif a.query_rule:
+            if len (a.query_rule) < 5:
+                __fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
+            try:
+                priority = int(a.query_rule[3])
+            except ValueError:
+                __fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
+            __print_query_result(
+                    settings.query_rule(_check_ipv(a.query_rule[0]),
+                                        a.query_rule[1], a.query_rule[2],
+                                        priority, a.query_rule[4:]))
+            sys.exit(0)
+        elif a.get_rules:
+            rules = settings.get_rules(_check_ipv(a.get_rules[0]),
+                                       a.get_rules[1], a.get_rules[2])
+            for (priority, rule) in rules:
+                __print("%d %s" % (priority, joinArgs(rule)))
+            sys.exit(0)
+        elif a.get_all_rules:
+            rules = settings.get_all_rules()
+            for (ipv, table, chain) in rules:
+                for (priority, rule) in rules[(ipv, table, chain)]:
+                    __print("%s %s %s %d %s" % (ipv, table, chain, priority,
+                                                joinArgs(rule)))
+            sys.exit(0)
 
-changed = False
-changed_trusted = False
+        settings.write()
 
-# fields that can not get converted into a zone, need NM work
+    else:
+        if zone == "":
+            zone = fw.get_default_zone()
+        fw_zone = fw.config.get_zone(zone)
+        fw_settings = FirewallClientZoneSettings(
+            list(fw.config.get_zone_config(fw_zone))) # convert to list, for setMasquerade
+
+        # interface
+        if a.list_interfaces:
+            l = fw_settings.getInterfaces()
+            __print_and_exit(" ".join(l))
+        elif a.get_zone_of_interface:
+            ret = []
+            for zone in fw.config.get_zones():
+                obj = fw.config.get_zone(zone)
+                if a.get_zone_of_interface in obj.interfaces:
+                    ret.append(obj.name)
+            if len(ret) > 1:
+                # Even it shouldn't happen, it's actually possible that
+                # the same interface is in several zone XML files
+                __print_and_exit(" ".join(ret) + "  (ERROR: interface '%s' is in %s zone XML files, can be only in one)" % (a.get_zone_of_interface, len(ret)))
+            if len(ret) == 1:
+                __print_and_exit(ret[0])
+            else:
+                __print_and_exit("no zone", 2)
+        elif a.change_interface:
+            ret = []
+            for old_zone in fw.config.get_zones():
+                old_zone_obj = fw.config.get_zone(old_zone)
+                if a.change_interface in old_zone_obj.interfaces:
+                    if old_zone_obj.name != zone:
+                        old_zone_settings = FirewallClientZoneSettings(
+                            fw.config.get_zone_config(old_zone_obj))
+
+                        old_zone_settings.removeInterface(a.change_interface) # remove from old
+                        fw.config.set_zone_config(old_zone_obj, old_zone_settings.settings)
+            fw_settings.addInterface(a.change_interface)              # add to new
+        elif a.add_interface:
+            fw_settings.addInterface(a.add_interface)
+        elif a.remove_interface:
+            fw_settings.removeInterface(a.remove_interface)
+        elif a.query_interface:
+            __print_query_result(fw_settings.queryInterface(a.query_interface))
+
+        # source
+        if a.list_sources:
+            sources = fw_settings.getSources()
+            __print_and_exit(" ".join(sources))
+        elif a.get_zone_of_source:
+            ret = []
+            for zone in fw.config.get_zones():
+                obj = fw.config.get_zone(zone)
+                if a.get_zone_of_source in obj.sources:
+                    ret.append(obj.name)
+            if len(ret) > 1:
+                # Even it shouldn't happen, it's actually possible that
+                # the same source is in several zone XML files
+                __print_and_exit(" ".join(ret) + "  (ERROR: source '%s' is in %s zone XML files, can be only in one)" % (a.get_zone_of_source, len(ret)))
+            if len(ret) == 1:
+                __print_and_exit(ret[0])
+            else:
+                __print_and_exit("no zone", 2)
+        elif a.change_source:
+            ret = []
+            for old_zone in fw.config.get_zones():
+                old_zone_obj = fw.config.get_zone(old_zone)
+                if a.change_source in old_zone_obj.sources:
+                    if old_zone_obj.name != zone:
+                        old_zone_settings = FirewallClientZoneSettings(
+                            fw.config.get_zone_config(old_zone_obj))
+
+                        old_zone_settings.removeSource(a.change_source) # remove from old
+                        fw.config.set_zone_config(old_zone_obj, old_zone_settings.settings)
+            fw_settings.addSource(a.change_source)              # add to new
+        elif a.add_source:
+            fw_settings.addSource(a.add_source)
+        elif a.remove_source:
+            fw_settings.removeSource(a.remove_source)
+        elif a.query_source:
+            __print_query_result(fw_settings.querySource(a.query_source))
+
+        # rich rules
+        if a.list_rich_rules:
+            l = fw_settings.getRichRules()
+            __print_and_exit("\n".join(l))
+        elif a.add_rich_rule:
+            for s in a.add_rich_rule:
+                fw_settings.addRichRule(s)
+        elif a.remove_rich_rule:
+            for s in a.remove_rich_rule:
+                fw_settings.removeRichRule(s)
+        elif a.query_rich_rule:
+            __print_query_result(fw_settings.queryRichRule(a.query_rich_rule))
+
+        # service
+        if a.list_services:
+            l = fw_settings.getServices()
+            __print_and_exit(" ".join(l))
+        elif a.add_service:
+            for s in a.add_service:
+                fw_settings.addService(s)
+        elif a.remove_service_from_zone:
+            for s in a.remove_service_from_zone:
+                fw_settings.removeService(s)
+        elif a.query_service:
+            __print_query_result(fw_settings.queryService(a.query_service))
+
+        # port
+        elif a.list_ports:
+            l = fw_settings.getPorts()
+            __print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
+        elif a.add_port:
+            for port_proto in a.add_port:
+                (port, proto) = __parse_port(port_proto)
+                fw_settings.addPort(port, proto)
+        elif a.remove_port:
+            for port_proto in a.remove_port:
+                (port, proto) = __parse_port(port_proto)
+                fw_settings.removePort(port, proto)
+        elif a.query_port:
+            (port, proto) = __parse_port(a.query_port)
+            __print_query_result(fw_settings.queryPort(port, proto))
+
+        # masquerade
+        elif a.add_masquerade:
+            fw_settings.setMasquerade(True)
+        elif a.remove_masquerade:
+            fw_settings.setMasquerade(False)
+        elif a.query_masquerade:
+            __print_query_result(fw_settings.getMasquerade())
+
+        # forward port
+        elif a.list_forward_ports:
+            l = fw_settings.getForwardPorts()
+            __print_and_exit("\n".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in l]))
+        elif a.add_forward_port:
+            for fp in a.add_forward_port:
+                (port, protocol, toport, toaddr) = __parse_forward_port(fp)
+                fw_settings.addForwardPort(port, protocol, toport, toaddr)
+        elif a.remove_forward_port:
+            for fp in a.remove_forward_port:
+                (port, protocol, toport, toaddr) = __parse_forward_port(fp)
+                fw_settings.removeForwardPort(port, protocol, toport, toaddr)
+        elif a.query_forward_port:
+            (port, protocol, toport, toaddr) = __parse_forward_port(a.query_forward_port)
+            __print_query_result(fw_settings.queryForwardPort(port, protocol, toport, toaddr))
+
+        # block icmp
+        elif a.list_icmp_blocks:
+            l = fw_settings.getIcmpBlocks()
+            __print_and_exit(" ".join(l))
+        elif a.add_icmp_block:
+            for ib in a.add_icmp_block:
+                fw_settings.addIcmpBlock(ib)
+        elif a.remove_icmp_block:
+            for ib in a.remove_icmp_block:
+                fw_settings.removeIcmpBlock(ib)
+        elif a.query_icmp_block:
+            __print_query_result(fw_settings.queryIcmpBlock(a.query_icmp_block))
+
+        # zone target
+        elif a.get_target:
+            __print_and_exit(fw_settings.getTarget())
+        elif a.set_target:
+            fw_settings.setTarget(a.set_target)
+
+        # list all zone settings
+        elif a.list_all:
+            __list_all_permanent(fw_settings, zone if zone else fw.get_default_zone())
+            sys.exit(0)
+
+        # list everything
+        elif a.list_all_zones:
+            zones = fw.config.get_zones()
+            for zone in zones:
+                fw_zone = fw.config.get_zone(zone)
+                fw_settings = FirewallClientZoneSettings(list(fw.config.get_zone_config(fw_zone)))
+                __list_all_permanent(fw_settings, zone)
+                __print("")
+            sys.exit(0)
 
-if conf.trust:
-    if trusted_obj:
-        for dev in conf.trust:
-            warning(_("The device '%s' will be bound to the %s zone.") % \
-                          (dev, trusted_zone))
-            trusted_obj.interfaces.append(dev)
-            changed_trusted = True
-
-# no custom rules
-if conf.custom_rules and len(conf.custom_rules) > 0:
-    for custom in conf.custom_rules:
-        warning(_("Ignoring custom-rule file '%s'") % ":".join(custom))
-
-# no modules
-if conf.add_module and len(conf.add_module) > 0:
-    for module in conf.add_module:
-        warning(_("Ignoring addmodule '%s'") % module)
-if conf.remove_module and len(conf.remove_module) > 0:
-    for module in conf.remove_module:
-        warning(_("Ignoring removemodule '%s'") % module)
-
-if conf.masq:
-    for dev in conf.masq:
-        if obj.masquerade != True:
-            warning(_("Device '%s' was masqueraded, enabling masquerade for the default zone.") % dev)
-            obj.masquerade = True
-            changed = True
-
-if conf.ports and len(conf.ports) > 0:
-    for item in conf.ports:
-        if item not in obj.ports:
-            print(_("Adding port '%s/%s' to default zone.") % \
-                      (item[0], item[1]))
-            obj.ports.append(item)
-            changed = True
-
-if conf.remove_services:
-    for service in conf.remove_services:
-        if service in obj.services:
-            print(_("Removing service '%s' from default zone.") % service)
-            obj.services.remove(service)
-            changed = True
-
-if conf.services:
-    for service in conf.services:
-        if service not in obj.services:
-            print(_("Adding service '%s' to default zone.") % service)
-            obj.services.append(service)
-            changed = True
-
-if conf.block_icmp:
-    for icmp in conf.block_icmp:
-        if icmp not in obj.icmp_blocks:
-            print(_("Adding icmpblock '%s' to default zone.") % icmp)
-            obj.icmp_blocks.append(icmp)
-            changed = True
-
-if conf.forward_port:
-    for fwd in conf.forward_port:
-        # ignore interface, should belong to default zone
-        entry = (fwd.get("port", ""), fwd.get("proto", ""),
-                 fwd.get("toport", ""), fwd.get("toaddr", ""))
-        if entry not in obj.forward_ports:
-            print(_("Adding forward port %s:%s:%s:%s to default zone.") % \
-                      (entry[0], entry[1], entry[2], entry[3]))
-            obj.forward_ports.append(entry)
-            changed = True
+        fw.config.set_zone_config(fw_zone, fw_settings.settings)
 
-if changed:
-    zone_writer(obj, ETC_FIREWALLD_ZONES)
+except Exception as msg:
+    __fail("%s" % msg)
 else:
-    print(_("No changes to default zone needed."))
-
-if changed_trusted:
-    zone_writer(trusted_obj, ETC_FIREWALLD_ZONES)
-    print(_("Changed trusted zone configuration."))
-    print("\n")
-    warning(_("If one of the trusted interfaces is used for a connection with NetworkManager or if there is an ifcfg file for this interface, the zone will be changed to the zone defined in the configuration as soon as it gets activated. To change the zone of a connection use <command>nm-connection-editor</command> and set the zone to trusted, for an ifcfg file, use an editor and add \"ZONE=trusted\". If the zone is not defined in the ifcfg file, the firewalld default zone will be used."))
-
-sys.exit(0)
+    __print_and_exit("success")
diff -up firewalld-0.3.9/src/Makefile.in.RHBZ#1059800 firewalld-0.3.9/src/Makefile.in
--- firewalld-0.3.9/src/Makefile.in.RHBZ#1059800	2014-01-13 17:06:59.000000000 +0100
+++ firewalld-0.3.9/src/Makefile.in	2014-02-26 09:30:43.442191785 +0100
@@ -358,6 +358,7 @@ nobase_dist_python_DATA = \
 	firewall/core/fw_icmptype.py \
 	firewall/core/fw_policies.py \
 	firewall/core/fw.py \
+	firewall/core/fw_test.py \
 	firewall/core/fw_service.py \
 	firewall/core/fw_zone.py \
 	firewall/core/__init__.py \