diff -up firewalld-0.3.9/doc/xml/firewall-cmd.xml.RHBZ#993650_add firewalld-0.3.9/doc/xml/firewall-cmd.xml
--- firewalld-0.3.9/doc/xml/firewall-cmd.xml.RHBZ#993650_add 2014-10-20 22:03:54.453869807 +0200
+++ firewalld-0.3.9/doc/xml/firewall-cmd.xml 2014-10-20 22:03:54.460869767 +0200
@@ -943,16 +943,16 @@
<term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-all-passthroughs</option></term>
<listitem>
<para>
- Get all permanent passthrough as a newline separated list of the ipv value and arguments.
+ Get all passthrough rules as a newline separated list of the ipv value and arguments.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-passthroughs</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } </term>
+ <term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--get-passthroughs</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> }</term>
<listitem>
<para>
- Get all permanent passthrough rules for the ipv value as a newline separated list of the priority and arguments.
+ Get all passthrough rules for the ipv value as a newline separated list of the priority and arguments.
</para>
</listitem>
</varlistentry>
@@ -961,7 +961,7 @@
<term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--add-passthrough</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>args</replaceable></term>
<listitem>
<para>
- Add a permanent passthrough rule with the arguments <replaceable>args</replaceable> for the ipv value.
+ Add a passthrough rule with the arguments <replaceable>args</replaceable> for the ipv value.
</para>
</listitem>
</varlistentry>
@@ -970,7 +970,7 @@
<term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--remove-passthrough</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>args</replaceable></term>
<listitem>
<para>
- Remove a permanent passthrough rule with the arguments <replaceable>args</replaceable> for the ipv value.
+ Remove a passthrough rule with the arguments <replaceable>args</replaceable> for the ipv value.
</para>
</listitem>
</varlistentry>
@@ -979,7 +979,7 @@
<term><optional><option>--permanent</option></optional> <option>--direct</option> <option>--query-passthrough</option> { <literal>ipv4</literal> | <literal>ipv6</literal> | <literal>eb</literal> } <replaceable>args</replaceable></term>
<listitem>
<para>
- Return whether a permanent passthrough rule with the arguments <replaceable>args</replaceable> exists for the ipv value. Returns 0 if true, 1 otherwise.
+ Return whether a passthrough rule with the arguments <replaceable>args</replaceable> exists for the ipv value. Returns 0 if true, 1 otherwise.
</para>
</listitem>
</varlistentry>
diff -up firewalld-0.3.9/src/firewall/client.py.RHBZ#993650_add firewalld-0.3.9/src/firewall/client.py
--- firewalld-0.3.9/src/firewall/client.py.RHBZ#993650_add 2014-10-20 22:03:54.447869842 +0200
+++ firewalld-0.3.9/src/firewall/client.py 2014-10-20 22:03:54.461869762 +0200
@@ -1314,7 +1314,7 @@ class FirewallClientDirect(object):
self.settings[2] = passthroughs
@handle_exceptions
def removeAllPassthroughs(self):
- self.settings[2] = passthroughs
+ self.settings[2] = []
@handle_exceptions
def getPassthroughs(self, ipv):
return [ entry[1] for entry in self.settings[2] \
diff -up firewalld-0.3.9/src/firewall/core/fw_direct.py.RHBZ#993650_add firewalld-0.3.9/src/firewall/core/fw_direct.py
--- firewalld-0.3.9/src/firewall/core/fw_direct.py.RHBZ#993650_add 2014-10-20 22:03:54.392870157 +0200
+++ firewalld-0.3.9/src/firewall/core/fw_direct.py 2014-10-20 22:04:44.901595326 +0200
@@ -280,7 +280,7 @@ class FirewallDirect:
r.append((ipv, table, chain, priority, list(args)))
return r
- # DIRECT PASSTROUGH (untracked)
+ # DIRECT PASSTHROUGH (untracked)
def passthrough(self, ipv, args):
try:
@@ -289,7 +289,7 @@ class FirewallDirect:
log.debug2(msg)
raise FirewallError(COMMAND_FAILED, msg)
- # DIRECT PASSTROUGH (tracked)
+ # DIRECT PASSTHROUGH (tracked)
def _check_ipv(self, ipv):
ipvs = [ 'ipv4', 'ipv6', 'eb' ]
@@ -311,8 +311,14 @@ class FirewallDirect:
raise FirewallError(NOT_ENABLED,
"passthrough '%s', '%s'" % (ipv, args))
+ if enable:
+ self.check_passthrough(args)
+ _args = args
+ else:
+ _args = self.reverse_passthrough(args)
+
try:
- self._fw.rule(ipv, args)
+ self._fw.rule(ipv, _args)
except Exception as msg:
log.debug2(msg)
raise FirewallError(COMMAND_FAILED, msg)
@@ -349,3 +355,74 @@ class FirewallDirect:
for args in self._passthroughs[ipv]:
r.append(list(args))
return r
+
+ def check_passthrough(self, args):
+ """ Check if passthough rule is valid (only add, insert and new chain
+ rules are allowed) """
+
+ args = set(args)
+ not_allowed = set(["-C", "--check", # check rule
+ "-D", "--delete", # delete rule
+ "-R", "--replace", # replace rule
+ "-L", "--list", # list rule
+ "-S", "--list-rules", # print rules
+ "-F", "--flush", # flush rules
+ "-Z", "--zero", # zero rules
+ "-X", "--delete-chain", # delete chain
+ "-P", "--policy", # policy
+ "-E", "--rename-chain"]) # rename chain)
+ # intersection of args and not_allowed is not empty, i.e.
+ # something from args is not allowed
+ if len(args & not_allowed) > 0:
+ raise FirewallError(INVALID_PASSTHROUGH,
+ "arg '%s' is not allowed" %
+ list(args & not_allowed)[0] )
+
+ # args need to contain one of -A, -I, -N
+ needed = set(["-A", "--append",
+ "-I", "--insert",
+ "-N", "--new-chain"])
+ # empty intersection of args and needed, i.e.
+ # none from args contains any needed command
+ if len(args & needed) == 0:
+ raise FirewallError(INVALID_PASSTHROUGH,
+ "no '-A', '-I' or '-N' arg")
+
+ def reverse_passthrough(self, args):
+ """ Reverse valid passthough rule """
+
+ replace_args = {
+ # Append
+ "-A": "-D",
+ "--append": "--delete",
+ # Insert
+ "-I": "-D",
+ "--insert": "--delete",
+ # New chain
+ "-N": "-X",
+ "--new-chain": "--delete-chain",
+ }
+
+ ret_args = args[:]
+
+ for x in replace_args:
+ try:
+ idx = ret_args.index(x)
+ except:
+ continue
+
+ if x in [ "-I", "--insert" ]:
+ # With insert rulenum, then remove it if it is a number
+ # Opt at position idx, chain at position idx+1, [rulenum] at
+ # position idx+2
+ try:
+ int(ret_args[idx+2])
+ except:
+ pass
+ else:
+ ret_args.pop(idx+2)
+
+ ret_args[idx] = replace_args[x]
+ return ret_args
+
+ raise FirewallError(INVALID_PASSTHROUGH, "no '-A', '-I' or '-N' arg")
diff -up firewalld-0.3.9/src/firewall/errors.py.RHBZ#993650_add firewalld-0.3.9/src/firewall/errors.py
--- firewalld-0.3.9/src/firewall/errors.py.RHBZ#993650_add 2014-10-20 22:03:54.448869836 +0200
+++ firewalld-0.3.9/src/firewall/errors.py 2014-10-20 22:03:54.461869762 +0200
@@ -74,6 +74,7 @@ INVALID_COMMAND = 129
INVALID_USER = 130
INVALID_UID = 131
INVALID_MODULE = 132
+INVALID_PASSTHROUGH = 133
MISSING_TABLE = 200
MISSING_CHAIN = 201
diff -up firewalld-0.3.9/src/firewall/server/config.py.RHBZ#993650_add firewalld-0.3.9/src/firewall/server/config.py
--- firewalld-0.3.9/src/firewall/server/config.py.RHBZ#993650_add 2014-10-20 22:03:54.449869830 +0200
+++ firewalld-0.3.9/src/firewall/server/config.py 2014-10-20 22:03:54.461869762 +0200
@@ -897,6 +897,19 @@ class FirewallDConfig(slip.dbus.service.
idx = (ipv, table, chain, priority, args)
return idx in self.getSettings()[1]
+ @dbus_service_method(DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sss')
+ @dbus_handle_exceptions
+ def removeRules(self, ipv, table, chain, sender=None):
+ ipv = dbus_to_python(ipv)
+ table = dbus_to_python(table)
+ chain = dbus_to_python(chain)
+ log.debug1("config.direct.removeRules('%s', '%s', '%s')" %
+ (ipv, table, chain, ))
+ self.accessCheck(sender)
+ settings = list(self.getSettings())
+ settings[1] = []
+ self.update(tuple(settings))
+
@dbus_service_method(DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sss',
out_signature='a(ias)')
@dbus_handle_exceptions