From f20ba9f1493a31ca31ee071007533b4e35cb57a2 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 10 Jan 2019 13:29:12 -0500
Subject: [PATCH 1/3] nftables: move OUR_CHAINS inside the class
No reason for it to be at the file level. Let's move it inside the class.
(cherry picked from commit 37606c1eca2b247e648c658ea29af5b5194447e9)
---
src/firewall/core/nftables.py | 47 +++++++++++++++++------------------
1 file changed, 23 insertions(+), 24 deletions(-)
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 1d0ce24d68a2..1eb9c3fb94c2 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -76,13 +76,6 @@ IPTABLES_TO_NFT_HOOK = {
},
}
-OUR_CHAINS = { # chains created by firewalld
- # family: { chains ...}
- "inet": {},
- "ip": {},
- "ip6": {},
-}
-
# Most ICMP types are provided by nft, but for the codes we have to use numeric
# values.
#
@@ -163,6 +156,12 @@ class nftables(object):
self.rule_to_handle = {}
self.rule_ref_count = {}
self.rich_rule_priority_counts = {}
+ self.our_chains = { # chains created by firewalld
+ # family: { chains ...}
+ "inet": {},
+ "ip": {},
+ "ip6": {},
+ }
def fill_exists(self):
self.command_exists = os.path.exists(self._command)
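Review bot: Dropping the module-level `OUR_CHAINS` removes a public name from `firewall.core.nftables`, and the diffstat shows only this file changed, so any other module that does `from firewall.core.nftables import OUR_CHAINS` would now fail at import time; worth a grep across the tree (and the other two patches of the series) before merging. Moving the dict into `__init__` also turns it from state shared by every `nftables` instance into per-instance state, which is the right ownership for "chains this backend created" but means a second instance no longer sees chains recorded by the first. A short comment on the attribute would make that ownership explicit, e.g. `# chains this instance created, keyed family -> table -> {chain}; drives table deletion`. The `__init__` signature is above the hunk.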
@@ -359,7 +358,7 @@ class nftables(object):
self.rich_rule_priority_counts = {}
rules = []
- for family in OUR_CHAINS.keys():
+ for family in self.our_chains.keys():
rules.append(["delete", "table", family, "%s" % TABLE_NAME])
return rules
@@ -399,13 +398,13 @@ class nftables(object):
def build_default_tables(self):
default_tables = []
- for family in OUR_CHAINS.keys():
+ for family in self.our_chains.keys():
default_tables.append("add table %s %s" % (family, TABLE_NAME))
return map(splitArgs, default_tables)
def build_default_rules(self, log_denied="off"):
default_rules = []
- OUR_CHAINS["inet"]["raw"] = set()
+ self.our_chains["inet"]["raw"] = set()
for chain in IPTABLES_TO_NFT_HOOK["raw"].keys():
default_rules.append("add chain inet %s raw_%s '{ type filter hook %s priority %d ; }'" %
(TABLE_NAME, chain,
@@ -417,9 +416,9 @@ class nftables(object):
default_rules.append("add chain inet %s raw_%s_ZONES" % (TABLE_NAME, chain))
default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES_SOURCE" % (TABLE_NAME, chain, chain))
default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES" % (TABLE_NAME, chain, chain))
- OUR_CHAINS["inet"]["raw"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
+ self.our_chains["inet"]["raw"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
- OUR_CHAINS["inet"]["mangle"] = set()
+ self.our_chains["inet"]["mangle"] = set()
for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys():
default_rules.append("add chain inet %s mangle_%s '{ type filter hook %s priority %d ; }'" %
(TABLE_NAME, chain,
@@ -430,10 +429,10 @@ class nftables(object):
default_rules.append("add chain inet %s mangle_%s_ZONES" % (TABLE_NAME, chain))
default_rules.append("add rule inet %s mangle_%s jump mangle_%s_ZONES_SOURCE" % (TABLE_NAME, chain, chain))
default_rules.append("add rule inet %s mangle_%s jump mangle_%s_ZONES" % (TABLE_NAME, chain, chain))
- OUR_CHAINS["inet"]["mangle"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
+ self.our_chains["inet"]["mangle"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
- OUR_CHAINS["ip"]["nat"] = set()
- OUR_CHAINS["ip6"]["nat"] = set()
+ self.our_chains["ip"]["nat"] = set()
+ self.our_chains["ip6"]["nat"] = set()
for family in ["ip", "ip6"]:
for chain in IPTABLES_TO_NFT_HOOK["nat"].keys():
default_rules.append("add chain %s %s nat_%s '{ type nat hook %s priority %d ; }'" %
@@ -445,9 +444,9 @@ class nftables(object):
default_rules.append("add chain %s %s nat_%s_ZONES" % (family, TABLE_NAME, chain))
default_rules.append("add rule %s %s nat_%s jump nat_%s_ZONES_SOURCE" % (family, TABLE_NAME, chain, chain))
default_rules.append("add rule %s %s nat_%s jump nat_%s_ZONES" % (family, TABLE_NAME, chain, chain))
- OUR_CHAINS[family]["nat"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
+ self.our_chains[family]["nat"].update(set(["%s_ZONES_SOURCE" % chain, "%s_ZONES" % chain]))
- OUR_CHAINS["inet"]["filter"] = set()
+ self.our_chains["inet"]["filter"] = set()
for chain in IPTABLES_TO_NFT_HOOK["filter"].keys():
default_rules.append("add chain inet %s filter_%s '{ type filter hook %s priority %d ; }'" %
(TABLE_NAME, chain,
@@ -486,12 +485,12 @@ class nftables(object):
default_rules.append("add rule inet %s filter_%s %%%%LOGTYPE%%%% log prefix '\"FINAL_REJECT: \"'" % (TABLE_NAME, "FORWARD"))
default_rules.append("add rule inet %s filter_%s reject with icmpx type admin-prohibited" % (TABLE_NAME, "FORWARD"))
- OUR_CHAINS["inet"]["filter"] = set(["INPUT_ZONES_SOURCE",
- "INPUT_ZONES",
- "FORWARD_IN_ZONES_SOURCE",
- "FORWARD_IN_ZONES",
- "FORWARD_OUT_ZONES_SOURCE",
- "FORWARD_OUT_ZONES"])
+ self.our_chains["inet"]["filter"] = set(["INPUT_ZONES_SOURCE",
+ "INPUT_ZONES",
+ "FORWARD_IN_ZONES_SOURCE",
+ "FORWARD_IN_ZONES",
+ "FORWARD_OUT_ZONES_SOURCE",
+ "FORWARD_OUT_ZONES"])
return map(splitArgs, default_rules)
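Review bot: `self.our_chains["inet"]["filter"]` is overwritten with a fresh literal set here although the same key was already initialised with `set()` at the start of the filter section in the previous hunk, so any `.update()` performed on it between the two points (outside this view) would be silently discarded. This is also inconsistent with the raw, mangle and nat sections, which only ever `.update()` the set they created. Prefer `self.our_chains["inet"]["filter"].update(set([...]))` here, or drop the earlier `set()` initialisation so there is one clear point of definition.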
@@ -610,7 +609,7 @@ class nftables(object):
_zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
- OUR_CHAINS[family][table].update(set([_zone,
+ self.our_chains[family][table].update(set([_zone,
"%s_log" % _zone,
"%s_deny" % _zone,
"%s_pre" % _zone,
--
2.18.0