From da851982df4020460fe4fa005dd99be4357ff9bd Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 2 Nov 2018 14:10:38 -0400
Subject: [PATCH 4/5] rich rules: fix mark action
They were being placed in the wrong (and nonexistent) chain. Also add
test coverage for the "mark" action.
Fixes: 7c5f5f4d12ee ("fw_zone: push rich rule generation to backend")
Tested-by: Felix Kaechele <heffer@fedoraproject.org>
(cherry picked from commit 5d36e0f55887c6204e07bd8095ead1ce2d535ddb)
---
src/firewall/core/ipXtables.py | 4 ++--
src/firewall/core/nftables.py | 4 ++--
src/tests/firewall-cmd.at | 1 +
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index 11aebec6e05a..b98ba5228e68 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -807,10 +807,10 @@ class ip4tables(object):
chain = "%s_deny" % target
rule_action = [ "-j", "DROP" ]
elif type(rich_rule.action) == Rich_Mark:
- chain = "%s_allow" % target
- table = "mangle"
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
+ table = "mangle"
+ chain = "%s_allow" % target
rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
else:
raise FirewallError(INVALID_RULE,
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index cd05b2c3137e..69236a9600c2 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -723,10 +723,10 @@ class nftables(object):
chain = "%s_%s_deny" % (table, target)
rule_action = ["drop"]
elif type(rich_rule.action) == Rich_Mark:
- table = "mangle"
- chain = "%s_%s_allow" % (table, target)
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
+ table = "mangle"
+ chain = "%s_%s_allow" % (table, target)
rule_action = ["meta", "mark", "set", rich_rule.action.set]
else:
raise FirewallError(INVALID_RULE,
diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
index f496b67e4a35..82ffa9f52b47 100644
--- a/src/tests/firewall-cmd.at
+++ b/src/tests/firewall-cmd.at
@@ -863,6 +863,7 @@ FWD_START_TEST([rich rules good])
rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"])
rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"])
+ rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"])
FWD_END_TEST
FWD_START_TEST([rich rules audit])
CHECK_LOG_AUDIT
--
2.18.0