commit 2f435f7ab1e85bf958fd3ad933f6837bdcd5c5c3
Author: Thomas Woerner <twoerner@redhat.com>
Date: Tue Feb 11 14:11:07 2014 +0100
firewall-cmd: Create and remove permanent zones, services and icmptypes
diff --git a/doc/xml/firewall-cmd.xml b/doc/xml/firewall-cmd.xml
index 41132ff..b1b1a15 100644
--- a/doc/xml/firewall-cmd.xml
+++ b/doc/xml/firewall-cmd.xml
@@ -10,7 +10,7 @@
<!--
This file is part of firewalld.
- Copyright (C) 2010-2013 Red Hat, Inc.
+ Copyright (C) 2010-2014 Red Hat, Inc.
Authors:
Thomas Woerner <twoerner@redhat.com>
@@ -271,6 +271,24 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><option>--permanent</option> <option>--new-zone</option>=<replaceable>zone</replaceable></term>
+ <listitem>
+ <para>
+ Add a new permanent zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--permanent</option> <option>--delete-zone</option>=<replaceable>zone</replaceable></term>
+ <listitem>
+ <para>
+ Delete an existing permanent zone.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
@@ -698,6 +716,52 @@
</variablelist>
</refsect2>
+ <refsect2 id="service_options">
+ <title>Service Options</title>
+ <variablelist>
+ <varlistentry>
+ <term><option>--permanent</option> <option>--new-service</option>=<replaceable>service</replaceable></term>
+ <listitem>
+ <para>
+ Add a new permanent service.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--permanent</option> <option>--delete-service</option>=<replaceable>service</replaceable></term>
+ <listitem>
+ <para>
+ Delete an existing permanent service.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2 id="icmptype_options">
+ <title>Internet Control Message Protocol (ICMP) type Options</title>
+ <variablelist>
+ <varlistentry>
+ <term><option>--permanent</option> <option>--new-icmptype</option>=<replaceable>icmptype</replaceable></term>
+ <listitem>
+ <para>
+ Add a new permanent icmptype.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--permanent</option> <option>--delete-icmptype</option>=<replaceable>icmptype</replaceable></term>
+ <listitem>
+ <para>
+ Delete an existing permanent icmptype.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
<refsect2 id="direct_options">
<title>Direct Options</title>
<para>
diff --git a/src/firewall-cmd b/src/firewall-cmd
index bdb7dbe..3316883 100755
--- a/src/firewall-cmd
+++ b/src/firewall-cmd
@@ -29,7 +29,7 @@ import argparse
import dbus
import os
-from firewall.client import FirewallClient
+from firewall.client import *
from firewall.errors import *
from firewall.functions import joinArgs
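Review bot: The wildcard `from firewall.client import *` on the `+` line replaces an explicit import, so the file no longer shows which client names it relies on, and it can silently shadow names imported before it. The only new names this commit appears to use are the three settings classes, so `from firewall.client import FirewallClient, FirewallClientZoneSettings, \` followed by `FirewallClientServiceSettings, FirewallClientIcmpTypeSettings` would do the same job explicitly. The file already uses a wildcard for `firewall.errors`, but that is no reason to extend the pattern.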
@@ -86,9 +86,23 @@ Zone Options
--get-zone-of-source=<source>[/<mask>]
Print name of the zone the source[/mask] is bound to [P]
--list-all-zones List everything added for or enabled in all zones [P]
+ --new-zone=<zone> Add a new zone [P only]
+ --delete-zone=<zone> Delete an existing zone [P only]
--zone=<zone> Use this zone to set or query options, else default zone
Usable for options maked with [Z]
+IcmpType Options
+ --new-icmptype=<icmptype>
+ Add a new icmptype [P only]
+ --delete-icmptype=<icmptype>
+ Delete and existing icmptype [P only]
+
+Service Options
+ --new-service=<service>
+ Add a new service [P only]
+ --delete-service=<service>
+ Delete and existing service [P only]
+
Options to Adapt and Query Zones
--list-all List everything added for or enabled in a zone [P] [Z]
--list-services List services added for a zone [P] [Z]
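Review bot: The new usage lines for `--delete-icmptype` and `--delete-service` read `Delete and existing icmptype [P only]` and `Delete and existing service [P only]`; "and" should be "an" in both. These are user-facing strings printed by the usage text, so the typo ships to every user. The corrected lines are `Delete an existing icmptype [P only]` and `Delete an existing service [P only]`.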
@@ -373,6 +387,14 @@ parser_group_standalone.add_argument("--get-zone-of-interface", metavar="<iface>
parser_group_standalone.add_argument("--get-zone-of-source", metavar="<source>")
parser_group_standalone.add_argument("--list-all-zones", action="store_true")
+parser_group_config = parser.add_mutually_exclusive_group()
+parser_group_config.add_argument("--new-icmptype", metavar="<icmptype>")
+parser_group_config.add_argument("--delete-icmptype", metavar="<icmptype>")
+parser_group_config.add_argument("--new-service", metavar="<service>")
+parser_group_config.add_argument("--delete-service", metavar="<service>")
+parser_group_config.add_argument("--new-zone", metavar="<zone>")
+parser_group_config.add_argument("--delete-zone", metavar="<zone>")
+
parser_group_lockdown_whitelist = parser.add_mutually_exclusive_group()
parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-commands", action="store_true")
parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-command", metavar="<command>")
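Review bot: The new argparse group is named `parser_group_config`, which reads as if it belonged to the pre-existing `options_config` flag set (`--get-zones | --get-services | --get-icmptypes`, per the usage error later in this commit), while the flags it holds are gated by the new `options_permanent_only` variable. The neighbouring groups pair with their option-set variables by name (`parser_group_standalone`/`options_standalone`, `parser_group_lockdown_whitelist`/`options_lockdown_whitelist`), so `parser_group_permanent_only = parser.add_mutually_exclusive_group()` would keep that convention. Whether a `parser_group_config` already exists elsewhere in the file is not visible here.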
@@ -512,6 +534,7 @@ options_zone_adapt_query = \
a.add_rich_rule or a.remove_rich_rule or a.query_rich_rule or \
a.add_masquerade or a.remove_masquerade or a.query_masquerade or \
a.list_services or a.list_ports or a.list_icmp_blocks or \
+ a.list_forward_ports or a.list_rich_rules or a.list_all or \
a.list_forward_ports or a.list_rich_rules or a.list_all
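Review bot: The added line `a.list_forward_ports or a.list_rich_rules or a.list_all or \` is an exact duplicate of the unchanged line that follows it, so `options_zone_adapt_query` now tests the same three flags twice. The value is unchanged because `or` is idempotent, but it looks like an editing slip and will puzzle the next reader; drop the added line and keep the original terminating line. The assignment starts outside the hunk.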
options_zone_ops = options_zone_interfaces_sources or \
@@ -521,6 +544,10 @@ options_zone = a.zone or a.timeout or options_zone_ops
options_permanent = a.permanent or options_config or a.zone or options_zone_ops
+options_permanent_only = a.new_icmptype or a.delete_icmptype or \
+ a.new_service or a.delete_service or \
+ a.new_zone or a.delete_zone
+
options_direct = a.passthrough or \
a.add_chain or a.remove_chain or a.query_chain or \
a.get_chains or a.get_all_chains or \
@@ -543,15 +570,18 @@ options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \
# Check various impossible combinations of options
if not (options_standalone or options_zone or \
- options_permanent or options_direct or options_direct_permanent):
+ options_permanent or options_direct or options_direct_permanent or \
+ options_permanent_only):
__fail(parser.format_usage() + "No option specified.")
if options_standalone and (options_zone or options_permanent or \
- options_direct or options_direct_permanent):
+ options_direct or options_direct_permanent or \
+ options_permanent_only):
__fail(parser.format_usage() +
"Can't use stand-alone options with other options.")
-if (options_direct or options_direct_permanent) and (options_zone):
+if (options_direct or options_direct_permanent or options_permanent_only) and \
+ (options_zone):
__fail(parser.format_usage() +
"Can't use 'direct' options with other options.")
@@ -564,6 +594,10 @@ if options_direct_permanent and not a.permanent:
__fail(parser.format_usage() +
"Option can be used only with --permanent.")
+if options_permanent_only and not a.permanent:
+ __fail(parser.format_usage() +
+ "Option can be used only with --permanent.")
+
if options_config and options_zone:
__fail(parser.format_usage() +
"Wrong usage of --get-zones | --get-services | --get-icmptypes.")
@@ -625,6 +659,30 @@ if a.permanent:
l = [fw.config().getIcmpType(i).get_property("name") for i in icmptypes]
__print_and_exit(" ".join(sorted(l)))
+ elif a.new_zone:
+ config = fw.config()
+ config.addZone(a.new_zone, FirewallClientZoneSettings())
+
+ elif a.delete_zone:
+ zone = fw.config().getZoneByName(a.delete_zone)
+ zone.remove()
+
+ elif a.new_service:
+ config = fw.config()
+ config.addService(a.new_service, FirewallClientServiceSettings())
+
+ elif a.delete_service:
+ service = fw.config().getServiceByName(a.delete_service)
+ service.remove()
+
+ elif a.new_icmptype:
+ config = fw.config()
+ config.addIcmpType(a.new_icmptype, FirewallClientIcmpTypeSettings())
+
+ elif a.delete_icmptype:
+ icmptype = fw.config().getIcmpTypeByName(a.delete_icmptype)
+ icmptype.remove()
+
# lockdown whitelist
elif options_lockdown_whitelist:
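Review bot: The three delete branches call `.remove()` on whatever `getZoneByName`, `getServiceByName` and `getIcmpTypeByName` return, without checking that a matching object was found; if those client lookups return None for an unknown name the user gets an AttributeError instead of a usage error. If they instead raise a firewalld/D-Bus error that the script's outer handler reports, a one-line comment at the first delete branch, `# lookup raises for an unknown name; reported by the global error handler`, would make that explicit. The create branches hand the command-line name straight to `config.addZone`/`addService`/`addIcmpType`, so validating the name and authorizing the change rests with the config daemon; a comment at `config.addZone` stating that would help a reader auditing this path. The enclosing `if a.permanent:` chain starts and ends outside the hunk.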
commit b270c28945aa0f96e82f2f11a29370a3d57ded03
Author: Thomas Woerner <twoerner@redhat.com>
Date: Tue Feb 11 13:00:16 2014 +0100
FirewallClientZoneSettings: Set proper default target
The default target was set to "" instead of DEFAULT_ZONE_TARGET.
diff --git a/src/firewall/client.py b/src/firewall/client.py
index c557b4f..3168887 100644
--- a/src/firewall/client.py
+++ b/src/firewall/client.py
@@ -30,6 +30,7 @@ import slip.dbus
from firewall.config import *
from firewall.config.dbus import *
+from firewall.core.base import DEFAULT_ZONE_TARGET
from firewall.dbus_utils import dbus_to_python
import dbus
from decorator import decorator
@@ -79,8 +80,8 @@ class FirewallClientZoneSettings(object):
if settings:
self.settings = settings
else:
- self.settings = ["", "", "", False, "", [], [], [], False, [],
- [], [], []]
+ self.settings = ["", "", "", False, DEFAULT_ZONE_TARGET, [], [],
+ [], False, [], [], [], []]
@handle_exceptions
def __repr__(self):
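Review bot: The defaults are a 13-element positional list, so the fix at index 4 can only be understood by counting; a comment naming the corrected slot would make it self-explanatory, e.g. `# positional settings; index 4 is the zone target, hence DEFAULT_ZONE_TARGET`. Separately, the surrounding `if settings:` treats an explicitly passed empty list as "no settings" and substitutes the defaults; `if settings is not None:` would be the stricter test if any caller passes `[]`, which is not visible here. The `__init__` this belongs to starts outside the hunk.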
commit 89e034763e98024a81b3018cecd3058af9cce84f
Author: Thomas Woerner <twoerner@redhat.com>
Date: Tue Feb 11 14:11:28 2014 +0100
Fixed creation and deletion of zones, services and icmptypes over D-Bus signals
diff --git a/src/firewall-config b/src/firewall-config
index 363e89c..a00a794 100755
--- a/src/firewall-config
+++ b/src/firewall-config
@@ -1,7 +1,7 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
-# Copyright (C) 2011-2012 Red Hat, Inc.
+# Copyright (C) 2011-2014 Red Hat, Inc.
#
# Authors:
# Thomas Woerner <twoerner@redhat.com>
@@ -912,7 +912,6 @@ class FirewallConfig(object):
self.fw.connect("direct:rule-removed", self.direct_rule_removed_cb)
self.fw.connect("config:direct:updated", self.direct_updated_cb)
- # TODO: zone-added, zone-removed
self.fw.connect("config:zone-added", self.conf_zone_added_cb)
self.fw.connect("config:zone-updated", self.conf_zone_updated_cb)
self.fw.connect("config:zone-removed", self.conf_zone_removed_cb)
@@ -1580,7 +1579,7 @@ class FirewallConfig(object):
def conf_zone_added_cb(self, zone):
if self.runtime_view:
return
- self.load_zones()
+ self.zoneStore.append([zone, Pango.Weight.NORMAL])
def conf_zone_updated_cb(self, zone):
if self.runtime_view or zone != self.get_active_zone():
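Review bot: `conf_zone_added_cb` now appends `[zone, Pango.Weight.NORMAL]` to `zoneStore` unconditionally, so a `config:zone-added` signal for a name that is already in the store produces a duplicate row, where the replaced `load_zones()` rebuilt the list from scratch. Whether the store can already hold the name (for example when this process created the zone itself) depends on code outside this hunk; if it can, scan the store for `zone` before appending, the same way the removed callbacks scan before removing. The same consideration applies to the ICMP-type append later in this commit.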
@@ -3500,20 +3499,20 @@ class FirewallConfig(object):
def conf_service_added_cb(self, service):
if self.runtime_view:
return
- self.serviceStore.append([False, service])
+ self.serviceConfServiceStore.append([service])
- def conf_service_updated_cb(self, zone):
+ def conf_service_updated_cb(self, service):
self.onChangeService()
def conf_service_removed_cb(self, service):
if self.runtime_view:
return
- iter = self.serviceStore.get_iter_first()
+ iter = self.serviceConfServiceStore.get_iter_first()
while iter:
- if self.serviceStore.get_value(iter, 1) == service:
- self.serviceStore.remove(iter)
+ if self.serviceConfServiceStore.get_value(iter, 0) == service:
+ self.serviceConfServiceStore.remove(iter)
break
- iter = self.serviceStore.iter_next(iter)
+ iter = self.serviceConfServiceStore.iter_next(iter)
def onServiceConfAddService(self, *args):
self.add_edit_service(True)
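Review bot: The rewritten loop in `conf_service_removed_cb` keeps the local name `iter`, which shadows the builtin; since these lines are being touched anyway, `row_iter = self.serviceConfServiceStore.get_iter_first()` would be the moment to rename it, and the same applies to the identical loop in `conf_icmp_removed_cb` later in this commit. The parameter rename to `conf_service_updated_cb(self, service)` is right, but the argument is unused and, unlike its siblings, the body has no `runtime_view` guard; if that is intentional a short comment would spare the next reader the question. `onServiceConfAddService` continues outside the hunk.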
@@ -4066,7 +4065,7 @@ class FirewallConfig(object):
return
if not self.show_icmp_types:
return
- self.icmpStore.append([False, icmp])
+ self.icmpDialogIcmpStore.append([icmp])
def conf_icmp_updated_cb(self, zone):
if self.runtime_view:
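Review bot: The context line `def conf_icmp_updated_cb(self, zone):` still names its argument `zone`, although this commit fixes the same misnaming in `conf_service_updated_cb`; renaming it to `icmp` keeps the ICMP callbacks consistent with `conf_icmp_added_cb` and `conf_icmp_removed_cb`. The new `self.icmpDialogIcmpStore.append([icmp])` also appends without checking whether `icmp` is already in the store; if the store can already contain it, scan before appending as the removed callback scans before removing. The function this append belongs to starts outside the hunk (presumably `conf_icmp_added_cb`).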
@@ -4080,12 +4079,12 @@ class FirewallConfig(object):
return
if not self.show_icmp_types:
return
- iter = self.icmpStore.get_iter_first()
+ iter = self.icmpDialogIcmpStore.get_iter_first()
while iter:
- if self.icmpStore.get_value(iter, 1) == icmp:
- self.icmpStore.remove(iter)
+ if self.icmpDialogIcmpStore.get_value(iter, 0) == icmp:
+ self.icmpDialogIcmpStore.remove(iter)
break
- iter = self.icmpStore.iter_next(iter)
+ iter = self.icmpDialogIcmpStore.iter_next(iter)
def lockdown_check_cb(self, *args):
if self.fw.queryLockdown():