From 2361184479832ac8f2754822e1e5d4de55c4898c Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 14 Nov 2018 11:42:17 -0500
Subject: [PATCH 1/4] remove ability to use nftables backend
---
config/firewalld.conf | 7 -------
configure.ac | 10 ----------
doc/xml/firewalld.conf.xml | 14 --------------
doc/xml/firewalld.dbus.xml | 10 ----------
src/firewall/config/__init__.py.in | 3 +--
src/firewall/core/fw.py | 5 -----
src/firewall/core/io/firewalld_conf.py | 11 +----------
src/firewall/server/config.py | 19 +++----------------
src/tests/dbus/firewalld.conf.at | 2 --
src/tests/functions.at | 3 ---
src/tests/testsuite.at | 2 +-
11 files changed, 6 insertions(+), 80 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index b53c0aa50c53..63df409bf567 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -55,10 +55,3 @@ LogDenied=off
# will be used. Possible values are: yes, no and system.
# Default: system
AutomaticHelpers=system
-
-# FirewallBackend
-# Selects the firewall backend implementation.
-# Choices are:
-# - nftables (default)
-# - iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
diff --git a/configure.ac b/configure.ac
index db9a39f92def..d1c365e29986 100644
--- a/configure.ac
+++ b/configure.ac
@@ -147,16 +147,6 @@ if test "x$IPSET" = "x"; then
fi
AC_SUBST(IPSET)
-AC_ARG_WITH([nft],
- AS_HELP_STRING([--with-nft], [Path to nft (nftables) executable]),
- [NFT=$withval
- AC_MSG_NOTICE([Using for nft: $NFT])],
- [AC_PATH_PROG([NFT], [nft], [], [$FW_TOOLS_PATH])])
-if test "x$NFT" = "x"; then
- AC_MSG_ERROR([nft was not found in $FW_TOOLS_PATH])
-fi
-AC_SUBST(NFT)
-
#############################################################
AC_SUBST([GETTEXT_PACKAGE], '[PKG_NAME]')
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index df4b9521fd71..afb94b90937f 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -144,20 +144,6 @@
</listitem>
</varlistentry>
- <varlistentry>
- <term><option>FirewallBackend</option></term>
- <listitem>
- <para>
- Selects the firewall backend implementation. Possible values
- are; <replaceable>nftables</replaceable> (default), or
- <replaceable>iptables</replaceable>. This applies to all
- firewalld primitives. The only exception is direct and
- passthrough rules which always use the traditional iptables,
- ip6tables, and ebtables backends.
- </para>
- </listitem>
- </varlistentry>
-
</variablelist>
</refsect1>
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 8352f96cc057..ec82d4cad077 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
@@ -2582,16 +2582,6 @@
</para>
</listitem>
</varlistentry>
- <varlistentry id="FirewallD1.config.Properties.FirewallBackend">
- <term>FirewallBackend - s - (rw)</term>
- <listitem>
- <para>
- Selects the firewalld backend for all rules except the direct
- interface. Valid options are; nftables, iptables. Default in
- nftables.
- </para>
- </listitem>
- </varlistentry>
<varlistentry id="FirewallD1.config.Properties.IPv6_rpfilter">
<term><parameter>IPv6_rpfilter</parameter> - s - (rw)</term>
<listitem><para>Indicates whether the reverse path filter test on a packet for IPv6 is enabled. If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.</para></listitem>
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 955be32077e1..20e4979062d8 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -118,7 +118,6 @@ COMMANDS = {
LOG_DENIED_VALUES = [ "all", "unicast", "broadcast", "multicast", "off" ]
AUTOMATIC_HELPERS_VALUES = [ "yes", "no", "system" ]
-FIREWALL_BACKEND_VALUES = [ "nftables", "iptables" ]
# fallbacks: will be overloaded by firewalld.conf
FALLBACK_ZONE = "public"
@@ -129,4 +128,4 @@ FALLBACK_IPV6_RPFILTER = True
FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
-FALLBACK_FIREWALL_BACKEND = "nftables"
+FALLBACK_FIREWALL_BACKEND = "iptables"
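Review bot: `FALLBACK_FIREWALL_BACKEND` is now the only place the backend is chosen — `FIREWALL_BACKEND_VALUES` is deleted in the hunk above and no `FirewallBackend` key is read anywhere in this patch — so the "fallback" name understates what the constant does. A comment on the new line would spare the next reader a search: `# Only backend available in this build; FirewallBackend is not a firewalld.conf key here`. If `Firewall.__init__` still seeds `_firewall_backend` from this constant (it is not in the patch), that is the path by which iptables gets selected, and the comment is the right place to say so.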
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 9be13a5c1313..abb25f0c3e72 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -293,11 +293,6 @@ class Firewall(object):
log.debug1("AutomaticHelpers is set to '%s'",
self._automatic_helpers)
- if self._firewalld_conf.get("FirewallBackend"):
- self._firewall_backend = self._firewalld_conf.get("FirewallBackend")
- log.debug1("FirewallBackend is set to '%s'",
- self._firewall_backend)
-
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
self._select_firewall_backend(self._firewall_backend)
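Review bot: `self._firewall_backend` is no longer assigned anywhere in this method but is still handed to `_select_firewall_backend()` on the last context line, so its value now comes entirely from wherever the attribute is initialised outside the hunk (presumably `__init__`, from `config.FALLBACK_FIREWALL_BACKEND`). A comment at the call site would make that dependency explicit: `# FirewallBackend is not configurable in this build; use the default set in __init__`. The enclosing method begins and ends outside the hunk.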
diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py
index 4d57bad693c1..9aee2dc6f9b7 100644
--- a/src/firewall/core/io/firewalld_conf.py
+++ b/src/firewall/core/io/firewalld_conf.py
@@ -30,7 +30,7 @@ from firewall.functions import b2u, u2b, PY2
valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls", "LogDenied",
- "AutomaticHelpers", "FirewallBackend" ]
+ "AutomaticHelpers" ]
class firewalld_conf(object):
def __init__(self, filename):
@@ -79,7 +79,6 @@ class firewalld_conf(object):
self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no")
self.set("LogDenied", config.FALLBACK_LOG_DENIED)
self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS)
- self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND)
raise
for line in f:
@@ -175,14 +174,6 @@ class firewalld_conf(object):
config.FALLBACK_AUTOMATIC_HELPERS)
self.set("AutomaticHelpers", str(config.FALLBACK_AUTOMATIC_HELPERS))
- value = self.get("FirewallBackend")
- if not value or value.lower() not in config.FIREWALL_BACKEND_VALUES:
- if value is not None:
- log.warning("FirewallBackend '%s' is not valid, using default "
- "value %s", value if value else '',
- config.FALLBACK_FIREWALL_BACKEND)
- self.set("FirewallBackend", str(config.FALLBACK_FIREWALL_BACKEND))
-
# save to self.filename if there are key/value changes
def write(self):
if len(self._config) < 1:
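Review bot: Deleting the whole validation block means an existing `/etc/firewalld/firewalld.conf` that still carries `FirewallBackend=nftables` from an earlier install is now loaded without any message specific to this change, and the daemon runs iptables regardless of what the operator wrote. Whether the stale key even reaches `self._config` depends on how `read()` treats keys outside `valid_keys` (not shown); if it is dropped or logged as merely "invalid", a one-time warning here would still be cheap: `if self.get("FirewallBackend") is not None: log.warning("FirewallBackend is not supported in this build; ignoring")`. A setting that silently changes meaning across an upgrade is exactly what a firewall daemon should announce in its log. The enclosing method starts outside the hunk.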
diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
index dfc562b537eb..011052a9cabf 100644
--- a/src/firewall/server/config.py
+++ b/src/firewall/server/config.py
@@ -105,7 +105,6 @@ class FirewallDConfig(slip.dbus.service.Object):
"IndividualCalls": "readwrite",
"LogDenied": "readwrite",
"AutomaticHelpers": "readwrite",
- "FirewallBackend": "readwrite",
})
@handle_exceptions
@@ -485,7 +484,7 @@ class FirewallDConfig(slip.dbus.service.Object):
def _get_property(self, prop):
if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers", "FirewallBackend" ]:
+ "LogDenied", "AutomaticHelpers" ]:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
"Property '%s' does not exist" % prop)
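Review bot: The same property list is maintained by hand in `_get_property` here and again in the `GetAll` and `Set` handlers further down, and this commit had to edit every copy in step. A single module-level tuple, e.g. `CONFIG_PROPERTIES = ("DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls", "LogDenied", "AutomaticHelpers")`, referenced from each site would keep future additions or removals from drifting; the access-mode dict near the top of the class could be cross-checked against it as well. The enclosing method continues outside the hunk.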
@@ -526,10 +525,6 @@ class FirewallDConfig(slip.dbus.service.Object):
if value is None:
value = config.FALLBACK_AUTOMATIC_HELPERS
return dbus.String(value)
- elif prop == "FirewallBackend":
- if value is None:
- value = config.FALLBACK_FIREWALL_BACKEND
- return dbus.String(value)
@dbus_handle_exceptions
def _get_dbus_property(self, prop):
@@ -549,8 +544,6 @@ class FirewallDConfig(slip.dbus.service.Object):
return dbus.String(self._get_property(prop))
elif prop == "AutomaticHelpers":
return dbus.String(self._get_property(prop))
- elif prop == "FirewallBackend":
- return dbus.String(self._get_property(prop))
else:
raise dbus.exceptions.DBusException(
"org.freedesktop.DBus.Error.InvalidArgs: "
@@ -590,7 +583,7 @@ class FirewallDConfig(slip.dbus.service.Object):
if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit",
"Lockdown", "IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers", "FirewallBackend" ]:
+ "LogDenied", "AutomaticHelpers" ]:
ret[x] = self._get_property(x)
elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
@@ -616,8 +609,7 @@ class FirewallDConfig(slip.dbus.service.Object):
if interface_name == config.dbus.DBUS_INTERFACE_CONFIG:
if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown",
"IPv6_rpfilter", "IndividualCalls",
- "LogDenied", "AutomaticHelpers",
- "FirewallBackend" ]:
+ "LogDenied", "AutomaticHelpers" ]:
if property_name == "MinimalMark":
try:
int(new_value)
@@ -646,11 +638,6 @@ class FirewallDConfig(slip.dbus.service.Object):
raise FirewallError(errors.INVALID_VALUE,
"'%s' for %s" % \
(new_value, property_name))
- if property_name == "FirewallBackend":
- if new_value not in config.FIREWALL_BACKEND_VALUES:
- raise FirewallError(errors.INVALID_VALUE,
- "'%s' for %s" % \
- (new_value, property_name))
self.config.get_firewalld_conf().set(property_name, new_value)
self.config.get_firewalld_conf().write()
self.PropertiesChanged(interface_name,
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 473210de10af..3887d7ee4a7d 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -5,7 +5,6 @@ DBUS_GETALL([config], [config], 0, [dnl
string "AutomaticHelpers" : variant string "system"
string "CleanupOnExit" : variant string "no"
string "DefaultZone" : variant string "public"
-string "FirewallBackend" : variant string "nftables"
m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl
string "IPv6_rpfilter" : variant string "no"],[dnl
string "IPv6_rpfilter" : variant string "yes"])
@@ -29,7 +28,6 @@ _helper([Lockdown], [string:"yes"], [variant string "yes"])
_helper([LogDenied], [string:"all"], [variant string "all"])
_helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"])
_helper([IndividualCalls], [string:"yes"], [variant string "yes"])
-_helper([FirewallBackend], [string:"iptables"], [variant string "iptables"])
_helper([CleanupOnExit], [string:"yes"], [variant string "yes"])
dnl Note: DefaultZone is RO
m4_undefine([_helper])
diff --git a/src/tests/functions.at b/src/tests/functions.at
index f8ab929118e5..b95324847e5c 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -70,9 +70,6 @@ m4_define([FWD_START_TEST], [
dnl don't unload modules or bother cleaning up, the namespace will be deleted
AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf])
- dnl set the appropriate backend
- AT_CHECK([sed -i 's/^FirewallBackend.*/FirewallBackend=FIREWALL_BACKEND/' ./firewalld.conf])
-
dnl fib matching is pretty new in nftables. Don't use rpfilter on older
dnl kernels.
m4_if(nftables, FIREWALL_BACKEND, [
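Review bot: With `testsuite.at` now iterating `FIREWALL_BACKEND` over `[iptables]` only, the `m4_if(nftables, FIREWALL_BACKEND, [` branch on the last line of this hunk can never be taken; the `HOST_SUPPORTS_NFT_FIB` switch left in `firewalld.conf.at` looks dead for the same reason. Either drop the branch in this commit or leave a one-line `dnl kept for a later nftables re-enable` note so the next reader does not go looking for a second backend. The `FWD_START_TEST` macro continues outside the hunk.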
diff --git a/src/tests/testsuite.at b/src/tests/testsuite.at
index 2943d7460919..68d18c9018b8 100644
--- a/src/tests/testsuite.at
+++ b/src/tests/testsuite.at
@@ -10,7 +10,7 @@ m4_include([functions.at])
m4_include([firewall-offline-cmd.at])
m4_include([dbus.at])
-m4_foreach([FIREWALL_BACKEND], [[nftables], [iptables]], [
+m4_foreach([FIREWALL_BACKEND], [[iptables]], [
m4_include([firewall-cmd.at])
m4_include([regression.at])
m4_include([python.at])
--
2.18.0