From 4d099f4c0866801e40e362090e6986c693386e2c Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Thu, 27 Aug 2020 15:30:45 -0400
Subject: [PATCH 50/62] fix(icmptype): when applying rules get ict from perm
 config

Otherwise we may get runtime errors because the running kernel doesn't
support the ict. Use the permanent ict definition so we allow the case
where ip6tables is missing or not available. Explicit usage of an ict
not supported by the kernel will still fail to apply at runtime
(iptables complains), but if ip6tables is missing we don't attempt to
apply the ipv6 rules thus avoiding the issue.

(cherry picked from commit fdc44800aef4ec166987d529ffaea51f13ff54c2)
(cherry picked from commit 0016ec8e4aefb6cf2a8986a91530eae25a28ead7)
---
 src/firewall/core/fw_zone.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index b9fe1f6aae97..9d8bcf620251 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -1526,7 +1526,7 @@ class FirewallZone(object):
         if rule.family:
             ipvs = [ rule.family ]
         elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)):
-            ict = self._fw.icmptype.get_icmptype(rule.element.name)
+            ict = self._fw.config.get_icmptype(rule.element.name)
             if ict.destination:
                 ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination]
 
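Review bot: Nothing at the new `self._fw.config.get_icmptype(rule.element.name)` call says why a runtime rule path reads the permanent configuration. The same unexplained switch recurs in the ICMP block/type branch of the second hunk and in `_icmp_block` in the third. A comment at each site, such as `# permanent definition on purpose: the runtime lookup can fail for icmptypes the running kernel does not support`, would keep a later cleanup from reverting it to `self._fw.icmptype`. The enclosing method starts and ends outside this hunk, so where `ipvs` is consumed is not visible here.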
@@ -1698,7 +1698,7 @@ class FirewallZone(object):
             # ICMP BLOCK and ICMP TYPE
             elif type(rule.element) == Rich_IcmpBlock or \
                  type(rule.element) == Rich_IcmpType:
-                ict = self._fw.icmptype.get_icmptype(rule.element.name)
+                ict = self._fw.config.get_icmptype(rule.element.name)
 
                 if type(rule.element) == Rich_IcmpBlock and \
                    rule.action and type(rule.action) == Rich_Accept:
@@ -1862,7 +1862,7 @@ class FirewallZone(object):
         transaction.add_rules(backend, rules)
 
     def _icmp_block(self, enable, zone, icmp, transaction):
-        ict = self._fw.icmptype.get_icmptype(icmp)
+        ict = self._fw.config.get_icmptype(icmp)
 
         if enable:
             transaction.add_chain(zone, "filter", "INPUT")
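Review bot: `_icmp_block` serves both directions (`if enable:` follows the lookup), so the disable path now builds its rules from the permanent icmptype definition as it stands at removal time, not as it stood when the block was added. If that definition was edited or deleted in the permanent config in between without a reload, the lookup may raise or the generated rules may not match the installed ones, which would presumably leave the earlier block rule in place. Consider handling the disable case explicitly, for example by falling back to `self._fw.icmptype.get_icmptype(icmp)` when the permanent lookup fails, or by documenting that icmptype edits need a reload before blocks are removed. The rest of the method is outside the hunk, so how the rules are derived from `ict` cannot be confirmed from here.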
-- 
2.28.0