From 0e28840f5c3362d032f2f805cbbe6fbbaa217437 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Wed, 27 Oct 2021 13:58:27 -0400
Subject: [PATCH 44/50] fix(io/functions): check_config against on disk conf

Before this change the runtime FirewallConfig() instance was used. This
caused some permanent configuration issues to not be caught due to
comparing against the runtime instances of all objects.

For example, two zones in permanent configuration may use the same
interface (which is not valid), but if the runtime configuration does
not have these interface assignments then check_config() won't
catch the issue since it compares against the runtime configuration.

Fix is to build a temporary FirewallConfig() instance for all the
on-disk/permanent configuration.

(cherry picked from commit 35d4facc8962cd1b66bc245fe03f658d491e1061)
(cherry picked from commit 55a799e872dc88b1341a6bc38af33e77dfedb72f)
---
 src/firewall/core/io/functions.py | 47 ++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 13 deletions(-)

diff --git a/src/firewall/core/io/functions.py b/src/firewall/core/io/functions.py
index 0c7b1886426c..35a7eaf8dec8 100644
--- a/src/firewall/core/io/functions.py
+++ b/src/firewall/core/io/functions.py
@@ -24,6 +24,7 @@ import os
 from firewall import config
 from firewall.errors import FirewallError
 
+from firewall.core.fw_config import FirewallConfig
 from firewall.core.io.zone import zone_reader
 from firewall.core.io.service import service_reader
 from firewall.core.io.ipset import ipset_reader
@@ -34,26 +35,46 @@ from firewall.core.io.direct import Direct
 from firewall.core.io.lockdown_whitelist import LockdownWhitelist
 from firewall.core.io.firewalld_conf import firewalld_conf
 
-def check_config(fw=None):
+def check_config(fw):
+    fw_config = FirewallConfig(fw)
     readers = {
-        "ipset" : (ipset_reader, [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS]),
-        "helper" : (helper_reader, [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS]),
-        "icmptype" : (icmptype_reader, [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES]),
-        "service" : (service_reader, [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES]),
-        "zone" : (zone_reader, [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES]),
-        "policy" : (policy_reader, [config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES]),
+        "ipset":    {"reader": ipset_reader,
+                     "add": fw_config.add_ipset,
+                     "dirs": [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS],
+                    },
+        "helper":   {"reader": helper_reader,
+                     "add": fw_config.add_helper,
+                     "dirs": [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS],
+                    },
+        "icmptype": {"reader": icmptype_reader,
+                     "add": fw_config.add_icmptype,
+                     "dirs": [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES],
+                    },
+        "service":  {"reader": service_reader,
+                     "add": fw_config.add_service,
+                     "dirs": [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES],
+                    },
+        "zone":     {"reader": zone_reader,
+                     "add": fw_config.add_zone,
+                     "dirs": [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES],
+                    },
+        "policy":   {"reader": policy_reader,
+                     "add": fw_config.add_policy_object,
+                     "dirs": [config.FIREWALLD_POLICIES, config.ETC_FIREWALLD_POLICIES],
+                    },
     }
     for reader in readers.keys():
-        for dir in readers[reader][1]:
-            if not os.path.isdir(dir):
+        for _dir in readers[reader]["dirs"]:
+            if not os.path.isdir(_dir):
                 continue
-            for file in sorted(os.listdir(dir)):
+            for file in sorted(os.listdir(_dir)):
                 if file.endswith(".xml"):
                     try:
-                        obj = readers[reader][0](file, dir)
-                        if fw and reader in ["zone", "policy"]:
-                            obj.fw_config = fw.config
+                        obj = readers[reader]["reader"](file, _dir)
+                        if reader in ["zone", "policy"]:
+                            obj.fw_config = fw_config
                         obj.check_config(obj.export_config())
+                        readers[reader]["add"](obj)
                     except FirewallError as error:
                         raise FirewallError(error.code, "'%s': %s" % (file, error.msg))
                     except Exception as msg:
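Review bot: check_config still has no docstring, and the new body changes its contract in two ways the signature does not show — `fw` is now mandatory, and every object that passes its own check is added to a throwaway `FirewallConfig(fw)` so that later objects (zones and policies, via `obj.fw_config = fw_config`) are validated against the on-disk set rather than the runtime one. I would add a docstring directly under `def check_config(fw):` saying roughly: validate every XML object under the builtin and /etc directories, building a temporary FirewallConfig from the validated objects so cross-object checks (such as an interface bound to two zones) see the permanent configuration; any FirewallError is re-raised with the offending filename prefixed. One thing I cannot tell from the hunk: when the same name exists in both a FIREWALLD_* and an ETC_FIREWALLD_* directory, the second `readers[reader]["add"](obj)` call either replaces or rejects the builtin entry depending on the add_* semantics in FirewallConfig, and only the replace case avoids validating the /etc override against its own shadowed builtin copy — a comment next to the `"dirs"` lists confirming which it is would help. Minor style: `for reader in readers.keys():` with the repeated `readers[reader][...]` lookups reads better as `for reader, spec in readers.items():`. check_config's body continues past the hunk, so the `except Exception as msg:` handler at its end is not reviewable here.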
-- 
2.27.0