From 00d0183d97e6d5d596b74af3273b1c6a6fa1bb99 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: May 18 2021 06:38:19 +0000 Subject: import firewalld-0.8.2-6.el8 --- diff --git a/SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch b/SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch new file mode 100644 index 0000000..4c1e8c1 --- /dev/null +++ b/SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch @@ -0,0 +1,29 @@ +From 2a1a55209a95c5463e07cc3eb048d128ab7593ed Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 10 Aug 2020 09:29:05 -0400 +Subject: [PATCH 48/62] test(regression/rhbz1541077): use FWD_OFFLINE_CHECK + macro + +Fixes: 6e279ef6517a ("test(regression/rhbz1541077): correctly use macros") +Fixes: dddba7b9c276 ("fix(cli): add ipset type hash:mac is incompatible with the family parameter") +(cherry picked from commit fae16b550ed8b384ee24691e6442b7cbd6b776aa) +(cherry picked from commit 3efe0f30d4499763aacc573dc634b52ceb11a017) +--- + src/tests/regression/rhbz1541077.at | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at +index 692ca8ecc892..73ad4b49cb3d 100644 +--- a/src/tests/regression/rhbz1541077.at ++++ b/src/tests/regression/rhbz1541077.at +@@ -4,6 +4,6 @@ AT_KEYWORDS(ipset rhbz1541077) + FWD_CHECK([--permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) + FWD_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) + +-AT_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) ++FWD_OFFLINE_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) + + FWD_END_TEST +-- +2.28.0 + diff --git a/SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch b/SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch new file mode 100644 index 0000000..41f7cb1 --- /dev/null +++ b/SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch @@ -0,0 +1,30 @@ +From 5326d7a86d6e7413dee343b795a352d8b4e6ab0d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 10 Aug 2020 09:33:22 -0400 +Subject: [PATCH 49/62] test(regression/rhbz1855140.at): avoid IPv6 tests if + IPv6 not available + +Fixes: 87ec14dddd74 ("test(rich): icmptypes with one family") +(cherry picked from commit a47819d346fbd0f4d4d382a6a795c76c7f443a3b) +(cherry picked from commit 1b4fea7277c26026ecbe09f79928c794489424b9) +--- + src/tests/regression/rhbz1855140.at | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at +index 8059e29fe71a..cea943e0bf24 100644 +--- a/src/tests/regression/rhbz1855140.at ++++ b/src/tests/regression/rhbz1855140.at +@@ -2,7 +2,9 @@ FWD_START_TEST([rich rule icmptypes with one family]) + AT_KEYWORDS(rich icmp rhbz1855140) + + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore) ++IF_HOST_SUPPORTS_IPV6_RULES([ + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore) ++]) + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore) + FWD_RELOAD + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl +-- +2.28.0 + diff --git a/SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch b/SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch new file mode 100644 index 0000000..f0d495e --- /dev/null +++ b/SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch @@ -0,0 +1,53 @@ +From 4d099f4c0866801e40e362090e6986c693386e2c Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 27 Aug 2020 15:30:45 -0400 +Subject: [PATCH 50/62] fix(icmptype): when applying rules get ict from perm + config + +Otherwise we may get runtime errors because the running kernel doesn't +support the ict. Use the permanent ict definition so we allow the case +where ip6tables is missing or not available. Explicit usage of an ict +not supported by the kernel will still fail to apply at runtime +(iptables complains), but if ip6tables is missing we don't attempt to +apply the ipv6 rules thus avoiding the issue. + +(cherry picked from commit fdc44800aef4ec166987d529ffaea51f13ff54c2) +(cherry picked from commit 0016ec8e4aefb6cf2a8986a91530eae25a28ead7) +--- + src/firewall/core/fw_zone.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index b9fe1f6aae97..9d8bcf620251 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1526,7 +1526,7 @@ class FirewallZone(object): + if rule.family: + ipvs = [ rule.family ] + elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)): +- ict = self._fw.icmptype.get_icmptype(rule.element.name) ++ ict = self._fw.config.get_icmptype(rule.element.name) + if ict.destination: + ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination] + +@@ -1698,7 +1698,7 @@ class FirewallZone(object): + # ICMP BLOCK and ICMP TYPE + elif type(rule.element) == Rich_IcmpBlock or \ + type(rule.element) == Rich_IcmpType: +- ict = self._fw.icmptype.get_icmptype(rule.element.name) ++ ict = self._fw.config.get_icmptype(rule.element.name) + + if type(rule.element) == Rich_IcmpBlock and \ + rule.action and type(rule.action) == Rich_Accept: +@@ -1862,7 +1862,7 @@ class FirewallZone(object): + transaction.add_rules(backend, rules) + + def _icmp_block(self, enable, zone, icmp, transaction): +- ict = self._fw.icmptype.get_icmptype(icmp) ++ ict = self._fw.config.get_icmptype(icmp) + + if enable: + transaction.add_chain(zone, "filter", "INPUT") +-- +2.28.0 + diff --git a/SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch b/SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch new file mode 100644 index 0000000..8d686b1 --- /dev/null +++ b/SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch @@ -0,0 +1,50 @@ +From 0b69b4e464f02ea6fec50522b587a93092040b4d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 27 Aug 2020 15:59:13 -0400 +Subject: [PATCH 51/62] fix(rich): clamp the IP families to those actually + enabled + +One scenario is if IPv6 is not available, but we specify an icmp-type +that is ipv6 only, then we'll still attempt to call the IPv6 backend. We +should not do that. + +(cherry picked from commit 4fcb27bdcf8be30d91d490ba2c0286af1cf299de) +(cherry picked from commit b8b0aeaaf853546f6990e8f635d7ea79233bbc79) +--- + src/firewall/core/fw_zone.py | 5 ++++- + src/tests/regression/rhbz1855140.at | 2 -- + 2 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index 9d8bcf620251..bd026222dce5 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1542,7 +1542,10 @@ class FirewallZone(object): + ipvs = [ source_ipv ] + + if not ipvs: +- ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)] ++ ipvs = ["ipv4", "ipv6"] ++ ++ # clamp ipvs to those that are actually enabled. ++ ipvs = [ipv for ipv in ipvs if self._fw.is_ipv_enabled(ipv)] + + # add an element to object to allow backends to know what ipvs this applies to + rule.ipvs = ipvs +diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at +index cea943e0bf24..8059e29fe71a 100644 +--- a/src/tests/regression/rhbz1855140.at ++++ b/src/tests/regression/rhbz1855140.at +@@ -2,9 +2,7 @@ FWD_START_TEST([rich rule icmptypes with one family]) + AT_KEYWORDS(rich icmp rhbz1855140) + + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore) +-IF_HOST_SUPPORTS_IPV6_RULES([ + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore) +-]) + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore) + FWD_RELOAD + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl +-- +2.28.0 + diff --git a/SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch b/SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch new file mode 100644 index 0000000..e60c327 --- /dev/null +++ b/SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch @@ -0,0 +1,62 @@ +From 5c18dbc41a2f59364fb495ef164dcc3c9147e408 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 28 Aug 2020 11:44:33 -0400 +Subject: [PATCH 52/62] fix(rich icmptype): verify rule and icmptype families + don't conflict + +Fixes: rhbz 1855140 +(cherry picked from commit 11aac7755d9c8e338f72b5350329255937efd8e8) +(cherry picked from commit b49a88095b05bcf1bce36e989d7003948f1ee6f7) +--- + src/firewall/core/fw_zone.py | 6 ++++++ + src/firewall/core/io/zone.py | 17 ++++++++++++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index bd026222dce5..129306b6f969 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1703,6 +1703,12 @@ class FirewallZone(object): + type(rule.element) == Rich_IcmpType: + ict = self._fw.config.get_icmptype(rule.element.name) + ++ if rule.family and ict.destination and \ ++ rule.family not in ict.destination: ++ raise FirewallError(errors.INVALID_ICMPTYPE, ++ "rich rule family '%s' conflicts with icmp type '%s'" % \ ++ (rule.family, rule.element.name)) ++ + if type(rule.element) == Rich_IcmpBlock and \ + rule.action and type(rule.action) == Rich_Accept: + # icmp block might have reject or drop action, but not accept +diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py +index 68b2a7c9567c..529b92c25b62 100644 +--- a/src/firewall/core/io/zone.py ++++ b/src/firewall/core/io/zone.py +@@ -232,7 +232,22 @@ class Zone(IO_Object): + raise FirewallError(errors.INVALID_ADDR, source) + elif item == "rules_str": + for rule in config: +- rich.Rich_Rule(rule_str=rule) ++ obj_rich = rich.Rich_Rule(rule_str=rule) ++ if self.fw_config and obj_rich.element and (isinstance(obj_rich.element, rich.Rich_IcmpBlock) or ++ isinstance(obj_rich.element, rich.Rich_IcmpType)): ++ existing_icmptypes = self.fw_config.get_icmptypes() ++ if obj_rich.element.name not in existing_icmptypes: ++ raise FirewallError(errors.INVALID_ICMPTYPE, ++ "'%s' not among existing icmp types" % \ ++ obj_rich.element.name) ++ ++ elif obj_rich.family: ++ ict = self.fw_config.get_icmptype(obj_rich.element.name) ++ if ict.destination and obj_rich.family not in ict.destination: ++ raise FirewallError(errors.INVALID_ICMPTYPE, ++ "rich rule family '%s' conflicts with icmp type '%s'" % \ ++ (obj_rich.family, obj_rich.element.name)) ++ + + def check_name(self, name): + super(Zone, self).check_name(name) +-- +2.28.0 + diff --git a/SOURCES/0053-fix-nftables-packet-marks-with-masks.patch b/SOURCES/0053-fix-nftables-packet-marks-with-masks.patch new file mode 100644 index 0000000..e743640 --- /dev/null +++ b/SOURCES/0053-fix-nftables-packet-marks-with-masks.patch @@ -0,0 +1,48 @@ +From 08cb6f0c7abca95fa898020bb9f3ba3f4bfbf148 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 28 Aug 2020 13:15:34 -0400 +Subject: [PATCH 53/62] fix(nftables): packet marks with masks + +(cherry picked from commit e296b926ae5dc4cbc277b6dd755d045e73ed4411) +(cherry picked from commit 371efe757f2bde20b4301a78ed3c48ec1d31bf5e) +--- + src/firewall/core/fw_zone.py | 2 ++ + src/firewall/core/nftables.py | 9 +++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index 129306b6f969..6eaed4232405 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1719,6 +1719,8 @@ class FirewallZone(object): + if enable: + transaction.add_chain(zone, table, "INPUT") + transaction.add_chain(zone, table, "FORWARD_IN") ++ if enable and type(rule.action) == Rich_Mark: ++ transaction.add_chain(zone, "mangle", "PREROUTING") + + rules = backend.build_zone_icmp_block_rules(enable, zone, ict, rule) + transaction.add_rules(backend, rules) +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 0198200b2372..76668a60468f 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1043,8 +1043,13 @@ class nftables(object): + zone=zone) + table = "mangle" + chain = "%s_%s_%s" % (table, target, chain_suffix) +- rule_action = {"mangle": {"key": {"meta": {"key": "mark"}}, +- "value": rich_rule.action.set}} ++ value = rich_rule.action.set.split("/") ++ if len(value) > 1: ++ rule_action = {"mangle": {"key": {"meta": {"key": "mark"}}, ++ "value": {"^": [{"&": [{"meta": {"key": "mark"}}, value[1]]}, value[0]]}}} ++ else: ++ rule_action = {"mangle": {"key": {"meta": {"key": "mark"}}, ++ "value": value[0]}} + else: + raise FirewallError(INVALID_RULE, + "Unknown action %s" % type(rich_rule.action)) +-- +2.28.0 + diff --git a/SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch b/SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch new file mode 100644 index 0000000..e155098 --- /dev/null +++ b/SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch @@ -0,0 +1,27 @@ +From 603ca9c2dd16f212a8b2fb43a9e9599fe3dd3abf Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 28 Aug 2020 14:22:18 -0400 +Subject: [PATCH 54/62] fix(nftables): icmp types with code == 0 + +(cherry picked from commit 098e35168d6a15516cc76189a70df8db56bd1b13) +(cherry picked from commit 8dcfaa607329cd4c2bdaa3b101371a30a04ef858) +--- + src/firewall/core/nftables.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 76668a60468f..daa7ace085a2 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -82,7 +82,7 @@ def _icmp_types_fragments(protocol, type, code=None): + fragments = [{"match": {"left": {"payload": {"protocol": protocol, "field": "type"}}, + "op": "==", + "right": type}}] +- if code: ++ if code is not None: + fragments.append({"match": {"left": {"payload": {"protocol": protocol, "field": "code"}}, + "op": "==", + "right": code}}) +-- +2.28.0 + diff --git a/SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch b/SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch new file mode 100644 index 0000000..fbfab5b --- /dev/null +++ b/SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch @@ -0,0 +1,35 @@ +From d4f35b11f2edb1cf680ed2081a14b599ef3f3b63 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 31 Aug 2020 15:38:34 -0400 +Subject: [PATCH 55/62] fix(ipXtables): rich: avoid duplicate rules for + icmp-type w/ mark action + +This is a stable only fix. It does not occur on master. + +(cherry picked from commit 9b7ba2fcedace408aae498fea1c973a988370808) +--- + src/firewall/core/ipXtables.py | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py +index b1d6c202fda7..c4535f2e5818 100644 +--- a/src/firewall/core/ipXtables.py ++++ b/src/firewall/core/ipXtables.py +@@ -1240,8 +1240,13 @@ class ip4tables(object): + proto = [ "-p", "ipv6-icmp" ] + match = [ "-m", "icmp6", "--icmpv6-type", ict.name ] + ++ if rich_rule and rich_rule.action and isinstance(rich_rule.action, Rich_Mark): ++ chains = ["PREROUTING"] ++ else: ++ chains = ["INPUT", "FORWARD_IN"] ++ + rules = [] +- for chain in ["INPUT", "FORWARD_IN"]: ++ for chain in chains: + target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], + zone=zone) + if self._fw.zone.query_icmp_block_inversion(zone): +-- +2.28.0 + diff --git a/SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch b/SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch new file mode 100644 index 0000000..19d348c --- /dev/null +++ b/SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch @@ -0,0 +1,66 @@ +From 08cc79942e820d9ce86c5c0bd0249ec4335955ce Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 28 Aug 2020 10:48:35 -0400 +Subject: [PATCH 56/62] test(regression/rhbz1855140): add negative tests + +(cherry picked from commit b50032185422f5538a8a6211cfa43cfaa2d67ec4) +(cherry picked from commit 264375df35124b5920b9d3e690944aaad1e4790c) +--- + src/tests/regression/rhbz1855140.at | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at +index 8059e29fe71a..fbb33a419c56 100644 +--- a/src/tests/regression/rhbz1855140.at ++++ b/src/tests/regression/rhbz1855140.at +@@ -4,7 +4,15 @@ AT_KEYWORDS(rich icmp rhbz1855140) + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore) + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore) + FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore) ++FWD_CHECK([--permanent --zone public --add-rich-rule 'rule icmp-type name=bad-header mark set=0x86/0x86'], 0, ignore) + FWD_RELOAD ++NFT_LIST_RULES([inet], [mangle_PRE_public_allow], 0, [dnl ++ table inet firewalld { ++ chain mangle_PRE_public_allow { ++ icmpv6 type parameter-problem icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086 ++ } ++ } ++]) + NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + table inet firewalld { + chain filter_IN_public_allow { +@@ -18,12 +26,17 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl + } + } + ]) ++IPTABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl ++]) + IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED + ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 + ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13 + ]) ++IP6TABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl ++ MARK icmpv6 ::/0 ::/0 ipv6-icmptype 4 code 0 MARK or 0x86 ++]) + IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED + ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED +@@ -32,4 +45,12 @@ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl + ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136 + ]) + +-FWD_END_TEST ++dnl verify bad icmptypes are rejected ++FWD_CHECK([--permanent --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore]) ++FWD_CHECK([ --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore]) ++FWD_CHECK([--permanent --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore]) ++IF_HOST_SUPPORTS_IPV6_RULES([ ++FWD_CHECK([ --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore]) ++]) ++ ++FWD_END_TEST([-e '/ERROR: INVALID_ICMPTYPE:/d']) +-- +2.28.0 + diff --git a/SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch b/SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch new file mode 100644 index 0000000..8f73132 --- /dev/null +++ b/SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch @@ -0,0 +1,80 @@ +From 0f94133731fa497b04744fa4a37cfa5fd5e45fab Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 26 Aug 2020 11:38:36 -0400 +Subject: [PATCH 57/62] fix(policy): cache rule_str for rich rules + +There are various areas that we use list comprehensions to convert +Rich_Rule to rule_str. This isn't cheap. Let's just cache the rule_str +and avoid the cost. + +Fixes: rhbz 1871298 +(cherry picked from commit 5402724221a3dddc9c139663d28ababed4057cc6) +(cherry picked from commit 763b07972fd80e7b2f28b29efe812b92f6dff1d1) +--- + src/firewall/core/io/zone.py | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py +index 529b92c25b62..ec81762be100 100644 +--- a/src/firewall/core/io/zone.py ++++ b/src/firewall/core/io/zone.py +@@ -120,6 +120,7 @@ class Zone(IO_Object): + self.sources = [ ] + self.fw_config = None # to be able to check services and a icmp_blocks + self.rules = [ ] ++ self.rules_str = [ ] + self.icmp_block_inversion = False + self.combined = False + self.applied = False +@@ -141,6 +142,7 @@ class Zone(IO_Object): + del self.sources[:] + self.fw_config = None # to be able to check services and a icmp_blocks + del self.rules[:] ++ del self.rules_str[:] + self.icmp_block_inversion = False + self.combined = False + self.applied = False +@@ -163,17 +165,13 @@ class Zone(IO_Object): + self.interfaces = [u2b_if_py2(i) for i in self.interfaces] + self.sources = [u2b_if_py2(s) for s in self.sources] + self.rules = [u2b_if_py2(s) for s in self.rules] +- +- def __getattr__(self, name): +- if name == "rules_str": +- rules_str = [str(rule) for rule in self.rules] +- return rules_str +- else: +- return getattr(super(Zone, self), name) ++ self.rules_str = [u2b_if_py2(s) for s in self.rules_str] + + def __setattr__(self, name, value): + if name == "rules_str": + self.rules = [rich.Rich_Rule(rule_str=s) for s in value] ++ # must convert back to string to get the canonical string. ++ super(Zone, self).__setattr__(name, [str(s) for s in self.rules]) + else: + super(Zone, self).__setattr__(name, value) + +@@ -307,6 +305,7 @@ class Zone(IO_Object): + self.source_ports.append(port) + for rule in zone.rules: + self.rules.append(rule) ++ self.rules_str.append(str(rule)) + if zone.icmp_block_inversion: + self.icmp_block_inversion = True + +@@ -687,9 +686,9 @@ class zone_ContentHandler(IO_Object_ContentHandler): + except Exception as e: + log.warning("%s: %s", e, str(self._rule)) + else: +- if str(self._rule) not in \ +- [ str(x) for x in self.item.rules ]: ++ if str(self._rule) not in self.item.rules_str: + self.item.rules.append(self._rule) ++ self.item.rules_str.append(str(self._rule)) + else: + log.warning("Rule '%s' already set, ignoring.", + str(self._rule)) +-- +2.28.0 + diff --git a/SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch b/SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch new file mode 100644 index 0000000..38e6d81 --- /dev/null +++ b/SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch @@ -0,0 +1,55 @@ +From ed42b8048e97040802da727f77cad4a1bb5ff42b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 26 Aug 2020 14:28:45 -0400 +Subject: [PATCH 58/62] test(zone): rich rule parsing bottleneck + +Coverage for rhbz 1871298. +Verify we can parse a large amount of rich rules in a reasonable time. + +This test took 3m before the fix and now takes 18s after the fix. +Considering it "failed" after 45s should give us plenty of headroom. + +(cherry picked from commit ece30971412eedb9032b0d87233ca21ef9154830) +(cherry picked from commit b21f071851ffec6d3a382b6e60eb88dcda7df467) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1871298.at | 18 ++++++++++++++++++ + 2 files changed, 19 insertions(+) + create mode 100644 src/tests/regression/rhbz1871298.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index d7b4d56239d1..65540840f50e 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -34,3 +34,4 @@ m4_include([regression/rhbz1689429.at]) + m4_include([regression/rhbz1483921.at]) + m4_include([regression/rhbz1541077.at]) + m4_include([regression/rhbz1855140.at]) ++m4_include([regression/rhbz1871298.at]) +diff --git a/src/tests/regression/rhbz1871298.at b/src/tests/regression/rhbz1871298.at +new file mode 100644 +index 000000000000..0689399d85ec +--- /dev/null ++++ b/src/tests/regression/rhbz1871298.at +@@ -0,0 +1,18 @@ ++FWD_START_TEST([rich rule parsing bottleneck]) ++AT_KEYWORDS(rich offline rhbz1871298) ++ ++AT_SKIP_IF([! NS_CMD([which timeout >/dev/null 2>&1])]) ++ ++NS_CHECK([mkdir -p ./zones]) ++NS_CHECK([echo '' > ./zones/foobar.xml]) ++NS_CHECK([echo "" >> ./zones/foobar.xml]) ++NS_CHECK([echo "foobar" >> ./zones/foobar.xml]) ++NS_CHECK([sh -c 'for I in $(seq 10000); do echo "" >> ./zones/foobar.xml; done']) ++NS_CHECK([echo "" >> ./zones/foobar.xml]) ++ ++if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then ++ FIREWALL_OFFLINE_CMD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}" ++fi ++NS_CHECK([timeout 45 firewall-offline-cmd --system-config ./ $FIREWALL_OFFLINE_CMD_ARGS --check-config], 0, [ignore]) ++ ++FWD_END_TEST +-- +2.28.0 + diff --git a/SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch b/SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch new file mode 100644 index 0000000..8a0d031 --- /dev/null +++ b/SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch @@ -0,0 +1,158 @@ +From 244d1bfe190f2cc32c10d0fecaf81536761ecc09 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 1 Sep 2020 13:16:23 -0400 +Subject: [PATCH 59/62] fix(icmptype): nftables: runtimeToPermanent if + ip6tables not available + +We were not filling the runtime ipv6 icmptypes list if the active +backend was nftables and ip6tables wasn't available. This caused "ipv6" +to be dropped from the supported ipvs/destinations for the icmptype. +This also caused runtimeToPermanent to fail because the runtime +icmptypes definition dropped "ipv6" causing runtimeToPermanent to copy +the runtime icmptype to permanent because they were different... this +caused sanity checks on the permanent configuration to fail. + +(cherry picked from commit c92d43dcdf5622e82e28454652acd6a981b015f9) +(cherry picked from commit 6f23f727be818f356625e39682fb226a81925647) +--- + src/firewall/core/fw.py | 24 ++++++++++++++---------- + src/firewall/core/fw_icmptype.py | 8 ++++---- + src/firewall/core/ipXtables.py | 2 +- + src/firewall/core/nftables.py | 6 +++--- + src/firewall/server/firewalld.py | 4 ++-- + 5 files changed, 24 insertions(+), 20 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index c767f416f3d2..1df916efb10f 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -76,10 +76,10 @@ class Firewall(object): + else: + self.ip4tables_backend = ipXtables.ip4tables(self) + self.ip4tables_enabled = True +- self.ip4tables_supported_icmp_types = [ ] ++ self.ipv4_supported_icmp_types = [ ] + self.ip6tables_backend = ipXtables.ip6tables(self) + self.ip6tables_enabled = True +- self.ip6tables_supported_icmp_types = [ ] ++ self.ipv6_supported_icmp_types = [ ] + self.ebtables_backend = ebtables.ebtables() + self.ebtables_enabled = True + self.ipset_backend = ipset.ipset() +@@ -172,11 +172,13 @@ class Firewall(object): + log.warning("iptables-restore and iptables are missing, " + "disabling IPv4 firewall.") + self.ip4tables_enabled = False +- if self.ip4tables_enabled: +- self.ip4tables_supported_icmp_types = \ +- self.ip4tables_backend.supported_icmp_types() ++ if self.nftables_enabled: ++ self.ipv4_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv4") + else: +- self.ip4tables_supported_icmp_types = [ ] ++ if self.ip4tables_enabled: ++ self.ipv4_supported_icmp_types = self.ip4tables_backend.supported_icmp_types() ++ else: ++ self.ipv4_supported_icmp_types = [ ] + self.ip6tables_backend.fill_exists() + if not self.ip6tables_backend.restore_command_exists: + if self.ip6tables_backend.command_exists: +@@ -186,11 +188,13 @@ class Firewall(object): + log.warning("ip6tables-restore and ip6tables are missing, " + "disabling IPv6 firewall.") + self.ip6tables_enabled = False +- if self.ip6tables_enabled: +- self.ip6tables_supported_icmp_types = \ +- self.ip6tables_backend.supported_icmp_types() ++ if self.nftables_enabled: ++ self.ipv6_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv6") + else: +- self.ip6tables_supported_icmp_types = [ ] ++ if self.ip6tables_enabled: ++ self.ipv6_supported_icmp_types = self.ip6tables_backend.supported_icmp_types() ++ else: ++ self.ipv6_supported_icmp_types = [ ] + self.ebtables_backend.fill_exists() + if not self.ebtables_backend.restore_command_exists: + if self.ebtables_backend.command_exists: +diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py +index afe9f91d6bf6..a565bb6d8733 100644 +--- a/src/firewall/core/fw_icmptype.py ++++ b/src/firewall/core/fw_icmptype.py +@@ -57,13 +57,13 @@ class FirewallIcmpType(object): + ipvs = orig_ipvs[:] + for ipv in orig_ipvs: + if ipv == "ipv4": +- if not self._fw.ip4tables_enabled: ++ if not self._fw.ip4tables_enabled and not self._fw.nftables_enabled: + continue +- supported_icmps = self._fw.ip4tables_supported_icmp_types ++ supported_icmps = self._fw.ipv4_supported_icmp_types + elif ipv == "ipv6": +- if not self._fw.ip6tables_enabled: ++ if not self._fw.ip6tables_enabled and not self._fw.nftables_enabled: + continue +- supported_icmps = self._fw.ip6tables_supported_icmp_types ++ supported_icmps = self._fw.ipv6_supported_icmp_types + else: + supported_icmps = [ ] + if obj.name.lower() not in supported_icmps: +diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py +index c4535f2e5818..450e427c08b5 100644 +--- a/src/firewall/core/ipXtables.py ++++ b/src/firewall/core/ipXtables.py +@@ -612,7 +612,7 @@ class ip4tables(object): + rules.append(["-t", table, "-P", chain, _policy]) + return rules + +- def supported_icmp_types(self): ++ def supported_icmp_types(self, ipv=None): + """Return ICMP types that are supported by the iptables/ip6tables command and kernel""" + ret = [ ] + output = "" +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index daa7ace085a2..0a73c2c2669d 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -480,13 +480,13 @@ class nftables(object): + + return rules + +- def supported_icmp_types(self): ++ def supported_icmp_types(self, ipv=None): + # nftables supports any icmp_type via arbitrary type/code matching. + # We just need a translation for it in ICMP_TYPES_FRAGMENTS. + supported = set() + +- for ipv in ICMP_TYPES_FRAGMENTS.keys(): +- supported.update(ICMP_TYPES_FRAGMENTS[ipv].keys()) ++ for _ipv in [ipv] if ipv else ICMP_TYPES_FRAGMENTS.keys(): ++ supported.update(ICMP_TYPES_FRAGMENTS[_ipv].keys()) + + return list(supported) + +diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py +index 10b085d48660..949f577053cc 100644 +--- a/src/firewall/server/firewalld.py ++++ b/src/firewall/server/firewalld.py +@@ -162,7 +162,7 @@ class FirewallD(slip.dbus.service.Object): + return dbus.Boolean(self.fw.ip4tables_enabled) + + elif prop == "IPv4ICMPTypes": +- return dbus.Array(self.fw.ip4tables_supported_icmp_types, "s") ++ return dbus.Array(self.fw.ipv4_supported_icmp_types, "s") + + elif prop == "IPv6": + return dbus.Boolean(self.fw.ip6tables_enabled) +@@ -171,7 +171,7 @@ class FirewallD(slip.dbus.service.Object): + return dbus.Boolean(self.fw.ipv6_rpfilter_enabled) + + elif prop == "IPv6ICMPTypes": +- return dbus.Array(self.fw.ip6tables_supported_icmp_types, "s") ++ return dbus.Array(self.fw.ipv6_supported_icmp_types, "s") + + elif prop == "BRIDGE": + return dbus.Boolean(self.fw.ebtables_enabled) +-- +2.28.0 + diff --git a/SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch b/SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch new file mode 100644 index 0000000..27f1bea --- /dev/null +++ b/SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch @@ -0,0 +1,29 @@ +From 8a520d8343ab1567f0f3df39e4fc45dbaf9c6f77 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 24 Sep 2020 15:24:41 -0400 +Subject: [PATCH 60/62] docs(firewall-cmd): clarify lockdown whitelist command + paths + +Reported-by: D. Hugh Redelmeier +(cherry picked from commit a7b12b8eb87dd3bd2bb342cf5d74bf089cf3b9a6) +(cherry picked from commit 7e9b1a02cc7aa12f9c499b2acad584dbabf9a518) +--- + doc/xml/firewall-cmd.xml.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in +index 8bc389acae6c..702c549ab9d9 100644 +--- a/doc/xml/firewall-cmd.xml.in ++++ b/doc/xml/firewall-cmd.xml.in +@@ -2104,7 +2104,7 @@ For interfaces that are not under control of NetworkManager, firewalld tries to + If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match. + + +- Commands for user root and others is not always the same. Example: As root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd is be used on Fedora. ++ Command paths for users are not always the same and depends on the users PATH. Some distributions symlink /bin to /usr/bin in which case it depends on the order they appear in the PATH environment variable. + + + The context is the security (SELinux) context of a running application or service. To get the context of a running application use ps -e --context. +-- +2.28.0 + diff --git a/SOURCES/0061-docs-dbus-fix-invalid-method-names.patch b/SOURCES/0061-docs-dbus-fix-invalid-method-names.patch new file mode 100644 index 0000000..7e71c90 --- /dev/null +++ b/SOURCES/0061-docs-dbus-fix-invalid-method-names.patch @@ -0,0 +1,39 @@ +From b82e2cf588916624c5f45c10e7c929f24ff84e9a Mon Sep 17 00:00:00 2001 +From: Donald Yandt <10255876+TorontoMedia@users.noreply.github.com> +Date: Sun, 27 Sep 2020 20:19:35 -0400 +Subject: [PATCH 61/62] docs(dbus): fix invalid method names + +Replace invalid method names for both 'queryEntry' and 'queryIPSet'. + +Fixes: #693 +(cherry picked from commit 6fc82d2d34b436a1f1921b36930169c965f3ff4b) +(cherry picked from commit 24fb2b2424107cd88e331b8f8edae0dc1671c504) +--- + doc/xml/firewalld.dbus.xml | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 1625b9d50576..3bf4f53b108d 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -579,7 +579,7 @@ + + + +- queryService(s: ipset, s: entry) → b ++ queryEntry(s: ipset, s: entry) → b + + + Return whether entry has been added to ipset. +@@ -591,7 +591,7 @@ + + + +- queryService(s: ipset) → b ++ queryIPSet(s: ipset) → b + + + Return whether ipset is defined in runtime configuration. +-- +2.28.0 + diff --git a/SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch b/SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch new file mode 100644 index 0000000..cf91047 --- /dev/null +++ b/SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch @@ -0,0 +1,27 @@ +From cd158a2880734c5da329e9a5c9c075ba5bceced6 Mon Sep 17 00:00:00 2001 +From: diegoe +Date: Wed, 21 Oct 2020 21:19:52 -0500 +Subject: [PATCH 62/62] docs(firewall-cmd): small description grammar fix + +(cherry picked from commit 9ae97bb2b65fbafa0ed5c0bfd9ebd5945bc6bea9) +(cherry picked from commit 9b4664fca4d3551dbb758a53b212a5aab043ccd9) +--- + doc/xml/firewall-cmd.xml.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in +index 702c549ab9d9..1789f513d8ee 100644 +--- a/doc/xml/firewall-cmd.xml.in ++++ b/doc/xml/firewall-cmd.xml.in +@@ -56,7 +56,7 @@ + Description + + +- firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration. ++ firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configurations. + + + +-- +2.28.0 + diff --git a/SOURCES/0065-fix-rich-non-printable-characters-removed-from-rich-.patch b/SOURCES/0065-fix-rich-non-printable-characters-removed-from-rich-.patch new file mode 100644 index 0000000..2e00d5b --- /dev/null +++ b/SOURCES/0065-fix-rich-non-printable-characters-removed-from-rich-.patch @@ -0,0 +1,107 @@ +From dbce20e28a898c394274109904d471d84cfa7fea Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Fri, 13 Nov 2020 10:40:51 -0500 +Subject: [PATCH 65/66] fix(rich): non-printable characters removed from rich + rules + +Fixes: rhbz 1596304 +Fixes: #480 + +(cherry picked from commit ac5960856991a00ddf7a558e31fd3248c8279a1f) +(cherry picked from commit a55416ea5f79f1a7cb1a97b6ee39524a542a8663) +--- + src/firewall/core/rich.py | 2 ++ + src/firewall/functions.py | 9 ++++++++- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1596304.at | 23 +++++++++++++++++++++++ + 4 files changed, 34 insertions(+), 1 deletion(-) + create mode 100644 src/tests/regression/rhbz1596304.at + +diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py +index 86c0c998a478..03bc194c2b28 100644 +--- a/src/firewall/core/rich.py ++++ b/src/firewall/core/rich.py +@@ -307,6 +307,8 @@ class Rich_Rule(object): + if not rule_str: + raise FirewallError(errors.INVALID_RULE, 'empty rule') + ++ rule_str = functions.stripNonPrintableCharacters(rule_str) ++ + self.priority = 0 + self.family = None + self.source = None +diff --git a/src/firewall/functions.py b/src/firewall/functions.py +index 6af220619f17..d20b702e047e 100644 +--- a/src/firewall/functions.py ++++ b/src/firewall/functions.py +@@ -27,7 +27,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName", + "check_single_address", "check_mac", "uniqify", "ppid_of_pid", + "max_zone_name_len", "checkUser", "checkUid", "checkCommand", + "checkContext", "joinArgs", "splitArgs", +- "b2u", "u2b", "u2b_if_py2" ] ++ "b2u", "u2b", "u2b_if_py2", "stripNonPrintableCharacters"] + + import socket + import os +@@ -42,6 +42,10 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE + + PY2 = sys.version < '3' + ++NOPRINT_TRANS_TABLE = { ++ i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable() ++} ++ + def getPortID(port): + """ Check and Get port id from port string or port id using socket.getservbyname + +@@ -226,6 +230,9 @@ def checkIPnMask(ip): + return False + return True + ++def stripNonPrintableCharacters(rule_str): ++ return rule_str.translate(NOPRINT_TRANS_TABLE) ++ + def checkIP6nMask(ip): + if "/" in ip: + addr = ip[:ip.index("/")] +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 65540840f50e..c1e8620ee700 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -35,3 +35,4 @@ m4_include([regression/rhbz1483921.at]) + m4_include([regression/rhbz1541077.at]) + m4_include([regression/rhbz1855140.at]) + m4_include([regression/rhbz1871298.at]) ++m4_include([regression/rhbz1596304.at]) +diff --git a/src/tests/regression/rhbz1596304.at b/src/tests/regression/rhbz1596304.at +new file mode 100644 +index 000000000000..98a33934e271 +--- /dev/null ++++ b/src/tests/regression/rhbz1596304.at +@@ -0,0 +1,23 @@ ++FWD_START_TEST([rich rules strip non-printable characters]) ++AT_KEYWORDS(rich rhbz1596304) ++ ++dnl source address contains a tab character ++FWD_CHECK([--permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="104.243.250.0/22 " port port=80 protocol=tcp accept'],0,ignore) ++FWD_RELOAD ++FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl ++ public ++ target: default ++ icmp-block-inversion: no ++ interfaces: ++ sources: ++ services: cockpit dhcpv6-client ssh ++ ports: ++ protocols: ++ masquerade: no ++ forward-ports: ++ source-ports: ++ icmp-blocks: ++ rich rules: ++ rule family="ipv4" source address="104.243.250.0/22" port port="80" protocol="tcp" accept ++ ])]) ++FWD_END_TEST +-- +2.28.0 + diff --git a/SOURCES/0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch b/SOURCES/0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch new file mode 100644 index 0000000..793cc5e --- /dev/null +++ b/SOURCES/0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch @@ -0,0 +1,38 @@ +From ff6e65737413d54b6f6964f72827a92fdbecc182 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 8 Jan 2021 13:38:15 -0500 +Subject: [PATCH 68/68] fix(rich): limit table to strip non-printables to C0 + and C1 + +Generating the table was taking an unreasonable amount of memory. +Stripping C0 and C1 should cover most scenarios while limiting memory +usage. + +Fixes: ac5960856991 ("fix(rich): non-printable characters removed from rich rules") +(cherry picked from commit 015704b44f81d535a868fe28368f977cefd28638) +(cherry picked from commit 629a53ef027146f8e4e486c40c8bde04cda830d3) +--- + src/firewall/functions.py | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/functions.py b/src/firewall/functions.py +index d20b702e047e..1ea9f4309234 100644 +--- a/src/firewall/functions.py ++++ b/src/firewall/functions.py +@@ -43,7 +43,12 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE + PY2 = sys.version < '3' + + NOPRINT_TRANS_TABLE = { +- i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable() ++ # Limit to C0 and C1 code points. Building entries for all unicode code ++ # points requires too much memory. ++ # C0 = [0, 31] ++ # C1 = [127, 159] ++ # ++ i: None for i in range(0, 160) if not (i > 31 and i < 127) + } + + def getPortID(port): +-- +2.27.0 + diff --git a/SOURCES/0067-fix-zone-add-source-with-mac-address.patch b/SOURCES/0067-fix-zone-add-source-with-mac-address.patch new file mode 100644 index 0000000..b3762c1 --- /dev/null +++ b/SOURCES/0067-fix-zone-add-source-with-mac-address.patch @@ -0,0 +1,93 @@ +From 2871abfceceba37c6ba38aa0ef25e23a059294ec Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Wed, 18 Nov 2020 13:14:44 -0500 +Subject: [PATCH 67/68] fix(zone): add source with mac address + +nftables supports matching the destination MAC, but iptables does not. +As such, lift the restriction from nftables. For iptables, gracefully +ignore the scenarios in which we attempt to match destination MAC. + +Fixes: #703 +Fixes: df4aefcbe7b7 ("improvement(ipXtables): add utility function match sources") +Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface") + +Co-authored-by: Eric Garver +(cherry picked from commit 20151fbb5c5104e3d4dbc4ea938b9a68bdbcf225) +(cherry picked from commit 79bb113a2a108ce1c69dc7bc7af60297b8ec2ad0) +--- + src/firewall/core/ipXtables.py | 4 ++++ + src/firewall/core/nftables.py | 2 -- + src/tests/regression/gh703.at | 23 +++++++++++++++++++++++ + src/tests/regression/regression.at | 1 + + 4 files changed, 28 insertions(+), 2 deletions(-) + create mode 100644 src/tests/regression/gh703.at + +diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py +index 450e427c08b5..b28146edd060 100644 +--- a/src/firewall/core/ipXtables.py ++++ b/src/firewall/core/ipXtables.py +@@ -814,6 +814,10 @@ class ip4tables(object): + else: + zone_dispatch_chain = "%s_ZONES" % (chain) + ++ # iptables can not match destination MAC ++ if check_mac(address) and chain in ["POSTROUTING", "FORWARD_OUT", "OUTPUT"]: ++ return [] ++ + target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) + action = "-g" + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 0a73c2c2669d..a0a899dd3eef 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1067,8 +1067,6 @@ class nftables(object): + return self._set_match_fragment(address[len("ipset:"):], True if "daddr" == addr_field else False, invert) + else: + if check_mac(address): +- if addr_field == "daddr": +- raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__)) + family = "ether" + elif check_single_address("ipv4", address): + family = "ip" +diff --git a/src/tests/regression/gh703.at b/src/tests/regression/gh703.at +new file mode 100644 +index 000000000000..af724a7713a7 +--- /dev/null ++++ b/src/tests/regression/gh703.at +@@ -0,0 +1,23 @@ ++FWD_START_TEST([add source with mac address]) ++AT_KEYWORDS(gh703) ++ ++FWD_CHECK([--zone=home --add-source=34:7e:5c:3a:4c:32], 0, [ignore]) ++ ++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING_ZONES_SOURCE { ++ ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING_ZONES_SOURCE { ++ ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home ++ } ++ } ++]) ++ ++dnl NOTE: iptables does _not_ support matching mac destination. ++ ++FWD_END_TEST +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index c1e8620ee700..7597a458076c 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -36,3 +36,4 @@ m4_include([regression/rhbz1541077.at]) + m4_include([regression/rhbz1855140.at]) + m4_include([regression/rhbz1871298.at]) + m4_include([regression/rhbz1596304.at]) ++m4_include([regression/gh703.at]) +-- +2.27.0 + diff --git a/SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch b/SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch new file mode 100644 index 0000000..b0d7f92 --- /dev/null +++ b/SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch @@ -0,0 +1,52 @@ +From 4aa1e421dae3ece1de075ef538f709d6388f8811 Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Wed, 10 Jun 2020 16:14:43 -0400 +Subject: [PATCH 63/64] feat(service): add collectd service Fixes: rhbz 1837368 + +(cherry picked from commit 8b974e75d9100b17568a55c4962dfe09d34f03dc) +--- + config/Makefile.am | 1 + + config/services/collectd.xml | 6 ++++++ + po/POTFILES.in | 1 + + 3 files changed, 8 insertions(+) + create mode 100644 config/services/collectd.xml + +diff --git a/config/Makefile.am b/config/Makefile.am +index 702592e6a685..5f44678841f3 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -134,6 +134,7 @@ CONFIG_FILES = \ + services/ceph.xml \ + services/cfengine.xml \ + services/cockpit.xml \ ++ services/collectd.xml \ + services/condor-collector.xml \ + services/ctdb.xml \ + services/dhcpv6-client.xml \ +diff --git a/config/services/collectd.xml b/config/services/collectd.xml +new file mode 100644 +index 000000000000..fb2483e0e716 +--- /dev/null ++++ b/config/services/collectd.xml +@@ -0,0 +1,6 @@ ++ ++ ++ Collectd ++ Collectd is a monitoring system that allows metrics to be sent over the network. This rule allows incoming collectd traffic from remote boxes. ++ ++ +diff --git a/po/POTFILES.in b/po/POTFILES.in +index 918f6f0986ae..92323b03fc17 100644 +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -67,6 +67,7 @@ config/services/ceph.xml + config/services/cfengine.xml + config/services/cockpit.xml + config/services/condor-collector.xml ++config/services/collectd.xml + config/services/ctdb.xml + config/services/dhcpv6-client.xml + config/services/dhcpv6.xml +-- +2.28.0 + diff --git a/SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch b/SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch new file mode 100644 index 0000000..85482a5 --- /dev/null +++ b/SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch @@ -0,0 +1,54 @@ +From 7edc99c9aca9c1416a05c117ab65598dc3095c35 Mon Sep 17 00:00:00 2001 +From: Kenneth D'souza +Date: Tue, 16 Jun 2020 01:14:52 +0530 +Subject: [PATCH 64/64] feat(service): Add rpc-rquotad.service + +Signed-off-by: Kenneth D'souza +(cherry picked from commit 35e58d6fca6fbf44c34629dc058f3f1f727e7783) +--- + config/Makefile.am | 1 + + config/services/rquotad.xml | 7 +++++++ + po/POTFILES.in | 1 + + 3 files changed, 9 insertions(+) + create mode 100644 config/services/rquotad.xml + +diff --git a/config/Makefile.am b/config/Makefile.am +index 5f44678841f3..178c2358b117 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -233,6 +233,7 @@ CONFIG_FILES = \ + services/redis.xml \ + services/RH-Satellite-6.xml \ + services/rpc-bind.xml \ ++ services/rquotad.xml \ + services/rsh.xml \ + services/rsyncd.xml \ + services/rtsp.xml \ +diff --git a/config/services/rquotad.xml b/config/services/rquotad.xml +new file mode 100644 +index 000000000000..adcd233ebd4d +--- /dev/null ++++ b/config/services/rquotad.xml +@@ -0,0 +1,7 @@ ++ ++ ++ rquotad ++ Remote Quota Server Daemon ++ ++ ++ +diff --git a/po/POTFILES.in b/po/POTFILES.in +index 92323b03fc17..8552b8eca4ab 100644 +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -166,6 +166,7 @@ config/services/redis-sentinel.xml + config/services/redis.xml + config/services/RH-Satellite-6.xml + config/services/rpc-bind.xml ++config/services/rquotad.xml + config/services/rsh.xml + config/services/rsyncd.xml + config/services/rtsp.xml +-- +2.28.0 + diff --git a/SOURCES/v1.0.0-0068-feat-service-add-galera-service.patch b/SOURCES/v1.0.0-0068-feat-service-add-galera-service.patch new file mode 100644 index 0000000..0fa86fe --- /dev/null +++ b/SOURCES/v1.0.0-0068-feat-service-add-galera-service.patch @@ -0,0 +1,55 @@ +From 8d0823923302da39bb1f28e55b907db29b03f664 Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Tue, 1 Dec 2020 11:58:19 -0500 +Subject: [PATCH 66/66] feat(service): add galera service Fixes: rhbz1696260 + +(cherry picked from commit 11632147677464cb7121d17526ead242e68be041) +--- + config/Makefile.am | 1 + + config/services/galera.xml | 9 +++++++++ + po/POTFILES.in | 1 + + 3 files changed, 11 insertions(+) + create mode 100644 config/services/galera.xml + +diff --git a/config/Makefile.am b/config/Makefile.am +index 178c2358b117..4b849bd54e32 100644 +--- a/config/Makefile.am ++++ b/config/Makefile.am +@@ -156,6 +156,7 @@ CONFIG_FILES = \ + services/freeipa-replication.xml \ + services/freeipa-trust.xml \ + services/ftp.xml \ ++ services/galera.xml \ + services/ganglia-client.xml \ + services/ganglia-master.xml \ + services/git.xml \ +diff --git a/config/services/galera.xml b/config/services/galera.xml +new file mode 100644 +index 000000000000..2305713fbcab +--- /dev/null ++++ b/config/services/galera.xml +@@ -0,0 +1,9 @@ ++ ++ ++ Galera ++ MariaDB-Galera Database Server ++ ++ ++ ++ ++ +diff --git a/po/POTFILES.in b/po/POTFILES.in +index 8552b8eca4ab..27003c5ce1ef 100644 +--- a/po/POTFILES.in ++++ b/po/POTFILES.in +@@ -88,6 +88,7 @@ config/services/freeipa-ldap.xml + config/services/freeipa-replication.xml + config/services/freeipa-trust.xml + config/services/ftp.xml ++config/services/galera.xml + config/services/ganglia-client.xml + config/services/ganglia-master.xml + config/services/git.xml +-- +2.28.0 + diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec index 7cf2529..5dbf1cc 100644 --- a/SPECS/firewalld.spec +++ b/SPECS/firewalld.spec @@ -1,7 +1,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 0.8.2 -Release: 2%{?dist} +Release: 6%{?dist} URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz @@ -52,6 +52,27 @@ Patch44: 0044-test-regression-rhbz1483921-correctly-use-macros.patch Patch45: 0045-test-regression-rhbz1541077-correctly-use-macros.patch Patch46: 0046-fix-rich-use-correct-error-code-for-invalid-priority.patch Patch47: 0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch +Patch48: 0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch +Patch49: 0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch +Patch50: 0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch +Patch51: 0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch +Patch52: 0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch +Patch53: 0053-fix-nftables-packet-marks-with-masks.patch +Patch54: 0054-fix-nftables-icmp-types-with-code-0.patch +Patch55: 0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch +Patch56: 0056-test-regression-rhbz1855140-add-negative-tests.patch +Patch57: 0057-fix-policy-cache-rule_str-for-rich-rules.patch +Patch58: 0058-test-zone-rich-rule-parsing-bottleneck.patch +Patch59: 0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch +Patch60: 0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch +Patch61: 0061-docs-dbus-fix-invalid-method-names.patch +Patch62: 0062-docs-firewall-cmd-small-description-grammar-fix.patch +Patch63: v0.9.0-0063-feat-service-add-collectd-service.patch +Patch64: v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch +Patch65: 0065-fix-rich-non-printable-characters-removed-from-rich-.patch +Patch66: 0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch +Patch67: 0067-fix-zone-add-source-with-mac-address.patch +Patch68: v1.0.0-0068-feat-service-add-galera-service.patch BuildArch: noarch BuildRequires: autoconf @@ -250,6 +271,24 @@ desktop-file-install --delete-original \ %{_mandir}/man1/firewall-config*.1* %changelog +* Fri Jan 29 2021 Eric Garver - 0.8.2-6 +- feat(service): add galera service + +* Fri Jan 29 2021 Eric Garver - 0.8.2-5 +- fix(zone): add source with mac address + +* Fri Jan 29 2021 Eric Garver - 0.8.2-4 +- fix(rich): non-printable characters removed from rich + +* Mon Oct 26 2020 Eric Garver - 0.8.2-3 +- fix(nftables): packet marks with masks +- fix(nftables): icmp types with code == 0 +- fix(rich icmptype): verify rule and icmptype families +- fix(zone): cache rule_str for rich rules +- improvement(service): IPsec: Update description and add TCP port 4500 +- feat(service): add collectd service +- feat(service): Add rpc-rquotad.service + * Tue Aug 04 2020 Eric Garver - 0.8.2-2 - fix(cli): add ipset type hash:mac is incompatible with the family parameter - fix(cli): add --zone is an invalid option with --direct