diff --git a/SOURCES/0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch b/SOURCES/0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch
new file mode 100644
index 0000000..52b94ea
--- /dev/null
+++ b/SOURCES/0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch
@@ -0,0 +1,167 @@ +From 44dff592c200f81d74b64ba1c729ec8ec3b8612e Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 13 Apr 2021 14:35:31 -0400 +Subject: [PATCH 23/30] fix(direct): rule order with multiple address with + -s/-d + +Fixes: rhbz 1940928 +Fixes: rhbz 1949552 +(cherry picked from commit 2be50d366b9ba073e5f86edcd0b412ff48c3fed1) +(cherry picked from commit a545183d6916169cd16648707b9f876ea0833955) +--- + src/firewall/core/fw_direct.py | 53 +++++++++++++++++++++++++++++----- + src/firewall/core/ipXtables.py | 32 -------------------- + 2 files changed, 46 insertions(+), 39 deletions(-) + +diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py +index e53a72e3326a..76aeda9f19cb 100644 +--- a/src/firewall/core/fw_direct.py ++++ b/src/firewall/core/fw_direct.py +@@ -298,7 +298,7 @@ class FirewallDirect(object): + r.append((ipv, table, chain, priority, list(args))) + return r + +- def _register_rule(self, rule_id, chain_id, priority, enable): ++ def _register_rule(self, rule_id, chain_id, priority, enable, count): + if enable: + if chain_id not in self._rules: + self._rules[chain_id] = LastUpdatedOrderedDict() +@@ -307,14 +307,14 @@ class FirewallDirect(object): + self._rule_priority_positions[chain_id] = { } + + if priority in self._rule_priority_positions[chain_id]: +- self._rule_priority_positions[chain_id][priority] += 1 ++ self._rule_priority_positions[chain_id][priority] += count + else: +- self._rule_priority_positions[chain_id][priority] = 1 ++ self._rule_priority_positions[chain_id][priority] = count + else: + del self._rules[chain_id][rule_id] + if len(self._rules[chain_id]) == 0: + del self._rules[chain_id] +- self._rule_priority_positions[chain_id][priority] -= 1 ++ self._rule_priority_positions[chain_id][priority] -= count + + # DIRECT PASSTHROUGH (untracked) + +@@ -376,6 +376,34 @@ class FirewallDirect(object): + r.append(list(args)) + return r + ++ def split_value(self, rules, opts): ++ """Split values combined with 
commas for options in opts""" ++ ++ out_rules = [ ] ++ for rule in rules: ++ processed = False ++ for opt in opts: ++ try: ++ i = rule.index(opt) ++ except ValueError: ++ pass ++ else: ++ if len(rule) > i and "," in rule[i+1]: ++ # For all items in the comma separated list in index ++ # i of the rule, a new rule is created with a single ++ # item from this list ++ processed = True ++ items = rule[i+1].split(",") ++ for item in items: ++ _rule = rule[:] ++ _rule[i+1] = item ++ out_rules.append(_rule) ++ if not processed: ++ out_rules.append(rule) ++ ++ return out_rules ++ ++ + def _rule(self, enable, ipv, table, chain, priority, args, transaction): + self._check_ipv_table(ipv, table) + # Do not create zone chains if we're using nftables. Only allow direct +@@ -458,6 +486,7 @@ class FirewallDirect(object): + # has index 1. + + index = 1 ++ count = 0 + if chain_id in self._rule_priority_positions: + positions = sorted(self._rule_priority_positions[chain_id].keys()) + j = 0 +@@ -465,11 +494,21 @@ class FirewallDirect(object): + index += self._rule_priority_positions[chain_id][positions[j]] + j += 1 + +- transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, args)) ++ # split the direct rule in some cases as iptables-restore can't handle ++ # compound args. 
++ # ++ args_list = [list(args)] ++ args_list = self.split_value(args_list, [ "-s", "--source" ]) ++ args_list = self.split_value(args_list, [ "-d", "--destination" ]) ++ ++ for _args in args_list: ++ transaction.add_rule(backend, backend.build_rule(enable, table, _chain, index, tuple(_args))) ++ index += 1 ++ count += 1 + +- self._register_rule(rule_id, chain_id, priority, enable) ++ self._register_rule(rule_id, chain_id, priority, enable, count) + transaction.add_fail(self._register_rule, +- rule_id, chain_id, priority, not enable) ++ rule_id, chain_id, priority, not enable, count) + + def _chain(self, add, ipv, table, chain, transaction): + self._check_ipv_table(ipv, table) +diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py +index 968b75867849..818ce3f153d0 100644 +--- a/src/firewall/core/ipXtables.py ++++ b/src/firewall/core/ipXtables.py +@@ -200,36 +200,6 @@ class ip4tables(object): + " ".join(_args), ret)) + return ret + +- def split_value(self, rules, opts=None): +- """Split values combined with commas for options in opts""" +- +- if opts is None: +- return rules +- +- out_rules = [ ] +- for rule in rules: +- processed = False +- for opt in opts: +- try: +- i = rule.index(opt) +- except ValueError: +- pass +- else: +- if len(rule) > i and "," in rule[i+1]: +- # For all items in the comma separated list in index +- # i of the rule, a new rule is created with a single +- # item from this list +- processed = True +- items = rule[i+1].split(",") +- for item in items: +- _rule = rule[:] +- _rule[i+1] = item +- out_rules.append(_rule) +- if not processed: +- out_rules.append(rule) +- +- return out_rules +- + def _rule_replace(self, rule, pattern, replacement): + try: + i = rule.index(pattern) +@@ -472,8 +442,6 @@ class ip4tables(object): + + for table in table_rules: + rules = table_rules[table] +- rules = self.split_value(rules, [ "-s", "--source" ]) +- rules = self.split_value(rules, [ "-d", "--destination" ]) + + 
temp_file.write("*%s\n" % table) + for rule in rules: +-- +2.27.0 + diff --git a/SOURCES/0024-test-direct-verify-rule-order-with-multiple-address-.patch b/SOURCES/0024-test-direct-verify-rule-order-with-multiple-address-.patch new file mode 100644 index 0000000..a86b378 --- /dev/null +++ b/SOURCES/0024-test-direct-verify-rule-order-with-multiple-address-.patch 
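Review bot: In `split_value` the guard `if len(rule) > i and "," in rule[i+1]:` is always true, because `i` comes from `rule.index(opt)` and is therefore below `len(rule)`; a direct rule whose last token is `-s`/`-d` then hits `rule[i+1]` and raises IndexError out of `_rule` instead of being rejected by the backend. It should read `if i + 1 < len(rule) and "," in rule[i+1]:`. The deleted ip4tables copy had the same off-by-one, so the move carried it over rather than introducing it. Separately, the expansion is also applied to negated matches, so `! -s a,b` becomes two rules that each match on their own, which is not "not a and not b"; I would add `# NOTE: "! -s a,b" expands to "! -s a" and "! -s b"; each rule matches independently` above the `args_list = self.split_value(...)` lines, since the comment that is there only mentions iptables-restore.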
@@ -0,0 +1,86 @@
+From ed0b0a7f967f33729e4ec7472b4229f0317fd92d Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 9 Apr 2021 13:34:31 -0400
+Subject: [PATCH 24/30] test(direct): verify rule order with multiple address
+ with -s/-d
+
+Coverage: rhbz 1940928
+Coverage: rhbz 1949552
+(cherry picked from commit 80c30dacc066af4d6d71d298b5e47625ecee5bdf)
+(cherry picked from commit c1262441db90108eb8044053ae1b93f66f0c2839)
+---
+ src/tests/regression/regression.at | 1 +
+ src/tests/regression/rhbz1940928.at | 52 +++++++++++++++++++++++++++++
+ 2 files changed, 53 insertions(+)
+ create mode 100644 src/tests/regression/rhbz1940928.at
+
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index a49bb3b756e7..8156ee608189 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -39,3 +39,4 @@ m4_include([regression/rhbz1871298.at])
+ m4_include([regression/rhbz1596304.at])
+ m4_include([regression/gh703.at])
+ m4_include([regression/ipset_netmask_allowed.at])
++m4_include([regression/rhbz1940928.at])
+diff --git a/src/tests/regression/rhbz1940928.at b/src/tests/regression/rhbz1940928.at
+new file mode 100644
+index 000000000000..0a4367080b5e
+--- /dev/null
++++ b/src/tests/regression/rhbz1940928.at
+@@ -0,0 +1,52 @@
++FWD_START_TEST([direct -s/-d multiple addresses])
++AT_KEYWORDS(direct rhbz1940928 rhbz1949552)
++CHECK_IPTABLES
++
++dnl test triggers a limitation in iptables-restore
++dnl
++AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=no/' ./firewalld.conf])
++FWD_RELOAD
++
++FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
++FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
++FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
++FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
++
++IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
++ ACCEPT tcp -- 0.0.0.0/0 10.0.0.0/8
++ ACCEPT tcp -- 0.0.0.0/0 172.16.0.0/16
++ ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/24
++ ACCEPT udp -- 0.0.0.0/0 10.0.0.0/8
++ ACCEPT udp -- 0.0.0.0/0 172.16.0.0/16
++ ACCEPT udp -- 0.0.0.0/0 192.168.0.0/24
++ DROP all -- 0.0.0.0/0 0.0.0.0/0
++])
++
++FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
++
++IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables, FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl
++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
++ ACCEPT sctp -- 0.0.0.0/0 10.0.0.0/8
++ ACCEPT sctp -- 0.0.0.0/0 172.16.0.0/16
++ ACCEPT sctp -- 0.0.0.0/0 192.168.0.0/24
++ ACCEPT tcp -- 0.0.0.0/0 10.0.0.0/8
++ ACCEPT tcp -- 0.0.0.0/0 172.16.0.0/16
++ ACCEPT tcp -- 0.0.0.0/0 192.168.0.0/24
++ ACCEPT udp -- 0.0.0.0/0 10.0.0.0/8
++ ACCEPT udp -- 0.0.0.0/0 172.16.0.0/16
++ ACCEPT udp -- 0.0.0.0/0 192.168.0.0/24
++ DROP all -- 0.0.0.0/0 0.0.0.0/0
++])
++
++FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT], 0, [ignore], [ignore])
++FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 1 -p sctp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
++FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p tcp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
++FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 2 -p udp -d 10.0.0.0/8,172.16.0.0/16,192.168.0.0/24 -j ACCEPT], 0, [ignore], [ignore])
++FWD_CHECK([--direct --remove-rule ipv4 filter OUTPUT 9 -j DROP], 0, [ignore], [ignore])
++
++
++IPTABLES_LIST_RULES_ALWAYS([filter], [m4_if(iptables,
FIREWALL_BACKEND, [OUTPUT_direct], [OUTPUT])], 0, [dnl ++]) ++ ++FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0025-fix-ipset-fix-hash-net-net-functionality.patch b/SOURCES/0025-fix-ipset-fix-hash-net-net-functionality.patch new file mode 100644 index 0000000..2ad0bc0 --- /dev/null +++ b/SOURCES/0025-fix-ipset-fix-hash-net-net-functionality.patch @@ -0,0 +1,31 @@ +From 44442eace5a5a4330fb40d47cd9fb3c561d38c56 Mon Sep 17 00:00:00 2001 +From: Fabrizio D'Angelo +Date: Mon, 12 Apr 2021 13:56:00 -0400 +Subject: [PATCH 25/30] fix(ipset): fix hash:net,net functionality + +Fixes: rhbz 1936896 + +Signed-off-by: Fabrizio D'Angelo +(cherry picked from commit 36f3d50d729d3329ce99653d8227e3f52a02a43f) +(cherry picked from commit 3ea4779dc4a957f9c0eb795ab0b00e67d653b772) +--- + src/firewall/core/nftables.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index e6907421e111..e3ae988bbdab 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1742,8 +1742,8 @@ class nftables(object): + "hash:ip,mark" : [ipv_addr[ipv], "mark"], + + "hash:net" : ipv_addr[ipv], ++ "hash:net,net" : [ipv_addr[ipv], ipv_addr[ipv]], + "hash:net,port" : [ipv_addr[ipv], "inet_proto", "inet_service"], +- "hash:net,port,ip" : [ipv_addr[ipv], "inet_proto", "inet_service", ipv_addr[ipv]], + "hash:net,port,net" : [ipv_addr[ipv], "inet_proto", "inet_service", ipv_addr[ipv]], + "hash:net,iface" : [ipv_addr[ipv], "ifname"], + +-- +2.27.0 + diff --git a/SOURCES/0026-test-ipset-add-test-to-verify-hash-net-net.patch b/SOURCES/0026-test-ipset-add-test-to-verify-hash-net-net.patch new file mode 100644 index 0000000..40c8dd7 --- /dev/null +++ b/SOURCES/0026-test-ipset-add-test-to-verify-hash-net-net.patch 
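Review bot: The test only exercises `-d` lists, so the `-s` branch of the split, the long forms `--source`/`--destination`, and the cross product of `-s` and `-d` on one rule (which is what multiplies the `count` that `_register_rule` now records) are all uncovered. A case such as `FWD_CHECK([--direct --add-rule ipv4 filter OUTPUT 2 -p tcp -s 10.0.0.0/8,172.16.0.0/16 -d 192.168.0.0/24,192.168.1.0/24 -j ACCEPT], 0, [ignore], [ignore])`, expected to list four rules, followed by its `--remove-rule`, would pin the priority bookkeeping this fix changed. The `sed -i` that forces `IndividualCalls=no` is never reverted, which is only safe if every test starts from a fresh `firewalld.conf`; a `dnl` line stating that assumption would help the next reader.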
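Review bot: The hunk also deletes the `"hash:net,port,ip"` entry, which neither the subject nor the commit message mentions; a reader cannot tell whether that key was a mistyped `hash:net,net` (which the placement of the new line suggests) or a supported type being dropped. If it was a typo, I would add a sentence to the commit message such as `The previous "hash:net,port,ip" key was a typo for "hash:net,net" and is not a valid ipset type; no supported type is removed.` The enclosing mapping and the code that consumes it start outside this hunk, so I could not confirm what happens when a set type is missing from it.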
@@ -0,0 +1,64 @@
+From 6d19a0bdb26f0eeb08dfdd9957c184e90db8766e Mon Sep 17 00:00:00 2001
+From: Fabrizio D'Angelo
+Date: Mon, 12 Apr 2021 14:05:36 -0400
+Subject: [PATCH 26/30] test(ipset): add test to verify hash:net,net
+
+Signed-off-by: Fabrizio D'Angelo
+(cherry picked from commit f3bd1297f656217031957eee7cfb4b3ee5ef42f2)
+(cherry picked from commit 690ad9abf26f8ec3486704553d891d7d2ce11a80)
+---
+ src/tests/regression/regression.at | 1 +
+ src/tests/regression/rhbz1936896.at | 32 +++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+)
+ create mode 100644 src/tests/regression/rhbz1936896.at
+
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index 8156ee608189..2a5ad9ef995a 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -40,3 +40,4 @@ m4_include([regression/rhbz1596304.at])
+ m4_include([regression/gh703.at])
+ m4_include([regression/ipset_netmask_allowed.at])
+ m4_include([regression/rhbz1940928.at])
++m4_include([regression/rhbz1936896.at])
+diff --git a/src/tests/regression/rhbz1936896.at b/src/tests/regression/rhbz1936896.at
+new file mode 100644
+index 000000000000..911db0bc448d
+--- /dev/null
++++ b/src/tests/regression/rhbz1936896.at
+@@ -0,0 +1,32 @@
++FWD_START_TEST([ipset type hash:net,net])
++AT_KEYWORDS(rhbz1936896)
++CHECK_IPSET
++
++FWD_CHECK([-q --permanent --new-ipset testset --type hash:net,net])
++FWD_CHECK([--permanent --ipset=testset --add-entry=192.168.0.0/24,10.0.1.0/24], 0, ignore)
++FWD_RELOAD
++FWD_CHECK([--permanent --info-ipset=testset | TRIM_WHITESPACE], 0, [m4_strip([dnl
++ testset
++ type: hash:net,net
++ options:
++ entries: 192.168.0.0/24,10.0.1.0/24
++])])
++
++IPSET_LIST_SET([testset], 0, [dnl
++ Name: testset
++ Type: hash:net,net
++ Members:
++ 192.168.0.0/24,10.0.1.0/24
++])
++
++NFT_LIST_SET([testset], 0, [dnl
++ table inet firewalld {
++ set testset {
++ type ipv4_addr .
ipv4_addr
++ flags interval
++ elements = { 192.168.0.0/24 . 10.0.1.0/24 }
++ }
++ }
++])
++
++FWD_END_TEST
+--
+2.27.0
+
diff --git a/SOURCES/0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch b/SOURCES/0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch
new file mode 100644
index 0000000..dd50e1b
--- /dev/null
+++ b/SOURCES/0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch
@@ -0,0 +1,45 @@
+From 1cbe39d4260c633da4b7110d6e2e7722b8454af4 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 27 Apr 2021 08:56:13 -0400
+Subject: [PATCH 27/30] fix(nm): reload: only consider NM connections with a
+ real interface
+
+Where real interface means linux interface capable of having an IP
+address and does not exceed IFNAMSIZ.
+
+Fixes: rhbz 1928860
+(cherry picked from commit f18f1cc96503fbc5d42f30ecdc6f0da4c56aac4d)
+(cherry picked from commit 7e9c4a5072ee3fd1aaf4162ef6ef1bf84b8a82eb)
+---
+ src/firewall/core/fw_nm.py | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
+index 37282a1a7711..0e38dd47e927 100644
+--- a/src/firewall/core/fw_nm.py
++++ b/src/firewall/core/fw_nm.py
+@@ -141,7 +141,9 @@ def nm_get_connections(connections, connections_name):
+ 
+ connections_name[uuid] = name
+ for dev in devices:
+- connections[dev.get_iface()] = uuid
++ ip_iface = dev.get_ip_iface()
++ if ip_iface:
++ connections[ip_iface] = uuid
+ 
+ def nm_get_interfaces():
+ """Get active interfaces from NM
+@@ -169,7 +171,9 @@ def nm_get_interfaces():
+ continue
+ 
+ for dev in active_con.get_devices():
+- active_interfaces.append(dev.get_iface())
++ ip_iface = dev.get_ip_iface()
++ if ip_iface:
++ active_interfaces.append(ip_iface)
+ 
+ return active_interfaces
+ 
+--
+2.27.0
+
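Review bot: The test only goes through `--permanent` plus `FWD_RELOAD`, so the runtime `--ipset=testset --add-entry=...`/`--remove-entry=...` path, which is what most users of a `hash:net,net` set will hit, is not exercised and the test would still pass if only the reload path were fixed. A non-permanent `FWD_CHECK([--ipset=testset --add-entry=10.1.0.0/16,10.2.0.0/16], 0, ignore)` followed by the same `NFT_LIST_SET` expecting two elements, and then a `--remove-entry`, would cover it. Whether the runtime path shares the type table touched by the fix is not visible here, so this is a coverage request rather than a reported defect.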
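Review bot: The commit message says a real interface "does not exceed IFNAMSIZ", but the hunk adds no length check; the only filter is `if ip_iface:`, so that bound must come from NetworkManager itself, which is worth stating at the call site. I would comment the new lines with `# ip_iface is unset for devices that cannot carry an IP (e.g. OVS bridge/port objects); NM reports a real kernel interface name otherwise`, if that is in fact what `get_ip_iface()` promises. Note also that `connections[ip_iface] = uuid` still silently overwrites an earlier device that reported the same name, which this change neither introduces nor fixes. Both enclosing functions, `nm_get_connections` and `nm_get_interfaces`, begin outside these hunks.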
diff --git a/SOURCES/0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch b/SOURCES/0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch
new file mode 100644
index 0000000..205968a
--- /dev/null
+++ b/SOURCES/0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch
@@ -0,0 +1,81 @@ +From 1a2c50e5cf165a5392764ff435b7183a6d6610a7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 27 Apr 2021 09:06:22 -0400 +Subject: [PATCH 28/30] test(nm): reload: only consider NM connections with a + real interface + +Coverage: rhbz 1928860 +(cherry picked from commit 7566d3dc5664955064b14314b3d3ef20bcebd6e4) +(cherry picked from commit e936e005898e18caa628b5b61d7589c2bbc461cb) +--- + src/tests/Makefile.am | 4 ++-- + src/tests/integration/networkmanager.at | 1 + + src/tests/integration/rhbz1928860.at | 26 +++++++++++++++++++++++++ + 3 files changed, 29 insertions(+), 2 deletions(-) + create mode 100644 src/tests/integration/rhbz1928860.at + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index b7556b30ecc8..e936454faf6a 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -71,7 +71,7 @@ check-container-fedora-rawhide-image: check-container-%-image: + iptables iptables-nft libtool libxml2 libxslt make nftables \ + python3-nftables python3-slip-dbus python3-gobject-base \ + diffutils procps-ng iproute which dbus-daemon \ +- NetworkManager" && \ ++ NetworkManager NetworkManager-ovs" && \ + echo "RUN alternatives --set ebtables /usr/sbin/ebtables-nft" && \ + echo "COPY . /tmp/firewalld"; \ + } | $(PODMAN) build -t firewalld-testsuite-$* -f - . ) +@@ -86,7 +86,7 @@ check-container-centos8-stream-image: check-container-%-image: + iptables iptables-ebtables nftables libtool libxml2 \ + libxslt make nftables python3-nftables python3-slip-dbus \ + python3-gobject-base diffutils procps-ng iproute which dbus-daemon \ +- NetworkManager" && \ ++ NetworkManager NetworkManager-ovs" && \ + echo "COPY . /tmp/firewalld"; \ + } | $(PODMAN) build -t firewalld-testsuite-$* -f - . 
) + +diff --git a/src/tests/integration/networkmanager.at b/src/tests/integration/networkmanager.at +index 08cf6d28451a..0b20adce0462 100644 +--- a/src/tests/integration/networkmanager.at ++++ b/src/tests/integration/networkmanager.at +@@ -1,2 +1,3 @@ + AT_BANNER([NetworkManager (FIREWALL_BACKEND)]) + m4_include([integration/rhbz1773809.at]) ++m4_include([integration/rhbz1928860.at]) +diff --git a/src/tests/integration/rhbz1928860.at b/src/tests/integration/rhbz1928860.at +new file mode 100644 +index 000000000000..8ef2a1dcbd01 +--- /dev/null ++++ b/src/tests/integration/rhbz1928860.at +@@ -0,0 +1,26 @@ ++FWD_START_TEST([reload don't consider non IP capable interfaces]) ++AT_KEYWORDS(reload rhbz1928860) ++ ++START_NETWORKMANAGER ++ ++dnl OVS bridge and port ++NMCLI_CHECK([connection add type ovs-bridge conn.interface ovs-br con-name ovs-br], 0, [ignore]) ++NMCLI_CHECK([connection add type ovs-port conn.interface ovs-interface-port master ovs-br con-name ovs-interface-port], 0, [ignore]) ++echo NS_CMD([nmcli connection delete ovs-br]) >> ./cleanup ++echo NS_CMD([nmcli connection delete ovs-interface-port]) >> ./cleanup ++ ++dnl Up them ++NMCLI_CHECK([connection up ovs-br], 0, [ignore]) ++NMCLI_CHECK([connection up ovs-interface-port], 0, [ignore]) ++ ++dnl Omit the actual linux interface because it requires the OVS daemon to be ++dnl running. The bug is reproducible without it. ++dnl ++dnl NMCLI_CHECK([connection add type ovs-interface slave-type ovs-port conn.interface ovs-br master ovs-interface-port con-name ovs-interface ipv4.method disabled ipv6.method disabled], 0, [ignore]) ++dnl echo NS_CMD([nmcli connection delete ovs-interface]) >> ./cleanup ++dnl NMCLI_CHECK([connection up ovs-interface], 0, [ignore]) ++ ++dnl just need to verify reload ++FWD_RELOAD ++ ++FWD_END_TEST +-- +2.27.0 + 
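Review bot: The new test asserts only that `FWD_RELOAD` succeeds, which would also pass if the OVS connections were silently bound to a zone; it never checks that `ovs-br` and `ovs-interface-port` are absent from firewalld's interface bindings after the reload. A follow-up check such as `FWD_CHECK([--get-zone-of-interface ovs-br], ...)` expecting the "no zone" result (using whatever exit status the harness treats as not-bound) would pin the intended behaviour rather than just the absence of a crash. The container package lists gain `NetworkManager-ovs`, which the commented-out `ovs-interface` step would need but the active `ovs-bridge`/`ovs-port` steps may not; a short `dnl` line above the `NMCLI_CHECK` calls saying why the plugin is required would save the next reader from re-deriving it.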
diff --git a/SOURCES/0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch b/SOURCES/0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch new file mode 100644 index 0000000..faa8d8e --- /dev/null +++ b/SOURCES/0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch @@ -0,0 +1,36 @@ +From 6e97c635d2bfe9ef73f72aa165443cfcefc6c82c Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 17 May 2021 15:43:13 -0400 +Subject: [PATCH 29/30] docs(conf): note that IPv6_rpfilter has a performance + penalty + +Fixes: rhbz 1871860 +(cherry picked from commit aad59154e16f669bf85e9894e7e0e19061d370d4) +(cherry picked from commit 5391c26d3e730f283d1f00f7ac1869aeb2251837) +--- + doc/xml/firewalld.conf.xml | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml +index c21ef87813bc..0bf4c2d4d011 100644 +--- a/doc/xml/firewalld.conf.xml ++++ b/doc/xml/firewalld.conf.xml +@@ -114,6 +114,15 @@ + If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped. + For IPv4 the rp_filter is controlled using sysctl. + ++ ++ Note: This feature has a performance ++ impact. In most cases the impact is not enough to cause a noticeable ++ difference. It requires route lookups and its execution occurs before ++ the established connections fast path. As such it can have a ++ significant performance impact if there is a lot of traffic. It's ++ enabled by default for security, but can be disabled if performance is ++ a concern. ++ + + + +-- +2.27.0 + diff --git a/SOURCES/0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch b/SOURCES/0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch new file mode 100644 index 0000000..0dcb24d --- /dev/null +++ b/SOURCES/0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch 
@@ -0,0 +1,28 @@
+From 60e4181ca9ac8dbd1acb6baf85b42b0666aa56b7 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 19 May 2021 12:52:52 -0400
+Subject: [PATCH 30/30] improvement(conf): note that IPv6_rpfilter has a
+ performance penalty
+
+(cherry picked from commit cf8e0df944322f1ad283946c64bf7f933c25340d)
+(cherry picked from commit 1a8bb7e5dcee3bcd691219104427daf39ead1f82)
+---
+ config/firewalld.conf | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index f791b2358ab8..a0556c0bbf5b 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -23,6 +23,8 @@ Lockdown=no
+ # packet would be sent via the same interface that the packet arrived on, the
+ # packet will match and be accepted, otherwise dropped.
+ # The rp_filter for IPv4 is controlled using sysctl.
++# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
++# for details.
+ # Default: yes
+ IPv6_rpfilter=yes
+ 
+--
+2.27.0
+
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
index 629e207..715e981 100644
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.9.3
-Release: 1%{?dist}
+Release: 5%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@@ -27,6 +27,14 @@ Patch19: 0019-fix-fw-when-checking-tables-make-sure-to-check-the-a.patch
 Patch20: 0020-fix-ipset-nftables-use-interval-flag-for-ip-types.patch
 Patch21: 0021-test-ipset-verify-ipset-netmask-allowed-for-hash-ip.patch
 Patch22: 0022-test-offline-always-allow-ipset-tests.patch
+Patch23: 0023-fix-direct-rule-order-with-multiple-address-with-s-d.patch
+Patch24: 0024-test-direct-verify-rule-order-with-multiple-address-.patch
+Patch25: 0025-fix-ipset-fix-hash-net-net-functionality.patch
+Patch26: 0026-test-ipset-add-test-to-verify-hash-net-net.patch
+Patch27: 0027-fix-nm-reload-only-consider-NM-connections-with-a-re.patch
+Patch28: 0028-test-nm-reload-only-consider-NM-connections-with-a-r.patch
+Patch29: 0029-docs-conf-note-that-IPv6_rpfilter-has-a-performance-.patch
+Patch30: 0030-improvement-conf-note-that-IPv6_rpfilter-has-a-perfo.patch
 
 BuildArch: noarch
 BuildRequires: autoconf
@@ -228,6 +236,18 @@ desktop-file-install --delete-original \
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Wed May 19 2021 Eric Garver - 0.9.3-5
+- docs(conf): note that IPv6_rpfilter has a performance penalty
+
+* Wed May 19 2021 Eric Garver - 0.9.3-4
+- fix(nm): reload: only consider NM connections with a real interface
+
+* Wed May 19 2021 Eric Garver - 0.9.3-3
+- fix(ipset): fix hash:net,net functionality
+
+* Wed May 19 2021 Eric Garver - 0.9.3-2
+- fix(direct): rule order with multiple address with -s/-d
+
 * Thu Feb 25 2021 Eric Garver - 0.9.3-1
 - rebase to v0.9.3
 - fixes from upstream branch stable-0.9