diff --git a/SOURCES/0011-test-dbus-zone-verify-permanent-config-APIs.patch b/SOURCES/0011-test-dbus-zone-verify-permanent-config-APIs.patch new file mode 100644 index 0000000..ae11b5e --- /dev/null +++ b/SOURCES/0011-test-dbus-zone-verify-permanent-config-APIs.patch @@ -0,0 +1,390 @@ +From 3564be1c8a28ac59e8a7135a1ab2a82d2e8a3c90 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 9 Apr 2020 12:49:02 -0400 +Subject: [PATCH 11/45] test(dbus): zone: verify permanent config APIs + +(cherry picked from commit 64d5bf1b117bc29d09b4f30cbb1c87d8559eeac0) +(cherry picked from commit a972e90b522ba11e0bd65b8d0cd1a55e1d18f9cd) +--- + src/tests/dbus/dbus.at | 1 + + src/tests/dbus/zone_permanent_functional.at | 359 ++++++++++++++++++++ + 2 files changed, 360 insertions(+) + create mode 100644 src/tests/dbus/zone_permanent_functional.at + +diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at +index 377244460e7a..31c180dc3d3d 100644 +--- a/src/tests/dbus/dbus.at ++++ b/src/tests/dbus/dbus.at +@@ -3,3 +3,4 @@ m4_include([dbus/firewalld.conf.at]) + m4_include([dbus/service.at]) + m4_include([dbus/zone_permanent_signatures.at]) + m4_include([dbus/zone_runtime_signatures.at]) ++m4_include([dbus/zone_permanent_functional.at]) +diff --git a/src/tests/dbus/zone_permanent_functional.at b/src/tests/dbus/zone_permanent_functional.at +new file mode 100644 +index 000000000000..2261832e00a8 +--- /dev/null ++++ b/src/tests/dbus/zone_permanent_functional.at +@@ -0,0 +1,359 @@ ++FWD_START_TEST([dbus api - zone permanent functional]) ++AT_KEYWORDS(dbus zone gh586) ++ ++dnl #################### ++dnl Global APIs ++dnl #################### ++ ++DBUS_CHECK([config], [config.addZone], ++ ["foobar" dnl name ++ '("1.0", dnl version ++ "foobar", dnl short ++ "foobar zone", dnl description ++ false, dnl bogus/unused ++ "ACCEPT", dnl target ++ @<:@"ssh", "mdns"@:>@, dnl services ++ @<:@("1234", "tcp"), ("1234", "udp")@:>@, dnl ports ++ @<:@"echo-request"@:>@, dnl ICMP Blocks ++ true, dnl masquerade ++ @<:@("1234", "tcp", "4321", ""), ("1234", "udp", "4321", "10.10.10.10")@:>@, dnl forward ports ++ @<:@"dummy0", "dummy1"@:>@, dnl interfaces ++ @<:@"10.10.10.0/24"@:>@, dnl sources ++ @<:@"rule family=ipv4 source address=10.20.20.20 drop"@:>@, dnl rules_str ++ @<:@"icmp"@:>@, dnl protocols ++ @<:@("1234", "tcp"), ("1234", "udp")@:>@, dnl source ports ++ false dnl ICMP block inversion ++ )'dnl ++ ], 0, [stdout]) ++DBUS_FOOBAR_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)] ++export DBUS_FOOBAR_ZONE_OBJ ++ ++dnl Get Zones ++dnl ++DBUS_CHECK([config], [config.getZoneNames], [], 0, [dnl ++ [(['block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', 'public', 'trusted', 'work'],)] ++]) ++DBUS_CHECK([config], [config.listZones], [], 0, [stdout]) ++NS_CHECK([sed -e ["s/['][,]/'\n/g"] ./stdout |dnl ++ sed -e ["s/.*config\/zone\/\([^']\+\)['].*/\1/"] |dnl ++ while read LINE; do { echo "${LINE}" | grep ["^[0-9]\+$"] ; } || exit 1; done], 0, [ignore]) ++DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout]) ++NS_CHECK([sed -e ["s/.*config\/zone\/\([^']\+\)['].*/\1/"] ./stdout | grep ["^[0-9]\+$"]], 0, [ignore]) ++ ++dnl Interfaces ++FWD_CHECK([-q --permanent --zone public --add-interface dummy2]) ++DBUS_CHECK([config], [config.getZoneOfInterface], ["dummy2"], 0, [dnl ++ ('public',) ++]) ++FWD_CHECK([-q --permanent --zone public --remove-interface dummy2]) ++ ++dnl Sources ++FWD_CHECK([-q --permanent --zone public --add-source 10.20.20.0/24]) ++DBUS_CHECK([config], [config.getZoneOfSource], ["10.20.20.0/24"], 0, [dnl ++ ('public',) ++]) ++FWD_CHECK([-q --permanent --zone public --remove-source 10.20.20.0/24]) ++ ++dnl #################### ++dnl Zone object APIs ++dnl #################### ++ ++DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.getSettings], [], 0, [dnl ++ (('1.0', dnl version ++ 'foobar', dnl short ++ 'foobar zone', dnl description ++ false, dnl bogus/unused ++ 'ACCEPT', dnl target ++ @<:@'ssh', 'mdns'@:>@, dnl services ++ @<:@('1234', 'tcp'), ('1234', 'udp')@:>@, dnl ports ++ @<:@'echo-request'@:>@, dnl ICMP Blocks ++ true, dnl masquerade ++ @<:@('1234', 'tcp', '4321', ''), ('1234', 'udp', '4321', '10.10.10.10')@:>@, dnl forward ports ++ @<:@'dummy0', 'dummy1'@:>@, dnl interfaces ++ @<:@'10.10.10.0/24'@:>@, dnl sources ++ @<:@'rule family="ipv4" source address="10.20.20.20" drop'@:>@, dnl rules_str ++ @<:@'icmp'@:>@, dnl protocols ++ @<:@('1234', 'tcp'), ('1234', 'udp')@:>@, dnl source ports ++ false),) ++]) ++ ++dnl Verify update works ++dnl ++DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.update], [dnl ++ '("1.1", dnl version ++ "foobar v2", dnl short ++ "foobar zone updated", dnl description ++ false, dnl bogus/unused ++ "ACCEPT", dnl target ++ @<:@"ssh", "mdns", "samba"@:>@, dnl services ++ @<:@("1234", "tcp"), ("4444", "udp")@:>@, dnl ports ++ @<:@"echo-request", "echo-reply"@:>@, dnl ICMP Blocks ++ false, dnl masquerade ++ @<:@("1234", "tcp", "4321", "")@:>@, dnl forward ports ++ @<:@"dummy0", "dummy1", "dummy2"@:>@, dnl interfaces ++ @<:@"10.10.10.0/24", "10.20.0.0/16"@:>@, dnl sources ++ @<:@"rule family=ipv4 source address=10.20.20.20 reject"@:>@, dnl rules_str ++ @<:@"icmp", "ipv6-icmp"@:>@, dnl protocols ++ @<:@("1234", "tcp"), ("6666", "udp")@:>@, dnl source ports ++ true dnl ICMP block inversion ++ )'dnl ++ ], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.getSettings], [], 0, [dnl ++ (('1.1', dnl version ++ 'foobar v2', dnl short ++ 'foobar zone updated', dnl description ++ false, dnl bogus/unused ++ 'ACCEPT', dnl target ++ @<:@'ssh', 'mdns', 'samba'@:>@, dnl services ++ @<:@('1234', 'tcp'), ('4444', 'udp')@:>@, dnl ports ++ @<:@'echo-request', 'echo-reply'@:>@, dnl ICMP Blocks ++ false, dnl masquerade ++ @<:@('1234', 'tcp', '4321', '')@:>@, dnl forward ports ++ @<:@'dummy0', 'dummy1', 'dummy2'@:>@, dnl interfaces ++ @<:@'10.10.10.0/24', '10.20.0.0/16'@:>@, dnl sources ++ @<:@'rule family="ipv4" source address="10.20.20.20" reject'@:>@, dnl rules_str ++ @<:@'icmp', 'ipv6-icmp'@:>@, dnl protocols ++ @<:@('1234', 'tcp'), ('6666', 'udp')@:>@, dnl source ports ++ true),) ++]) ++ ++dnl Rename ++DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.rename], ["foobar-renamed"], 0, [ignore]) ++DBUS_CHECK([config], [config.getZoneByName], ["foobar-renamed"], 0, [ignore]) ++ ++dnl Remove ++DBUS_CHECK([config/zone/${DBUS_FOOBAR_ZONE_OBJ}], [config.zone.remove], [], 0, [ignore]) ++DBUS_CHECK([config], [config.getZoneByName], ["foobar-renamed"], 1, [ignore], [ignore]) ++ ++dnl Get a reference to the public zone. We'll use for the rest of the tests. ++DBUS_CHECK([config], [config.getZoneByName], ["public"], 0, [stdout]) ++DBUS_PUBLIC_ZONE_OBJ=[$(sed -e "s/.*config\/zone\/\([^']\+\)['].*/\1/" ./stdout)] ++export DBUS_PUBLIC_ZONE_OBJ ++ ++dnl loadDefaults ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.loadDefaults], [], 0, [ignore]) ++ ++dnl Version ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getVersion], [], 0, [dnl ++ ('',) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setVersion], ["1.1"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getVersion], [], 0, [dnl ++ ('1.1',) ++]) ++ ++dnl Short ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getShort], [], 0, [dnl ++ ('Public',) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setShort], ["Public updated"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getShort], [], 0, [dnl ++ ('Public updated',) ++]) ++ ++dnl Description ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getDescription], [], 0, [dnl ++ ('For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.',) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setDescription], ["A shorter description."], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getDescription], [], 0, [dnl ++ ('A shorter description.',) ++]) ++ ++dnl Target ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getTarget], [], 0, [dnl ++ ('default',) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setTarget], ["ACCEPT"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getTarget], [], 0, [dnl ++ ('ACCEPT',) ++]) ++ ++dnl Interfaces ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addInterface], ["dummy0"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryInterface], ["dummy0"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryInterface], ["dummy1"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setInterfaces], [['["dummy0", "dummy1"]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getInterfaces], [], 0, [dnl ++ [(['dummy0', 'dummy1'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeInterface], ["dummy0"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getInterfaces], [], 0, [dnl ++ [(['dummy1'],)] ++]) ++ ++dnl Sources ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addSource], ["10.10.10.0/24"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySource], ["10.10.10.0/24"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySource], ["10.20.20.0/24"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setSources], [['["10.10.10.0/24", "10.20.20.0/24"]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSources], [], 0, [dnl ++ [(['10.10.10.0/24', '10.20.20.0/24'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeSource], ["10.10.10.0/24"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSources], [], 0, [dnl ++ [(['10.20.20.0/24'],)] ++]) ++ ++dnl Services ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addService], ["samba"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryService], ["samba"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryService], ["https"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setServices], [['["samba", "https"]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getServices], [], 0, [dnl ++ [(['samba', 'https'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeService], ["samba"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getServices], [], 0, [dnl ++ [(['https'],)] ++]) ++ ++dnl Ports ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addPort], ["1234" "tcp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryPort], ["1234" "tcp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryPort], ["4321" "udp"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setPorts], [['[("1234", "tcp"), ("4321", "udp")]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getPorts], [], 0, [dnl ++ [([('1234', 'tcp'), ('4321', 'udp')],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removePort], ["1234" "tcp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getPorts], [], 0, [dnl ++ [([('4321', 'udp')],)] ++]) ++ ++dnl Source Ports ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addSourcePort], ["1234" "tcp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySourcePort], ["1234" "tcp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.querySourcePort], ["4321" "udp"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setSourcePorts], [['[("1234", "tcp"), ("4321", "udp")]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSourcePorts], [], 0, [dnl ++ [([('1234', 'tcp'), ('4321', 'udp')],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeSourcePort], ["1234" "tcp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getSourcePorts], [], 0, [dnl ++ [([('4321', 'udp')],)] ++]) ++ ++dnl Forward Ports ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addForwardPort], ["1234" "tcp" "1111" ""], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryForwardPort], ["1234" "tcp" "1111" ""], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryForwardPort], ["4321" "udp" "4444" "10.10.10.10"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setForwardPorts], [['[("1234", "tcp", "1111", ""), ("4321", "udp", "4444", "10.10.10.10")]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getForwardPorts], [], 0, [dnl ++ [([('1234', 'tcp', '1111', ''), ('4321', 'udp', '4444', '10.10.10.10')],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeForwardPort], ["1234" "tcp" "1111" ""], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getForwardPorts], [], 0, [dnl ++ [([('4321', 'udp', '4444', '10.10.10.10')],)] ++]) ++ ++dnl Protocols ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addProtocol], ["icmp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryProtocol], ["icmp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryProtocol], ["igmp"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setProtocols], [['["icmp", "igmp"]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getProtocols], [], 0, [dnl ++ [(['icmp', 'igmp'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeProtocol], ["icmp"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getProtocols], [], 0, [dnl ++ [(['igmp'],)] ++]) ++ ++dnl Masquerade ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryMasquerade], [], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addMasquerade], [], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryMasquerade], [], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setMasquerade], [true], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getMasquerade], [], 0, [dnl ++ [(true,)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeMasquerade], [], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getMasquerade], [], 0, [dnl ++ [(false,)] ++]) ++ ++dnl ICMP Block ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addIcmpBlock], ["echo-reply"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlock], ["echo-reply"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlock], ["echo-request"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setIcmpBlocks], [['["echo-reply", "echo-request"]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlocks], [], 0, [dnl ++ [(['echo-reply', 'echo-request'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeIcmpBlock], ["echo-reply"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlocks], [], 0, [dnl ++ [(['echo-request'],)] ++]) ++ ++dnl ICMP Block Inversion ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlockInversion], [], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addIcmpBlockInversion], [], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryIcmpBlockInversion], [], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setIcmpBlockInversion], [true], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlockInversion], [], 0, [dnl ++ [(true,)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeIcmpBlockInversion], [], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getIcmpBlockInversion], [], 0, [dnl ++ [(false,)] ++]) ++ ++dnl Rich Rules ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.addRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.queryRichRule], ["rule family=ipv4 source address=10.20.20.0/24 drop"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.setRichRules], [['["rule family=ipv4 source address=10.10.10.0/24 accept", "rule family=ipv4 source address=10.20.20.0/24 drop"]']], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getRichRules], [], 0, [dnl ++ [(['rule family="ipv4" source address="10.10.10.0/24" accept', 'rule family="ipv4" source address="10.20.20.0/24" drop'],)] ++]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.removeRichRule], ["rule family=ipv4 source address=10.10.10.0/24 accept"], 0, [ignore]) ++DBUS_CHECK([config/zone/${DBUS_PUBLIC_ZONE_OBJ}], [config.zone.getRichRules], [], 0, [dnl ++ [(['rule family="ipv4" source address="10.20.20.0/24" drop'],)] ++]) ++ ++FWD_END_TEST([-e '/ERROR: INVALID_ZONE: foobar-renamed/d']) +-- +2.27.0 + diff --git a/SOURCES/0012-test-dbus-zone-verify-runtime-config-APIs.patch b/SOURCES/0012-test-dbus-zone-verify-runtime-config-APIs.patch new file mode 100644 index 0000000..e242232 --- /dev/null +++ b/SOURCES/0012-test-dbus-zone-verify-runtime-config-APIs.patch @@ -0,0 +1,328 @@ +From 069fbf5bda85526cdae9cf684a61c49d6961c065 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 9 Apr 2020 14:03:48 -0400 +Subject: [PATCH 12/45] test(dbus): zone: verify runtime config APIs + +(cherry picked from commit b1e7a3843f7c6dfc31ac3ac38cc938bd8ece7c6c) +(cherry picked from commit 2bc363979f3223ed0b98f027c96d8af7c3d79211) +--- + src/tests/dbus/dbus.at | 1 + + src/tests/dbus/zone_runtime_functional.at | 297 ++++++++++++++++++++++ + 2 files changed, 298 insertions(+) + create mode 100644 src/tests/dbus/zone_runtime_functional.at + +diff --git a/src/tests/dbus/dbus.at b/src/tests/dbus/dbus.at +index 31c180dc3d3d..d9f7a2953131 100644 +--- a/src/tests/dbus/dbus.at ++++ b/src/tests/dbus/dbus.at +@@ -4,3 +4,4 @@ m4_include([dbus/service.at]) + m4_include([dbus/zone_permanent_signatures.at]) + m4_include([dbus/zone_runtime_signatures.at]) + m4_include([dbus/zone_permanent_functional.at]) ++m4_include([dbus/zone_runtime_functional.at]) +diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at +new file mode 100644 +index 000000000000..d0098dfdff65 +--- /dev/null ++++ b/src/tests/dbus/zone_runtime_functional.at +@@ -0,0 +1,297 @@ ++FWD_START_TEST([dbus api - zone permanent functional]) ++AT_KEYWORDS(dbus zone gh586) ++ ++dnl #################### ++dnl Global APIs ++dnl #################### ++ ++DBUS_CHECK([], [getZoneSettings], ["public"], 0, [dnl ++ (('', dnl version ++ 'Public', dnl short ++ 'For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.', dnl description ++ false, dnl bogus/unused ++ 'default', dnl target ++ @<:@'ssh', 'dhcpv6-client', 'cockpit'@:>@, dnl services ++ @a(ss) @<:@@:>@, dnl ports ++ @as @<:@@:>@, dnl ICMP Blocks ++ false, dnl masquerade ++ @a(ssss) @<:@@:>@, dnl forward ports ++ @as @<:@@:>@, dnl interfaces ++ @as @<:@@:>@, dnl sources ++ @as @<:@@:>@, dnl rules_str ++ @as @<:@@:>@, dnl protocols ++ @a(ss) @<:@@:>@, dnl source ports ++ false),) ++]) ++ ++dnl Default Zone ++DBUS_CHECK([], [getDefaultZone], [], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [setDefaultZone], ['drop'], 0, [dnl ++ () ++]) ++DBUS_CHECK([], [getDefaultZone], [], 0, [dnl ++ ('drop',) ++]) ++ ++dnl Fetching Zones ++DBUS_CHECK([], [zone.getZones], [], 0, [dnl ++ [(['block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'],)] ++]) ++FWD_CHECK([-q --zone public --add-interface dummy0]) ++FWD_CHECK([-q --zone public --add-source 10.1.1.1]) ++DBUS_CHECK([], [zone.getActiveZones], [], 0, [dnl ++ ['public': {'interfaces': ['dummy0'], 'sources': ['10.1.1.1']}] ++]) ++FWD_CHECK([-q --zone public --remove-interface dummy0]) ++FWD_CHECK([-q --zone public --remove-source 10.1.1.1]) ++ ++dnl Interfaces/Sources ++FWD_CHECK([-q --zone public --add-interface dummy1]) ++DBUS_CHECK([], [zone.getZoneOfInterface], ["dummy1"], 0, [dnl ++ ('public',) ++]) ++FWD_CHECK([-q --zone public --remove-interface dummy1]) ++FWD_CHECK([-q --zone drop --add-source 10.10.10.0/24]) ++DBUS_CHECK([], [zone.getZoneOfSource], ["10.10.10.0/24"], 0, [dnl ++ ('drop',) ++]) ++FWD_CHECK([-q --zone drop --remove-source 10.10.10.0/24]) ++ ++dnl #################### ++dnl Zone Individual APIs ++dnl #################### ++ ++dnl isImmutable ++DBUS_CHECK([], [zone.isImmutable], ["public"], 0, [dnl ++ (false,) ++]) ++ ++dnl Interfaces ++DBUS_CHECK([], [zone.addInterface], ["public" "dummy0"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.changeZone], ["drop" "dummy0"], 0, [dnl ++ ('drop',) ++]) ++DBUS_CHECK([], [zone.queryInterface], ["public" "dummy0"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([], [zone.queryInterface], ["drop" "dummy0"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.changeZoneOfInterface], ["public" "dummy0"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryInterface], ["public" "dummy0"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.queryInterface], ["drop" "dummy0"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([], [zone.addInterface], ["public" "dummy1"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getInterfaces], ["public"], 0, [dnl ++ [(['dummy0', 'dummy1'],)] ++]) ++DBUS_CHECK([], [zone.removeInterface], ["public" "dummy0"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getInterfaces], ["public"], 0, [dnl ++ [(['dummy1'],)] ++]) ++ ++dnl Sources ++DBUS_CHECK([], [zone.addSource], ["public" "10.10.10.0/24"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.changeZoneOfSource], ["drop" "10.10.10.0/24"], 0, [dnl ++ ('drop',) ++]) ++DBUS_CHECK([], [zone.querySource], ["public" "10.10.10.0/24"], 0, [dnl ++ (false,) ++]) ++DBUS_CHECK([], [zone.querySource], ["drop" "10.10.10.0/24"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.changeZoneOfSource], ["public" "10.10.10.0/24"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.addSource], ["public" "10.20.0.0/16"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getSources], ["public"], 0, [dnl ++ [(['10.10.10.0/24', '10.20.0.0/16'],)] ++]) ++DBUS_CHECK([], [zone.removeSource], ["public" "10.10.10.0/24"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getSources], ["public"], 0, [dnl ++ [(['10.20.0.0/16'],)] ++]) ++ ++dnl Services ++DBUS_CHECK([], [zone.addService], ["public" "samba" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryService], ["public" "samba"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.getServices], ["public"], 0, [dnl ++ [(['ssh', 'dhcpv6-client', 'cockpit', 'samba'],)] ++]) ++DBUS_CHECK([], [zone.removeService], ["public" "samba"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryService], ["public" "samba"], 0, [dnl ++ (false,) ++]) ++ ++dnl Protocols ++DBUS_CHECK([], [zone.addProtocol], ["public" "icmp" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryProtocol], ["public" "icmp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.getProtocols], ["public"], 0, [dnl ++ [(['icmp'],)] ++]) ++DBUS_CHECK([], [zone.removeProtocol], ["public" "icmp"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryProtocol], ["public" "icmp"], 0, [dnl ++ (false,) ++]) ++ ++dnl Ports ++DBUS_CHECK([], [zone.addPort], ["public" "1234" "tcp" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryPort], ["public" "1234" "tcp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.addPort], ["public" "4321" "udp" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getPorts], ["public"], 0, [dnl ++ [([['1234', 'tcp'], ['4321', 'udp']],)] ++]) ++DBUS_CHECK([], [zone.removePort], ["public" "1234" "tcp"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryPort], ["public" "1234" "tcp"], 0, [dnl ++ (false,) ++]) ++ ++dnl Source Ports ++DBUS_CHECK([], [zone.addSourcePort], ["public" "1234" "tcp" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.querySourcePort], ["public" "1234" "tcp"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.addSourcePort], ["public" "4321" "udp" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getSourcePorts], ["public"], 0, [dnl ++ [([['1234', 'tcp'], ['4321', 'udp']],)] ++]) ++DBUS_CHECK([], [zone.removeSourcePort], ["public" "1234" "tcp"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.querySourcePort], ["public" "1234" "tcp"], 0, [dnl ++ (false,) ++]) ++ ++dnl Forward Ports ++DBUS_CHECK([], [zone.addForwardPort], ["public" "1234" "tcp" "1111" "" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.addForwardPort], ["public" "4321" "udp" "4444" "10.10.10.10" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getForwardPorts], ["public"], 0, [dnl ++ [([['1234', 'tcp', '1111', ''], ['4321', 'udp', '4444', '10.10.10.10']],)] ++]) ++DBUS_CHECK([], [zone.removeForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryForwardPort], ["public" "1234" "tcp" "1111" ""], 0, [dnl ++ (false,) ++]) ++ ++dnl Masquerade ++DBUS_CHECK([], [zone.addMasquerade], ["public" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryMasquerade], ["public"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.removeMasquerade], ["public"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryMasquerade], ["public"], 0, [dnl ++ (false,) ++]) ++ ++dnl ICMP Block ++DBUS_CHECK([], [zone.addIcmpBlock], ["public" "echo-reply" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryIcmpBlock], ["public" "echo-reply"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.addIcmpBlock], ["public" "echo-request" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getIcmpBlocks], ["public"], 0, [dnl ++ [(['echo-reply', 'echo-request'],)] ++]) ++DBUS_CHECK([], [zone.removeIcmpBlock], ["public" "echo-reply"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryIcmpBlock], ["public" "echo-reply"], 0, [dnl ++ (false,) ++]) ++ ++dnl ICMP Block Inversion ++DBUS_CHECK([], [zone.addIcmpBlockInversion], ["public"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryIcmpBlockInversion], ["public"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.removeIcmpBlockInversion], ["public"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryIcmpBlockInversion], ["public"], 0, [dnl ++ (false,) ++]) ++ ++dnl Rich Rules ++DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl ++ (true,) ++]) ++DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept" 0], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl ++ [(['rule family="ipv4" source address="10.10.10.10" accept', 'rule family="ipv4" source address="20.20.20.20" accept'],)] ++]) ++DBUS_CHECK([], [zone.removeRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl ++ ('public',) ++]) ++DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl ++ (false,) ++]) ++ ++FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0013-fix-direct-rule-in-a-zone-chain.patch b/SOURCES/0013-fix-direct-rule-in-a-zone-chain.patch new file mode 100644 index 0000000..bc8d158 --- /dev/null +++ b/SOURCES/0013-fix-direct-rule-in-a-zone-chain.patch @@ -0,0 +1,45 @@ +From 54b9d3c0aab51a598162ccd58152861730b9cee7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 29 Apr 2020 08:08:21 -0400 +Subject: [PATCH 13/45] fix(direct): rule in a zone chain + +Fixes: rhbz 1829104 +Fixes: 3c439c9008ad ("chore: eliminate FirewallZoneTransaction class") +(cherry picked from commit f2941a82592b2ac6e9001b0d0f6c321fcb704005) +(cherry picked from commit f1d8753487e99ed8b3b036df36bedb861db00e65) +--- + src/firewall/core/fw_zone.py | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index 59c9401c1060..5677effab146 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -188,7 +188,7 @@ class FirewallZone(object): + if splits[1] not in self.get_zones(): + return None + if len(splits) == 2 or \ +- (len(splits) == 3 and splits[2] in [ "log", "deny", "allow" ]): ++ (len(splits) == 3 and splits[2] in [ "pre", "log", "deny", "allow", "post" ]): + return (splits[1], _chain) + return None + +@@ -200,14 +200,12 @@ class FirewallZone(object): + x = self.zone_from_chain(chain) + if x is not None: + (_zone, _chain) = x +- + if use_transaction is None: + transaction = self.new_transaction() + else: + transaction = use_transaction + +- self.gen_chain_rules(_zone, True, [(table, _chain)], +- transaction) ++ self.gen_chain_rules(_zone, True, table, _chain, transaction) + + if use_transaction is None: + transaction.execute(True) +-- +2.27.0 + diff --git a/SOURCES/0014-test-direct-rule-in-a-zone-chain.patch b/SOURCES/0014-test-direct-rule-in-a-zone-chain.patch new file mode 100644 index 0000000..adceeda --- /dev/null +++ b/SOURCES/0014-test-direct-rule-in-a-zone-chain.patch @@ -0,0 +1,88 @@ +From 162e697cf86947e7ff54a05570146b5b75321e97 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 29 Apr 2020 08:00:35 -0400 +Subject: [PATCH 14/45] test(direct): rule in a zone chain + +Coverage for rhbz 1829104. + +(cherry picked from commit f88617bb205c6891d4f9c1d5231ddf356a3bd59f) +(cherry picked from commit c9f519adea34ec29e262713a543f2b086fb9ffa7) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1829104.at | 55 +++++++++++++++++++++++++++++ + 2 files changed, 56 insertions(+) + create mode 100644 src/tests/regression/rhbz1829104.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 2528ddd3fede..c3a5706c6406 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -28,3 +28,4 @@ m4_include([regression/gh567.at]) + m4_include([regression/rhbz1779835.at]) + m4_include([regression/gh330.at]) + m4_include([regression/gh599.at]) ++m4_include([regression/rhbz1829104.at]) +diff --git a/src/tests/regression/rhbz1829104.at b/src/tests/regression/rhbz1829104.at +new file mode 100644 +index 000000000000..45659eb3c3df +--- /dev/null ++++ b/src/tests/regression/rhbz1829104.at +@@ -0,0 +1,55 @@ ++m4_if(iptables, FIREWALL_BACKEND, [ ++FWD_START_TEST([direct rule in zone chain]) ++AT_KEYWORDS(direct rhbz1829104) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 raw PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 mangle PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat PRE_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter IN_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDI_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 filter FWDO_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_pre 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_log 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_deny 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_allow 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++FWD_CHECK([-q --direct --add-rule ipv4 nat POST_public_post 0 -s 10.10.10.0/24 ! -d 10.0.0.0/8 -j ACCEPT]) ++ ++FWD_END_TEST ++]) +-- +2.27.0 + diff --git a/SOURCES/0015-fix-client-addService-needs-to-reduce-tuple-size.patch b/SOURCES/0015-fix-client-addService-needs-to-reduce-tuple-size.patch new file mode 100644 index 0000000..3d437f2 --- /dev/null +++ b/SOURCES/0015-fix-client-addService-needs-to-reduce-tuple-size.patch @@ -0,0 +1,36 @@ +From 1eb5d5c57edb6e35895fa4ae4314f652da423d92 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 24 Apr 2020 11:27:10 -0400 +Subject: [PATCH 15/45] fix(client): addService needs to reduce tuple size + +The dbus API only allows 8 elements. Reduce the tuple to the correct +size as it's common for clients to do + + settings = FirewallClientServiceSettings() + [..] + addService(settings.settings) + +(cherry picked from commit e2ab8a6e584e6ba2adb0a5e0a13fbb6d7eb39b0c) +(cherry picked from commit 3eae583907a953b71df16747bbabefd24fbdc3ab) +--- + src/firewall/client.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/client.py b/src/firewall/client.py +index efe5d7db1273..ea27c0186509 100644 +--- a/src/firewall/client.py ++++ b/src/firewall/client.py +@@ -2488,7 +2488,9 @@ class FirewallClientConfig(object): + elif type(settings) is dict: + path = self.fw_config.addService2(name, settings) + else: +- path = self.fw_config.addService(name, tuple(settings)) ++ # tuple based dbus API has 8 elements. Slice what we're given down ++ # to the expected size. ++ path = self.fw_config.addService(name, tuple(settings[:8])) + return FirewallClientConfigService(self.bus, path) + + # icmptype +-- +2.27.0 + diff --git a/SOURCES/0016-test-dbus-zone-fix-false-failure-due-to-list-order.patch b/SOURCES/0016-test-dbus-zone-fix-false-failure-due-to-list-order.patch new file mode 100644 index 0000000..64de7d7 --- /dev/null +++ b/SOURCES/0016-test-dbus-zone-fix-false-failure-due-to-list-order.patch @@ -0,0 +1,36 @@ +From c9fccec891a3cd454ad7179ee3871f630b635b47 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 20 Apr 2020 16:45:02 -0400 +Subject: [PATCH 16/45] test(dbus): zone: fix false failure due to list order + +Fixes: b1e7a3843f7c ("test(dbus): zone: verify runtime config APIs") +(cherry picked from commit 8ca79abf32fd609b10b88482c89ee0c9c9711718) +(cherry picked from commit 86feb18448794b58f2725484083ead9ddc0bc451) +--- + src/tests/dbus/zone_runtime_functional.at | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at +index d0098dfdff65..f48d97897cd9 100644 +--- a/src/tests/dbus/zone_runtime_functional.at ++++ b/src/tests/dbus/zone_runtime_functional.at +@@ -281,11 +281,14 @@ DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=10 + DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl + (true,) + ]) ++DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl ++ [(['rule family="ipv4" source address="10.10.10.10" accept'],)] ++]) + DBUS_CHECK([], [zone.addRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept" 0], 0, [dnl + ('public',) + ]) +-DBUS_CHECK([], [zone.getRichRules], ["public"], 0, [dnl +- [(['rule family="ipv4" source address="10.10.10.10" accept', 'rule family="ipv4" source address="20.20.20.20" accept'],)] ++DBUS_CHECK([], [zone.queryRichRule], ["public" "rule family=ipv4 source address=20.20.20.20 accept"], 0, [dnl ++ (true,) + ]) + DBUS_CHECK([], [zone.removeRichRule], ["public" "rule family=ipv4 source address=10.10.10.10 accept"], 0, [dnl + ('public',) +-- +2.27.0 + diff --git a/SOURCES/0017-test-dbus-zone-fix-zone-runtime-functional-test-titl.patch b/SOURCES/0017-test-dbus-zone-fix-zone-runtime-functional-test-titl.patch new file mode 100644 index 0000000..d68d668 --- /dev/null +++ b/SOURCES/0017-test-dbus-zone-fix-zone-runtime-functional-test-titl.patch @@ -0,0 +1,26 @@ +From 9bdee2d94d0fadde8c40d7742176089bed602213 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 24 Apr 2020 13:50:10 -0400 +Subject: [PATCH 17/45] test(dbus): zone: fix zone runtime functional test + title + +Fixes: b1e7a3843f7c ("test(dbus): zone: verify runtime config APIs") +(cherry picked from commit 72191394919d1d69a40e258227dbbc3ee3e0285e) +(cherry picked from commit d0713c7b04ac430adb4855078e91fa62b2c79486) +--- + src/tests/dbus/zone_runtime_functional.at | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at +index f48d97897cd9..bb0798abe7da 100644 +--- a/src/tests/dbus/zone_runtime_functional.at ++++ b/src/tests/dbus/zone_runtime_functional.at +@@ -1,4 +1,4 @@ +-FWD_START_TEST([dbus api - zone permanent functional]) ++FWD_START_TEST([dbus api - zone runtime functional]) + AT_KEYWORDS(dbus zone gh586) + + dnl #################### +-- +2.27.0 + diff --git a/SOURCES/0018-fix-doc-dbus-signatures-for-zone-tuple-based-APIs.patch b/SOURCES/0018-fix-doc-dbus-signatures-for-zone-tuple-based-APIs.patch new file mode 100644 index 0000000..a489d03 --- /dev/null +++ b/SOURCES/0018-fix-doc-dbus-signatures-for-zone-tuple-based-APIs.patch @@ -0,0 +1,55 @@ +From 6112ab6a515ac5813e8b4027976a6dc651647f07 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 16 Apr 2020 15:40:49 -0400 +Subject: [PATCH 18/45] fix(doc): dbus: signatures for zone tuple based APIs + +Fixes: 26e23b8cd945 ("firewall.core.io.zone: New icmp block inversion flag") +(cherry picked from commit 7fbc6f6204a342f5ae92f10923093d2381c9b0ac) +(cherry picked from commit 13edc3137fc3b9ed36207009621dda437a8f87df) +--- + doc/xml/firewalld.dbus.xml | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index 77ad77c01675..1625b9d50576 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -274,7 +274,7 @@ + + + +- getZoneSettings(s: zone) → (sssbsasa(ss)asba(ssss)asasasasa(ss)) ++ getZoneSettings(s: zone) → (sssbsasa(ss)asba(ssss)asasasasa(ss)b) + + + Return runtime settings of given zone. +@@ -2338,7 +2338,7 @@ + + + +- addZone(s: zone, (sssbsasa(ss)asba(ssss)asasasasa(ss)): settings) → o ++ addZone(s: zone, (sssbsasa(ss)asba(ssss)asasasasa(ss)b): settings) → o + + + Add zone with given settings into permanent configuration. +@@ -3810,7 +3810,7 @@ + + + +- getSettings() → (sssbsasa(ss)asba(ssss)asasasasa(ss)) ++ getSettings() → (sssbsasa(ss)asba(ssss)asasasasa(ss)b) + + + Return permanent settings of given zone. +@@ -4309,7 +4309,7 @@ + + + +- update((sssbsasa(ss)asba(ssss)asasasasa(ss)): settings) → Nothing ++ update((sssbsasa(ss)asba(ssss)asasasasa(ss)b): settings) → Nothing + + + Update settings of zone to settings. +-- +2.27.0 + diff --git a/SOURCES/0019-fix-config-bool-values-in-dict-based-import-export.patch b/SOURCES/0019-fix-config-bool-values-in-dict-based-import-export.patch new file mode 100644 index 0000000..9fc68d3 --- /dev/null +++ b/SOURCES/0019-fix-config-bool-values-in-dict-based-import-export.patch @@ -0,0 +1,29 @@ +From cc9d8ac3501b1dc64d6b48990792a06637d69314 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 17 Apr 2020 14:45:16 -0400 +Subject: [PATCH 19/45] fix(config): bool values in dict based import/export + +Always export bool values. + +(cherry picked from commit ae4b9b44ed8e9e62f47846f7032c19b559e3d7ad) +(cherry picked from commit 88016dc40ba2e119fe04e54724fb432404d7e8c1) +--- + src/firewall/core/io/service.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firewall/core/io/service.py b/src/firewall/core/io/service.py +index cf343fe0ce93..0387b6c798b0 100644 +--- a/src/firewall/core/io/service.py ++++ b/src/firewall/core/io/service.py +@@ -96,7 +96,7 @@ class Service(IO_Object): + conf = {} + type_formats = dict([(x[0], x[1]) for x in self.IMPORT_EXPORT_STRUCTURE]) + for key in type_formats: +- if getattr(self, key): ++ if getattr(self, key) or isinstance(getattr(self, key), bool): + conf[key] = copy.deepcopy(getattr(self, key)) + return conf + +-- +2.27.0 + diff --git a/SOURCES/0020-fix-dbus-service-don-t-cleanup-config-for-old-set-AP.patch b/SOURCES/0020-fix-dbus-service-don-t-cleanup-config-for-old-set-AP.patch new file mode 100644 index 0000000..7d1249c --- /dev/null +++ b/SOURCES/0020-fix-dbus-service-don-t-cleanup-config-for-old-set-AP.patch @@ -0,0 +1,39 @@ +From 8d48dfee165ad41ed2d235dc3772c5b588a75521 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 4 May 2020 10:48:10 -0400 +Subject: [PATCH 20/45] fix(dbus): service: don't cleanup config for old set + APIs + +This avoids them from unknowingly wiping away config that the old APIs +are unaware of. + +Fixes: 335a68c1bba5 ("fix: dbus: fix service API break") +(cherry picked from commit 11bd8742158b2b3c9b0412a9ca1cb9ada7fd6fd7) +(cherry picked from commit faa5822d8073336bed29e12b7cc73bedfa4811b7) +--- + src/firewall/core/fw_config.py | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/src/firewall/core/fw_config.py b/src/firewall/core/fw_config.py +index 8f29f0c416d2..35f623f2c8f1 100644 +--- a/src/firewall/core/fw_config.py ++++ b/src/firewall/core/fw_config.py +@@ -566,7 +566,6 @@ class FirewallConfig(object): + + if obj.builtin: + x = copy.copy(obj) +- x.cleanup() + x.import_config(conf_dict) + x.path = config.ETC_FIREWALLD_SERVICES + x.builtin = False +@@ -576,7 +575,6 @@ class FirewallConfig(object): + service_writer(x) + return x + else: +- obj.cleanup() + obj.import_config(conf_dict) + service_writer(obj) + return obj +-- +2.27.0 + diff --git a/SOURCES/0021-test-gh509-only-run-test-for-nftables-backend.patch b/SOURCES/0021-test-gh509-only-run-test-for-nftables-backend.patch new file mode 100644 index 0000000..8f05bb7 --- /dev/null +++ b/SOURCES/0021-test-gh509-only-run-test-for-nftables-backend.patch @@ -0,0 +1,33 @@ +From b33d40f277444f0af0f780b68389af4098ab639b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 6 Jan 2020 15:38:28 -0500 +Subject: [PATCH 21/45] test(gh509): only run test for nftables backend + +The test wipes the config and therefore restarts with defaults (e.g. +the nftables backend). Some hosts under test may not have nftables +available so the test will fail. Only use the test if FIREWALL_BACKEND +is nftables. + +(cherry picked from commit 61140a7ed9d6b26cd030d366eb7c9111a3ad45df) +(cherry picked from commit 4d3907862535298e6f8b6bc566bdce10a86647bc) +--- + src/tests/regression/gh509.at | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/tests/regression/gh509.at b/src/tests/regression/gh509.at +index 00cc51c9c51f..1c151066c2bb 100644 +--- a/src/tests/regression/gh509.at ++++ b/src/tests/regression/gh509.at +@@ -1,3 +1,4 @@ ++m4_if(nftables, FIREWALL_BACKEND, [ + FWD_START_TEST([missing firewalld.conf file]) + AT_KEYWORDS(gh509) + +@@ -12,3 +13,4 @@ FWD_RESTART + FWD_END_TEST([-e '/ERROR: Failed to load/d' dnl + -e '/WARNING:.*No such file or directory:.*/d' dnl + -e '/WARNING: Using fallback firewalld configuration settings/d']) ++]) +-- +2.27.0 + diff --git a/SOURCES/0022-test-ipv6-skip-square-bracket-address-tests-if-ipv6-.patch b/SOURCES/0022-test-ipv6-skip-square-bracket-address-tests-if-ipv6-.patch new file mode 100644 index 0000000..0e7b49b --- /dev/null +++ b/SOURCES/0022-test-ipv6-skip-square-bracket-address-tests-if-ipv6-.patch @@ -0,0 +1,29 @@ +From ab514ea71dcc69abd910790822d67e2854ad54c7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 12 May 2020 09:12:46 -0400 +Subject: [PATCH 22/45] test(ipv6): skip square bracket address tests if ipv6 + not available + +Fixes: ff9cd7a4c618 ("test: ipset: coverage for ipv6 addresses with brackets") +(cherry picked from commit fc626b34171a71f500fac31b9f2929b009993b98) +(cherry picked from commit bd98ef1f5660dc83c5179d4c6204cf62ba985122) +--- + src/tests/regression/rhbz1779835.at | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/tests/regression/rhbz1779835.at b/src/tests/regression/rhbz1779835.at +index 37d1afc990ab..8de5c0353b6e 100644 +--- a/src/tests/regression/rhbz1779835.at ++++ b/src/tests/regression/rhbz1779835.at +@@ -1,6 +1,8 @@ + FWD_START_TEST([ipv6 address with brackets]) + AT_KEYWORDS(rhbz1779835 ipset zone forward_port rich) + ++IF_HOST_SUPPORTS_IPV6_RULES([], [AT_SKIP_IF([:])]) ++ + dnl ipset + FWD_CHECK([-q --permanent --new-ipset=foobar --type=hash:ip --family=inet6]) + FWD_CHECK([[-q --permanent --ipset foobar --add-entry='[1234::4321]']]) +-- +2.27.0 + diff --git a/SOURCES/0023-fix-ipset-flush-the-set-if-IndividiualCalls-yes.patch b/SOURCES/0023-fix-ipset-flush-the-set-if-IndividiualCalls-yes.patch new file mode 100644 index 0000000..be44967 --- /dev/null +++ b/SOURCES/0023-fix-ipset-flush-the-set-if-IndividiualCalls-yes.patch @@ -0,0 +1,34 @@ +From 4a94fcfa0450b653c579118678da409b0f449259 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 12 May 2020 09:34:12 -0400 +Subject: [PATCH 23/45] fix(ipset): flush the set if IndividiualCalls=yes + +Make sure we flush the set when creating. Otherwise a pre-existing set +may have stale entries. + +Fixes: 81d784f8c856 ("test: ipset: verify clean up on exit/reload") +(cherry picked from commit fab381045990f1c994d60c3f7c5813c576e60af1) +(cherry picked from commit a512e55190210ecba57f0ccfda88d39ac3151d13) +--- + src/firewall/core/fw_ipset.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py +index 68f016ba2222..90b24c6264c0 100644 +--- a/src/firewall/core/fw_ipset.py ++++ b/src/firewall/core/fw_ipset.py +@@ -117,6 +117,11 @@ class FirewallIPSet(object): + # no entries visible for ipsets with timeout + continue + ++ try: ++ backend.set_flush(obj.name) ++ except Exception as msg: ++ raise FirewallError(errors.COMMAND_FAILED, msg) ++ + for entry in obj.entries: + try: + backend.set_add(obj.name, entry) +-- +2.27.0 + diff --git a/SOURCES/0024-test-dbus-better-way-to-check-IPv6_rpfilter-expected.patch b/SOURCES/0024-test-dbus-better-way-to-check-IPv6_rpfilter-expected.patch new file mode 100644 index 0000000..4082a98 --- /dev/null +++ b/SOURCES/0024-test-dbus-better-way-to-check-IPv6_rpfilter-expected.patch @@ -0,0 +1,64 @@ +From 729936737ae3588d5b79c9f00760a2228586338b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 12 May 2020 08:25:07 -0400 +Subject: [PATCH 24/45] test(dbus): better way to check IPv6_rpfilter expected + value + +(cherry picked from commit 42e349f57a41305354871ca0c0d08fcf800a2fe3) +(cherry picked from commit a79695be7243802b49c5bdb131c231b1ef8a9350) +--- + src/tests/dbus/firewalld.conf.at | 24 +++++++----------------- + 1 file changed, 7 insertions(+), 17 deletions(-) + +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 4eefa3286f9f..1c957957b3da 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -1,8 +1,13 @@ + FWD_START_TEST([firewalld.conf]) + AT_KEYWORDS(dbus) + +-dnl Verify defaults over dbus. Should be inline with default firewalld.conf. + IF_HOST_SUPPORTS_NFT_FIB([ ++ EXPECTED_IPV6_RPFILTER_VALUE=yes ++], [ ++ EXPECTED_IPV6_RPFILTER_VALUE=no ++]) ++ ++dnl Verify defaults over dbus. Should be inline with default firewalld.conf. + DBUS_GETALL([config], [config], 0, [dnl + string "AllowZoneDrifting" : variant string "yes" + string "AutomaticHelpers" : variant string "no" +@@ -10,28 +15,13 @@ string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" + string "FirewallBackend" : variant string "nftables" + string "FlushAllOnReload" : variant string "yes" +-string "IPv6_rpfilter" : variant string "yes" +-string "IndividualCalls" : variant string "no" +-string "Lockdown" : variant string "no" +-string "LogDenied" : variant string "off" +-string "MinimalMark" : variant int32 100 +-string "RFC3964_IPv4" : variant string "yes" +-])], [ +-DBUS_GETALL([config], [config], 0, [dnl +-string "AllowZoneDrifting" : variant string "yes" +-string "AutomaticHelpers" : variant string "no" +-string "CleanupOnExit" : variant string "no" +-string "DefaultZone" : variant string "public" +-string "FirewallBackend" : variant string "nftables" +-string "FlushAllOnReload" : variant string "yes" +-string "IPv6_rpfilter" : variant string "no" ++string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"]) + string "IndividualCalls" : variant string "no" + string "Lockdown" : variant string "no" + string "LogDenied" : variant string "off" + string "MinimalMark" : variant int32 100 + string "RFC3964_IPv4" : variant string "yes" + ]) +-]) + + m4_define([_helper], [ + DBUS_SET([config], [config], [string:"$1" $2], 0, ignore) +-- +2.27.0 + diff --git a/SOURCES/0025-test-functions-add-macro-IF_HOST_SUPPORTS_NFT_RULE_I.patch b/SOURCES/0025-test-functions-add-macro-IF_HOST_SUPPORTS_NFT_RULE_I.patch new file mode 100644 index 0000000..ed68b54 --- /dev/null +++ b/SOURCES/0025-test-functions-add-macro-IF_HOST_SUPPORTS_NFT_RULE_I.patch @@ -0,0 +1,47 @@ +From 571c32c466f0516d0543926828ce49b004ce584f Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 11 May 2020 17:19:12 -0400 +Subject: [PATCH 25/45] test(functions): add macro + IF_HOST_SUPPORTS_NFT_RULE_INDEX + +(cherry picked from commit 735eb589b2a18129b2b8a9d4dfe8b9375757619a) +(cherry picked from commit cda25d11a9e333ee5cdd9d7e084e7075cb1550bb) +--- + src/tests/functions.at | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 8f5ceba4d3f2..f83720595d2f 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -598,3 +598,27 @@ m4_define([NMCLI_CHECK], [ + NS_CHECK([PIPESTATUS0([nmcli $1], [TRIM_WHITESPACE])], + [$2], [m4_strip([$3])], [m4_strip([$4])], [$5], [$6]) + ]) ++ ++m4_define([IF_HOST_SUPPORTS_NFT_RULE_INDEX], [ ++ m4_if(nftables, FIREWALL_BACKEND, [ ++ AT_DATA([./nft_rule_index.nft], [ ++ add table inet firewalld_check_rule_index ++ add chain inet firewalld_check_rule_index foobar { type filter hook input priority 0 ; } ++ add rule inet firewalld_check_rule_index foobar tcp dport 1234 accept ++ add rule inet firewalld_check_rule_index foobar accept ++ insert rule inet firewalld_check_rule_index foobar index 1 udp dport 4321 accept ++]) ++ NS_CHECK([nft -f ./nft_rule_index.nft]) ++ ++ if test "$( NS_CMD([nft list chain inet firewalld_check_rule_index foobar | head -n 5 |tail -n 1 | TRIM_WHITESPACE]) )" = "udp dport 4321 accept"; then ++ : ++ $1 ++ else ++ : ++ $2 ++ fi ++ ++ NS_CHECK([rm ./nft_rule_index.nft]) ++ NS_CHECK([nft delete table inet firewalld_check_rule_index]) ++ ], [$1]) ++]) +-- +2.27.0 + diff --git a/SOURCES/0026-test-functions-use-IndividualCalls-if-host-doesn-t-s.patch b/SOURCES/0026-test-functions-use-IndividualCalls-if-host-doesn-t-s.patch new file mode 100644 index 0000000..0c648f6 --- /dev/null +++ b/SOURCES/0026-test-functions-use-IndividualCalls-if-host-doesn-t-s.patch @@ -0,0 +1,57 @@ +From 5e35e5d183773984bc69ff035e7f0c69cc99b282 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 11 May 2020 17:22:39 -0400 +Subject: [PATCH 26/45] test(functions): use IndividualCalls if host doesn't + support nft rule index + +(cherry picked from commit 5418d89006665e90f7f742bbdc9a551d9d9a1ca7) +(cherry picked from commit 4224d86814ac6aa80fbc58c2b6f8e53a89adcaba) +--- + src/tests/dbus/firewalld.conf.at | 8 +++++++- + src/tests/functions.at | 4 ++++ + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 1c957957b3da..14d87767a267 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -7,6 +7,12 @@ IF_HOST_SUPPORTS_NFT_FIB([ + EXPECTED_IPV6_RPFILTER_VALUE=no + ]) + ++IF_HOST_SUPPORTS_NFT_RULE_INDEX([ ++ EXPECTED_INDIVIDUAL_CALLS_VALUE=no ++], [ ++ EXPECTED_INDIVIDUAL_CALLS_VALUE=yes ++]) ++ + dnl Verify defaults over dbus. Should be inline with default firewalld.conf. + DBUS_GETALL([config], [config], 0, [dnl + string "AllowZoneDrifting" : variant string "yes" +@@ -16,7 +22,7 @@ string "DefaultZone" : variant string "public" + string "FirewallBackend" : variant string "nftables" + string "FlushAllOnReload" : variant string "yes" + string "IPv6_rpfilter" : variant string m4_escape(["${EXPECTED_IPV6_RPFILTER_VALUE}"]) +-string "IndividualCalls" : variant string "no" ++string "IndividualCalls" : variant string m4_escape(["${EXPECTED_INDIVIDUAL_CALLS_VALUE}"]) + string "Lockdown" : variant string "no" + string "LogDenied" : variant string "off" + string "MinimalMark" : variant int32 100 +diff --git a/src/tests/functions.at b/src/tests/functions.at +index f83720595d2f..1cde4997f920 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -221,6 +221,10 @@ m4_define([FWD_START_TEST], [ + fi + echo "kill $DBUS_PID" >> ./cleanup_late + ++ IF_HOST_SUPPORTS_NFT_RULE_INDEX([], [ ++ AT_CHECK([sed -i 's/^IndividualCalls.*/IndividualCalls=yes/' ./firewalld.conf]) ++ ]) ++ + FWD_START_FIREWALLD + ]) + ]) +-- +2.27.0 + diff --git a/SOURCES/0027-test-check-container-add-support-for-centos8-stream.patch b/SOURCES/0027-test-check-container-add-support-for-centos8-stream.patch new file mode 100644 index 0000000..992a86b --- /dev/null +++ b/SOURCES/0027-test-check-container-add-support-for-centos8-stream.patch @@ -0,0 +1,57 @@ +From 4c90b4a07d2b3f935f5ea8b4607a77f12b66d855 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 10 Dec 2019 10:34:16 -0500 +Subject: [PATCH 27/45] test(check-container): add support for centos8 stream + +(cherry picked from commit 47be9c516344243750b68d570c69e7a5c4022805) +(cherry picked from commit fdf7eb8c8d7b82e68c6488e4755568fd0a5442a1) +--- + src/tests/Makefile.am | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index 6be678146b99..b7556b30ecc8 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -48,7 +48,7 @@ $(TESTSUITE) $(TESTSUITE_INTEGRATION): $(TESTSUITE_FILES) $(srcdir)/package.m4 + $(AUTOTEST) -I '$(srcdir)' -o $@.tmp $@.at + mv $@.tmp $@ + +-CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide ++CONTAINER_TARGETS = check-container-debian-sid check-container-fedora-rawhide check-container-centos8-stream + + check-container-debian-sid-image: check-container-%-image: + (cd $(abs_top_srcdir) && { \ +@@ -76,11 +76,28 @@ check-container-fedora-rawhide-image: check-container-%-image: + echo "COPY . /tmp/firewalld"; \ + } | $(PODMAN) build -t firewalld-testsuite-$* -f - . ) + ++check-container-centos8-stream-image: check-container-%-image: ++ (cd $(abs_top_srcdir) && { \ ++ echo "FROM centos:8" && \ ++ echo "RUN dnf -y makecache" && \ ++ echo "RUN dnf -y install centos-release-stream" && \ ++ echo "RUN dnf -y install autoconf automake conntrack-tools desktop-file-utils \ ++ docbook-style-xsl file gettext glib2-devel intltool ipset \ ++ iptables iptables-ebtables nftables libtool libxml2 \ ++ libxslt make nftables python3-nftables python3-slip-dbus \ ++ python3-gobject-base diffutils procps-ng iproute which dbus-daemon \ ++ NetworkManager" && \ ++ echo "COPY . /tmp/firewalld"; \ ++ } | $(PODMAN) build -t firewalld-testsuite-$* -f - . ) ++ ++check-container-debian-sid: PYTHON=/usr/bin/python3 ++check-container-fedora-rawhide: PYTHON=/usr/bin/python3 ++check-container-centos8-stream: PYTHON=/usr/libexec/platform-python + $(CONTAINER_TARGETS): check-container-%: check-container-%-image + $(PODMAN) run -i --rm --privileged firewalld-testsuite-$* bash -c " \ + cd /tmp/firewalld && \ + ./autogen.sh && \ +- ./configure PYTHON=/usr/bin/python3 && \ ++ ./configure PYTHON=\"${PYTHON}\" && \ + make && \ + { make -C src/tests check-local TESTSUITEFLAGS=\"$(TESTSUITEFLAGS)\" || \ + make -C src/tests check-local TESTSUITEFLAGS=\"--recheck --errexit --verbose\" ; } && \ +-- +2.27.0 + diff --git a/SOURCES/0028-fix-firewall-offline-cmd-remove-instances-of-P-in-he.patch b/SOURCES/0028-fix-firewall-offline-cmd-remove-instances-of-P-in-he.patch new file mode 100644 index 0000000..1ec83d5 --- /dev/null +++ b/SOURCES/0028-fix-firewall-offline-cmd-remove-instances-of-P-in-he.patch @@ -0,0 +1,33 @@ +From fe902f0be61bb0fe25418e5e13f7aa0131e042db Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 19 May 2020 13:24:25 -0400 +Subject: [PATCH 28/45] fix(firewall-offline-cmd): remove instances of "[P]" in + help text + +All commands are permanent. The "[P]" tag is unnecessary. + +(cherry picked from commit 32f7ea86eaf86705d8f52eeb1195e7549653fdce) +(cherry picked from commit 1a22a093088eb7cc23f3b6c4b4ba6fb3323902aa) +--- + src/firewall-offline-cmd.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/firewall-offline-cmd.in b/src/firewall-offline-cmd.in +index 98ca3e81ad7b..c0ad9ec8f64e 100755 +--- a/src/firewall-offline-cmd.in ++++ b/src/firewall-offline-cmd.in +@@ -168,9 +168,9 @@ IPSet Options + --ipset= --get-entries + List entries of an ipset + --ipset= --add-entries-from-file= +- Add a new entries to an ipset [P] ++ Add a new entries to an ipset + --ipset= --remove-entries-from-file= +- Remove entries from an ipset [P] ++ Remove entries from an ipset + + IcmpType Options + --new-icmptype= +-- +2.27.0 + diff --git a/SOURCES/0029-fix-rich-source-mac-with-nftables-backend.patch b/SOURCES/0029-fix-rich-source-mac-with-nftables-backend.patch new file mode 100644 index 0000000..a5d83b6 --- /dev/null +++ b/SOURCES/0029-fix-rich-source-mac-with-nftables-backend.patch @@ -0,0 +1,30 @@ +From 53e62b6640c2d52ca6385120e3215b18d4ea70bf Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 8 Jun 2020 14:58:50 -0400 +Subject: [PATCH 29/45] fix(rich): source mac with nftables backend + +Fixes: #643 +Fixes: rhbz 1843398 +Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface") +(cherry picked from commit e255e7357358b5fe1593225e6bd995850421825a) +(cherry picked from commit d78607ca4862a7b20551a98387ff285499d73440) +--- + src/firewall/core/nftables.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 69ee63b32f8b..97b1cd9f7f1e 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1064,7 +1064,7 @@ class nftables(object): + if addr_field == "daddr": + raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__)) + family = "ether" +- if check_single_address("ipv4", address): ++ elif check_single_address("ipv4", address): + family = "ip" + elif check_address("ipv4", address): + family = "ip" +-- +2.27.0 + diff --git a/SOURCES/0030-test-rich-source-mac-with-nftables-backend.patch b/SOURCES/0030-test-rich-source-mac-with-nftables-backend.patch new file mode 100644 index 0000000..cbc1f06 --- /dev/null +++ b/SOURCES/0030-test-rich-source-mac-with-nftables-backend.patch @@ -0,0 +1,42 @@ +From 8058fda3072600ce65851b43cd3422fe0acdecb4 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 8 Jun 2020 14:11:27 -0400 +Subject: [PATCH 30/45] test(rich): source mac with nftables backend + +With the nftables backend firewalld fails to add a rule that matches the +source mac address. + +(cherry picked from commit ef555fa1538b8df414fecaf400653fb0a95322db) +(cherry picked from commit a1fe0b082aec4ea5f175854412cd7ab4eef4e294) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1843398.at | 8 ++++++++ + 2 files changed, 9 insertions(+) + create mode 100644 src/tests/regression/rhbz1843398.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index c3a5706c6406..984d299bfd4e 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -29,3 +29,4 @@ m4_include([regression/rhbz1779835.at]) + m4_include([regression/gh330.at]) + m4_include([regression/gh599.at]) + m4_include([regression/rhbz1829104.at]) ++m4_include([regression/rhbz1843398.at]) +diff --git a/src/tests/regression/rhbz1843398.at b/src/tests/regression/rhbz1843398.at +new file mode 100644 +index 000000000000..4606e8497223 +--- /dev/null ++++ b/src/tests/regression/rhbz1843398.at +@@ -0,0 +1,8 @@ ++FWD_START_TEST([rich rule source mac]) ++AT_KEYWORDS(rich rhbz1843398 gh643) ++ ++FWD_CHECK([--permanent --add-rich-rule='rule source mac="11:22:33:44:55:66" reject'], 0, [ignore]) ++FWD_CHECK([ --add-rich-rule='rule source mac="11:22:33:44:55:66" reject'], 0, [ignore]) ++FWD_RELOAD ++ ++FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0031-docs-README-add-libxslt-for-doc-generation.patch b/SOURCES/0031-docs-README-add-libxslt-for-doc-generation.patch new file mode 100644 index 0000000..32aaf12 --- /dev/null +++ b/SOURCES/0031-docs-README-add-libxslt-for-doc-generation.patch @@ -0,0 +1,27 @@ +From 944b49770943ec485212f2ca50d73231b7495d65 Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Wed, 10 Jun 2020 17:55:54 -0400 +Subject: [PATCH 31/45] docs(README): add libxslt for doc generation + +(cherry picked from commit 1e9638b07a9c740a4ab5128708f9a40acc2d4668) +(cherry picked from commit 32c7f4c7eeafa4298ca403f45db8fda49f01ed2e) +--- + README | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/README b/README +index 120543588540..7c00c3094949 100644 +--- a/README ++++ b/README +@@ -58,7 +58,7 @@ For use with Python 2: + To be able to create man pages and documentation from docbook files: + + docbook-style-xsl +- ++ libxslt + + Use the usual autoconf/automake incantation to generate makefiles + +-- +2.27.0 + diff --git a/SOURCES/0032-docs-replace-occurrences-of-the-term-blacklist-with-.patch b/SOURCES/0032-docs-replace-occurrences-of-the-term-blacklist-with-.patch new file mode 100644 index 0000000..3ecd0dc --- /dev/null +++ b/SOURCES/0032-docs-replace-occurrences-of-the-term-blacklist-with-.patch @@ -0,0 +1,56 @@ +From d48ffab0a49db8c937bbd62b0b8b755b3dbca4a8 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 23 Jun 2020 13:39:49 -0400 +Subject: [PATCH 32/45] docs: replace occurrences of the term blacklist with + denylist + +(cherry picked from commit af3f7cd074f737c584a42cf1028f18e6fa597204) +(cherry picked from commit 621916b2dbb4cb04da4a0babc3b741202fd709b4) +--- + doc/xml/firewalld.direct.xml | 12 ++++++------ + src/firewall-config.glade | 2 +- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/doc/xml/firewalld.direct.xml b/doc/xml/firewalld.direct.xml +index de7b5973dd7f..d65b66f74513 100644 +--- a/doc/xml/firewalld.direct.xml ++++ b/doc/xml/firewalld.direct.xml +@@ -273,16 +273,16 @@ + Example + + +- Blacklisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with logging and dropping early in the raw table: ++ Denylisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with logging and dropping early in the raw table: + + + <?xml version="1.0" encoding="utf-8"?> + <direct> +- <chain ipv="ipv4" table="raw" chain="blacklist"/> +- <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j blacklist</rule> +- <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j blacklist</rule> +- <rule ipv="ipv4" table="raw" chain="blacklist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "</rule> +- <rule ipv="ipv4" table="raw" chain="blacklist" priority="1">-j DROP</rule> ++ <chain ipv="ipv4" table="raw" chain="denylist"/> ++ <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j denylist</rule> ++ <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j denylist</rule> ++ <rule ipv="ipv4" table="raw" chain="denylist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "denylisted: "</rule> ++ <rule ipv="ipv4" table="raw" chain="denylist" priority="1">-j DROP</rule> + </direct> + + +diff --git a/src/firewall-config.glade b/src/firewall-config.glade +index 689433c47eca..6c057f66f401 100644 +--- a/src/firewall-config.glade ++++ b/src/firewall-config.glade +@@ -9761,7 +9761,7 @@ + + False + start +- For host or network white or blacklisting deactivate the element. ++ For host or network allow or denylisting deactivate the element. + True + 0 + 0 +-- +2.27.0 + diff --git a/SOURCES/0033-fix-update-dynamic-DCE-RPC-ports-in-freeipa-trust-se.patch b/SOURCES/0033-fix-update-dynamic-DCE-RPC-ports-in-freeipa-trust-se.patch new file mode 100644 index 0000000..b684962 --- /dev/null +++ b/SOURCES/0033-fix-update-dynamic-DCE-RPC-ports-in-freeipa-trust-se.patch @@ -0,0 +1,31 @@ +From 542e44f2ba257b7f643770c9e2eedcf9a9f87c9c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 24 Jun 2020 11:08:58 +0300 +Subject: [PATCH 33/45] fix: update dynamic DCE RPC ports in freeipa-trust + service + +Samba did change DCE RPC dynamic port range to 49152-65535 with version +4.7. + +Signed-off-by: Alexander Bokovoy +(cherry picked from commit 0753d6e653b804779f7301737809767f0d5cf9af) +(cherry picked from commit 88bbe05e5bdd510cc2544f2fb201186ef2abb8bb) +--- + config/services/freeipa-trust.xml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/config/services/freeipa-trust.xml b/config/services/freeipa-trust.xml +index 100cab614abe..315f69cce150 100644 +--- a/config/services/freeipa-trust.xml ++++ b/config/services/freeipa-trust.xml +@@ -9,6 +9,6 @@ + + + +- ++ + + +-- +2.27.0 + diff --git a/SOURCES/0034-fix-core-rich-Catch-ValueError-on-non-numeric-priori.patch b/SOURCES/0034-fix-core-rich-Catch-ValueError-on-non-numeric-priori.patch new file mode 100644 index 0000000..cc97cef --- /dev/null +++ b/SOURCES/0034-fix-core-rich-Catch-ValueError-on-non-numeric-priori.patch @@ -0,0 +1,70 @@ +From 4b2fecb2288fdd345f98890f9c801b1e4e2a5474 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 25 Jun 2020 16:42:36 +0200 +Subject: [PATCH 34/45] fix: core: rich: Catch ValueError on non-numeric + priority values + +Be a bit more user-friendly by printing: + +| Error: INVALID_RULE: invalid 'priority' attribute value 'ab'. + +instead of Python's default, which is: + +| Error: invalid literal for int() with base 10: 'ab' + +Fixes: rhbz 1689429 +(cherry picked from commit 3a0e79b1cfe4344d21d30eb47c038252d728cc44) +(cherry picked from commit fa21382cc513cc0dba56ba085782a3e23c863afc) +--- + src/firewall/core/rich.py | 5 ++++- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1689429.at | 12 ++++++++++++ + 3 files changed, 17 insertions(+), 1 deletion(-) + create mode 100644 src/tests/regression/rhbz1689429.at + +diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py +index dacaeb9c0b70..eb4a2d2d9669 100644 +--- a/src/firewall/core/rich.py ++++ b/src/firewall/core/rich.py +@@ -379,7 +379,10 @@ class Rich_Rule(object): + raise FirewallError(errors.INVALID_RULE, "'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead." % attr_value) + self.family = attr_value + elif attr_name == 'priority': +- self.priority = int(attr_value) ++ try: ++ self.priority = int(attr_value) ++ except ValueError: ++ raise FirewallError(errors.INVALID_RULE, "invalid 'priority' attribute value '%s'." % attr_value) + elif attr_name: + if attr_name == 'protocol': + err_msg = "wrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'." +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 984d299bfd4e..1c8f76afa87a 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -30,3 +30,4 @@ m4_include([regression/gh330.at]) + m4_include([regression/gh599.at]) + m4_include([regression/rhbz1829104.at]) + m4_include([regression/rhbz1843398.at]) ++m4_include([regression/rhbz1689429.at]) +diff --git a/src/tests/regression/rhbz1689429.at b/src/tests/regression/rhbz1689429.at +new file mode 100644 +index 000000000000..5701607d660f +--- /dev/null ++++ b/src/tests/regression/rhbz1689429.at +@@ -0,0 +1,12 @@ ++FWD_START_TEST([rich rule invalid priority]) ++AT_KEYWORDS(rich rhbz1689429) ++ ++FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 122, [], ++ [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'. ++]) ++FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 122, [], ++ [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'. ++]) ++FWD_RELOAD ++ ++FWD_END_TEST([ignore]) +-- +2.27.0 + diff --git a/SOURCES/0035-fix-cli-add-zone-is-an-invalid-option-with-direct.patch b/SOURCES/0035-fix-cli-add-zone-is-an-invalid-option-with-direct.patch new file mode 100644 index 0000000..43519c9 --- /dev/null +++ b/SOURCES/0035-fix-cli-add-zone-is-an-invalid-option-with-direct.patch @@ -0,0 +1,55 @@ +From 040621b36e72f63482cce6c4e4daefd8b982387c Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Tue, 23 Jun 2020 20:01:17 -0400 +Subject: [PATCH 35/45] fix(cli): add --zone is an invalid option with --direct + +Fixes: rhbz 1483921 +(cherry picked from commit 303f85fc35d230f6e1980996020011dd8c0c2041) +(cherry picked from commit e946d8c8f4717d269b9ca785cf124d83de7b723e) +--- + src/firewall-cmd.in | 3 +++ + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1483921.at | 8 ++++++++ + 3 files changed, 12 insertions(+) + create mode 100644 src/tests/regression/rhbz1483921.at + +diff --git a/src/firewall-cmd.in b/src/firewall-cmd.in +index 317da5eab6e4..014f3884d64b 100755 +--- a/src/firewall-cmd.in ++++ b/src/firewall-cmd.in +@@ -962,6 +962,9 @@ if (a.direct and not options_direct) or (options_direct and not a.direct): + cmd.fail(parser.format_usage() + + "Wrong usage of 'direct' options.") + ++if a.zone and a.direct: ++ cmd.fail(parser.format_usage() + "--zone is an invalid option with --direct") ++ + if a.name and not (a.new_zone_from_file or a.new_service_from_file or \ + a.new_ipset_from_file or a.new_icmptype_from_file or \ + a.new_helper_from_file): +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 1c8f76afa87a..5241a11a830d 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -31,3 +31,4 @@ m4_include([regression/gh599.at]) + m4_include([regression/rhbz1829104.at]) + m4_include([regression/rhbz1843398.at]) + m4_include([regression/rhbz1689429.at]) ++m4_include([regression/rhbz1483921.at]) +diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at +new file mode 100644 +index 000000000000..d3dd60bc8faf +--- /dev/null ++++ b/src/tests/regression/rhbz1483921.at +@@ -0,0 +1,8 @@ ++FWD_START_TEST([direct zone]) ++ AT_KEYWORDS(direct rhbz1483921) ++ ++ FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) ++ ++ FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) ++FWD_END_TEST ++ +-- +2.27.0 + diff --git a/SOURCES/0036-test-rhbz1483921-better-test-name.patch b/SOURCES/0036-test-rhbz1483921-better-test-name.patch new file mode 100644 index 0000000..8535140 --- /dev/null +++ b/SOURCES/0036-test-rhbz1483921-better-test-name.patch @@ -0,0 +1,29 @@ +From 23a0df223fdcb52b96aa0c68d5faabc5d645682d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 29 Jun 2020 14:48:00 -0400 +Subject: [PATCH 36/45] test(rhbz1483921): better test name + +Fixes: 303f85fc35d2 ("fix(cli): add --zone is an invalid option with --direct") +(cherry picked from commit a844f985f2d160b921ad65c87d91e795ef9a45cb) +(cherry picked from commit 48a97e77452dff84b542006f7e3a64434a993a48) +--- + src/tests/regression/rhbz1483921.at | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at +index d3dd60bc8faf..97939919f9af 100644 +--- a/src/tests/regression/rhbz1483921.at ++++ b/src/tests/regression/rhbz1483921.at +@@ -1,8 +1,7 @@ +-FWD_START_TEST([direct zone]) ++FWD_START_TEST([direct and zone mutually exclusive]) + AT_KEYWORDS(direct rhbz1483921) + + FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) + + FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) + FWD_END_TEST +- +-- +2.27.0 + diff --git a/SOURCES/0037-fix-cli-add-ipset-type-hash-mac-is-incompatible-with.patch b/SOURCES/0037-fix-cli-add-ipset-type-hash-mac-is-incompatible-with.patch new file mode 100644 index 0000000..b6fb921 --- /dev/null +++ b/SOURCES/0037-fix-cli-add-ipset-type-hash-mac-is-incompatible-with.patch @@ -0,0 +1,71 @@ +From 09b9f5a18dbe01d0d3ab9b0db721eadab5e38b35 Mon Sep 17 00:00:00 2001 +From: Vrinda Punj +Date: Mon, 29 Jun 2020 17:34:46 -0400 +Subject: [PATCH 37/45] fix(cli): add ipset type hash:mac is incompatible with + the family parameter Fixes: rhbz1541077 + +(cherry picked from commit dddba7b9c276e9c58f6c2bc554c82252fa084eaf) +(cherry picked from commit 15f5691f0dbffcc1d4c1f42e77e79c6600db0d77) +--- + src/firewall-cmd.in | 3 +++ + src/firewall-offline-cmd.in | 3 +++ + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1541077.at | 9 +++++++++ + 4 files changed, 16 insertions(+) + create mode 100644 src/tests/regression/rhbz1541077.at + +diff --git a/src/firewall-cmd.in b/src/firewall-cmd.in +index 014f3884d64b..b6c2f84f5a9e 100755 +--- a/src/firewall-cmd.in ++++ b/src/firewall-cmd.in +@@ -1074,6 +1074,9 @@ if a.permanent: + if not a.type: + cmd.fail(parser.format_usage() + "No type specified.") + ++ if a.type=='hash:mac' and a.family: ++ cmd.fail(parser.format_usage()+ "--family is not compatible with the hash:mac type") ++ + settings = FirewallClientIPSetSettings() + settings.setType(a.type) + if a.option: +diff --git a/src/firewall-offline-cmd.in b/src/firewall-offline-cmd.in +index c0ad9ec8f64e..98c00548e3e5 100755 +--- a/src/firewall-offline-cmd.in ++++ b/src/firewall-offline-cmd.in +@@ -1577,6 +1577,9 @@ try: + if not a.type: + cmd.fail(parser.format_usage() + "No type specified.") + ++ if a.type=='hash:mac' and a.family: ++ cmd.fail(parser.format_usage() + "--family is not compatible with the hash:mac type") ++ + settings = FirewallClientIPSetSettings() + settings.setType(a.type) + if a.option: +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 5241a11a830d..5c8aae7e64d3 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -32,3 +32,4 @@ m4_include([regression/rhbz1829104.at]) + m4_include([regression/rhbz1843398.at]) + m4_include([regression/rhbz1689429.at]) + m4_include([regression/rhbz1483921.at]) ++m4_include([regression/rhbz1541077.at]) +diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at +new file mode 100644 +index 000000000000..765ab0c6290b +--- /dev/null ++++ b/src/tests/regression/rhbz1541077.at +@@ -0,0 +1,9 @@ ++FWD_START_TEST([hash:mac and family mutually exclusive]) ++ AT_KEYWORDS(ipset rhbz1541077) ++ ++ FWD_CHECK([firewall-cmd --permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) ++ ++ FWD_CHECK([firewall-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) ++ ++ FWD_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) ++FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0038-fix-cli-unify-indentation-for-forward-ports-and-rich.patch b/SOURCES/0038-fix-cli-unify-indentation-for-forward-ports-and-rich.patch new file mode 100644 index 0000000..a3083f7 --- /dev/null +++ b/SOURCES/0038-fix-cli-unify-indentation-for-forward-ports-and-rich.patch @@ -0,0 +1,42 @@ +From 15989f86b18c99d79b342e78a2c3bd26c4973868 Mon Sep 17 00:00:00 2001 +From: Vladislav Grigoryev <20725816+vgaetera@users.noreply.github.com> +Date: Tue, 23 Jun 2020 13:34:40 +0300 +Subject: [PATCH 38/45] fix(cli): unify indentation for forward-ports and rich + rules + +Unify indentation for forward-ports and rich rules in the CLI zone listing. +Do not insert redundant newlines when there are no forward-ports or rich rules. + +(cherry picked from commit 41df4088cd98f35adb3ac836143e7be34bb07a21) +(cherry picked from commit 809fc4b61321cd459dde65559af3dfbd73f4ce1e) +--- + src/firewall/command.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/firewall/command.py b/src/firewall/command.py +index c371dc23584c..8dee63bdda8f 100644 +--- a/src/firewall/command.py ++++ b/src/firewall/command.py +@@ -428,7 +428,7 @@ class FirewallCommand(object): + for port in ports])) + self.print_msg(" protocols: " + " ".join(sorted(protocols))) + self.print_msg(" masquerade: %s" % ("yes" if masquerade else "no")) +- self.print_msg(" forward-ports: " + ++ self.print_msg(" forward-ports: " + ("\n\t" if forward_ports else "") + + "\n\t".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % \ + (port, proto, toport, toaddr) + for (port, proto, toport, toaddr) in \ +@@ -437,8 +437,8 @@ class FirewallCommand(object): + " ".join(["%s/%s" % (port[0], port[1]) + for port in source_ports])) + self.print_msg(" icmp-blocks: " + " ".join(icmp_blocks)) +- self.print_msg(" rich rules: \n\t" + "\n\t".join( +- sorted(rules, key=rich_rule_sorted_key))) ++ self.print_msg(" rich rules: " + ("\n\t" if rules else "") + ++ "\n\t".join(sorted(rules, key=rich_rule_sorted_key))) + + def print_service_info(self, service, settings): + ports = settings.getPorts() +-- +2.27.0 + diff --git a/SOURCES/0039-improvement-service-IPsec-Update-description-and-add.patch b/SOURCES/0039-improvement-service-IPsec-Update-description-and-add.patch new file mode 100644 index 0000000..3db21b8 --- /dev/null +++ b/SOURCES/0039-improvement-service-IPsec-Update-description-and-add.patch @@ -0,0 +1,40 @@ +From 13442af85c144da1eff00cf193db118eb9afb498 Mon Sep 17 00:00:00 2001 +From: Paul Wouters +Date: Mon, 6 Jul 2020 20:43:05 -0400 +Subject: [PATCH 39/45] improvement(service): IPsec: Update description and add + TCP port 4500 + +IKE and IPsec over TCP is defined in RFC 8229. It specifically mentions +no ports to allow administrators to configure any port to prevent being +blocked by networks. + +However, most IKE/IPsec blocking seems to come from unwanted accidental +UDP blocks, so any TCP would usually ensures IPsec can still work on +such networks. The default is therefor to pick the same TCP port as IKE +and IPsec over UDP uses, port 4500. + +(cherry picked from commit 8c4fb4f658719cfb58bacae9e6e82c8e82c3465d) +(cherry picked from commit 0e2733a5b052a4a1d5e1f6f34bca1ff3760948f1) +--- + config/services/ipsec.xml | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/config/services/ipsec.xml b/config/services/ipsec.xml +index 9e70acb40003..824f1f3e539f 100644 +--- a/config/services/ipsec.xml ++++ b/config/services/ipsec.xml +@@ -1,9 +1,10 @@ + + + IPsec +- Internet Protocol Security (IPsec) incorporates security for network transmissions directly into the Internet Protocol (IP). IPsec provides methods for both encrypting data and authentication for the host or network it sends to. If you plan to use a vpnc server or FreeS/WAN, do not disable this option. ++ Internet Protocol Security (IPsec) is the standarized IETF VPN architecture defined in RFC 4301. IPsec is negotiated using the IKEv1 (RFC 2409) or IKEv2 (RFC 7296) protocol, which in itself uses encryption and authentication. IPsec provides Internet Protocol (IP) packet encryption and authentication. Both IKE and IPsec can be encapsulated in UDP (RFC 3948) or TCP (RFC 8229 to make it easier to traverse NAT. Enabling this service will enable IKE, IPsec and their encapsulation protocols and ports. Note that IKE and IPsec can also be configured to use non-default ports, but this is not common practise. + + + + ++ + +-- +2.27.0 + diff --git a/SOURCES/0040-fix-rich-nftables-log-level-warning.patch b/SOURCES/0040-fix-rich-nftables-log-level-warning.patch new file mode 100644 index 0000000..78a8859 --- /dev/null +++ b/SOURCES/0040-fix-rich-nftables-log-level-warning.patch @@ -0,0 +1,30 @@ +From f32a3617acd884f0a1af8e648fe09fa17ac24193 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 21 Jul 2020 15:33:37 -0400 +Subject: [PATCH 40/45] fix(rich): nftables: log level "warning" + +nftables wants the "warn" keyword not "warning". + +(cherry picked from commit f622e65783c4d9f6969701a799d13cb8486d1c0f) +(cherry picked from commit 995cde22cced261c558ecad523befe62eb878d05) +--- + src/firewall/core/nftables.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 97b1cd9f7f1e..85c790b5b51e 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -993,7 +993,8 @@ class nftables(object): + if rich_rule.log.prefix: + log_options["prefix"] = "%s" % rich_rule.log.prefix + if rich_rule.log.level: +- log_options["level"] = "%s" % rich_rule.log.level ++ level = "warn" if "warning" == rich_rule.log.level else rich_rule.log.level ++ log_options["level"] = "%s" % level + + rule = {"family": "inet", + "table": TABLE_NAME, +-- +2.27.0 + diff --git a/SOURCES/0041-fix-rich-icmptypes-with-one-family.patch b/SOURCES/0041-fix-rich-icmptypes-with-one-family.patch new file mode 100644 index 0000000..fd13a1a --- /dev/null +++ b/SOURCES/0041-fix-rich-icmptypes-with-one-family.patch @@ -0,0 +1,85 @@ +From 5acbdc31a56f4b680323ba7aa92383da9e9f25fa Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 22 Jul 2020 09:18:42 -0400 +Subject: [PATCH 41/45] fix(rich): icmptypes with one family + +They were mistakenly being added to both families which fails. + +Fixes: rhbz 1855140 +(cherry picked from commit 0112e36c4e225504b15a1feef3d453a757a00b21) +(cherry picked from commit bd61af7db6f92d48a79fb1e84405aef4f522ffbf) +--- + src/firewall/core/fw_zone.py | 26 +++++++++++--------------- + src/firewall/core/nftables.py | 2 +- + 2 files changed, 12 insertions(+), 16 deletions(-) + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index 5677effab146..b9fe1f6aae97 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1522,14 +1522,17 @@ class FirewallZone(object): + transaction.add_rules(backend, rules) + + def _rule_prepare(self, enable, zone, rule, transaction): +- if rule.family is not None: ++ ipvs = [] ++ if rule.family: + ipvs = [ rule.family ] +- else: +- ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)] ++ elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)): ++ ict = self._fw.icmptype.get_icmptype(rule.element.name) ++ if ict.destination: ++ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination] + + source_ipv = self._rule_source_ipv(rule.source) +- if source_ipv is not None and source_ipv != "": +- if rule.family is not None: ++ if source_ipv: ++ if rule.family: + # rule family is defined by user, no way to change it + if rule.family != source_ipv: + raise FirewallError(errors.INVALID_RULE, +@@ -1538,6 +1541,9 @@ class FirewallZone(object): + # use the source family as rule family + ipvs = [ source_ipv ] + ++ if not ipvs: ++ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)] ++ + # add an element to object to allow backends to know what ipvs this applies to + rule.ipvs = ipvs + +@@ -1699,16 +1705,6 @@ class FirewallZone(object): + # icmp block might have reject or drop action, but not accept + raise FirewallError(errors.INVALID_RULE, + "IcmpBlock not usable with accept action") +- if ict.destination: +- for ipv in ipvs: +- if ipv in ict.destination \ +- and not backend.is_ipv_supported(ipv): +- raise FirewallError( +- errors.INVALID_RULE, +- "Icmp%s %s not usable with %s" % \ +- ("Block" if type(rule.element) == \ +- Rich_IcmpBlock else "Type", +- rule.element.name, backend.name)) + + table = "filter" + if enable: +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 85c790b5b51e..0198200b2372 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -1383,7 +1383,7 @@ class nftables(object): + return ICMP_TYPES_FRAGMENTS[ipv][icmp_type] + else: + raise FirewallError(INVALID_ICMPTYPE, +- "ICMP type '%s' not supported by %s" % (icmp_type, self.name)) ++ "ICMP type '%s' not supported by %s for %s" % (icmp_type, self.name, ipv)) + + def build_zone_icmp_block_rules(self, enable, zone, ict, rich_rule=None): + table = "filter" +-- +2.27.0 + diff --git a/SOURCES/0042-test-rich-icmptypes-with-one-family.patch b/SOURCES/0042-test-rich-icmptypes-with-one-family.patch new file mode 100644 index 0000000..dce2fb1 --- /dev/null +++ b/SOURCES/0042-test-rich-icmptypes-with-one-family.patch @@ -0,0 +1,68 @@ +From 210a2580e405a852b5b64da99e6fead6a0d9e069 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Aug 2020 11:59:04 -0400 +Subject: [PATCH 42/45] test(rich): icmptypes with one family + +Coverage for rhbz 1855140. + +(cherry picked from commit 87ec14dddd742ff5fd8cce04e68c8bf9db8237e9) +(cherry picked from commit d5e74f5c4feb4a6ce060c2ded30f67a0fbe44865) +--- + src/tests/regression/regression.at | 1 + + src/tests/regression/rhbz1855140.at | 35 +++++++++++++++++++++++++++++ + 2 files changed, 36 insertions(+) + create mode 100644 src/tests/regression/rhbz1855140.at + +diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at +index 5c8aae7e64d3..d7b4d56239d1 100644 +--- a/src/tests/regression/regression.at ++++ b/src/tests/regression/regression.at +@@ -33,3 +33,4 @@ m4_include([regression/rhbz1843398.at]) + m4_include([regression/rhbz1689429.at]) + m4_include([regression/rhbz1483921.at]) + m4_include([regression/rhbz1541077.at]) ++m4_include([regression/rhbz1855140.at]) +diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at +new file mode 100644 +index 000000000000..8059e29fe71a +--- /dev/null ++++ b/src/tests/regression/rhbz1855140.at +@@ -0,0 +1,35 @@ ++FWD_START_TEST([rich rule icmptypes with one family]) ++AT_KEYWORDS(rich icmp rhbz1855140) ++ ++FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore) ++FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore) ++FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore) ++FWD_RELOAD ++NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl ++ table inet firewalld { ++ chain filter_IN_public_allow { ++ tcp dport 22 ct state new,untracked accept ++ ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept ++ tcp dport 9090 ct state new,untracked accept ++ icmp type echo-request accept ++ icmpv6 type echo-request accept ++ icmpv6 type nd-neighbor-advert accept ++ icmp type timestamp-request accept ++ } ++ } ++]) ++IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED ++ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 ++ ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13 ++]) ++IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl ++ ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED ++ ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED ++ ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED ++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128 ++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136 ++]) ++ ++FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0043-fix-LastUpdatedOrderedDict-__getitem__-fetch-from-li.patch b/SOURCES/0043-fix-LastUpdatedOrderedDict-__getitem__-fetch-from-li.patch new file mode 100644 index 0000000..2767cf2 --- /dev/null +++ b/SOURCES/0043-fix-LastUpdatedOrderedDict-__getitem__-fetch-from-li.patch @@ -0,0 +1,59 @@ +From d76d54277bc51398f7aa20b3dce0863e3520810b Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 29 Jul 2020 15:18:38 -0400 +Subject: [PATCH 43/45] fix(LastUpdatedOrderedDict): __getitem__(): fetch from + list if int + +If the LastUpdatedOrderedDict contains a boolean key, e.g. + + myLastUpdatedOrderedDict = LastUpdatedOrderedDict() + myLastUpdatedOrderedDic[True] = "true" + +then + + myLastUpdatedOrderedDic[1] + +yields "true". As such, using the LastUpdatedOrderedDict as an iterable +e.g. + + for foo in myLastUpdatedOrderedDict: + ... + +would mean that the for loop tries integer indexes 0 (returns key True), +and then 1 (also returns key True). This caused duplicate walks of a key +True if it was the first key in the LastUpdatedOrderedDict. + +This occurs because + + >>> True == 1 + True + >>> False == 0 + True + +(cherry picked from commit 55754b65be6eaa697382992679e6673346e39f78) +(cherry picked from commit 1561dbc6c2b8f8f7f27b89810a8dda9b869b1923) +--- + src/firewall/fw_types.py | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/firewall/fw_types.py b/src/firewall/fw_types.py +index 07c69c61702f..3d90c1812aec 100644 +--- a/src/firewall/fw_types.py ++++ b/src/firewall/fw_types.py +@@ -54,10 +54,10 @@ class LastUpdatedOrderedDict(object): + self._dict[key] = value + + def __getitem__(self, key): +- if key in self._dict: +- return self._dict[key] +- else: ++ if type(key) == int: + return self._list[key] ++ else: ++ return self._dict[key] + + def __len__(self): + return len(self._list) +-- +2.27.0 + diff --git a/SOURCES/0044-test-regression-rhbz1483921-correctly-use-macros.patch b/SOURCES/0044-test-regression-rhbz1483921-correctly-use-macros.patch new file mode 100644 index 0000000..3d91816 --- /dev/null +++ b/SOURCES/0044-test-regression-rhbz1483921-correctly-use-macros.patch @@ -0,0 +1,35 @@ +From 38eec50b2a48b586b4dcceb03f119be967690c79 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Aug 2020 12:07:24 -0400 +Subject: [PATCH 44/45] test(regression/rhbz1483921): correctly use macros + +"firewall-cmd" is implicit in the macro. Specifying it will result in +CLI parse failure. + +Fixes: 303f85fc35d2 ("fix(cli): add --zone is an invalid option with --direct") +(cherry picked from commit 0b8a2554463cfb96e17fbd31b8cbf4f6235e8625) +(cherry picked from commit bf6e1b8c1943166c60b9df25ae424e635ba23253) +--- + src/tests/regression/rhbz1483921.at | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/src/tests/regression/rhbz1483921.at b/src/tests/regression/rhbz1483921.at +index 97939919f9af..4536615318eb 100644 +--- a/src/tests/regression/rhbz1483921.at ++++ b/src/tests/regression/rhbz1483921.at +@@ -1,7 +1,8 @@ + FWD_START_TEST([direct and zone mutually exclusive]) +- AT_KEYWORDS(direct rhbz1483921) ++AT_KEYWORDS(direct rhbz1483921) ++ ++FWD_CHECK([--zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, [ignore], [ignore]) ++ ++FWD_CHECK([--zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, [ignore], [ignore]) + +- FWD_CHECK([firewall-cmd --zone=public --permanent --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) +- +- FWD_CHECK([firewall-cmd --zone=public --direct --add-rule ipv4 nat OUTPUT 1 -p tcp --dport 8443 -j DNAT --to-port 9443], 2, ignore,ignore) + FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0045-test-regression-rhbz1541077-correctly-use-macros.patch b/SOURCES/0045-test-regression-rhbz1541077-correctly-use-macros.patch new file mode 100644 index 0000000..fdf01ea --- /dev/null +++ b/SOURCES/0045-test-regression-rhbz1541077-correctly-use-macros.patch @@ -0,0 +1,37 @@ +From 025b24b137cfe8c9ef7145848764f0051084df71 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 4 Aug 2020 12:11:16 -0400 +Subject: [PATCH 45/45] test(regression/rhbz1541077): correctly use macros + +"firewall-cmd" is implicit in the macro. Specifying it will result in +CLI parse failure. + +Fixes: dddba7b9c276 ("fix(cli): add ipset type hash:mac is incompatible with the family parameter") +(cherry picked from commit 6e279ef6517a1ee4e2f9ac60922e8ddac8b096b7) +(cherry picked from commit a9976e7165a5b88eedc30357250add8e690210f1) +--- + src/tests/regression/rhbz1541077.at | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at +index 765ab0c6290b..692ca8ecc892 100644 +--- a/src/tests/regression/rhbz1541077.at ++++ b/src/tests/regression/rhbz1541077.at +@@ -1,9 +1,9 @@ + FWD_START_TEST([hash:mac and family mutually exclusive]) +- AT_KEYWORDS(ipset rhbz1541077) ++AT_KEYWORDS(ipset rhbz1541077) + +- FWD_CHECK([firewall-cmd --permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) +- +- FWD_CHECK([firewall-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) ++FWD_CHECK([--permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) ++FWD_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) ++ ++AT_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore]) + +- FWD_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, ignore,ignore) + FWD_END_TEST +-- +2.27.0 + diff --git a/SOURCES/0046-fix-rich-use-correct-error-code-for-invalid-priority.patch b/SOURCES/0046-fix-rich-use-correct-error-code-for-invalid-priority.patch new file mode 100644 index 0000000..f3ae903 --- /dev/null +++ b/SOURCES/0046-fix-rich-use-correct-error-code-for-invalid-priority.patch @@ -0,0 +1,49 @@ +From 32de2767e869970877c19c8919e37de375351bc1 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 6 Aug 2020 08:24:02 -0400 +Subject: [PATCH] fix(rich): use correct error code for invalid priority + +Fixes: 3a0e79b1cfe4 ("fix: core: rich: Catch ValueError on non-numeric priority values") +(cherry picked from commit e1562ba92caec988c7cf397b2fa77b8d41592c7e) +(cherry picked from commit 5a4e35317a32422dec4acffc845a6651f65680da) +--- + src/firewall/core/rich.py | 2 +- + src/tests/regression/rhbz1689429.at | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py +index eb4a2d2d9669..86c0c998a478 100644 +--- a/src/firewall/core/rich.py ++++ b/src/firewall/core/rich.py +@@ -382,7 +382,7 @@ class Rich_Rule(object): + try: + self.priority = int(attr_value) + except ValueError: +- raise FirewallError(errors.INVALID_RULE, "invalid 'priority' attribute value '%s'." % attr_value) ++ raise FirewallError(errors.INVALID_PRIORITY, "invalid 'priority' attribute value '%s'." % attr_value) + elif attr_name: + if attr_name == 'protocol': + err_msg = "wrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'." +diff --git a/src/tests/regression/rhbz1689429.at b/src/tests/regression/rhbz1689429.at +index 5701607d660f..9157c9544ffc 100644 +--- a/src/tests/regression/rhbz1689429.at ++++ b/src/tests/regression/rhbz1689429.at +@@ -1,11 +1,11 @@ + FWD_START_TEST([rich rule invalid priority]) + AT_KEYWORDS(rich rhbz1689429) + +-FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 122, [], +- [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'. ++FWD_CHECK([--add-rich-rule='rule priority=foo accept'], 139, [], ++ [Error: INVALID_PRIORITY: invalid 'priority' attribute value 'foo'. + ]) +-FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 122, [], +- [Error: INVALID_RULE: invalid 'priority' attribute value 'foo'. ++FWD_CHECK([--permanent --add-rich-rule='rule priority=foo accept'], 139, [], ++ [Error: INVALID_PRIORITY: invalid 'priority' attribute value 'foo'. + ]) + FWD_RELOAD + +-- +2.27.0 + diff --git a/SOURCES/0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch b/SOURCES/0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch new file mode 100644 index 0000000..e867f13 --- /dev/null +++ b/SOURCES/0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch @@ -0,0 +1,55 @@ +From cd284a0cacb0e9c1b75a7651b83848dd51e52ffd Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 7 Aug 2020 07:42:00 -0400 +Subject: [PATCH] test(dbus): zone: add nm-shared to expected output if it + exists + +newer networkmanager ships with this zone. as such, if nm is installed +the expected "get zones" output changes. + +(cherry picked from commit a609c15657e68bacbc05d87cb71f366148cb8ced) +(cherry picked from commit 9f8f9390ef0a1631c07cae37be2ab27f29d0f34d) +--- + src/tests/dbus/zone_permanent_functional.at | 6 +++++- + src/tests/dbus/zone_runtime_functional.at | 6 +++++- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/tests/dbus/zone_permanent_functional.at b/src/tests/dbus/zone_permanent_functional.at +index 2261832e00a8..75645983dbf7 100644 +--- a/src/tests/dbus/zone_permanent_functional.at ++++ b/src/tests/dbus/zone_permanent_functional.at +@@ -30,8 +30,12 @@ export DBUS_FOOBAR_ZONE_OBJ + + dnl Get Zones + dnl ++if NS_CMD([firewall-cmd --get-zones |grep "nm-shared" >/dev/null]); then ++ NM_SHARED="'nm-shared', " ++ export NM_SHARED ++fi + DBUS_CHECK([config], [config.getZoneNames], [], 0, [dnl +- [(['block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', 'public', 'trusted', 'work'],)] ++ (@<:@'block', 'dmz', 'drop', 'external', 'foobar', 'home', 'internal', m4_escape([${NM_SHARED}])'public', 'trusted', 'work'@:>@,) + ]) + DBUS_CHECK([config], [config.listZones], [], 0, [stdout]) + NS_CHECK([sed -e ["s/['][,]/'\n/g"] ./stdout |dnl +diff --git a/src/tests/dbus/zone_runtime_functional.at b/src/tests/dbus/zone_runtime_functional.at +index bb0798abe7da..b5799b9b1ca3 100644 +--- a/src/tests/dbus/zone_runtime_functional.at ++++ b/src/tests/dbus/zone_runtime_functional.at +@@ -36,8 +36,12 @@ DBUS_CHECK([], [getDefaultZone], [], 0, [dnl + ]) + + dnl Fetching Zones ++if NS_CMD([firewall-cmd --get-zones |grep "nm-shared" >/dev/null]); then ++ NM_SHARED="'nm-shared', " ++ export NM_SHARED ++fi + DBUS_CHECK([], [zone.getZones], [], 0, [dnl +- [(['block', 'dmz', 'drop', 'external', 'home', 'internal', 'public', 'trusted', 'work'],)] ++ (@<:@'block', 'dmz', 'drop', 'external', 'home', 'internal', m4_escape([${NM_SHARED}])'public', 'trusted', 'work'@:>@,) + ]) + FWD_CHECK([-q --zone public --add-interface dummy0]) + FWD_CHECK([-q --zone public --add-source 10.1.1.1]) +-- +2.27.0 + diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec index 716222c..7cf2529 100644 --- a/SPECS/firewalld.spec +++ b/SPECS/firewalld.spec @@ -1,7 +1,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 0.8.2 -Release: 1%{?dist} +Release: 2%{?dist} URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz @@ -15,6 +15,43 @@ Patch7: 0007-test-dbus-zone-verify-permanent-config-API-signature.patch Patch8: 0008-test-dbus-zone-verify-runtime-config-API-signatures.patch Patch9: 0009-fix-test-regression-gh599-use-expr-to-be-more-portab.patch Patch10: 0010-fix-systemd-Conflict-with-nftables.service.patch +Patch11: 0011-test-dbus-zone-verify-permanent-config-APIs.patch +Patch12: 0012-test-dbus-zone-verify-runtime-config-APIs.patch +Patch13: 0013-fix-direct-rule-in-a-zone-chain.patch +Patch14: 0014-test-direct-rule-in-a-zone-chain.patch +Patch15: 0015-fix-client-addService-needs-to-reduce-tuple-size.patch +Patch16: 0016-test-dbus-zone-fix-false-failure-due-to-list-order.patch +Patch17: 0017-test-dbus-zone-fix-zone-runtime-functional-test-titl.patch +Patch18: 0018-fix-doc-dbus-signatures-for-zone-tuple-based-APIs.patch +Patch19: 0019-fix-config-bool-values-in-dict-based-import-export.patch +Patch20: 0020-fix-dbus-service-don-t-cleanup-config-for-old-set-AP.patch +Patch21: 0021-test-gh509-only-run-test-for-nftables-backend.patch +Patch22: 0022-test-ipv6-skip-square-bracket-address-tests-if-ipv6-.patch +Patch23: 0023-fix-ipset-flush-the-set-if-IndividiualCalls-yes.patch +Patch24: 0024-test-dbus-better-way-to-check-IPv6_rpfilter-expected.patch +Patch25: 0025-test-functions-add-macro-IF_HOST_SUPPORTS_NFT_RULE_I.patch +Patch26: 0026-test-functions-use-IndividualCalls-if-host-doesn-t-s.patch +Patch27: 0027-test-check-container-add-support-for-centos8-stream.patch +Patch28: 0028-fix-firewall-offline-cmd-remove-instances-of-P-in-he.patch +Patch29: 0029-fix-rich-source-mac-with-nftables-backend.patch +Patch30: 0030-test-rich-source-mac-with-nftables-backend.patch +Patch31: 0031-docs-README-add-libxslt-for-doc-generation.patch +Patch32: 0032-docs-replace-occurrences-of-the-term-blacklist-with-.patch +Patch33: 0033-fix-update-dynamic-DCE-RPC-ports-in-freeipa-trust-se.patch +Patch34: 0034-fix-core-rich-Catch-ValueError-on-non-numeric-priori.patch +Patch35: 0035-fix-cli-add-zone-is-an-invalid-option-with-direct.patch +Patch36: 0036-test-rhbz1483921-better-test-name.patch +Patch37: 0037-fix-cli-add-ipset-type-hash-mac-is-incompatible-with.patch +Patch38: 0038-fix-cli-unify-indentation-for-forward-ports-and-rich.patch +Patch39: 0039-improvement-service-IPsec-Update-description-and-add.patch +Patch40: 0040-fix-rich-nftables-log-level-warning.patch +Patch41: 0041-fix-rich-icmptypes-with-one-family.patch +Patch42: 0042-test-rich-icmptypes-with-one-family.patch +Patch43: 0043-fix-LastUpdatedOrderedDict-__getitem__-fetch-from-li.patch +Patch44: 0044-test-regression-rhbz1483921-correctly-use-macros.patch +Patch45: 0045-test-regression-rhbz1541077-correctly-use-macros.patch +Patch46: 0046-fix-rich-use-correct-error-code-for-invalid-priority.patch +Patch47: 0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch BuildArch: noarch BuildRequires: autoconf @@ -213,6 +250,15 @@ desktop-file-install --delete-original \ %{_mandir}/man1/firewall-config*.1* %changelog +* Tue Aug 04 2020 Eric Garver - 0.8.2-2 +- fix(cli): add ipset type hash:mac is incompatible with the family parameter +- fix(cli): add --zone is an invalid option with --direct +- fix: update dynamic DCE RPC ports in freeipa-trust service +- fix: core: rich: Catch ValueError on non-numeric priority values +- fix(rich): icmptypes with one family +- fix(direct): rule in a zone chain +- plus additional upstream stable fixes + * Mon Apr 06 2020 Eric Garver - 0.8.2-1 - rebase to v0.8.2