diff --git a/SOURCES/0032-fix-avoid-calling-backends-that-aren-t-available.patch b/SOURCES/0032-fix-avoid-calling-backends-that-aren-t-available.patch new file mode 100644 index 0000000..a67f970 --- /dev/null +++ b/SOURCES/0032-fix-avoid-calling-backends-that-aren-t-available.patch @@ -0,0 +1,127 @@ +From fcff9a0adbc8042544372e1af5d84b48e6d52c93 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 13 May 2019 09:40:31 -0400 +Subject: [PATCH 32/37] fix: avoid calling backends that aren't available + +We should operate just fine if some backend aren't available, e.g. +ip6tables. This fixes some areas that broke that. + +Fixes: #491 +(cherry picked from commit 3fdffa76be42ce88bff35ce2b84c2beda3c016a1) +(cherry picked from commit 86d003dcdbd2eb20ac32858f7cfa3074169d5b5e) +--- + src/firewall/core/fw.py | 54 ++++++++++++++++++------------------ + src/firewall/core/fw_zone.py | 4 ++- + 2 files changed, 30 insertions(+), 28 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index abb25f0c3e72..998de99e9532 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -703,24 +703,24 @@ class Firewall(object): + def get_backend_by_ipv(self, ipv): + if self.nftables_enabled: + return self.nftables_backend +- if ipv == "ipv4": ++ if ipv == "ipv4" and self.ip4tables_enabled: + return self.ip4tables_backend +- elif ipv == "ipv6": ++ elif ipv == "ipv6" and self.ip6tables_enabled: + return self.ip6tables_backend +- elif ipv == "eb": ++ elif ipv == "eb" and self.ebtables_enabled: + return self.ebtables_backend + raise FirewallError(errors.INVALID_IPV, +- "'%s' is not a valid backend" % ipv) ++ "'%s' is not a valid backend or is unavailable" % ipv) + + def get_direct_backend_by_ipv(self, ipv): +- if ipv == "ipv4": ++ if ipv == "ipv4" and self.ip4tables_enabled: + return self.ip4tables_backend +- elif ipv == "ipv6": ++ elif ipv == "ipv6" and self.ip6tables_enabled: + return self.ip6tables_backend +- elif ipv == "eb": ++ elif ipv == "eb" and self.ebtables_enabled: + return self.ebtables_backend + raise FirewallError(errors.INVALID_IPV, +- "'%s' is not a valid backend" % ipv) ++ "'%s' is not a valid backend or is unavailable" % ipv) + + def is_backend_enabled(self, name): + if name == "ip4tables": +@@ -791,29 +791,29 @@ class Firewall(object): + rules = backend.build_default_rules(self._log_denied) + transaction.add_rules(backend, rules) + +- ipv6_backend = self.get_backend_by_ipv("ipv6") +- if self.ipv6_rpfilter_enabled and \ +- "raw" in ipv6_backend.get_available_tables(): ++ if self.is_ipv_enabled("ipv6"): ++ ipv6_backend = self.get_backend_by_ipv("ipv6") ++ if self.ipv6_rpfilter_enabled and \ ++ "raw" in ipv6_backend.get_available_tables(): + +- # Execute existing transaction +- transaction.execute(True) +- # Start new transaction +- transaction.clear() ++ # Execute existing transaction ++ transaction.execute(True) ++ # Start new transaction ++ transaction.clear() + +- rules = ipv6_backend.build_rpfilter_rules(self._log_denied) +- transaction.add_rules(ipv6_backend, rules) ++ rules = ipv6_backend.build_rpfilter_rules(self._log_denied) ++ transaction.add_rules(ipv6_backend, rules) + +- # Execute ipv6_rpfilter transaction, it might fail +- try: +- transaction.execute(True) +- except FirewallError as msg: +- log.warning("Applying rules for ipv6_rpfilter failed: %s", msg) +- # Start new transaction +- transaction.clear() ++ # Execute ipv6_rpfilter transaction, it might fail ++ try: ++ transaction.execute(True) ++ except FirewallError as msg: ++ log.warning("Applying rules for ipv6_rpfilter failed: %s", msg) ++ # Start new transaction ++ transaction.clear() + +- else: +- if use_transaction is None: +- transaction.execute(True) ++ if use_transaction is None: ++ transaction.execute(True) + + # flush and policy + +diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py +index d5eafb863439..31d7d6a168a8 100644 +--- a/src/firewall/core/fw_zone.py ++++ b/src/firewall/core/fw_zone.py +@@ -1554,7 +1554,7 @@ class FirewallZone(object): + if rule.family is not None: + ipvs = [ rule.family ] + else: +- ipvs = [ "ipv4", "ipv6" ] ++ ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)] + + source_ipv = self._rule_source_ipv(rule.source) + if source_ipv is not None and source_ipv != "": +@@ -1804,6 +1804,8 @@ class FirewallZone(object): + # + backends_ipv = [] + for ipv in ["ipv4", "ipv6"]: ++ if not self._fw.is_ipv_enabled(ipv): ++ continue + backend = self._fw.get_backend_by_ipv(ipv) + if len(svc.destination) > 0: + if ipv in svc.destination: +-- +2.20.1 + diff --git a/SOURCES/0033-test-pass-IPTABLES-make-variables-down-to-autotest.patch b/SOURCES/0033-test-pass-IPTABLES-make-variables-down-to-autotest.patch new file mode 100644 index 0000000..0172150 --- /dev/null +++ b/SOURCES/0033-test-pass-IPTABLES-make-variables-down-to-autotest.patch @@ -0,0 +1,90 @@ +From 71e90d92c71d48f130e803f9b4de5224f774d84c Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 14 May 2019 08:58:37 -0400 +Subject: [PATCH 33/37] test: pass IPTABLES make variables down to autotest + +(cherry picked from commit 8533c488a30de680769d61a08bc5f404716b04ee) +(cherry picked from commit 9de0a22a6046a162389617fd775a8c4a79ea6afa) +--- + src/tests/Makefile.am | 7 ++++++- + src/tests/functions.at | 4 ++-- + src/tests/regression/icmp_block_in_forward_chain.at | 4 ++-- + src/tests/regression/rhbz1514043.at | 2 +- + 4 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index a30ce4d5d607..2a5645ba81d8 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -15,7 +15,11 @@ $(srcdir)/package.m4: $(top_srcdir)/configure.ac $(top_srcdir)/firewalld.spec + echo 'm4_define([AT_PACKAGE_VERSION],[$(PACKAGE_VERSION)])' && \ + echo 'm4_define([AT_PACKAGE_STRING],[$(PACKAGE_STRING)])' && \ + echo 'm4_define([AT_PACKAGE_URL],[http://firewalld.org/])' && \ +- echo 'm4_define([AT_PACKAGE_BUGREPORT],[https://github.com/firewalld/firewalld])'; \ ++ echo 'm4_define([AT_PACKAGE_BUGREPORT],[https://github.com/firewalld/firewalld])' && \ ++ echo 'm4_define([IPTABLES],[$(IPTABLES)])' && \ ++ echo 'm4_define([IPTABLES_RESTORE],[$(IPTABLES_RESTORE)])' && \ ++ echo 'm4_define([IP6TABLES],[$(IP6TABLES)])' && \ ++ echo 'm4_define([IP6TABLES_RESTORE],[$(IP6TABLES_RESTORE)])' ; \ + } > "$@" + + check-local: atconfig $(TESTSUITE) +@@ -31,6 +35,7 @@ installcheck-local: atconfig $(TESTSUITE) + + clean-local: + test ! -f '$(TESTSUITE)' || $(SHELL) '$(TESTSUITE)' --clean ++ -rm $(srcdir)/package.m4 + + AUTOM4TE = $(SHELL) $(top_srcdir)/missing --run autom4te + AUTOTEST = $(AUTOM4TE) --language=autotest +diff --git a/src/tests/functions.at b/src/tests/functions.at +index cf72e8f69ec4..70d5ec66590d 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -232,13 +232,13 @@ m4_define([EBTABLES_LIST_RULES], [ + + m4_define([IPTABLES_LIST_RULES], [ + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ +- NS_CHECK([iptables -w -n -t $1 -L $2 | TRIM_WHITESPACE | tail -n +3], [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7]) ++ NS_CHECK([IPTABLES -w -n -t $1 -L $2 | TRIM_WHITESPACE | tail -n +3], [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7]) + ]) + ]) + + m4_define([IP6TABLES_LIST_RULES], [ + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ +- NS_CHECK([ip6tables -w -n -t $1 -L $2 | TRIM_WHITESPACE | tail -n +3], [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7]) ++ NS_CHECK([IP6TABLES -w -n -t $1 -L $2 | TRIM_WHITESPACE | tail -n +3], [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7]) + ]) + ]) + +diff --git a/src/tests/regression/icmp_block_in_forward_chain.at b/src/tests/regression/icmp_block_in_forward_chain.at +index 77f3f274bc5a..3c8766a2b23b 100644 +--- a/src/tests/regression/icmp_block_in_forward_chain.at ++++ b/src/tests/regression/icmp_block_in_forward_chain.at +@@ -2,8 +2,8 @@ FWD_START_TEST([ICMP block present FORWARD chain]) + + FWD_CHECK([-q --zone=public --add-icmp-block=host-prohibited]) + m4_if(iptables, FIREWALL_BACKEND, [ +- NS_CHECK([iptables -L IN_public_deny | grep "host-prohibited"], 0, ignore) +- NS_CHECK([iptables -L FWDI_public_deny | grep "host-prohibited"], 0, ignore) ++ NS_CHECK([IPTABLES -L IN_public_deny | grep "host-prohibited"], 0, ignore) ++ NS_CHECK([IPTABLES -L FWDI_public_deny | grep "host-prohibited"], 0, ignore) + ], [ + NS_CHECK([nft list chain inet firewalld filter_IN_public_deny | grep "destination-unreachable" |grep "\(code 10\|host-prohibited\)"], 0, ignore) + NS_CHECK([nft list chain inet firewalld filter_FWDI_public_deny | grep "destination-unreachable" |grep "\(code 10\|host-prohibited\)"], 0, ignore) +diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at +index a7368dbd9eeb..a9750a584898 100644 +--- a/src/tests/regression/rhbz1514043.at ++++ b/src/tests/regression/rhbz1514043.at +@@ -7,7 +7,7 @@ services: dhcpv6-client samba ssh + ]) + dnl check that log denied actually took effect + m4_if(iptables, FIREWALL_BACKEND, [ +- NS_CHECK([iptables -t filter -L | grep "FINAL_REJECT:"], 0, ignore) ++ NS_CHECK([IPTABLES -t filter -L | grep "FINAL_REJECT:"], 0, ignore) + ], [ + NS_CHECK([nft list chain inet firewalld filter_INPUT | grep "FINAL_REJECT"], 0, ignore) + NS_CHECK([nft list chain inet firewalld filter_FORWARD | grep "FINAL_REJECT"], 0, ignore) +-- +2.20.1 + diff --git a/SOURCES/0034-test-add-macro-HOST_SUPPORTS_IP6TABLES.patch b/SOURCES/0034-test-add-macro-HOST_SUPPORTS_IP6TABLES.patch new file mode 100644 index 0000000..6990256 --- /dev/null +++ b/SOURCES/0034-test-add-macro-HOST_SUPPORTS_IP6TABLES.patch @@ -0,0 +1,41 @@ +From a565735cdf292e06d9530accee226beed0069368 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 13 May 2019 13:52:56 -0400 +Subject: [PATCH 34/37] test: add macro HOST_SUPPORTS_IP6TABLES + +(cherry picked from commit 4d5c3f190dc309ab03543dc7a65e45ee52858bd9) +(cherry picked from commit ada120045f6a1d387edf02772e889717da68050b) +--- + src/tests/functions.at | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 70d5ec66590d..da90f9ce549b 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -238,8 +238,10 @@ m4_define([IPTABLES_LIST_RULES], [ + + m4_define([IP6TABLES_LIST_RULES], [ + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ ++ m4_if(yes, HOST_SUPPORTS_IP6TABLES, [ + NS_CHECK([IP6TABLES -w -n -t $1 -L $2 | TRIM_WHITESPACE | tail -n +3], [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7]) + ]) ++ ]) + ]) + + m4_define([NFT_LIST_RULES], [ +@@ -355,3 +357,11 @@ m4_ifnblank( + [m4_define([HOST_SUPPORTS_NFT_FIB], [yes])], + [m4_define([HOST_SUPPORTS_NFT_FIB], [no])] + ) ++ ++m4_define([HOST_SUPPORTS_IP6TABLES], [m4_esyscmd( ++ if IP6TABLES -L >/dev/null 2>&1; then ++ echo -n "yes" ++ else ++ echo -n "no" ++ fi ++)]) +-- +2.20.1 + diff --git a/SOURCES/0035-test-add-macro-IF_IPV6_SUPPORTED.patch b/SOURCES/0035-test-add-macro-IF_IPV6_SUPPORTED.patch new file mode 100644 index 0000000..10b4a03 --- /dev/null +++ b/SOURCES/0035-test-add-macro-IF_IPV6_SUPPORTED.patch @@ -0,0 +1,29 @@ +From 92fbe922bb4435a0cb48f8042e3ff33e8e1d0eaf Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 14 May 2019 18:30:12 -0400 +Subject: [PATCH 35/37] test: add macro IF_IPV6_SUPPORTED + +(cherry picked from commit d569d7239f23f443ac4c5dce843481223481ec96) +(cherry picked from commit 781fe1a49ab1d3fea3540742c38fe6633e65d700) +--- + src/tests/functions.at | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index da90f9ce549b..106c71ff9920 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -365,3 +365,10 @@ m4_define([HOST_SUPPORTS_IP6TABLES], [m4_esyscmd( + echo -n "no" + fi + )]) ++ ++m4_define([IF_IPV6_SUPPORTED], [ ++ m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [$1], [ ++ m4_if(nftables, FIREWALL_BACKEND, [$1], [ ++ m4_if(yes, HOST_SUPPORTS_IP6TABLES, [$1], [$2]) ++ ])]) ++]) +-- +2.20.1 + diff --git a/SOURCES/0036-fix-tests-functions-ignore-warnings-about-missing-ip.patch b/SOURCES/0036-fix-tests-functions-ignore-warnings-about-missing-ip.patch new file mode 100644 index 0000000..d9053b3 --- /dev/null +++ b/SOURCES/0036-fix-tests-functions-ignore-warnings-about-missing-ip.patch @@ -0,0 +1,32 @@ +From 77819612c5f96a899823063fb9a612eab7cf14cb Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 13 May 2019 10:27:07 -0400 +Subject: [PATCH 36/37] fix: tests/functions: ignore warnings about missing + ip6tables + +We allow running firewalld without ip6tables, as such it's not an error +for it to be missing during testsuite execution. + +(cherry picked from commit 3ac719c1908d4d86d344ebc7b1e105545471046a) +(cherry picked from commit 1e7e05ba07c78f6c21de818d1ab2f18d3c31534e) +--- + src/tests/functions.at | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 106c71ff9920..4c74c249f32e 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -132,6 +132,9 @@ m4_define([FWD_START_TEST], [ + + m4_define([FWD_END_TEST], [ + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ ++ IF_IPV6_SUPPORTED([], [ ++ sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log ++ ]) + if test x"$1" != x"ignore"; then + if test -n "$1"; then + sed -i $1 ./firewalld.log +-- +2.20.1 + diff --git a/SOURCES/0037-fix-tests-guard-occurrences-of-IPv6.patch b/SOURCES/0037-fix-tests-guard-occurrences-of-IPv6.patch new file mode 100644 index 0000000..a40bd34 --- /dev/null +++ b/SOURCES/0037-fix-tests-guard-occurrences-of-IPv6.patch @@ -0,0 +1,242 @@ +From 2b76468d515858e27a1c50b9b27864adbb1bb96f Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 13 May 2019 14:00:21 -0400 +Subject: [PATCH 37/37] fix: tests: guard occurrences of IPv6 + +Since we can run without IPv6 support we need to skip test areas that +explicitly use IPv6. + +(cherry picked from commit bcb33e448abbf3a2a3a8721c257ad48bfc18dd9d) +(cherry picked from commit 9344ff8c7ce3e55a2296ca3d565b51d9a52065c4) +--- + src/tests/firewall-cmd.at | 30 +++++++++++++++++++++++++---- + src/tests/regression/gh335.at | 6 ++++++ + src/tests/regression/rhbz1594657.at | 2 ++ + 3 files changed, 34 insertions(+), 4 deletions(-) + +diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at +index bcbfe9639ef1..a3844151aeb3 100644 +--- a/src/tests/firewall-cmd.at ++++ b/src/tests/firewall-cmd.at +@@ -199,8 +199,10 @@ sources: $1 + + check_zone_source([1.2.3.4]) + check_zone_source([192.168.1.0/24]) ++ IF_IPV6_SUPPORTED([ + check_zone_source([3ffe:501:ffff::/64]) + check_zone_source([dead:beef::babe]) ++ ]) + + m4_undefine([check_zone_source]) + +@@ -292,10 +294,12 @@ FWD_START_TEST([user services]) + FWD_CHECK([--permanent --service=foobar --set-destination=ipv4:foo], 105, ignore, ignore) dnl bad address + FWD_CHECK([--permanent --service=foobar --set-destination=ipv4:1.2.3.4], 0, ignore) + FWD_CHECK([--permanent --service=foobar --remove-destination=ipv4], 0, ignore) ++ IF_IPV6_SUPPORTED([ + FWD_CHECK([--permanent --service=foobar --set-destination=ipv6:fd00:dead:beef:ff0::/64], 0, ignore) + FWD_CHECK([--permanent --service=foobar --query-destination=ipv6:fd00:dead:beef:ff0::/64], 0, ignore) + FWD_CHECK([--permanent --service=foobar --remove-destination=ipv6], 0, ignore) + FWD_CHECK([--permanent --service=foobar --query-destination=ipv6:fd00:dead:beef:ff0::/64], 1, ignore) ++ ]) + + FWD_CHECK([--permanent --zone=public --add-service=foobar], 0, ignore) + FWD_CHECK([--permanent --zone=public --list-services | grep foobar], 0, ignore) +@@ -447,10 +451,12 @@ FWD_START_TEST([forward ports]) + FWD_CHECK([--query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=public], 0, ignore) + FWD_CHECK([--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 0, ignore) + FWD_CHECK([--query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 1, ignore) ++ IF_IPV6_SUPPORTED([ + FWD_CHECK([--add-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore) + FWD_CHECK([--query-forward-port port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0:: --zone=public], 0, ignore) + FWD_CHECK([--remove-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore) + FWD_CHECK([--query-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 1, ignore) ++ ]) + FWD_CHECK([--add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200], 0, ignore) + FWD_CHECK([--query-forward-port=port=100:proto=tcp:toport=200], 0, ignore) + FWD_CHECK([--query-forward-port=port=88:proto=udp:toport=99 --zone=public], 0, ignore) +@@ -473,10 +479,12 @@ FWD_START_TEST([forward ports]) + FWD_CHECK([--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=7.7.7.7 --zone=public], 0, ignore) + FWD_CHECK([--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 0, ignore) + FWD_CHECK([--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=7.7.7.7], 1, ignore) ++ IF_IPV6_SUPPORTED([ + FWD_CHECK([--permanent --add-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore) + FWD_CHECK([--permanent --query-forward-port port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0:: --zone=public], 0, ignore) + FWD_CHECK([--permanent --remove-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 0, ignore) + FWD_CHECK([--permanent --query-forward-port=port=66:proto=sctp:toport=66:toaddr=fd00:dead:beef:ff0::], 1, ignore) ++ ]) + FWD_CHECK([--permanent --add-forward-port=port=88:proto=udp:toport=99 --add-forward-port port=100:proto=tcp:toport=200], 0, ignore) + FWD_CHECK([--permanent --query-forward-port=port=100:proto=tcp:toport=200], 0, ignore) + FWD_CHECK([--permanent --query-forward-port=port=88:proto=udp:toport=99 --zone=public], 0, ignore) +@@ -592,12 +600,14 @@ FWD_START_TEST([ipset]) + FWD_CHECK([--permanent --delete-ipset=foobar], 0, ignore) + FWD_RELOAD + ++ IF_IPV6_SUPPORTED([ + FWD_CHECK([--permanent --new-ipset=foobar --type=hash:mac], 0, ignore) + FWD_CHECK([--permanent --ipset=foobar --add-entry=12:34:56:78:90:ab], 0, ignore) + FWD_RELOAD + FWD_CHECK([--ipset=foobar --add-entry=12:34:56:78:90:ac], 0, ignore) + FWD_CHECK([--permanent --delete-ipset=foobar], 0, ignore) + FWD_RELOAD ++ ]) + FWD_END_TEST([-e '/ERROR: INVALID_ENTRY: invalid address/d']) + + FWD_START_TEST([user helpers]) +@@ -733,11 +743,13 @@ FWD_START_TEST([direct passthrough]) + FWD_CHECK([--direct --remove-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT], 0, ignore) + FWD_CHECK([--direct --query-passthrough ipv4 --table filter --append INPUT --in-interface dummy0 --protocol tcp --destination-port 67 --jump ACCEPT], 1, ignore, ignore) + ++ m4_if(yes, HOST_SUPPORTS_IP6TABLES, [dnl + FWD_CHECK([--direct --add-passthrough ipv6 --table filter --append FORWARD --destination fd00:dead:beef:ff0::/64 --in-interface dummy0 --out-interface dummy0 --jump ACCEPT], 0, ignore) + FWD_CHECK([--direct --get-passthroughs ipv6 | grep "fd00:dead:beef:ff0::/64"], 0, ignore) + FWD_CHECK([--direct --get-all-passthroughs | grep "fd00:dead:beef:ff0::/64"], 0, ignore) + FWD_CHECK([--direct --passthrough ipv6 -nvL | grep "fd00:dead:beef:ff0::/64"], 0, ignore) + FWD_CHECK([--direct --remove-passthrough ipv6 --table filter --delete FORWARD --destination fd00:dead:beef:ff0::/64 --in-interface dummy0 --out-interface dummy0 --jump ACCEPT], 0, ignore, ignore) ++ ]) + + FWD_CHECK([--direct --passthrough ipv5 -nvL], 111, ignore, ignore) + FWD_CHECK([--direct --passthrough ipv4], 2, ignore, ignore) +@@ -868,21 +880,25 @@ FWD_START_TEST([rich rules good]) + rich_rule_test([rule protocol value="sctp" log]) + rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp: " level="info" limit value="1/m" accept]) + rich_rule_test([rule family="ipv4" source not address="192.168.0.0/24" service name="dns" log prefix="dns: " level="info" limit value="2/m" drop]) ++ IF_IPV6_SUPPORTED([ + rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns -- " level="info" limit value="3/m" reject type="icmp6-addr-unreachable" limit value="20/m"]) + rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" port port="4011" protocol="tcp" log prefix="port 4011: " level="info" limit value="4/m" drop]) + rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" forward-port port="4011" protocol="tcp" to-port="4012" to-addr="1::2:3:4:7"]) ++ rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirected: " level="info" limit value="4/m"]) ++ rich_rule_test([rule family="ipv6" source address="1:2:3:4::/64" destination address="1:2:3:5::/64" accept]) ++ rich_rule_test([rule family="ipv6" masquerade]) ++ ]) + rich_rule_test([rule family="ipv4" destination address="1.2.3.4" forward-port port="4011" protocol="tcp" to-port="4012" to-addr="9.8.7.6"]) + rich_rule_test([rule family="ipv4" source address="192.168.0.0/24" icmp-block name="source-quench" log prefix="source-quench: " level="info" limit value="4/m"]) +- rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log prefix="redirected: " level="info" limit value="4/m"]) + rich_rule_test([rule family="ipv4" source address="192.168.1.0/24" masquerade]) + rich_rule_test([rule family="ipv4" source address="10.1.1.0/24" destination address="192.168.1.0/24" accept]) +- rich_rule_test([rule family="ipv6" source address="1:2:3:4::/64" destination address="1:2:3:5::/64" accept]) + rich_rule_test([rule family="ipv4" destination address="192.168.1.0/24" masquerade]) +- rich_rule_test([rule family="ipv6" masquerade]) + rich_rule_test([rule forward-port port="2222" to-port="22" to-addr="192.168.100.2" protocol="tcp" family="ipv4" source address="192.168.2.100"]) + rich_rule_test([rule forward-port port="66" to-port="666" to-addr="192.168.100.2" protocol="sctp" family="ipv4" source address="192.168.2.100"]) ++ IF_IPV6_SUPPORTED([ + rich_rule_test([rule forward-port port="99" to-port="999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"]) + rich_rule_test([rule forward-port port="99" to-port="10999" to-addr="1::2:3:4:7" protocol="dccp" family="ipv6" source address="1:2:3:4:6::"]) ++ ]) + rich_rule_test([rule family="ipv4" port port="222" protocol="tcp" mark set="0xff"]) + FWD_END_TEST + FWD_START_TEST([rich rules audit]) +@@ -897,7 +913,6 @@ FWD_START_TEST([rich rules bad]) + FWD_CHECK([--permanent --add-rich-rule='$1'], $2, ignore, ignore) + ]) + rich_rule_test([], 122) dnl empty +- rich_rule_test([family="ipv6" accept], 122) dnl no rule + rich_rule_test([name="dns" accept], 122) dnl no rule + rich_rule_test([protocol value="ah" reject], 122) dnl no rule + rich_rule_test([rule protocol value="ah" reject type="icmp-host-prohibited"], 122) dnl reject type needs specific family +@@ -911,8 +926,11 @@ FWD_START_TEST([rich rules bad]) + rich_rule_test([rule service name="radius" port port="4011" reject], 122) dnl service && port + rich_rule_test([rule service bad_attribute="dns"], 122) dnl bad attribute + rich_rule_test([rule protocol value="igmp" log level="eror"], 125) dnl bad log level ++ IF_IPV6_SUPPORTED([ ++ rich_rule_test([family="ipv6" accept], 122) dnl no rule + rich_rule_test([rule source address="1:2:3:4:6::" icmp-block name="redirect" log level="info" limit value="1/2m"], 207) dnl missing family + rich_rule_test([rule family="ipv6" source address="1:2:3:4:6::" icmp-block name="redirect" log level="info" limit value="1/2m"], 123) dnl bad limit ++ ]) + rich_rule_test([rule protocol value="esp"], 122) dnl no action/log/audit + rich_rule_test([rule family="ipv4" masquerade drop], 122) dnl masquerade & action + rich_rule_test([rule family="ipv4" icmp-block name="redirect" accept], 122) dnl icmp-block & action +@@ -1029,6 +1047,7 @@ WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90' + ]) + FWD_CHECK([--check-config], 111, ignore, ignore) + ++ IF_IPV6_SUPPORTED([ + AT_DATA([./helpers/foobar.xml], [dnl + + +@@ -1036,6 +1055,7 @@ WARNING: INVALID_ENTRY: invalid mac address '12:34:56:78:90' in '12:34:56:78:90' + + ]) + FWD_CHECK([--check-config], 103, ignore, ignore) ++ ]) + AT_CHECK([rm ./helpers/foobar.xml]) + + dnl icmptype +@@ -1278,6 +1298,7 @@ WARNING: Invalid rule: Invalid log level + ]) + FWD_CHECK([--check-config], 28, ignore, ignore) + ++ IF_IPV6_SUPPORTED([ + AT_DATA([./zones/foobar.xml], [dnl + + +@@ -1292,6 +1313,7 @@ m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [dnl + WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept + WARNING: INVALID_ADDR: 10.0.0.1/24: rule family="ipv6" source address="10.0.0.1/24" accept + ])]) ++ ]) + AT_CHECK([rm ./zones/foobar.xml]) + + FWD_END_TEST([-e '/ERROR:/d'dnl +diff --git a/src/tests/regression/gh335.at b/src/tests/regression/gh335.at +index 901e2fa04f69..54cc4c66e163 100644 +--- a/src/tests/regression/gh335.at ++++ b/src/tests/regression/gh335.at +@@ -7,12 +7,14 @@ NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignor + NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore]) + FWD_RELOAD + ++IF_IPV6_SUPPORTED([ + NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore]) + NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore]) + FWD_CHECK([-q --add-forward-port=port=12345:proto=tcp:toport=54321:toaddr="1234:5678::4321"]) + NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore]) + NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignore], [ignore]) + FWD_RELOAD ++]) + + NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore]) + NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore]) +@@ -21,12 +23,14 @@ NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignor + NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore]) + FWD_RELOAD + ++IF_IPV6_SUPPORTED([ + NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore]) + NS_CHECK([sysctl -w net.ipv6.conf.all.forwarding=0], 0, [ignore], [ignore]) + FWD_CHECK([-q --add-rich-rule='rule family=ipv6 forward-port port="12345" protocol="tcp" to-port="54321" to-addr="1234:5678::4321"']) + NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore]) + NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 0, [ignore], [ignore]) + FWD_RELOAD ++]) + + dnl following tests should _not_ enable IP forwarding + NS_CHECK([sysctl -w net.ipv4.conf.all.forwarding=0], 0, [ignore], [ignore]) +@@ -40,8 +44,10 @@ FWD_CHECK([-q --add-rich-rule='rule family=ipv4 forward-port port="12345" protoc + NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore]) + NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore]) + ++IF_IPV6_SUPPORTED([ + FWD_CHECK([-q --add-rich-rule='rule family=ipv6 forward-port port="12345" protocol="tcp" to-port="54321"']) + NS_CHECK([[sysctl -a |grep "net.ipv4.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore]) + NS_CHECK([[sysctl -a |grep "net.ipv6.conf.all.forwarding[ ]*=[ ]*1"]], 1, [ignore], [ignore]) ++]) + + FWD_END_TEST +diff --git a/src/tests/regression/rhbz1594657.at b/src/tests/regression/rhbz1594657.at +index c01a34012875..33b7bafe6b08 100644 +--- a/src/tests/regression/rhbz1594657.at ++++ b/src/tests/regression/rhbz1594657.at +@@ -6,7 +6,9 @@ FWD_CHECK([--direct --passthrough ipv4 -t filter -C dummy_chain -j ACCEPT], 13, + FWD_CHECK([--direct --passthrough ipv4 -t filter -L dummy_chain], 13, [ignore], [ignore]) + FWD_CHECK([--direct --passthrough ipv4 -t filter -L INPUT], 0, [ignore]) + ++m4_if(yes, HOST_SUPPORTS_IP6TABLES, [dnl + FWD_CHECK([--direct --passthrough ipv6 -t filter -C dummy_chain -j ACCEPT], 13, [ignore], [ignore]) + FWD_CHECK([--direct --passthrough ipv6 -t filter -L dummy_chain], 13, [ignore], [ignore]) + FWD_CHECK([--direct --passthrough ipv6 -t filter -L INPUT], 0, [ignore]) ++]) + FWD_END_TEST +-- +2.20.1 + diff --git a/SOURCES/0038-fix-tests-update-package.m4-if-makefile-changed.patch b/SOURCES/0038-fix-tests-update-package.m4-if-makefile-changed.patch new file mode 100644 index 0000000..b142d3b --- /dev/null +++ b/SOURCES/0038-fix-tests-update-package.m4-if-makefile-changed.patch @@ -0,0 +1,29 @@ +From 55ada411c884734d097c295f14d70e543c136a73 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 30 May 2019 09:45:07 -0400 +Subject: [PATCH 38/39] fix: tests: update package.m4 if makefile changed + +A common case is if we've done another ./configure and changed variables +that get passed down via package.m4. + +(cherry picked from commit b2c98d9aadc3c4bc7306240381f1750a36850d09) +--- + src/tests/Makefile.am | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am +index 2a5645ba81d8..7a644ca915c1 100644 +--- a/src/tests/Makefile.am ++++ b/src/tests/Makefile.am +@@ -9,7 +9,7 @@ EXTRA_DIST = \ + $(TESTSUITE_FILES) \ + $(srcdir)/package.m4 + +-$(srcdir)/package.m4: $(top_srcdir)/configure.ac $(top_srcdir)/firewalld.spec ++$(srcdir)/package.m4: $(top_srcdir)/configure.ac $(top_srcdir)/firewalld.spec $(srcdir)/Makefile + :;{ \ + echo 'm4_define([AT_PACKAGE_NAME],[$(PACKAGE_NAME)])' && \ + echo 'm4_define([AT_PACKAGE_VERSION],[$(PACKAGE_VERSION)])' && \ +-- +2.20.1 + diff --git a/SOURCES/0039-fix-tests-functions-define-HOST_SUPPORTS_IP6TABLES-v.patch b/SOURCES/0039-fix-tests-functions-define-HOST_SUPPORTS_IP6TABLES-v.patch new file mode 100644 index 0000000..d1d39ba --- /dev/null +++ b/SOURCES/0039-fix-tests-functions-define-HOST_SUPPORTS_IP6TABLES-v.patch @@ -0,0 +1,34 @@ +From edb4469374232d11b4f390ede726683ef5d3dbe7 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Thu, 30 May 2019 09:45:59 -0400 +Subject: [PATCH 39/39] fix: tests/functions: define HOST_SUPPORTS_IP6TABLES + value immediately + +(cherry picked from commit 6644eddbb219d83f4cb59523bfa873b4b1869e78) +--- + src/tests/functions.at | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index c21831839662..fae1a78f6005 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -361,13 +361,13 @@ m4_ifnblank( + [m4_define([HOST_SUPPORTS_NFT_FIB], [no])] + ) + +-m4_define([HOST_SUPPORTS_IP6TABLES], [m4_esyscmd( ++m4_define([HOST_SUPPORTS_IP6TABLES], m4_esyscmd( + if IP6TABLES -L >/dev/null 2>&1; then + echo -n "yes" + else + echo -n "no" + fi +-)]) ++)) + + m4_define([IF_IPV6_SUPPORTED], [ + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [$1], [ +-- +2.20.1 + diff --git a/SOURCES/RHEL-only-remove-ability-to-use-nftables-backend.patch b/SOURCES/RHEL-only-remove-ability-to-use-nftables-backend.patch index a0aae2c..d5ed454 100644 --- a/SOURCES/RHEL-only-remove-ability-to-use-nftables-backend.patch +++ b/SOURCES/RHEL-only-remove-ability-to-use-nftables-backend.patch @@ -1,7 +1,7 @@ -From 2361184479832ac8f2754822e1e5d4de55c4898c Mon Sep 17 00:00:00 2001 +From c517bae24deb45ee3c75e5a7ae9927a82217dccb Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Wed, 14 Nov 2018 11:42:17 -0500 -Subject: [PATCH 1/4] remove ability to use nftables backend +Subject: [PATCH] remove ability to use nftables backend --- config/firewalld.conf | 7 ------- @@ -12,10 +12,10 @@ Subject: [PATCH 1/4] remove ability to use nftables backend src/firewall/core/fw.py | 5 ----- src/firewall/core/io/firewalld_conf.py | 11 +---------- src/firewall/server/config.py | 19 +++---------------- - src/tests/dbus/firewalld.conf.at | 2 -- - src/tests/functions.at | 3 --- + src/tests/dbus/firewalld.conf.at | 6 +----- + src/tests/functions.at | 5 +---- src/tests/testsuite.at | 2 +- - 11 files changed, 6 insertions(+), 80 deletions(-) + 11 files changed, 8 insertions(+), 84 deletions(-) diff --git a/config/firewalld.conf b/config/firewalld.conf index b53c0aa50c53..63df409bf567 100644 @@ -242,18 +242,22 @@ index dfc562b537eb..011052a9cabf 100644 self.config.get_firewalld_conf().write() self.PropertiesChanged(interface_name, diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at -index 473210de10af..3887d7ee4a7d 100644 +index 473210de10af..741b1e6f417f 100644 --- a/src/tests/dbus/firewalld.conf.at +++ b/src/tests/dbus/firewalld.conf.at -@@ -5,7 +5,6 @@ DBUS_GETALL([config], [config], 0, [dnl +@@ -5,10 +5,7 @@ DBUS_GETALL([config], [config], 0, [dnl string "AutomaticHelpers" : variant string "system" string "CleanupOnExit" : variant string "no" string "DefaultZone" : variant string "public" -string "FirewallBackend" : variant string "nftables" - m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl - string "IPv6_rpfilter" : variant string "no"],[dnl - string "IPv6_rpfilter" : variant string "yes"]) -@@ -29,7 +28,6 @@ _helper([Lockdown], [string:"yes"], [variant string "yes"]) +-m4_if(no, HOST_SUPPORTS_NFT_FIB, [dnl +-string "IPv6_rpfilter" : variant string "no"],[dnl +-string "IPv6_rpfilter" : variant string "yes"]) ++string "IPv6_rpfilter" : variant string "yes" + string "IndividualCalls" : variant string "no" + string "Lockdown" : variant string "no" + string "LogDenied" : variant string "off" +@@ -29,7 +26,6 @@ _helper([Lockdown], [string:"yes"], [variant string "yes"]) _helper([LogDenied], [string:"all"], [variant string "all"]) _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"]) _helper([IndividualCalls], [string:"yes"], [variant string "yes"]) @@ -262,10 +266,16 @@ index 473210de10af..3887d7ee4a7d 100644 dnl Note: DefaultZone is RO m4_undefine([_helper]) diff --git a/src/tests/functions.at b/src/tests/functions.at -index f8ab929118e5..b95324847e5c 100644 +index bae43faed410..3841df4264d7 100644 --- a/src/tests/functions.at +++ b/src/tests/functions.at -@@ -70,9 +70,6 @@ m4_define([FWD_START_TEST], [ +@@ -58,14 +58,11 @@ m4_define([FWD_START_TEST], [ + fi + + m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [ +- m4_define_default([FIREWALL_BACKEND], [nftables]) ++ m4_define_default([FIREWALL_BACKEND], [iptables]) + dnl don't unload modules or bother cleaning up, the namespace will be deleted AT_CHECK([sed -i 's/^CleanupOnExit.*/CleanupOnExit=no/' ./firewalld.conf]) @@ -289,5 +299,5 @@ index 2943d7460919..68d18c9018b8 100644 m4_include([regression.at]) m4_include([python.at]) -- -2.18.0 +2.20.1 diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec index f21cc0d..1655a1e 100644 --- a/SPECS/firewalld.spec +++ b/SPECS/firewalld.spec @@ -8,7 +8,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 0.6.3 -Release: 2%{?dist} +Release: 2%{?dist}.1 URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -43,6 +43,14 @@ Patch28: 0020-doc-note-that-forward-port-may-enable-IP-forwarding.patch Patch29: 0021-doc-note-that-masquerade-will-enable-IP-forwarding.patch Patch30: 0022-fw_zone-forward-ports-only-enable-IP-forwarding-if-t.patch Patch31: 0023-tests-regression-coverage-for-enabling-IP-forwarding.patch +Patch32: 0032-fix-avoid-calling-backends-that-aren-t-available.patch +Patch33: 0033-test-pass-IPTABLES-make-variables-down-to-autotest.patch +Patch34: 0034-test-add-macro-HOST_SUPPORTS_IP6TABLES.patch +Patch35: 0035-test-add-macro-IF_IPV6_SUPPORTED.patch +Patch36: 0036-fix-tests-functions-ignore-warnings-about-missing-ip.patch +Patch37: 0037-fix-tests-guard-occurrences-of-IPv6.patch +Patch38: 0038-fix-tests-update-package.m4-if-makefile-changed.patch +Patch39: 0039-fix-tests-functions-define-HOST_SUPPORTS_IP6TABLES-v.patch BuildArch: noarch BuildRequires: desktop-file-utils @@ -343,6 +351,9 @@ fi %{_mandir}/man1/firewall-config*.1* %changelog +* Wed Aug 21 2019 Eric Garver - 0.6.3-2.el7_7.1 +- backport fix to allow disabling IPv6 + * Tue Mar 19 2019 Eric Garver - 0.6.3-2 - backport recent upstream stable fixes - backport fix to enable IP forwarding only if toaddr specified