From fcff9a0adbc8042544372e1af5d84b48e6d52c93 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Mon, 13 May 2019 09:40:31 -0400
Subject: [PATCH 32/37] fix: avoid calling backends that aren't available
We should operate just fine if some backend aren't available, e.g. ip6tables. This fixes some areas that broke that.
Fixes: #491
(cherry picked from commit 3fdffa76be42ce88bff35ce2b84c2beda3c016a1)
(cherry picked from commit 86d003dcdbd2eb20ac32858f7cfa3074169d5b5e)
---
 src/firewall/core/fw.py | 54 ++++++++++++++++++------------------
 src/firewall/core/fw_zone.py | 4 ++-
 2 files changed, 30 insertions(+), 28 deletions(-)
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index abb25f0c3e72..998de99e9532 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -703,24 +703,24 @@ class Firewall(object):
 def get_backend_by_ipv(self, ipv):
 if self.nftables_enabled:
 return self.nftables_backend
- if ipv == "ipv4":
+ if ipv == "ipv4" and self.ip4tables_enabled:
 return self.ip4tables_backend
- elif ipv == "ipv6":
+ elif ipv == "ipv6" and self.ip6tables_enabled:
 return self.ip6tables_backend
- elif ipv == "eb":
+ elif ipv == "eb" and self.ebtables_enabled:
 return self.ebtables_backend
 raise FirewallError(errors.INVALID_IPV,
- "'%s' is not a valid backend" % ipv)
+ "'%s' is not a valid backend or is unavailable" % ipv)

 def get_direct_backend_by_ipv(self, ipv):
- if ipv == "ipv4":
+ if ipv == "ipv4" and self.ip4tables_enabled:
 return self.ip4tables_backend
- elif ipv == "ipv6":
+ elif ipv == "ipv6" and self.ip6tables_enabled:
 return self.ip6tables_backend
- elif ipv == "eb":
+ elif ipv == "eb" and self.ebtables_enabled:
 return self.ebtables_backend
 raise FirewallError(errors.INVALID_IPV,
- "'%s' is not a valid backend" % ipv)
+ "'%s' is not a valid backend or is unavailable" % ipv)

 def is_backend_enabled(self, name):
 if name == "ip4tables":
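Review bot: The added availability guards in `get_backend_by_ipv` and `get_direct_backend_by_ipv` send two different conditions — an unrecognised `ipv` string and a recognised one whose backend is disabled — to the same `errors.INVALID_IPV`, so a caller can no longer tell malformed input from a missing backend, and the message is left hedging with "or is unavailable". Checking validity first and availability second keeps the distinction visible in logs, e.g. `if ipv not in ("ipv4", "ipv6", "eb"): raise FirewallError(errors.INVALID_IPV, "'%s' is not a valid backend" % ipv)` ahead of the existing dispatch, whose fall-through message can then say `"'%s' backend is unavailable" % ipv`. The three-way dispatch is now duplicated verbatim in both methods; the non-direct variant could delegate to the direct one after its nftables shortcut. That shortcut still returns the nftables backend before `ipv` is validated at all, which predates this change but is worth a comment now that the method claims to validate.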
@@ -791,29 +791,29 @@ class Firewall(object): rules = backend.build_default_rules(self._log_denied) transaction.add_rules(backend, rules) - ipv6_backend = self.get_backend_by_ipv("ipv6") - if self.ipv6_rpfilter_enabled and \ - "raw" in ipv6_backend.get_available_tables(): + if self.is_ipv_enabled("ipv6"): + ipv6_backend = self.get_backend_by_ipv("ipv6") + if self.ipv6_rpfilter_enabled and \ + "raw" in ipv6_backend.get_available_tables(): - # Execute existing transaction - transaction.execute(True) - # Start new transaction - transaction.clear() + # Execute existing transaction + transaction.execute(True) + # Start new transaction + transaction.clear() - rules = ipv6_backend.build_rpfilter_rules(self._log_denied) - transaction.add_rules(ipv6_backend, rules) + rules = ipv6_backend.build_rpfilter_rules(self._log_denied) + transaction.add_rules(ipv6_backend, rules) - # Execute ipv6_rpfilter transaction, it might fail - try: - transaction.execute(True) - except FirewallError as msg: - log.warning("Applying rules for ipv6_rpfilter failed: %s", msg) - # Start new transaction - transaction.clear() + # Execute ipv6_rpfilter transaction, it might fail + try: + transaction.execute(True) + except FirewallError as msg: + log.warning("Applying rules for ipv6_rpfilter failed: %s", msg) + # Start new transaction + transaction.clear() - else: - if use_transaction is None: - transaction.execute(True) + if use_transaction is None: + transaction.execute(True) # flush and policy diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py index d5eafb863439..31d7d6a168a8 100644 --- a/src/firewall/core/fw_zone.py +++ b/src/firewall/core/fw_zone.py @@ -1554,7 +1554,7 @@ class FirewallZone(object): if rule.family is not None: ipvs = [ rule.family ] else: - ipvs = [ "ipv4", "ipv6" ] + ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)] source_ipv = self._rule_source_ipv(rule.source) if source_ipv is not None and source_ipv != "": 
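Review bot: When `is_ipv_enabled("ipv6")` is false the whole rpfilter block is skipped silently even if `self.ipv6_rpfilter_enabled` is set, so an administrator who turned the IPv6 reverse-path filter on gets no indication that it is not being applied; an `else:` on the new outer `if`, guarded by `self.ipv6_rpfilter_enabled`, with `log.warning("ipv6_rpfilter is enabled but the ipv6 backend is unavailable, skipping rpfilter rules")` would make the gap visible where the other warnings in this block already go. Dropping the old `else:` also changes control flow: `if use_transaction is None: transaction.execute(True)` now runs after the rpfilter branch too, at which point the transaction has just been cleared, so an empty transaction is executed — harmless if `execute` tolerates that, but either a comment saying so or the restored `else` would stop the next reader from wondering. The enclosing method starts outside this hunk.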
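Review bot: The new availability filter only covers the family-less case; when `rule.family` is set, `ipvs = [ rule.family ]` is still passed through unfiltered, so a rule that names `ipv6` explicitly will reach `get_backend_by_ipv` and, with ip6tables absent and nftables not in use, raise the `INVALID_IPV` error this commit sets out to avoid, unless something further down catches it. Applying the same test there — `ipvs = [rule.family] if self._fw.is_ipv_enabled(rule.family) else []` — keeps both paths consistent, or the asymmetry should be documented as deliberate. Either way, a family-less rule that quietly loses its IPv6 half leaves IPv6 traffic without that rule and nothing records it; a log line when a family is dropped would help an operator notice. The `source_ipv` assignment that follows may need the same treatment; its branch and the enclosing method are outside this hunk.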
@@ -1804,6 +1804,8 @@ class FirewallZone(object):
 #
 backends_ipv = []
 for ipv in ["ipv4", "ipv6"]:
+ if not self._fw.is_ipv_enabled(ipv):
+ continue
 backend = self._fw.get_backend_by_ipv(ipv)
 if len(svc.destination) > 0:
 if ipv in svc.destination:
-- 
2.20.1
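Review bot: The availability check is written as a `continue` guard here but as a list comprehension in the `-1554` hunk of the same file; both iterate the same literal `["ipv4", "ipv6"]` and ask `self._fw.is_ipv_enabled` per element, so one small helper such as `def _enabled_ipvs(self): return [ipv for ipv in ("ipv4", "ipv6") if self._fw.is_ipv_enabled(ipv)]` would keep the two sites identical and give the next call site something obvious to reuse. As in the other hunk the skip is silent: a service whose `destination` carries an ipv6 entry gets no ipv6 rules and nothing is logged, which is the kind of gap an operator only discovers after the fact. The enclosing method and the loop body continue outside this hunk.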