From d31326a93b0dc1e203f4696aca4a7c0f8118d2e8 Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Tue, 4 Feb 2020 09:12:17 -0500
Subject: [PATCH 39/39] RHEL only: default to AllowZoneDrifting=yes
---
 config/firewalld.conf | 4 ++--
 doc/xml/firewalld.conf.xml | 2 +-
 doc/xml/firewalld.dbus.xml | 2 +-
 src/firewall/config/__init__.py.in | 2 +-
 src/tests/cli/firewall-cmd.at | 4 ++++
 src/tests/dbus/firewalld.conf.at | 4 ++--
 src/tests/features/rfc3964_ipv4.at | 4 ++++
 src/tests/functions.at | 1 +
 src/tests/regression/rhbz1514043.at | 4 ++++
 9 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/config/firewalld.conf b/config/firewalld.conf
index 532f0452212e..f791b2358ab8 100644
--- a/config/firewalld.conf
+++ b/config/firewalld.conf
@@ -71,5 +71,5 @@ RFC3964_IPv4=yes
 # Note: If "yes" packets will only drift from source based zones to interface
 # based zones (including the default zone). Packets never drift from interface
 # based zones to other interfaces based zones (including the default zone).
-# Possible values; "yes", "no". Defaults to "no".
-AllowZoneDrifting=no
+# Possible values; "yes", "no". Defaults to "yes".
+AllowZoneDrifting=yes
diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
index fcfbfd2b68c1..c21ef87813bc 100644
--- a/doc/xml/firewalld.conf.xml
+++ b/doc/xml/firewalld.conf.xml
@@ -197,7 +197,7 @@ to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
index 5d77af976443..77ad77c01675 100644
--- a/doc/xml/firewalld.dbus.xml
+++ b/doc/xml/firewalld.dbus.xml
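Review bot: The shipped default on the new `AllowZoneDrifting=yes` line lets a packet be matched by a zone other than its interface's (the context comment above it says packets drift from source-based zones into interface-based zones, including the default zone), yet nothing in the file records that this is a distribution-specific choice differing from the upstream default of "no" shown on the removed line. An administrator who wants strict zone isolation gets no cue that the setting must be flipped back; a line such as `# Enabled by default in this distribution for compatibility; set to "no" for strict zone isolation.` directly above the setting would give that cue. The same flip of `FALLBACK_ALLOW_ZONE_DRIFTING` in src/firewall/config/__init__.py.in would benefit from a matching comment, e.g. `# Distribution default; differs from upstream (False). Keep in sync with config/firewalld.conf`, since that fallback presumably applies when the key is missing from an installed firewalld.conf.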
@@ -2591,7 +2591,7 @@ to interface based zones (including the default zone). Packets never drift from interface based zones to other interfaces based zones (including the default zone).
- Valid values; "yes", "no". Defaults to "no".
+ Valid values; "yes", "no". Defaults to "yes".
diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
index 481eb8de758d..645c76b66c8d 100644
--- a/src/firewall/config/__init__.py.in
+++ b/src/firewall/config/__init__.py.in
@@ -130,4 +130,4 @@ FALLBACK_AUTOMATIC_HELPERS = "no"
 FALLBACK_FIREWALL_BACKEND = "nftables"
 FALLBACK_FLUSH_ALL_ON_RELOAD = True
 FALLBACK_RFC3964_IPV4 = True
-FALLBACK_ALLOW_ZONE_DRIFTING = False
+FALLBACK_ALLOW_ZONE_DRIFTING = True
diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
index 51b367e7a0f0..3590cb23d600 100644
--- a/src/tests/cli/firewall-cmd.at
+++ b/src/tests/cli/firewall-cmd.at
@@ -1054,6 +1054,10 @@ FWD_START_TEST([rich rules priority])
 CHECK_LOG_AUDIT
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
 dnl Verify generic layout of zone
 NFT_LIST_RULES([inet], [filter_IN_public], 0, [dnl
 table inet firewalld {
diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
index 35aead759a9c..4eefa3286f9f 100644
--- a/src/tests/dbus/firewalld.conf.at
+++ b/src/tests/dbus/firewalld.conf.at
@@ -4,7 +4,7 @@ AT_KEYWORDS(dbus)
 dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
 IF_HOST_SUPPORTS_NFT_FIB([
 DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
 string "AutomaticHelpers" : variant string "no"
 string "CleanupOnExit" : variant string "no"
 string "DefaultZone" : variant string "public"
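Review bot: The added `AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])` pins the rich-rules test to the old behaviour instead of asserting the ruleset the new default produces, so after this patch no test in the set checks the nftables layout generated with AllowZoneDrifting=yes; the same pattern is repeated in src/tests/features/rfc3964_ipv4.at and src/tests/regression/rhbz1514043.at. The substitution is also a silent no-op if the seeded ./firewalld.conf has no AllowZoneDrifting line (the Python fallback of True would then apply), though whether the harness always writes that key is not visible here. Consider one test that leaves the default in place and asserts the drifting rules, plus a shared macro for the three identical sed+FWD_RELOAD sites. The enclosing FWD_START_TEST body continues outside the hunk.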
@@ -18,7 +18,7 @@ string "MinimalMark" : variant int32 100
 string "RFC3964_IPv4" : variant string "yes"
 ])], [
 DBUS_GETALL([config], [config], 0, [dnl
-string "AllowZoneDrifting" : variant string "no"
+string "AllowZoneDrifting" : variant string "yes"
 string "AutomaticHelpers" : variant string "no"
 string "CleanupOnExit" : variant string "no"
 string "DefaultZone" : variant string "public"
diff --git a/src/tests/features/rfc3964_ipv4.at b/src/tests/features/rfc3964_ipv4.at
index 54f5f756270b..15fef52612cc 100644
--- a/src/tests/features/rfc3964_ipv4.at
+++ b/src/tests/features/rfc3964_ipv4.at
@@ -1,6 +1,10 @@
 FWD_START_TEST([RFC3964_IPv4])
 AT_KEYWORDS(rfc3964_ipv4)
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
 AT_CHECK([sed -i 's/^LogDenied.*/LogDenied=all/' ./firewalld.conf])
 AT_CHECK([sed -i 's/^RFC3964_IPv4.*/RFC3964_IPv4=yes/' ./firewalld.conf])
 FWD_RELOAD
diff --git a/src/tests/functions.at b/src/tests/functions.at
index cd4e31c7f9d4..0e28420d7123 100644
--- a/src/tests/functions.at
+++ b/src/tests/functions.at
@@ -230,6 +230,7 @@ m4_define([FWD_END_TEST], [
 IF_HOST_SUPPORTS_IP6TABLES([], [
 sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
 ])
+sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log
 if test x"$1" != x"ignore"; then
 if test -n "$1"; then
 sed -i $1 ./firewalld.log
diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
index 241cf547f7f3..8e4846a078b8 100644
--- a/src/tests/regression/rhbz1514043.at
+++ b/src/tests/regression/rhbz1514043.at
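Review bot: The new `sed -i "/WARNING: AllowZoneDrifting is enabled./d" ./firewalld.log` in FWD_END_TEST removes the warning from every test's log before it is inspected, so no test can assert that firewalld still emits it when drifting is on, and a regression that silently drops the warning would go unnoticed. The ip6tables deletion just above it is at least scoped by IF_HOST_SUPPORTS_IP6TABLES; a dedicated test that greps ./firewalld.log for the warning before FWD_END_TEST, or deleting the line only when ./firewalld.conf actually contains AllowZoneDrifting=yes, would keep the warning observable. The `.` before `/d` is unescaped and matches any character; `\.` makes the match literal. FWD_END_TEST's definition continues outside the hunk.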
@@ -1,6 +1,10 @@
 FWD_START_TEST([--set-log-denied does not zero config])
 AT_KEYWORDS(log_denied rhbz1514043)
+dnl Expected test results assume this is set to "no"
+AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
+FWD_RELOAD
+
 FWD_CHECK([-q --set-log-denied=all])
 FWD_CHECK([-q --permanent --zone=public --add-service=samba])
 FWD_RELOAD
--
2.23.0