diff --git a/SOURCES/0123-feat-AllowZoneDrifting-config-option.patch b/SOURCES/0123-feat-AllowZoneDrifting-config-option.patch new file mode 100644 index 0000000..365625c --- /dev/null +++ b/SOURCES/0123-feat-AllowZoneDrifting-config-option.patch 
@@ -0,0 +1,291 @@ +From d43540044023331f053437c2b95fbef49592fcd6 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Sun, 19 Jan 2020 14:13:36 -0500 +Subject: [PATCH 123/127] feat: AllowZoneDrifting config option + +Older versions of firewalld had undocumented behavior known as "zone +drifting". This allowed packets to ingress multiple zones - this is a +violation of zone based firewalls. However, some users rely on this +behavior to have a "catch-all" zone, e.g. the default zone. You can +enable this if you desire such behavior. It's disabled by default for +security reasons. + +Note: If "yes" packets will only drift from source based zones to +interface based zones (including the default zone). Packets never drift +from interface based zones to other interfaces based zones (including +the default zone). + +(cherry picked from commit afadd377b09dc62b340d24bcf891d31f040d1a18) +(cherry picked from commit 3bbd15a5317b59e175e2a060d1a6ecf4c2129b32) +--- + config/firewalld.conf | 12 ++++++++++++ + doc/xml/firewalld.conf.xml | 19 +++++++++++++++++++ + doc/xml/firewalld.dbus.xml | 16 ++++++++++++++++ + src/firewall/config/__init__.py.in | 1 + + src/firewall/core/fw.py | 14 ++++++++++++++ + src/firewall/core/io/firewalld_conf.py | 13 +++++++++++-- + src/firewall/server/config.py | 20 +++++++++++++++++--- + src/tests/dbus/firewalld.conf.at | 3 +++ + 8 files changed, 93 insertions(+), 5 deletions(-) + +diff --git a/config/firewalld.conf b/config/firewalld.conf +index 63df409bf567..02be07b9b892 100644 +--- a/config/firewalld.conf ++++ b/config/firewalld.conf +@@ -55,3 +55,15 @@ LogDenied=off + # will be used. Possible values are: yes, no and system. + # Default: system + AutomaticHelpers=system ++ ++# AllowZoneDrifting ++# Older versions of firewalld had undocumented behavior known as "zone ++# drifting". This allowed packets to ingress multiple zones - this is a ++# violation of zone based firewalls. 
However, some users rely on this behavior ++# to have a "catch-all" zone, e.g. the default zone. You can enable this if you ++# desire such behavior. It's disabled by default for security reasons. ++# Note: If "yes" packets will only drift from source based zones to interface ++# based zones (including the default zone). Packets never drift from interface ++# based zones to other interfaces based zones (including the default zone). ++# Possible values; "yes", "no". Defaults to "no". ++AllowZoneDrifting=no +diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml +index afb94b90937f..9d8017df3112 100644 +--- a/doc/xml/firewalld.conf.xml ++++ b/doc/xml/firewalld.conf.xml +@@ -144,6 +144,25 @@ + + + ++ ++ ++ ++ ++ Older versions of firewalld had undocumented behavior known ++ as "zone drifting". This allowed packets to ingress multiple ++ zones - this is a violation of zone based firewalls. However, ++ some users rely on this behavior to have a "catch-all" zone, ++ e.g. the default zone. You can enable this if you desire such ++ behavior. It's disabled by default for security reasons. ++ Note: If "yes" packets will only drift from source based zones ++ to interface based zones (including the default zone). Packets ++ never drift from interface based zones to other interfaces ++ based zones (including the default zone). ++ Valid values; "yes", "no". Defaults to "no". ++ ++ ++ ++ + + + +diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml +index ec82d4cad077..ea0be9cefd1c 100644 +--- a/doc/xml/firewalld.dbus.xml ++++ b/doc/xml/firewalld.dbus.xml +@@ -2558,6 +2558,22 @@ + + Properties + ++ ++ AllowZoneDrifting - s - (rw) ++ ++ Older versions of firewalld had undocumented behavior known ++ as "zone drifting". This allowed packets to ingress multiple ++ zones - this is a violation of zone based firewalls. However, ++ some users rely on this behavior to have a "catch-all" zone, ++ e.g. the default zone. 
You can enable this if you desire such ++ behavior. It's disabled by default for security reasons. ++ Note: If "yes" packets will only drift from source based zones ++ to interface based zones (including the default zone). Packets ++ never drift from interface based zones to other interfaces ++ based zones (including the default zone). ++ Valid values; "yes", "no". Defaults to "no". ++ ++ + + AutomaticHelpers - s - (rw) + +diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in +index 1b2168bde44d..3926c8fdb3a3 100644 +--- a/src/firewall/config/__init__.py.in ++++ b/src/firewall/config/__init__.py.in +@@ -128,3 +128,4 @@ FALLBACK_INDIVIDUAL_CALLS = False + FALLBACK_LOG_DENIED = "off" + FALLBACK_AUTOMATIC_HELPERS = "system" + FALLBACK_FIREWALL_BACKEND = "iptables" ++FALLBACK_ALLOW_ZONE_DRIFTING = False +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index b1643a1ebff4..5d3cf6e6ce44 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -114,6 +114,7 @@ class Firewall(object): + self._automatic_helpers = config.FALLBACK_AUTOMATIC_HELPERS + self._firewall_backend = config.FALLBACK_FIREWALL_BACKEND + self.nf_conntrack_helper_setting = 0 ++ self._allow_zone_drifting = config.FALLBACK_ALLOW_ZONE_DRIFTING + + def individual_calls(self): + return self._individual_calls +@@ -269,6 +270,19 @@ class Firewall(object): + log.debug1("AutomaticHelpers is set to '%s'", + self._automatic_helpers) + ++ if self._firewalld_conf.get("AllowZoneDrifting"): ++ value = self._firewalld_conf.get("AllowZoneDrifting") ++ if value.lower() in [ "no", "false" ]: ++ self._allow_zone_drifting = False ++ else: ++ self._allow_zone_drifting = True ++ log.warning("AllowZoneDrifting is enabled. This is considered " ++ "an insecure configuration option. It will be " ++ "removed in a future release. 
Please consider " ++ "disabling it now.") ++ log.debug1("AllowZoneDrifting is set to '%s'", ++ self._allow_zone_drifting) ++ + self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf)) + + self._select_firewall_backend(self._firewall_backend) +diff --git a/src/firewall/core/io/firewalld_conf.py b/src/firewall/core/io/firewalld_conf.py +index 9aee2dc6f9b7..a640d8e2f201 100644 +--- a/src/firewall/core/io/firewalld_conf.py ++++ b/src/firewall/core/io/firewalld_conf.py +@@ -28,9 +28,9 @@ from firewall import config + from firewall.core.logger import log + from firewall.functions import b2u, u2b, PY2 + +-valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", ++valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", + "IPv6_rpfilter", "IndividualCalls", "LogDenied", +- "AutomaticHelpers" ] ++ "AutomaticHelpers", "AllowZoneDrifting" ] + + class firewalld_conf(object): + def __init__(self, filename): +@@ -79,6 +79,7 @@ class firewalld_conf(object): + self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no") + self.set("LogDenied", config.FALLBACK_LOG_DENIED) + self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS) ++ self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no") + raise + + for line in f: +@@ -174,6 +175,14 @@ class firewalld_conf(object): + config.FALLBACK_AUTOMATIC_HELPERS) + self.set("AutomaticHelpers", str(config.FALLBACK_AUTOMATIC_HELPERS)) + ++ value = self.get("AllowZoneDrifting") ++ if not value or value.lower() not in [ "yes", "true", "no", "false" ]: ++ if value is not None: ++ log.warning("AllowZoneDrifting '%s' is not valid, using default " ++ "value %s", value if value else '', ++ config.FALLBACK_ALLOW_ZONE_DRIFTING) ++ self.set("AllowZoneDrifting", str(config.FALLBACK_ALLOW_ZONE_DRIFTING)) ++ + # save to self.filename if there are key/value changes + def write(self): + if len(self._config) < 1: +diff --git a/src/firewall/server/config.py 
b/src/firewall/server/config.py +index cd640ba881ca..86b4e4428748 100644 +--- a/src/firewall/server/config.py ++++ b/src/firewall/server/config.py +@@ -105,6 +105,7 @@ class FirewallDConfig(slip.dbus.service.Object): + "IndividualCalls": "readwrite", + "LogDenied": "readwrite", + "AutomaticHelpers": "readwrite", ++ "AllowZoneDrifting": "readwrite", + }) + + @handle_exceptions +@@ -484,7 +485,7 @@ class FirewallDConfig(slip.dbus.service.Object): + def _get_property(self, prop): + if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit", + "Lockdown", "IPv6_rpfilter", "IndividualCalls", +- "LogDenied", "AutomaticHelpers" ]: ++ "LogDenied", "AutomaticHelpers", "AllowZoneDrifting"]: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.InvalidArgs: " + "Property '%s' does not exist" % prop) +@@ -525,6 +526,10 @@ class FirewallDConfig(slip.dbus.service.Object): + if value is None: + value = config.FALLBACK_AUTOMATIC_HELPERS + return dbus.String(value) ++ elif prop == "AllowZoneDrifting": ++ if value is None: ++ value = "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no" ++ return dbus.String(value) + + @dbus_handle_exceptions + def _get_dbus_property(self, prop): +@@ -544,6 +549,8 @@ class FirewallDConfig(slip.dbus.service.Object): + return dbus.String(self._get_property(prop)) + elif prop == "AutomaticHelpers": + return dbus.String(self._get_property(prop)) ++ elif prop == "AllowZoneDrifting": ++ return dbus.String(self._get_property(prop)) + else: + raise dbus.exceptions.DBusException( + "org.freedesktop.DBus.Error.InvalidArgs: " +@@ -583,7 +590,7 @@ class FirewallDConfig(slip.dbus.service.Object): + if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: + for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", + "Lockdown", "IPv6_rpfilter", "IndividualCalls", +- "LogDenied", "AutomaticHelpers" ]: ++ "LogDenied", "AutomaticHelpers", "AllowZoneDrifting" ]: + ret[x] = self._get_property(x) + elif interface_name in [ 
config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, + config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: +@@ -609,7 +616,8 @@ class FirewallDConfig(slip.dbus.service.Object): + if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: + if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown", + "IPv6_rpfilter", "IndividualCalls", +- "LogDenied", "AutomaticHelpers" ]: ++ "LogDenied", "AutomaticHelpers", ++ "AllowZoneDrifting" ]: + if property_name == "MinimalMark": + try: + int(new_value) +@@ -638,6 +646,12 @@ class FirewallDConfig(slip.dbus.service.Object): + raise FirewallError(errors.INVALID_VALUE, + "'%s' for %s" % \ + (new_value, property_name)) ++ if property_name == "AllowZoneDrifting": ++ if new_value.lower() not in ["yes", "true", "no", "false"]: ++ raise FirewallError(errors.INVALID_VALUE, ++ "'%s' for %s" % \ ++ (new_value, property_name)) ++ + self.config.get_firewalld_conf().set(property_name, new_value) + self.config.get_firewalld_conf().write() + self.PropertiesChanged(interface_name, +diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at +index 05eb3dd5f650..0884e21b6368 100644 +--- a/src/tests/dbus/firewalld.conf.at ++++ b/src/tests/dbus/firewalld.conf.at +@@ -3,6 +3,7 @@ FWD_START_TEST([firewalld.conf]) + dnl Verify defaults over dbus. Should be inline with default firewalld.conf. 
+ IF_HOST_SUPPORTS_NFT_FIB([ + DBUS_GETALL([config], [config], 0, [dnl ++string "AllowZoneDrifting" : variant string "no" + string "AutomaticHelpers" : variant string "system" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +@@ -13,6 +14,7 @@ string "LogDenied" : variant string "off" + string "MinimalMark" : variant int32 100 + ])], [ + DBUS_GETALL([config], [config], 0, [dnl ++string "AllowZoneDrifting" : variant string "no" + string "AutomaticHelpers" : variant string "system" + string "CleanupOnExit" : variant string "no" + string "DefaultZone" : variant string "public" +@@ -39,6 +41,7 @@ _helper([LogDenied], [string:"all"], [variant string "all"]) + _helper([IPv6_rpfilter], [string:"yes"], [variant string "yes"]) + _helper([IndividualCalls], [string:"yes"], [variant string "yes"]) + _helper([CleanupOnExit], [string:"yes"], [variant string "yes"]) ++_helper([AllowZoneDrifting], [string:"yes"], [variant string "yes"]) + dnl Note: DefaultZone is RO + m4_undefine([_helper]) + +-- +2.23.0 + diff --git a/SOURCES/0124-feat-nftables-support-AllowZoneDrifting-yes.patch b/SOURCES/0124-feat-nftables-support-AllowZoneDrifting-yes.patch new file mode 100644 index 0000000..4bbb413 --- /dev/null +++ b/SOURCES/0124-feat-nftables-support-AllowZoneDrifting-yes.patch 
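Review bot: The new AllowZoneDrifting block in fw.py fails open: the `else` branch sets `self._allow_zone_drifting = True` for any value that is not exactly "no"/"false", so a typo such as "non" or a stray token enables the very option the warning text calls insecure, and the only thing preventing that is the normalisation in firewalld_conf.py, which this code does not check. Prefer the fail-closed form `self._allow_zone_drifting = value.lower() in ["yes", "true"]` followed by `if self._allow_zone_drifting:` around the `log.warning(...)`, so anything unrecognised leaves drifting off regardless of what the loader did. Note also that the property is exported as "readwrite" over D-Bus in the same patch, and the warning is only emitted on this startup/reload path, so a client that flips it at runtime presumably gets no warning until the next reload; logging at set time as well would be consistent. The enclosing Firewall method starts before this hunk and continues after it.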
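Review bot: The fallback written by the new validation block in firewalld_conf.py is `str(config.FALLBACK_ALLOW_ZONE_DRIFTING)`, which with `FALLBACK_ALLOW_ZONE_DRIFTING = False` is the string "False", whereas the read-failure path a few lines earlier in the same patch and the shipped firewalld.conf/man page use "yes"/"no"; once `write()` persists it the file carries a value outside the documented vocabulary. Use the same expression in both places: `self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no")`. It happens to parse today only because fw.py lower-cases and accepts "false", and the rest of the code should not depend on that. The enclosing read method starts outside this hunk.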
@@ -0,0 +1,125 @@ +From 62f42ba84c51cd836619ee2c11bd61802d1ff064 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Sun, 19 Jan 2020 14:37:31 -0500 +Subject: [PATCH 124/127] feat: nftables: support AllowZoneDrifting=yes + +(cherry picked from commit 517a061c5886f2ebfb4aa7d73804aa7f3c5a3004) +(cherry picked from commit 618cd7e8612be216956aea278b798b32c067f933) +--- + src/firewall/core/nftables.py | 47 ++++++++++++++++++++++------------- + 1 file changed, 30 insertions(+), 17 deletions(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 0317d820389f..a559dc64c466 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -199,8 +199,11 @@ class nftables(object): + + index = zone_source_index_cache[family].index(zone_source) + else: +- index = len(zone_source_index_cache[family]) +- ++ if self._fw._allow_zone_drifting: ++ index = 0 ++ else: ++ index = len(zone_source_index_cache[family]) ++ + if index == 0: + rule[0] = "insert" + else: +@@ -411,9 +414,10 @@ class nftables(object): + IPTABLES_TO_NFT_HOOK["raw"][chain][0], + IPTABLES_TO_NFT_HOOK["raw"][chain][1])) + +- default_rules.append("add chain inet %s raw_%s_ZONES" % (TABLE_NAME, chain)) +- default_rules.append("add rule inet %s raw_%s jump raw_%s_ZONES" % (TABLE_NAME, chain, chain)) +- OUR_CHAINS["inet"]["raw"].update(set(["%s_ZONES" % chain])) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules.append("add chain inet %s raw_%s_%s" % (TABLE_NAME, chain, dispatch_suffix)) ++ default_rules.append("add rule inet %s raw_%s jump raw_%s_%s" % (TABLE_NAME, chain, chain, dispatch_suffix)) ++ OUR_CHAINS["inet"]["raw"].update(set(["%s_%s" % (chain, dispatch_suffix)])) + + OUR_CHAINS["inet"]["mangle"] = set() + for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys(): +@@ -422,9 +426,10 @@ class nftables(object): + IPTABLES_TO_NFT_HOOK["mangle"][chain][0], + IPTABLES_TO_NFT_HOOK["mangle"][chain][1])) + 
+- default_rules.append("add chain inet %s mangle_%s_ZONES" % (TABLE_NAME, chain)) +- default_rules.append("add rule inet %s mangle_%s jump mangle_%s_ZONES" % (TABLE_NAME, chain, chain)) +- OUR_CHAINS["inet"]["mangle"].update(set(["%s_ZONES" % chain])) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules.append("add chain inet %s mangle_%s_%s" % (TABLE_NAME, chain, dispatch_suffix)) ++ default_rules.append("add rule inet %s mangle_%s jump mangle_%s_%s" % (TABLE_NAME, chain, chain, dispatch_suffix)) ++ OUR_CHAINS["inet"]["mangle"].update(set(["%s_%s" % (chain, dispatch_suffix)])) + + OUR_CHAINS["ip"]["nat"] = set() + OUR_CHAINS["ip6"]["nat"] = set() +@@ -435,9 +440,10 @@ class nftables(object): + IPTABLES_TO_NFT_HOOK["nat"][chain][0], + IPTABLES_TO_NFT_HOOK["nat"][chain][1])) + +- default_rules.append("add chain %s %s nat_%s_ZONES" % (family, TABLE_NAME, chain)) +- default_rules.append("add rule %s %s nat_%s jump nat_%s_ZONES" % (family, TABLE_NAME, chain, chain)) +- OUR_CHAINS[family]["nat"].update(set(["%s_ZONES" % chain])) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules.append("add chain %s %s nat_%s_%s" % (family, TABLE_NAME, chain, dispatch_suffix)) ++ default_rules.append("add rule %s %s nat_%s jump nat_%s_%s" % (family, TABLE_NAME, chain, chain, dispatch_suffix)) ++ OUR_CHAINS[family]["nat"].update(set(["%s_%s" % (chain, dispatch_suffix)])) + + OUR_CHAINS["inet"]["filter"] = set() + for chain in IPTABLES_TO_NFT_HOOK["filter"].keys(): +@@ -447,10 +453,11 @@ class nftables(object): + IPTABLES_TO_NFT_HOOK["filter"][chain][1])) + + # filter, INPUT +- default_rules.append("add chain inet %s filter_%s_ZONES" % (TABLE_NAME, "INPUT")) + default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "INPUT")) + default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, 
"INPUT")) +- default_rules.append("add rule inet %s filter_%s jump filter_%s_ZONES" % (TABLE_NAME, "INPUT", "INPUT")) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules.append("add chain inet %s filter_%s_%s" % (TABLE_NAME, "INPUT", dispatch_suffix)) ++ default_rules.append("add rule inet %s filter_%s jump filter_%s_%s" % (TABLE_NAME, "INPUT", "INPUT", dispatch_suffix)) + if log_denied != "off": + default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "INPUT")) + default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "INPUT")) +@@ -460,11 +467,12 @@ class nftables(object): + + # filter, FORWARD + default_rules.append("add chain inet %s filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD")) +- default_rules.append("add chain inet %s filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD")) + default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "FORWARD")) + default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "FORWARD")) +- default_rules.append("add rule inet %s filter_%s jump filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD")) +- default_rules.append("add rule inet %s filter_%s jump filter_%s_OUT_ZONES" % (TABLE_NAME, "FORWARD", "FORWARD")) ++ for direction in ["IN", "OUT"]: ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules.append("add chain inet %s filter_%s_%s_%s" % (TABLE_NAME, "FORWARD", direction, dispatch_suffix)) ++ default_rules.append("add rule inet %s filter_%s jump filter_%s_%s_%s" % (TABLE_NAME, "FORWARD", "FORWARD", direction, dispatch_suffix)) + if log_denied != "off": + default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "FORWARD")) + default_rules.append("add 
rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "FORWARD")) +@@ -566,6 +574,11 @@ class nftables(object): + "OUTPUT": "daddr", + }[chain] + ++ if self._fw._allow_zone_drifting: ++ zone_dispatch_chain = "%s_%s_ZONES_SOURCE" % (table, chain) ++ else: ++ zone_dispatch_chain = "%s_%s_ZONES" % (table, chain) ++ + target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) + action = "goto" + +@@ -585,7 +598,7 @@ class nftables(object): + rule_family = "ip6" + + rule = [add_del, "rule", family, "%s" % TABLE_NAME, +- "%s_%s_ZONES" % (table, chain), ++ zone_dispatch_chain, + "%%ZONE_SOURCE%%", zone, + rule_family, opt, address, action, "%s_%s" % (table, target)] + return [rule] +-- +2.23.0 + diff --git a/SOURCES/0125-feat-ipXtables-support-AllowZoneDrifting-yes.patch b/SOURCES/0125-feat-ipXtables-support-AllowZoneDrifting-yes.patch new file mode 100644 index 0000000..daea599 --- /dev/null +++ b/SOURCES/0125-feat-ipXtables-support-AllowZoneDrifting-yes.patch 
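Review bot: The ordering that makes AllowZoneDrifting work in nftables.py is load-bearing but undocumented: every dispatch loop iterates `["ZONES_SOURCE", "ZONES"]` so the base chain jumps to the source dispatch first, and because zone-source rules enter the zone chain with `action = "goto"` (visible at the end of this patch) a source zone that returns without a verdict unwinds to the base chain and only then reaches the interface/default dispatch; reversing that list would silently change which zone wins. The expression `["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]` is also copied six times here; I'd hoist it into one private helper on the class and put the explanation there, e.g. `# ZONES_SOURCE must be jumped before ZONES: zone chains are entered via goto, so a source zone with no verdict returns here and then drifts into the interface/default zone dispatch.` Separately, with drifting enabled `index = 0` turns every new source rule into an `insert` at the head of ZONES_SOURCE, which appears to make overlapping source rules match most-recently-added-first rather than in addition order; if that is intended it deserves a comment at that site. The functions touched start and end outside these hunks.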
@@ -0,0 +1,178 @@ +From 232d0b6547bcbc5c213741deb721ff453f5e9e8d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Sun, 19 Jan 2020 16:16:59 -0500 +Subject: [PATCH 125/127] feat: ipXtables: support AllowZoneDrifting=yes + +(cherry picked from commit 1f7b5ffcd40daf2a7f2ef1ec0cccb95080e74fb6) +(cherry picked from commit bc274c9bcf8b704338a1c597f580cf2c85f9fbac) +--- + src/firewall/core/ipXtables.py | 93 +++++++++++++++++++--------------- + 1 file changed, 51 insertions(+), 42 deletions(-) + +diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py +index b0a4c5e1c161..8f39fecc6132 100644 +--- a/src/firewall/core/ipXtables.py ++++ b/src/firewall/core/ipXtables.py +@@ -321,8 +321,11 @@ class ip4tables(object): + + index = zone_source_index_cache.index(zone_source) + else: +- index = len(zone_source_index_cache) +- ++ if self._fw._allow_zone_drifting: ++ index = 0 ++ else: ++ index = len(zone_source_index_cache) ++ + rule[0] = "-I" + rule.insert(2, "%d" % (index + 1)) + +@@ -577,9 +580,10 @@ class ip4tables(object): + self.our_chains["raw"].add("%s_direct" % chain) + + if chain == "PREROUTING": +- default_rules["raw"].append("-N %s_ZONES" % chain) +- default_rules["raw"].append("-A %s -j %s_ZONES" % (chain, chain)) +- self.our_chains["raw"].update(set(["%s_ZONES" % chain])) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules["raw"].append("-N %s_%s" % (chain, dispatch_suffix)) ++ default_rules["raw"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix)) ++ self.our_chains["raw"].update(set(["%s_%s" % (chain, dispatch_suffix)])) + + if self.get_available_tables("mangle"): + default_rules["mangle"] = [ ] +@@ -590,9 +594,10 @@ class ip4tables(object): + self.our_chains["mangle"].add("%s_direct" % chain) + + if chain == "PREROUTING": +- default_rules["mangle"].append("-N %s_ZONES" % chain) +- default_rules["mangle"].append("-A %s -j %s_ZONES" % (chain, chain)) +- 
self.our_chains["mangle"].update(set(["%s_ZONES" % chain])) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules["mangle"].append("-N %s_%s" % (chain, dispatch_suffix)) ++ default_rules["mangle"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix)) ++ self.our_chains["mangle"].update(set(["%s_%s" % (chain, dispatch_suffix)])) + + if self.get_available_tables("nat"): + default_rules["nat"] = [ ] +@@ -603,19 +608,22 @@ class ip4tables(object): + self.our_chains["nat"].add("%s_direct" % chain) + + if chain in [ "PREROUTING", "POSTROUTING" ]: +- default_rules["nat"].append("-N %s_ZONES" % chain) +- default_rules["nat"].append("-A %s -j %s_ZONES" % (chain, chain)) +- self.our_chains["nat"].update(set(["%s_ZONES" % chain])) +- +- default_rules["filter"] = [ +- "-N INPUT_direct", +- "-N INPUT_ZONES", +- +- "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT", +- "-A INPUT -i lo -j ACCEPT", +- "-A INPUT -j INPUT_direct", +- "-A INPUT -j INPUT_ZONES", +- ] ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules["nat"].append("-N %s_%s" % (chain, dispatch_suffix)) ++ default_rules["nat"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix)) ++ self.our_chains["nat"].update(set(["%s_%s" % (chain, dispatch_suffix)])) ++ ++ default_rules["filter"] = [] ++ self.our_chains["filter"] = set() ++ default_rules["filter"].append("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT") ++ default_rules["filter"].append("-A INPUT -i lo -j ACCEPT") ++ default_rules["filter"].append("-N INPUT_direct") ++ default_rules["filter"].append("-A INPUT -j INPUT_direct") ++ self.our_chains["filter"].update(set("INPUT_direct")) ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules["filter"].append("-N INPUT_%s" % (dispatch_suffix)) ++ default_rules["filter"].append("-A INPUT -j 
INPUT_%s" % (dispatch_suffix)) ++ self.our_chains["filter"].update(set("INPUT_%s" % (dispatch_suffix))) + if log_denied != "off": + default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '") + default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID -j DROP") +@@ -623,17 +631,16 @@ class ip4tables(object): + default_rules["filter"].append("-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '") + default_rules["filter"].append("-A INPUT -j %%REJECT%%") + +- default_rules["filter"] += [ +- "-N FORWARD_direct", +- "-N FORWARD_IN_ZONES", +- "-N FORWARD_OUT_ZONES", +- +- "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT", +- "-A FORWARD -i lo -j ACCEPT", +- "-A FORWARD -j FORWARD_direct", +- "-A FORWARD -j FORWARD_IN_ZONES", +- "-A FORWARD -j FORWARD_OUT_ZONES", +- ] ++ default_rules["filter"].append("-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT") ++ default_rules["filter"].append("-A FORWARD -i lo -j ACCEPT") ++ default_rules["filter"].append("-N FORWARD_direct") ++ default_rules["filter"].append("-A FORWARD -j FORWARD_direct") ++ self.our_chains["filter"].update(set("FORWARD_direct")) ++ for direction in ["IN", "OUT"]: ++ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: ++ default_rules["filter"].append("-N FORWARD_%s_%s" % (direction, dispatch_suffix)) ++ default_rules["filter"].append("-A FORWARD -j FORWARD_%s_%s" % (direction, dispatch_suffix)) ++ self.our_chains["filter"].update(set("FORWARD_%s_%s" % (direction, dispatch_suffix))) + if log_denied != "off": + default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '") + default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID -j DROP") +@@ -647,10 +654,7 @@ class ip4tables(object): + "-A OUTPUT -o lo -j ACCEPT", + "-A OUTPUT -j OUTPUT_direct", + ] +- +- 
self.our_chains["filter"] = set(["INPUT_direct", "INPUT_ZONES", +- "FORWARD_direct", "FORWARD_IN_ZONES", +- "FORWARD_OUT_ZONES", "OUTPUT_direct"]) ++ self.our_chains["filter"].update(set("OUTPUT_direct")) + + final_default_rules = [] + for table in default_rules: +@@ -717,6 +721,11 @@ class ip4tables(object): + "OUTPUT": "-d", + }[chain] + ++ if self._fw._allow_zone_drifting: ++ zone_dispatch_chain = "%s_ZONES_SOURCE" % (chain) ++ else: ++ zone_dispatch_chain = "%s_ZONES" % (chain) ++ + target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) + action = "-g" + +@@ -727,8 +736,8 @@ class ip4tables(object): + else: + opt = "src" + flags = ",".join([opt] * self._fw.ipset.get_dimension(name)) +- rule = [ add_del, +- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone, ++ rule = [ add_del, zone_dispatch_chain, ++ "%%ZONE_SOURCE%%", zone, + "-t", table, + "-m", "set", "--match-set", name, + flags, action, target ] +@@ -737,14 +746,14 @@ class ip4tables(object): + # outgoing can not be set + if opt == "-d": + return "" +- rule = [ add_del, +- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone, ++ rule = [ add_del, zone_dispatch_chain, ++ "%%ZONE_SOURCE%%", zone, + "-t", table, + "-m", "mac", "--mac-source", address.upper(), + action, target ] + else: +- rule = [ add_del, +- "%s_ZONES" % chain, "%%ZONE_SOURCE%%", zone, ++ rule = [ add_del, zone_dispatch_chain, ++ "%%ZONE_SOURCE%%", zone, + "-t", table, + opt, address, action, target ] + return [rule] +-- +2.23.0 + diff --git a/SOURCES/0126-test-verify-AllowZoneDrifting-yes.patch b/SOURCES/0126-test-verify-AllowZoneDrifting-yes.patch new file mode 100644 index 0000000..6f0295a --- /dev/null +++ b/SOURCES/0126-test-verify-AllowZoneDrifting-yes.patch 
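Review bot: `self.our_chains["filter"].update(set("INPUT_direct"))` in the rewritten filter setup of ipXtables.py registers the individual characters of the string, not the chain name, because `set()` over a `str` iterates its characters; the same slip is repeated for `"INPUT_%s" % (dispatch_suffix)`, `"FORWARD_direct"`, `"FORWARD_%s_%s" % (direction, dispatch_suffix)` and `"OUTPUT_direct"`, so after this patch `our_chains["filter"]` holds `{'I','N','P','U','T','_','d',...}` and none of the names the removed `set(["INPUT_direct", "INPUT_ZONES", ...])` literal used to register. Whatever consults `our_chains` to recognise firewalld-owned filter chains (its consumers are outside these hunks) will therefore stop matching them on the iptables/ip6tables backend, while the raw, mangle and nat branches in the same patch correctly wrap the name in a list. Use `.add(name)` (or `set([name])`) in all five places. The enclosing method starts before the first hunk and continues after the last.
```python
default_rules["filter"].append("-A INPUT -j INPUT_direct")
self.our_chains["filter"].add("INPUT_direct")
for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
    # … unchanged: -N / -A INPUT_%s rules …
    self.our_chains["filter"].add("INPUT_%s" % (dispatch_suffix))
# … unchanged: INPUT logging and reject rules …
self.our_chains["filter"].add("FORWARD_direct")
for direction in ["IN", "OUT"]:
    for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
        # … unchanged: -N / -A FORWARD_%s_%s rules …
        self.our_chains["filter"].add("FORWARD_%s_%s" % (direction, dispatch_suffix))
# … unchanged: OUTPUT rules …
self.our_chains["filter"].add("OUTPUT_direct")
```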
@@ -0,0 +1,937 @@ +From b9224e74d5d06290827365bad8ca187c9d06fd49 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Sun, 19 Jan 2020 16:49:14 -0500 +Subject: [PATCH 126/127] test: verify AllowZoneDrifting=yes + +Verify the zone dispatch layout. + +(cherry picked from commit bca4e6af91fc4c6a55f7c2bce9e4fe7bcee526a1) +(cherry picked from commit cd257ae4604b1666136ffb1e12924a5c1f74095f) +--- + src/tests/regression/gh258.at | 532 +++++++++++++++++++++++++--- + src/tests/regression/rhbz1734765.at | 181 +++++++++- + 2 files changed, 668 insertions(+), 45 deletions(-) + +diff --git a/src/tests/regression/gh258.at b/src/tests/regression/gh258.at +index 5671c37ba432..5c5c8db0126f 100644 +--- a/src/tests/regression/gh258.at ++++ b/src/tests/regression/gh258.at +@@ -1,12 +1,15 @@ + FWD_START_TEST([zone dispatch layout]) +-AT_KEYWORDS(zone gh258 gh441 rhbz1713823) ++AT_KEYWORDS(zone gh258 gh441 rhbz1713823 rhbz1772208 rhbz1796055) + +-FWD_CHECK([--zone=work --add-source="1.2.3.0/24"], 0, ignore) ++FWD_CHECK([--permanent --zone=trusted --add-source="1.2.3.0/24"], 0, ignore) + IF_HOST_SUPPORTS_IPV6_RULES([ +-FWD_CHECK([--zone=public --add-source="dead:beef::/54"], 0, ignore) ++FWD_CHECK([--permanent --zone=public --add-source="dead:beef::/54"], 0, ignore) + ]) +-FWD_CHECK([--zone=work --add-interface=dummy0], 0, ignore) +-FWD_CHECK([--zone=public --add-interface=dummy1], 0, ignore) ++FWD_CHECK([--permanent --zone=trusted --add-interface=dummy0], 0, ignore) ++FWD_CHECK([--permanent --zone=public --add-interface=dummy1], 0, ignore) ++ ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++FWD_RELOAD + + dnl verify layout of zone dispatch + m4_if(nftables, FIREWALL_BACKEND, [ +@@ -25,9 +28,9 @@ NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl + table inet firewalld { + chain filter_INPUT_ZONES { + ip6 saddr dead:beef::/54 goto filter_IN_public +- ip saddr 1.2.3.0/24 goto filter_IN_work ++ ip saddr 1.2.3.0/24 goto filter_IN_trusted ++ iifname 
"dummy0" goto filter_IN_trusted + iifname "dummy1" goto filter_IN_public +- iifname "dummy0" goto filter_IN_work + goto filter_IN_public + } + } +@@ -48,9 +51,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl + table inet firewalld { + chain filter_FORWARD_IN_ZONES { + ip6 saddr dead:beef::/54 goto filter_FWDI_public +- ip saddr 1.2.3.0/24 goto filter_FWDI_work ++ ip saddr 1.2.3.0/24 goto filter_FWDI_trusted ++ iifname "dummy0" goto filter_FWDI_trusted + iifname "dummy1" goto filter_FWDI_public +- iifname "dummy0" goto filter_FWDI_work + goto filter_FWDI_public + } + } +@@ -59,9 +62,9 @@ NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl + table inet firewalld { + chain filter_FORWARD_OUT_ZONES { + ip6 daddr dead:beef::/54 goto filter_FWDO_public +- ip daddr 1.2.3.0/24 goto filter_FWDO_work ++ ip daddr 1.2.3.0/24 goto filter_FWDO_trusted ++ oifname "dummy0" goto filter_FWDO_trusted + oifname "dummy1" goto filter_FWDO_public +- oifname "dummy0" goto filter_FWDO_work + goto filter_FWDO_public + } + } +@@ -89,9 +92,9 @@ NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl + table inet firewalld { + chain raw_PREROUTING_ZONES { + ip6 saddr dead:beef::/54 goto raw_PRE_public +- ip saddr 1.2.3.0/24 goto raw_PRE_work ++ ip saddr 1.2.3.0/24 goto raw_PRE_trusted ++ iifname "dummy0" goto raw_PRE_trusted + iifname "dummy1" goto raw_PRE_public +- iifname "dummy0" goto raw_PRE_work + goto raw_PRE_public + } + } +@@ -107,9 +110,9 @@ NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl + table inet firewalld { + chain mangle_PREROUTING_ZONES { + ip6 saddr dead:beef::/54 goto mangle_PRE_public +- ip saddr 1.2.3.0/24 goto mangle_PRE_work ++ ip saddr 1.2.3.0/24 goto mangle_PRE_trusted ++ iifname "dummy0" goto mangle_PRE_trusted + iifname "dummy1" goto mangle_PRE_public +- iifname "dummy0" goto mangle_PRE_work + goto mangle_PRE_public + } + } +@@ -124,9 +127,9 @@ NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl + NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 
0, [dnl + table ip firewalld { + chain nat_PREROUTING_ZONES { +- ip saddr 1.2.3.0/24 goto nat_PRE_work ++ ip saddr 1.2.3.0/24 goto nat_PRE_trusted ++ iifname "dummy0" goto nat_PRE_trusted + iifname "dummy1" goto nat_PRE_public +- iifname "dummy0" goto nat_PRE_work + goto nat_PRE_public + } + } +@@ -141,9 +144,9 @@ NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl + NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl + table ip firewalld { + chain nat_POSTROUTING_ZONES { +- ip daddr 1.2.3.0/24 goto nat_POST_work ++ ip daddr 1.2.3.0/24 goto nat_POST_trusted ++ oifname "dummy0" goto nat_POST_trusted + oifname "dummy1" goto nat_POST_public +- oifname "dummy0" goto nat_POST_work + goto nat_POST_public + } + } +@@ -159,8 +162,8 @@ NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl + table ip6 firewalld { + chain nat_PREROUTING_ZONES { + ip6 saddr dead:beef::/54 goto nat_PRE_public ++ iifname "dummy0" goto nat_PRE_trusted + iifname "dummy1" goto nat_PRE_public +- iifname "dummy0" goto nat_PRE_work + goto nat_PRE_public + } + } +@@ -176,8 +179,8 @@ NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl + table ip6 firewalld { + chain nat_POSTROUTING_ZONES { + ip6 daddr dead:beef::/54 goto nat_POST_public ++ oifname "dummy0" goto nat_POST_trusted + oifname "dummy1" goto nat_POST_public +- oifname "dummy0" goto nat_POST_work + goto nat_POST_public + } + } +@@ -193,9 +196,9 @@ IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl + REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited + ]) + IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, +- [[IN_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- IN_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl +@@ -208,15 +211,15 @@ IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl + REJECT all -- 
0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited + ]) + IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, +- [[FWDI_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- FWDI_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, +- [[FWDO_work all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++ [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++ FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- FWDO_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl +@@ -224,9 +227,9 @@ IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl + PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 + ]) + IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, +- [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl +@@ -234,9 +237,9 @@ IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl + PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 + ]) + IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, +- [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl +@@ -244,9 +247,9 @@ IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl + PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 + ]) + 
IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, +- [[PRE_work all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++ PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- PRE_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl +@@ -254,9 +257,9 @@ IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl + POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 + ]) + IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, +- [[POST_work all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++ [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++ POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] +- POST_work all -- 0.0.0.0/0 0.0.0.0/0 [goto] + POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] + ]]) + +@@ -270,8 +273,8 @@ IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl + ]) + IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, + [[IN_public all dead:beef::/54 ::/0 [goto] ++ IN_trusted all ::/0 ::/0 [goto] + IN_public all ::/0 ::/0 [goto] +- IN_work all ::/0 ::/0 [goto] + IN_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl +@@ -285,14 +288,14 @@ IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl + ]) + IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, + [[FWDI_public all dead:beef::/54 ::/0 [goto] ++ FWDI_trusted all ::/0 ::/0 [goto] + FWDI_public all ::/0 ::/0 [goto] +- FWDI_work all ::/0 ::/0 [goto] + FWDI_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, + [[FWDO_public all ::/0 dead:beef::/54 [goto] ++ FWDO_trusted all ::/0 ::/0 [goto] + FWDO_public all ::/0 ::/0 [goto] +- FWDO_work all ::/0 ::/0 [goto] + FWDO_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl +@@ -304,8 +307,8 @@ IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl + ]) + IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, 
+ [[PRE_public all dead:beef::/54 ::/0 [goto] ++ PRE_trusted all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +- PRE_work all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl +@@ -314,8 +317,8 @@ IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl + ]) + IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] ++ PRE_trusted all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +- PRE_work all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl +@@ -324,8 +327,8 @@ IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl + ]) + IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, + [[PRE_public all dead:beef::/54 ::/0 [goto] ++ PRE_trusted all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] +- PRE_work all ::/0 ::/0 [goto] + PRE_public all ::/0 ::/0 [goto] + ]]) + IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl +@@ -334,10 +337,453 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl + ]) + IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, + [[POST_public all ::/0 dead:beef::/54 [goto] ++ POST_trusted all ::/0 ::/0 [goto] + POST_public all ::/0 ::/0 [goto] +- POST_work all ::/0 ::/0 [goto] + POST_public all ::/0 ::/0 [goto] + ]]) + ]) + +-FWD_END_TEST ++dnl ########################################################################## ++dnl ########################################################################## ++dnl We also support zone drifting in which source based zones fall through to ++dnl interface based zones (including default zone). 
++dnl ########################################################################## ++dnl ########################################################################## ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf]) ++FWD_RELOAD ++ ++NFT_LIST_RULES([inet], [filter_INPUT], 0, [dnl ++ table inet firewalld { ++ chain filter_INPUT { ++ ct state established,related accept ++ iifname "lo" accept ++ jump filter_INPUT_ZONES_SOURCE ++ jump filter_INPUT_ZONES ++ ct state invalid drop ++ reject with icmpx type admin-prohibited ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain filter_INPUT_ZONES_SOURCE { ++ ip6 saddr dead:beef::/54 goto filter_IN_public ++ ip saddr 1.2.3.0/24 goto filter_IN_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl ++ table inet firewalld { ++ chain filter_INPUT_ZONES { ++ iifname "dummy0" goto filter_IN_trusted ++ iifname "dummy1" goto filter_IN_public ++ goto filter_IN_public ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_FORWARD], 0, [dnl ++ table inet firewalld { ++ chain filter_FORWARD { ++ ct state established,related accept ++ iifname "lo" accept ++ jump filter_FORWARD_IN_ZONES_SOURCE ++ jump filter_FORWARD_IN_ZONES ++ jump filter_FORWARD_OUT_ZONES_SOURCE ++ jump filter_FORWARD_OUT_ZONES ++ ct state invalid drop ++ reject with icmpx type admin-prohibited ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain filter_FORWARD_IN_ZONES_SOURCE { ++ ip6 saddr dead:beef::/54 goto filter_FWDI_public ++ ip saddr 1.2.3.0/24 goto filter_FWDI_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_FORWARD_IN_ZONES], 0, [dnl ++ table inet firewalld { ++ chain filter_FORWARD_IN_ZONES { ++ iifname "dummy0" goto filter_FWDI_trusted ++ iifname "dummy1" goto filter_FWDI_public ++ goto filter_FWDI_public ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES_SOURCE], 0, 
[dnl ++ table inet firewalld { ++ chain filter_FORWARD_OUT_ZONES_SOURCE { ++ ip6 daddr dead:beef::/54 goto filter_FWDO_public ++ ip daddr 1.2.3.0/24 goto filter_FWDO_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_FORWARD_OUT_ZONES], 0, [dnl ++ table inet firewalld { ++ chain filter_FORWARD_OUT_ZONES { ++ oifname "dummy0" goto filter_FWDO_trusted ++ oifname "dummy1" goto filter_FWDO_public ++ goto filter_FWDO_public ++ } ++ } ++]) ++IF_HOST_SUPPORTS_NFT_FIB([ ++ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl ++ table inet firewalld { ++ chain raw_PREROUTING { ++ icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept ++ meta nfproto ipv6 fib saddr . iif oif missing drop ++ jump raw_PREROUTING_ZONES_SOURCE ++ jump raw_PREROUTING_ZONES ++ } ++ } ++ ]) ++], [ ++ NFT_LIST_RULES([inet], [raw_PREROUTING], 0, [dnl ++ table inet firewalld { ++ chain raw_PREROUTING { ++ jump raw_PREROUTING_ZONES_SOURCE ++ jump raw_PREROUTING_ZONES ++ } ++ } ++ ]) ++]) ++NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain raw_PREROUTING_ZONES_SOURCE { ++ ip6 saddr dead:beef::/54 goto raw_PRE_public ++ ip saddr 1.2.3.0/24 goto raw_PRE_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [raw_PREROUTING_ZONES], 0, [dnl ++ table inet firewalld { ++ chain raw_PREROUTING_ZONES { ++ iifname "dummy0" goto raw_PRE_trusted ++ iifname "dummy1" goto raw_PRE_public ++ goto raw_PRE_public ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [mangle_PREROUTING], 0, [dnl ++ table inet firewalld { ++ chain mangle_PREROUTING { ++ jump mangle_PREROUTING_ZONES_SOURCE ++ jump mangle_PREROUTING_ZONES ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain mangle_PREROUTING_ZONES_SOURCE { ++ ip6 saddr dead:beef::/54 goto mangle_PRE_public ++ ip saddr 1.2.3.0/24 goto mangle_PRE_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [mangle_PREROUTING_ZONES], 0, [dnl ++ table inet firewalld { ++ chain 
mangle_PREROUTING_ZONES { ++ iifname "dummy0" goto mangle_PRE_trusted ++ iifname "dummy1" goto mangle_PRE_public ++ goto mangle_PRE_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_PREROUTING], 0, [dnl ++ table ip firewalld { ++ chain nat_PREROUTING { ++ jump nat_PREROUTING_ZONES_SOURCE ++ jump nat_PREROUTING_ZONES ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl ++ table ip firewalld { ++ chain nat_PREROUTING_ZONES_SOURCE { ++ ip saddr 1.2.3.0/24 goto nat_PRE_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_PREROUTING_ZONES], 0, [dnl ++ table ip firewalld { ++ chain nat_PREROUTING_ZONES { ++ iifname "dummy0" goto nat_PRE_trusted ++ iifname "dummy1" goto nat_PRE_public ++ goto nat_PRE_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_POSTROUTING], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING { ++ jump nat_POSTROUTING_ZONES_SOURCE ++ jump nat_POSTROUTING_ZONES ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING_ZONES_SOURCE { ++ ip daddr 1.2.3.0/24 goto nat_POST_trusted ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING_ZONES { ++ oifname "dummy0" goto nat_POST_trusted ++ oifname "dummy1" goto nat_POST_public ++ goto nat_POST_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_PREROUTING], 0, [dnl ++ table ip6 firewalld { ++ chain nat_PREROUTING { ++ jump nat_PREROUTING_ZONES_SOURCE ++ jump nat_PREROUTING_ZONES ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES_SOURCE], 0, [dnl ++ table ip6 firewalld { ++ chain nat_PREROUTING_ZONES_SOURCE { ++ ip6 saddr dead:beef::/54 goto nat_PRE_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_PREROUTING_ZONES], 0, [dnl ++ table ip6 firewalld { ++ chain nat_PREROUTING_ZONES { ++ iifname "dummy0" goto nat_PRE_trusted ++ iifname "dummy1" goto nat_PRE_public ++ goto nat_PRE_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING], 
0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING { ++ jump nat_POSTROUTING_ZONES_SOURCE ++ jump nat_POSTROUTING_ZONES ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING_ZONES_SOURCE { ++ ip6 daddr dead:beef::/54 goto nat_POST_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING_ZONES { ++ oifname "dummy0" goto nat_POST_trusted ++ oifname "dummy1" goto nat_POST_public ++ goto nat_POST_public ++ } ++ } ++]) ++ ++IPTABLES_LIST_RULES([filter], [INPUT], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++ INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID ++ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ++]) ++IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, ++ [[IN_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, ++ [[IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [FORWARD], 0, [dnl ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED ++ ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ++ FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++ FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++ DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID ++ REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited ++]) ++IPTABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0, ++ [[FWDI_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], 
[FORWARD_IN_ZONES], 0, ++ [[FWDI_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES_SOURCE], 0, ++ [[FWDO_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, ++ [[FWDO_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl ++ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl ++ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl ++ PREROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ PREROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_trusted all -- 1.2.3.0/24 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all -- 0.0.0.0/0 0.0.0.0/0 
[goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ PRE_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl ++ POSTROUTING_direct all -- 0.0.0.0/0 0.0.0.0/0 ++ POSTROUTING_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0 ++ POSTROUTING_ZONES all -- 0.0.0.0/0 0.0.0.0/0 ++]) ++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, ++ [[POST_trusted all -- 0.0.0.0/0 1.2.3.0/24 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, ++ [[POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++ ++IP6TABLES_LIST_RULES([filter], [INPUT], 0, [dnl ++ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED ++ ACCEPT all ::/0 ::/0 ++ INPUT_direct all ::/0 ::/0 ++ INPUT_ZONES_SOURCE all ::/0 ::/0 ++ INPUT_ZONES all ::/0 ::/0 ++ DROP all ::/0 ::/0 ctstate INVALID ++ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited ++]) ++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, ++ [[IN_public all dead:beef::/54 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, ++ [[IN_trusted all ::/0 ::/0 [goto] ++ IN_public all ::/0 ::/0 [goto] ++ IN_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [FORWARD], 0, [dnl ++ ACCEPT all ::/0 ::/0 ctstate RELATED,ESTABLISHED ++ ACCEPT all ::/0 ::/0 ++ FORWARD_direct all ::/0 ::/0 ++ FORWARD_IN_ZONES_SOURCE all ::/0 ::/0 ++ FORWARD_IN_ZONES all ::/0 ::/0 ++ FORWARD_OUT_ZONES_SOURCE all ::/0 ::/0 ++ FORWARD_OUT_ZONES all ::/0 ::/0 ++ DROP all ::/0 ::/0 ctstate INVALID ++ REJECT all ::/0 ::/0 reject-with icmp6-adm-prohibited ++]) ++IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES_SOURCE], 0, ++ [[FWDI_public all dead:beef::/54 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [FORWARD_IN_ZONES], 0, ++ [[FWDI_trusted all ::/0 ::/0 [goto] ++ FWDI_public all ::/0 ::/0 [goto] ++ FWDI_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], 
[FORWARD_OUT_ZONES_SOURCE], 0, ++ [[FWDO_public all ::/0 dead:beef::/54 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [FORWARD_OUT_ZONES], 0, ++ [[FWDO_trusted all ::/0 ::/0 [goto] ++ FWDO_public all ::/0 ::/0 [goto] ++ FWDO_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([raw], [PREROUTING], 0, [dnl ++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 134 ++ ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 135 ++ DROP all ::/0 ::/0 rpfilter invert ++ PREROUTING_direct all ::/0 ::/0 ++ PREROUTING_ZONES_SOURCE all ::/0 ::/0 ++ PREROUTING_ZONES all ::/0 ::/0 ++]) ++IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_public all dead:beef::/54 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([raw], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([mangle], [PREROUTING], 0, [dnl ++ PREROUTING_direct all ::/0 ::/0 ++ PREROUTING_ZONES_SOURCE all ::/0 ::/0 ++ PREROUTING_ZONES all ::/0 ::/0 ++]) ++IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_public all dead:beef::/54 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([mangle], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [PREROUTING], 0, [dnl ++ PREROUTING_direct all ::/0 ::/0 ++ PREROUTING_ZONES_SOURCE all ::/0 ::/0 ++ PREROUTING_ZONES all ::/0 ::/0 ++]) ++IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES_SOURCE], 0, ++ [[PRE_public all dead:beef::/54 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [PREROUTING_ZONES], 0, ++ [[PRE_trusted all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++ PRE_public all ::/0 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [POSTROUTING], 0, [dnl ++ POSTROUTING_direct all ::/0 ::/0 ++ POSTROUTING_ZONES_SOURCE all ::/0 ::/0 ++ POSTROUTING_ZONES all ::/0 ::/0 ++]) ++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, ++ [[POST_public all ::/0 
dead:beef::/54 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, ++ [[POST_trusted all ::/0 ::/0 [goto] ++ POST_public all ::/0 ::/0 [goto] ++ POST_public all ::/0 ::/0 [goto] ++]]) ++ ++FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d']) +diff --git a/src/tests/regression/rhbz1734765.at b/src/tests/regression/rhbz1734765.at +index 276c1e433025..60cd18a6a6ea 100644 +--- a/src/tests/regression/rhbz1734765.at ++++ b/src/tests/regression/rhbz1734765.at +@@ -1,9 +1,12 @@ + FWD_START_TEST([zone sources ordered by name]) +-AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545) ++AT_KEYWORDS(zone rhbz1734765 rhbz1421222 gh166 rhbz1738545 rhbz1772208 rhbz1796055) + dnl + dnl Users depend on firewalld ordering source-based zone dispatch by zone name. + dnl + ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf]) ++FWD_RELOAD ++ + FWD_CHECK([-q --permanent --new-zone=foobar_00]) + FWD_CHECK([-q --permanent --new-zone=foobar_05]) + FWD_CHECK([-q --permanent --new-zone=foobar_02]) +@@ -199,4 +202,178 @@ IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, + ]]) + ]) + +-FWD_END_TEST ++dnl ########################################################################## ++dnl ########################################################################## ++dnl We also support zone drifting in which source based zones fall through to ++dnl interface based zones (including default zone). So make sure the zones are ++dnl sorted by name in this mode. 
++dnl ########################################################################## ++dnl ########################################################################## ++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=yes/' ./firewalld.conf]) ++FWD_RELOAD ++ ++FWD_CHECK([-q --zone=foobar_010 --add-source="10.10.10.10"]) ++FWD_CHECK([-q --zone=public --add-source="20.20.20.20"]) ++IF_HOST_SUPPORTS_IPV6_RULES([ ++FWD_CHECK([-q --zone=foobar_010 --add-source="1234:5678::10:10:10"]) ++FWD_CHECK([-q --zone=public --add-source="1234:5678::20:20:20"]) ++FWD_CHECK([-q --zone=foobar_012 --add-source ipset:ipsetv6]) ++]) ++FWD_CHECK([-q --zone=foobar_010 --add-interface=foobar2]) ++ ++NFT_LIST_RULES([inet], [filter_INPUT_ZONES_SOURCE], 0, [dnl ++ table inet firewalld { ++ chain filter_INPUT_ZONES_SOURCE { ++ ip saddr 10.1.1.1 goto filter_IN_foobar_00 ++ ip6 saddr 1234:5678::1:1:1 goto filter_IN_foobar_00 ++ ip saddr 10.1.1.0/24 goto filter_IN_foobar_01 ++ ip6 saddr 1234:5678::1:1:0/112 goto filter_IN_foobar_01 ++ ip saddr 10.10.10.10 goto filter_IN_foobar_010 ++ ip6 saddr 1234:5678::10:10:10 goto filter_IN_foobar_010 ++ ip saddr @ipsetv4 goto filter_IN_foobar_011 ++ ip6 saddr @ipsetv6 goto filter_IN_foobar_012 ++ ip saddr 10.1.0.0/16 goto filter_IN_foobar_02 ++ ip6 saddr 1234:5678::1:0:0/96 goto filter_IN_foobar_02 ++ ip saddr 10.2.2.0/24 goto filter_IN_foobar_03 ++ ip6 saddr 1234:5678::2:2:0/112 goto filter_IN_foobar_03 ++ ip saddr 10.2.0.0/16 goto filter_IN_foobar_04 ++ ip6 saddr 1234:5678::2:0:0/96 goto filter_IN_foobar_04 ++ ip saddr 10.0.0.0/8 goto filter_IN_foobar_05 ++ ip6 saddr 1234:5678::/80 goto filter_IN_foobar_05 ++ ip saddr 20.20.20.20 goto filter_IN_public ++ ip6 saddr 1234:5678::20:20:20 goto filter_IN_public ++ } ++ } ++]) ++NFT_LIST_RULES([inet], [filter_INPUT_ZONES], 0, [dnl ++ table inet firewalld { ++ chain filter_INPUT_ZONES { ++ iifname "foobar2" goto filter_IN_foobar_010 ++ iifname "foobar1" goto filter_IN_trusted ++ iifname "foobar0" goto 
filter_IN_internal ++ goto filter_IN_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING_ZONES_SOURCE { ++ ip daddr 10.1.1.1 goto nat_POST_foobar_00 ++ ip daddr 10.1.1.0/24 goto nat_POST_foobar_01 ++ ip daddr 10.10.10.10 goto nat_POST_foobar_010 ++ ip daddr @ipsetv4 goto nat_POST_foobar_011 ++ ip daddr 10.1.0.0/16 goto nat_POST_foobar_02 ++ ip daddr 10.2.2.0/24 goto nat_POST_foobar_03 ++ ip daddr 10.2.0.0/16 goto nat_POST_foobar_04 ++ ip daddr 10.0.0.0/8 goto nat_POST_foobar_05 ++ ip daddr 20.20.20.20 goto nat_POST_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES], 0, [dnl ++ table ip firewalld { ++ chain nat_POSTROUTING_ZONES { ++ oifname "foobar2" goto nat_POST_foobar_010 ++ oifname "foobar1" goto nat_POST_trusted ++ oifname "foobar0" goto nat_POST_internal ++ goto nat_POST_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING_ZONES_SOURCE { ++ ip6 daddr 1234:5678::1:1:1 goto nat_POST_foobar_00 ++ ip6 daddr 1234:5678::1:1:0/112 goto nat_POST_foobar_01 ++ ip6 daddr 1234:5678::10:10:10 goto nat_POST_foobar_010 ++ ip6 daddr @ipsetv6 goto nat_POST_foobar_012 ++ ip6 daddr 1234:5678::1:0:0/96 goto nat_POST_foobar_02 ++ ip6 daddr 1234:5678::2:2:0/112 goto nat_POST_foobar_03 ++ ip6 daddr 1234:5678::2:0:0/96 goto nat_POST_foobar_04 ++ ip6 daddr 1234:5678::/80 goto nat_POST_foobar_05 ++ ip6 daddr 1234:5678::20:20:20 goto nat_POST_public ++ } ++ } ++]) ++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES], 0, [dnl ++ table ip6 firewalld { ++ chain nat_POSTROUTING_ZONES { ++ oifname "foobar2" goto nat_POST_foobar_010 ++ oifname "foobar1" goto nat_POST_trusted ++ oifname "foobar0" goto nat_POST_internal ++ goto nat_POST_public ++ } ++ } ++]) ++ ++IPTABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, ++ [[IN_foobar_00 all -- 10.1.1.1 0.0.0.0/0 [goto] ++ IN_foobar_01 all -- 10.1.1.0/24 0.0.0.0/0 [goto] 
++ IN_foobar_010 all -- 10.10.10.10 0.0.0.0/0 [goto] ++ IN_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 src ++ IN_foobar_02 all -- 10.1.0.0/16 0.0.0.0/0 [goto] ++ IN_foobar_03 all -- 10.2.2.0/24 0.0.0.0/0 [goto] ++ IN_foobar_04 all -- 10.2.0.0/16 0.0.0.0/0 [goto] ++ IN_foobar_05 all -- 10.0.0.0/8 0.0.0.0/0 [goto] ++ IN_public all -- 20.20.20.20 0.0.0.0/0 [goto] ++]]) ++IPTABLES_LIST_RULES([filter], [INPUT_ZONES], 0, ++ [[IN_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ IN_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ IN_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES_SOURCE], 0, ++ [[IN_foobar_00 all 1234:5678::1:1:1 ::/0 [goto] ++ IN_foobar_01 all 1234:5678::1:1:0/112 ::/0 [goto] ++ IN_foobar_010 all 1234:5678::10:10:10 ::/0 [goto] ++ IN_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 src ++ IN_foobar_02 all 1234:5678::1:0:0/96 ::/0 [goto] ++ IN_foobar_03 all 1234:5678::2:2:0/112 ::/0 [goto] ++ IN_foobar_04 all 1234:5678::2:0:0/96 ::/0 [goto] ++ IN_foobar_05 all 1234:5678::/80 ::/0 [goto] ++ IN_public all 1234:5678::20:20:20 ::/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([filter], [INPUT_ZONES], 0, ++ [[IN_foobar_010 all ::/0 ::/0 [goto] ++ IN_trusted all ::/0 ::/0 [goto] ++ IN_internal all ::/0 ::/0 [goto] ++ IN_public all ::/0 ::/0 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, ++ [[POST_foobar_00 all -- 0.0.0.0/0 10.1.1.1 [goto] ++ POST_foobar_01 all -- 0.0.0.0/0 10.1.1.0/24 [goto] ++ POST_foobar_010 all -- 0.0.0.0/0 10.10.10.10 [goto] ++ POST_foobar_011 all -- 0.0.0.0/0 0.0.0.0/0 [goto] match-set ipsetv4 dst ++ POST_foobar_02 all -- 0.0.0.0/0 10.1.0.0/16 [goto] ++ POST_foobar_03 all -- 0.0.0.0/0 10.2.2.0/24 [goto] ++ POST_foobar_04 all -- 0.0.0.0/0 10.2.0.0/16 [goto] ++ POST_foobar_05 all -- 0.0.0.0/0 10.0.0.0/8 [goto] ++ POST_public all -- 0.0.0.0/0 20.20.20.20 [goto] ++]]) ++IPTABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, 
++ [[POST_foobar_010 all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ POST_trusted all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ POST_internal all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++ POST_public all -- 0.0.0.0/0 0.0.0.0/0 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES_SOURCE], 0, ++ [[POST_foobar_00 all ::/0 1234:5678::1:1:1 [goto] ++ POST_foobar_01 all ::/0 1234:5678::1:1:0/112 [goto] ++ POST_foobar_010 all ::/0 1234:5678::10:10:10 [goto] ++ POST_foobar_012 all ::/0 ::/0 [goto] match-set ipsetv6 dst ++ POST_foobar_02 all ::/0 1234:5678::1:0:0/96 [goto] ++ POST_foobar_03 all ::/0 1234:5678::2:2:0/112 [goto] ++ POST_foobar_04 all ::/0 1234:5678::2:0:0/96 [goto] ++ POST_foobar_05 all ::/0 1234:5678::/80 [goto] ++ POST_public all ::/0 1234:5678::20:20:20 [goto] ++]]) ++IP6TABLES_LIST_RULES([nat], [POSTROUTING_ZONES], 0, ++ [[POST_foobar_010 all ::/0 ::/0 [goto] ++ POST_trusted all ::/0 ::/0 [goto] ++ POST_internal all ::/0 ::/0 [goto] ++ POST_public all ::/0 ::/0 [goto] ++]]) ++ ++FWD_END_TEST([-e '/WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now./d' dnl ++ -e '/WARNING: ZONE_ALREADY_SET:/d']) +-- +2.23.0 + diff --git a/SOURCES/0127-RHEL-only-default-to-AllowZoneDrifting-yes.patch b/SOURCES/0127-RHEL-only-default-to-AllowZoneDrifting-yes.patch new file mode 100644 index 0000000..79e0220 --- /dev/null +++ b/SOURCES/0127-RHEL-only-default-to-AllowZoneDrifting-yes.patch 
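Review bot: The `sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf` steps added to gh258.at and rhbz1734765.at (and their `=yes` counterparts) succeed even when no `AllowZoneDrifting` line exists, so a missing or renamed key is not caught where it goes wrong; the daemon stays on its compiled-in default and the failure only surfaces later as a layout mismatch that is hard to attribute. Following each sed with `AT_CHECK([grep -q '^AllowZoneDrifting=no$' ./firewalld.conf])` (or `=yes` for the second section) pins the mode the listing assertions depend on. The `=yes` listings are otherwise consistent with the comment block: every `_ZONES_SOURCE` chain carries only source `goto` rules and no terminal rule, which is the fall-through into the interface-based `_ZONES` chain being verified.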
@@ -0,0 +1,114 @@
+From 1a751e61031808fb05ec0d01ae6db03eea9ddee4 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 4 Feb 2020 09:12:17 -0500
+Subject: [PATCH 127/127] RHEL only: default to AllowZoneDrifting=yes
+
+---
+ config/firewalld.conf | 4 ++--
+ doc/xml/firewalld.conf.xml | 2 +-
+ doc/xml/firewalld.dbus.xml | 2 +-
+ src/firewall/config/__init__.py.in | 2 +-
+ src/tests/dbus/firewalld.conf.at | 4 ++--
+ src/tests/functions.at | 1 +
+ src/tests/regression/rhbz1514043.at | 5 +++++
+ 7 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index 02be07b9b892..1854f3795e0a 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -65,5 +65,5 @@ AutomaticHelpers=system
+ # Note: If "yes" packets will only drift from source based zones to interface
+ # based zones (including the default zone). Packets never drift from interface
+ # based zones to other interfaces based zones (including the default zone).
+-# Possible values; "yes", "no". Defaults to "no".
+-AllowZoneDrifting=no
++# Possible values; "yes", "no". Defaults to "yes".
++AllowZoneDrifting=yes
+diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml
+index 9d8017df3112..8dff74152cd1 100644
+--- a/doc/xml/firewalld.conf.xml
++++ b/doc/xml/firewalld.conf.xml
+@@ -158,7 +158,7 @@
+ to interface based zones (including the default zone). Packets
+ never drift from interface based zones to other interfaces
+ based zones (including the default zone).
+- Valid values; "yes", "no". Defaults to "no".
++ Valid values; "yes", "no". Defaults to "yes".
+ 
+ 
+ 
+diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
+index ea0be9cefd1c..afd2c7bba401 100644
+--- a/doc/xml/firewalld.dbus.xml
++++ b/doc/xml/firewalld.dbus.xml
+@@ -2571,7 +2571,7 @@
+ to interface based zones (including the default zone). Packets
+ never drift from interface based zones to other interfaces
+ based zones (including the default zone).
+- Valid values; "yes", "no". Defaults to "no".
++ Valid values; "yes", "no". Defaults to "yes".
+ 
+ 
+ 
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 3926c8fdb3a3..561ea3f34325 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -128,4 +128,4 @@ FALLBACK_INDIVIDUAL_CALLS = False
+ FALLBACK_LOG_DENIED = "off"
+ FALLBACK_AUTOMATIC_HELPERS = "system"
+ FALLBACK_FIREWALL_BACKEND = "iptables"
+-FALLBACK_ALLOW_ZONE_DRIFTING = False
++FALLBACK_ALLOW_ZONE_DRIFTING = True
+diff --git a/src/tests/dbus/firewalld.conf.at b/src/tests/dbus/firewalld.conf.at
+index 0884e21b6368..8ed00f84e158 100644
+--- a/src/tests/dbus/firewalld.conf.at
++++ b/src/tests/dbus/firewalld.conf.at
+@@ -3,7 +3,7 @@ FWD_START_TEST([firewalld.conf])
+ dnl Verify defaults over dbus. Should be inline with default firewalld.conf.
+ IF_HOST_SUPPORTS_NFT_FIB([
+ DBUS_GETALL([config], [config], 0, [dnl
+-string "AllowZoneDrifting" : variant string "no"
++string "AllowZoneDrifting" : variant string "yes"
+ string "AutomaticHelpers" : variant string "system"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+@@ -14,7 +14,7 @@ string "LogDenied" : variant string "off"
+ string "MinimalMark" : variant int32 100
+ ])], [
+ DBUS_GETALL([config], [config], 0, [dnl
+-string "AllowZoneDrifting" : variant string "no"
++string "AllowZoneDrifting" : variant string "yes"
+ string "AutomaticHelpers" : variant string "system"
+ string "CleanupOnExit" : variant string "no"
+ string "DefaultZone" : variant string "public"
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index d663716cb138..b9e44cea8d49 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -144,6 +144,7 @@ m4_define([FWD_END_TEST], [
+ sed -i "/WARNING: ip6tables not usable, disabling IPv6 firewall/d" ./firewalld.log
+ ])
+ sed -i "/modprobe: ERROR:/d" ./firewalld.log
++ sed -i "/WARNING: 
AllowZoneDrifting is enabled./d" ./firewalld.log
+ if test x"$1" != x"ignore"; then
+ if test -n "$1"; then
+ sed -i $1 ./firewalld.log
+diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
+index ff2ede2ece71..7f061d86c2f1 100644
+--- a/src/tests/regression/rhbz1514043.at
++++ b/src/tests/regression/rhbz1514043.at
+@@ -1,4 +1,9 @@
+ FWD_START_TEST([--set-log-denied does not zero config])
++
++dnl Expected test results assume this is set to "no"
++AT_CHECK([sed -i 's/^AllowZoneDrifting.*/AllowZoneDrifting=no/' ./firewalld.conf])
++FWD_RELOAD
++
+ FWD_CHECK([-q --set-log-denied=all])
+ FWD_CHECK([-q --permanent --zone=public --add-service=samba])
+ FWD_RELOAD
+-- 
+2.23.0
+
diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec
index c66783f..81d4eb4 100644
--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@@ -8,7 +8,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.6.3
-Release: 8%{?dist}
+Release: 8%{?dist}.1
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
@@ -133,6 +133,11 @@ Patch119: 0119-fix-tests-convert-probe-of-nft-numeric-args-to-runti.patch
 Patch120: 0120-fix-tests-convert-ip6tables-checks-to-runtime.patch
 Patch121: 0121-fix-tests-convert-host-ipv6-checks-to-runtime.patch
 Patch122: 0122-chore-tests-rename-IF_IPV6_SUPPORTED-to-IF_HOST_SUPP.patch
+Patch123: 0123-feat-AllowZoneDrifting-config-option.patch
+Patch124: 0124-feat-nftables-support-AllowZoneDrifting-yes.patch
+Patch125: 0125-feat-ipXtables-support-AllowZoneDrifting-yes.patch
+Patch126: 0126-test-verify-AllowZoneDrifting-yes.patch
+Patch127: 0127-RHEL-only-default-to-AllowZoneDrifting-yes.patch
 BuildArch: noarch
 BuildRequires: desktop-file-utils
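Review bot: Flipping the default to `FALLBACK_ALLOW_ZONE_DRIFTING = True` in `src/firewall/config/__init__.py.in` and `AllowZoneDrifting=yes` in `config/firewalld.conf` makes the stock configuration a mode the daemon itself reports as "considered an insecure configuration option" (that warning text is visible in the `FWD_END_TEST` sed of the preceding test patch), yet the patch body gives no rationale beyond its subject line; the spec changelog's "firewalld not falling back to interface zone" belongs in the commit message and next to the setting, e.g. `# RHEL only: defaults to "yes" so packets still fall back to the interface zone; upstream defaults to "no".`. The `src/tests/functions.at` hunk then deletes that WARNING line from `firewalld.log` in every test, so no test can observe whether the warning is still emitted for the default configuration; scoping the sed to the tests that depend on the default, or keeping one test that asserts the line is present, would keep the warning covered. The `rhbz1514043.at` hunk already has to write `AllowZoneDrifting=no` back into `firewalld.conf` and reload before its expectations hold, which suggests other tests may be silently relying on the old default as well. The enclosing `FWD_END_TEST` m4 definition in `functions.at` continues outside the hunk.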
@@ -433,6 +438,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 %changelog
+* Thu Feb 13 2020 Eric Garver - 0.6.3-8.el7_8.1
+- fix: firewalld not falling back to interface zone
+
 * Fri Nov 08 2019 Eric Garver - 0.6.3-8
 - fix: failure to load modules no longer fatal