diff --git a/SOURCES/0044-fix-direct-removeRules-was-mistakenly-removing-all-r.patch b/SOURCES/0044-fix-direct-removeRules-was-mistakenly-removing-all-r.patch
new file mode 100644
index 0000000..afd1bb0
--- /dev/null
+++ b/SOURCES/0044-fix-direct-removeRules-was-mistakenly-removing-all-r.patch
@@ -0,0 +1,35 @@
+From 028e1c617b14cd67f025601f003aec63a75b3b1a Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 26 Jul 2019 13:32:44 -0400
+Subject: [PATCH 44/50] fix: direct: removeRules() was mistakenly removing all
+ rules
+
+Only remove the rules that match the specified criteria (ipv, table,
+chain).
+
+Fixes: #385
+Fixes: rhbz 1723610
+(cherry picked from commit 174005b15059db054b2f8dcf3b35c23fcbaf44ec)
+(cherry picked from commit 5b796871894bc2f4f973ef11dc9233b4d391dd63)
+---
+ src/firewall/server/config.py | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
+index 011052a9cabf..b2cebea9b4be 100644
+--- a/src/firewall/server/config.py
++++ b/src/firewall/server/config.py
+@@ -1367,7 +1367,9 @@ class FirewallDConfig(slip.dbus.service.Object):
+ (ipv, table, chain, ))
+ self.accessCheck(sender)
+ settings = list(self.getSettings())
+- settings[1] = []
++ for rule in settings[1]:
++ if (ipv, table, chain) == (rule[0], rule[1], rule[2]):
++ settings[1].remove(rule)
+ self.update(tuple(settings))
+
+ @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
+--
+2.23.0
+
diff --git a/SOURCES/0045-test-coverage-for-rhbz-1723610-and-gh-385.patch b/SOURCES/0045-test-coverage-for-rhbz-1723610-and-gh-385.patch
new file mode 100644
index 0000000..10975d5
--- /dev/null
+++ b/SOURCES/0045-test-coverage-for-rhbz-1723610-and-gh-385.patch
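Review bot: The loop added at `++ for rule in settings[1]:` removes items from the list it is iterating, so the element following each match is skipped and consecutive rules of the same (ipv, table, chain) survive the call; patch 0048 later in this commit iterates a slice copy (`settings[1][:]`) to work around that, but each `remove()` still rescans the list, so the method stays quadratic in the number of direct rules. Rebuilding the list avoids both the aliasing and the rescans in one line, assuming each rule is a sequence as the `rule[0]`/`rule[1]`/`rule[2]` indexing implies: `settings[1] = [rule for rule in settings[1] if (ipv, table, chain) != tuple(rule[:3])]`. The match is exact and case-sensitive, which is how iptables treats chain names, and a one-line comment saying so (`# exact, case-sensitive match: iptables chain names are case-sensitive`) would document why `input` and `INPUT` are different keys, a distinction the test series in this same commit had to correct. The enclosing removeRules() method starts and ends outside the hunk.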
@@ -0,0 +1,61 @@
+From 396591e003cd912f6f614c56fc26410a1e97f568 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 26 Jul 2019 08:26:50 -0400
+Subject: [PATCH 45/50] test: coverage for rhbz 1723610 and gh #385
+
+(cherry picked from commit 75fc4876dbfbdb1de09a67c48630fa8503ed152d)
+(cherry picked from commit 9657d72ece2631aaab1aa1030658babe77c7f921)
+---
+ src/tests/regression.at | 1 +
+ src/tests/regression/rhbz1723610.at | 30 +++++++++++++++++++++++++++++
+ 2 files changed, 31 insertions(+)
+ create mode 100644 src/tests/regression/rhbz1723610.at
+
+diff --git a/src/tests/regression.at b/src/tests/regression.at
+index bbfcb65fe6e9..b2c8ba799d56 100644
+--- a/src/tests/regression.at
++++ b/src/tests/regression.at
+@@ -17,3 +17,4 @@ m4_include([regression/rhbz1601610.at])
+ m4_include([regression/gh303.at])
+ m4_include([regression/gh335.at])
+ m4_include([regression/rhbz1715977.at])
++m4_include([regression/rhbz1723610.at])
+diff --git a/src/tests/regression/rhbz1723610.at b/src/tests/regression/rhbz1723610.at
+new file mode 100644
+index 000000000000..f020141e1808
+--- /dev/null
++++ b/src/tests/regression/rhbz1723610.at
+@@ -0,0 +1,30 @@
++FWD_START_TEST([direct remove-rules per family])
++AT_KEYWORDS(direct rhbz1723610 gh385)
++
++FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT])
++FWD_CHECK([--permanent --direct --get-all-rules], 0, [dnl
++ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
++])
++FWD_RELOAD
++FWD_CHECK([--direct --get-all-rules], 0, [dnl
++ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
++])
++
++FWD_CHECK([-q --permanent --direct --remove-rules ipv6 filter input])
++FWD_CHECK([-q --permanent --direct --remove-rules ipv4 filter INPUT])
++FWD_CHECK([--permanent --direct --get-all-rules], 0, [dnl
++ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
++])
++FWD_RELOAD
++FWD_CHECK([--direct --get-all-rules], 0, [dnl
++ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
++])
++FWD_CHECK([-q --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
++FWD_CHECK([-q --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
++FWD_CHECK([-q --direct --remove-rules ipv4 filter OUTPUT])
++FWD_CHECK([--direct --get-all-rules], 0, [dnl
++ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
++ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
++])
++
++FWD_END_TEST
+--
+2.23.0
+
diff --git a/SOURCES/0046-fix-tests-regression-rhbz1723610-make-output-reliabl.patch b/SOURCES/0046-fix-tests-regression-rhbz1723610-make-output-reliabl.patch
new file mode 100644
index 0000000..c73299d
--- /dev/null
+++ b/SOURCES/0046-fix-tests-regression-rhbz1723610-make-output-reliabl.patch
@@ -0,0 +1,33 @@
+From bb91a06a2f009f469d455523ff4f133a3c724b64 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 26 Jul 2019 13:56:54 -0400
+Subject: [PATCH 46/50] fix: tests/regression/rhbz1723610: make output reliable
+
+The rule listing is unordered, so lets make it reliable.
+
+Fixes: 75fc4876dbfb ("test: coverage for rhbz 1723610 and gh #385")
+(cherry picked from commit 645fc816c09d2d5f767fcecf4bea3d61219780e9)
+(cherry picked from commit c8b851866fd7a5731c9f2ef66f0052ac5e7d0497)
+---
+ src/tests/regression/rhbz1723610.at | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/tests/regression/rhbz1723610.at b/src/tests/regression/rhbz1723610.at
+index f020141e1808..3eccc0436ed7 100644
+--- a/src/tests/regression/rhbz1723610.at
++++ b/src/tests/regression/rhbz1723610.at
+@@ -19,11 +19,9 @@ FWD_RELOAD
+ FWD_CHECK([--direct --get-all-rules], 0, [dnl
+ ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+ ])
+-FWD_CHECK([-q --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
+ FWD_CHECK([-q --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
+ FWD_CHECK([-q --direct --remove-rules ipv4 filter OUTPUT])
+ FWD_CHECK([--direct --get-all-rules], 0, [dnl
+-ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
+ ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
+ ])
+
+--
+2.23.0
+
diff --git a/SOURCES/0047-fix-tests-regression-rhbz1723610-avoid-calling-IPv6-.patch b/SOURCES/0047-fix-tests-regression-rhbz1723610-avoid-calling-IPv6-.patch
new file mode 100644
index 0000000..7cc7cff
--- /dev/null
+++ b/SOURCES/0047-fix-tests-regression-rhbz1723610-avoid-calling-IPv6-.patch
@@ -0,0 +1,36 @@
+From 1032f4e815b296a7d0aa17363bf2693926095ef3 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 26 Jul 2019 14:17:28 -0400
+Subject: [PATCH 47/50] fix: tests/regression/rhbz1723610: avoid calling IPv6
+ backend
+
+We support running without IPv6, so calling the backend in the test
+case.
+
+Fixes: 75fc4876dbfb ("test: coverage for rhbz 1723610 and gh #385")
+(cherry picked from commit 38978bfde28a3fea9fb4cc61d2bb30ee5474e341)
+(cherry picked from commit c4b3c7ef2d2136992cd745ef7157f20e0e385665)
+---
+ src/tests/regression/rhbz1723610.at | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tests/regression/rhbz1723610.at b/src/tests/regression/rhbz1723610.at
+index 3eccc0436ed7..35feed2bda9f 100644
+--- a/src/tests/regression/rhbz1723610.at
++++ b/src/tests/regression/rhbz1723610.at
+@@ -19,10 +19,10 @@ FWD_RELOAD
+ FWD_CHECK([--direct --get-all-rules], 0, [dnl
+ ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+ ])
+-FWD_CHECK([-q --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
++FWD_CHECK([-q --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
+ FWD_CHECK([-q --direct --remove-rules ipv4 filter OUTPUT])
+ FWD_CHECK([--direct --get-all-rules], 0, [dnl
+-ipv6 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
++ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
+ ])
+
+ FWD_END_TEST
+--
+2.23.0
+
diff --git a/SOURCES/0048-fix-direct-removeRules-not-removing-all-rules-in-cha.patch b/SOURCES/0048-fix-direct-removeRules-not-removing-all-rules-in-cha.patch
new file mode 100644
index 0000000..5b4c0f7
--- /dev/null
+++ b/SOURCES/0048-fix-direct-removeRules-not-removing-all-rules-in-cha.patch
@@ -0,0 +1,29 @@
+From a4f15aab7bbc9e4ea19682fc88b43e3501df58c7 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 30 Aug 2019 14:09:11 -0400
+Subject: [PATCH 48/50] fix: direct: removeRules() not removing all rules in
+ chain
+
+Fixes: 174005b15059 ("fix: direct: removeRules() was mistakenly removing all rules")
+(cherry picked from commit 083d6527ad9c60442e424172e223b65132bc6d17)
+(cherry picked from commit 55a639aed7a8b5f2d77d39b26dd78f51b20100ed)
+---
+ src/firewall/server/config.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/server/config.py b/src/firewall/server/config.py
+index b2cebea9b4be..cd640ba881ca 100644
+--- a/src/firewall/server/config.py
++++ b/src/firewall/server/config.py
+@@ -1367,7 +1367,7 @@ class FirewallDConfig(slip.dbus.service.Object):
+ (ipv, table, chain, ))
+ self.accessCheck(sender)
+ settings = list(self.getSettings())
+- for rule in settings[1]:
++ for rule in settings[1][:]:
+ if (ipv, table, chain) == (rule[0], rule[1], rule[2]):
+ settings[1].remove(rule)
+ self.update(tuple(settings))
+--
+2.23.0
+
diff --git a/SOURCES/0049-fix-tests-regression-rhbz1723610-better-coverage.patch b/SOURCES/0049-fix-tests-regression-rhbz1723610-better-coverage.patch
new file mode 100644
index 0000000..315b53a
--- /dev/null
+++ b/SOURCES/0049-fix-tests-regression-rhbz1723610-better-coverage.patch
@@ -0,0 +1,43 @@
+From 2c7f33521ce980647978e46e490cb776befc27c3 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Fri, 30 Aug 2019 13:58:54 -0400
+Subject: [PATCH 49/50] fix: tests/regression/rhbz1723610: better coverage
+
+Add more coverage to make sure all rules in the given chain are deleted.
+
+(cherry picked from commit 0220c8584512328104bfc816c2daaee2059f6a21)
+(cherry picked from commit a40aa5094387e457cfd4a789ef805dac46132b6e)
+---
+ src/tests/regression/rhbz1723610.at | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/regression/rhbz1723610.at b/src/tests/regression/rhbz1723610.at
+index 35feed2bda9f..70eb226cb6df 100644
+--- a/src/tests/regression/rhbz1723610.at
++++ b/src/tests/regression/rhbz1723610.at
+@@ -2,15 +2,21 @@ FWD_START_TEST([direct remove-rules per family])
+ AT_KEYWORDS(direct rhbz1723610 gh385)
+
+ FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT])
++FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT])
++FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT])
+ FWD_CHECK([--permanent --direct --get-all-rules], 0, [dnl
+ ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
++ipv4 filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
++ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT
+ ])
+ FWD_RELOAD
+ FWD_CHECK([--direct --get-all-rules], 0, [dnl
+ ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
++ipv4 filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
++ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT
+ ])
+
+-FWD_CHECK([-q --permanent --direct --remove-rules ipv6 filter input])
++FWD_CHECK([-q --permanent --direct --remove-rules ipv6 filter INPUT])
+ FWD_CHECK([-q --permanent --direct --remove-rules ipv4 filter INPUT])
+ FWD_CHECK([--permanent --direct --get-all-rules], 0, [dnl
+ ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+--
+2.23.0
+
diff --git a/SOURCES/0050-fix-tests-regression-rhbz1723610-make-deterministic.patch b/SOURCES/0050-fix-tests-regression-rhbz1723610-make-deterministic.patch
new file mode 100644
index 0000000..306bee6
--- /dev/null
+++ b/SOURCES/0050-fix-tests-regression-rhbz1723610-make-deterministic.patch
@@ -0,0 +1,70 @@
+From 7c06edce03bcf408a4aa6a9d64b17dafcb951224 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Tue, 3 Sep 2019 12:57:29 -0400
+Subject: [PATCH 50/50] fix: tests/regression/rhbz1723610: make deterministic
+
+Use --query-rule. The --get-all-rules output is not necessarily in any
+defined order.
+
+Fixes: 0220c8584512 ("fix: tests/regression/rhbz1723610: better coverage")
+(cherry picked from commit 441a4ef405b869b4c68bbbac21f001814578df08)
+(cherry picked from commit 3a634eb266f60bc8419f5e3d37abd425e2d4dff5)
+---
+ src/tests/regression/rhbz1723610.at | 35 +++++++++++++----------------
+ 1 file changed, 16 insertions(+), 19 deletions(-)
+
+diff --git a/src/tests/regression/rhbz1723610.at b/src/tests/regression/rhbz1723610.at
+index 70eb226cb6df..0d0810cc8623 100644
+--- a/src/tests/regression/rhbz1723610.at
++++ b/src/tests/regression/rhbz1723610.at
+@@ -4,31 +4,28 @@ AT_KEYWORDS(direct rhbz1723610 gh385)
+ FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT])
+ FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT])
+ FWD_CHECK([-q --permanent --direct --add-rule ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT])
+-FWD_CHECK([--permanent --direct --get-all-rules], 0, [dnl
+-ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+-ipv4 filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+-ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT
+-])
++FWD_CHECK([-q --permanent --direct --query-rule ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT], 0)
++FWD_CHECK([-q --permanent --direct --query-rule ipv4 filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT], 0)
++FWD_CHECK([-q --permanent --direct --query-rule ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT], 0)
+ FWD_RELOAD
+-FWD_CHECK([--direct --get-all-rules], 0, [dnl
+-ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+-ipv4 filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+-ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT
+-])
++FWD_CHECK([-q --direct --query-rule ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT], 0)
++FWD_CHECK([-q --direct --query-rule ipv4 filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT], 0)
++FWD_CHECK([-q --direct --query-rule ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT], 0)
+
+ FWD_CHECK([-q --permanent --direct --remove-rules ipv6 filter INPUT])
+ FWD_CHECK([-q --permanent --direct --remove-rules ipv4 filter INPUT])
+-FWD_CHECK([--permanent --direct --get-all-rules], 0, [dnl
+-ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+-])
++FWD_CHECK([-q --permanent --direct --query-rule ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT], 0)
++FWD_CHECK([-q --permanent --direct --query-rule ipv4 filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT], 1)
++FWD_CHECK([-q --permanent --direct --query-rule ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT], 1)
+ FWD_RELOAD
+-FWD_CHECK([--direct --get-all-rules], 0, [dnl
+-ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT
+-])
++FWD_CHECK([-q --direct --query-rule ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT], 0)
++FWD_CHECK([-q --direct --query-rule ipv4 filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT], 1)
++FWD_CHECK([-q --direct --query-rule ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT], 1)
+ FWD_CHECK([-q --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT])
+ FWD_CHECK([-q --direct --remove-rules ipv4 filter OUTPUT])
+-FWD_CHECK([--direct --get-all-rules], 0, [dnl
+-ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT
+-])
++FWD_CHECK([-q --direct --query-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j ACCEPT], 0)
++FWD_CHECK([-q --direct --query-rule ipv4 filter OUTPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT], 1)
++FWD_CHECK([-q --direct --query-rule ipv4
filter INPUT 0 -d 127.0.0.1 -p tcp --dport 22 -j ACCEPT], 1) ++FWD_CHECK([-q --direct --query-rule ipv4 filter INPUT 0 -d 127.0.0.2 -p tcp --dport 22 -j ACCEPT], 1) + + FWD_END_TEST +-- +2.23.0 + diff --git a/SPECS/firewalld.spec b/SPECS/firewalld.spec index 8756e09..e5e74f9 100644 --- a/SPECS/firewalld.spec +++ b/SPECS/firewalld.spec @@ -8,7 +8,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 0.6.3 -Release: 2%{?dist}.3 +Release: 2%{?dist}.4 URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -55,6 +55,13 @@ Patch40: 0040-fix-Revert-ebtables-drop-support-for-broute-table.patch Patch41: 0041-fix-ebtables-don-t-use-tables-that-aren-t-available.patch Patch42: 0042-fix-rich-rule-destination-with-services.patch Patch43: 0043-test-coverage-for-rhbz-1715977.patch +Patch44: 0044-fix-direct-removeRules-was-mistakenly-removing-all-r.patch +Patch45: 0045-test-coverage-for-rhbz-1723610-and-gh-385.patch +Patch46: 0046-fix-tests-regression-rhbz1723610-make-output-reliabl.patch +Patch47: 0047-fix-tests-regression-rhbz1723610-avoid-calling-IPv6-.patch +Patch48: 0048-fix-direct-removeRules-not-removing-all-rules-in-cha.patch +Patch49: 0049-fix-tests-regression-rhbz1723610-better-coverage.patch +Patch50: 0050-fix-tests-regression-rhbz1723610-make-deterministic.patch BuildArch: noarch BuildRequires: desktop-file-utils @@ -355,6 +362,9 @@ fi %{_mandir}/man1/firewall-config*.1* %changelog +* Tue Jan 28 2020 Eric Garver - 0.6.3-2.el7_7.4 +- fix: direct: removeRules() was mistakenly removing all rules + * Thu Jan 16 2020 Eric Garver - 0.6.3-2.el7_7.3 - fix: rich rule destination with services