Sorry, forgot to attach the actual files.
diff --git a/src/firewall-applet b/src/firewall-applet
index 52f4544f..a4ece273 100755
--- a/src/firewall-applet
+++ b/src/firewall-applet
@@ -1,4 +1,4 @@
-#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python
+#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2015 Red Hat, Inc.
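Review bot: The new shebang `#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python` points at a CI-host interpreter that will not exist on a target system, which suggests this debdiff captured the generated `src/firewall-applet` rather than only its `.in` template (the `firewall-applet.in` section below has no shebang hunk, consistent with that). The same dead interpreter path is introduced in the shebang hunks of src/firewall-cmd, src/firewall-config, src/firewall-offline-cmd and src/firewalld. Those generated scripts should be dropped from the patch and regenerated at package build time with the substitution the build normally applies, so the package does not ship scripts that fail at exec with "no such file" for the interpreter.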
@@ -20,15 +20,21 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import sys
-from PyQt5 import QtGui, QtCore, QtWidgets
+try:
+ from PyQt6 import QtGui, QtCore, QtWidgets
+ from PyQt6.QtGui import QAction
+ from dbus.mainloop.pyqt6 import DBusQtMainLoop
+except (ImportError, ModuleNotFoundError):
+ from PyQt5 import QtGui, QtCore, QtWidgets
+ from PyQt5.QtWidgets import QAction
+ from dbus.mainloop.pyqt5 import DBusQtMainLoop
import gi
gi.require_version('Notify', '0.7')
from gi.repository import Notify
+import sys
import os
-from dbus.mainloop.pyqt5 import DBusQtMainLoop
import functools
from firewall import config
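Review bot: `ModuleNotFoundError` is a subclass of `ImportError`, so the added fallback line can simply read `except ImportError:`. The try block also means a host that has PyQt6 but lacks `dbus.mainloop.pyqt6` silently falls back to the whole PyQt5 stack, which is presumably intended but deserves a one-line comment above the `try:`, e.g. `# prefer PyQt6; fall back to the complete PyQt5 stack if any part of PyQt6 is missing`. The identical hunk appears in src/firewall-applet.in.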
@@ -58,7 +64,9 @@ def search_app(app):
return None
NM_CONNECTION_EDITOR = ""
-for binary in [ "/usr/bin/nm-connection-editor",
+for binary in [ "/usr/bin/systemsettings",
+ "/bin/systemsettings",
+ "/usr/bin/nm-connection-editor",
"/bin/nm-connection-editor",
"/usr/bin/kde5-nm-connection-editor",
"/bin/kde5-nm-connection-editor",
@@ -102,9 +110,9 @@ class ZoneInterfaceEditor(QtWidgets.QDialog):
self.fill_zone_combo()
vbox.addWidget(self.combo)
- buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok
- | QtWidgets.QDialogButtonBox.Cancel)
- self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok)
+ buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok
+ | QtWidgets.QDialogButtonBox.StandardButton.Cancel)
+ self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok)
buttonBox.accepted.connect(self.ok)
buttonBox.rejected.connect(self.hide)
vbox.addWidget(buttonBox)
@@ -252,9 +260,9 @@ class ShieldsEditor(QtWidgets.QDialog):
vbox.addLayout(grid)
- buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok
- | QtWidgets.QDialogButtonBox.Cancel)
- self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok)
+ buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok
+ | QtWidgets.QDialogButtonBox.StandardButton.Cancel)
+ self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok)
buttonBox.accepted.connect(self.ok)
buttonBox.rejected.connect(self.hide)
vbox.addWidget(buttonBox)
@@ -357,8 +365,8 @@ class AboutDialog(QtWidgets.QDialog):
vbox2.addWidget(QtWidgets.QLabel(version))
label = QtWidgets.QLabel("<a href=\"%s\">%s</a>" % (url, url))
- label.setTextFormat(QtCore.Qt.RichText)
- label.setTextInteractionFlags(QtCore.Qt.TextBrowserInteraction)
+ label.setTextFormat(QtCore.Qt.TextFormat.RichText)
+ label.setTextInteractionFlags(QtCore.Qt.TextInteractionFlag.TextBrowserInteraction)
label.setOpenExternalLinks(True)
vbox2.addWidget(label)
@@ -394,7 +402,7 @@ class AboutDialog(QtWidgets.QDialog):
vbox.addWidget(tabs)
- buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Close)
+ buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Close)
buttonBox.rejected.connect(self.hide)
vbox.addWidget(buttonBox)
@@ -452,47 +460,47 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
# urgencies
- self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.NoIcon,
- "information": QtWidgets.QSystemTrayIcon.Information,
- "warning": QtWidgets.QSystemTrayIcon.Warning,
- "critical": QtWidgets.QSystemTrayIcon.Critical }
+ self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.MessageIcon.NoIcon,
+ "information": QtWidgets.QSystemTrayIcon.MessageIcon.Information,
+ "warning": QtWidgets.QSystemTrayIcon.MessageIcon.Warning,
+ "critical": QtWidgets.QSystemTrayIcon.MessageIcon.Critical }
# actions
- self.shieldsupAction = QtWidgets.QAction(escape(_("Shields Up")),
+ self.shieldsupAction = QAction(escape(_("Shields Up")),
self)
self.shieldsupAction.setCheckable(True)
self.shieldsupAction.setChecked(False)
self.shieldsupAction.triggered.connect(self.shieldsup_changed_cb)
- self.notificationsAction = QtWidgets.QAction(
+ self.notificationsAction = QAction(
escape(_("Enable Notifications")), self)
self.notificationsAction.setCheckable(True)
self.notificationsAction.setChecked(False)
self.notificationsAction.triggered.connect(self.notification_changed_cb)
- self.settingsAction = QtWidgets.QAction(
+ self.settingsAction = QAction(
escape(_("Edit Firewall Settings...")), self)
self.settingsAction.triggered.connect(self.configure_cb)
- self.changeZonesAction = QtWidgets.QAction(
+ self.changeZonesAction = QAction(
escape(_("Change Zones of Connections...")), self)
self.changeZonesAction.triggered.connect(self.nm_connection_editor)
- self.shieldsAction = QtWidgets.QAction(
+ self.shieldsAction = QAction(
escape(_("Configure Shields UP/Down Zones...")), self)
self.shieldsAction.triggered.connect(self.configure_shields)
- self.panicAction = QtWidgets.QAction(
+ self.panicAction = QAction(
escape(_("Block all network traffic")), self)
self.panicAction.setCheckable(True)
self.panicAction.setChecked(False)
self.panicAction.triggered.connect(self.panic_mode_cb)
- self.aboutAction = QtWidgets.QAction(escape(_("About")), self)
- self.aboutAction.triggered.connect(self.about_dialog.exec_)
+ self.aboutAction = QAction(escape(_("About")), self)
+ self.aboutAction.triggered.connect(self.about_dialog.exec)
- #self.quitAction = QtWidgets.QAction(escape(_("Quit")), self,
+ #self.quitAction = QAction(escape(_("Quit")), self,
# triggered=self.quit)
self.connectionsAction = QtWidgets.QWidgetAction(self)
@@ -682,12 +690,12 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
connection_name = connections[connection][1]
if zone == "":
_binding = _("{entry} (Default Zone: {default_zone})")
- action = QtWidgets.QAction(
+ action = QAction(
escape(
_binding.format(default_zone=self.default_zone,
entry=connection_name)), self)
else:
- action = QtWidgets.QAction(
+ action = QAction(
escape(binding.format(zone=zone, entry=connection_name)), self)
action.triggered.connect(functools.partial(
self.zone_connection_editor, connection, connection_name, zone))
@@ -699,7 +707,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
# add other interfaces
for interface in sorted(interfaces):
zone = interfaces[interface]
- action = QtWidgets.QAction(
+ action = QAction(
escape(binding.format(zone=zone, entry=interface)), self)
action.triggered.connect(functools.partial(
self.zone_interface_editor, interface, zone))
@@ -710,7 +718,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
for source in sorted(sources):
zone = sources[source]
- action = QtWidgets.QAction(
+ action = QAction(
escape(binding.format(zone=zone, entry=source)), self)
action.triggered.connect(functools.partial(
self.zone_source_editor, source, zone))
@@ -920,12 +928,17 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
return
if uuid:
- if "kde-" in NM_CONNECTION_EDITOR:
+ if "systemsettings" in NM_CONNECTION_EDITOR:
+ os.system("%s kcm_networkmanagement --args Uuid=%s &" % (NM_CONNECTION_EDITOR, uuid))
+ elif "kde-" in NM_CONNECTION_EDITOR:
os.system("%s %s &" % (NM_CONNECTION_EDITOR, uuid))
else:
os.system("%s --edit=%s &" % (NM_CONNECTION_EDITOR, uuid))
else:
- os.system("%s &" % NM_CONNECTION_EDITOR)
+ if "systemsettings" in NM_CONNECTION_EDITOR:
+ os.system("%s kcm_networkmanagement &" % NM_CONNECTION_EDITOR)
+ else:
+ os.system("%s &" % NM_CONNECTION_EDITOR)
def warning(self, text):
QtWidgets.QMessageBox.warning(None, escape(self.name), text)
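Review bot: The new systemsettings branch interpolates `uuid` into a shell command line handed to `os.system`, as the pre-existing kde- and nm-connection-editor branches already do; the UUID comes from the selected connection's data and is not validated here, so anything the shell treats specially in it would be interpreted rather than passed through. Since the commit adds a new launch path anyway, this is the point at which to pass an argv list without a shell, which also removes the trailing `&` trick; `subprocess` would need to be imported at the top of the file, outside this hunk. The same hunk appears in src/firewall-applet.in. The enclosing method starts outside the hunk.

```python
if uuid:
    if "systemsettings" in NM_CONNECTION_EDITOR:
        args = [NM_CONNECTION_EDITOR, "kcm_networkmanagement", "--args", "Uuid=%s" % uuid]
    elif "kde-" in NM_CONNECTION_EDITOR:
        args = [NM_CONNECTION_EDITOR, uuid]
    else:
        args = [NM_CONNECTION_EDITOR, "--edit=%s" % uuid]
else:
    if "systemsettings" in NM_CONNECTION_EDITOR:
        args = [NM_CONNECTION_EDITOR, "kcm_networkmanagement"]
    else:
        args = [NM_CONNECTION_EDITOR]
# argv list, no shell: the UUID travels as one argument instead of being
# spliced into a command line; not waiting on the Popen keeps the editor
# running in the background as the trailing '&' did.
subprocess.Popen(args)
```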
@@ -1119,4 +1132,4 @@ app.setQuitOnLastWindowClosed(False)
applet = TrayApplet()
applet.show()
-sys.exit(app.exec_())
+sys.exit(app.exec())
diff --git a/src/firewall-applet.in b/src/firewall-applet.in
index 894ab05b..7176e1c0 100755
--- a/src/firewall-applet.in
+++ b/src/firewall-applet.in
@@ -20,15 +20,21 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import sys
-from PyQt5 import QtGui, QtCore, QtWidgets
+try:
+ from PyQt6 import QtGui, QtCore, QtWidgets
+ from PyQt6.QtGui import QAction
+ from dbus.mainloop.pyqt6 import DBusQtMainLoop
+except (ImportError, ModuleNotFoundError):
+ from PyQt5 import QtGui, QtCore, QtWidgets
+ from PyQt5.QtWidgets import QAction
+ from dbus.mainloop.pyqt5 import DBusQtMainLoop
import gi
gi.require_version('Notify', '0.7')
from gi.repository import Notify
+import sys
import os
-from dbus.mainloop.pyqt5 import DBusQtMainLoop
import functools
from firewall import config
@@ -58,7 +64,9 @@ def search_app(app):
return None
NM_CONNECTION_EDITOR = ""
-for binary in [ "/usr/bin/nm-connection-editor",
+for binary in [ "/usr/bin/systemsettings",
+ "/bin/systemsettings",
+ "/usr/bin/nm-connection-editor",
"/bin/nm-connection-editor",
"/usr/bin/kde5-nm-connection-editor",
"/bin/kde5-nm-connection-editor",
@@ -102,9 +110,9 @@ class ZoneInterfaceEditor(QtWidgets.QDialog):
self.fill_zone_combo()
vbox.addWidget(self.combo)
- buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok
- | QtWidgets.QDialogButtonBox.Cancel)
- self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok)
+ buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok
+ | QtWidgets.QDialogButtonBox.StandardButton.Cancel)
+ self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok)
buttonBox.accepted.connect(self.ok)
buttonBox.rejected.connect(self.hide)
vbox.addWidget(buttonBox)
@@ -252,9 +260,9 @@ class ShieldsEditor(QtWidgets.QDialog):
vbox.addLayout(grid)
- buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok
- | QtWidgets.QDialogButtonBox.Cancel)
- self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok)
+ buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok
+ | QtWidgets.QDialogButtonBox.StandardButton.Cancel)
+ self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok)
buttonBox.accepted.connect(self.ok)
buttonBox.rejected.connect(self.hide)
vbox.addWidget(buttonBox)
@@ -357,8 +365,8 @@ class AboutDialog(QtWidgets.QDialog):
vbox2.addWidget(QtWidgets.QLabel(version))
label = QtWidgets.QLabel("<a href=\"%s\">%s</a>" % (url, url))
- label.setTextFormat(QtCore.Qt.RichText)
- label.setTextInteractionFlags(QtCore.Qt.TextBrowserInteraction)
+ label.setTextFormat(QtCore.Qt.TextFormat.RichText)
+ label.setTextInteractionFlags(QtCore.Qt.TextInteractionFlag.TextBrowserInteraction)
label.setOpenExternalLinks(True)
vbox2.addWidget(label)
@@ -394,7 +402,7 @@ class AboutDialog(QtWidgets.QDialog):
vbox.addWidget(tabs)
- buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Close)
+ buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Close)
buttonBox.rejected.connect(self.hide)
vbox.addWidget(buttonBox)
@@ -452,47 +460,47 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
# urgencies
- self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.NoIcon,
- "information": QtWidgets.QSystemTrayIcon.Information,
- "warning": QtWidgets.QSystemTrayIcon.Warning,
- "critical": QtWidgets.QSystemTrayIcon.Critical }
+ self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.MessageIcon.NoIcon,
+ "information": QtWidgets.QSystemTrayIcon.MessageIcon.Information,
+ "warning": QtWidgets.QSystemTrayIcon.MessageIcon.Warning,
+ "critical": QtWidgets.QSystemTrayIcon.MessageIcon.Critical }
# actions
- self.shieldsupAction = QtWidgets.QAction(escape(_("Shields Up")),
+ self.shieldsupAction = QAction(escape(_("Shields Up")),
self)
self.shieldsupAction.setCheckable(True)
self.shieldsupAction.setChecked(False)
self.shieldsupAction.triggered.connect(self.shieldsup_changed_cb)
- self.notificationsAction = QtWidgets.QAction(
+ self.notificationsAction = QAction(
escape(_("Enable Notifications")), self)
self.notificationsAction.setCheckable(True)
self.notificationsAction.setChecked(False)
self.notificationsAction.triggered.connect(self.notification_changed_cb)
- self.settingsAction = QtWidgets.QAction(
+ self.settingsAction = QAction(
escape(_("Edit Firewall Settings...")), self)
self.settingsAction.triggered.connect(self.configure_cb)
- self.changeZonesAction = QtWidgets.QAction(
+ self.changeZonesAction = QAction(
escape(_("Change Zones of Connections...")), self)
self.changeZonesAction.triggered.connect(self.nm_connection_editor)
- self.shieldsAction = QtWidgets.QAction(
+ self.shieldsAction = QAction(
escape(_("Configure Shields UP/Down Zones...")), self)
self.shieldsAction.triggered.connect(self.configure_shields)
- self.panicAction = QtWidgets.QAction(
+ self.panicAction = QAction(
escape(_("Block all network traffic")), self)
self.panicAction.setCheckable(True)
self.panicAction.setChecked(False)
self.panicAction.triggered.connect(self.panic_mode_cb)
- self.aboutAction = QtWidgets.QAction(escape(_("About")), self)
- self.aboutAction.triggered.connect(self.about_dialog.exec_)
+ self.aboutAction = QAction(escape(_("About")), self)
+ self.aboutAction.triggered.connect(self.about_dialog.exec)
- #self.quitAction = QtWidgets.QAction(escape(_("Quit")), self,
+ #self.quitAction = QAction(escape(_("Quit")), self,
# triggered=self.quit)
self.connectionsAction = QtWidgets.QWidgetAction(self)
@@ -682,12 +690,12 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
connection_name = connections[connection][1]
if zone == "":
_binding = _("{entry} (Default Zone: {default_zone})")
- action = QtWidgets.QAction(
+ action = QAction(
escape(
_binding.format(default_zone=self.default_zone,
entry=connection_name)), self)
else:
- action = QtWidgets.QAction(
+ action = QAction(
escape(binding.format(zone=zone, entry=connection_name)), self)
action.triggered.connect(functools.partial(
self.zone_connection_editor, connection, connection_name, zone))
@@ -699,7 +707,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
# add other interfaces
for interface in sorted(interfaces):
zone = interfaces[interface]
- action = QtWidgets.QAction(
+ action = QAction(
escape(binding.format(zone=zone, entry=interface)), self)
action.triggered.connect(functools.partial(
self.zone_interface_editor, interface, zone))
@@ -710,7 +718,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
for source in sorted(sources):
zone = sources[source]
- action = QtWidgets.QAction(
+ action = QAction(
escape(binding.format(zone=zone, entry=source)), self)
action.triggered.connect(functools.partial(
self.zone_source_editor, source, zone))
@@ -920,12 +928,17 @@ class TrayApplet(QtWidgets.QSystemTrayIcon):
return
if uuid:
- if "kde-" in NM_CONNECTION_EDITOR:
+ if "systemsettings" in NM_CONNECTION_EDITOR:
+ os.system("%s kcm_networkmanagement --args Uuid=%s &" % (NM_CONNECTION_EDITOR, uuid))
+ elif "kde-" in NM_CONNECTION_EDITOR:
os.system("%s %s &" % (NM_CONNECTION_EDITOR, uuid))
else:
os.system("%s --edit=%s &" % (NM_CONNECTION_EDITOR, uuid))
else:
- os.system("%s &" % NM_CONNECTION_EDITOR)
+ if "systemsettings" in NM_CONNECTION_EDITOR:
+ os.system("%s kcm_networkmanagement &" % NM_CONNECTION_EDITOR)
+ else:
+ os.system("%s &" % NM_CONNECTION_EDITOR)
def warning(self, text):
QtWidgets.QMessageBox.warning(None, escape(self.name), text)
@@ -1119,4 +1132,4 @@ app.setQuitOnLastWindowClosed(False)
applet = TrayApplet()
applet.show()
-sys.exit(app.exec_())
+sys.exit(app.exec())
diff --git a/src/firewall-cmd b/src/firewall-cmd
index 51b7badf..9e03a51c 100755
--- a/src/firewall-cmd
+++ b/src/firewall-cmd
@@ -1,4 +1,4 @@
-#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python
+#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2009-2016 Red Hat, Inc.
diff --git a/src/firewall-config b/src/firewall-config
index b91d1f12..1fb26934 100755
--- a/src/firewall-config
+++ b/src/firewall-config
@@ -1,4 +1,4 @@
-#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python
+#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2011-2015 Red Hat, Inc.
@@ -3750,7 +3750,8 @@ class FirewallConfig(object):
or self.richRuleDialogDestinationInvertCheck.get_active()):
rule.destination = rich.Rich_Destination(
self.richRuleDialogDestinationChooser.get_text(),
- self.richRuleDialogDestinationInvertCheck.get_active())
+ None,
+ invert=self.richRuleDialogDestinationInvertCheck.get_active())
# log
if self.richRuleDialogLogCheck.is_sensitive() and \
diff --git a/src/firewall-config.in b/src/firewall-config.in
index 29d4d667..8aa58394 100755
--- a/src/firewall-config.in
+++ b/src/firewall-config.in
@@ -3750,7 +3750,8 @@ class FirewallConfig(object):
or self.richRuleDialogDestinationInvertCheck.get_active()):
rule.destination = rich.Rich_Destination(
self.richRuleDialogDestinationChooser.get_text(),
- self.richRuleDialogDestinationInvertCheck.get_active())
+ None,
+ invert=self.richRuleDialogDestinationInvertCheck.get_active())
# log
if self.richRuleDialogLogCheck.is_sensitive() and \
diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd
index b333598a..1483aac5 100755
--- a/src/firewall-offline-cmd
+++ b/src/firewall-offline-cmd
@@ -1,4 +1,4 @@
-#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python
+#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2009-2016 Red Hat, Inc.
diff --git a/src/firewall/config/__init__.py b/src/firewall/config/__init__.py
index 602b226a..8f709337 100644
--- a/src/firewall/config/__init__.py
+++ b/src/firewall/config/__init__.py
@@ -40,7 +40,7 @@ APPLET_NAME = 'firewall-applet'
DATADIR = '/usr/share/' + DAEMON_NAME
CONFIG_GLADE_NAME = CONFIG_NAME + '.glade'
COPYRIGHT = '(C) 2010-2017 Red Hat, Inc.'
-VERSION = '1.3.0'
+VERSION = '1.3.3'
AUTHORS = [
"Thomas Woerner <twoerner@redhat.com>",
"Jiri Popelka <jpopelka@redhat.com>",
diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
index 14180e45..e9db1c6f 100644
--- a/src/firewall/core/fw.py
+++ b/src/firewall/core/fw.py
@@ -1095,6 +1095,7 @@ class Firewall(object):
_omit_native_ipset = self.ipset.omit_native_ipset()
# must stash this. The value may change after _start()
+ old_firewall_backend = self._firewall_backend
flush_all = self._flush_all_on_reload
if not flush_all:
@@ -1114,6 +1115,7 @@ class Firewall(object):
self.set_policy("DROP")
# stop
+ self.flush()
self.cleanup()
start_exception = None
@@ -1196,6 +1198,19 @@ class Firewall(object):
if not self._panic:
self.set_policy("ACCEPT")
+ # If the FirewallBackend changed, then we must also cleanup the policy
+ # for the old backend that was set to DROP above.
+ if not self._panic and old_firewall_backend != self._firewall_backend:
+ if old_firewall_backend == "nftables":
+ for rule in self.nftables_backend.build_set_policy_rules("ACCEPT"):
+ self.nftables_backend.set_rule(rule, self._log_denied)
+ else:
+ for rule in self.ip4tables_backend.build_set_policy_rules("ACCEPT"):
+ self.ip4tables_backend.set_rule(rule, self._log_denied)
+ if self.ip6tables_enabled:
+ for rule in self.ip6tables_backend.build_set_policy_rules("ACCEPT"):
+ self.ip6tables_backend.set_rule(rule, self._log_denied)
+
if start_exception:
self._state = "FAILED"
raise start_exception
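Review bot: The old-backend ACCEPT block is placed before the `if start_exception:` check that follows it, so a reload that switches backends and then fails to start still sets the old backend's policy chains to ACCEPT while the daemon enters FAILED. That mirrors the existing `set_policy("ACCEPT")` just above it, so it is presumably deliberate, but it is a fail-open path and should be recorded: `# NOTE: runs even when start_exception is set, mirroring set_policy("ACCEPT") above`. The `else` branch also silently assumes the only non-nftables value of `old_firewall_backend` is the iptables backend; a short comment such as `# old backend was iptables: reset ip4tables and, if enabled, ip6tables` would make that explicit. The enclosing method starts outside the hunk; `old_firewall_backend` is stashed in an earlier hunk of this file.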
diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
index 0e38dd47..9ff8f500 100644
--- a/src/firewall/core/fw_nm.py
+++ b/src/firewall/core/fw_nm.py
@@ -186,6 +186,22 @@ def nm_get_interfaces_in_zone(zone):
return interfaces
+def nm_get_device_by_ip_iface(interface):
+ """Get device from NM which has the given IP interface
+ @param interface name
+ @returns NM.Device instance or None
+ """
+ check_nm_imported()
+
+ for device in nm_get_client().get_devices():
+ ip_iface = device.get_ip_iface()
+ if ip_iface is None:
+ continue
+ if ip_iface == interface:
+ return device
+
+ return None
+
def nm_get_connection_of_interface(interface):
"""Get connection from NM that is using the interface
@param interface name
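Review bot: In the new `nm_get_device_by_ip_iface`, the `ip_iface is None` guard changes the result only when `interface` is itself `None` (otherwise `None == interface` is already false), so the intent deserves a comment, e.g. `# devices without an IP interface never match, even when interface is None`, or an early `if not interface: return None`. The function returns the first device whose IP interface matches; the docstring could state that when several devices report the same IP interface, the first one returned by NM wins.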
@@ -193,7 +209,7 @@ def nm_get_connection_of_interface(interface):
"""
check_nm_imported()
- device = nm_get_client().get_device_by_iface(interface)
+ device = nm_get_device_by_ip_iface(interface)
if device is None:
return None
diff --git a/src/firewall/core/fw_policy.py b/src/firewall/core/fw_policy.py
index 0f86695d..ff6ac07a 100644
--- a/src/firewall/core/fw_policy.py
+++ b/src/firewall/core/fw_policy.py
@@ -1327,7 +1327,21 @@ class FirewallPolicy(object):
"ipset '%s' with type '%s' not usable as source" % \
(name, _type))
- def _rule_prepare(self, enable, policy, rule, transaction):
+ def _rule_prepare(self, enable, policy, rule, transaction, included_services=None):
+ # First apply any services this service may include
+ if type(rule.element) == Rich_Service:
+ svc = self._fw.service.get_service(rule.element.name)
+ if included_services is None:
+ included_services = [rule.element.name]
+ for include in svc.includes:
+ if include in included_services:
+ continue
+ self.check_service(include)
+ included_services.append(include)
+ _rule = copy.deepcopy(rule)
+ _rule.element.name = include
+ self._rule_prepare(enable, policy, _rule, transaction, included_services=included_services)
+
ipvs = []
if rule.family:
ipvs = [ rule.family ]
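Review bot: `type(rule.element) == Rich_Service` on the first added line should be `isinstance(rule.element, Rich_Service)`, and the new `included_services` parameter is undocumented even though it doubles as the visited set that makes mutually including services terminate. Suggest a docstring on the method stating that `included_services` accumulates every service name already prepared in this call chain, that the top-level call seeds it with the rule's own service, and that each include is prepared as a deep copy of the rule with only `element.name` replaced. `copy.deepcopy` and `Rich_Service` must already be in scope in this module; the imports are outside the diff, so that cannot be confirmed here. The remainder of `_rule_prepare` continues past the hunk.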
@@ -1806,8 +1820,7 @@ class FirewallPolicy(object):
elif "ANY" in obj.ingress_zones:
# any --> zone
return [("nat", "POSTROUTING")]
- else:
- return FirewallError("Invalid policy: %s" % (policy))
+ raise FirewallError(errors.INVALID_POLICY, "Invalid policy: %s" % (policy))
def policy_base_chain_name(self, policy, table, policy_prefix, isSNAT=False):
obj = self._fw.policy.get_policy(policy)
@@ -1865,4 +1878,4 @@ class FirewallPolicy(object):
return "PRE_" + suffix
elif table in ["mangle", "raw"]:
return "PRE_" + suffix
- return FirewallError("Can't convert policy to chain name: %s, %s, %s" % (policy, table, isSNAT))
+ raise FirewallError(errors.INVALID_POLICY, "Can't convert policy to chain name: %s, %s, %s" % (policy, table, isSNAT))
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 0dfb3609..cdf08089 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -845,7 +845,7 @@ class FirewallZone(object):
elif rule.element is None:
return [self.policy_name_from_zones(zone, "HOST")]
else:
- raise FirewallError("Rich rule type (%s) not handled." % (type(rule.element)))
+ raise FirewallError(errors.INVALID_RULE, "Rich rule type (%s) not handled." % (type(rule.element)))
def add_rule(self, zone, rule, timeout=0, sender=None):
for p_name in self._rich_rule_to_policies(zone, rule):
diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
index 66d4b9ec..0a24e0f6 100644
--- a/src/firewall/core/io/policy.py
+++ b/src/firewall/core/io/policy.py
@@ -109,7 +109,7 @@ def common_startElement(obj, name, attrs):
obj._rule_error = True
return True
_value="pmtu"
- if "value" in attrs:
+ if "value" in attrs and attrs["value"] not in [None, "None"]:
_value = attrs["value"]
obj._rule.element = rich.Rich_Tcp_Mss_Clamp(_value)
else:
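Review bot: The reader now treats the literal string `"None"` as an absent value on the changed `if`, but nothing says why; presumably earlier versions wrote `str(None)` into the `value` attribute of `tcp-mss-clamp` and existing files still contain it. A comment on the condition such as `# "None": compat with files written before a missing value was omitted` would keep the next maintainer from removing it, and `(None, "None")` is the idiomatic membership literal. The enclosing function starts outside the hunk.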
@@ -591,7 +591,8 @@ def common_writer(obj, handler):
attrs["value"] = rule.element.value
elif type(rule.element) == rich.Rich_Tcp_Mss_Clamp:
element = "tcp-mss-clamp"
- attrs["value"] = rule.element.value
+ if rule.element.value and rule.element.value != "pmtu":
+ attrs["value"] = rule.element.value
elif type(rule.element) == rich.Rich_Masquerade:
element = "masquerade"
elif type(rule.element) == rich.Rich_IcmpBlock:
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 08f611a5..ef894971 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -772,6 +772,15 @@ class nftables(object):
egress_fragments.append(self._rule_addr_fragment("daddr", dst))
def _generate_policy_dispatch_rule(ingress_fragment, egress_fragment):
+ if ingress_fragment and egress_fragment:
+ # The IP families must be the same
+ #
+ if "payload" in ingress_fragment["match"]["left"] and \
+ "payload" in egress_fragment["match"]["left"] and \
+ ingress_fragment["match"]["left"]["payload"]["protocol"] != \
+ egress_fragment["match"]["left"]["payload"]["protocol"]:
+ return None
+
expr_fragments = []
if ingress_fragment:
expr_fragments.append(ingress_fragment)
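Review bot: The added early `return None` gives the nested `_generate_policy_dispatch_rule` a second return type, so every caller must now skip a `None` result; the call sites are outside this hunk and whether they do so is not visible here. A docstring on the nested function would pin the contract, e.g. `"""Return a dispatch rule, or None when the ingress and egress fragments match different IP families."""`, and the new comment block ends with a stray empty `#` line that can be dropped. The body of the nested function and the enclosing method continue past the hunk.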
@@ -1100,8 +1109,8 @@ class nftables(object):
"table": TABLE_NAME,
"chain": "%s_%s_%s" % (table, _policy, chain_suffix),
"expr": expr_fragments +
- [{"log": log_options},
- self._rich_rule_limit_fragment(rich_rule.log.limit)]}
+ [self._rich_rule_limit_fragment(rich_rule.log.limit),
+ {"log": log_options}]}
rule.update(self._rich_rule_priority_fragment(rich_rule))
return {add_del: {"rule": rule}}
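Review bot: The swap that puts the limit fragment ahead of the log statement at the end of the `expr` list deserves a comment, because a later reader may well tidy it back; nftables evaluates the statements of a rule in order, so placing the limit first is what makes it gate the log statement rather than run after it. Suggest `# limit must precede log so the rate limit gates the log statement` above the list, here and in the audit hunk that follows. The enclosing method starts outside the hunk.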
@@ -1118,8 +1127,8 @@ class nftables(object):
"table": TABLE_NAME,
"chain": "%s_%s_%s" % (table, _policy, chain_suffix),
"expr": expr_fragments +
- [{"log": {"level": "audit"}},
- self._rich_rule_limit_fragment(rich_rule.audit.limit)]}
+ [self._rich_rule_limit_fragment(rich_rule.audit.limit),
+ {"log": {"level": "audit"}}]}
rule.update(self._rich_rule_priority_fragment(rich_rule))
return {add_del: {"rule": rule}}
@@ -1748,7 +1757,7 @@ class nftables(object):
elif format == "mark":
fragments.append({"meta": {"key": "mark"}})
else:
- raise FirewallError("Unsupported ipset type for match fragment: %s" % (format))
+ raise FirewallError(INVALID_TYPE, "Unsupported ipset type for match fragment: %s" % (format))
return {"match": {"left": {"concat": fragments} if len(type_format) > 1 else fragments[0],
"op": "!=" if invert else "==",
@@ -1851,6 +1860,15 @@ class nftables(object):
rules = []
rules.extend(self.build_set_create_rules(set_name, type_name, create_options))
rules.extend(self.build_set_flush_rules(set_name))
+
+ # avoid large memory usage by chunking the entries
+ chunk = 0
for entry in entries:
rules.extend(self.build_set_add_rules(set_name, entry))
- self.set_rules(rules, self._fw.get_log_denied())
+ chunk += 1
+ if chunk >= 1000:
+ self.set_rules(rules, self._fw.get_log_denied())
+ rules.clear()
+ chunk = 0
+ else:
+ self.set_rules(rules, self._fw.get_log_denied())
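Review bot: The `for … else:` on the last added lines runs after every completed loop, not only when no chunk was flushed, so when the entry count is a multiple of 1000 the trailing `set_rules` call receives an empty `rules` list; unless `set_rules` already tolerates that, guard it with `if rules:`. An `else:` hanging off a `for` also reads like an `if/else` at a glance; a plain `if rules: self.set_rules(rules, self._fw.get_log_denied())` after the loop says the same thing more clearly. `chunk` counts entries rather than rules (an entry may expand to several rules), which the added comment could state. The enclosing method starts outside the hunk.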
diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
index 574a23d3..211c094d 100644
--- a/src/firewall/core/rich.py
+++ b/src/firewall/core/rich.py
@@ -136,7 +136,10 @@ class Rich_Tcp_Mss_Clamp(object):
self.value = value
def __str__(self):
- return 'tcp-mss-clamp value="%s"' % (self.value)
+ if self.value:
+ return 'tcp-mss-clamp value="%s"' % (self.value)
+ else:
+ return 'tcp-mss-clamp'
class Rich_ForwardPort(object):
def __init__(self, port, protocol, to_port, to_address):
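Review bot: `__str__` still prints `tcp-mss-clamp value="pmtu"` for the default value, while `common_writer` in core/io/policy.py in this same patch omits the attribute when the value is `"pmtu"`, so the same rule now has two textual forms. If rich rules are compared by their string form anywhere (not visible here), the two will not match; treating `"pmtu"` like an empty value here, `if self.value and self.value != "pmtu":`, would keep the two writers aligned. The class header is outside the hunk.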
diff --git a/src/firewalld b/src/firewalld
index 5cbf0894..79f5d442 100755
--- a/src/firewalld
+++ b/src/firewalld
@@ -1,4 +1,4 @@
-#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python
+#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2016 Red Hat, Inc.
Attachment:
firewalld.debdiff.gz
Description: application/gzip
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature