Sorry, forgot to attach the actual files.
diff --git a/src/firewall-applet b/src/firewall-applet index 52f4544f..a4ece273 100755 --- a/src/firewall-applet +++ b/src/firewall-applet @@ -1,4 +1,4 @@ -#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python +#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2010-2015 Red Hat, Inc. @@ -20,15 +20,21 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # -import sys -from PyQt5 import QtGui, QtCore, QtWidgets +try: + from PyQt6 import QtGui, QtCore, QtWidgets + from PyQt6.QtGui import QAction + from dbus.mainloop.pyqt6 import DBusQtMainLoop +except (ImportError, ModuleNotFoundError): + from PyQt5 import QtGui, QtCore, QtWidgets + from PyQt5.QtWidgets import QAction + from dbus.mainloop.pyqt5 import DBusQtMainLoop import gi gi.require_version('Notify', '0.7') from gi.repository import Notify +import sys import os -from dbus.mainloop.pyqt5 import DBusQtMainLoop import functools from firewall import config @@ -58,7 +64,9 @@ def search_app(app): return None NM_CONNECTION_EDITOR = "" -for binary in [ "/usr/bin/nm-connection-editor", +for binary in [ "/usr/bin/systemsettings", + "/bin/systemsettings", + "/usr/bin/nm-connection-editor", "/bin/nm-connection-editor", "/usr/bin/kde5-nm-connection-editor", "/bin/kde5-nm-connection-editor", @@ -102,9 +110,9 @@ class ZoneInterfaceEditor(QtWidgets.QDialog): self.fill_zone_combo() vbox.addWidget(self.combo) - buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok - | QtWidgets.QDialogButtonBox.Cancel) - self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok) + buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok + | QtWidgets.QDialogButtonBox.StandardButton.Cancel) + self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok) buttonBox.accepted.connect(self.ok) buttonBox.rejected.connect(self.hide) vbox.addWidget(buttonBox) 
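Review bot: The new shebang `#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python` is a CI-runner toolcache path that will not exist on an installed system, which suggests `src/firewall-applet` (and `firewall-cmd`, `firewall-config`, `firewall-offline-cmd` and `firewalld`, which carry the same line later in this diff) are configure-generated copies of the `.in` templates rather than source. Carrying them in a debdiff means the interpreter path baked into the package depends on whichever host produced the diff, and it is the `.in` files that already hold the real change. I would drop the generated scripts from the debdiff and let the package build regenerate them, or at least verify the build overwrites them so the shipped shebang is the distribution's `python3`.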
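Review bot: `ModuleNotFoundError` is a subclass of `ImportError`, so `except (ImportError, ModuleNotFoundError):` can simply be `except ImportError:`. Because all three PyQt6 imports share one `try`, a host with PyQt6 but without `dbus.mainloop.pyqt6` silently falls back to PyQt5, and if PyQt5 is also absent the traceback names PyQt5 rather than the module that actually caused the fallback; a comment on the `try` such as `# PyQt6 also needs the pyqt6 D-Bus main loop; otherwise fall back to PyQt5` would make the intent explicit. The same applies to the matching hunk in `firewall-applet.in`.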
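Review bot: Placing `/usr/bin/systemsettings` ahead of `nm-connection-editor` changes which editor wins on a host that has both installed: assuming the loop keeps the first existing binary (its body is outside the hunk), a GNOME session with KDE packages present will now launch KDE System Settings for zone changes. If that is intended, say so on the list, e.g. `# order matters: the first binary found is used, KDE systemsettings is preferred`; otherwise consider consulting `XDG_CURRENT_DESKTOP` before preferring it. The same hunk exists in `firewall-applet.in`.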
@@ -252,9 +260,9 @@ class ShieldsEditor(QtWidgets.QDialog): vbox.addLayout(grid) - buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok - | QtWidgets.QDialogButtonBox.Cancel) - self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok) + buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok + | QtWidgets.QDialogButtonBox.StandardButton.Cancel) + self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok) buttonBox.accepted.connect(self.ok) buttonBox.rejected.connect(self.hide) vbox.addWidget(buttonBox) @@ -357,8 +365,8 @@ class AboutDialog(QtWidgets.QDialog): vbox2.addWidget(QtWidgets.QLabel(version)) label = QtWidgets.QLabel("<a href=\"%s\">%s</a>" % (url, url)) - label.setTextFormat(QtCore.Qt.RichText) - label.setTextInteractionFlags(QtCore.Qt.TextBrowserInteraction) + label.setTextFormat(QtCore.Qt.TextFormat.RichText) + label.setTextInteractionFlags(QtCore.Qt.TextInteractionFlag.TextBrowserInteraction) label.setOpenExternalLinks(True) vbox2.addWidget(label) @@ -394,7 +402,7 @@ class AboutDialog(QtWidgets.QDialog): vbox.addWidget(tabs) - buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Close) + buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Close) buttonBox.rejected.connect(self.hide) vbox.addWidget(buttonBox) 
@@ -452,47 +460,47 @@ class TrayApplet(QtWidgets.QSystemTrayIcon): # urgencies - self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.NoIcon, - "information": QtWidgets.QSystemTrayIcon.Information, - "warning": QtWidgets.QSystemTrayIcon.Warning, - "critical": QtWidgets.QSystemTrayIcon.Critical } + self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.MessageIcon.NoIcon, + "information": QtWidgets.QSystemTrayIcon.MessageIcon.Information, + "warning": QtWidgets.QSystemTrayIcon.MessageIcon.Warning, + "critical": QtWidgets.QSystemTrayIcon.MessageIcon.Critical } # actions - self.shieldsupAction = QtWidgets.QAction(escape(_("Shields Up")), + self.shieldsupAction = QAction(escape(_("Shields Up")), self) self.shieldsupAction.setCheckable(True) self.shieldsupAction.setChecked(False) self.shieldsupAction.triggered.connect(self.shieldsup_changed_cb) - self.notificationsAction = QtWidgets.QAction( + self.notificationsAction = QAction( escape(_("Enable Notifications")), self) self.notificationsAction.setCheckable(True) self.notificationsAction.setChecked(False) self.notificationsAction.triggered.connect(self.notification_changed_cb) - self.settingsAction = QtWidgets.QAction( + self.settingsAction = QAction( escape(_("Edit Firewall Settings...")), self) self.settingsAction.triggered.connect(self.configure_cb) - self.changeZonesAction = QtWidgets.QAction( + self.changeZonesAction = QAction( escape(_("Change Zones of Connections...")), self) self.changeZonesAction.triggered.connect(self.nm_connection_editor) - self.shieldsAction = QtWidgets.QAction( + self.shieldsAction = QAction( escape(_("Configure Shields UP/Down Zones...")), self) self.shieldsAction.triggered.connect(self.configure_shields) - self.panicAction = QtWidgets.QAction( + self.panicAction = QAction( escape(_("Block all network traffic")), self) self.panicAction.setCheckable(True) self.panicAction.setChecked(False) self.panicAction.triggered.connect(self.panic_mode_cb) - self.aboutAction = 
QtWidgets.QAction(escape(_("About")), self) - self.aboutAction.triggered.connect(self.about_dialog.exec_) + self.aboutAction = QAction(escape(_("About")), self) + self.aboutAction.triggered.connect(self.about_dialog.exec) - #self.quitAction = QtWidgets.QAction(escape(_("Quit")), self, + #self.quitAction = QAction(escape(_("Quit")), self, # triggered=self.quit) self.connectionsAction = QtWidgets.QWidgetAction(self) @@ -682,12 +690,12 @@ class TrayApplet(QtWidgets.QSystemTrayIcon): connection_name = connections[connection][1] if zone == "": _binding = _("{entry} (Default Zone: {default_zone})") - action = QtWidgets.QAction( + action = QAction( escape( _binding.format(default_zone=self.default_zone, entry=connection_name)), self) else: - action = QtWidgets.QAction( + action = QAction( escape(binding.format(zone=zone, entry=connection_name)), self) action.triggered.connect(functools.partial( self.zone_connection_editor, connection, connection_name, zone)) @@ -699,7 +707,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon): # add other interfaces for interface in sorted(interfaces): zone = interfaces[interface] - action = QtWidgets.QAction( + action = QAction( escape(binding.format(zone=zone, entry=interface)), self) action.triggered.connect(functools.partial( self.zone_interface_editor, interface, zone)) @@ -710,7 +718,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon): for source in sorted(sources): zone = sources[source] - action = QtWidgets.QAction( + action = QAction( escape(binding.format(zone=zone, entry=source)), self) action.triggered.connect(functools.partial( self.zone_source_editor, source, zone)) 
@@ -920,12 +928,17 @@ class TrayApplet(QtWidgets.QSystemTrayIcon): return if uuid: - if "kde-" in NM_CONNECTION_EDITOR: + if "systemsettings" in NM_CONNECTION_EDITOR: + os.system("%s kcm_networkmanagement --args Uuid=%s &" % (NM_CONNECTION_EDITOR, uuid)) + elif "kde-" in NM_CONNECTION_EDITOR: os.system("%s %s &" % (NM_CONNECTION_EDITOR, uuid)) else: os.system("%s --edit=%s &" % (NM_CONNECTION_EDITOR, uuid)) else: - os.system("%s &" % NM_CONNECTION_EDITOR) + if "systemsettings" in NM_CONNECTION_EDITOR: + os.system("%s kcm_networkmanagement &" % NM_CONNECTION_EDITOR) + else: + os.system("%s &" % NM_CONNECTION_EDITOR) def warning(self, text): QtWidgets.QMessageBox.warning(None, escape(self.name), text) @@ -1119,4 +1132,4 @@ app.setQuitOnLastWindowClosed(False) applet = TrayApplet() applet.show() -sys.exit(app.exec_()) +sys.exit(app.exec()) diff --git a/src/firewall-applet.in b/src/firewall-applet.in index 894ab05b..7176e1c0 100755 --- a/src/firewall-applet.in +++ b/src/firewall-applet.in @@ -20,15 +20,21 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # -import sys -from PyQt5 import QtGui, QtCore, QtWidgets +try: + from PyQt6 import QtGui, QtCore, QtWidgets + from PyQt6.QtGui import QAction + from dbus.mainloop.pyqt6 import DBusQtMainLoop +except (ImportError, ModuleNotFoundError): + from PyQt5 import QtGui, QtCore, QtWidgets + from PyQt5.QtWidgets import QAction + from dbus.mainloop.pyqt5 import DBusQtMainLoop import gi gi.require_version('Notify', '0.7') from gi.repository import Notify +import sys import os -from dbus.mainloop.pyqt5 import DBusQtMainLoop import functools from firewall import config @@ -58,7 +64,9 @@ def search_app(app): return None NM_CONNECTION_EDITOR = "" -for binary in [ "/usr/bin/nm-connection-editor", +for binary in [ "/usr/bin/systemsettings", + "/bin/systemsettings", + "/usr/bin/nm-connection-editor", "/bin/nm-connection-editor", "/usr/bin/kde5-nm-connection-editor", "/bin/kde5-nm-connection-editor", 
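Review bot: The new `os.system("%s kcm_networkmanagement --args Uuid=%s &" % (NM_CONNECTION_EDITOR, uuid))` extends the existing pattern of building a shell command line from `uuid`; that value comes from NetworkManager over D-Bus and is normally a canonical UUID, but nothing in the applet checks it, and every new branch added here is another place where a metacharacter in it would reach `/bin/sh`. Since the `&` only serves to return immediately, `subprocess.Popen` with an argument list gives the same non-blocking behaviour with no shell at all, in both the `uuid` and no-`uuid` branches. This needs `import subprocess` in the import block, which is a separate hunk; the one caveat is that the applet will not reap the child, so the editor process stays a zombie until the applet exits unless the `Popen` object is polled later. The same change applies to the identical hunk in `firewall-applet.in`.
```python
        if uuid:
            if "systemsettings" in NM_CONNECTION_EDITOR:
                argv = [NM_CONNECTION_EDITOR, "kcm_networkmanagement",
                        "--args", "Uuid=%s" % uuid]
            elif "kde-" in NM_CONNECTION_EDITOR:
                argv = [NM_CONNECTION_EDITOR, uuid]
            else:
                argv = [NM_CONNECTION_EDITOR, "--edit=%s" % uuid]
        else:
            argv = [NM_CONNECTION_EDITOR]
            if "systemsettings" in NM_CONNECTION_EDITOR:
                argv.append("kcm_networkmanagement")
        # no shell: uuid is passed as a single argv element; Popen returns
        # immediately, which is what the old trailing "&" was for
        subprocess.Popen(argv)
```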
@@ -102,9 +110,9 @@ class ZoneInterfaceEditor(QtWidgets.QDialog): self.fill_zone_combo() vbox.addWidget(self.combo) - buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok - | QtWidgets.QDialogButtonBox.Cancel) - self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok) + buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok + | QtWidgets.QDialogButtonBox.StandardButton.Cancel) + self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok) buttonBox.accepted.connect(self.ok) buttonBox.rejected.connect(self.hide) vbox.addWidget(buttonBox) @@ -252,9 +260,9 @@ class ShieldsEditor(QtWidgets.QDialog): vbox.addLayout(grid) - buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Ok - | QtWidgets.QDialogButtonBox.Cancel) - self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.Ok) + buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Ok + | QtWidgets.QDialogButtonBox.StandardButton.Cancel) + self.ok_button = buttonBox.button(QtWidgets.QDialogButtonBox.StandardButton.Ok) buttonBox.accepted.connect(self.ok) buttonBox.rejected.connect(self.hide) vbox.addWidget(buttonBox) @@ -357,8 +365,8 @@ class AboutDialog(QtWidgets.QDialog): vbox2.addWidget(QtWidgets.QLabel(version)) label = QtWidgets.QLabel("<a href=\"%s\">%s</a>" % (url, url)) - label.setTextFormat(QtCore.Qt.RichText) - label.setTextInteractionFlags(QtCore.Qt.TextBrowserInteraction) + label.setTextFormat(QtCore.Qt.TextFormat.RichText) + label.setTextInteractionFlags(QtCore.Qt.TextInteractionFlag.TextBrowserInteraction) label.setOpenExternalLinks(True) vbox2.addWidget(label) @@ -394,7 +402,7 @@ class AboutDialog(QtWidgets.QDialog): vbox.addWidget(tabs) - buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.Close) + buttonBox = QtWidgets.QDialogButtonBox(QtWidgets.QDialogButtonBox.StandardButton.Close) buttonBox.rejected.connect(self.hide) vbox.addWidget(buttonBox) 
@@ -452,47 +460,47 @@ class TrayApplet(QtWidgets.QSystemTrayIcon): # urgencies - self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.NoIcon, - "information": QtWidgets.QSystemTrayIcon.Information, - "warning": QtWidgets.QSystemTrayIcon.Warning, - "critical": QtWidgets.QSystemTrayIcon.Critical } + self.urgencies = { "noicon": QtWidgets.QSystemTrayIcon.MessageIcon.NoIcon, + "information": QtWidgets.QSystemTrayIcon.MessageIcon.Information, + "warning": QtWidgets.QSystemTrayIcon.MessageIcon.Warning, + "critical": QtWidgets.QSystemTrayIcon.MessageIcon.Critical } # actions - self.shieldsupAction = QtWidgets.QAction(escape(_("Shields Up")), + self.shieldsupAction = QAction(escape(_("Shields Up")), self) self.shieldsupAction.setCheckable(True) self.shieldsupAction.setChecked(False) self.shieldsupAction.triggered.connect(self.shieldsup_changed_cb) - self.notificationsAction = QtWidgets.QAction( + self.notificationsAction = QAction( escape(_("Enable Notifications")), self) self.notificationsAction.setCheckable(True) self.notificationsAction.setChecked(False) self.notificationsAction.triggered.connect(self.notification_changed_cb) - self.settingsAction = QtWidgets.QAction( + self.settingsAction = QAction( escape(_("Edit Firewall Settings...")), self) self.settingsAction.triggered.connect(self.configure_cb) - self.changeZonesAction = QtWidgets.QAction( + self.changeZonesAction = QAction( escape(_("Change Zones of Connections...")), self) self.changeZonesAction.triggered.connect(self.nm_connection_editor) - self.shieldsAction = QtWidgets.QAction( + self.shieldsAction = QAction( escape(_("Configure Shields UP/Down Zones...")), self) self.shieldsAction.triggered.connect(self.configure_shields) - self.panicAction = QtWidgets.QAction( + self.panicAction = QAction( escape(_("Block all network traffic")), self) self.panicAction.setCheckable(True) self.panicAction.setChecked(False) self.panicAction.triggered.connect(self.panic_mode_cb) - self.aboutAction = 
QtWidgets.QAction(escape(_("About")), self) - self.aboutAction.triggered.connect(self.about_dialog.exec_) + self.aboutAction = QAction(escape(_("About")), self) + self.aboutAction.triggered.connect(self.about_dialog.exec) - #self.quitAction = QtWidgets.QAction(escape(_("Quit")), self, + #self.quitAction = QAction(escape(_("Quit")), self, # triggered=self.quit) self.connectionsAction = QtWidgets.QWidgetAction(self) @@ -682,12 +690,12 @@ class TrayApplet(QtWidgets.QSystemTrayIcon): connection_name = connections[connection][1] if zone == "": _binding = _("{entry} (Default Zone: {default_zone})") - action = QtWidgets.QAction( + action = QAction( escape( _binding.format(default_zone=self.default_zone, entry=connection_name)), self) else: - action = QtWidgets.QAction( + action = QAction( escape(binding.format(zone=zone, entry=connection_name)), self) action.triggered.connect(functools.partial( self.zone_connection_editor, connection, connection_name, zone)) @@ -699,7 +707,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon): # add other interfaces for interface in sorted(interfaces): zone = interfaces[interface] - action = QtWidgets.QAction( + action = QAction( escape(binding.format(zone=zone, entry=interface)), self) action.triggered.connect(functools.partial( self.zone_interface_editor, interface, zone)) @@ -710,7 +718,7 @@ class TrayApplet(QtWidgets.QSystemTrayIcon): for source in sorted(sources): zone = sources[source] - action = QtWidgets.QAction( + action = QAction( escape(binding.format(zone=zone, entry=source)), self) action.triggered.connect(functools.partial( self.zone_source_editor, source, zone)) 
@@ -920,12 +928,17 @@ class TrayApplet(QtWidgets.QSystemTrayIcon): return if uuid: - if "kde-" in NM_CONNECTION_EDITOR: + if "systemsettings" in NM_CONNECTION_EDITOR: + os.system("%s kcm_networkmanagement --args Uuid=%s &" % (NM_CONNECTION_EDITOR, uuid)) + elif "kde-" in NM_CONNECTION_EDITOR: os.system("%s %s &" % (NM_CONNECTION_EDITOR, uuid)) else: os.system("%s --edit=%s &" % (NM_CONNECTION_EDITOR, uuid)) else: - os.system("%s &" % NM_CONNECTION_EDITOR) + if "systemsettings" in NM_CONNECTION_EDITOR: + os.system("%s kcm_networkmanagement &" % NM_CONNECTION_EDITOR) + else: + os.system("%s &" % NM_CONNECTION_EDITOR) def warning(self, text): QtWidgets.QMessageBox.warning(None, escape(self.name), text) @@ -1119,4 +1132,4 @@ app.setQuitOnLastWindowClosed(False) applet = TrayApplet() applet.show() -sys.exit(app.exec_()) +sys.exit(app.exec()) diff --git a/src/firewall-cmd b/src/firewall-cmd index 51b7badf..9e03a51c 100755 --- a/src/firewall-cmd +++ b/src/firewall-cmd @@ -1,4 +1,4 @@ -#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python +#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2009-2016 Red Hat, Inc. diff --git a/src/firewall-config b/src/firewall-config index b91d1f12..1fb26934 100755 --- a/src/firewall-config +++ b/src/firewall-config @@ -1,4 +1,4 @@ -#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python +#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2011-2015 Red Hat, Inc. @@ -3750,7 +3750,8 @@ class FirewallConfig(object): or self.richRuleDialogDestinationInvertCheck.get_active()): rule.destination = rich.Rich_Destination( self.richRuleDialogDestinationChooser.get_text(), - self.richRuleDialogDestinationInvertCheck.get_active()) + None, + invert=self.richRuleDialogDestinationInvertCheck.get_active()) # log if self.richRuleDialogLogCheck.is_sensitive() and \ diff --git a/src/firewall-config.in b/src/firewall-config.in index 29d4d667..8aa58394 100755 
--- a/src/firewall-config.in +++ b/src/firewall-config.in @@ -3750,7 +3750,8 @@ class FirewallConfig(object): or self.richRuleDialogDestinationInvertCheck.get_active()): rule.destination = rich.Rich_Destination( self.richRuleDialogDestinationChooser.get_text(), - self.richRuleDialogDestinationInvertCheck.get_active()) + None, + invert=self.richRuleDialogDestinationInvertCheck.get_active()) # log if self.richRuleDialogLogCheck.is_sensitive() and \ diff --git a/src/firewall-offline-cmd b/src/firewall-offline-cmd index b333598a..1483aac5 100755 --- a/src/firewall-offline-cmd +++ b/src/firewall-offline-cmd @@ -1,4 +1,4 @@ -#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python +#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2009-2016 Red Hat, Inc. diff --git a/src/firewall/config/__init__.py b/src/firewall/config/__init__.py index 602b226a..8f709337 100644 --- a/src/firewall/config/__init__.py +++ b/src/firewall/config/__init__.py @@ -40,7 +40,7 @@ APPLET_NAME = 'firewall-applet' DATADIR = '/usr/share/' + DAEMON_NAME CONFIG_GLADE_NAME = CONFIG_NAME + '.glade' COPYRIGHT = '(C) 2010-2017 Red Hat, Inc.' -VERSION = '1.3.0' +VERSION = '1.3.3' AUTHORS = [ "Thomas Woerner <twoerner@redhat.com>", "Jiri Popelka <jpopelka@redhat.com>", diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py index 14180e45..e9db1c6f 100644 --- a/src/firewall/core/fw.py +++ b/src/firewall/core/fw.py @@ -1095,6 +1095,7 @@ class Firewall(object): _omit_native_ipset = self.ipset.omit_native_ipset() # must stash this. The value may change after _start() + old_firewall_backend = self._firewall_backend flush_all = self._flush_all_on_reload if not flush_all: @@ -1114,6 +1115,7 @@ class Firewall(object): self.set_policy("DROP") # stop + self.flush() self.cleanup() start_exception = None 
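Review bot: `self.flush()` now runs immediately after `self.set_policy("DROP")`, so the DROP policy is only effective during the reload if `flush()` leaves the rules that implement it untouched; if it does not, there is an unfiltered window between the flush and the end of `_start()`. `flush()` is not in this hunk so I cannot confirm either way, and the next reader will have the same question, so a comment on the new line would help: `# flush() must not remove the DROP policy set above; it lives outside the flushed ruleset`. The enclosing `reload()` starts and ends outside this hunk.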
@@ -1196,6 +1198,19 @@ class Firewall(object): if not self._panic: self.set_policy("ACCEPT") + # If the FirewallBackend changed, then we must also cleanup the policy + # for the old backend that was set to DROP above. + if not self._panic and old_firewall_backend != self._firewall_backend: + if old_firewall_backend == "nftables": + for rule in self.nftables_backend.build_set_policy_rules("ACCEPT"): + self.nftables_backend.set_rule(rule, self._log_denied) + else: + for rule in self.ip4tables_backend.build_set_policy_rules("ACCEPT"): + self.ip4tables_backend.set_rule(rule, self._log_denied) + if self.ip6tables_enabled: + for rule in self.ip6tables_backend.build_set_policy_rules("ACCEPT"): + self.ip6tables_backend.set_rule(rule, self._log_denied) + if start_exception: self._state = "FAILED" raise start_exception diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py index 0e38dd47..9ff8f500 100644 --- a/src/firewall/core/fw_nm.py +++ b/src/firewall/core/fw_nm.py @@ -186,6 +186,22 @@ def nm_get_interfaces_in_zone(zone): return interfaces +def nm_get_device_by_ip_iface(interface): + """Get device from NM which has the given IP interface + @param interface name + @returns NM.Device instance or None + """ + check_nm_imported() + + for device in nm_get_client().get_devices(): + ip_iface = device.get_ip_iface() + if ip_iface is None: + continue + if ip_iface == interface: + return device + + return None + def nm_get_connection_of_interface(interface): """Get connection from NM that is using the interface @param interface name @@ -193,7 +209,7 @@ def nm_get_connection_of_interface(interface): """ check_nm_imported() - device = nm_get_client().get_device_by_iface(interface) + device = nm_get_device_by_ip_iface(interface) if device is None: return None diff --git a/src/firewall/core/fw_policy.py b/src/firewall/core/fw_policy.py index 0f86695d..ff6ac07a 100644 --- a/src/firewall/core/fw_policy.py +++ b/src/firewall/core/fw_policy.py 
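Review bot: The backend-switch cleanup runs even when `start_exception` is set, so a reload that fails while switching from, say, nftables to iptables still lifts the old backend's DROP policy to ACCEPT. That matches the existing `set_policy("ACCEPT")` two lines above, i.e. reload already fails open, but with two backends involved it deserves a comment, e.g. `# runs even when _start() failed: reload fails open, matching set_policy("ACCEPT") above`. The new code also drives `build_set_policy_rules`/`set_rule` on the backends directly instead of going through `set_policy()`, so whatever error handling that method has is bypassed; a helper taking a backend name and a policy string would let this block and `set_policy()` share one implementation. The enclosing `reload()` starts outside the hunk.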
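Review bot: In `nm_get_device_by_ip_iface` the `if ip_iface is None: continue` guard is redundant as long as callers never pass `None` as `interface`, because `None == "eth0"` is already false; `if device.get_ip_iface() == interface: return device` is the whole loop body. More importantly the docstring should say why the IP interface is used instead of `get_device_by_iface`, since that is the behaviour change the second hunk makes; presumably the two names differ for some device types, but the reason is not visible here and should be stated, e.g. `Match on the IP interface rather than the control interface, which differ for some NM device types.`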
@@ -1327,7 +1327,21 @@ class FirewallPolicy(object): "ipset '%s' with type '%s' not usable as source" % \ (name, _type)) - def _rule_prepare(self, enable, policy, rule, transaction): + def _rule_prepare(self, enable, policy, rule, transaction, included_services=None): + # First apply any services this service may include + if type(rule.element) == Rich_Service: + svc = self._fw.service.get_service(rule.element.name) + if included_services is None: + included_services = [rule.element.name] + for include in svc.includes: + if include in included_services: + continue + self.check_service(include) + included_services.append(include) + _rule = copy.deepcopy(rule) + _rule.element.name = include + self._rule_prepare(enable, policy, _rule, transaction, included_services=included_services) + ipvs = [] if rule.family: ipvs = [ rule.family ] @@ -1806,8 +1820,7 @@ class FirewallPolicy(object): elif "ANY" in obj.ingress_zones: # any --> zone return [("nat", "POSTROUTING")] - else: - return FirewallError("Invalid policy: %s" % (policy)) + raise FirewallError(errors.INVALID_POLICY, "Invalid policy: %s" % (policy)) def policy_base_chain_name(self, policy, table, policy_prefix, isSNAT=False): obj = self._fw.policy.get_policy(policy) @@ -1865,4 +1878,4 @@ class FirewallPolicy(object): return "PRE_" + suffix elif table in ["mangle", "raw"]: return "PRE_" + suffix - return FirewallError("Can't convert policy to chain name: %s, %s, %s" % (policy, table, isSNAT)) + raise FirewallError(errors.INVALID_POLICY, "Can't convert policy to chain name: %s, %s, %s" % (policy, table, isSNAT)) diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py index 0dfb3609..cdf08089 100644 --- a/src/firewall/core/fw_zone.py +++ b/src/firewall/core/fw_zone.py 
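Review bot: The include expansion in `_rule_prepare` calls `copy.deepcopy`, so `copy` must be imported at the top of fw_policy.py; the import block is outside this hunk, please confirm it is there. `self.check_service(include)` also runs on the removal path (`enable=False`), so if a service gained an include that was later deleted, the rich rule that references it can no longer be removed without error; `check_service` is not shown, so this is a guess worth verifying. A short docstring stating that rich service rules are expanded to their transitive includes and that `included_services` is the visited list breaking include cycles would make the recursion obvious; the rest of the method is outside the hunk.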
@@ -845,7 +845,7 @@ class FirewallZone(object): elif rule.element is None: return [self.policy_name_from_zones(zone, "HOST")] else: - raise FirewallError("Rich rule type (%s) not handled." % (type(rule.element))) + raise FirewallError(errors.INVALID_RULE, "Rich rule type (%s) not handled." % (type(rule.element))) def add_rule(self, zone, rule, timeout=0, sender=None): for p_name in self._rich_rule_to_policies(zone, rule): diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py index 66d4b9ec..0a24e0f6 100644 --- a/src/firewall/core/io/policy.py +++ b/src/firewall/core/io/policy.py @@ -109,7 +109,7 @@ def common_startElement(obj, name, attrs): obj._rule_error = True return True _value="pmtu" - if "value" in attrs: + if "value" in attrs and attrs["value"] not in [None, "None"]: _value = attrs["value"] obj._rule.element = rich.Rich_Tcp_Mss_Clamp(_value) else: @@ -591,7 +591,8 @@ def common_writer(obj, handler): attrs["value"] = rule.element.value elif type(rule.element) == rich.Rich_Tcp_Mss_Clamp: element = "tcp-mss-clamp" - attrs["value"] = rule.element.value + if rule.element.value and rule.element.value != "pmtu": + attrs["value"] = rule.element.value elif type(rule.element) == rich.Rich_Masquerade: element = "masquerade" elif type(rule.element) == rich.Rich_IcmpBlock: diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py index 08f611a5..ef894971 100644 --- a/src/firewall/core/nftables.py +++ b/src/firewall/core/nftables.py 
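Review bot: `attrs["value"] not in [None, "None"]` accepts the literal string `"None"` as "no value", which looks like a compatibility shim for configuration files written by earlier releases that serialized `str(None)` into the XML (the writer hunk below stops doing that). That history is not visible on the line and the next cleanup will remove it, so comment it: `# "None": earlier releases wrote str(None) into the XML; treat it as the pmtu default`. Since `"None"` is never a valid MSS value, accepting it is harmless.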
@@ -772,6 +772,15 @@ class nftables(object): egress_fragments.append(self._rule_addr_fragment("daddr", dst)) def _generate_policy_dispatch_rule(ingress_fragment, egress_fragment): + if ingress_fragment and egress_fragment: + # The IP families must be the same + # + if "payload" in ingress_fragment["match"]["left"] and \ + "payload" in egress_fragment["match"]["left"] and \ + ingress_fragment["match"]["left"]["payload"]["protocol"] != \ + egress_fragment["match"]["left"]["payload"]["protocol"]: + return None + expr_fragments = [] if ingress_fragment: expr_fragments.append(ingress_fragment) @@ -1100,8 +1109,8 @@ class nftables(object): "table": TABLE_NAME, "chain": "%s_%s_%s" % (table, _policy, chain_suffix), "expr": expr_fragments + - [{"log": log_options}, - self._rich_rule_limit_fragment(rich_rule.log.limit)]} + [self._rich_rule_limit_fragment(rich_rule.log.limit), + {"log": log_options}]} rule.update(self._rich_rule_priority_fragment(rich_rule)) return {add_del: {"rule": rule}} @@ -1118,8 +1127,8 @@ class nftables(object): "table": TABLE_NAME, "chain": "%s_%s_%s" % (table, _policy, chain_suffix), "expr": expr_fragments + - [{"log": {"level": "audit"}}, - self._rich_rule_limit_fragment(rich_rule.audit.limit)]} + [self._rich_rule_limit_fragment(rich_rule.audit.limit), + {"log": {"level": "audit"}}]} rule.update(self._rich_rule_priority_fragment(rich_rule)) return {add_del: {"rule": rule}} @@ -1748,7 +1757,7 @@ class nftables(object): elif format == "mark": fragments.append({"meta": {"key": "mark"}}) else: - raise FirewallError("Unsupported ipset type for match fragment: %s" % (format)) + raise FirewallError(INVALID_TYPE, "Unsupported ipset type for match fragment: %s" % (format)) return {"match": {"left": {"concat": fragments} if len(type_format) > 1 else fragments[0], "op": "!=" if invert else "==", 
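Review bot: `_generate_policy_dispatch_rule` can now return `None`, so every caller must skip that result rather than append it to the rule list; the callers are outside this hunk and should be checked. The early return also deserves a one-line reason, e.g. `# an "ip saddr" and an "ip6 daddr" match can never both hold; emit no rule for this pair`, since the nested `["match"]["left"]["payload"]["protocol"]` comparison does not explain itself.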
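Review bot: Moving the limit fragment ahead of the `log` statement is the right fix — nft evaluates a rule's expressions in order, so a `limit` placed after `log` rate-limits nothing and the log can be flooded — but nothing in the hunk says why the order matters, and a future tidy-up could swap it back. Add `# limit must precede log: nft evaluates expressions left to right` on the `expr` line here and in the audit hunk below.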
@@ -1851,6 +1860,15 @@ class nftables(object): rules = [] rules.extend(self.build_set_create_rules(set_name, type_name, create_options)) rules.extend(self.build_set_flush_rules(set_name)) + + # avoid large memory usage by chunking the entries + chunk = 0 for entry in entries: rules.extend(self.build_set_add_rules(set_name, entry)) - self.set_rules(rules, self._fw.get_log_denied()) + chunk += 1 + if chunk >= 1000: + self.set_rules(rules, self._fw.get_log_denied()) + rules.clear() + chunk = 0 + else: + self.set_rules(rules, self._fw.get_log_denied()) diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py index 574a23d3..211c094d 100644 --- a/src/firewall/core/rich.py +++ b/src/firewall/core/rich.py @@ -136,7 +136,10 @@ class Rich_Tcp_Mss_Clamp(object): self.value = value def __str__(self): - return 'tcp-mss-clamp value="%s"' % (self.value) + if self.value: + return 'tcp-mss-clamp value="%s"' % (self.value) + else: + return 'tcp-mss-clamp' class Rich_ForwardPort(object): def __init__(self, port, protocol, to_port, to_address): diff --git a/src/firewalld b/src/firewalld index 5cbf0894..79f5d442 100755 --- a/src/firewalld +++ b/src/firewalld @@ -1,4 +1,4 @@ -#!/opt/hostedtoolcache/Python/3.7.15/x64/bin/python +#!/opt/hostedtoolcache/Python/3.7.16/x64/bin/python # -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc.
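Review bot: The `for ... else:` in the chunked set population always runs its `else` (there is no `break`), so when the entry count is an exact multiple of 1000 the final `set_rules(rules, ...)` is called with an empty list; whether `set_rules` tolerates that is not visible here. The `chunk` counter also duplicates `len(rules)`. A plain `if rules:` after the loop removes both issues. Separately, the previous code applied create, flush and all adds in one `set_rules` call; if that is a single nft transaction, chunking means a failure on a later chunk leaves the set created and partially populated, which is worth a comment so nobody assumes atomicity. The enclosing method starts outside the hunk.
```python
        # … unchanged: create and flush rules …
        # batch the adds to bound memory; note this gives up all-or-nothing
        # application of the set, a failed later chunk leaves a partial set
        for entry in entries:
            rules.extend(self.build_set_add_rules(set_name, entry))
            if len(rules) >= 1000:
                self.set_rules(rules, self._fw.get_log_denied())
                rules.clear()
        if rules:
            self.set_rules(rules, self._fw.get_log_denied())
```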