- Fixed ipset overloading, dropped applied check in get_ipset (issue#206)

This commit is contained in:
Thomas Woerner 2017-02-21 02:29:24 +01:00
parent 21021781ec
commit 3f2143f4aa
2 changed files with 97 additions and 1 deletions

View File

@ -0,0 +1,91 @@
commit 7e7be5658c2b1a8aa130480ad8e1a7314c83bba9
Author: Thomas Woerner <twoerner@redhat.com>
Date: Wed Feb 15 11:11:40 2017 +0100
firewall.core.fw_ipset: get_ipset may not ckeck if set is applied by default
This breaks the ipset overloading from /etc/firewalld/ipsets.
Fixes: #206
diff --git a/src/firewall/core/fw_ipset.py b/src/firewall/core/fw_ipset.py
index bbbc8eb..952d122 100644
--- a/src/firewall/core/fw_ipset.py
+++ b/src/firewall/core/fw_ipset.py
@@ -55,10 +55,11 @@ class FirewallIPSet(object):
def has_ipsets(self):
return len(self._ipsets) > 0
- def get_ipset(self, name):
+ def get_ipset(self, name, applied=False):
self.check_ipset(name)
obj = self._ipsets[name]
- self.check_applied_obj(obj)
+ if applied:
+ self.check_applied_obj(obj)
return obj
def _error2warning(self, f, name, *args):
@@ -141,11 +142,11 @@ class FirewallIPSet(object):
# TYPE
def get_type(self, name):
- return self.get_ipset(name).type
+ return self.get_ipset(name, applied=True).type
# DIMENSION
def get_dimension(self, name):
- return len(self.get_ipset(name).type.split(","))
+ return len(self.get_ipset(name, applied=True).type.split(","))
# APPLIED
@@ -164,7 +165,7 @@ class FirewallIPSet(object):
# OPTIONS
def get_family(self, name):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
if "family" in obj.options:
if obj.options["family"] == "inet6":
return "ipv6"
@@ -179,7 +180,7 @@ class FirewallIPSet(object):
pass
def add_entry(self, name, entry):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
if "timeout" in obj.options and obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
@@ -201,7 +202,7 @@ class FirewallIPSet(object):
obj.entries.append(entry)
def remove_entry(self, name, entry):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
if "timeout" in obj.options and obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
@@ -222,7 +223,7 @@ class FirewallIPSet(object):
obj.entries.remove(entry)
def query_entry(self, name, entry):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
if "timeout" in obj.options and obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
@@ -230,11 +231,11 @@ class FirewallIPSet(object):
return entry in obj.entries
def get_entries(self, name):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
return obj.entries
def set_entries(self, name, entries):
- obj = self.get_ipset(name)
+ obj = self.get_ipset(name, applied=True)
if "timeout" in obj.options and obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)

View File

@ -8,7 +8,7 @@
Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
Name: firewalld
Version: 0.4.4.3
Release: 1%{?dist}
Release: 2%{?dist}
URL: http://www.firewalld.org
License: GPLv2+
Source0: https://fedorahosted.org/released/firewalld/%{name}-%{version}.tar.bz2
@ -19,6 +19,7 @@ Source2: FedoraWorkstation.xml
%if 0%{?fedora}
Patch0: firewalld-0.2.6-MDNS-default.patch
%endif
Patch1: firewalld-0.4.4.3-get_ipset_no_applied_check.patch
BuildArch: noarch
BuildRequires: desktop-file-utils
BuildRequires: gettext
@ -154,6 +155,7 @@ firewalld.
%if 0%{?fedora}
%patch0 -p1
%endif
%patch1 -p1 -b .get_ipset_no_applied_check
%if 0%{?with_python3}
rm -rf %{py3dir}
@ -412,6 +414,9 @@ fi
%{_mandir}/man1/firewall-config*.1*
%changelog
* Tue Feb 21 2017 Thomas Woerner <twoerner@redhat.com> - 0.4.4.3-2
- Fixed ipset overloading, dropped applied check in get_ipset (issue#206)
* Fri Feb 10 2017 Thomas Woerner <twoerner@redhat.com> - 0.4.4.3-1
- Rebase to firewalld-0.4.4.3
http://www.firewalld.org/2017/02/firewalld-0-4-4-3-release