File 0003-firewall-cmd-For-non-permanent-interface-c... of Package firewalld

Overview Repositories Revisions Requests Users Attributes Meta

File 0003-firewall-cmd-For-non-permanent-interface-changes-don.patch of Package firewalld

From 65fba5ff49ffae7d0ae60a959eaf923b918a6ea1 Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Wed, 18 Jul 2018 11:45:37 -0400
Subject: [PATCH 3/8] firewall-cmd: For non-permanent interface changes don't
 involve NM

Only permanent interface to zone assignments should be forwarded to
NetworkManager. This prevents non-permanent configuration from becoming
permanent due to the libnm API.

Fixes: rhbz 1551078
(cherry picked from commit d74304e2ff6162b1739cbc4b2ffd014ddb280ce2)
---
 src/firewall-cmd                 |  9 +++------
 src/firewall/server/firewalld.py | 13 ++++++++++++-
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/src/firewall-cmd b/src/firewall-cmd
index 778a880f..ca899321 100755
--- a/src/firewall-cmd
+++ b/src/firewall-cmd
@@ -2370,22 +2370,19 @@ elif a.get_zone_of_interface:
 elif a.add_interface:
     interfaces = [ ]
     for interface in a.add_interface:
-        if not try_set_zone_of_interface(zone, interface):
-            interfaces.append(interface)
+        interfaces.append(interface)
     cmd.x_add_sequence(zone, interfaces, fw.addInterface,
                        fw.queryInterface, None, "'%s'")
 elif a.change_interface:
     interfaces = [ ]
     for interface in a.change_interface:
-        if not try_set_zone_of_interface(zone, interface):
-            interfaces.append(interface)
+        interfaces.append(interface)
     cmd.x_add_sequence(zone, interfaces, fw.changeZoneOfInterface,
                        fw.queryInterface, None, "'%s'")
 elif a.remove_interface:
     interfaces = [ ]
     for interface in a.remove_interface:
-        if not try_set_zone_of_interface("", interface):
-            interfaces.append(interface)
+        interfaces.append(interface)
     cmd.x_remove_sequence(zone, interfaces, fw.removeInterface,
                           fw.queryInterface, None, "'%s'")
 elif a.query_interface:
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
index 6f1331b2..b2a2453e 100644
--- a/src/firewall/server/firewalld.py
+++ b/src/firewall/server/firewalld.py
@@ -48,7 +48,8 @@ from firewall.core.io.ipset import IPSet
 from firewall.core.io.service import Service
 from firewall.core.io.icmptype import IcmpType
 from firewall.core.io.helper import Helper
-from firewall.core.fw_nm import nm_get_bus_name
+from firewall.core.fw_nm import nm_get_bus_name, nm_get_connection_of_interface, \
+                                nm_set_zone_of_connection
 from firewall import errors
 from firewall.errors import FirewallError
 
@@ -444,6 +445,16 @@ class FirewallD(slip.dbus.service.Object):
                         log.debug1("Zone '%s': interface binding for '%s' has been added by NM, ignoring." % (name, interface))
                         settings.removeInterface(interface)
                         changed = True
+                # For the remaining interfaces, attempt to let NM manage them
+                for interface in settings.getInterfaces():
+                    try:
+                        connection = nm_get_connection_of_interface(interface)
+                        if connection and nm_set_zone_of_connection(name, connection):
+                            settings.removeInterface(interface)
+                            changed = True
+                    except Exception:
+                        pass
+
                 if changed:
                     del conf
                     conf = settings.settings
-- 
2.19.0

Places

File 0003-firewall-cmd-For-non-permanent-interface-changes-don.patch of Package firewalld

Places