diff --git a/backport-fix-icmp-fix-check_icmpv6_name-to-use-correct-IPv6-n.patch b/backport-fix-icmp-fix-check_icmpv6_name-to-use-correct-IPv6-n.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9d2ab9742d5cd507c92aa2143b36f30da4dc7350
--- /dev/null
+++ b/backport-fix-icmp-fix-check_icmpv6_name-to-use-correct-IPv6-n.patch
@@ -0,0 +1,33 @@
+From d2fa474c1422f43dad6218f607831a0077618e83 Mon Sep 17 00:00:00 2001
+From: Thomas Haller
+Date: Tue, 4 Jul 2023 09:56:39 +0200
+Subject: [PATCH] fix(icmp): fix check_icmpv6_name() to use correct IPv6 names
+
+This was only called from IPSet.check_entry() to validate the input.
+Also, some of the IPv4 names are the same as for IPv6. Overall, the
+impact of this was probably low.
+
+Fixes: 11567b74317e ('New firewall.core.icmp providing names and types for icmp and icmpv6 values')
+
+Conflict:NA
+Reference:https://github.com/firewalld/firewalld/commit/d2fa474c1422f43dad6218f607831a0077618e83
+---
+ src/firewall/core/icmp.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/icmp.py b/src/firewall/core/icmp.py
+index ed030026..c293098d 100644
+--- a/src/firewall/core/icmp.py
++++ b/src/firewall/core/icmp.py
+@@ -94,7 +94,7 @@ def check_icmp_type(_type):
+ return False
+
+ def check_icmpv6_name(_name):
+- if _name in ICMP_TYPES:
++ if _name in ICMPV6_TYPES:
+ return True
+ return False
+
+--
+2.43.0
+
diff --git a/backport-fix-ipset-fix-configuring-IP-range-for-ipsets-with-n.patch b/backport-fix-ipset-fix-configuring-IP-range-for-ipsets-with-n.patch
new file mode 100644
index 0000000000000000000000000000000000000000..490e7ff0279cbe888c75d8724cfd71abd0366d7b
--- /dev/null
+++ b/backport-fix-ipset-fix-configuring-IP-range-for-ipsets-with-n.patch
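Review bot: The body of check_icmpv6_name() in the inner hunk still spells the membership test as an if / return True / return False, which reads as the copy-and-paste that produced the ICMP_TYPES/ICMPV6_TYPES mix-up in the first place; `return _name in ICMPV6_TYPES` says the same thing in one line and leaves nothing to get out of sync with the sibling check next time. The commit message's statement that IPSet.check_entry() is the only caller cannot be confirmed from this hunk, so it should be treated as a note rather than a guarantee about validation coverage. The preceding check_icmp_type() is cut off above the hunk.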
@@ -0,0 +1,139 @@
+From 4db89e316f2d60f3cf856a7025a96a61e40b1e5a Mon Sep 17 00:00:00 2001
+From: Thomas Haller
+Date: Tue, 11 Jul 2023 15:26:56 +0200
+Subject: [PATCH] fix(ipset): fix configuring IP range for ipsets with nftables
+
+Setting an IP range with nftables did not work:
+
+ firewall-cmd --permanent --delete-ipset=testipset || :
+ firewall-cmd --permanent --delete-zone=testzone || :
+
+ ENTRY=1.1.1.1-1.1.1.10
+
+ firewall-cmd --permanent --new-ipset=testipset --type=hash:ip
+ firewall-cmd --permanent --ipset=testipset --add-entry="$ENTRY"
+ firewall-cmd --permanent --info-ipset=testipset
+ firewall-cmd --permanent --new-zone=testzone
+ firewall-cmd --permanent --zone=testzone --add-rich-rule='rule family="ipv4" source ipset="testipset" service name="ssh" accept'
+
+ firewall-cmd --reload &
+
+This would generate the following JSON request:
+
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "firewalld",
+ "name": "testipset",
+ "elem": [
+ "1.1.1.1-1.1.1.10"
+ ]
+ }
+ }
+ }
+
+libnftables will try to resolve "1.1.1.1-1.1.1.10" via getaddrinfo(). Calling
+getaddrinfo() to resolve names is bound to fail, and it blocks the process for
+a very long time. libnftables should not block the calling process ([1]).
+
+We need to generate the correct JSON request, which is
+
+ {
+ "add": {
+ "element": {
+ "family": "inet",
+ "table": "firewalld",
+ "name": "testipset",
+ "elem": [
+ {
+ "range": [
+ "1.1.1.1",
+ "1.1.1.10"
+ ]
+ }
+ ]
+ }
+ }
+ }
+
+This is an ugly fix, because the parsing of ipset entries is duplicated
+and inconsistent. A better solution for that shall follow.
+
+[1] https://marc.info/?l=netfilter-devel&m=168901121103612
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2028748
+
+Fixes: 1582c5dd736a ('feat: nftables: convert to libnftables JSON interface')
+
+Conflict:context adapt
+Reference:https://github.com/firewalld/firewalld/commit/4db89e316f2d60f3cf856a7025a96a61e40b1e5a
+---
+ src/firewall/core/nftables.py | 27 +++++++++++++++------------
+ src/tests/cli/firewall-cmd.at | 4 ++--
+ 2 files changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 8e455d23..3bbc1028 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1690,19 +1690,22 @@ def _set_enrty_fragment(self, name, entry):
+ fragment.append({"range": [port_str[:index], port_str[index+1:]]})
+
+ elif type_format[i] in ["ip", "net"]:
+- try:
+- index = entry_tokens[i].index("/")
+- except ValueError:
+- addr = entry_tokens[i]
+- if "family" in obj.options and obj.options["family"] == "inet6":
+- addr = normalizeIP6(addr)
+- fragment.append(addr)
++ if '-' in entry_tokens[i]:
++ fragment.append({"range": entry_tokens[i].split('-') })
+ else:
++ try:
++ index = entry_tokens[i].index("/")
++ except ValueError:
++ addr = entry_tokens[i]
++ if "family" in obj.options and obj.options["family"] == "inet6":
++ addr = normalizeIP6(addr)
++ fragment.append(addr)
++ else:
++ addr = entry_tokens[i][:index]
++ if "family" in obj.options and obj.options["family"] == "inet6":
++ addr = normalizeIP6(addr)
++ fragment.append({"prefix": {"addr": addr,
++ "len": int(entry_tokens[i][index+1:])}})
+ else:
+ fragment.append(entry_tokens[i])
+ return [{"concat": fragment}] if len(type_format) > 1 else fragment
+diff --git a/src/tests/cli/firewall-cmd.at b/src/tests/cli/firewall-cmd.at
+index 9da0c3df..09dfb1f4 100644
+--- a/src/tests/cli/firewall-cmd.at
++++ b/src/tests/cli/firewall-cmd.at
+@@ -880,7 +880,7 @@ FWD_START_TEST([ipset])
+
+ dnl multi dimensional sets
+ FWD_CHECK([--permanent --new-ipset=foobar --type=hash:ip,port], 0, ignore)
+- FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,1234], 0, ignore)
++ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10-10.10.10.12,1234], 0, ignore)
+ FWD_CHECK([--permanent --ipset=foobar --add-entry=10.10.10.10,2000-2100], 0, ignore)
+ FWD_RELOAD
+ NFT_LIST_SET([foobar], 0, [dnl
+@@ -888,7 +888,7 @@ FWD_START_TEST([ipset])
+ set foobar {
+ type ipv4_addr . inet_proto . inet_service
+ flags interval
+- elements = { 10.10.10.10 . tcp . 1234,
++ elements = { 10.10.10.10-10.10.10.12 . tcp . 1234,
+ 10.10.10.10 . tcp . 2000-2100 }
+ }
+ }
+--
+2.43.0
+
diff --git a/backport-fix-ipset-fix-configuring-timeout-maxelem-values-for.patch b/backport-fix-ipset-fix-configuring-timeout-maxelem-values-for.patch
new file mode 100644
index 0000000000000000000000000000000000000000..951d00033c727afd7b62fbd6cc6b29d0cc59643c
--- /dev/null
+++ b/backport-fix-ipset-fix-configuring-timeout-maxelem-values-for.patch
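Review bot: The new range branch in _set_enrty_fragment (`++ if '-' in entry_tokens[i]:`) passes `entry_tokens[i].split('-')` straight into the JSON `range` element, so an entry with more than one `-` yields a list of three or more strings, and an inet6 set skips the normalizeIP6 pass that the plain-address and prefix branches still apply. The commit message itself explains that an element libnftables cannot parse makes it fall back to getaddrinfo() and block the daemon for a long time, so this builder should only ever hand libnftables exactly two, already-normalised endpoints and reject anything else with a FirewallError before the request is sent; whether IPSet.check_entry() already guarantees that upstream cannot be seen from this hunk. The test change in firewall-cmd.at covers an IPv4 range inside a concatenated set but no IPv6 range, which is where the missing normalisation would show. The method's signature and the `obj` it reads are outside the hunk, and INVALID_ENTRY below assumes the error code is imported alongside INVALID_RULE in this module.
```python
                elif type_format[i] in ["ip", "net"]:
                    if '-' in entry_tokens[i]:
                        # libnftables-json wants exactly two endpoints; anything
                        # else must be rejected here, not left for nft to guess at.
                        bounds = entry_tokens[i].split('-')
                        if len(bounds) != 2:
                            raise FirewallError(INVALID_ENTRY,
                                                "invalid range '%s'" % entry_tokens[i])
                        if "family" in obj.options and obj.options["family"] == "inet6":
                            bounds = [normalizeIP6(b) for b in bounds]
                        fragment.append({"range": bounds})
                    else:
                        # … unchanged: single address / prefix handling …
```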
@@ -0,0 +1,108 @@
+From ed93b047c8dd845d0b9434fd68fab7cf2435278c Mon Sep 17 00:00:00 2001
+From: Thomas Haller
+Date: Wed, 12 Jul 2023 14:17:38 +0200
+Subject: [PATCH] fix(ipset): fix configuring "timeout","maxelem" values for
+ ipsets with nftables
+
+With
+
+ firewall-cmd --permanent --delete-ipset=testipset || :
+ firewall-cmd --permanent --new-ipset=testipset --type=hash:ip --option=maxelem=65536 --option=family=inet --option=hashsize=4096 --option=timeout=14400
+ firewall-cmd --reload
+
+firewalld would send the JSON request
+
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "firewalld",
+ "name": "testipset",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ],
+ "timeout": "14400",
+ "size": "65536"
+ }
+ }
+ },
+
+But the "timeout","size" keys are NUMBER types in libnftables-json. They are
+silently ignored otherwise ([1]). The fix is to pass them as numbers.
+
+Try also:
+
+ nft delete table inet testtable &>/dev/null || :
+ nft add table inet testtable
+ echo '
+ {
+ "nftables": [
+ {
+ "metainfo": {
+ "json_schema_version": 1
+ }
+ },
+ {
+ "add": {
+ "set": {
+ "family": "inet",
+ "table": "testtable",
+ "name": "testipset",
+ "type": "ipv4_addr",
+ "flags": [
+ "interval"
+ ],
+ "timeout": "14400",
+ "size": "65536"
+ }
+ }
+ },
+ {
+ "flush": {
+ "set": {
+ "family": "inet",
+ "table": "testtable",
+ "name": "testipset"
+ }
+ }
+ }
+ ]
+ }
+ ' | nft -j -f -
+ nft list ruleset | grep -C6 testipset
+
+[1] https://git.netfilter.org/nftables/tree/src/parser_json.c?id=1335ade24e55199069b8ae79e34746a59ae48c01#n1440
+
+https://github.com/firewalld/firewalld/issues/699
+https://github.com/firewalld/firewalld/issues/908
+https://bugzilla.redhat.com/show_bug.cgi?id=2055330
+
+Fixes: #699
+Fixes: 1582c5dd736a ('feat: nftables: convert to libnftables JSON interface')
+
+Conflict:remove test rhbz1506742.at which has no context of change
+Reference:https://github.com/firewalld/firewalld/commit/ed93b047c8dd845d0b9434fd68fab7cf2435278c
+---
+ src/firewall/core/nftables.py | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index d4b018db..f269afa9 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1618,9 +1618,9 @@ def build_set_create_rules(self, name, type, options=None):
+
+ if options:
+ if "timeout" in options:
+- set_dict["timeout"] = options["timeout"]
++ set_dict["timeout"] = int(options["timeout"])
+ if "maxelem" in options:
+- set_dict["size"] = options["maxelem"]
++ set_dict["size"] = int(options["maxelem"])
+
+ return [{"add": {"set": set_dict}}]
+
+--
+2.43.0
+
diff --git a/backport-fix-nftables-use-current-pkttype-keywords.patch b/backport-fix-nftables-use-current-pkttype-keywords.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d881631f9637b4921d61dc0d5436d3be103bbca8
--- /dev/null
+++ b/backport-fix-nftables-use-current-pkttype-keywords.patch
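Review bot: `int(options["timeout"])` and `int(options["maxelem"])` in build_set_create_rules turn a non-numeric option value into a bare ValueError from inside rule generation (at reload time, per the commit message's reproducer) rather than a FirewallError at the point where the ipset option is configured; unless the option parser upstream already guarantees decimal strings, which this hunk cannot show, the conversion deserves either a guard that raises a FirewallError or a comment recording that guarantee. At minimum the why belongs next to the code, since a string value looks perfectly reasonable to a later reader: `# libnftables-json silently ignores "timeout"/"size" unless they are JSON numbers`. The rest of the method is outside the hunk.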
@@ -0,0 +1,33 @@
+From 78ef25fbcb5506f0a554f5a7e6bbc0388edaf5c4 Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 29 Oct 2025 10:41:09 -0400
+Subject: [PATCH] fix(nftables): use current pkttype keywords
+
+Since nftables 8a7f6de53640 ("meta: fix pkttype name and add 'other'
+symbol") the "unicast" keyword is actually equivalent to "host".
+
+Note: nftables also supports "other", but that's only relevant for L2
+and interfaces in promiscuous mode.
+
+Conflict:context adapt
+Reference:https://github.com/firewalld/firewalld/commit/78ef25fbcb5506f0a554f5a7e6bbc0388edaf5c4
+---
+ src/firewall/core/nftables.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 6e47670c..e668347c 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1626,7 +1626,7 @@ class nftables:
+ elif pkttype in ["unicast", "broadcast", "multicast"]:
+ return {"match": {"left": {"meta": {"key": "pkttype"}},
+ "op": "==",
+- "right": pkttype}}
++ "right": "host" if pkttype == "unicast" else pkttype}}
+
+ raise FirewallError(INVALID_RULE, "Invalid pkttype \"%s\"", pkttype)
+
+--
+2.43.0
+
diff --git a/backport-fix-rich-fix-range-check-for-large-rule-limit.patch b/backport-fix-rich-fix-range-check-for-large-rule-limit.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9f2b44a377f0c0b63e60573c91af112ce24fd6b3
--- /dev/null
+++ b/backport-fix-rich-fix-range-check-for-large-rule-limit.patch
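Review bot: The inline conditional `"host" if pkttype == "unicast" else pkttype` encodes a keyword rename without saying why, and the reason lives only in the commit message; a comment above the return, `# nftables names the unicast pkttype "host" (nftables commit 8a7f6de53640); "unicast" stays the firewalld-facing spelling`, keeps the mapping from being reverted later as an apparent typo. Whether nftables releases predating that commit accept "host" is not stated here and matters for a backport into a 1.2.6 package, so it is worth confirming against the nftables the target distribution ships. The enclosing method starts above the hunk.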
@@ -0,0 +1,30 @@
+From e790c64ebb5760e8d8f8afd1b978baab891d5933 Mon Sep 17 00:00:00 2001
+From: Thomas Haller
+Date: Mon, 5 Feb 2024 13:24:25 +0100
+Subject: [PATCH] fix(rich): fix range check for large rule limit
+
+Fixes: 555ae1307a3e ('New rich language usable in zones')
+
+Conflict:context adapt
+remove test src/tests/unit/test_rich_rule.py which not exist
+Reference:https://github.com/firewalld/firewalld/commit/e790c64ebb5760e8d8f8afd1b978baab891d5933
+---
+ src/firewall/core/rich.py | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
+index 6c445c5c..d1618a4a 100644
+--- a/src/firewall/core/rich.py
++++ b/src/firewall/core/rich.py
+@@ -458,7 +458,7 @@ def check(self, family=None):
+ elif duration == "d":
+ mult = 24*60*60
+
+- if 10000 * mult / rate == 0:
++ if 10000 * mult // rate == 0:
+ raise FirewallError(errors.INVALID_LIMIT,
+ "%s too fast" % self.value)
+
+--
+2.43.0
+
diff --git a/backport-fix-rich-validate-service-name-of-rich-rule.patch b/backport-fix-rich-validate-service-name-of-rich-rule.patch
new file mode 100644
index 0000000000000000000000000000000000000000..e093e766cd9d74f82171e9fa9c5c31f5f589173c
--- /dev/null
+++ b/backport-fix-rich-validate-service-name-of-rich-rule.patch
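Review bot: `10000 * mult // rate == 0` is an integer-division spelling of `rate > 10000 * mult`; the comparison form states the intent directly and does not raise ZeroDivisionError if a zero rate ever reaches this line, whereas the division form depends on rate having been validated as positive somewhere above the hunk, which is not visible here. The old `/` form was effectively dead under Python 3 true division (it could only be true for mult == 0), so the one-character change looks like a typo fix to a later reader; a comment such as `# reject limits faster than 10000 per time unit` would record what the check is for. check() starts before the hunk.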
@@ -0,0 +1,73 @@
+From fbcdddd3e38c31a7b8325bf02764b84344c216b0 Mon Sep 17 00:00:00 2001
+From: Thomas Haller
+Date: Tue, 12 Dec 2023 14:58:07 +0100
+Subject: [PATCH] fix(rich): validate service name of rich rule
+
+Previously, validation of valid service names was not done.
+That meant:
+
+ $ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent
+ success
+ $ firewall-cmd --reload
+ Error: INVALID_SERVICE: listen
+
+which left firewalld in a bad state.
+
+Now:
+
+ $ firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="listen" accept' --permanent
+ Error: INVALID_SERVICE: Zone 'public': 'listen' not among existing services
+
+https://issues.redhat.com/browse/RHEL-5790
+
+Conflict:context adapt
+Reference:https://github.com/firewalld/firewalld/commit/fbcdddd3e38c31a7b8325bf02764b84344c216b0
+---
+ src/firewall/core/io/policy.py | 8 ++++++++
+ src/tests/features/rich_rules.at | 7 ++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/io/policy.py b/src/firewall/core/io/policy.py
+index 36982097..a99a7855 100644
+--- a/src/firewall/core/io/policy.py
++++ b/src/firewall/core/io/policy.py
+@@ -570,6 +570,14 @@ def common_check_config(obj, config, item, all_config, all_io_objects):
+ log.debug1("{} (unsupported)".format(ex))
+ else:
+ raise ex
++ elif isinstance(obj_rich.element, rich.Rich_Service):
++ if obj_rich.element.name not in all_io_objects["services"]:
++ raise FirewallError(
++ errors.INVALID_SERVICE,
++ "{} '{}': '{}' not among existing services".format(
++ obj_type, obj.name, obj_rich.element.name
++ ),
++ )
+
+ def common_writer(obj, handler):
+ # short
+diff --git a/src/tests/features/rich_rules.at b/src/tests/features/rich_rules.at
+index aadc76da..f7d1a1d0 100644
+--- a/src/tests/features/rich_rules.at
++++ b/src/tests/features/rich_rules.at
+@@ -46,6 +46,10 @@ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priorit
+ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=0 source address=10.10.10.13 drop'], 0, ignore)
+ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=-1 source address=10.10.10.14 accept'], 0, ignore)
+ FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule family=ipv4 priority=1 source address=10.10.10.15 accept'], 0, ignore)
++
++dnl Invalid service name is rejected.
++FWD_CHECK([--permanent --policy foobar --add-rich-rule='rule priority="-100" family="ipv4" source address="10.0.0.10" service name="bogusservice" accept'], 101, ignore, ignore)
++
+ FWD_RELOAD
+ NFT_LIST_RULES([inet], [filter_IN_policy_foobar_pre], 0, [dnl
+ table inet firewalld {
+@@ -319,4 +323,5 @@ IP6TABLES_LIST_RULES([filter], [IN_foobar_post], 0, [dnl
+ ACCEPT all ::/0 ::/0
+ ])
+
+-FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d'])
++FWD_END_TEST([-e '/ERROR: INVALID_ZONE:/d' dnl
++ -e "/ERROR: INVALID_SERVICE: Policy 'foobar': 'bogusservice' not among existing services/d"])
+--
+2.43.0
+
diff --git a/firewalld.spec b/firewalld.spec
index 50eb532ea99d7eddcc3bc8524d8383ff5c77ba24..2c8d0db0cd0f787bee356fc43e2933aade065a5e 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,6 +1,6 @@
 Name: firewalld
 Version: 1.2.6
-Release: 7
+Release: 8
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 License: GPLv2+
 URL: http://www.firewalld.org
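Review bot: The new `Rich_Service` branch in common_check_config raises when the service name is missing from `all_io_objects["services"]`, but the added rich_rules.at test only exercises a policy (`--policy foobar`, message prefix `Policy 'foobar'`), while the commit message's motivating case is a zone (`Zone 'public'`); a matching zone test would show that `obj_type` and `obj.name` are right for both callers of this shared check. The branch also assumes `all_io_objects` carries a "services" key whose members can be tested with `in` by service name; that is not visible in the hunk, and if the key is absent the user sees a KeyError instead of the INVALID_SERVICE error this change is meant to produce, so it is worth a look at the call sites or a short comment stating the expected shape. The function starts above the hunk and the `if/elif` chain on obj_rich.element that this branch extends is cut at both ends.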
@@ -14,6 +14,12 @@ Patch4: backport-chore-nftables-add-delete-table-helper.patch Patch5: backport-fix-nftables-always-flush-main-table-on-start.patch Patch6: backport-fix-service-update-highest-port-number-for-ceph.patch Patch7: backport-fix-nm-release-NM-client-after-a-timeout.patch +Patch8: backport-fix-icmp-fix-check_icmpv6_name-to-use-correct-IPv6-n.patch +Patch9: backport-fix-ipset-fix-configuring-IP-range-for-ipsets-with-n.patch +Patch10: backport-fix-ipset-fix-configuring-timeout-maxelem-values-for.patch +Patch11: backport-fix-rich-validate-service-name-of-rich-rule.patch +Patch12: backport-fix-rich-fix-range-check-for-large-rule-limit.patch +Patch13: backport-fix-nftables-use-current-pkttype-keywords.patch BuildArch: noarch BuildRequires: autoconf automake desktop-file-utils gettext intltool glib2 glib2-devel systemd-units docbook-style-xsl @@ -249,6 +255,17 @@ sed -i "s/CleanupModulesOnExit=no/CleanupModulesOnExit=yes/g" %{_sysconfdir}/fir %{_datadir}/firewalld/testsuite/python/firewalld_test.py %changelog +* Thu Nov 27 2025 zhouyihang - 1.2.6-8 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:fix(icmp): fix check_icmpv6_name() to use correct IPv6 names + fix(ipset): fix configuring IP range for ipsets with nftables + fix(ipset): fix configuring "timeout","maxelem" values for + fix(rich): validate service name of rich rule + fix(rich): fix range check for large rule limit + fix(nftables): use current pkttype keywords + * Wed Aug 28 2024 zhouyihang - 1.2.6-7 - Type:bugfix - CVE:NA