Created attachment 863732 [details]
direct.patch

Description of problem:
If you add a permanent direct rule with complex iptables args, it cannot be loaded when firewalld starts.

Version-Release number of selected component (if applicable):
0.3.9.3-1

How reproducible:
Stable

Steps to Reproduce:
1. `sudo firewall-cmd --permanent --direct --add-rule ipv4 mangle PREROUTING 0 -p udp --sport 53 -m u32 --u32 "0&0x0F000000=0x05000000 && 22&0xFFFF@16=0x01020304" -j DROP`
2. Restart firewalld
3. `sudo iptables -t mangle -L`

Actual results:
There are no corresponding rules about u32.

Expected results:
There will be a u32 rule.

Additional info:
I just resolved the problem; here is the patch.
Now I have some time to give details. There are two issues related to this bug:

1. When using firewall-cmd --permanent to write rules to direct.xml, the rule args are not escaped, so when the args contain an ampersand, the file becomes invalid XML. So I use sax.saxutils.escape.

2. When firewalld reads and parses direct.xml, it uses sax.handler.ContentHandler. When the value in an element is very long, like in my case, the method `characters()` is called several times with chunks of the data, which overwrites self._element. So I use append in characters(), and add startElement() to reset self._element.
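The two defects described in the comment above, reproduced side by side with their fixes. This is an added example, not firewalld's code or the attached patch: the direct.xml layout, the rule string, the handler class names and the 16-byte feed chunking are all constructed for the demonstration. Feeding the parser in small chunks forces `characters()` to be called several times for one element, which is what a long rule (and every `&amp;` in it, since expat reports an entity's replacement text as its own callback) triggers in a real file.

```python
"""Added example (not firewalld's own code): the unescaped-'&' and the
characters()-overwrite defects on a direct.xml-style document, with fixes."""
import xml.sax
from xml.sax.handler import ContentHandler
from xml.sax.saxutils import escape

# Constructed rule args, same shape as the u32 rule in the bug report.
RULE_ARGS = ('-p udp --sport 53 -m u32 --u32 '
             '"0&0x0F000000=0x05000000 && 22&0xFFFF@16=0x01020304" -j DROP')


def write_direct_xml(args, escaped=True):
    """Render the direct.xml text for one rule. With escaped=False the raw
    '&' reaches the file, which is what the unfixed writer did (defect 1).
    The element layout here is assumed, not copied from firewalld."""
    body = escape(args) if escaped else args
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            '<direct>\n'
            '  <rule priority="0" table="mangle" ipv="ipv4" chain="PREROUTING">'
            + body + '</rule>\n'
            '</direct>\n')


class OverwritingHandler(ContentHandler):
    """Unfixed pattern (defect 2): characters() replaces the buffer each call,
    so only the last chunk of a long text node survives."""
    def __init__(self):
        super().__init__()
        self._element = ''
        self.rules = []

    def characters(self, content):
        self._element = content          # bug: earlier chunks are dropped

    def endElement(self, name):
        if name == 'rule':
            self.rules.append(self._element)


class AppendingHandler(ContentHandler):
    """Fixed pattern: reset the buffer in startElement(), accumulate chunks in
    characters(), read the complete value in endElement()."""
    def __init__(self):
        super().__init__()
        self._element = ''
        self.rules = []

    def startElement(self, name, attrs):
        self._element = ''               # fresh buffer for every element

    def characters(self, content):
        self._element += content         # keep every chunk

    def endElement(self, name):
        if name == 'rule':
            self.rules.append(self._element)


def parse_rules(xml_text, handler_cls, chunk=16):
    """Parse with xml.sax's incremental interface, feeding `chunk` bytes at a
    time so the rule text is guaranteed to arrive in several characters()
    calls. Returns the list of rule strings the handler collected."""
    handler = handler_cls()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    data = xml_text.encode('utf-8')
    for i in range(0, len(data), chunk):
        parser.feed(data[i:i + chunk])
    parser.close()
    return handler.rules


def unescaped_file_is_invalid():
    """Defect 1: a raw '&' inside element text is not well-formed XML, so the
    file written without escape() cannot be parsed at all."""
    try:
        parse_rules(write_direct_xml(RULE_ARGS, escaped=False), AppendingHandler)
    except xml.sax.SAXParseException:
        return True
    return False


if __name__ == '__main__':
    good = write_direct_xml(RULE_ARGS)
    print('unescaped file rejected:', unescaped_file_is_invalid())
    print('overwriting handler got: ', parse_rules(good, OverwritingHandler))
    print('appending handler got:   ', parse_rules(good, AppendingHandler))
```

The round trip with `escape()` plus the appending handler returns the original rule string unchanged; the overwriting handler returns only the tail of it, which is why the u32 rule silently vanished instead of producing an error. Attribute values would need `xml.sax.saxutils.quoteattr` rather than `escape()`, since `escape()` does not touch quote characters.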
Thank you, committed as https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=d13881f7090f8c5de02d6de7db061d3b7c4a818f
If you're willing to help testing the fix, grab one of the .repo files from https://copr.fedoraproject.org/coprs/jpopelka/FirewallD/, copy it into /etc/yum.repos.d/ and run 'yum update'.

If you're not happy with the testing package, downgrade back with
# yum distro-sync 'firewall*'

In any case, I'll be glad if you can leave a note here.

Thanks !
I have just installed firewalld-0.3.9.3-1.140401git4ff31ab.fc20.3.noarch; it works under both CLI and GUI as expected.

(In reply to Jiri Popelka from comment #3)
> If you're willing to help testing the fix, grab one of the .repo files from
> https://copr.fedoraproject.org/coprs/jpopelka/FirewallD/
> copy it into /etc/yum.repos.d/ and run 'yum update'.
>
> If you're not happy with the testing package, downgrade back with
> # yum distro-sync 'firewall*'
>
> In any case, I'll be glad if you can leave a note here.
>
> Thanks !
firewalld-0.3.10-1.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/firewalld-0.3.10-1.fc20
Package firewalld-0.3.10-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.3.10-1.fc20'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6834/firewalld-0.3.10-1.fc20
then log in and leave karma (feedback).
firewalld-0.3.10-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.