core: merge branch 'bg/shared-mode-firewall-rh1829637'

https://bugzilla.redhat.com/show_bug.cgi?id=1829637
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/498

Makefile.am

@@ -4903,6 +4903,11 @@ data/server.conf: $(srcdir)/data/server.conf.in
 	@$(MKDIR_P) data/
 	$(AM_V_GEN) $(data_edit) $< >$@
 
+if WITH_FIREWALLD_ZONE
+firewalldzonedir = $(prefix)/lib/firewalld/zones
+firewalldzone_DATA = data/nm-shared.xml
+endif
+
 EXTRA_DIST += \
 	data/84-nm-drivers.rules \
 	data/85-nm-unmanaged.rules \
@@ -4912,6 +4917,7 @@ EXTRA_DIST += \
 	data/NetworkManager-wait-online.service.in \
 	data/NetworkManager.service.in \
 	data/meson.build \
+	data/nm-shared.xml \
 	data/server.conf.in \
 	$(NULL)
 

NEWS

@@ -8,6 +8,14 @@ The API is subject to change and not guaranteed to be compatible
 with the later release.
 USE AT YOUR OWN RISK.  NOT RECOMMENDED FOR PRODUCTION USE!
 
+* Add a new build option 'firewalld-zone'; when enabled,
+  NetworkManager installs a firewalld zone for connection sharing and
+  puts interfaces using IPv4 or IPv6 shared mode in this zone during
+  activation. The option is enabled by default.
+  Note that NetworkManager still calls to iptables to enable
+  masquerading and open needed ports for DHCP and DNS. The new option
+  is useful on systems using firewalld with the nftables backend,
+  where the iptables rules would not be sufficient.
 * Add MUD URL property for connection profiles (RFC 8520) and set it
   for DHCP and DHCPv6 requests.
 * IPv6 SLAAC: improved the reaction of IPv6 SLAAC to renumbering events:

config.h.meson

@@ -233,6 +233,9 @@
 /* Define if you have iwd support */
 #mesondefine WITH_IWD
 
+/* Define if NetworkManager uses a custom zone for shared mode */
+#mesondefine WITH_FIREWALLD_ZONE
+
 /* Define to 1 if on MINIX. */
 #mesondefine _MINIX
 

configure.ac

@@ -673,6 +673,18 @@ else
 fi
 AC_SUBST(NM_MODIFY_SYSTEM_POLICY)
 
+AC_ARG_ENABLE(firewalld-zone,
+              AS_HELP_STRING([--enable-firewalld-zone], [Install and use firewalld zone for shared mode]),
+              [enable_firewalld_zone=${enableval}],
+              [enable_firewalld_zone=yes])
+
+if test "${enable_firewalld_zone}" = "yes"; then
+	AC_DEFINE(WITH_FIREWALLD_ZONE, 1, [Define if NetworkManager uses a custom zone for shared mode])
+else
+	AC_DEFINE(WITH_FIREWALLD_ZONE, 0, [Define if NetworkManager uses a custom zone for shared mode])
+fi
+AM_CONDITIONAL(WITH_FIREWALLD_ZONE, test "${enable_firewalld_zone}" = "yes")
+
 PKG_CHECK_MODULES(GNUTLS, [gnutls >= 2.12], [have_crypto_gnutls=yes], [have_crypto_gnutls=no])
 PKG_CHECK_MODULES(NSS, [nss], [have_crypto_nss=yes], [have_crypto_nss=yes])
 if test "${have_crypto_nss}" = "yes"; then
@@ -1370,6 +1382,7 @@ echo "Miscellaneous:"
 echo "  have introspection: $have_introspection"
 echo "  build documentation and manpages: $build_docs"
 echo "  install pregenerated documentation and manpages: $use_pregen_docs"
+echo "  install and use firewalld shared zone: $enable_firewalld_zone"
 echo "  tests: $enable_tests"
 echo "  more-asserts: $more_asserts"
 echo "  more-logging: $enable_more_logging"

contrib/fedora/REQUIRED_PACKAGES

@@ -47,6 +47,7 @@ install \
     dbus-devel \
     dbus-x11 \
     dhclient \
+    firewalld-filesystem \
     gcc-c++ \
     gettext-devel \
     git \

contrib/fedora/rpm/NetworkManager.spec

@@ -81,6 +81,11 @@
 %else
 %bcond_without iwd
 %endif
+%if 0%{?fedora} > 31 || 0%{?rhel} > 7
+%bcond_without firewalld_zone
+%else
+%bcond_with firewalld_zone
+%endif
 
 ###############################################################################
 
@@ -242,6 +247,9 @@ BuildRequires: libasan
 BuildRequires: libubsan
 %endif
 %endif
+%if %{with firewalld_zone}
+BuildRequires: firewalld-filesystem
+%endif
 
 Provides: %{name}-dispatcher%{?_isa} = %{epoch}:%{version}-%{release}
 
@@ -608,6 +616,11 @@ This tool is still experimental.
 %if %{with ppp}
 	-Dpppd_plugin_dir=%{_libdir}/pppd/%{ppp_version} \
 	-Dppp=true \
+%endif
+%if %{with firewalld_zone}
+	-Dfirewalld_zone=true \
+%else
+	-Dfirewalld_zone=false \
 %endif        
 	-Ddist_version=%{version}-%{release} \
 	-Dconfig_plugins_default=%{config_plugins_default} \
@@ -741,6 +754,11 @@ intltoolize --automake --copy --force
 %if %{with ppp}
 	--with-pppd-plugin-dir=%{_libdir}/pppd/%{ppp_version} \
 	--enable-ppp=yes \
+%endif
+%if %{with firewalld_zone}
+	--enable-firewalld-zone \
+%else
+	--disable-firewalld-zone \
 %endif        
 	--with-dist-version=%{version}-%{release} \
 	--with-config-plugins-default=%{config_plugins_default} \
@@ -824,6 +842,9 @@ fi
 %post
 /usr/bin/udevadm control --reload-rules || :
 /usr/bin/udevadm trigger --subsystem-match=net || :
+%if %{with firewalld_zone}
+%firewalld_reload
+%endif
 
 %systemd_post %{systemd_units}
 
@@ -865,6 +886,9 @@ fi
 %postun
 /usr/bin/udevadm control --reload-rules || :
 /usr/bin/udevadm trigger --subsystem-match=net || :
+%if %{with firewalld_zone}
+%firewalld_reload
+%endif
 
 %systemd_postun %{systemd_units}
 
@@ -930,6 +954,9 @@ fi
 %{_datadir}/dbus-1/system-services/org.freedesktop.nm_dispatcher.service
 %{_datadir}/polkit-1/actions/*.policy
 %{_prefix}/lib/udev/rules.d/*.rules
+%if %{with firewalld_zone}
+%{_prefix}/lib/firewalld/zones/nm-shared.xml
+%endif
 # systemd stuff
 %{systemd_dir}/NetworkManager.service
 %{systemd_dir}/NetworkManager-wait-online.service

data/meson.build

@@ -67,3 +67,10 @@ if enable_polkit
     install_dir: polkit_gobject_policydir,
   )
 endif
+
+if enable_firewalld_zone
+  install_data(
+    'nm-shared.xml',
+    install_dir: join_paths(nm_prefix, 'lib', 'firewalld', 'zones')
+  )
+endif

data/nm-shared.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+  <short>NetworkManager Shared</short>
+
+  <description>
+    This zone is used internally by NetworkManager when activating a
+    profile that uses connection sharing and doesn't have an explicit
+    firewall zone set.
+    Block all traffic to the local machine except ICMP, ICMPv6, DHCP
+    and DNS. Allow all forwarded traffic.
+    Note that future package updates may change the definition of the
+    zone unless you overwrite it with your own definition.
+  </description>
+
+  <rule priority='32767'>
+    <reject/>
+  </rule>
+
+  <protocol value='icmp'/>
+  <protocol value='ipv6-icmp'/>
+  <service name="dhcp"/>
+  <service name="dns"/>
+</zone>

meson.build

@@ -550,6 +550,9 @@ endif
 dbus_interfaces_dir = dbus_dep.get_pkgconfig_variable('interfaces_dir',  define_variable: ['datadir', nm_datadir])
 dbus_system_bus_services_dir = dbus_dep.get_pkgconfig_variable('system_bus_services_dir', define_variable: ['datadir', nm_datadir])
 
+enable_firewalld_zone = get_option('firewalld_zone')
+config_h.set10('WITH_FIREWALLD_ZONE', enable_firewalld_zone)
+
 # pppd
 enable_ppp = get_option('ppp')
 if enable_ppp
@@ -1028,6 +1031,7 @@ output += '\n'
 output += '\nMiscellaneous:\n'
 output += '  have introspection: ' + enable_introspection.to_string() + '\n'
 output += '  build documentation and manpages: ' + enable_docs.to_string() + '\n'
+output += '  firewalld zone for shared mode: ' + enable_firewalld_zone.to_string() + '\n'
 # FIXME
 #output += '  install pregenerated documentation and manpages: no
 output += '  tests: ' + tests + '\n'

meson_options.txt

@@ -62,6 +62,7 @@ option('introspection', type: 'boolean', value: true, description: 'Enable intro
 option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
 option('docs', type: 'boolean', value: false, description: 'use to build documentation')
 option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
+option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
 option('more_asserts', type: 'string', value: 'all', description: 'Enable more assertions for debugging (0 = none, 100 = all, default: all)')
 option('more_logging', type: 'boolean', value: true, description: 'Enable more debug logging')
 option('valgrind', type: 'array', value: ['no'], description: 'Use valgrind to memory-check the tests')

src/devices/nm-device.c

@@ -11156,6 +11156,7 @@ fw_change_zone (NMDevice *self)
 	NMDevicePrivate *priv = NM_DEVICE_GET_PRIVATE (self);
 	NMConnection *applied_connection;
 	NMSettingConnection *s_con;
+	const char *zone;
 
 	nm_assert (priv->fw_state >= FIREWALL_STATE_INITIALIZED);
 
@@ -11173,9 +11174,19 @@ fw_change_zone (NMDevice *self)
 	if (G_UNLIKELY (!priv->fw_mgr))
 		priv->fw_mgr = g_object_ref (nm_firewall_manager_get ());
 
+	zone = nm_setting_connection_get_zone (s_con);
+#if WITH_FIREWALLD_ZONE
+	if (!zone || zone[0] == '\0') {
+		if (   nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET),
+		                  NM_SETTING_IP4_CONFIG_METHOD_SHARED)
+		    || nm_streq0 (nm_device_get_effective_ip_config_method (self, AF_INET6),
+		                  NM_SETTING_IP6_CONFIG_METHOD_SHARED))
+			zone = "nm-shared";
+	}
+#endif
 	priv->fw_call = nm_firewall_manager_add_or_change_zone (priv->fw_mgr,
 	                                                        nm_device_get_ip_iface (self),
-	                                                        nm_setting_connection_get_zone (s_con),
+	                                                        zone,
 	                                                        FALSE, /* change zone */
 	                                                        fw_change_zone_cb,
 	                                                        self);