From d409a3c2301497b2d77dd737f27e495f6a087783 Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Mon, 2 Aug 2021 09:14:10 +0200 Subject: [PATCH] firewalld: listen to Reloaded signal and reconfigure firewall zones During reload, firewalld drops the current runtime configuration. NetworkManager should listen to that, and reconfigure the zones that it cares about. (cherry picked from commit 0f100abd851bf36769adaded9b079a925b97a7c6) --- src/core/nm-firewalld-manager.c | 48 ++++++++++++++++++++++++++++----- src/core/nm-firewalld-manager.h | 6 +++++ src/core/nm-policy.c | 13 ++++----- 3 files changed, 55 insertions(+), 12 deletions(-) diff --git a/src/core/nm-firewalld-manager.c b/src/core/nm-firewalld-manager.c index ec6fcca5b2..43ab278ad8 100644 --- a/src/core/nm-firewalld-manager.c +++ b/src/core/nm-firewalld-manager.c @@ -15,6 +15,7 @@ #define FIREWALL_DBUS_SERVICE "org.fedoraproject.FirewallD1" #define FIREWALL_DBUS_PATH "/org/fedoraproject/FirewallD1" +#define FIREWALL_DBUS_INTERFACE "org.fedoraproject.FirewallD1" #define FIREWALL_DBUS_INTERFACE_ZONE "org.fedoraproject.FirewallD1.zone" /*****************************************************************************/ @@ -32,6 +33,7 @@ typedef struct { char *name_owner; + guint reloaded_id; guint name_owner_changed_id; bool dbus_inited : 1; @@ -148,9 +150,9 @@ _ops_type_to_string(OpsType ops_type) /*****************************************************************************/ static void -_signal_emit_state_changed(NMFirewalldManager *self, gboolean initialized_now) +_signal_emit_state_changed(NMFirewalldManager *self, NMFirewalldManagerStateChangedType signal_type) { - g_signal_emit(self, signals[STATE_CHANGED], 0, initialized_now); + g_signal_emit(self, signals[STATE_CHANGED], 0, (int) signal_type); } /*****************************************************************************/ @@ -521,8 +523,30 @@ name_owner_changed(NMFirewalldManager *self, const char *owner) } } - if (was_running != now_running || name_owner_changed) - _signal_emit_state_changed(self, just_initied); + if (just_initied) + _signal_emit_state_changed(self, NM_FIREWALLD_MANAGER_STATE_CHANGED_TYPE_INITIALIZED); + else if (was_running != now_running || name_owner_changed) + _signal_emit_state_changed(self, + NM_FIREWALLD_MANAGER_STATE_CHANGED_TYPE_NAME_OWNER_CHANGED); +} + +static void +reloaded_cb(GDBusConnection *connection, + const char * sender_name, + const char * object_path, + const char * interface_name, + const char * signal_name, + GVariant * parameters, + gpointer user_data) +{ + NMFirewalldManager * self = user_data; + NMFirewalldManagerPrivate *priv = NM_FIREWALLD_MANAGER_GET_PRIVATE(self); + + if (!nm_streq0(sender_name, priv->name_owner)) + return; + + _LOGT(NULL, "reloaded signal received"); + _signal_emit_state_changed(self, NM_FIREWALLD_MANAGER_STATE_CHANGED_TYPE_RELOADED); } static void @@ -578,6 +602,17 @@ nm_firewalld_manager_init(NMFirewalldManager *self) return; } + priv->reloaded_id = g_dbus_connection_signal_subscribe(priv->dbus_connection, + FIREWALL_DBUS_SERVICE, + FIREWALL_DBUS_INTERFACE, + "Reloaded", + FIREWALL_DBUS_PATH, + NULL, + G_DBUS_SIGNAL_FLAGS_NONE, + reloaded_cb, + self, + NULL); + priv->name_owner_changed_id = nm_dbus_connection_signal_subscribe_name_owner_changed(priv->dbus_connection, FIREWALL_DBUS_SERVICE, @@ -604,6 +639,7 @@ dispose(GObject *object) * we don't expect pending operations at this point. */ nm_assert(c_list_is_empty(&priv->pending_calls)); + nm_clear_g_dbus_connection_signal(priv->dbus_connection, &priv->reloaded_id); nm_clear_g_dbus_connection_signal(priv->dbus_connection, &priv->name_owner_changed_id); nm_clear_g_cancellable(&priv->get_name_owner_cancellable); @@ -626,8 +662,8 @@ nm_firewalld_manager_class_init(NMFirewalldManagerClass *klass) 0, NULL, NULL, - g_cclosure_marshal_VOID__BOOLEAN, + g_cclosure_marshal_VOID__INT, G_TYPE_NONE, 1, - G_TYPE_BOOLEAN /* initialized_now */); + G_TYPE_INT /* signal-type */); } diff --git a/src/core/nm-firewalld-manager.h b/src/core/nm-firewalld-manager.h index febb9bac48..1f76bebaa4 100644 --- a/src/core/nm-firewalld-manager.h +++ b/src/core/nm-firewalld-manager.h @@ -19,6 +19,12 @@ #define NM_FIREWALLD_MANAGER_STATE_CHANGED "state-changed" +typedef enum { + NM_FIREWALLD_MANAGER_STATE_CHANGED_TYPE_INITIALIZED, + NM_FIREWALLD_MANAGER_STATE_CHANGED_TYPE_NAME_OWNER_CHANGED, + NM_FIREWALLD_MANAGER_STATE_CHANGED_TYPE_RELOADED, +} NMFirewalldManagerStateChangedType; + typedef struct _NMFirewalldManagerCallId NMFirewalldManagerCallId; typedef struct _NMFirewalldManager NMFirewalldManager; diff --git a/src/core/nm-policy.c b/src/core/nm-policy.c index e4914acfb5..e147e5047c 100644 --- a/src/core/nm-policy.c +++ b/src/core/nm-policy.c @@ -2519,14 +2519,15 @@ connection_added(NMSettings *settings, NMSettingsConnection *connection, gpointe } static void -firewall_state_changed(NMFirewalldManager *manager, gboolean initialized_now, gpointer user_data) +firewall_state_changed(NMFirewalldManager *manager, int signal_type_i, gpointer user_data) { - NMPolicy * self = (NMPolicy *) user_data; - NMPolicyPrivate *priv = NM_POLICY_GET_PRIVATE(self); - const CList * tmp_lst; - NMDevice * device; + const NMFirewalldManagerStateChangedType signal_type = signal_type_i; + NMPolicy * self = user_data; + NMPolicyPrivate * priv = NM_POLICY_GET_PRIVATE(self); + const CList * tmp_lst; + NMDevice * device; - if (initialized_now) { + if (signal_type == NM_FIREWALLD_MANAGER_STATE_CHANGED_TYPE_INITIALIZED) { /* the firewall manager was initializing, but all requests * so fare were queued and are already sent. No need to * re-update the firewall zone of the devices. */