Enhancement #2835

Firewall rules: preserve references to other DB records

Added by Davide Principi about 5 years ago. Updated about 5 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
Category: nethserver-firewall-base
Target version: v6.5
Resolution:
NEEDINFO: No
Start date:
Due date:
% Done: 100%

Description

When a firewall rule refers to a DB record, that record must exist.

Deleting a DB record that is referenced by a firewall rule must be forbidden, to avoid unexpected firewall configurations (a rule whose source, destination or service no longer resolves).

A firewall rule can point to records in the following DBs/record types:

  • hosts
    host-group, host, remote, local
  • networks
    zone, ethernet, bridge, vlan, alias, bond
  • fwservices
    fwservice
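The check described above, as an added example that is not NethServer's own code (the project implements it in Perl, in NethServer::Firewall's getReferences() and the fwobject-*-delete validators; this is an illustrative Python reimplementation). It assumes an esmith-style `key=type|prop|value|...` rules database and that a rule points at other records through its `Src`, `Dst` and `Service` properties with `type;name` values; the sample rules are constructed for the example.

```python
"""Reference-integrity check for firewall rules (added example, not NethServer code).

Assumptions (not taken from the page): rules live in an esmith-style
key=type|prop|value|... database, and a rule points at other records
through its Src, Dst and Service properties using "type;name" values.
"""

# Constructed sample rules DB (not real data). Rule 3 is disabled but
# still references host "mail" and fwservice "smtp".
FIREWALL_RULES_DB = """\
1=rule|Action|accept|Src|host;webserver|Dst|zone;red|Service|fwservice;http|status|enabled
2=rule|Action|reject|Src|host-group;guests|Dst|any|Service|any|status|enabled
3=rule|Action|accept|Src|zone;green|Dst|host;mail|Service|fwservice;smtp|status|disabled
"""

# Rule properties whose value can be a "type;name" reference (assumption).
REF_PROPS = ("Src", "Dst", "Service")

# Record types a rule may point to, per DB (from the issue description).
REFERENCEABLE = {
    "hosts": {"host-group", "host", "remote", "local"},
    "networks": {"zone", "ethernet", "bridge", "vlan", "alias", "bond"},
    "fwservices": {"fwservice"},
}


class ReferencedRecordError(Exception):
    """Raised when a record is still used by one or more firewall rules."""


def parse_db(text):
    """Parse key=type|prop|val|... lines into {key: {"type": ..., prop: val}}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition("=")
        if not sep:
            raise ValueError(f"malformed record line: {line!r}")
        fields = rest.split("|")
        rtype, props = fields[0], fields[1:]
        if len(props) % 2:
            raise ValueError(f"record {key}: odd number of prop/value fields")
        records[key] = {"type": rtype, **dict(zip(props[::2], props[1::2]))}
    return records


def get_references(rules, obj_type, name):
    """Keys of the rules whose Src, Dst or Service equals "obj_type;name".

    Disabled rules count too: the reference is still stored and would
    dangle once the record is gone.
    """
    target = f"{obj_type};{name}"
    return [key for key, rec in rules.items()
            if rec.get("type") == "rule"
            and any(rec.get(prop) == target for prop in REF_PROPS)]


def validate_delete(rules, obj_type, name):
    """Refuse to delete obj_type;name while any rule references it.

    Returns True when deletion is allowed; raises ReferencedRecordError
    otherwise. This is the decision a *-delete validator has to make
    before the record is removed.
    """
    known = set().union(*REFERENCEABLE.values())
    if obj_type not in known:
        raise ValueError(f"unknown record type {obj_type!r}")
    refs = get_references(rules, obj_type, name)
    if refs:
        raise ReferencedRecordError(
            f"Could not delete {name}. The {obj_type} is used by firewall rules "
            + ", ".join(refs))
    return True


if __name__ == "__main__":
    rules = parse_db(FIREWALL_RULES_DB)
    for obj_type, name in (("host", "webserver"), ("zone", "red"), ("host", "unused")):
        try:
            validate_delete(rules, obj_type, name)
            print(f"{obj_type};{name}: delete allowed")
        except ReferencedRecordError as err:
            print(err)
```

Two design points worth keeping when wiring a check like this into a delete path: run it before anything is removed, not as a post-hoc event handler, so a rejected delete leaves the DB untouched; and count disabled rules as references, since re-enabling such a rule later would otherwise produce exactly the dangling reference the issue is about.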

Related issues

Related to NethServer 6 - Feature #2705: Firewall: support custom objects CLOSED

Associated revisions

Revision e99c03b9
Added by Davide Principi about 5 years ago

Dhcp UI module: run host-* events detached. Refs #2835

This shows Shorewall errors, if it's installed.

Revision b122ecd5
Added by Davide Principi about 5 years ago

Hosts UI module: run host-* events detached. Refs #2835

This shows Shorewall errors, if it's installed.

Revision cfc57e1c
Added by Davide Principi about 5 years ago

host-delete system validator. Refs #2835

Defined empty, is extended by nethserver-firewall-base.

Revision c7421228
Added by Davide Principi about 5 years ago

FirewallObjects: check rules references integrity before delete. Refs #2835

  • Added getReferences() to NethServer::Firewall perl module.
  • Defined new system validators:
    • fwobject-host-group-delete
    • fwobject-host-delete
    • fwobject-zone-delete
    • fwobject-fwservice-delete

Revision 04af3eeb
Added by Davide Principi about 5 years ago

FirewallObjects: localization for system validators messages. Refs #2835

Revision e3b2b632
Added by Davide Principi about 5 years ago

FirewallRules: run firewall-adjust event as detached task. Refs #2835

Revision d6f6fe99
Added by Davide Principi about 5 years ago

nethserver-shorewall-restart: catch error messages and store into Tracker running state. Refs #2835

Revision 9f94429c
Added by Davide Principi about 5 years ago

host-create, host-modify events: reconfigure shorewall when host records change. Refs #2835

Revision 9e408fc9
Added by Davide Principi about 5 years ago

/etc/shorewall/rules: empty values replaced by "-", for column count consistency. Refs #2835

Revision 606ba34c
Added by Davide Principi about 5 years ago

Hosts/Dhcp module: trigger host-delete system validator. Refs #2835

Revision 2c51f317
Added by Davide Principi about 5 years ago

Hosts/Dns module: trigger host-delete validator. Refs #2835

Refactored Dns submodule by creating a specific Modify class.

Revision 49766190
Added by Davide Principi about 5 years ago

Merge branch 'b2835'. Refs #2835

History

#1 Updated by Davide Principi about 5 years ago

  • Related to Feature #2705: Firewall: support custom objects added

#2 Updated by Davide Principi about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

#3 Updated by Davide Principi about 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case

  • Test that the DNS & DHCP page works correctly if nethserver-firewall-base is not installed:
    • create, edit, delete a DNS (remote) record
    • reserve, edit, delete a DHCP (local) record
  • Install the modified nethserver-firewall-base package:
    • Check that removal of a firewall object (host, host-group, zone, fwservice) is forbidden if a firewall rule references it.
    • The same applies to removal of DNS and DHCP records (remote, local record types).

The reference consistency is not enforced on the Network page: references to an interface role can be broken. Verify an error message is shown.

#4 Updated by Davide Principi about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-hosts-1.0.7-3.0git2c51f317.ns6.noarch.rpm
nethserver-dnsmasq-1.1.1-2.0git606ba34c.ns6.noarch.rpm
nethserver-firewall-base-1.1.0-127.0git49766190.ns6.noarch.rpm

#5 Updated by Filippo Carletti about 5 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Trying to remove a host used by a rule, I had a red warning saying:
Could not delete xxx. The host group is used by firewall rules.

#6 Updated by Davide Principi about 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.1.2-1.ns6.noarch.rpm
nethserver-hosts-1.0.8-1.ns6.noarch.rpm
