Enhancement #2835
Firewall rules: preserve references to other DB records
| Status | CLOSED | Start date | |
|---|---|---|---|
| Priority | Normal | Due date | |
| Assignee | - | % Done | 100% |
| Category | nethserver-firewall-base | | |
| Target version | v6.5 | | |
| Resolution | | NEEDINFO | No |
Description
When a firewall rule refers to a DB record, it must exist.
Deleting a DB record referenced by a firewall rule must be forbidden, to avoid unexpected firewall configurations.
A firewall rule can point to records in the following DBs/record types:

| DB | Record types |
|---|---|
| hosts | host-group, host, remote, local |
| networks | zone, ethernet, bridge, vlan, alias, bond |
| fwservices | fwservice |
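The check the issue asks for, as an added example that is not NethServer's own code: the real implementation is getReferences() in the NethServer::Firewall Perl module, called from the fwobject-*-delete system validators. The rule representation (a list of dicts whose Src/Dst/Service hold "type;name" references) and the sample data are assumptions constructed for the example; find_dangling() additionally detects references already broken, which is what the validators prevent for hosts and services but, per the test case below, not for interface roles.

```python
"""Referential-integrity checks for firewall rules (added example, not
NethServer code: the real check is getReferences() in the NethServer::Firewall
Perl module behind the fwobject-*-delete validators). The "type;name"
encoding of Src/Dst/Service used below is an assumption."""

# Record types a rule may point at, grouped by owning DB (from the issue).
RECORD_DB = {
    **dict.fromkeys(("host-group", "host", "remote", "local"), "hosts"),
    **dict.fromkeys(("zone", "ethernet", "bridge", "vlan", "alias", "bond"), "networks"),
    "fwservice": "fwservices",
}
REF_PROPS = ("Src", "Dst", "Service")  # rule props that may carry a reference

def get_references(rules, record_type, name):
    """Ids of rules whose Src, Dst or Service point at record_type;name."""
    target = f"{record_type};{name}"
    return [r["id"] for r in rules if any(r.get(p) == target for p in REF_PROPS)]

def validate_delete(rules, record_type, name):
    """Mimic a fwobject-*-delete validator: (True, '') if deletion may proceed,
    else (False, message) naming the rules that still reference the record."""
    if record_type not in RECORD_DB:
        raise ValueError(f"unknown record type {record_type!r}")
    refs = get_references(rules, record_type, name)
    if refs:
        return False, (f"Could not delete {name}. The {record_type} is used by "
                       f"firewall rules: {', '.join(refs)}")
    return True, ""

def find_dangling(rules, existing):
    """Detect references to records that no longer exist (what the validators
    prevent for hosts/fwservices, but not for interface roles on the Network
    page). `existing` maps a DB name to the set of 'type;name' keys it holds."""
    dangling = []
    for r in rules:
        for p in REF_PROPS:
            ref = r.get(p, "")
            rtype = ref.split(";", 1)[0]
            if rtype in RECORD_DB and ref not in existing.get(RECORD_DB[rtype], set()):
                dangling.append((r["id"], p, ref))
    return dangling

# Constructed sample data: two rules and the records currently present.
SAMPLE_RULES = [
    {"id": "1", "Src": "host-group;servers", "Dst": "zone;red", "Service": "fwservice;web"},
    {"id": "2", "Src": "host;printer", "Dst": "zone;green", "Service": "any"},
]
SAMPLE_DB = {
    "hosts": {"host-group;servers", "host;printer"},
    "networks": {"zone;green"},  # zone;red was removed: rule 1 now dangles
    "fwservices": {"fwservice;web"},
}
```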
Related issues
Associated revisions
Dhcp UI module: run host-* events detached. Refs #2835
This shows Shorewall errors, if it's installed.
Hosts UI module: run host-* events detached. Refs #2835
This shows Shorewall errors, if it's installed.
host-delete system validator. Refs #2835
Defined empty; it is extended by nethserver-firewall-base.
FirewallObjects: check rules references integrity before delete. Refs #2835
- Added getReferences() to NethServer::Firewall perl module.
- Defined new system validators:
- fwobject-host-group-delete
- fwobject-host-delete
- fwobject-zone-delete
- fwobject-fwservice-delete
FirewallObjects: localization for system validators messages. Refs #2835
FirewallRules: run firewall-adjust event as detached task. Refs #2835
nethserver-shorewall-restart: catch error messages and store into Tracker running state. Refs #2835
host-create, host-modify events: reconfigure shorewall when host records change. Refs #2835
/etc/shorewall/rules: empty values replaced by "-", for column count consistency. Refs #2835
Hosts/Dhcp module: trigger host-delete system validator. Refs #2835
Hosts/Dns module: trigger host-delete validator. Refs #2835
Refactored Dns submodule by creating a specific Modify class.
Merge branch 'b2835'. Refs #2835
History
#1 Updated by Davide Principi about 7 years ago
- Related to Feature #2705: Firewall: support custom objects added
#2 Updated by Davide Principi about 7 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#3 Updated by Davide Principi about 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 30 to 60
Test case
- Test DNS & DHCP page works correctly if nethserver-firewall-base is not installed:
  - create, edit, delete a DNS (remote) record
  - reserve, edit, delete a DHCP (local) record
- With nethserver-firewall-base package:
  - Check removal of a firewall object (host, host-group, zone, fwservice) is forbidden if a firewall rule references it.
  - The same applies to removal of DNS and DHCP records (remote, local record types).

The reference consistency is not enforced on Network page: references to an interface role can be broken. Verify an error message is shown.
#4 Updated by Davide Principi about 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-hosts-1.0.7-3.0git2c51f317.ns6.noarch.rpm
nethserver-dnsmasq-1.1.1-2.0git606ba34c.ns6.noarch.rpm
nethserver-firewall-base-1.1.0-127.0git49766190.ns6.noarch.rpm
#5 Updated by Filippo Carletti almost 7 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Trying to remove a host used by a rule, I had a red warning saying:
Could not delete xxx. The host group is used by firewall rules.
#6 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
nethserver-dnsmasq-1.1.2-1.ns6.noarch.rpm
nethserver-hosts-1.0.8-1.ns6.noarch.rpm