fix(core): fix exception while parsing invalid "tcp-mss-clamp" in policy
Otherwise, having a policy like

  <?xml version="1.0" encoding="utf-8"?>
  <policy priority="100" target="ACCEPT">
    <ingress-zone name="FedoraServer"/>
    <egress-zone name="external"/>
    <tcp-mss-clamp/>
  </policy>

results in a crash:

  Aug 08 14:22:27 7291245c7ebc firewalld[58363]: Traceback (most recent call last):
                                                   File "/usr/lib/python3.11/site-packages/firewall/server/decorators.py", line 64, in _impl
                                                     return func(*args, **kwargs)
                                                            ^^^^^^^^^^^^^^^^^^^^^
                                                   File "/usr/lib/python3.11/site-packages/firewall/server/firewalld.py", line 320, in reload
                                                     self.fw.reload()
                                                   File "/usr/lib/python3.11/site-packages/firewall/core/fw.py", line 1127, in reload
                                                     check_on_disk_config(self)
                                                   File "/usr/lib/python3.11/site-packages/firewall/core/io/functions.py", line 90, in check_on_disk_config
                                                     obj = readers[reader]["reader"](file, _dir)
                                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                   File "/usr/lib/python3.11/site-packages/firewall/core/io/policy.py", line 1073, in policy_reader
                                                     parser.parse(source)
                                                   File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 111, in parse
                                                     xmlreader.IncrementalParser.parse(self, source)
                                                   File "/usr/lib64/python3.11/xml/sax/xmlreader.py", line 125, in parse
                                                     self.feed(buffer)
                                                   File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 217, in feed
                                                     self._parser.Parse(data, isFinal)
                                                   File "/builddir/build/BUILD/Python-3.11.4/Modules/pyexpat.c", line 416, in StartElement
                                                   File "/usr/lib64/python3.11/xml/sax/expatreader.py", line 333, in start_element
                                                     self._cont_handler.startElement(name, AttributesImpl(attrs))
                                                   File "/usr/lib/python3.11/site-packages/firewall/core/io/policy.py", line 991, in startElement
                                                     if common_startElement(self, name, attrs):
                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                                   File "/usr/lib/python3.11/site-packages/firewall/core/io/policy.py", line 114, in common_startElement
                                                     attrs["value"])
                                                     ~~~~~^^^^^^^^^
                                                   File "/usr/lib64/python3.11/xml/sax/xmlreader.py", line 318, in __getitem__
                                                     return self._attrs[name]
                                                            ~~~~~~~~~~~^^^^^^
                                                 KeyError: 'value'
  Aug 08 14:22:29 7291245c7ebc firewalld[58363]: DEBUG1: Loading policy file '/usr/lib/firewalld/policies/allow-host-ipv6.xml'
  Aug 08 14:22:29 7291245c7ebc firewalld[58363]: ERROR: Failed to load policy file 'allow-host-ipv6.xml': 'value'

https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org/message/7J423T2P5R3Y6ASNCN4HDPVHZUVHSYGD/

Fixes: 3f93937 ('docs(rich): update docs to support tcp-mss-clamp')
(cherry picked from commit 0f31187)
thom311 authored and erig0 committed Oct 2, 2023
1 parent c2b9586 commit f7bc46c
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions src/firewall/core/io/policy.py
Expand Up @@ -113,8 +113,10 @@ def common_startElement(obj, name, attrs):
_value = attrs["value"]
obj._rule.element = rich.Rich_Tcp_Mss_Clamp(_value)
else:
log.warning("Invalid rule: tcp-mss-clamp '%s' outside of rule",
attrs["value"])
s = ""
if "value" in attrs:
s = f" (value='{attrs['value']})'"
log.warning("Invalid rule: tcp-mss-clamp%s outside of rule", s)

elif name == "icmp-block":
if obj._rule:
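
Review bot: The closing quote and parenthesis are transposed in the added line `s = f" (value='{attrs['value']})'"`, so the warning renders as `(value='X)'` instead of `(value='X')`; it should read `s = f" (value='{attrs['value']}')"`. Separately, the unchanged context line `_value = attrs["value"]` at the top of the hunk still indexes the attribute directly, so unless a check above the visible lines covers it, a `<tcp-mss-clamp/>` without `value` inside a rule would raise the same `KeyError` during reload that this change removes for the outside-of-rule branch. Consider guarding that lookup the same way (`"value" in attrs` or `attrs.get("value")`) so a malformed on-disk policy is reported as a warning in both branches.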