From c8b5bf402d20077a73c15d55fc90c26e97119711 Mon Sep 17 00:00:00 2001 From: Beniamino Galvani Date: Fri, 8 May 2020 09:09:25 +0200 Subject: [PATCH] build: install a firewalld zone for shared mode Install a NM-specific firewalld zone to be used for interfaces that are used for connection sharing. The zone blocks all traffic to the local machine except some protocols (DHCP, DNS and ICMP) and allows all forwarded traffic. --- Makefile.am | 6 ++++++ config.h.meson | 3 +++ configure.ac | 13 +++++++++++++ data/meson.build | 7 +++++++ data/nm-shared.xml | 23 +++++++++++++++++++++++ meson.build | 4 ++++ meson_options.txt | 1 + 7 files changed, 57 insertions(+) create mode 100644 data/nm-shared.xml diff --git a/Makefile.am b/Makefile.am index d8cd32fab..ae3f1fc00 100644 --- a/Makefile.am +++ b/Makefile.am @@ -4903,6 +4903,11 @@ data/server.conf: $(srcdir)/data/server.conf.in @$(MKDIR_P) data/ $(AM_V_GEN) $(data_edit) $< >$@ +if WITH_FIREWALLD_ZONE +firewalldzonedir = $(prefix)/lib/firewalld/zones +firewalldzone_DATA = data/nm-shared.xml +endif + EXTRA_DIST += \ data/84-nm-drivers.rules \ data/85-nm-unmanaged.rules \ @@ -4912,6 +4917,7 @@ EXTRA_DIST += \ data/NetworkManager-wait-online.service.in \ data/NetworkManager.service.in \ data/meson.build \ + data/nm-shared.xml \ data/server.conf.in \ $(NULL) diff --git a/config.h.meson b/config.h.meson index 009c635da..b421ee1e7 100644 --- a/config.h.meson +++ b/config.h.meson @@ -233,6 +233,9 @@ /* Define if you have iwd support */ #mesondefine WITH_IWD +/* Define if NetworkManager uses a custom zone for shared mode */ +#mesondefine WITH_FIREWALLD_ZONE + /* Define to 1 if on MINIX. */ #mesondefine _MINIX diff --git a/configure.ac b/configure.ac index 960f957af..5b11a13b7 100644 --- a/configure.ac +++ b/configure.ac 
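Review bot: The zone directory in the Makefile.am hunk is spelled `$(prefix)/lib/firewalld/zones` with a literal `lib`, and nothing says why it is not `$(libdir)`; on multilib distributions `$(libdir)` is `/usr/lib64`, which is not where firewalld looks for vendor zones (as far as I know its vendor zone path is fixed at the prefix's `lib/firewalld/zones`, with `/etc/firewalld/zones` taking precedence). A comment would stop a later cleanup from "correcting" it: `# firewalld reads vendor zones from $(prefix)/lib/firewalld/zones regardless of libdir; keep the literal lib`. The same literal `'lib'` appears in the data/meson.build hunk and deserves the same note.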
@@ -673,6 +673,18 @@ else fi AC_SUBST(NM_MODIFY_SYSTEM_POLICY) +AC_ARG_ENABLE(firewalld-zone, + AS_HELP_STRING([--enable-firewalld-zone], [Install and use firewalld zone for shared mode]), + [enable_firewalld_zone=${enableval}], + [enable_firewalld_zone=yes]) + +if test "${enable_firewalld_zone}" = "yes"; then + AC_DEFINE(WITH_FIREWALLD_ZONE, 1, [Define if NetworkManager uses a custom zone for shared mode]) +else + AC_DEFINE(WITH_FIREWALLD_ZONE, 0, [Define if NetworkManager uses a custom zone for shared mode]) +fi +AM_CONDITIONAL(WITH_FIREWALLD_ZONE, test "${enable_firewalld_zone}" = "yes") + PKG_CHECK_MODULES(GNUTLS, [gnutls >= 2.12], [have_crypto_gnutls=yes], [have_crypto_gnutls=no]) PKG_CHECK_MODULES(NSS, [nss], [have_crypto_nss=yes], [have_crypto_nss=yes]) if test "${have_crypto_nss}" = "yes"; then @@ -1370,6 +1382,7 @@ echo "Miscellaneous:" echo " have introspection: $have_introspection" echo " build documentation and manpages: $build_docs" echo " install pregenerated documentation and manpages: $use_pregen_docs" +echo " install and use firewalld shared zone: $enable_firewalld_zone" echo " tests: $enable_tests" echo " more-asserts: $more_asserts" echo " more-logging: $enable_more_logging" diff --git a/data/meson.build b/data/meson.build index de08c91c6..b713a03c5 100644 --- a/data/meson.build +++ b/data/meson.build @@ -67,3 +67,10 @@ if enable_polkit install_dir: polkit_gobject_policydir, ) endif + +if enable_firewalld_zone + install_data( + 'nm-shared.xml', + install_dir: join_paths(nm_prefix, 'lib', 'firewalld', 'zones') + ) +endif diff --git a/data/nm-shared.xml b/data/nm-shared.xml new file mode 100644 index 000000000..0dea5dd6e --- /dev/null +++ b/data/nm-shared.xml 
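Review bot: In the configure.ac hunk the disabled branch does `AC_DEFINE(WITH_FIREWALLD_ZONE, 0, ...)`, so the macro is always defined and consumers must test it with `#if WITH_FIREWALLD_ZONE`, never `#ifdef`; the meson side's `config_h.set10('WITH_FIREWALLD_ZONE', ...)` gives the same 0/1 semantics, but the description string "Define if NetworkManager uses a custom zone for shared mode" reads as if presence were the signal. Suggest wording both `AC_DEFINE` descriptions as `[Define to 1 if NetworkManager installs and uses the firewalld zone for shared mode, 0 otherwise]`. Note also that the option defaults to enabled (`enable_firewalld_zone=yes`, meson `value: true`) with no build-time check that firewalld exists; that is presumably fine for a plain data file, but the help text "Install and use" promises runtime behaviour that is not part of this patch, so whatever code later consumes `WITH_FIREWALLD_ZONE` should document what happens when firewalld is not running.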
@@ -0,0 +1,23 @@ + + + NetworkManager Shared + + + This zone is used internally by NetworkManager when activating a + profile that uses connection sharing and doesn't have an explicit + firewall zone set. + Block all traffic to the local machine except ICMP, ICMPv6, DHCP + and DNS. Allow all forwarded traffic. + Note that future package updates may change the definition of the + zone unless you overwrite it with your own definition. + + + + + + + + + + + diff --git a/meson.build b/meson.build index a2d925a7e..e2c83d2b5 100644 --- a/meson.build +++ b/meson.build @@ -550,6 +550,9 @@ endif dbus_interfaces_dir = dbus_dep.get_pkgconfig_variable('interfaces_dir', define_variable: ['datadir', nm_datadir]) dbus_system_bus_services_dir = dbus_dep.get_pkgconfig_variable('system_bus_services_dir', define_variable: ['datadir', nm_datadir]) +enable_firewalld_zone = get_option('firewalld_zone') +config_h.set10('WITH_FIREWALLD_ZONE', enable_firewalld_zone) + # pppd enable_ppp = get_option('ppp') if enable_ppp @@ -1028,6 +1031,7 @@ output += '\n' output += '\nMiscellaneous:\n' output += ' have introspection: ' + enable_introspection.to_string() + '\n' output += ' build documentation and manpages: ' + enable_docs.to_string() + '\n' +output += ' firewalld zone for shared mode: ' + enable_firewalld_zone.to_string() + '\n' # FIXME #output += ' install pregenerated documentation and manpages: no output += ' tests: ' + tests + '\n' diff --git a/meson_options.txt b/meson_options.txt index 041d9bfc3..a5c6a22fb 100644 --- a/meson_options.txt +++ b/meson_options.txt 
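Review bot: The effective policy of data/nm-shared.xml cannot be checked from this hunk: the element markup (zone target, service and protocol entries, and any final reject rule) has been lost in this rendering and only the short name and description text survive, so the claim "Block all traffic to the local machine except ICMP, ICMPv6, DHCP and DNS" should be verified against the actual file before merging. The description's "Allow all forwarded traffic" is worth spelling out for administrators, because forwarding is not limited to the upstream/masqueraded path: clients on the shared interface can reach anything the host routes to, including its other interfaces and VPN tunnels. Suggest adding to the description: `Forwarded traffic is accepted regardless of destination, so clients of the shared interface can reach every network this host routes to; override this zone with your own definition if you need to restrict them.` The existing sentence about package updates already points the reader at overriding the zone, which is the right mechanism for tightening it.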
@@ -62,6 +62,7 @@ option('introspection', type: 'boolean', value: true, description: 'Enable intro
 option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
 option('docs', type: 'boolean', value: false, description: 'use to build documentation')
 option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
+option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
 option('more_asserts', type: 'string', value: 'all', description: 'Enable more assertions for debugging (0 = none, 100 = all, default: all)')
 option('more_logging', type: 'boolean', value: true, description: 'Enable more debug logging')
 option('valgrind', type: 'array', value: ['no'], description: 'Use valgrind to memory-check the tests')