build: install a firewalld zone for shared mode

Install a NM-specific firewalld zone for interfaces that are used
for connection sharing. The zone blocks all traffic to the local
machine except a few protocols (DHCP, DNS and ICMP) and allows all
forwarded traffic.
Beniamino Galvani
2020-05-08 09:09:25 +02:00
parent fb0d59689c
commit c8b5bf402d
7 changed files with 57 additions and 0 deletions


@@ -4903,6 +4903,11 @@ data/server.conf: $(srcdir)/data/server.conf.in
@$(MKDIR_P) data/ @$(MKDIR_P) data/
$(AM_V_GEN) $(data_edit) $< >$@ $(AM_V_GEN) $(data_edit) $< >$@
if WITH_FIREWALLD_ZONE
firewalldzonedir = $(prefix)/lib/firewalld/zones
firewalldzone_DATA = data/nm-shared.xml
endif
EXTRA_DIST += \ EXTRA_DIST += \
data/84-nm-drivers.rules \ data/84-nm-drivers.rules \
data/85-nm-unmanaged.rules \ data/85-nm-unmanaged.rules \
@@ -4912,6 +4917,7 @@ EXTRA_DIST += \
data/NetworkManager-wait-online.service.in \ data/NetworkManager-wait-online.service.in \
data/NetworkManager.service.in \ data/NetworkManager.service.in \
data/meson.build \ data/meson.build \
data/nm-shared.xml \
data/server.conf.in \ data/server.conf.in \
$(NULL) $(NULL)
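Review bot: The destination on the `firewalldzonedir = $(prefix)/lib/firewalld/zones` line is fixed relative to NetworkManager's own prefix, and data/meson.build does the same with `join_paths(nm_prefix, 'lib', 'firewalld', 'zones')`; on an installation where firewalld was built with a different prefix the file would presumably land where firewalld never looks, and shared mode would run without the zone with no diagnostic. Consider letting the packager override the directory, for example a new `--with-firewalld-zone-dir=DIR` configure argument (and a matching meson option) defaulting to the current value, and state the intent above the assignment: `# firewalld reads vendor zones from <prefix>/lib, not $(libdir); keep in sync with data/meson.build`. The use of `$(prefix)/lib` rather than `$(libdir)` looks deliberate, but nothing in the hunk says so. Both hunks sit inside a larger Makefile.am rule block that starts and ends outside the hunk.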


@@ -233,6 +233,9 @@
/* Define if you have iwd support */ /* Define if you have iwd support */
#mesondefine WITH_IWD #mesondefine WITH_IWD
/* Define if NetworkManager uses a custom zone for shared mode */
#mesondefine WITH_FIREWALLD_ZONE
/* Define to 1 if on MINIX. */ /* Define to 1 if on MINIX. */
#mesondefine _MINIX #mesondefine _MINIX
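Review bot: The comment `/* Define if NetworkManager uses a custom zone for shared mode */` describes an ifdef-style macro, but both build systems always define it to 0 or 1 (`config_h.set10('WITH_FIREWALLD_ZONE', ...)` in meson.build and the `AC_DEFINE(WITH_FIREWALLD_ZONE, 0, ...)` else branch in configure.ac), so C code has to test it with `#if WITH_FIREWALLD_ZONE` and an `#ifdef` check would be wrong in the disabled case. Suggest `/* Define to 1 if NetworkManager installs and uses a custom firewalld zone for shared mode, 0 otherwise */`, and the same wording for the two AC_DEFINE description strings in configure.ac so the generated config.h reads the same under either build system.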


@@ -673,6 +673,18 @@ else
fi fi
AC_SUBST(NM_MODIFY_SYSTEM_POLICY) AC_SUBST(NM_MODIFY_SYSTEM_POLICY)
AC_ARG_ENABLE(firewalld-zone,
AS_HELP_STRING([--enable-firewalld-zone], [Install and use firewalld zone for shared mode]),
[enable_firewalld_zone=${enableval}],
[enable_firewalld_zone=yes])
if test "${enable_firewalld_zone}" = "yes"; then
AC_DEFINE(WITH_FIREWALLD_ZONE, 1, [Define if NetworkManager uses a custom zone for shared mode])
else
AC_DEFINE(WITH_FIREWALLD_ZONE, 0, [Define if NetworkManager uses a custom zone for shared mode])
fi
AM_CONDITIONAL(WITH_FIREWALLD_ZONE, test "${enable_firewalld_zone}" = "yes")
PKG_CHECK_MODULES(GNUTLS, [gnutls >= 2.12], [have_crypto_gnutls=yes], [have_crypto_gnutls=no]) PKG_CHECK_MODULES(GNUTLS, [gnutls >= 2.12], [have_crypto_gnutls=yes], [have_crypto_gnutls=no])
PKG_CHECK_MODULES(NSS, [nss], [have_crypto_nss=yes], [have_crypto_nss=yes]) PKG_CHECK_MODULES(NSS, [nss], [have_crypto_nss=yes], [have_crypto_nss=yes])
if test "${have_crypto_nss}" = "yes"; then if test "${have_crypto_nss}" = "yes"; then
@@ -1370,6 +1382,7 @@ echo "Miscellaneous:"
echo " have introspection: $have_introspection" echo " have introspection: $have_introspection"
echo " build documentation and manpages: $build_docs" echo " build documentation and manpages: $build_docs"
echo " install pregenerated documentation and manpages: $use_pregen_docs" echo " install pregenerated documentation and manpages: $use_pregen_docs"
echo " install and use firewalld shared zone: $enable_firewalld_zone"
echo " tests: $enable_tests" echo " tests: $enable_tests"
echo " more-asserts: $more_asserts" echo " more-asserts: $more_asserts"
echo " more-logging: $enable_more_logging" echo " more-logging: $enable_more_logging"
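Review bot: `[enable_firewalld_zone=${enableval}]` in the first hunk accepts any value, but the `if test "${enable_firewalld_zone}" = "yes"` line and the `AM_CONDITIONAL` line only compare against "yes", so `--enable-firewalld-zone=1` or a misspelling silently disables the feature instead of failing configure. Validate the value right after AC_ARG_ENABLE, e.g. `if test "$enable_firewalld_zone" != "yes" -a "$enable_firewalld_zone" != "no"; then AC_MSG_ERROR([invalid value for --enable-firewalld-zone: $enable_firewalld_zone]); fi`. Since the option defaults to yes, the zone is also installed on hosts that do not run firewalld; that is harmless for the install itself, but the help string says "Install and use", and the runtime side is not in this commit, so a sentence in the help text about what happens when firewalld is absent would help packagers.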


@@ -67,3 +67,10 @@ if enable_polkit
install_dir: polkit_gobject_policydir, install_dir: polkit_gobject_policydir,
) )
endif endif
if enable_firewalld_zone
install_data(
'nm-shared.xml',
install_dir: join_paths(nm_prefix, 'lib', 'firewalld', 'zones')
)
endif

23
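--- /dev/null
+++ b/data/nm-shared.xml
+<?xml version="1.0" encoding="utf-8"?>
+<zone target="ACCEPT">
+<short>NetworkManager Shared</short>
+<description>
+This zone is used internally by NetworkManager when activating a
+profile that uses connection sharing and doesn't have an explicit
+firewall zone set.
+Block all traffic to the local machine except ICMP, ICMPv6, DHCP
+and DNS. Allow all forwarded traffic.
+Note that future package updates may change the definition of the
+zone unless you overwrite it with your own definition.
+</description>
+<rule priority='32767'>
+<reject/>
+</rule>
+<protocol value='icmp'/>
+<protocol value='ipv6-icmp'/>
+<service name="dhcp"/>
+<service name="dns"/>
+</zone>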
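Review bot: The interplay between `<zone target="ACCEPT">` and the catch-all `<rule priority='32767'><reject/></rule>` is the whole design of this file but is not explained in it: the zone target is what admits forwarded traffic, while the lowest-priority rich rule is what makes the zone reject-by-default for traffic addressed to the host, leaving only the two `<protocol>` and two `<service>` entries open. A reader who only sees `target="ACCEPT"` will take the zone for wide open, so add an XML comment above the rule, e.g. `<!-- Evaluated last (lowest priority): rejects all input not matched by the entries below; target="ACCEPT" still governs forwarded traffic. -->`, and confirm against firewalld's rich-rule semantics that a `<reject/>` rule without source/destination elements is limited to the zone's input path and does not also affect forwarding. The `priority` attribute on rich rules was added in a comparatively recent firewalld release, so the minimum firewalld version this zone needs should be recorded in the description or the build option help. Only the IPv4 `dhcp` service is opened; if IPv6 sharing ever depends on DHCPv6 (the `dhcpv6` service), that traffic would be rejected by the same catch-all rule, which is worth a sentence in the description either way.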


@@ -550,6 +550,9 @@ endif
dbus_interfaces_dir = dbus_dep.get_pkgconfig_variable('interfaces_dir', define_variable: ['datadir', nm_datadir]) dbus_interfaces_dir = dbus_dep.get_pkgconfig_variable('interfaces_dir', define_variable: ['datadir', nm_datadir])
dbus_system_bus_services_dir = dbus_dep.get_pkgconfig_variable('system_bus_services_dir', define_variable: ['datadir', nm_datadir]) dbus_system_bus_services_dir = dbus_dep.get_pkgconfig_variable('system_bus_services_dir', define_variable: ['datadir', nm_datadir])
enable_firewalld_zone = get_option('firewalld_zone')
config_h.set10('WITH_FIREWALLD_ZONE', enable_firewalld_zone)
# pppd # pppd
enable_ppp = get_option('ppp') enable_ppp = get_option('ppp')
if enable_ppp if enable_ppp
@@ -1028,6 +1031,7 @@ output += '\n'
output += '\nMiscellaneous:\n' output += '\nMiscellaneous:\n'
output += ' have introspection: ' + enable_introspection.to_string() + '\n' output += ' have introspection: ' + enable_introspection.to_string() + '\n'
output += ' build documentation and manpages: ' + enable_docs.to_string() + '\n' output += ' build documentation and manpages: ' + enable_docs.to_string() + '\n'
output += ' firewalld zone for shared mode: ' + enable_firewalld_zone.to_string() + '\n'
# FIXME # FIXME
#output += ' install pregenerated documentation and manpages: no #output += ' install pregenerated documentation and manpages: no
output += ' tests: ' + tests + '\n' output += ' tests: ' + tests + '\n'
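Review bot: The summary line `output += ' firewalld zone for shared mode: ' + enable_firewalld_zone.to_string() + '\n'` in the second hunk uses different wording from its configure.ac counterpart `install and use firewalld shared zone:`, so the two build systems print different labels for the same setting; aligning them makes build logs comparable. In the first hunk the new `enable_firewalld_zone = get_option('firewalld_zone')` and `config_h.set10(...)` lines are dropped between the D-Bus directory lookups and the `# pppd` block without a section comment of their own, unlike the neighbouring options; a `# firewalld` comment above them would match the surrounding style.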


@@ -62,6 +62,7 @@ option('introspection', type: 'boolean', value: true, description: 'Enable intro
option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings') option('vapi', type : 'combo', choices : ['auto', 'true', 'false'], description: 'build Vala bindings')
option('docs', type: 'boolean', value: false, description: 'use to build documentation') option('docs', type: 'boolean', value: false, description: 'use to build documentation')
option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests') option('tests', type: 'combo', choices: ['yes', 'no', 'root'], value: 'yes', description: 'Build NetworkManager tests')
option('firewalld_zone', type: 'boolean', value: true, description: 'Install and use firewalld zone for shared mode')
option('more_asserts', type: 'string', value: 'all', description: 'Enable more assertions for debugging (0 = none, 100 = all, default: all)') option('more_asserts', type: 'string', value: 'all', description: 'Enable more assertions for debugging (0 = none, 100 = all, default: all)')
option('more_logging', type: 'boolean', value: true, description: 'Enable more debug logging') option('more_logging', type: 'boolean', value: true, description: 'Enable more debug logging')
option('valgrind', type: 'array', value: ['no'], description: 'Use valgrind to memory-check the tests') option('valgrind', type: 'array', value: ['no'], description: 'Use valgrind to memory-check the tests')