Updates for #22

dvershinin · Aug 3, 2021 · 594f882 · 594f882
1 parent f1e1b6b
commit 594f882
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [0.0.30] - 2021-08-03
+### Added
+* Optionally uses aggregation to overcome FirewallD bugs #22
+
 ## [0.0.22] - 2021-07-21
 ### Fixed
 * Auto-start FirewallD if not running

diff --git a/README.md b/README.md
@@ -33,7 +33,9 @@ First, install RPM repository configuration:
 sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
 ```
 
-Then, either [subscribe to the RPM repository](https://www.getpagespeed.com/repo-subscribe) (commercial), or, for free usage, disable the binary packages sub-repository,
+## Free installation
+
+For free installation and usage, disable the binary packages sub-repository,
 which contains non-essential dependencies for `fds`:
 
 ```bash
@@ -47,6 +49,35 @@ Now you can install `fds`:
 sudo yum -y install fds
 ```
 
+## Installation with subscription
+
+By [subscribing to the GetPageSpeed RPM repository](https://www.getpagespeed.com/repo-subscribe), you gain access to a [number of packages](https://extras.getpagespeed.com/redhat/8/x86_64/repoview/) other than `fds`, as well support its development.
+
+Simply run this command:
+
+```bash
+sudo yum -y install fds
+```
+
+The subscription ships with packages for IP prefixes' aggregation.
+`fds` can use those, and thus essentially overcome some [serious FirewallD bugs](https://fds.getpagespeed.com/en/latest/firewalld/).
+
+So it's highly recommended to also run the following if you are a subscriber:
+
+### CentOS/RHEL 7
+
+```bash
+sudo yum -y install python2-aggregate6
+```
+
+### CentOS/RHEL 8
+
+```bash
+sudo yum -y install python3-aggregate6
+```
+
+
+
 
 ## What `fds` can do 
 

diff --git a/docs/firewalld.md b/docs/firewalld.md
@@ -0,0 +1,19 @@
+# FirewallD
+
+## Bugs
+
+Unfortunately, FirewallD has notorious bugs like [this one](https://bugzilla.redhat.com/show_bug.cgi?id=1836571).
+This issue is very severe and occurs when you attempt to block overlapping networks.
+It causes the server to appear down and its network connectivity will appear down.
+
+To fix this, run the following to reset FirewallD completely:
+
+```bash
+sudo systemctl stop firewalld
+sudo rm -rf /etc/firewalld/{zones,ipsets}
+sudo systemctl restart firewalld
+```
+
+To ensure this does not happen: either wait FirewallD to fix it, or install package `python3-aggregate6` (CentOS/RHEL 8),
+or `python2-aggregate6` (CentOS/RHEL 7). Then `fds` will automagically use the installed module and aggregate
+blocked networks. At this time, the aggregate packages are available by [subscription](https://www.getpagespeed.com/repo-subscribe) only.
diff --git a/fds/FirewallWrapper.py b/fds/FirewallWrapper.py
@@ -172,7 +172,15 @@ def block_ip(self, ip, ipset_name=None, reload=True):
             raise Exception('Unsupported protocol')
         self.ensure_block_ipset_in_drop_zone(block_ipset)
         log.info('Adding IP address {} to block set {}'.format(ip, block_ipset.get_property('name')))
-        block_ipset.addEntry(str(ip))
+        try:
+            from aggregate6 import aggregate
+            entries = []
+            for entry in block_ipset.getEntries():
+                entries.append(str(entry))
+            entries.append(str(ip))
+            block_ipset.setEntries(aggregate(entries))
+        except ImportError:
+            block_ipset.addEntry(str(ip))
         if reload:
             log.info('Reloading FirewallD to apply permanent configuration')
             self.fw.reload()