From 594f88279aa9212e8d6c5dca4a000382403e4ac3 Mon Sep 17 00:00:00 2001 From: Danila Vershinin <250071+dvershinin@users.noreply.github.com> Date: Tue, 3 Aug 2021 22:47:00 +0300 Subject: [PATCH] Updates for #22 --- CHANGELOG.md | 4 ++++ README.md | 33 ++++++++++++++++++++++++++++++++- docs/firewalld.md | 19 +++++++++++++++++++ fds/FirewallWrapper.py | 10 +++++++++- 4 files changed, 64 insertions(+), 2 deletions(-) create mode 100644 docs/firewalld.md diff --git a/CHANGELOG.md b/CHANGELOG.md index ba5427b..eb9a158 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,10 @@ # Changelog All notable changes to this project will be documented in this file. +## [0.0.30] - 2021-08-03 +### Added +* Optionally uses aggregation to overcome FirewallD bugs #22 + ## [0.0.22] - 2021-07-21 ### Fixed * Auto-start FirewallD if not running diff --git a/README.md b/README.md index 562185a..cd50c17 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,9 @@ First, install RPM repository configuration: sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm ``` -Then, either [subscribe to the RPM repository](https://www.getpagespeed.com/repo-subscribe) (commercial), or, for free usage, disable the binary packages sub-repository, +## Free installation + +For free installation and usage, disable the binary packages sub-repository, which contains non-essential dependencies for `fds`: ```bash 
@@ -47,6 +49,35 @@ Now you can install `fds`: sudo yum -y install fds ``` +## Installation with subscription + +By [subscribing to the GetPageSpeed RPM repository](https://www.getpagespeed.com/repo-subscribe), you gain access to a [number of packages](https://extras.getpagespeed.com/redhat/8/x86_64/repoview/) other than `fds`, as well support its development. + +Simply run this command: + +```bash +sudo yum -y install fds +``` + +The subscription ships with packages for IP prefixes' aggregation. +`fds` can use those, and thus essentially overcome some [serious FirewallD bugs](https://fds.getpagespeed.com/en/latest/firewalld/). + +So it's highly recommended to also run the following if you are a subscriber: + +### CentOS/RHEL 7 + +```bash +sudo yum -y install python2-aggregate6 +``` + +### CentOS/RHEL 8 + +```bash +sudo yum -y install python3-aggregate6 +``` + + + ## What `fds` can do diff --git a/docs/firewalld.md b/docs/firewalld.md new file mode 100644 index 0000000..1f0ae91 --- /dev/null +++ b/docs/firewalld.md @@ -0,0 +1,19 @@ +# FirewallD + +## Bugs + +Unfortunately, FirewallD has notorious bugs like [this one](https://bugzilla.redhat.com/show_bug.cgi?id=1836571). +This issue is very severe and occurs when you attempt to block overlapping networks. +It causes the server to appear down and its network connectivity will appear down. + +To fix this, run the following to reset FirewallD completely: + +```bash +sudo systemctl stop firewalld +sudo rm -rf /etc/firewalld/{zones,ipsets} +sudo systemctl restart firewalld +``` + +To ensure this does not happen: either wait FirewallD to fix it, or install package `python3-aggregate6` (CentOS/RHEL 8), +or `python2-aggregate6` (CentOS/RHEL 7). Then `fds` will automagically use the installed module and aggregate +blocked networks. At this time, the aggregate packages are available by [subscription](https://www.getpagespeed.com/repo-subscribe) only. \ No newline at end of file 
diff --git a/fds/FirewallWrapper.py b/fds/FirewallWrapper.py
index 13d8047..a7c3877 100644
--- a/fds/FirewallWrapper.py
+++ b/fds/FirewallWrapper.py
@@ -172,7 +172,15 @@ def block_ip(self, ip, ipset_name=None, reload=True):
 raise Exception('Unsupported protocol')
 self.ensure_block_ipset_in_drop_zone(block_ipset)
 log.info('Adding IP address {} to block set {}'.format(ip, block_ipset.get_property('name')))
- block_ipset.addEntry(str(ip))
+ try:
+ from aggregate6 import aggregate
+ entries = []
+ for entry in block_ipset.getEntries():
+ entries.append(str(entry))
+ entries.append(str(ip))
+ block_ipset.setEntries(aggregate(entries))
+ except ImportError:
+ block_ipset.addEntry(str(ip))
 if reload:
 log.info('Reloading FirewallD to apply permanent configuration')
 self.fw.reload()
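Review bot: The `except ImportError` wraps the whole aggregation path rather than just the `from aggregate6 import aggregate` line, so an ImportError raised anywhere inside `getEntries()`, `aggregate()` or `setEntries()` would silently fall back to the plain `addEntry`, and the import is re-attempted on every call to block_ip. Separating the import from its use keeps the fallback tied to the one condition it is meant for, and a debug log in the fallback branch makes it visible that entries are being added without aggregation, which is precisely the situation the FirewallD overlapping-network bug described in docs/firewalld.md affects. The entry list can also be built as a comprehension instead of an append loop. Note that if `aggregate()` rejects an existing entry the exception propagates and the new IP is not added at all; that may be intended but is worth a comment. block_ip starts before this hunk.

```python
    log.info('Adding IP address {} to block set {}'.format(ip, block_ipset.get_property('name')))
    try:
        from aggregate6 import aggregate
    except ImportError:
        aggregate = None
    if aggregate is None:
        log.debug('aggregate6 not installed; adding entry without aggregation')
        block_ipset.addEntry(str(ip))
    else:
        entries = [str(entry) for entry in block_ipset.getEntries()] + [str(ip)]
        block_ipset.setEntries(aggregate(entries))
    # … unchanged: reload handling …
```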