This function changes the zone an interface is part of.
Without it, a caller such as NetworkManager that wants to change the
zone an interface belongs to would need to call
removeInterface(old_zone, interface) followed by
addInterface(new_zone, interface).
---
src/firewall-cmd | 8 +++++---
src/firewall/client.py | 4 ++++
src/firewall/core/fw_zone.py | 17 +++++++++++++++++
src/firewall/server/firewalld.py | 21 +++++++++++++++++++++
4 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/src/firewall-cmd b/src/firewall-cmd
index 5759508..9163680 100755
--- a/src/firewall-cmd
+++ b/src/firewall-cmd
@@ -71,7 +71,7 @@ try:
"get-zones", "get-active-zones",
"get-zone-of-interface=",
# modes (exactly one of those)
- "add", "remove","enable",
"disable", "query", "list=",
+ "add", "change",
"remove","enable", "disable", "query",
"list=",
# zone
"zone=",
# actions (exactly one of those)
@@ -133,7 +133,7 @@ for (opt, val) in opts:
__fail("Timeout not valid")
# mode
- elif opt in [ "--enable", "--disable", "--query",
"--add", "--remove" ]:
+ elif opt in [ "--enable", "--disable", "--query",
"--add", "--change", "--remove" ]:
if mode:
__fail()
mode = opt[2:]
@@ -174,7 +174,7 @@ if mode not in [ "version", "reload",
"complete-reload", "state",
__fail("No value.")
if action in [ "interface", "service", "port",
"forward-port", "icmp-block" ]:
- if mode not in [ "add", "remove", "query",
"list" ]:
+ if mode not in [ "add", "change", "remove",
"query", "list" ]:
__fail(_("Wrong action and mode combination"))
elif action == "masquerade" and mode not in [ "enable",
"disable", "query" ]:
__fail(_("Wrong action and mode combination"))
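Review bot: Adding "change" to the shared mode list makes `--change` acceptable for service, port, forward-port and icmp-block as well as interface, yet the only handler visible in this patch is the interface one (`elif mode == "change": fw.changeZoneOfInterface(zone, value)` in the @@ -242 hunk). How the other action branches treat an unknown mode is outside the hunks, so this may fall through without an error and leave the operator believing a firewall change was applied. A dedicated check would reject it up front: `if mode == "change" and action != "interface": __fail(_("Wrong action and mode combination"))`. The enclosing validation block starts and ends outside this hunk.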
@@ -242,6 +242,8 @@ try:
print(", ".join(l))
elif mode == "add":
fw.addInterface(zone, value)
+ elif mode == "change":
+ fw.changeZoneOfInterface(zone, value)
elif mode == "remove":
fw.removeInterface(zone, value)
elif mode == "query":
diff --git a/src/firewall/client.py b/src/firewall/client.py
index f6ccc31..34398bc 100644
--- a/src/firewall/client.py
+++ b/src/firewall/client.py
@@ -112,6 +112,10 @@ class FirewallClient(object):
return dbus_to_python(self.fw_zone.addInterface(zone, interface))
@slip.dbus.polkit.enable_proxy
+ def changeZoneOfInterface(self, zone, interface):
+ return dbus_to_python(self.fw_zone.changeZoneOfInterface(zone, interface))
+
+ @slip.dbus.polkit.enable_proxy
def getInterfaces(self, zone):
return dbus_to_python(self.fw_zone.getInterfaces(zone))
diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
index 71d62d4..6778f75 100644
--- a/src/firewall/core/fw_zone.py
+++ b/src/firewall/core/fw_zone.py
@@ -314,6 +314,23 @@ class FirewallZone:
return _zone
+ def change_zone_of_interface(self, zone, interface, sender=None):
+ self._fw.check_panic()
+ _old_zone = self.get_zone_of_interface(interface)
+ _new_zone = self._fw.check_zone(zone)
+ _obj = self._zones[_new_zone]
+ interface_id = self.__interface_id(interface)
+
+ if _new_zone == _old_zone:
+ raise FirewallError(ZONE_ALREADY_SET)
+
+ if _old_zone != None:
+ self.remove_interface(_old_zone, interface)
+
+ self.add_interface(_new_zone, interface, sender)
+
+ return _new_zone
+
def remove_interface(self, zone, interface):
self._fw.check_panic()
_zone = self._fw.check_zone(zone)
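Review bot: change_zone_of_interface is not atomic: it calls `self.remove_interface(_old_zone, interface)` and then `self.add_interface(_new_zone, interface, sender)`, so if the add raises, the interface is left bound to no zone and presumably no longer covered by the old zone's rules. Re-binding the old zone before re-raising keeps the interface covered; the sender that owned the old binding is not visible here, so the rollback below passes None. Separately, `_obj` and `interface_id` are assigned but never used in this function (drop them unless `__interface_id` is called for validation), and `_old_zone != None` should be `_old_zone is not None`.

```python
        # … unchanged: panic check, zone lookup, ZONE_ALREADY_SET check …

        if _old_zone is not None:
            self.remove_interface(_old_zone, interface)

        try:
            self.add_interface(_new_zone, interface, sender)
        except Exception:
            # Restore the previous binding so a failed change does not leave
            # the interface outside every zone.
            if _old_zone is not None:
                self.add_interface(_old_zone, interface, None)
            raise

        return _new_zone
```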
diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
index 54e749f..2c59f3f 100644
--- a/src/firewall/server/firewalld.py
+++ b/src/firewall/server/firewalld.py
@@ -344,6 +344,21 @@ class FirewallD(dbus.service.Object):
@dbus_service_method(DBUS_INTERFACE_ZONE, in_signature='ss',
out_signature='s')
@dbus_handle_exceptions
+ def changeZoneOfInterface(self, zone, interface, sender=None):
+ """Change a zone an interface is part of.
+ If zone is empty, use default zone.
+ """
+ interface = str(interface)
+ log.debug1("zone.changeZoneOfInterface('%s', '%s')" %
(zone, interface))
+ _zone = self.fw.zone.change_zone_of_interface(zone, interface, sender)
+
+ self.ZoneOfInterfaceChanged(_zone, interface)
+ return _zone
+
+ @slip.dbus.polkit.require_auth(PK_ACTION_CONFIG)
+ @dbus_service_method(DBUS_INTERFACE_ZONE, in_signature='ss',
+ out_signature='s')
+ @dbus_handle_exceptions
def removeInterface(self, zone, interface, sender=None):
"""Remove interface from a zone.
If zone is empty, use default zone.
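Review bot: The polkit authorization for the new changeZoneOfInterface D-Bus method is not visible in this hunk: the method picks up the existing `@dbus_service_method` and `@dbus_handle_exceptions` context lines, while the added `@slip.dbus.polkit.require_auth(PK_ACTION_CONFIG)` now sits above removeInterface. Presumably the original require_auth line lies just above the hunk's context and now guards the new method, but that should be confirmed in the full file, since this call changes which zone filters an interface. Once confirmed, the docstring could say so, e.g. `Requires polkit authorization for PK_ACTION_CONFIG.` The new method is complete within the hunk; removeInterface continues outside it.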
@@ -386,6 +401,12 @@ class FirewallD(dbus.service.Object):
@dbus.service.signal(DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
+ def ZoneOfInterfaceChanged(self, zone, interface):
+ log.debug1("zone.ZoneOfInterfaceChanged('%s', '%s')" %
(zone, interface))
+ pass
+
+ @dbus.service.signal(DBUS_INTERFACE_ZONE, signature='ss')
+ @dbus_handle_exceptions
def InterfaceRemoved(self, zone, interface):
log.debug1("zone.InterfaceRemoved('%s', '%s')" % (zone,
interface))
pass
--
1.7.7.6