From c37c84f095d820cbd137a285e263075472934502 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Thu, 31 May 2018 14:15:57 -0400 Subject: [PATCH 4/5] firewall-cmd: add --check-config option Fixes: rhbz 1477771 (cherry picked from commit b071536beb7ef2c91adb79c7769a265fc74ab15f) --- doc/xml/firewalld.dbus.xml | 11 +++++++++++ src/firewall-cmd | 6 +++++- src/firewall/client.py | 5 +++++ src/firewall/server/firewalld.py | 11 +++++++++++ 4 files changed, 32 insertions(+), 1 deletion(-) diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml index f02edb173f6e..acdbb5fd6e00 100644 --- a/doc/xml/firewalld.dbus.xml +++ b/doc/xml/firewalld.dbus.xml @@ -347,6 +347,17 @@ + + checkPermanentConfig() → Nothing + + + Run checks on the permanent configuration. This is most useful if changes were made manually to configuration files. + + + Possible errors: any + + + setDefaultZone(s: zone) → Nothing diff --git a/src/firewall-cmd b/src/firewall-cmd index 1a864b32e819..b80115564e1b 100755 --- a/src/firewall-cmd +++ b/src/firewall-cmd @@ -59,6 +59,7 @@ Status Options --complete-reload Reload firewall and lose state information --runtime-to-permanent Create permanent from runtime configuration + --check-config Check permanent configuration for errors Log Denied Options --get-log-denied Print the log denied value @@ -484,6 +485,7 @@ parser_group_standalone.add_argument("--reload", action="store_true") parser_group_standalone.add_argument("--complete-reload", action="store_true") parser_group_standalone.add_argument("--runtime-to-permanent", action="store_true") +parser_group_standalone.add_argument("--check-config", action="store_true") parser_group_standalone.add_argument("--get-ipset-types", action="store_true") parser_group_standalone.add_argument("--get-log-denied", action="store_true") parser_group_standalone.add_argument("--set-log-denied", metavar="") 
@@ -750,7 +752,7 @@ options_standalone = a.help or a.version or \ a.get_default_zone or a.set_default_zone or \ a.get_active_zones or a.get_ipset_types or \ a.get_log_denied or a.set_log_denied or \ - a.get_automatic_helpers or a.set_automatic_helpers + a.get_automatic_helpers or a.set_automatic_helpers or a.check_config options_desc_xml_file = a.set_description or a.get_description or \ a.set_short or a.get_short @@ -2039,6 +2041,8 @@ elif a.complete_reload: fw.complete_reload() elif a.runtime_to_permanent: fw.runtimeToPermanent() +elif a.check_config: + fw.checkPermanentConfig() elif a.direct: if a.passthrough: if len(a.passthrough) < 2: diff --git a/src/firewall/client.py b/src/firewall/client.py index f90bbd78eb73..da45ceb5b964 100644 --- a/src/firewall/client.py +++ b/src/firewall/client.py @@ -2760,6 +2760,11 @@ class FirewallClient(object): def runtimeToPermanent(self): self.fw.runtimeToPermanent() + @slip.dbus.polkit.enable_proxy + @handle_exceptions + def checkPermanentConfig(self): + self.fw.checkPermanentConfig() + @slip.dbus.polkit.enable_proxy @handle_exceptions def get_property(self, prop): diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py index fc7422f12261..2cecc4771cb0 100644 --- a/src/firewall/server/firewalld.py +++ b/src/firewall/server/firewalld.py @@ -42,6 +42,7 @@ from firewall.dbus_utils import dbus_to_python, \ command_of_sender, context_of_sender, uid_of_sender, user_of_uid, \ dbus_introspection_prepare_properties, \ dbus_introspection_add_properties +from firewall.core.io.functions import check_config from firewall.core.io.zone import Zone from firewall.core.io.ipset import IPSet from firewall.core.io.service import Service 
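Review bot: In the `elif a.check_config:` branch of src/firewall-cmd, nothing says how a failed check reaches the person or script that ran the command, and for a validation option that is the whole contract. `fw.checkPermanentConfig()` returns nothing, so an invalid configuration can only surface as an exception from the client wrapper; whether that ends in a non-zero exit status is decided outside this hunk and should be confirmed, since scripts will presumably gate a reload on it. I would add `# no return value: an invalid permanent config is reported as an exception and must end in a non-zero exit` above the call. The diffstat lists no test file for the new option; this is patch 4/5, so one may follow, but otherwise a case that feeds a deliberately broken configuration file and asserts the failure status belongs with this change.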
@@ -336,6 +337,16 @@ class FirewallD(slip.dbus.service.Object): def Reloaded(self): log.debug1("Reloaded()") + @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) + @dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='', + out_signature='') + @dbus_handle_exceptions + def checkPermanentConfig(self, sender=None): # pylint: disable=W0613 + """Check permanent configuration + """ + log.debug1("checkPermanentConfig()") + check_config(self.fw) + # runtime to permanent @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) -- 2.16.3
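Review bot: The docstring on the new `checkPermanentConfig` (`Check permanent configuration`) states neither how a failure is reported nor why a read-only check is gated on `config.dbus.PK_ACTION_CONFIG`. With `out_signature=''` and the result of `check_config(self.fw)` discarded, the only failure channel visible here is an exception passing through `dbus_handle_exceptions`. That error text presumably carries details of the on-disk configuration back to the D-Bus caller, which is a sound reason to keep the authorization requirement and worth writing down so it is not relaxed later. Proposed docstring: `Validate the permanent configuration on disk. Returns nothing; a problem is raised to the caller as a D-Bus error. Requires config authorization because the error text may describe configuration files.` The `sender` argument is unused (W0613 is suppressed on the signature), and the FirewallD class continues outside the hunk.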