import firewalld-0.8.2-7.el8_4

SOURCES/0069-fix-nm-reload-only-consider-NM-connections-with-a-re.patch

@@ -0,0 +1,45 @@
+From 4f3a9e3b9c776cce4603f91cf1cd3e0b36e9fe4a Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 27 Apr 2021 08:56:13 -0400
+Subject: [PATCH 69/70] fix(nm): reload: only consider NM connections with a
+ real interface
+
+Where real interface means linux interface capable of having an IP
+address and does not exceed IFNAMSIZ.
+
+Fixes: rhbz 1928860
+(cherry picked from commit f18f1cc96503fbc5d42f30ecdc6f0da4c56aac4d)
+(cherry picked from commit f65679066695887b143d1443ac1735b4c602b8dd)
+---
+ src/firewall/core/fw_nm.py | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/fw_nm.py b/src/firewall/core/fw_nm.py
+index 37282a1a7711..0e38dd47e927 100644
+--- a/src/firewall/core/fw_nm.py
++++ b/src/firewall/core/fw_nm.py
+@@ -141,7 +141,9 @@ def nm_get_connections(connections, connections_name):
+ 
+         connections_name[uuid] = name
+         for dev in devices:
+-            connections[dev.get_iface()] = uuid
++            ip_iface = dev.get_ip_iface()
++            if ip_iface:
++                connections[ip_iface] = uuid
+ 
+ def nm_get_interfaces():
+     """Get active interfaces from NM
+@@ -169,7 +171,9 @@ def nm_get_interfaces():
+                 continue
+ 
+         for dev in active_con.get_devices():
+-            active_interfaces.append(dev.get_iface())
++            ip_iface = dev.get_ip_iface()
++            if ip_iface:
++                active_interfaces.append(ip_iface)
+ 
+     return active_interfaces
+ 
+-- 
+2.27.0
+

SOURCES/0070-test-nm-reload-only-consider-NM-connections-with-a-r.patch

@@ -0,0 +1,81 @@
+From 2ecba497ec9d57647748f74500ce5e2ea115474a Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 27 Apr 2021 09:06:22 -0400
+Subject: [PATCH 70/70] test(nm): reload: only consider NM connections with a
+ real interface
+
+Coverage: rhbz 1928860
+(cherry picked from commit 7566d3dc5664955064b14314b3d3ef20bcebd6e4)
+(cherry picked from commit 2e371157382e77731d07c6519fc5692e556e2bee)
+---
+ src/tests/Makefile.am                   |  4 ++--
+ src/tests/integration/networkmanager.at |  1 +
+ src/tests/integration/rhbz1928860.at    | 26 +++++++++++++++++++++++++
+ 3 files changed, 29 insertions(+), 2 deletions(-)
+ create mode 100644 src/tests/integration/rhbz1928860.at
+
+diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am
+index b7556b30ecc8..e936454faf6a 100644
+--- a/src/tests/Makefile.am
++++ b/src/tests/Makefile.am
+@@ -71,7 +71,7 @@ check-container-fedora-rawhide-image: check-container-%-image:
+ 	                 iptables iptables-nft libtool libxml2 libxslt make nftables \
+ 	                 python3-nftables python3-slip-dbus python3-gobject-base \
+ 	                 diffutils procps-ng iproute which dbus-daemon \
+-	                 NetworkManager" && \
++	                 NetworkManager NetworkManager-ovs" && \
+ 	echo "RUN alternatives --set ebtables /usr/sbin/ebtables-nft" && \
+ 	echo "COPY . /tmp/firewalld"; \
+ 	} | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
+@@ -86,7 +86,7 @@ check-container-centos8-stream-image: check-container-%-image:
+ 	                 iptables iptables-ebtables nftables libtool libxml2 \
+ 	                 libxslt make nftables python3-nftables python3-slip-dbus \
+ 	                 python3-gobject-base diffutils procps-ng iproute which dbus-daemon \
+-	                 NetworkManager" && \
++	                 NetworkManager NetworkManager-ovs" && \
+ 	echo "COPY . /tmp/firewalld"; \
+ 	} | $(PODMAN) build -t firewalld-testsuite-$* -f - . )
+ 
+diff --git a/src/tests/integration/networkmanager.at b/src/tests/integration/networkmanager.at
+index 08cf6d28451a..0b20adce0462 100644
+--- a/src/tests/integration/networkmanager.at
++++ b/src/tests/integration/networkmanager.at
+@@ -1,2 +1,3 @@
+ AT_BANNER([NetworkManager (FIREWALL_BACKEND)])
+ m4_include([integration/rhbz1773809.at])
++m4_include([integration/rhbz1928860.at])
+diff --git a/src/tests/integration/rhbz1928860.at b/src/tests/integration/rhbz1928860.at
+new file mode 100644
+index 000000000000..8ef2a1dcbd01
+--- /dev/null
++++ b/src/tests/integration/rhbz1928860.at
+@@ -0,0 +1,26 @@
++FWD_START_TEST([reload don't consider non IP capable interfaces])
++AT_KEYWORDS(reload rhbz1928860)
++
++START_NETWORKMANAGER
++
++dnl OVS bridge and port
++NMCLI_CHECK([connection add type ovs-bridge conn.interface ovs-br con-name ovs-br], 0, [ignore])
++NMCLI_CHECK([connection add type ovs-port conn.interface ovs-interface-port master ovs-br con-name ovs-interface-port], 0, [ignore])
++echo NS_CMD([nmcli connection delete ovs-br]) >> ./cleanup
++echo NS_CMD([nmcli connection delete ovs-interface-port]) >> ./cleanup
++
++dnl Up them
++NMCLI_CHECK([connection up ovs-br], 0, [ignore])
++NMCLI_CHECK([connection up ovs-interface-port], 0, [ignore])
++
++dnl Omit the actual linux interface because it requires the OVS daemon to be
++dnl running. The bug is reproducible without it.
++dnl 
++dnl NMCLI_CHECK([connection add type ovs-interface slave-type ovs-port conn.interface ovs-br master ovs-interface-port con-name ovs-interface ipv4.method disabled ipv6.method disabled], 0, [ignore])
++dnl echo NS_CMD([nmcli connection delete ovs-interface]) >> ./cleanup
++dnl NMCLI_CHECK([connection up ovs-interface], 0, [ignore])
++
++dnl just need to verify reload
++FWD_RELOAD
++
++FWD_END_TEST
+-- 
+2.27.0
+

SPECS/firewalld.spec

@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.8.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@@ -73,6 +73,8 @@ Patch65: 0065-fix-rich-non-printable-characters-removed-from-rich-.patch
 Patch66: 0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch
 Patch67: 0067-fix-zone-add-source-with-mac-address.patch
 Patch68: v1.0.0-0068-feat-service-add-galera-service.patch
+Patch69: 0069-fix-nm-reload-only-consider-NM-connections-with-a-re.patch
+Patch70: 0070-test-nm-reload-only-consider-NM-connections-with-a-r.patch
 
 BuildArch: noarch
 BuildRequires: autoconf
@@ -271,6 +273,9 @@ desktop-file-install --delete-original \
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Tue Jun 01 2021 Eric Garver <egarver@redhat.com> - 0.8.2-7
+- fix(nm): reload: only consider NM connections with a real interface
+
 * Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-6
 - feat(service): add galera service