fix(systemd): Requires dbus

Resolves: RHEL-123697

0036-v2.4.0-test-functions-add-macro-WAIT_UNTIL.patch

@@ -0,0 +1,36 @@
+From 1f72a1c3bdf0dd727d76f205b87223dd29ef0c7c Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 6 Oct 2025 16:32:59 -0400
+Subject: [PATCH 36/48] v2.4.0: test(functions): add macro WAIT_UNTIL
+
+(cherry picked from commit 50890c62b00db91f15ba5802055afc293a3fe77a)
+---
+ src/tests/functions.at | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index 8b07908c667c..df3fff6ad4b9 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -763,3 +763,18 @@ m4_define([CHECK_NFTABLES_FIB_IN_FORWARD], [
+         NS_CHECK([nft delete table inet firewalld_check])
+     ])
+ ])
++
++dnl $1 = command to run until zero exit code
++m4_define([WAIT_UNTIL], [
++    _fail=1
++    _timeout=120
++    for I in $(seq ${_timeout}); do
++        { $1 ; } && { _fail=0; break; }
++        sleep 1
++    done
++    if test ${_fail} -gt 0; then
++        printf "FAIL: Command failed succeed in ${_timeout} seconds:\n"
++        printf "  $1\n"
++        AT_FAIL_IF([:])
++    fi
++])
+-- 
+2.47.3
+

0037-v2.4.0-fix-server-load-firewall-rules-before-claimin.patch

@@ -0,0 +1,81 @@
+From 3a91e1c6a575572cabbc06460ad94f65234a7d98 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 14 Oct 2025 16:41:49 -0400
+Subject: [PATCH 37/48] v2.4.0: fix(server): load firewall rules before
+ claiming dbus
+
+This guarantees that the firewall is loaded and ready before the daemon
+registers with dbus.
+
+(cherry picked from commit 63d2238d055ee193f18acb51f6362b64d11e0886)
+---
+ src/firewall/server/firewalld.py | 15 +++++++++++----
+ src/firewall/server/server.py    | 10 +---------
+ 2 files changed, 12 insertions(+), 13 deletions(-)
+
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 8b9593a22fd8..fc85d3e0c359 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -25,6 +25,7 @@ from gi.repository import GLib
+ import copy
+ import dbus
+ import dbus.service
++import dbus.mainloop.glib
+ 
+ from firewall import config
+ from firewall.core.fw import Firewall
+@@ -69,12 +70,18 @@ class FirewallD(DbusServiceObject):
+     """ Use config.dbus.PK_ACTION_CONFIG as a default """
+ 
+     @handle_exceptions
+-    def __init__(self, *args, **kwargs):
+-        super(FirewallD, self).__init__(*args, **kwargs)
++    def __init__(self):
+         self.fw = Firewall()
+-        self.busname = args[0]
+-        self.path = args[1]
+         self.start()
++
++        dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
++        bus = dbus.SystemBus()
++        name = dbus.service.BusName(config.dbus.DBUS_INTERFACE, bus=bus)
++        super(FirewallD, self).__init__(name, config.dbus.DBUS_PATH)
++
++        self.busname = name
++        self.path = config.dbus.DBUS_PATH
++
+         dbus_introspection_prepare_properties(self, config.dbus.DBUS_INTERFACE)
+         self.config = FirewallDConfig(self.fw.config, self.busname,
+                                       config.dbus.DBUS_PATH_CONFIG)
+diff --git a/src/firewall/server/server.py b/src/firewall/server/server.py
+index 2921ae9104f1..7f3404793f12 100644
+--- a/src/firewall/server/server.py
++++ b/src/firewall/server/server.py
+@@ -31,11 +31,6 @@ import signal
+ 
+ from gi.repository import GLib
+ 
+-import dbus
+-import dbus.service
+-import dbus.mainloop.glib
+-
+-from firewall import config
+ from firewall.core.logger import log
+ from firewall.server.firewalld import FirewallD
+ 
+@@ -83,10 +78,7 @@ def run_server(debug_gc=False):
+             GLib.timeout_add_seconds(gc_timeout, gc_collect)
+ 
+     try:
+-        dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
+-        bus = dbus.SystemBus()
+-        name = dbus.service.BusName(config.dbus.DBUS_INTERFACE, bus=bus)
+-        service = FirewallD(name, config.dbus.DBUS_PATH)
++        service = FirewallD()
+ 
+         mainloop = GLib.MainLoop()
+         if debug_gc:
+-- 
+2.47.3
+

0038-v2.4.0-Revert-fix-systemd-allow-start-code-251-RUNNI.patch

@@ -0,0 +1,29 @@
+From bbfef80c94f368130e4440d1624d2a2bc1daf28d Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 14 Oct 2025 16:05:41 -0400
+Subject: [PATCH 38/48] v2.4.0: Revert "fix(systemd): allow start code 251
+ (RUNNING_BUT_FAILED)"
+
+This reverts commit d52815e198f05378a3f34633adfedd29165cc64e.
+
+(cherry picked from commit d2af4c8de086b658b0f1a24be9d3bf55b514b3c3)
+---
+ config/firewalld.service.in | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/config/firewalld.service.in b/config/firewalld.service.in
+index bd8690fd87a6..cd7f772b8581 100644
+--- a/config/firewalld.service.in
++++ b/config/firewalld.service.in
+@@ -11,8 +11,6 @@ Documentation=man:firewalld(1)
+ EnvironmentFile=-/etc/sysconfig/firewalld
+ ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS
+ ExecStartPost=@bindir@/firewall-cmd --state
+-# don't fail ExecStartPost on RUNNING_BUT_FAILED
+-SuccessExitStatus=251
+ ExecReload=/bin/kill -HUP $MAINPID
+ StandardOutput=null
+ StandardError=null
+-- 
+2.47.3
+

0039-v2.4.0-Revert-fix-systemd-verify-firewalld-is-respon.patch

@@ -0,0 +1,29 @@
+From 82a7c51975297fa185410ce37ae0c73b70d1924d Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 14 Oct 2025 16:05:54 -0400
+Subject: [PATCH 39/48] v2.4.0: Revert "fix(systemd): verify firewalld is
+ responsive to dbus"
+
+This reverts commit 4ddfe5672e3a51e1c081b410144155553f256e91.
+
+Fixes: #1492
+(cherry picked from commit 3e61bcccdb3efc12474eb99538bd52fc4f63f4dd)
+---
+ config/firewalld.service.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/config/firewalld.service.in b/config/firewalld.service.in
+index cd7f772b8581..08c9f74dd924 100644
+--- a/config/firewalld.service.in
++++ b/config/firewalld.service.in
+@@ -10,7 +10,6 @@ Documentation=man:firewalld(1)
+ [Service]
+ EnvironmentFile=-/etc/sysconfig/firewalld
+ ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS
+-ExecStartPost=@bindir@/firewall-cmd --state
+ ExecReload=/bin/kill -HUP $MAINPID
+ StandardOutput=null
+ StandardError=null
+-- 
+2.47.3
+

0040-v2.4.0-fix-nftables-ipset-add-entries-from-GLib-loop.patch

@@ -0,0 +1,66 @@
+From 85d9dfb83d49499b21fb3c97e4486bc944a2651e Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 14 Oct 2025 15:59:05 -0400
+Subject: [PATCH 40/48] v2.4.0: fix(nftables): ipset: add entries from GLib
+ loop when idle
+
+Sets with a large amount of entries can take a significant time to
+apply. Use the GLib mainloop to add them in chunks when the loop is
+idle. This allows dbus calls in between the chunks as the dbus
+events/calls have higher priority.
+
+Fixes: #1277
+(cherry picked from commit 3874bafc427139e647829d7662577567343aceb6)
+---
+ src/firewall/core/nftables.py | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 8115bcb9d7f4..254fe7cfbebe 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -18,6 +18,9 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #
++
++from gi.repository import GLib
++
+ import copy
+ import json
+ import ipaddress
+@@ -1958,15 +1961,27 @@ class nftables(object):
+         rules = []
+         rules.extend(self.build_set_create_rules(set_name, type_name, create_options))
+         rules.extend(self.build_set_flush_rules(set_name))
++        self.set_rules(rules, self._fw.get_log_denied())
++
++        def _idle_set_add_entries(rules):
++            try:
++                self.set_rules(rules, self._fw.get_log_denied())
++            except Exception as e:
++                log.error("While restoring ipset entries the following Error occurred:")
++                log.error(e)
+ 
+-        # avoid large memory usage by chunking the entries
++        # Avoid large memory usage by chunking the entries. Additionally, add
++        # the entries from the GLib main loop when it's idle. This avoids
++        # blocking the main loop for too long.
++        #
+         chunk = 0
++        rules = []
+         for entry in entries:
+             rules.extend(self.build_set_add_rules(set_name, entry))
+             chunk += 1
+             if chunk >= 1000:
+-                self.set_rules(rules, self._fw.get_log_denied())
+-                rules.clear()
++                GLib.idle_add(lambda x: _idle_set_add_entries(x), rules)
++                rules = []
+                 chunk = 0
+         else:
+-            self.set_rules(rules, self._fw.get_log_denied())
++            GLib.idle_add(lambda x: _idle_set_add_entries(x), rules)
+-- 
+2.47.3
+

0041-v2.4.0-test-ipset-scale-verify-all-the-entries-were-.patch

@@ -0,0 +1,39 @@
+From c2f4ff8d26d2d7510e32f8ec6bcaa222af95ed9a Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 14 Oct 2025 17:50:22 -0400
+Subject: [PATCH 41/48] v2.4.0: test(ipset): scale: verify all the entries were
+ added
+
+(cherry picked from commit ab35fc7a99536efc7dde2242507fad6bed577d68)
+---
+ src/tests/regression/ipset_scale.at | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/tests/regression/ipset_scale.at b/src/tests/regression/ipset_scale.at
+index 0aef986434f0..d754e035f187 100644
+--- a/src/tests/regression/ipset_scale.at
++++ b/src/tests/regression/ipset_scale.at
+@@ -1,6 +1,8 @@
+ FWD_START_TEST([ipset scale])
+ AT_KEYWORDS(ipset gh738 scale)
+ 
++AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])])
++
+ dnl Create a huge ipset
+ AT_CHECK([touch ./entries], 0, [ignore])
+ AT_CHECK([sh -c '
+@@ -22,4 +24,11 @@ ulimit -d $(expr 1024 \* 300)
+ FWD_RESTART() dnl required because we changed ulimit
+ FWD_RELOAD()
+ 
++dnl Verify all the entries are added.
++m4_if(nftables, FIREWALL_BACKEND, [
++    WAIT_UNTIL([test "$(NS_CMD([nft $NFT_NUMERIC_ARGS list set inet firewalld foobar |wc -l]))" -eq 31256])
++], [
++    WAIT_UNTIL([test "$(NS_CMD([$IPSET list foobar |wc -l]))" -eq 62508])
++])
++
+ FWD_END_TEST()
+-- 
+2.47.3
+

0042-v2.4.0-fix-systemd-Requires-dbus.patch

@@ -0,0 +1,28 @@
+From f7c7f94908834824bc777334c5b61e7af4d629b5 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 13 Oct 2025 15:44:17 -0400
+Subject: [PATCH 42/48] v2.4.0: fix(systemd): Requires dbus
+
+Use Requires so when dbus is restarted firewalld is also restarted.
+
+Fixes: RHEL-94927
+(cherry picked from commit b9595ea06e6159735300bb4668a3e7e84966219c)
+---
+ config/firewalld.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/config/firewalld.service.in b/config/firewalld.service.in
+index 08c9f74dd924..7ace390c29d6 100644
+--- a/config/firewalld.service.in
++++ b/config/firewalld.service.in
+@@ -2,6 +2,7 @@
+ Description=firewalld - dynamic firewall daemon
+ Before=network-pre.target
+ Wants=network-pre.target
++Requires=dbus.service
+ After=dbus.service
+ After=polkit.service
+ Conflicts=iptables.service ip6tables.service ebtables.service ipset.service
+-- 
+2.47.3
+

firewalld.service

@@ -1,6 +1,8 @@
 [Unit]
 Description=Firewall dynamic change handling daemon
 After=syslog.target
+Requires=dbus.service
+After=dbus.service
 
 [Service]
 Type=forking

firewalld.spec

@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 1.3.4
-Release: 16%{?dist}
+Release: 17%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2
@@ -40,6 +40,13 @@ Patch32: 0032-v2.4.0-fix-systemd-allow-start-code-251-RUNNING_BUT_FAILED.patch
 Patch33: 0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch
 Patch34: 0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch
 Patch35: 0035-v2.2.0-feat-add-iperf-2-3-services.patch
+Patch36: 0036-v2.4.0-test-functions-add-macro-WAIT_UNTIL.patch
+Patch37: 0037-v2.4.0-fix-server-load-firewall-rules-before-claimin.patch
+Patch38: 0038-v2.4.0-Revert-fix-systemd-allow-start-code-251-RUNNI.patch
+Patch39: 0039-v2.4.0-Revert-fix-systemd-verify-firewalld-is-respon.patch
+Patch40: 0040-v2.4.0-fix-nftables-ipset-add-entries-from-GLib-loop.patch
+Patch41: 0041-v2.4.0-test-ipset-scale-verify-all-the-entries-were-.patch
+Patch42: 0042-v2.4.0-fix-systemd-Requires-dbus.patch
 BuildArch: noarch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -263,6 +270,11 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Tue Dec 02 2025 Eric Garver <egarver@redhat.com> - 1.3.4-17
+- fix(server): load firewall rules before claiming dbus
+- fix(nftables): ipset: add entries from GLib loop when idle
+- fix(systemd): Requires dbus
+
 * Tue Dec 02 2025 Eric Garver <egarver@redhat.com> - 1.3.4-16
 - feat: add iperf{2,3} services