diff --git a/0036-v2.4.0-test-functions-add-macro-WAIT_UNTIL.patch b/0036-v2.4.0-test-functions-add-macro-WAIT_UNTIL.patch new file mode 100644 index 0000000..f068e61 --- /dev/null +++ b/0036-v2.4.0-test-functions-add-macro-WAIT_UNTIL.patch @@ -0,0 +1,36 @@ +From 1f72a1c3bdf0dd727d76f205b87223dd29ef0c7c Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 6 Oct 2025 16:32:59 -0400 +Subject: [PATCH 36/48] v2.4.0: test(functions): add macro WAIT_UNTIL + +(cherry picked from commit 50890c62b00db91f15ba5802055afc293a3fe77a) +--- + src/tests/functions.at | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/tests/functions.at b/src/tests/functions.at +index 8b07908c667c..df3fff6ad4b9 100644 +--- a/src/tests/functions.at ++++ b/src/tests/functions.at +@@ -763,3 +763,18 @@ m4_define([CHECK_NFTABLES_FIB_IN_FORWARD], [ + NS_CHECK([nft delete table inet firewalld_check]) + ]) + ]) ++ ++dnl $1 = command to run until zero exit code ++m4_define([WAIT_UNTIL], [ ++ _fail=1 ++ _timeout=120 ++ for I in $(seq ${_timeout}); do ++ { $1 ; } && { _fail=0; break; } ++ sleep 1 ++ done ++ if test ${_fail} -gt 0; then ++ printf "FAIL: Command failed succeed in ${_timeout} seconds:\n" ++ printf " $1\n" ++ AT_FAIL_IF([:]) ++ fi ++]) +-- +2.47.3 + diff --git a/0037-v2.4.0-fix-server-load-firewall-rules-before-claimin.patch b/0037-v2.4.0-fix-server-load-firewall-rules-before-claimin.patch new file mode 100644 index 0000000..6e17b2e --- /dev/null +++ b/0037-v2.4.0-fix-server-load-firewall-rules-before-claimin.patch 
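Review bot: `printf " $1\n"` in the failure branch of `WAIT_UNTIL` puts the command text inside the shell's double-quoted format string, so any `$(...)`, backtick or `"` in the command is evaluated again (re-running the command, or breaking the quoting) and any `%` is read as a printf directive; use a fixed format with the command as an argument, e.g. `printf " %s\n" "AS_ESCAPE([$1])"`. The first message also reads `Command failed succeed`; `Command failed to succeed within ${_timeout} seconds` is clearer. Minor: the loop sleeps one extra second after the final failed attempt, and `I` is never used, so `for _ in $(seq ${_timeout})` reads better.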
@@ -0,0 +1,81 @@ +From 3a91e1c6a575572cabbc06460ad94f65234a7d98 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 14 Oct 2025 16:41:49 -0400 +Subject: [PATCH 37/48] v2.4.0: fix(server): load firewall rules before + claiming dbus + +This guarantees that the firewall is loaded and ready before the daemon +registers with dbus. + +(cherry picked from commit 63d2238d055ee193f18acb51f6362b64d11e0886) +--- + src/firewall/server/firewalld.py | 15 +++++++++++---- + src/firewall/server/server.py | 10 +--------- + 2 files changed, 12 insertions(+), 13 deletions(-) + +diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py +index 8b9593a22fd8..fc85d3e0c359 100644 +--- a/src/firewall/server/firewalld.py ++++ b/src/firewall/server/firewalld.py +@@ -25,6 +25,7 @@ from gi.repository import GLib + import copy + import dbus + import dbus.service ++import dbus.mainloop.glib + + from firewall import config + from firewall.core.fw import Firewall +@@ -69,12 +70,18 @@ class FirewallD(DbusServiceObject): + """ Use config.dbus.PK_ACTION_CONFIG as a default """ + + @handle_exceptions +- def __init__(self, *args, **kwargs): +- super(FirewallD, self).__init__(*args, **kwargs) ++ def __init__(self): + self.fw = Firewall() +- self.busname = args[0] +- self.path = args[1] + self.start() ++ ++ dbus.mainloop.glib.DBusGMainLoop(set_as_default=True) ++ bus = dbus.SystemBus() ++ name = dbus.service.BusName(config.dbus.DBUS_INTERFACE, bus=bus) ++ super(FirewallD, self).__init__(name, config.dbus.DBUS_PATH) ++ ++ self.busname = name ++ self.path = config.dbus.DBUS_PATH ++ + dbus_introspection_prepare_properties(self, config.dbus.DBUS_INTERFACE) + self.config = FirewallDConfig(self.fw.config, self.busname, + config.dbus.DBUS_PATH_CONFIG) +diff --git a/src/firewall/server/server.py b/src/firewall/server/server.py +index 2921ae9104f1..7f3404793f12 100644 +--- a/src/firewall/server/server.py ++++ b/src/firewall/server/server.py +@@ -31,11 +31,6 @@ import signal + + from 
gi.repository import GLib + +-import dbus +-import dbus.service +-import dbus.mainloop.glib +- +-from firewall import config + from firewall.core.logger import log + from firewall.server.firewalld import FirewallD + +@@ -83,10 +78,7 @@ def run_server(debug_gc=False): + GLib.timeout_add_seconds(gc_timeout, gc_collect) + + try: +- dbus.mainloop.glib.DBusGMainLoop(set_as_default=True) +- bus = dbus.SystemBus() +- name = dbus.service.BusName(config.dbus.DBUS_INTERFACE, bus=bus) +- service = FirewallD(name, config.dbus.DBUS_PATH) ++ service = FirewallD() + + mainloop = GLib.MainLoop() + if debug_gc: +-- +2.47.3 + diff --git a/0038-v2.4.0-Revert-fix-systemd-allow-start-code-251-RUNNI.patch b/0038-v2.4.0-Revert-fix-systemd-allow-start-code-251-RUNNI.patch new file mode 100644 index 0000000..c06fa62 --- /dev/null +++ b/0038-v2.4.0-Revert-fix-systemd-allow-start-code-251-RUNNI.patch @@ -0,0 +1,29 @@ +From bbfef80c94f368130e4440d1624d2a2bc1daf28d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 14 Oct 2025 16:05:41 -0400 +Subject: [PATCH 38/48] v2.4.0: Revert "fix(systemd): allow start code 251 + (RUNNING_BUT_FAILED)" + +This reverts commit d52815e198f05378a3f34633adfedd29165cc64e. + +(cherry picked from commit d2af4c8de086b658b0f1a24be9d3bf55b514b3c3) +--- + config/firewalld.service.in | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/config/firewalld.service.in b/config/firewalld.service.in +index bd8690fd87a6..cd7f772b8581 100644 +--- a/config/firewalld.service.in ++++ b/config/firewalld.service.in +@@ -11,8 +11,6 @@ Documentation=man:firewalld(1) + EnvironmentFile=-/etc/sysconfig/firewalld + ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS + ExecStartPost=@bindir@/firewall-cmd --state +-# don't fail ExecStartPost on RUNNING_BUT_FAILED +-SuccessExitStatus=251 + ExecReload=/bin/kill -HUP $MAINPID + StandardOutput=null + StandardError=null +-- +2.47.3 + 
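Review bot: A failure inside `self.start()` now stops the daemon from ever claiming the bus name, but `__init__` is still wrapped in `@handle_exceptions` (defined outside this hunk), which presumably logs and swallows the error, so `run_server` proceeds to `mainloop.run()` with a daemon that never appears on D-Bus instead of exiting non-zero. Consider re-raising from `__init__` after logging, or having `run_server` check that `service.busname` was set before entering the main loop, so systemd reports a failed unit rather than one that hangs in activating. The "loaded before registering with dbus" guarantee only turns into systemd readiness if the unit is `Type=dbus` with `BusName=` matching `config.dbus.DBUS_INTERFACE`; that directive is not visible in this series, so it is worth confirming and stating in the commit message. Note also that work `start()` defers to the GLib main loop (such as the idle callbacks patch 0040 adds for ipset entries) runs only after the name is claimed, so the guarantee does not cover those entries.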
diff --git a/0039-v2.4.0-Revert-fix-systemd-verify-firewalld-is-respon.patch b/0039-v2.4.0-Revert-fix-systemd-verify-firewalld-is-respon.patch new file mode 100644 index 0000000..e0df397 --- /dev/null +++ b/0039-v2.4.0-Revert-fix-systemd-verify-firewalld-is-respon.patch @@ -0,0 +1,29 @@ +From 82a7c51975297fa185410ce37ae0c73b70d1924d Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 14 Oct 2025 16:05:54 -0400 +Subject: [PATCH 39/48] v2.4.0: Revert "fix(systemd): verify firewalld is + responsive to dbus" + +This reverts commit 4ddfe5672e3a51e1c081b410144155553f256e91. + +Fixes: #1492 +(cherry picked from commit 3e61bcccdb3efc12474eb99538bd52fc4f63f4dd) +--- + config/firewalld.service.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/config/firewalld.service.in b/config/firewalld.service.in +index cd7f772b8581..08c9f74dd924 100644 +--- a/config/firewalld.service.in ++++ b/config/firewalld.service.in +@@ -10,7 +10,6 @@ Documentation=man:firewalld(1) + [Service] + EnvironmentFile=-/etc/sysconfig/firewalld + ExecStart=@sbindir@/firewalld --nofork --nopid $FIREWALLD_ARGS +-ExecStartPost=@bindir@/firewall-cmd --state + ExecReload=/bin/kill -HUP $MAINPID + StandardOutput=null + StandardError=null +-- +2.47.3 + diff --git a/0040-v2.4.0-fix-nftables-ipset-add-entries-from-GLib-loop.patch b/0040-v2.4.0-fix-nftables-ipset-add-entries-from-GLib-loop.patch new file mode 100644 index 0000000..4ce834e --- /dev/null +++ b/0040-v2.4.0-fix-nftables-ipset-add-entries-from-GLib-loop.patch 
@@ -0,0 +1,66 @@ +From 85d9dfb83d49499b21fb3c97e4486bc944a2651e Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 14 Oct 2025 15:59:05 -0400 +Subject: [PATCH 40/48] v2.4.0: fix(nftables): ipset: add entries from GLib + loop when idle + +Sets with a large amount of entries can take a significant time to +apply. Use the GLib mainloop to add them in chunks when the loop is +idle. This allows dbus calls in between the chunks as the dbus +events/calls have higher priority. + +Fixes: #1277 +(cherry picked from commit 3874bafc427139e647829d7662577567343aceb6) +--- + src/firewall/core/nftables.py | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py +index 8115bcb9d7f4..254fe7cfbebe 100644 +--- a/src/firewall/core/nftables.py ++++ b/src/firewall/core/nftables.py +@@ -18,6 +18,9 @@ + # You should have received a copy of the GNU General Public License + # along with this program. If not, see . + # ++ ++from gi.repository import GLib ++ + import copy + import json + import ipaddress +@@ -1958,15 +1961,27 @@ class nftables(object): + rules = [] + rules.extend(self.build_set_create_rules(set_name, type_name, create_options)) + rules.extend(self.build_set_flush_rules(set_name)) ++ self.set_rules(rules, self._fw.get_log_denied()) ++ ++ def _idle_set_add_entries(rules): ++ try: ++ self.set_rules(rules, self._fw.get_log_denied()) ++ except Exception as e: ++ log.error("While restoring ipset entries the following Error occurred:") ++ log.error(e) + +- # avoid large memory usage by chunking the entries ++ # Avoid large memory usage by chunking the entries. Additionally, add ++ # the entries from the GLib main loop when it's idle. This avoids ++ # blocking the main loop for too long. 
++ # + chunk = 0 ++ rules = [] + for entry in entries: + rules.extend(self.build_set_add_rules(set_name, entry)) + chunk += 1 + if chunk >= 1000: +- self.set_rules(rules, self._fw.get_log_denied()) +- rules.clear() ++ GLib.idle_add(lambda x: _idle_set_add_entries(x), rules) ++ rules = [] + chunk = 0 + else: +- self.set_rules(rules, self._fw.get_log_denied()) ++ GLib.idle_add(lambda x: _idle_set_add_entries(x), rules) +-- +2.47.3 + diff --git a/0041-v2.4.0-test-ipset-scale-verify-all-the-entries-were-.patch b/0041-v2.4.0-test-ipset-scale-verify-all-the-entries-were-.patch new file mode 100644 index 0000000..a862e49 --- /dev/null +++ b/0041-v2.4.0-test-ipset-scale-verify-all-the-entries-were-.patch @@ -0,0 +1,39 @@ +From c2f4ff8d26d2d7510e32f8ec6bcaa222af95ed9a Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Tue, 14 Oct 2025 17:50:22 -0400 +Subject: [PATCH 41/48] v2.4.0: test(ipset): scale: verify all the entries were + added + +(cherry picked from commit ab35fc7a99536efc7dde2242507fad6bed577d68) +--- + src/tests/regression/ipset_scale.at | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/tests/regression/ipset_scale.at b/src/tests/regression/ipset_scale.at +index 0aef986434f0..d754e035f187 100644 +--- a/src/tests/regression/ipset_scale.at ++++ b/src/tests/regression/ipset_scale.at +@@ -1,6 +1,8 @@ + FWD_START_TEST([ipset scale]) + AT_KEYWORDS(ipset gh738 scale) + ++AT_SKIP_IF([! NS_CMD([which wc >/dev/null 2>&1])]) ++ + dnl Create a huge ipset + AT_CHECK([touch ./entries], 0, [ignore]) + AT_CHECK([sh -c ' +@@ -22,4 +24,11 @@ ulimit -d $(expr 1024 \* 300) + FWD_RESTART() dnl required because we changed ulimit + FWD_RELOAD() + ++dnl Verify all the entries are added. ++m4_if(nftables, FIREWALL_BACKEND, [ ++ WAIT_UNTIL([test "$(NS_CMD([nft $NFT_NUMERIC_ARGS list set inet firewalld foobar |wc -l]))" -eq 31256]) ++], [ ++ WAIT_UNTIL([test "$(NS_CMD([$IPSET list foobar |wc -l]))" -eq 62508]) ++]) ++ + FWD_END_TEST() +-- +2.47.3 + 
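Review bot: The chunks queued with `GLib.idle_add` are not tied to the lifetime of `set_name`: a later flush, delete or reload of the set (the enclosing method starts above this hunk) does not cancel them, so a still-pending chunk can re-add entries to a set that was just flushed, or fail against one that was deleted, and the window in which a rule references a created-but-still-empty set now extends past the point where the daemon reports running. Because `_idle_set_add_entries` only calls `log.error` on failure, a set that never fully loads is invisible to D-Bus callers and to the daemon state; record the source ids returned by `GLib.idle_add` per set and `GLib.source_remove` them in the flush/delete path, and consider surfacing a failed chunk (a counter or a state flag) rather than a log line alone. The final `else:` branch also queues a callback when `rules` is empty (zero entries, or a count that is a multiple of 1000), so guard it with `if rules:`. Style: `GLib.idle_add(_idle_set_add_entries, rules)` is equivalent to the lambda wrapper, since the callback returns `None` and the source is removed after one run.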
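Review bot: The expected line counts `31256` and `62508` are magic numbers that tie the test both to the number of entries generated earlier in the file (outside this hunk) and to the listing format of `nft list set` / `ipset list`; a comment deriving them, e.g. `dnl N generated entries plus the header/footer lines of the listing`, would let the next format change be diagnosed instead of showing up as a 120 s timeout. That ceiling comes from `WAIT_UNTIL`; if the idle-chunked load of this set approaches it on slow CI, the failure is indistinguishable from a genuine loss of entries, so a comment noting the expected load time would also help.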
diff --git a/0042-v2.4.0-fix-systemd-Requires-dbus.patch b/0042-v2.4.0-fix-systemd-Requires-dbus.patch new file mode 100644 index 0000000..b50453d --- /dev/null +++ b/0042-v2.4.0-fix-systemd-Requires-dbus.patch @@ -0,0 +1,28 @@ +From f7c7f94908834824bc777334c5b61e7af4d629b5 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Mon, 13 Oct 2025 15:44:17 -0400 +Subject: [PATCH 42/48] v2.4.0: fix(systemd): Requires dbus + +Use Requires so when dbus is restarted firewalld is also restarted. + +Fixes: RHEL-94927 +(cherry picked from commit b9595ea06e6159735300bb4668a3e7e84966219c) +--- + config/firewalld.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/config/firewalld.service.in b/config/firewalld.service.in +index 08c9f74dd924..7ace390c29d6 100644 +--- a/config/firewalld.service.in ++++ b/config/firewalld.service.in +@@ -2,6 +2,7 @@ + Description=firewalld - dynamic firewall daemon + Before=network-pre.target + Wants=network-pre.target ++Requires=dbus.service + After=dbus.service + After=polkit.service + Conflicts=iptables.service ip6tables.service ebtables.service ipset.service +-- +2.47.3 + diff --git a/firewalld.service b/firewalld.service index 5c41851..d25a114 100644 --- a/firewalld.service +++ b/firewalld.service @@ -1,6 +1,8 @@ [Unit] Description=Firewall dynamic change handling daemon After=syslog.target +Requires=dbus.service +After=dbus.service [Service] Type=forking diff --git a/firewalld.spec b/firewalld.spec index 4fa43fe..0a48c2b 100644 --- a/firewalld.spec +++ b/firewalld.spec @@ -1,7 +1,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall Name: firewalld Version: 1.3.4 -Release: 16%{?dist} +Release: 17%{?dist} URL: http://www.firewalld.org License: GPLv2+ Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2 
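Review bot: `Requires=dbus.service` propagates a stop of `dbus.service` to firewalld, not only a restart, so an administrator or package scriptlet stopping the bus now also stops the firewall; whether rules survive that depends on firewalld's shutdown cleanup (`CleanupOnExit`, not visible here), and with cleanup enabled the host is left without its firewall until dbus starts again. That is a stronger coupling than the commit message describes, so state it there and confirm the intended behaviour on a plain dbus stop; `PartOf=dbus.service` gives the same stop/restart propagation without also making dbus a hard start dependency, if that is preferred.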
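Review bot: This unit is `Type=forking` (visible just below the hunk), so unlike a `Type=dbus` unit the rules-before-bus-name ordering from patch 0037 does not feed into systemd's readiness here: the unit counts as started when the parent process exits, and whether that happens after `start()` is not visible in this diff. If this is the unit actually shipped, consider `Type=dbus` with `BusName=` set to the name the daemon claims, so that `Requires=`/`After=dbus.service` and startup readiness agree. `After=syslog.target` refers to a target that is obsolete in current systemd and can be dropped.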
@@ -40,6 +40,13 @@ Patch32: 0032-v2.4.0-fix-systemd-allow-start-code-251-RUNNING_BUT_FAILED.patch Patch33: 0033-v2.4.0-fix-policy-rich-verify-ipset-exists.patch Patch34: 0034-v2.4.0-test-rich-rule-reference-invalid-ipset.patch Patch35: 0035-v2.2.0-feat-add-iperf-2-3-services.patch +Patch36: 0036-v2.4.0-test-functions-add-macro-WAIT_UNTIL.patch +Patch37: 0037-v2.4.0-fix-server-load-firewall-rules-before-claimin.patch +Patch38: 0038-v2.4.0-Revert-fix-systemd-allow-start-code-251-RUNNI.patch +Patch39: 0039-v2.4.0-Revert-fix-systemd-verify-firewalld-is-respon.patch +Patch40: 0040-v2.4.0-fix-nftables-ipset-add-entries-from-GLib-loop.patch +Patch41: 0041-v2.4.0-test-ipset-scale-verify-all-the-entries-were-.patch +Patch42: 0042-v2.4.0-fix-systemd-Requires-dbus.patch BuildArch: noarch BuildRequires: autoconf BuildRequires: automake @@ -263,6 +270,11 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite %{_mandir}/man1/firewall-config*.1* %changelog +* Tue Dec 02 2025 Eric Garver - 1.3.4-17 +- fix(server): load firewall rules before claiming dbus +- fix(nftables): ipset: add entries from GLib loop when idle +- fix(systemd): Requires dbus + * Tue Dec 02 2025 Eric Garver - 1.3.4-16 - feat: add iperf{2,3} services
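Review bot: Patch38 is a wholesale revert of Patch32 (`0032-v2.4.0-fix-systemd-allow-start-code-251-RUNNING_BUT_FAILED.patch`, still listed above it), so the series applies a unit-file change and then removes it; dropping both Patch32 and Patch38 (and likewise the pair behind Patch39, whose original is not visible here) yields the same result with fewer patches and no intermediate state in which `ExecStartPost=firewall-cmd --state` fails the unit on exit code 251. Keeping them for traceability to upstream is fine, but then a comment next to Patch38/Patch39 saying they revert earlier backports would save the next maintainer a diff.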