import firewalld-0.8.2-6.el8

SOURCES/0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch

@@ -0,0 +1,29 @@
+From 2a1a55209a95c5463e07cc3eb048d128ab7593ed Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 10 Aug 2020 09:29:05 -0400
+Subject: [PATCH 48/62] test(regression/rhbz1541077): use FWD_OFFLINE_CHECK
+ macro
+
+Fixes: 6e279ef6517a ("test(regression/rhbz1541077): correctly use macros")
+Fixes: dddba7b9c276 ("fix(cli): add ipset type hash:mac is incompatible with the family parameter")
+(cherry picked from commit fae16b550ed8b384ee24691e6442b7cbd6b776aa)
+(cherry picked from commit 3efe0f30d4499763aacc573dc634b52ceb11a017)
+---
+ src/tests/regression/rhbz1541077.at | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tests/regression/rhbz1541077.at b/src/tests/regression/rhbz1541077.at
+index 692ca8ecc892..73ad4b49cb3d 100644
+--- a/src/tests/regression/rhbz1541077.at
++++ b/src/tests/regression/rhbz1541077.at
+@@ -4,6 +4,6 @@ AT_KEYWORDS(ipset rhbz1541077)
+ FWD_CHECK([--permanent --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+ FWD_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+ 
+-AT_CHECK([firewall-offline-cmd --new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
++FWD_OFFLINE_CHECK([--new-ipset hashmacv6 --type hash:mac --family inet6], 2, [ignore], [ignore])
+ 
+ FWD_END_TEST
+-- 
+2.28.0
+

SOURCES/0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch

@@ -0,0 +1,30 @@
+From 5326d7a86d6e7413dee343b795a352d8b4e6ab0d Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 10 Aug 2020 09:33:22 -0400
+Subject: [PATCH 49/62] test(regression/rhbz1855140.at): avoid IPv6 tests if
+ IPv6 not available
+
+Fixes: 87ec14dddd74 ("test(rich): icmptypes with one family")
+(cherry picked from commit a47819d346fbd0f4d4d382a6a795c76c7f443a3b)
+(cherry picked from commit 1b4fea7277c26026ecbe09f79928c794489424b9)
+---
+ src/tests/regression/rhbz1855140.at | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
+index 8059e29fe71a..cea943e0bf24 100644
+--- a/src/tests/regression/rhbz1855140.at
++++ b/src/tests/regression/rhbz1855140.at
+@@ -2,7 +2,9 @@ FWD_START_TEST([rich rule icmptypes with one family])
+ AT_KEYWORDS(rich icmp rhbz1855140)
+ 
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
++IF_HOST_SUPPORTS_IPV6_RULES([
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
++])
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
+ FWD_RELOAD
+ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+-- 
+2.28.0
+

SOURCES/0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch

@@ -0,0 +1,53 @@
+From 4d099f4c0866801e40e362090e6986c693386e2c Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 27 Aug 2020 15:30:45 -0400
+Subject: [PATCH 50/62] fix(icmptype): when applying rules get ict from perm
+ config
+
+Otherwise we may get runtime errors because the running kernel doesn't
+support the ict. Use the permanent ict definition so we allow the case
+where ip6tables is missing or not available. Explicit usage of an ict
+not supported by the kernel will still fail to apply at runtime
+(iptables complains), but if ip6tables is missing we don't attempt to
+apply the ipv6 rules thus avoiding the issue.
+
+(cherry picked from commit fdc44800aef4ec166987d529ffaea51f13ff54c2)
+(cherry picked from commit 0016ec8e4aefb6cf2a8986a91530eae25a28ead7)
+---
+ src/firewall/core/fw_zone.py | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index b9fe1f6aae97..9d8bcf620251 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1526,7 +1526,7 @@ class FirewallZone(object):
+         if rule.family:
+             ipvs = [ rule.family ]
+         elif rule.element and (isinstance(rule.element, Rich_IcmpBlock) or isinstance(rule.element, Rich_IcmpType)):
+-            ict = self._fw.icmptype.get_icmptype(rule.element.name)
++            ict = self._fw.config.get_icmptype(rule.element.name)
+             if ict.destination:
+                 ipvs = [ipv for ipv in ["ipv4", "ipv6"] if ipv in ict.destination]
+ 
+@@ -1698,7 +1698,7 @@ class FirewallZone(object):
+             # ICMP BLOCK and ICMP TYPE
+             elif type(rule.element) == Rich_IcmpBlock or \
+                  type(rule.element) == Rich_IcmpType:
+-                ict = self._fw.icmptype.get_icmptype(rule.element.name)
++                ict = self._fw.config.get_icmptype(rule.element.name)
+ 
+                 if type(rule.element) == Rich_IcmpBlock and \
+                    rule.action and type(rule.action) == Rich_Accept:
+@@ -1862,7 +1862,7 @@ class FirewallZone(object):
+         transaction.add_rules(backend, rules)
+ 
+     def _icmp_block(self, enable, zone, icmp, transaction):
+-        ict = self._fw.icmptype.get_icmptype(icmp)
++        ict = self._fw.config.get_icmptype(icmp)
+ 
+         if enable:
+             transaction.add_chain(zone, "filter", "INPUT")
+-- 
+2.28.0
+

SOURCES/0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch

@@ -0,0 +1,50 @@
+From 0b69b4e464f02ea6fec50522b587a93092040b4d Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 27 Aug 2020 15:59:13 -0400
+Subject: [PATCH 51/62] fix(rich): clamp the IP families to those actually
+ enabled
+
+One scenario is if IPv6 is not available, but we specify an icmp-type
+that is ipv6 only, then we'll still attempt to call the IPv6 backend. We
+should not do that.
+
+(cherry picked from commit 4fcb27bdcf8be30d91d490ba2c0286af1cf299de)
+(cherry picked from commit b8b0aeaaf853546f6990e8f635d7ea79233bbc79)
+---
+ src/firewall/core/fw_zone.py        | 5 ++++-
+ src/tests/regression/rhbz1855140.at | 2 --
+ 2 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 9d8bcf620251..bd026222dce5 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1542,7 +1542,10 @@ class FirewallZone(object):
+                 ipvs = [ source_ipv ]
+ 
+         if not ipvs:
+-            ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)]
++            ipvs = ["ipv4", "ipv6"]
++
++        # clamp ipvs to those that are actually enabled.
++        ipvs = [ipv for ipv in ipvs if self._fw.is_ipv_enabled(ipv)]
+ 
+         # add an element to object to allow backends to know what ipvs this applies to
+         rule.ipvs = ipvs
+diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
+index cea943e0bf24..8059e29fe71a 100644
+--- a/src/tests/regression/rhbz1855140.at
++++ b/src/tests/regression/rhbz1855140.at
+@@ -2,9 +2,7 @@ FWD_START_TEST([rich rule icmptypes with one family])
+ AT_KEYWORDS(rich icmp rhbz1855140)
+ 
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
+-IF_HOST_SUPPORTS_IPV6_RULES([
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
+-])
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
+ FWD_RELOAD
+ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+-- 
+2.28.0
+

SOURCES/0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch

@@ -0,0 +1,62 @@
+From 5c18dbc41a2f59364fb495ef164dcc3c9147e408 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 28 Aug 2020 11:44:33 -0400
+Subject: [PATCH 52/62] fix(rich icmptype): verify rule and icmptype families
+ don't conflict
+
+Fixes: rhbz 1855140
+(cherry picked from commit 11aac7755d9c8e338f72b5350329255937efd8e8)
+(cherry picked from commit b49a88095b05bcf1bce36e989d7003948f1ee6f7)
+---
+ src/firewall/core/fw_zone.py |  6 ++++++
+ src/firewall/core/io/zone.py | 17 ++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index bd026222dce5..129306b6f969 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1703,6 +1703,12 @@ class FirewallZone(object):
+                  type(rule.element) == Rich_IcmpType:
+                 ict = self._fw.config.get_icmptype(rule.element.name)
+ 
++                if rule.family and ict.destination and \
++                   rule.family not in ict.destination:
++                    raise FirewallError(errors.INVALID_ICMPTYPE,
++                                        "rich rule family '%s' conflicts with icmp type '%s'" % \
++                                        (rule.family, rule.element.name))
++
+                 if type(rule.element) == Rich_IcmpBlock and \
+                    rule.action and type(rule.action) == Rich_Accept:
+                     # icmp block might have reject or drop action, but not accept
+diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
+index 68b2a7c9567c..529b92c25b62 100644
+--- a/src/firewall/core/io/zone.py
++++ b/src/firewall/core/io/zone.py
+@@ -232,7 +232,22 @@ class Zone(IO_Object):
+                     raise FirewallError(errors.INVALID_ADDR, source)
+         elif item == "rules_str":
+             for rule in config:
+-                rich.Rich_Rule(rule_str=rule)
++                obj_rich = rich.Rich_Rule(rule_str=rule)
++                if self.fw_config and obj_rich.element and (isinstance(obj_rich.element, rich.Rich_IcmpBlock) or
++                                                           isinstance(obj_rich.element, rich.Rich_IcmpType)):
++                    existing_icmptypes = self.fw_config.get_icmptypes()
++                    if obj_rich.element.name not in existing_icmptypes:
++                        raise FirewallError(errors.INVALID_ICMPTYPE,
++                                            "'%s' not among existing icmp types" % \
++                                            obj_rich.element.name)
++
++                    elif obj_rich.family:
++                        ict = self.fw_config.get_icmptype(obj_rich.element.name)
++                        if ict.destination and obj_rich.family not in ict.destination:
++                            raise FirewallError(errors.INVALID_ICMPTYPE,
++                                                "rich rule family '%s' conflicts with icmp type '%s'" % \
++                                                (obj_rich.family, obj_rich.element.name))
++
+ 
+     def check_name(self, name):
+         super(Zone, self).check_name(name)
+-- 
+2.28.0
+

SOURCES/0053-fix-nftables-packet-marks-with-masks.patch

@@ -0,0 +1,48 @@
+From 08cb6f0c7abca95fa898020bb9f3ba3f4bfbf148 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 28 Aug 2020 13:15:34 -0400
+Subject: [PATCH 53/62] fix(nftables): packet marks with masks
+
+(cherry picked from commit e296b926ae5dc4cbc277b6dd755d045e73ed4411)
+(cherry picked from commit 371efe757f2bde20b4301a78ed3c48ec1d31bf5e)
+---
+ src/firewall/core/fw_zone.py  | 2 ++
+ src/firewall/core/nftables.py | 9 +++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 129306b6f969..6eaed4232405 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1719,6 +1719,8 @@ class FirewallZone(object):
+                 if enable:
+                     transaction.add_chain(zone, table, "INPUT")
+                     transaction.add_chain(zone, table, "FORWARD_IN")
++                if enable and type(rule.action) == Rich_Mark:
++                    transaction.add_chain(zone, "mangle", "PREROUTING")
+ 
+                 rules = backend.build_zone_icmp_block_rules(enable, zone, ict, rule)
+                 transaction.add_rules(backend, rules)
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 0198200b2372..76668a60468f 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1043,8 +1043,13 @@ class nftables(object):
+                                                 zone=zone)
+             table = "mangle"
+             chain = "%s_%s_%s" % (table, target, chain_suffix)
+-            rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
+-                                      "value": rich_rule.action.set}}
++            value = rich_rule.action.set.split("/")
++            if len(value) > 1:
++                rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
++                                          "value": {"^": [{"&": [{"meta": {"key": "mark"}}, value[1]]}, value[0]]}}}
++            else:
++                rule_action = {"mangle": {"key": {"meta": {"key": "mark"}},
++                                          "value": value[0]}}
+         else:
+             raise FirewallError(INVALID_RULE,
+                                 "Unknown action %s" % type(rich_rule.action))
+-- 
+2.28.0
+

SOURCES/0054-fix-nftables-icmp-types-with-code-0.patch

@@ -0,0 +1,27 @@
+From 603ca9c2dd16f212a8b2fb43a9e9599fe3dd3abf Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 28 Aug 2020 14:22:18 -0400
+Subject: [PATCH 54/62] fix(nftables): icmp types with code == 0
+
+(cherry picked from commit 098e35168d6a15516cc76189a70df8db56bd1b13)
+(cherry picked from commit 8dcfaa607329cd4c2bdaa3b101371a30a04ef858)
+---
+ src/firewall/core/nftables.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 76668a60468f..daa7ace085a2 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -82,7 +82,7 @@ def _icmp_types_fragments(protocol, type, code=None):
+     fragments = [{"match": {"left": {"payload": {"protocol": protocol, "field": "type"}},
+                             "op": "==",
+                             "right": type}}]
+-    if code:
++    if code is not None:
+         fragments.append({"match": {"left": {"payload": {"protocol": protocol, "field": "code"}},
+                                     "op": "==",
+                                     "right": code}})
+-- 
+2.28.0
+

SOURCES/0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch

@@ -0,0 +1,35 @@
+From d4f35b11f2edb1cf680ed2081a14b599ef3f3b63 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 31 Aug 2020 15:38:34 -0400
+Subject: [PATCH 55/62] fix(ipXtables): rich: avoid duplicate rules for
+ icmp-type w/ mark action
+
+This is a stable only fix. It does not occur on master.
+
+(cherry picked from commit 9b7ba2fcedace408aae498fea1c973a988370808)
+---
+ src/firewall/core/ipXtables.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index b1d6c202fda7..c4535f2e5818 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -1240,8 +1240,13 @@ class ip4tables(object):
+             proto = [ "-p", "ipv6-icmp" ]
+             match = [ "-m", "icmp6", "--icmpv6-type", ict.name ]
+ 
++        if rich_rule and rich_rule.action and isinstance(rich_rule.action, Rich_Mark):
++            chains = ["PREROUTING"]
++        else:
++            chains = ["INPUT", "FORWARD_IN"]
++
+         rules = []
+-        for chain in ["INPUT", "FORWARD_IN"]:
++        for chain in chains:
+             target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
+                                                 zone=zone)
+             if self._fw.zone.query_icmp_block_inversion(zone):
+-- 
+2.28.0
+

SOURCES/0056-test-regression-rhbz1855140-add-negative-tests.patch

@@ -0,0 +1,66 @@
+From 08cc79942e820d9ce86c5c0bd0249ec4335955ce Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 28 Aug 2020 10:48:35 -0400
+Subject: [PATCH 56/62] test(regression/rhbz1855140): add negative tests
+
+(cherry picked from commit b50032185422f5538a8a6211cfa43cfaa2d67ec4)
+(cherry picked from commit 264375df35124b5920b9d3e690944aaad1e4790c)
+---
+ src/tests/regression/rhbz1855140.at | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/regression/rhbz1855140.at b/src/tests/regression/rhbz1855140.at
+index 8059e29fe71a..fbb33a419c56 100644
+--- a/src/tests/regression/rhbz1855140.at
++++ b/src/tests/regression/rhbz1855140.at
+@@ -4,7 +4,15 @@ AT_KEYWORDS(rich icmp rhbz1855140)
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="echo-request" accept'], 0, ignore)
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="neighbour-advertisement" accept'], 0, ignore)
+ FWD_CHECK([--permanent --zone public --add-rich-rule='rule icmp-type name="timestamp-request" accept'], 0, ignore)
++FWD_CHECK([--permanent --zone public --add-rich-rule 'rule icmp-type name=bad-header mark set=0x86/0x86'], 0, ignore)
+ FWD_RELOAD
++NFT_LIST_RULES([inet], [mangle_PRE_public_allow], 0, [dnl
++    table inet firewalld {
++        chain mangle_PRE_public_allow {
++            icmpv6 type parameter-problem icmpv6 code no-route mark set mark & 0x00000086 ^ 0x00000086
++        }
++    }
++])
+ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+     table inet firewalld {
+         chain filter_IN_public_allow {
+@@ -18,12 +26,17 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+         }
+     }
+ ])
++IPTABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
++])
+ IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+     ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+     ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+     ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
+     ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
+ ])
++IP6TABLES_LIST_RULES([mangle], [PRE_public_allow], 0, [dnl
++    MARK icmpv6 ::/0 ::/0 ipv6-icmptype 4 code 0 MARK or 0x86
++])
+ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+     ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+     ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+@@ -32,4 +45,12 @@ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+     ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 136
+ ])
+ 
+-FWD_END_TEST
++dnl verify bad icmptypes are rejected
++FWD_CHECK([--permanent --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore])
++FWD_CHECK([            --add-rich-rule 'rule icmp-type name=bogus mark set=0x86/0x86'], 107, [ignore], [ignore])
++FWD_CHECK([--permanent --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore])
++IF_HOST_SUPPORTS_IPV6_RULES([
++FWD_CHECK([            --add-rich-rule 'rule family=ipv6 icmp-type name=timestamp-request drop'], 107, [ignore], [ignore])
++])
++
++FWD_END_TEST([-e '/ERROR: INVALID_ICMPTYPE:/d'])
+-- 
+2.28.0
+

SOURCES/0057-fix-policy-cache-rule_str-for-rich-rules.patch

@@ -0,0 +1,80 @@
+From 0f94133731fa497b04744fa4a37cfa5fd5e45fab Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Wed, 26 Aug 2020 11:38:36 -0400
+Subject: [PATCH 57/62] fix(policy): cache rule_str for rich rules
+
+There are various areas that we use list comprehensions to convert
+Rich_Rule to rule_str. This isn't cheap. Let's just cache the rule_str
+and avoid the cost.
+
+Fixes: rhbz 1871298
+(cherry picked from commit 5402724221a3dddc9c139663d28ababed4057cc6)
+(cherry picked from commit 763b07972fd80e7b2f28b29efe812b92f6dff1d1)
+---
+ src/firewall/core/io/zone.py | 17 ++++++++---------
+ 1 file changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/src/firewall/core/io/zone.py b/src/firewall/core/io/zone.py
+index 529b92c25b62..ec81762be100 100644
+--- a/src/firewall/core/io/zone.py
++++ b/src/firewall/core/io/zone.py
+@@ -120,6 +120,7 @@ class Zone(IO_Object):
+         self.sources = [ ]
+         self.fw_config = None # to be able to check services and a icmp_blocks
+         self.rules = [ ]
++        self.rules_str = [ ]
+         self.icmp_block_inversion = False
+         self.combined = False
+         self.applied = False
+@@ -141,6 +142,7 @@ class Zone(IO_Object):
+         del self.sources[:]
+         self.fw_config = None # to be able to check services and a icmp_blocks
+         del self.rules[:]
++        del self.rules_str[:]
+         self.icmp_block_inversion = False
+         self.combined = False
+         self.applied = False
+@@ -163,17 +165,13 @@ class Zone(IO_Object):
+         self.interfaces = [u2b_if_py2(i) for i in self.interfaces]
+         self.sources = [u2b_if_py2(s) for s in self.sources]
+         self.rules = [u2b_if_py2(s) for s in self.rules]
+-
+-    def __getattr__(self, name):
+-        if name == "rules_str":
+-            rules_str = [str(rule) for rule in self.rules]
+-            return rules_str
+-        else:
+-            return getattr(super(Zone, self), name)
++        self.rules_str = [u2b_if_py2(s) for s in self.rules_str]
+ 
+     def __setattr__(self, name, value):
+         if name == "rules_str":
+             self.rules = [rich.Rich_Rule(rule_str=s) for s in value]
++            # must convert back to string to get the canonical string.
++            super(Zone, self).__setattr__(name, [str(s) for s in self.rules])
+         else:
+             super(Zone, self).__setattr__(name, value)
+ 
+@@ -307,6 +305,7 @@ class Zone(IO_Object):
+                 self.source_ports.append(port)
+         for rule in zone.rules:
+             self.rules.append(rule)
++            self.rules_str.append(str(rule))
+         if zone.icmp_block_inversion:
+             self.icmp_block_inversion = True
+ 
+@@ -687,9 +686,9 @@ class zone_ContentHandler(IO_Object_ContentHandler):
+                 except Exception as e:
+                     log.warning("%s: %s", e, str(self._rule))
+                 else:
+-                    if str(self._rule) not in \
+-                       [ str(x) for x in self.item.rules ]:
++                    if str(self._rule) not in self.item.rules_str:
+                         self.item.rules.append(self._rule)
++                        self.item.rules_str.append(str(self._rule))
+                     else:
+                         log.warning("Rule '%s' already set, ignoring.",
+                                     str(self._rule))
+-- 
+2.28.0
+

SOURCES/0058-test-zone-rich-rule-parsing-bottleneck.patch

@@ -0,0 +1,55 @@
+From ed42b8048e97040802da727f77cad4a1bb5ff42b Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Wed, 26 Aug 2020 14:28:45 -0400
+Subject: [PATCH 58/62] test(zone): rich rule parsing bottleneck
+
+Coverage for rhbz 1871298.
+Verify we can parse a large amount of rich rules in a reasonable time.
+
+This test took 3m before the fix and now takes 18s after the fix.
+Considering it "failed" after 45s should give us plenty of headroom.
+
+(cherry picked from commit ece30971412eedb9032b0d87233ca21ef9154830)
+(cherry picked from commit b21f071851ffec6d3a382b6e60eb88dcda7df467)
+---
+ src/tests/regression/regression.at  |  1 +
+ src/tests/regression/rhbz1871298.at | 18 ++++++++++++++++++
+ 2 files changed, 19 insertions(+)
+ create mode 100644 src/tests/regression/rhbz1871298.at
+
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index d7b4d56239d1..65540840f50e 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -34,3 +34,4 @@ m4_include([regression/rhbz1689429.at])
+ m4_include([regression/rhbz1483921.at])
+ m4_include([regression/rhbz1541077.at])
+ m4_include([regression/rhbz1855140.at])
++m4_include([regression/rhbz1871298.at])
+diff --git a/src/tests/regression/rhbz1871298.at b/src/tests/regression/rhbz1871298.at
+new file mode 100644
+index 000000000000..0689399d85ec
+--- /dev/null
++++ b/src/tests/regression/rhbz1871298.at
+@@ -0,0 +1,18 @@
++FWD_START_TEST([rich rule parsing bottleneck])
++AT_KEYWORDS(rich offline rhbz1871298)
++
++AT_SKIP_IF([! NS_CMD([which timeout >/dev/null 2>&1])])
++
++NS_CHECK([mkdir -p ./zones])
++NS_CHECK([echo '<?xml version="1.0" encoding="utf-8"?>' > ./zones/foobar.xml])
++NS_CHECK([echo "<zone>" >> ./zones/foobar.xml])
++NS_CHECK([echo "<short>foobar</short>" >> ./zones/foobar.xml])
++NS_CHECK([sh -c 'for I in $(seq 10000); do echo "<rule family=\"ipv4\"><port protocol=\"tcp\" port=\"$I\" /><accept/></rule>" >> ./zones/foobar.xml; done'])
++NS_CHECK([echo "</zone>" >> ./zones/foobar.xml])
++
++if test "x${FIREWALLD_DEFAULT_CONFIG}" != x ; then
++    FIREWALL_OFFLINE_CMD_ARGS+=" --default-config ${FIREWALLD_DEFAULT_CONFIG}"
++fi
++NS_CHECK([timeout 45 firewall-offline-cmd --system-config ./ $FIREWALL_OFFLINE_CMD_ARGS --check-config], 0, [ignore])
++
++FWD_END_TEST
+-- 
+2.28.0
+

SOURCES/0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch

@@ -0,0 +1,158 @@
+From 244d1bfe190f2cc32c10d0fecaf81536761ecc09 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 1 Sep 2020 13:16:23 -0400
+Subject: [PATCH 59/62] fix(icmptype): nftables: runtimeToPermanent if
+ ip6tables not available
+
+We were not filling the runtime ipv6 icmptypes list if the active
+backend was nftables and ip6tables wasn't available. This caused "ipv6"
+to be dropped from the supported ipvs/destinations for the icmptype.
+This also caused runtimeToPermanent to fail because the runtime
+icmptypes definition dropped "ipv6" causing runtimeToPermanent to copy
+the runtime icmptype to permanent because they were different... this
+caused sanity checks on the permanent configuration to fail.
+
+(cherry picked from commit c92d43dcdf5622e82e28454652acd6a981b015f9)
+(cherry picked from commit 6f23f727be818f356625e39682fb226a81925647)
+---
+ src/firewall/core/fw.py          | 24 ++++++++++++++----------
+ src/firewall/core/fw_icmptype.py |  8 ++++----
+ src/firewall/core/ipXtables.py   |  2 +-
+ src/firewall/core/nftables.py    |  6 +++---
+ src/firewall/server/firewalld.py |  4 ++--
+ 5 files changed, 24 insertions(+), 20 deletions(-)
+
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index c767f416f3d2..1df916efb10f 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -76,10 +76,10 @@ class Firewall(object):
+         else:
+             self.ip4tables_backend = ipXtables.ip4tables(self)
+             self.ip4tables_enabled = True
+-            self.ip4tables_supported_icmp_types = [ ]
++            self.ipv4_supported_icmp_types = [ ]
+             self.ip6tables_backend = ipXtables.ip6tables(self)
+             self.ip6tables_enabled = True
+-            self.ip6tables_supported_icmp_types = [ ]
++            self.ipv6_supported_icmp_types = [ ]
+             self.ebtables_backend = ebtables.ebtables()
+             self.ebtables_enabled = True
+             self.ipset_backend = ipset.ipset()
+@@ -172,11 +172,13 @@ class Firewall(object):
+                 log.warning("iptables-restore and iptables are missing, "
+                             "disabling IPv4 firewall.")
+                 self.ip4tables_enabled = False
+-        if self.ip4tables_enabled:
+-            self.ip4tables_supported_icmp_types = \
+-                self.ip4tables_backend.supported_icmp_types()
++        if self.nftables_enabled:
++            self.ipv4_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv4")
+         else:
+-            self.ip4tables_supported_icmp_types = [ ]
++            if self.ip4tables_enabled:
++                self.ipv4_supported_icmp_types = self.ip4tables_backend.supported_icmp_types()
++            else:
++                self.ipv4_supported_icmp_types = [ ]
+         self.ip6tables_backend.fill_exists()
+         if not self.ip6tables_backend.restore_command_exists:
+             if self.ip6tables_backend.command_exists:
+@@ -186,11 +188,13 @@ class Firewall(object):
+                 log.warning("ip6tables-restore and ip6tables are missing, "
+                             "disabling IPv6 firewall.")
+                 self.ip6tables_enabled = False
+-        if self.ip6tables_enabled:
+-            self.ip6tables_supported_icmp_types = \
+-                self.ip6tables_backend.supported_icmp_types()
++        if self.nftables_enabled:
++            self.ipv6_supported_icmp_types = self.nftables_backend.supported_icmp_types("ipv6")
+         else:
+-            self.ip6tables_supported_icmp_types = [ ]
++            if self.ip6tables_enabled:
++                self.ipv6_supported_icmp_types = self.ip6tables_backend.supported_icmp_types()
++            else:
++                self.ipv6_supported_icmp_types = [ ]
+         self.ebtables_backend.fill_exists()
+         if not self.ebtables_backend.restore_command_exists:
+             if self.ebtables_backend.command_exists:
+diff --git a/src/firewall/core/fw_icmptype.py b/src/firewall/core/fw_icmptype.py
+index afe9f91d6bf6..a565bb6d8733 100644
+--- a/src/firewall/core/fw_icmptype.py
++++ b/src/firewall/core/fw_icmptype.py
+@@ -57,13 +57,13 @@ class FirewallIcmpType(object):
+         ipvs = orig_ipvs[:]
+         for ipv in orig_ipvs:
+             if ipv == "ipv4":
+-                if not self._fw.ip4tables_enabled:
++                if not self._fw.ip4tables_enabled and not self._fw.nftables_enabled:
+                     continue
+-                supported_icmps = self._fw.ip4tables_supported_icmp_types
++                supported_icmps = self._fw.ipv4_supported_icmp_types
+             elif ipv == "ipv6":
+-                if not self._fw.ip6tables_enabled:
++                if not self._fw.ip6tables_enabled and not self._fw.nftables_enabled:
+                     continue
+-                supported_icmps = self._fw.ip6tables_supported_icmp_types
++                supported_icmps = self._fw.ipv6_supported_icmp_types
+             else:
+                 supported_icmps = [ ]
+             if obj.name.lower() not in supported_icmps:
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index c4535f2e5818..450e427c08b5 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -612,7 +612,7 @@ class ip4tables(object):
+                 rules.append(["-t", table, "-P", chain, _policy])
+         return rules
+ 
+-    def supported_icmp_types(self):
++    def supported_icmp_types(self, ipv=None):
+         """Return ICMP types that are supported by the iptables/ip6tables command and kernel"""
+         ret = [ ]
+         output = ""
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index daa7ace085a2..0a73c2c2669d 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -480,13 +480,13 @@ class nftables(object):
+ 
+         return rules
+ 
+-    def supported_icmp_types(self):
++    def supported_icmp_types(self, ipv=None):
+         # nftables supports any icmp_type via arbitrary type/code matching.
+         # We just need a translation for it in ICMP_TYPES_FRAGMENTS.
+         supported = set()
+ 
+-        for ipv in ICMP_TYPES_FRAGMENTS.keys():
+-            supported.update(ICMP_TYPES_FRAGMENTS[ipv].keys())
++        for _ipv in [ipv] if ipv else ICMP_TYPES_FRAGMENTS.keys():
++            supported.update(ICMP_TYPES_FRAGMENTS[_ipv].keys())
+ 
+         return list(supported)
+ 
+diff --git a/src/firewall/server/firewalld.py b/src/firewall/server/firewalld.py
+index 10b085d48660..949f577053cc 100644
+--- a/src/firewall/server/firewalld.py
++++ b/src/firewall/server/firewalld.py
+@@ -162,7 +162,7 @@ class FirewallD(slip.dbus.service.Object):
+             return dbus.Boolean(self.fw.ip4tables_enabled)
+ 
+         elif prop == "IPv4ICMPTypes":
+-            return dbus.Array(self.fw.ip4tables_supported_icmp_types, "s")
++            return dbus.Array(self.fw.ipv4_supported_icmp_types, "s")
+ 
+         elif prop == "IPv6":
+             return dbus.Boolean(self.fw.ip6tables_enabled)
+@@ -171,7 +171,7 @@ class FirewallD(slip.dbus.service.Object):
+             return dbus.Boolean(self.fw.ipv6_rpfilter_enabled)
+ 
+         elif prop == "IPv6ICMPTypes":
+-            return dbus.Array(self.fw.ip6tables_supported_icmp_types, "s")
++            return dbus.Array(self.fw.ipv6_supported_icmp_types, "s")
+ 
+         elif prop == "BRIDGE":
+             return dbus.Boolean(self.fw.ebtables_enabled)
+-- 
+2.28.0
+

SOURCES/0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch

@@ -0,0 +1,29 @@
+From 8a520d8343ab1567f0f3df39e4fc45dbaf9c6f77 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 24 Sep 2020 15:24:41 -0400
+Subject: [PATCH 60/62] docs(firewall-cmd): clarify lockdown whitelist command
+ paths
+
+Reported-by: D. Hugh Redelmeier <hugh@mimosa.com>
+(cherry picked from commit a7b12b8eb87dd3bd2bb342cf5d74bf089cf3b9a6)
+(cherry picked from commit 7e9b1a02cc7aa12f9c499b2acad584dbabf9a518)
+---
+ doc/xml/firewall-cmd.xml.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
+index 8bc389acae6c..702c549ab9d9 100644
+--- a/doc/xml/firewall-cmd.xml.in
++++ b/doc/xml/firewall-cmd.xml.in
+@@ -2104,7 +2104,7 @@ For interfaces that are not under control of NetworkManager, firewalld tries to
+ 	If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match.
+       </para>
+       <para>
+-	Commands for user root and others is not always the same. Example: As root <command>/bin/firewall-cmd</command> is used, as a normal user <command>/usr/bin/firewall-cmd</command> is be used on Fedora. 
++	Command paths for users are not always the same and depends on the users PATH. Some distributions symlink <command>/bin</command> to <command>/usr/bin</command> in which case it depends on the order they appear in the PATH environment variable.
+       </para>
+       <para>
+ 	The context is the security (SELinux) context of a running application or service. To get the context of a running application use <command>ps -e --context</command>.
+-- 
+2.28.0
+

SOURCES/0061-docs-dbus-fix-invalid-method-names.patch

@@ -0,0 +1,39 @@
+From b82e2cf588916624c5f45c10e7c929f24ff84e9a Mon Sep 17 00:00:00 2001
+From: Donald Yandt <10255876+TorontoMedia@users.noreply.github.com>
+Date: Sun, 27 Sep 2020 20:19:35 -0400
+Subject: [PATCH 61/62] docs(dbus): fix invalid method names
+
+Replace invalid method names for both 'queryEntry' and 'queryIPSet'.
+
+Fixes: #693
+(cherry picked from commit 6fc82d2d34b436a1f1921b36930169c965f3ff4b)
+(cherry picked from commit 24fb2b2424107cd88e331b8f8edae0dc1671c504)
+---
+ doc/xml/firewalld.dbus.xml | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/doc/xml/firewalld.dbus.xml b/doc/xml/firewalld.dbus.xml
+index 1625b9d50576..3bf4f53b108d 100644
+--- a/doc/xml/firewalld.dbus.xml
++++ b/doc/xml/firewalld.dbus.xml
+@@ -579,7 +579,7 @@
+             </listitem>
+           </varlistentry>
+           <varlistentry id="FirewallD1.ipset.Methods.queryEntry">
+-            <term><methodname>queryService</methodname>(s: ipset, s: entry) &rarr; b</term>
++            <term><methodname>queryEntry</methodname>(s: ipset, s: entry) &rarr; b</term>
+             <listitem>
+               <para>
+ 		Return whether <replaceable>entry</replaceable> has been added to <replaceable>ipset</replaceable>.
+@@ -591,7 +591,7 @@
+             </listitem>
+           </varlistentry>
+           <varlistentry id="FirewallD1.ipset.Methods.queryIPSet">
+-            <term><methodname>queryService</methodname>(s: ipset) &rarr; b</term>
++            <term><methodname>queryIPSet</methodname>(s: ipset) &rarr; b</term>
+             <listitem>
+               <para>
+ 		Return whether <replaceable>ipset</replaceable> is defined in runtime configuration.
+-- 
+2.28.0
+

SOURCES/0062-docs-firewall-cmd-small-description-grammar-fix.patch

@@ -0,0 +1,27 @@
+From cd158a2880734c5da329e9a5c9c075ba5bceced6 Mon Sep 17 00:00:00 2001
+From: diegoe <diegoe@gnome.org>
+Date: Wed, 21 Oct 2020 21:19:52 -0500
+Subject: [PATCH 62/62] docs(firewall-cmd): small description grammar fix
+
+(cherry picked from commit 9ae97bb2b65fbafa0ed5c0bfd9ebd5945bc6bea9)
+(cherry picked from commit 9b4664fca4d3551dbb758a53b212a5aab043ccd9)
+---
+ doc/xml/firewall-cmd.xml.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in
+index 702c549ab9d9..1789f513d8ee 100644
+--- a/doc/xml/firewall-cmd.xml.in
++++ b/doc/xml/firewall-cmd.xml.in
+@@ -56,7 +56,7 @@
+     <title>Description</title>
+ 		
+     <para>
+-      firewall-cmd is the command line client of the firewalld daemon. It provides interface to manage runtime and permanent configuration.
++      firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configurations.
+     </para>
+ 
+     <para>
+-- 
+2.28.0
+

SOURCES/0065-fix-rich-non-printable-characters-removed-from-rich-.patch

@@ -0,0 +1,107 @@
+From dbce20e28a898c394274109904d471d84cfa7fea Mon Sep 17 00:00:00 2001
+From: Vrinda Punj <vpunj@redhat.com>
+Date: Fri, 13 Nov 2020 10:40:51 -0500
+Subject: [PATCH 65/66] fix(rich): non-printable characters removed from rich
+ rules
+
+Fixes: rhbz 1596304
+Fixes: #480
+
+(cherry picked from commit ac5960856991a00ddf7a558e31fd3248c8279a1f)
+(cherry picked from commit a55416ea5f79f1a7cb1a97b6ee39524a542a8663)
+---
+ src/firewall/core/rich.py           |  2 ++
+ src/firewall/functions.py           |  9 ++++++++-
+ src/tests/regression/regression.at  |  1 +
+ src/tests/regression/rhbz1596304.at | 23 +++++++++++++++++++++++
+ 4 files changed, 34 insertions(+), 1 deletion(-)
+ create mode 100644 src/tests/regression/rhbz1596304.at
+
+diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
+index 86c0c998a478..03bc194c2b28 100644
+--- a/src/firewall/core/rich.py
++++ b/src/firewall/core/rich.py
+@@ -307,6 +307,8 @@ class Rich_Rule(object):
+         if not rule_str:
+             raise FirewallError(errors.INVALID_RULE, 'empty rule')
+ 
++        rule_str = functions.stripNonPrintableCharacters(rule_str)
++
+         self.priority = 0
+         self.family = None
+         self.source = None
+diff --git a/src/firewall/functions.py b/src/firewall/functions.py
+index 6af220619f17..d20b702e047e 100644
+--- a/src/firewall/functions.py
++++ b/src/firewall/functions.py
+@@ -27,7 +27,7 @@ __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName",
+             "check_single_address", "check_mac", "uniqify", "ppid_of_pid",
+             "max_zone_name_len", "checkUser", "checkUid", "checkCommand",
+             "checkContext", "joinArgs", "splitArgs",
+-            "b2u", "u2b", "u2b_if_py2" ]
++            "b2u", "u2b", "u2b_if_py2", "stripNonPrintableCharacters"]
+ 
+ import socket
+ import os
+@@ -42,6 +42,10 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
+ 
+ PY2 = sys.version < '3'
+ 
++NOPRINT_TRANS_TABLE = {
++    i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
++}
++
+ def getPortID(port):
+     """ Check and Get port id from port string or port id using socket.getservbyname
+ 
+@@ -226,6 +230,9 @@ def checkIPnMask(ip):
+                 return False
+     return True
+ 
++def stripNonPrintableCharacters(rule_str):
++    return rule_str.translate(NOPRINT_TRANS_TABLE)
++
+ def checkIP6nMask(ip):
+     if "/" in ip:
+         addr = ip[:ip.index("/")]
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index 65540840f50e..c1e8620ee700 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -35,3 +35,4 @@ m4_include([regression/rhbz1483921.at])
+ m4_include([regression/rhbz1541077.at])
+ m4_include([regression/rhbz1855140.at])
+ m4_include([regression/rhbz1871298.at])
++m4_include([regression/rhbz1596304.at])
+diff --git a/src/tests/regression/rhbz1596304.at b/src/tests/regression/rhbz1596304.at
+new file mode 100644
+index 000000000000..98a33934e271
+--- /dev/null
++++ b/src/tests/regression/rhbz1596304.at
+@@ -0,0 +1,23 @@
++FWD_START_TEST([rich rules strip non-printable characters])
++AT_KEYWORDS(rich rhbz1596304)
++
++dnl source address contains a tab character
++FWD_CHECK([--permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="104.243.250.0/22	" port port=80 protocol=tcp accept'],0,ignore)
++FWD_RELOAD
++FWD_CHECK([--list-all | TRIM_WHITESPACE], 0, [m4_strip([dnl
++        public
++        target: default
++        icmp-block-inversion: no
++        interfaces:
++        sources:
++        services: cockpit dhcpv6-client ssh
++        ports:
++        protocols:
++        masquerade: no
++        forward-ports:
++        source-ports:
++        icmp-blocks:
++        rich rules:
++	rule family="ipv4" source address="104.243.250.0/22" port port="80" protocol="tcp" accept
++    ])])
++FWD_END_TEST
+-- 
+2.28.0
+

SOURCES/0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch

@@ -0,0 +1,38 @@
+From ff6e65737413d54b6f6964f72827a92fdbecc182 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Fri, 8 Jan 2021 13:38:15 -0500
+Subject: [PATCH 68/68] fix(rich): limit table to strip non-printables to C0
+ and C1
+
+Generating the table was taking an unreasonable amount of memory.
+Stripping C0 and C1 should cover most scenarios while limiting memory
+usage.
+
+Fixes: ac5960856991 ("fix(rich): non-printable characters removed from rich rules")
+(cherry picked from commit 015704b44f81d535a868fe28368f977cefd28638)
+(cherry picked from commit 629a53ef027146f8e4e486c40c8bde04cda830d3)
+---
+ src/firewall/functions.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/functions.py b/src/firewall/functions.py
+index d20b702e047e..1ea9f4309234 100644
+--- a/src/firewall/functions.py
++++ b/src/firewall/functions.py
+@@ -43,7 +43,12 @@ from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE
+ PY2 = sys.version < '3'
+ 
+ NOPRINT_TRANS_TABLE = {
+-    i: None for i in range(0, sys.maxunicode + 1) if not chr(i).isprintable()
++    # Limit to C0 and C1 code points. Building entries for all unicode code
++    # points requires too much memory.
++    # C0 = [0, 31]
++    # C1 = [127, 159]
++    #
++    i: None for i in range(0, 160) if not (i > 31 and i < 127)
+ }
+ 
+ def getPortID(port):
+-- 
+2.27.0
+

SOURCES/0067-fix-zone-add-source-with-mac-address.patch

@@ -0,0 +1,93 @@
+From 2871abfceceba37c6ba38aa0ef25e23a059294ec Mon Sep 17 00:00:00 2001
+From: Vrinda Punj <vpunj@redhat.com>
+Date: Wed, 18 Nov 2020 13:14:44 -0500
+Subject: [PATCH 67/68] fix(zone): add source with mac address
+
+nftables supports matching the destination MAC, but iptables does not.
+As such, lift the restriction from nftables. For iptables, gracefully
+ignore the scenarios in which we attempt to match destination MAC.
+
+Fixes: #703
+Fixes: df4aefcbe7b7 ("improvement(ipXtables): add utility function match sources")
+Fixes: 1582c5dd736a ("feat: nftables: convert to libnftables JSON interface")
+
+Co-authored-by: Eric Garver <eric@garver.life>
+(cherry picked from commit 20151fbb5c5104e3d4dbc4ea938b9a68bdbcf225)
+(cherry picked from commit 79bb113a2a108ce1c69dc7bc7af60297b8ec2ad0)
+---
+ src/firewall/core/ipXtables.py     |  4 ++++
+ src/firewall/core/nftables.py      |  2 --
+ src/tests/regression/gh703.at      | 23 +++++++++++++++++++++++
+ src/tests/regression/regression.at |  1 +
+ 4 files changed, 28 insertions(+), 2 deletions(-)
+ create mode 100644 src/tests/regression/gh703.at
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index 450e427c08b5..b28146edd060 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -814,6 +814,10 @@ class ip4tables(object):
+         else:
+             zone_dispatch_chain = "%s_ZONES" % (chain)
+ 
++        # iptables can not match destination MAC
++        if check_mac(address) and chain in ["POSTROUTING", "FORWARD_OUT", "OUTPUT"]:
++            return []
++
+         target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
+         action = "-g"
+ 
+diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
+index 0a73c2c2669d..a0a899dd3eef 100644
+--- a/src/firewall/core/nftables.py
++++ b/src/firewall/core/nftables.py
+@@ -1067,8 +1067,6 @@ class nftables(object):
+             return self._set_match_fragment(address[len("ipset:"):], True if "daddr" == addr_field else False, invert)
+         else:
+             if check_mac(address):
+-                if addr_field == "daddr":
+-                    raise FirewallError(INVALID_RULE, "%s._rule_addr_fragment()", (self.__class__))
+                 family = "ether"
+             elif check_single_address("ipv4", address):
+                 family = "ip"
+diff --git a/src/tests/regression/gh703.at b/src/tests/regression/gh703.at
+new file mode 100644
+index 000000000000..af724a7713a7
+--- /dev/null
++++ b/src/tests/regression/gh703.at
+@@ -0,0 +1,23 @@
++FWD_START_TEST([add source with mac address])
++AT_KEYWORDS(gh703)
++
++FWD_CHECK([--zone=home --add-source=34:7e:5c:3a:4c:32], 0, [ignore])
++
++NFT_LIST_RULES([ip], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
++    table ip firewalld {
++        chain nat_POSTROUTING_ZONES_SOURCE {
++            ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
++        }          
++    }          
++])
++NFT_LIST_RULES([ip6], [nat_POSTROUTING_ZONES_SOURCE], 0, [dnl
++    table ip6 firewalld {
++        chain nat_POSTROUTING_ZONES_SOURCE {
++            ether daddr 34:7e:5c:3a:4c:32 goto nat_POST_home
++        }          
++    }          
++])
++
++dnl NOTE: iptables does _not_ support matching mac destination.
++
++FWD_END_TEST
+diff --git a/src/tests/regression/regression.at b/src/tests/regression/regression.at
+index c1e8620ee700..7597a458076c 100644
+--- a/src/tests/regression/regression.at
++++ b/src/tests/regression/regression.at
+@@ -36,3 +36,4 @@ m4_include([regression/rhbz1541077.at])
+ m4_include([regression/rhbz1855140.at])
+ m4_include([regression/rhbz1871298.at])
+ m4_include([regression/rhbz1596304.at])
++m4_include([regression/gh703.at])
+-- 
+2.27.0
+

SOURCES/v0.9.0-0063-feat-service-add-collectd-service.patch

@@ -0,0 +1,52 @@
+From 4aa1e421dae3ece1de075ef538f709d6388f8811 Mon Sep 17 00:00:00 2001
+From: Vrinda Punj <vpunj@redhat.com>
+Date: Wed, 10 Jun 2020 16:14:43 -0400
+Subject: [PATCH 63/64] feat(service): add collectd service Fixes: rhbz 1837368
+
+(cherry picked from commit 8b974e75d9100b17568a55c4962dfe09d34f03dc)
+---
+ config/Makefile.am           | 1 +
+ config/services/collectd.xml | 6 ++++++
+ po/POTFILES.in               | 1 +
+ 3 files changed, 8 insertions(+)
+ create mode 100644 config/services/collectd.xml
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index 702592e6a685..5f44678841f3 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -134,6 +134,7 @@ CONFIG_FILES = \
+ 	services/ceph.xml \
+ 	services/cfengine.xml \
+ 	services/cockpit.xml \
++	services/collectd.xml \
+ 	services/condor-collector.xml \
+ 	services/ctdb.xml \
+ 	services/dhcpv6-client.xml \
+diff --git a/config/services/collectd.xml b/config/services/collectd.xml
+new file mode 100644
+index 000000000000..fb2483e0e716
+--- /dev/null
++++ b/config/services/collectd.xml
+@@ -0,0 +1,6 @@
++<?xml version="1.0" encoding="utf-8"?>
++<service>
++  <short>Collectd</short>
++  <description>Collectd is a monitoring system that allows metrics to be sent over the network. This rule allows incoming collectd traffic from remote boxes.</description>
++  <port protocol="udp" port="25826"/>
++</service>
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 918f6f0986ae..92323b03fc17 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -67,6 +67,7 @@ config/services/ceph.xml
+ config/services/cfengine.xml
+ config/services/cockpit.xml
+ config/services/condor-collector.xml
++config/services/collectd.xml
+ config/services/ctdb.xml
+ config/services/dhcpv6-client.xml
+ config/services/dhcpv6.xml
+-- 
+2.28.0
+

SOURCES/v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch

@@ -0,0 +1,54 @@
+From 7edc99c9aca9c1416a05c117ab65598dc3095c35 Mon Sep 17 00:00:00 2001
+From: Kenneth D'souza <kdsouza@redhat.com>
+Date: Tue, 16 Jun 2020 01:14:52 +0530
+Subject: [PATCH 64/64] feat(service): Add rpc-rquotad.service
+
+Signed-off-by: Kenneth D'souza <kdsouza@redhat.com>
+(cherry picked from commit 35e58d6fca6fbf44c34629dc058f3f1f727e7783)
+---
+ config/Makefile.am          | 1 +
+ config/services/rquotad.xml | 7 +++++++
+ po/POTFILES.in              | 1 +
+ 3 files changed, 9 insertions(+)
+ create mode 100644 config/services/rquotad.xml
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index 5f44678841f3..178c2358b117 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -233,6 +233,7 @@ CONFIG_FILES = \
+ 	services/redis.xml \
+ 	services/RH-Satellite-6.xml \
+ 	services/rpc-bind.xml \
++	services/rquotad.xml \
+ 	services/rsh.xml \
+ 	services/rsyncd.xml \
+ 	services/rtsp.xml \
+diff --git a/config/services/rquotad.xml b/config/services/rquotad.xml
+new file mode 100644
+index 000000000000..adcd233ebd4d
+--- /dev/null
++++ b/config/services/rquotad.xml
+@@ -0,0 +1,7 @@
++<?xml version="1.0" encoding="utf-8"?>
++<service>
++  <short>rquotad</short>
++  <description>Remote Quota Server Daemon</description>
++  <port protocol="tcp" port="875"/>
++  <port protocol="udp" port="875"/>
++</service>
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 92323b03fc17..8552b8eca4ab 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -166,6 +166,7 @@ config/services/redis-sentinel.xml
+ config/services/redis.xml
+ config/services/RH-Satellite-6.xml
+ config/services/rpc-bind.xml
++config/services/rquotad.xml
+ config/services/rsh.xml
+ config/services/rsyncd.xml
+ config/services/rtsp.xml
+-- 
+2.28.0
+

SOURCES/v1.0.0-0068-feat-service-add-galera-service.patch

@@ -0,0 +1,55 @@
+From 8d0823923302da39bb1f28e55b907db29b03f664 Mon Sep 17 00:00:00 2001
+From: Vrinda Punj <vpunj@redhat.com>
+Date: Tue, 1 Dec 2020 11:58:19 -0500
+Subject: [PATCH 66/66] feat(service): add galera service Fixes: rhbz1696260
+
+(cherry picked from commit 11632147677464cb7121d17526ead242e68be041)
+---
+ config/Makefile.am         | 1 +
+ config/services/galera.xml | 9 +++++++++
+ po/POTFILES.in             | 1 +
+ 3 files changed, 11 insertions(+)
+ create mode 100644 config/services/galera.xml
+
+diff --git a/config/Makefile.am b/config/Makefile.am
+index 178c2358b117..4b849bd54e32 100644
+--- a/config/Makefile.am
++++ b/config/Makefile.am
+@@ -156,6 +156,7 @@ CONFIG_FILES = \
+ 	services/freeipa-replication.xml \
+ 	services/freeipa-trust.xml \
+ 	services/ftp.xml \
++	services/galera.xml \
+ 	services/ganglia-client.xml \
+ 	services/ganglia-master.xml \
+ 	services/git.xml \
+diff --git a/config/services/galera.xml b/config/services/galera.xml
+new file mode 100644
+index 000000000000..2305713fbcab
+--- /dev/null
++++ b/config/services/galera.xml
+@@ -0,0 +1,9 @@
++<?xml version="1.0" encoding="utf-8"?>
++<service>
++  <short>Galera</short>
++  <description>MariaDB-Galera Database Server</description>
++  <port protocol="tcp" port="3306"/>
++  <port protocol="tcp" port="4567"/>
++  <port protocol="tcp" port="4568"/>
++  <port protocol="tcp" port="4444"/>
++</service>
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index 8552b8eca4ab..27003c5ce1ef 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -88,6 +88,7 @@ config/services/freeipa-ldap.xml
+ config/services/freeipa-replication.xml
+ config/services/freeipa-trust.xml
+ config/services/ftp.xml
++config/services/galera.xml
+ config/services/ganglia-client.xml
+ config/services/ganglia-master.xml
+ config/services/git.xml
+-- 
+2.28.0
+

SPECS/firewalld.spec

@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.8.2
-Release: 2%{?dist}
+Release: 6%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@@ -52,6 +52,27 @@ Patch44: 0044-test-regression-rhbz1483921-correctly-use-macros.patch
 Patch45: 0045-test-regression-rhbz1541077-correctly-use-macros.patch
 Patch46: 0046-fix-rich-use-correct-error-code-for-invalid-priority.patch
 Patch47: 0047-test-dbus-zone-add-nm-shared-to-expected-output-if-i.patch
+Patch48: 0048-test-regression-rhbz1541077-use-FWD_OFFLINE_CHECK-ma.patch
+Patch49: 0049-test-regression-rhbz1855140.at-avoid-IPv6-tests-if-I.patch
+Patch50: 0050-fix-icmptype-when-applying-rules-get-ict-from-perm-c.patch
+Patch51: 0051-fix-rich-clamp-the-IP-families-to-those-actually-ena.patch
+Patch52: 0052-fix-rich-icmptype-verify-rule-and-icmptype-families-.patch
+Patch53: 0053-fix-nftables-packet-marks-with-masks.patch
+Patch54: 0054-fix-nftables-icmp-types-with-code-0.patch
+Patch55: 0055-fix-ipXtables-rich-avoid-duplicate-rules-for-icmp-ty.patch
+Patch56: 0056-test-regression-rhbz1855140-add-negative-tests.patch
+Patch57: 0057-fix-policy-cache-rule_str-for-rich-rules.patch
+Patch58: 0058-test-zone-rich-rule-parsing-bottleneck.patch
+Patch59: 0059-fix-icmptype-nftables-runtimeToPermanent-if-ip6table.patch
+Patch60: 0060-docs-firewall-cmd-clarify-lockdown-whitelist-command.patch
+Patch61: 0061-docs-dbus-fix-invalid-method-names.patch
+Patch62: 0062-docs-firewall-cmd-small-description-grammar-fix.patch
+Patch63: v0.9.0-0063-feat-service-add-collectd-service.patch
+Patch64: v0.9.0-0064-feat-service-Add-rpc-rquotad.service.patch
+Patch65: 0065-fix-rich-non-printable-characters-removed-from-rich-.patch
+Patch66: 0066-fix-rich-limit-table-to-strip-non-printables-to-C0-a.patch
+Patch67: 0067-fix-zone-add-source-with-mac-address.patch
+Patch68: v1.0.0-0068-feat-service-add-galera-service.patch
 
 BuildArch: noarch
 BuildRequires: autoconf
@@ -250,6 +271,24 @@ desktop-file-install --delete-original \
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-6
+- feat(service): add galera service
+
+* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-5
+- fix(zone): add source with mac address
+
+* Fri Jan 29 2021 Eric Garver <egarver@redhat.com> - 0.8.2-4
+- fix(rich): non-printable characters removed from rich
+
+* Mon Oct 26 2020 Eric Garver <egarver@redhat.com> - 0.8.2-3
+- fix(nftables): packet marks with masks
+- fix(nftables): icmp types with code == 0
+- fix(rich icmptype): verify rule and icmptype families
+- fix(zone): cache rule_str for rich rules
+- improvement(service): IPsec: Update description and add TCP port 4500
+- feat(service): add collectd service
+- feat(service): Add rpc-rquotad.service
+
 * Tue Aug 04 2020 Eric Garver <egarver@redhat.com> - 0.8.2-2
 - fix(cli): add ipset type hash:mac is incompatible with the family parameter
 - fix(cli): add --zone is an invalid option with --direct