import firewalld-0.8.0-2.el8

2020-01-21 17:26:51 -05:00 · 2020-01-21 17:26:51 -05:00 · 473bc21d2d
commit 473bc21d2d
parent 1afbd08f7f
5 changed files with 254 additions and 27 deletions
--- a/.firewalld.metadata
+++ b/.firewalld.metadata
@ -1 +1 @@
-0861cc649bffc66b18bb70fb7e33fe03fe31fe33 SOURCES/firewalld-0.7.0.tar.gz
+e558ccbfd8a0e08d9339cf1506d8856d3533ed82 SOURCES/firewalld-0.8.0.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/firewalld-0.7.0.tar.gz
+SOURCES/firewalld-0.8.0.tar.gz
--- a/SOURCES/0002-fix-CLI-service-also-output-helpers-for-service-info.patch
+++ b/SOURCES/0002-fix-CLI-service-also-output-helpers-for-service-info.patch
@ -0,0 +1,132 @@
+From ff17d85fd863e7be2b4088c92360185aca6693b0 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Thu, 7 Nov 2019 08:21:52 -0500
+Subject: [PATCH] fix: CLI: service: also output helpers for service info
+
+Fixes: 0c07b704f76d ("feat: CLI: add "helper" support for services")
+Fixes: rhbz 1769520
+(cherry picked from commit 6bfffe65f55b727afc37a8c1fb4068f6589bb890)
+---
+ src/firewall/command.py               |  2 ++
+ src/tests/features/helpers_custom.at  | 42 ++++++++++++++++++++++++++-
+ src/tests/features/service_include.at |  3 ++
+ 3 files changed, 46 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/command.py b/src/firewall/command.py
+index 85e58d731a80..c371dc23584c 100644
+--- a/src/firewall/command.py
+++ b/src/firewall/command.py
+@@ -449,6 +449,7 @@ class FirewallCommand(object):
+         destinations = settings.getDestinations()
+         short_description = settings.getShort()
+         includes = settings.getIncludes()
+        helpers = settings.getHelpers()
+         self.print_msg(service)
+         if self.verbose:
+             self.print_msg("  summary: " + short_description)
+@@ -464,6 +465,7 @@ class FirewallCommand(object):
+                        " ".join(["%s:%s" % (k, v)
+                                  for k, v in destinations.items()]))
+         self.print_msg("  includes: " + " ".join(sorted(includes)))
+        self.print_msg("  helpers: " + " ".join(sorted(helpers)))
+ 
+     def print_icmptype_info(self, icmptype, settings):
+         destinations = settings.getDestinations()
+diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
+index c65f067a06ec..4c9024d1e2b8 100644
+--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
+@@ -1,5 +1,5 @@
+ FWD_START_TEST([customer helpers])
+-AT_KEYWORDS(helpers rhbz1733066 gh514)
+AT_KEYWORDS(helpers rhbz1733066 gh514 rhbz1769520)
+ 
+ FWD_CHECK([-q --permanent --new-helper="ftptest" --module="nf_conntrack_ftp"])
+ FWD_CHECK([-q --permanent --helper=ftptest --add-port="2121/tcp"])
+@@ -8,7 +8,27 @@ FWD_CHECK([-q --permanent --new-service="ftptest"])
+ FWD_CHECK([-q --permanent --service=ftptest --add-module="ftptest"])
+ FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"])
+ FWD_CHECK([-q --permanent --service=ftptest --add-port="2121/tcp"])
+FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+  ports: 2121/tcp
+  protocols:
+  source-ports:
+  modules: ftptest
+  destination:
+  includes:
+  helpers:
+])])
+ FWD_RELOAD
+FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+  ports: 2121/tcp
+  protocols:
+  source-ports:
+  modules: ftptest
+  destination:
+  includes:
+  helpers:
+])])
+ 
+ FWD_CHECK([-q --add-service=ftptest])
+ 
+@@ -42,7 +62,27 @@ dnl Same thing as above, but with the new "helper" in service.
+ FWD_CHECK([-q --permanent --service=ftptest --remove-module="ftptest"])
+ FWD_CHECK([-q --permanent --service=ftptest --query-module="ftptest"], 1)
+ FWD_CHECK([-q --permanent --service=ftptest --add-helper="ftptest"])
+FWD_CHECK([--permanent --info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+  ports: 2121/tcp
+  protocols:
+  source-ports:
+  modules:
+  destination:
+  includes:
+  helpers: ftptest
+])])
+ FWD_RELOAD
+FWD_CHECK([--info-service=ftptest | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ftptest
+  ports: 2121/tcp
+  protocols:
+  source-ports:
+  modules:
+  destination:
+  includes:
+  helpers: ftptest
+])])
+ 
+ FWD_CHECK([-q --add-service=ftptest])
+ 
+diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
+index 219d5b42767b..7f02701a9419 100644
+--- a/src/tests/features/service_include.at
+++ b/src/tests/features/service_include.at
+@@ -76,6 +76,7 @@ my-service-with-include
+   modules:
+   destination:
+   includes: mdns recursive-service ssdp
+  helpers:
+ ])])
+ FWD_CHECK([--info-service=my-service-with-include | TRIM_WHITESPACE], 0, [m4_strip([dnl
+ my-service-with-include
+@@ -85,6 +86,7 @@ my-service-with-include
+   modules:
+   destination:
+   includes: mdns recursive-service ssdp
+  helpers:
+ ])])
+ 
+ dnl firewall-offline-cmd
+@@ -106,6 +108,7 @@ my-service-with-include
+   modules:
+   destination:
+   includes: mdns recursive-service ssdp
+  helpers:
+ ])])
+ 
+ dnl negative test for including service that doesn't exist
+-- 
+2.23.0
+
--- a/SOURCES/RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
+++ b/SOURCES/RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
@ -1,4 +1,4 @@
-From 0f28f2b7b8072bdc2e483d035230ddcb8b00a919 Mon Sep 17 00:00:00 2001
+From aaba32dd922c84662521754952e5a50198dd8625 Mon Sep 17 00:00:00 2001
 From: Eric Garver <e@erig.me>
 Date: Mon, 9 Jul 2018 11:29:33 -0400
 Subject: [PATCH] Add cockpit by default to some zones
@ -9,12 +9,13 @@ Fixes: #1581578
 config/zones/internal.xml             |  1 +
 config/zones/public.xml               |  1 +
 config/zones/work.xml                 |  1 +
+ src/tests/features/helpers_custom.at  |  9 +++++++++
 src/tests/features/service_include.at |  2 +-
 src/tests/firewall-cmd.at             | 14 +++++++++++++-
 src/tests/regression/gh366.at         |  3 +++
 src/tests/regression/gh453.at         |  2 ++
 src/tests/regression/rhbz1514043.at   |  2 +-
- 9 files changed, 24 insertions(+), 3 deletions(-)
+ 10 files changed, 33 insertions(+), 3 deletions(-)

 diff --git a/config/zones/home.xml b/config/zones/home.xml
 index 42b29b2f2d50..8aa8afa0e8aa 100644
@ -56,11 +57,87 @@ index 6ea5550a40bd..9609ee6f65c2 100644
   <service name="dhcpv6-client"/>
 +  <service name="cockpit"/>
 </zone>
+diff --git a/src/tests/features/helpers_custom.at b/src/tests/features/helpers_custom.at
+index c65f067a06ec..263185c88724 100644
+--- a/src/tests/features/helpers_custom.at
+++ b/src/tests/features/helpers_custom.at
+@@ -17,6 +17,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ 		chain filter_IN_public_allow {
+ 			tcp dport 22 ct state new,untracked accept
+ 			ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+			tcp dport 9090 ct state new,untracked accept
+ 			tcp dport 2121 ct helper set "helper-ftptest-tcp"
+ 			tcp dport 2121 ct state new,untracked accept
+ 		}
+@@ -27,6 +28,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
+ ])
+ IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ 	ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+	ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ 	ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ])
+ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
+@@ -35,6 +37,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
+ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ 	ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ 	ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+	ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ 	ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ])
+ 
+@@ -51,6 +54,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ 		chain filter_IN_public_allow {
+ 			tcp dport 22 ct state new,untracked accept
+ 			ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+			tcp dport 9090 ct state new,untracked accept
+ 			tcp dport 2121 ct helper set "helper-ftptest-tcp"
+ 			tcp dport 2121 ct state new,untracked accept
+ 		}
+@@ -61,6 +65,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
+ ])
+ IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ 	ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+	ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ 	ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ])
+ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
+@@ -69,6 +74,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
+ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ 	ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ 	ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+	ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ 	ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ ])
+ 
+@@ -86,6 +92,7 @@ NFT_LIST_RULES([inet], [filter_IN_public_allow], 0, [dnl
+ 		chain filter_IN_public_allow {
+ 			tcp dport 22 ct state new,untracked accept
+ 			ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
+			tcp dport 9090 ct state new,untracked accept
+ 			tcp dport 21 ct helper set "helper-ftp-tcp"
+ 			tcp dport 2121 ct helper set "helper-ftptest-tcp"
+ 			tcp dport 2121 ct state new,untracked accept
+@@ -99,6 +106,7 @@ IPTABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
+ ])
+ IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ 	ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
+	ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ 	ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ 	ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,UNTRACKED
+ ])
+@@ -109,6 +117,7 @@ IP6TABLES_LIST_RULES([raw], [PRE_public_allow], 0, [dnl
+ IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
+ 	ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
+ 	ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
+	ACCEPT tcp ::/0 ::/0 tcp dpt:9090 ctstate NEW,UNTRACKED
+ 	ACCEPT tcp ::/0 ::/0 tcp dpt:2121 ctstate NEW,UNTRACKED
+ 	ACCEPT tcp ::/0 ::/0 tcp dpt:21 ctstate NEW,UNTRACKED
+ ])
 diff --git a/src/tests/features/service_include.at b/src/tests/features/service_include.at
-index b3a50a84bd88..992c5ef0ba92 100644
+index 219d5b42767b..0bf59f63b81b 100644
 --- a/src/tests/features/service_include.at
 +++ b/src/tests/features/service_include.at
-@@ -90,7 +90,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl
+@@ -117,7 +117,7 @@ FWD_CHECK([--zone=drop --list-services], 0, [dnl
 
 ])
 FWD_CHECK([--zone=public --list-services], 0, [dnl
@ -70,10 +147,10 @@ index b3a50a84bd88..992c5ef0ba92 100644
 FWD_CHECK([-q --permanent --service=my-service-with-include --remove-include=does-not-exist])
 FWD_RELOAD
 diff --git a/src/tests/firewall-cmd.at b/src/tests/firewall-cmd.at
-index efc8f9c50757..6444b4566af5 100644
+index 0e0d3938da0a..540bdb8b1065 100644
 --- a/src/tests/firewall-cmd.at
 +++ b/src/tests/firewall-cmd.at
-@@ -1046,6 +1046,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1144,6 +1144,7 @@ FWD_START_TEST([rich rules priority])
         chain filter_IN_public_allow {
         tcp dport 22 ct state new,untracked accept
         ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -81,7 +158,7 @@ index efc8f9c50757..6444b4566af5 100644
         tcp dport 1122 ct state new,untracked accept
         tcp dport 3333 ct state new,untracked accept
         tcp dport 4444 ct state new,untracked accept
-@@ -1061,6 +1062,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1159,6 +1160,7 @@ FWD_START_TEST([rich rules priority])
     ])
     IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -89,7 +166,7 @@ index efc8f9c50757..6444b4566af5 100644
         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1122 ctstate NEW,UNTRACKED
         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3333 ctstate NEW,UNTRACKED
         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4444 ctstate NEW,UNTRACKED
-@@ -1075,6 +1077,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1173,6 +1175,7 @@ FWD_START_TEST([rich rules priority])
     IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
         ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
         ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -97,7 +174,7 @@ index efc8f9c50757..6444b4566af5 100644
         ACCEPT tcp ::/0 ::/0 tcp dpt:1122 ctstate NEW,UNTRACKED
         ACCEPT tcp ::/0 ::/0 tcp dpt:3333 ctstate NEW,UNTRACKED
         ACCEPT tcp ::/0 ::/0 tcp dpt:4444 ctstate NEW,UNTRACKED
-@@ -1156,6 +1159,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1254,6 +1257,7 @@ FWD_START_TEST([rich rules priority])
         chain filter_IN_public_allow {
         tcp dport 22 ct state new,untracked accept
         ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -105,7 +182,7 @@ index efc8f9c50757..6444b4566af5 100644
         }
         }
     ])
-@@ -1259,6 +1263,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1357,6 +1361,7 @@ FWD_START_TEST([rich rules priority])
     ])
     IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -113,7 +190,7 @@ index efc8f9c50757..6444b4566af5 100644
     ])
     IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
     ])
-@@ -1293,6 +1298,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1391,6 +1396,7 @@ FWD_START_TEST([rich rules priority])
     IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
         ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
         ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -121,7 +198,7 @@ index efc8f9c50757..6444b4566af5 100644
     ])
     IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
     ])
-@@ -1340,6 +1346,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1438,6 +1444,7 @@ FWD_START_TEST([rich rules priority])
         chain filter_IN_public_allow {
         tcp dport 22 ct state new,untracked accept
         ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -129,7 +206,7 @@ index efc8f9c50757..6444b4566af5 100644
         icmp type echo-request accept
         icmpv6 type echo-request accept
         }
-@@ -1380,6 +1387,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1478,6 +1485,7 @@ FWD_START_TEST([rich rules priority])
     ])
     IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -137,7 +214,7 @@ index efc8f9c50757..6444b4566af5 100644
         ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
     ])
     IPTABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
-@@ -1402,6 +1410,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1500,6 +1508,7 @@ FWD_START_TEST([rich rules priority])
     IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
         ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
         ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -145,7 +222,7 @@ index efc8f9c50757..6444b4566af5 100644
         ACCEPT icmpv6 ::/0 ::/0 ipv6-icmptype 128
     ])
     IP6TABLES_LIST_RULES([filter], [FWDI_public_pre], 0, [dnl
-@@ -1458,6 +1467,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1556,6 +1565,7 @@ FWD_START_TEST([rich rules priority])
         chain filter_IN_public_allow {
         tcp dport 22 ct state new,untracked accept
         ip6 daddr fe80::/64 udp dport 546 ct state new,untracked accept
@ -153,7 +230,7 @@ index efc8f9c50757..6444b4566af5 100644
         }
         }
     ])
-@@ -1495,6 +1505,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1593,6 +1603,7 @@ FWD_START_TEST([rich rules priority])
     ])
     IPTABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
         ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW,UNTRACKED
@ -161,7 +238,7 @@ index efc8f9c50757..6444b4566af5 100644
     ])
     IPTABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
     ])
-@@ -1515,6 +1526,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1613,6 +1624,7 @@ FWD_START_TEST([rich rules priority])
     IP6TABLES_LIST_RULES([filter], [IN_public_allow], 0, [dnl
         ACCEPT tcp ::/0 ::/0 tcp dpt:22 ctstate NEW,UNTRACKED
         ACCEPT udp ::/0 fe80::/64 udp dpt:546 ctstate NEW,UNTRACKED
@ -169,7 +246,7 @@ index efc8f9c50757..6444b4566af5 100644
     ])
     IP6TABLES_LIST_RULES([filter], [IN_public_deny], 0, [dnl
     ])
-@@ -1540,7 +1552,7 @@ FWD_START_TEST([rich rules priority])
+@@ -1638,7 +1650,7 @@ FWD_START_TEST([rich rules priority])
         icmp-block-inversion: no
         interfaces:
         sources:
@ -225,7 +302,7 @@ index f57a79dcf9a2..6d820fce840a 100644
 	tcp dport 21 ct state new,untracked accept
 	tcp dport 5060 ct helper set "helper-sip-tcp"
 diff --git a/src/tests/regression/rhbz1514043.at b/src/tests/regression/rhbz1514043.at
-index deb93a5fac94..88ce4934e5ea 100644
+index efc33e09478b..241cf547f7f3 100644
 --- a/src/tests/regression/rhbz1514043.at
 +++ b/src/tests/regression/rhbz1514043.at
@@ -5,7 +5,7 @@ FWD_CHECK([-q --set-log-denied=all])
@ -235,8 +312,8 @@ index deb93a5fac94..88ce4934e5ea 100644
 -services: dhcpv6-client samba ssh
 +services: cockpit dhcpv6-client samba ssh
 ])
- dnl check that log denied actually took effect
- m4_if(iptables, FIREWALL_BACKEND, [
-- 
-2.20.1
+ 
+ dnl check that log denied actually took effect
+-- 
+2.23.0

--- a/SPECS/firewalld.spec
+++ b/SPECS/firewalld.spec
@ -1,11 +1,12 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
-Version: 0.7.0
+Version: 0.8.0
 Release: 2%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
 Patch1: RHEL-only-0001-Add-cockpit-by-default-to-some-zones.patch
+Patch2: 0002-fix-CLI-service-also-output-helpers-for-service-info.patch

 BuildArch: noarch
 BuildRequires: autoconf
@ -20,9 +21,7 @@ BuildRequires: docbook-style-xsl
 BuildRequires: libxslt
 BuildRequires: iptables, ebtables, ipset
 BuildRequires: python3-devel
-BuildRequires: nftables >= 0.9.0
 Requires: iptables, ebtables, ipset
-Requires: nftables >= 0.9.0
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
@ -49,6 +48,7 @@ Requires: python3-dbus
 Requires: python3-slip-dbus
 Requires: python3-decorator
 Requires: python3-gobject-base
+Requires: python3-nftables

 %description -n python3-firewall
 Python3 bindings for firewalld.
@ -90,6 +90,8 @@ firewalld.

 %prep
 %autosetup -p1
+# must autogen since a patch above touched a Makefile.am
+./autogen.sh

 %build
 %configure --enable-sysconfig --enable-rpmmacros PYTHON="%{__python3} %{py3_shbang_opts}"
@ -202,7 +204,23 @@ desktop-file-install --delete-original \
 %{_mandir}/man1/firewall-config*.1*

 %changelog
-* Wed Jun 13 2019 Eric Garver <egarver@redhat.com> - 0.7.0-2
+* Tue Nov 12 2019 Eric Garver <egarver@redhat.com> - 0.8.0-2
+- fix: CLI: service: also output helpers for service info
+
+* Tue Nov 05 2019 Eric Garver <egarver@redhat.com> - 0.8.0-1
+- rebase to v0.8.0
+
+* Tue Aug 13 2019 Eric Garver <egarver@redhat.com> - 0.7.0-5
+- bump nftables version requirements
+
+* Tue Aug 06 2019 Eric Garver <egarver@redhat.com> - 0.7.0-4
+- backport patches to sort source-based zone dispatch by zone name
+
+* Tue Jul 23 2019 Eric Garver <egarver@redhat.com> - 0.7.0-3
+- backport patch to show service includes in service output
+- backport patches to fix dbus API break
+
+* Thu Jun 13 2019 Eric Garver <egarver@redhat.com> - 0.7.0-2
 - package rebuild

 * Wed Jun 12 2019 Eric Garver <egarver@redhat.com> - 0.7.0-1