From 50b31155893c72ef739a0e3845988d44e7f243ce Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Mon, 19 May 2025 16:18:25 -0400
Subject: [PATCH] fix(fw): start: remove ipset probe
Resolves: RHEL-36234
---
 ...bles-table-owner-use-grep-instead-of.patch | 74 +++++++++++++++++++
 ...ore-ipset-remove-set_supported_types.patch | 63 ++++++++++++++++
 ....4.0-fix-fw-start-remove-ipset-probe.patch | 41 ++++++++++
 firewalld.spec | 8 +-
 4 files changed, 185 insertions(+), 1 deletion(-)
 create mode 100644 0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch
 create mode 100644 0030-v2.4.0-chore-ipset-remove-set_supported_types.patch
 create mode 100644 0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch
diff --git a/0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch b/0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch
new file mode 100644
index 0000000..5dc44c6
--- /dev/null
+++ b/0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch
@@ -0,0 +1,74 @@ +From 6ce8e4cf508d45e5b0d05192eb06dc0768dbbb56 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Wed, 7 May 2025 11:31:03 -0400 +Subject: [PATCH 29/31] v2.4.0: test(nftables): table owner: use grep instead + of head + +Using `head -n 2` will cause head to terminate early while the prior +commands in the pipeline still have output. This will trigger SIGPIPE +and in some cases causes messages on stderr. Use grep to consume all the +output. + +Fixes: #1403 +Fixes: e7728b843c2e ("test(nftables): table ownership") + +--->8--- + +./nftables_table_owner.at:1: env DBUS_SYSTEM_BUS_ADDRESS="unix:abstract=firewalld-testsuite-dbus-system-socket-${at_group_normalized}" ip netns exec fwd-test-${at_group_normalized} nft list table inet firewalld | sed -e 's/^[ \t]*//' -e 's/[ \t]*$//' | sed -e '/^[ \t]*$/d' | sed -e 's/[ \t]\+/ /g' | { printf "%s" "$(cat /dev/stdin)"; echo; } | head -n 2 +--- /dev/null 2025-05-06 18:20:20.014443085 +0000 ++++ /home/runner/work/firewalld/firewalld/src/tests/testsuite.dir/at-groups/228/stderr 2025-05-06 18:31:38.431177759 +0000 +@@ -0,0 +1,2 @@ ++/home/runner/work/firewalld/firewalld/src/tests/testsuite.dir/at-groups/228/test-source: line 409: printf: write error: Broken pipe ++/home/runner/work/firewalld/firewalld/src/tests/testsuite.dir/at-groups/228/test-source: line 409: echo: write error: Broken pipe +228. 
nftables_table_owner.at:1: FAILED (nftables_table_owner.at: + +(cherry picked from commit 31e2584c5ada874639cbd80174c3fd745e392852) +--- + src/tests/features/nftables_table_owner.at | 21 +++++---------------- + 1 file changed, 5 insertions(+), 16 deletions(-) + +diff --git a/src/tests/features/nftables_table_owner.at b/src/tests/features/nftables_table_owner.at +index abc946da0ad7..dd9c3deed2ba 100644 +--- a/src/tests/features/nftables_table_owner.at ++++ b/src/tests/features/nftables_table_owner.at +@@ -7,32 +7,21 @@ FWD_RELOAD() + + AT_SKIP_IF([grep "Configuration has NftablesTableOwner=True, but it's not supported by nftables." ./firewalld.log]) + +-NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl +- table inet firewalld { # progname firewalld +- flags owner,persist +-])]) ++dnl Make sure it's initially working ++dnl ++NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | grep "flags owner,persist"], 0, [ignore]) + + dnl Test the transitions from On to Off + dnl +- + AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=no/' ./firewalld.conf]) + FWD_RELOAD() +- +-NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl +- table inet firewalld { +- chain mangle_PREROUTING { +-])]) ++NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | grep "flags owner,persist"], 1) + + dnl Test the transitions from Off to On + dnl +- + AT_CHECK([sed -i 's/^NftablesTableOwner=.*/NftablesTableOwner=yes/' ./firewalld.conf]) + FWD_RELOAD() +- +-NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | head -n 2], 0, [m4_strip([dnl +- table inet firewalld { # progname firewalld +- flags owner,persist +-])]) ++NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | grep "flags owner,persist"], 0, [ignore]) + + FWD_END_TEST() + ]) +-- +2.48.1 + 
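Review bot: The rewritten Off-state check `NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | grep "flags owner,persist"], 1)` passes whenever grep sees no matching line, including when `nft list table inet firewalld` itself fails because the table is gone, since the pipeline's status is grep's and no pipefail is visible; the replaced `head -n 2` form asserted `table inet firewalld {` and `chain mangle_PREROUTING {`, so the test no longer proves the table survived the reload. Keeping that guarantee costs one line before the negative grep: `NS_CHECK([nft list table inet firewalld | TRIM_WHITESPACE | grep "^table inet firewalld"], 0, [ignore])`. Whether NS_CHECK treats nft's stderr output as a failure is not visible here, so that part is a guess. The two positive checks are fine as written, since a match already implies the table exists.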
diff --git a/0030-v2.4.0-chore-ipset-remove-set_supported_types.patch b/0030-v2.4.0-chore-ipset-remove-set_supported_types.patch
new file mode 100644
index 0000000..7c50815
--- /dev/null
+++ b/0030-v2.4.0-chore-ipset-remove-set_supported_types.patch
@@ -0,0 +1,63 @@ +From c1ef9701fa5d33f2116a67f7e20c3c4f525c57f1 Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 2 May 2025 16:33:14 -0400 +Subject: [PATCH 30/31] v2.4.0: chore(ipset): remove set_supported_types() + +"ipset --help" doesn't actual guarantee that the types are supported in +the kernel. As such, this probe is useless. + +(cherry picked from commit 1e401a7d22d4d00be90330e171929c78ddd9b55b) +--- + src/firewall/core/fw.py | 3 --- + src/firewall/core/ipset.py | 21 --------------------- + 2 files changed, 24 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 557b6e527dbd..92574bc7e650 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -228,9 +228,6 @@ class Firewall(object): + self.ipset_supported_types = [ ] + # ipset is not usable + self.ipset_enabled = False +- else: +- # ipset is usable, get all supported types +- self.ipset_supported_types = self.ipset_backend.set_supported_types() + + self.ip4tables_backend.fill_exists() + if not self.ip4tables_backend.restore_command_exists: +diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py +index d8e0a1ab1e56..a7f0ce17a61b 100644 +--- a/src/firewall/core/ipset.py ++++ b/src/firewall/core/ipset.py +@@ -93,27 +93,6 @@ class ipset(object): + raise FirewallError(errors.INVALID_NAME, + "ipset name '%s' is not valid" % name) + +- def set_supported_types(self): +- """Return types that are supported by the ipset command and kernel""" +- ret = [ ] +- output = "" +- try: +- output = self.__run(["--help"]) +- except ValueError as ex: +- log.debug1("ipset error: %s" % ex) +- lines = output.splitlines() +- +- in_types = False +- for line in lines: +- #print(line) +- if in_types: +- splits = line.strip().split(None, 2) +- if splits[0] not in ret and splits[0] in IPSET_TYPES: +- ret.append(splits[0]) +- if line.startswith("Supported set types:"): +- in_types = True +- return ret +- + def check_type(self, type_name): + """Check ipset type""" + if 
len(type_name) > IPSET_MAXNAMELEN or type_name not in IPSET_TYPES: +-- +2.48.1 + diff --git a/0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch b/0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch new file mode 100644 index 0000000..63e22f6 --- /dev/null +++ b/0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch @@ -0,0 +1,41 @@ +From 6b9c44e3fcc861342cb6624d35eac9d192ce1a2a Mon Sep 17 00:00:00 2001 +From: Eric Garver +Date: Fri, 2 May 2025 16:37:27 -0400 +Subject: [PATCH 31/31] v2.4.0: fix(fw): start: remove ipset probe + +This probe is causing kernel modules to be loaded even if the ipset +backend will not be used due to "omit native ipsets". Since the backend +and iptables are deprecated lets just remove the probe and let it fail +at runtime. + +Fixes: RHEL-36234 +(cherry picked from commit ac20628701509165feaacab679c0699db2c7b8b8) +--- + src/firewall/core/fw.py | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py +index 92574bc7e650..877ad028d4e2 100644 +--- a/src/firewall/core/fw.py ++++ b/src/firewall/core/fw.py +@@ -218,17 +218,6 @@ class Firewall(object): + raise FirewallError(errors.UNKNOWN_ERROR, "No IPv4 and IPv6 firewall.") + + def _start_probe_backends(self): +- try: +- self.ipset_backend.set_list() +- except ValueError: +- if self.nftables_enabled: +- log.info1("ipset not usable, disabling ipset usage in firewall. Other set backends (nftables) remain usable.") +- else: +- log.warning("ipset not usable, disabling ipset usage in firewall.") +- self.ipset_supported_types = [ ] +- # ipset is not usable +- self.ipset_enabled = False +- + self.ip4tables_backend.fill_exists() + if not self.ip4tables_backend.restore_command_exists: + if self.ip4tables_backend.command_exists: +-- +2.48.1 + diff --git a/firewalld.spec b/firewalld.spec index b36e119..f18ebea 100644 --- a/firewalld.spec +++ b/firewalld.spec 
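Review bot: With `set_supported_types()` deleted, the only write to `self.ipset_supported_types` still visible in this hunk is the failure branch of `_start_probe_backends` (`self.ipset_supported_types = [ ]`), and nothing populates it on success anymore, so any remaining reader of that attribute (none is visible here) now sees only whatever `__init__` assigns. If the attribute has no readers left it should go too; if it does, its initial value must be the intended "not probed" answer rather than an empty list that would reject every type. `check_type()` now validates only against the static `IPSET_TYPES`, so a type the running kernel lacks surfaces later as an `ipset create` error; its docstring should say so, e.g. `"""Check that type_name is a known ipset type (kernel support is not probed; unsupported types fail at create time)."""`. Both the fw.py and ipset.py hunks cut into methods that begin or end outside them.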
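Review bot: Removing the `set_list()` probe also removes the only visible place that set `self.ipset_enabled = False` and logged that ipset is unusable, so `_start_probe_backends` now leaves `ipset_enabled` at whatever `__init__` chose and a missing or broken ipset binary is reported only when a native ipset is first applied; it is worth confirming that any backend selection gated on `ipset_enabled` still prefers nftables sets in that case, since that code is not visible here. The deliberate omission should be recorded in the method so the probe is not reintroduced, e.g. `# ipset is intentionally not probed at start: the probe loaded kernel modules even when native ipsets are omitted (RHEL-36234); an unusable ipset backend fails when a set is applied.` placed directly after `def _start_probe_backends(self):`. The runtime failure path should log at least as clearly as the removed `log.warning` did, assuming it does not already. The method continues past the end of the hunk.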
@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 1.3.4
-Release: 12%{?dist}
+Release: 13%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2
@@ -33,6 +33,9 @@ Patch25: 0025-v2.3.0-test-functions-fix-iptables-normalization-for.patch
 Patch26: 0026-v2.4.0-test-add-scale-keyword-to-scale-tests.patch
 Patch27: 0027-v2.4.0-fix-systemd-verify-firewalld-is-responsive-to.patch
 Patch28: 0028-v2.4.0-fix-systemd-remove-unnecessary-comment.patch
+Patch29: 0029-v2.4.0-test-nftables-table-owner-use-grep-instead-of.patch
+Patch30: 0030-v2.4.0-chore-ipset-remove-set_supported_types.patch
+Patch31: 0031-v2.4.0-fix-fw-start-remove-ipset-probe.patch
 BuildArch: noarch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -256,6 +259,9 @@ rm -rf %{buildroot}%{_datadir}/firewalld/testsuite %{_mandir}/man1/firewall-config*.1* %changelog +* Mon May 19 2025 Eric Garver - 1.3.4-13 +- fix(fw): start: remove ipset probe + * Mon May 19 2025 Eric Garver - 1.3.4-12 - fix(systemd): verify firewalld is responsive to dbus