From 51ae9526ba4abc0eec1e4ea89873e5337a4a553f Mon Sep 17 00:00:00 2001 
From: Thomas Woerner Date: Tue, 13 Jun 2017 13:39:03 +0200 Subject: [PATCH] =?UTF-8?q?-=20Rebase=20to=20firewalld-0.4.4.5=20=20=20htt?= =?UTF-8?q?p://www.firewalld.org/2017/06/firewalld-0-4-4-5-release=20=20?= =?UTF-8?q?=20-=20Fix=20build=20from=20spec=20=20=20-=20Fix=20=E2=80=93rem?= =?UTF-8?q?ove-service-from-zone=20option=20(RHBZ#1438127)=20=20=20-=20Sup?= =?UTF-8?q?port=20sctp=20and=20dccp=20in=20ports,=20source-ports,=20forwar?= =?UTF-8?q?d-ports,=20helpers=20and=20=20=20=20=20rich=20rules=20(RHBZ#142?= =?UTF-8?q?9808)=20=20=20-=20firewall-cmd:=20Fix=20=E2=80=93{set,get}-{sho?= =?UTF-8?q?rt,description}=20for=20zone=20(RHBZ#1445238)=20=20=20-=20firew?= =?UTF-8?q?all.core.ipXtables:=20Use=20new=20wait=20option=20for=20restore?= =?UTF-8?q?=20commands=20if=20=20=20=20=20available=20=20=20-=20New=20serv?= =?UTF-8?q?ices=20for=20oVirt:=20=20=20=20=20ctdb,=20ovirt-imageio,=20ovir?= =?UTF-8?q?t-storageconsole,=20ovirt-vmconsole=20and=20nrpe=20=20=20-=20Re?= =?UTF-8?q?name=20extension=20for=20policy=20choices=20(server=20and=20des?= =?UTF-8?q?ktop)=20to=20.policy.choice=20=20=20=20=20(RHBZ#1449754)=20=20?= =?UTF-8?q?=20-=20D-Bus=20interfaces:=20Fix=20GetAll=20for=20interfaces=20?= =?UTF-8?q?without=20properties=20=20=20=20=20(RHBZ#1452017)=20=20=20-=20L?= =?UTF-8?q?oad=20NAT=20helpers=20with=20conntrack=20helpers=20(RHBZ#145268?= =?UTF-8?q?1)=20=20=20-=20Translation=20updates=20-=20Additional=20upstrea?= =?UTF-8?q?m=20patches:=20=20=20-=20Rich-rule=20source=20validation=20(d69?= =?UTF-8?q?b7cb)=20=20=20-=20IPv6=20ICMP=20type=20only=20rich-rule=20fix?= =?UTF-8?q?=20(cf50bd0)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ..._icmptype_only_rich_rule_fix-cf50bd0.patch | 28 +++++++++ ...4.4.5-rich_source_validation-d69b7cb.patch | 59 +++++++++++++++++++ firewalld.spec | 48 +++++++++++++-- 3 files changed, 130 insertions(+), 5 deletions(-) create mode 100644 firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix-cf50bd0.patch 
create mode 100644 firewalld-0.4.4.5-rich_source_validation-d69b7cb.patch
diff --git a/firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix-cf50bd0.patch b/firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix-cf50bd0.patch
new file mode 100644
index 0000000..db219c1
--- /dev/null
+++ b/firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix-cf50bd0.patch
@@ -0,0 +1,28 @@
+From cf50bd0004418abe1294f53b58387a181dfd2b51 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Thu, 8 Jun 2017 17:44:32 +0200
+Subject: [PATCH] firewall.core.fw_zone: Rich-rule ICMP type: Error only for
+ conflicting family
+
+Only raise error for an ICMP block in a rich-rule if a family has been
+specified and conflicts with the ICMP destination.
+
+Fixes: RHBZ#1459921
+---
+ src/firewall/core/fw_zone.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/firewall/core/fw_zone.py b/src/firewall/core/fw_zone.py
+index 4f3f18c0..f47222e4 100644
+--- a/src/firewall/core/fw_zone.py
++++ b/src/firewall/core/fw_zone.py
+@@ -1425,6 +1425,9 @@ def __rule_prepare(self, enable, zone, rule, mark_id, zone_transaction):
+ raise FirewallError(errors.INVALID_RULE,
+ "IcmpBlock not usable with accept action")
+ if ict.destination and ipv not in ict.destination:
++ if rule.family is None:
++ # Add for IPv4 or IPv6 depending on ict.destination
++ continue
+ raise FirewallError(
+ errors.INVALID_RULE,
+ "Icmp%s %s not usable with %s" % \
diff --git a/firewalld-0.4.4.5-rich_source_validation-d69b7cb.patch b/firewalld-0.4.4.5-rich_source_validation-d69b7cb.patch
new file mode 100644
index 0000000..cfd7828
--- /dev/null
+++ b/firewalld-0.4.4.5-rich_source_validation-d69b7cb.patch
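Review bot: The added `continue` silently drops the IcmpBlock rule for the IP family that ict.destination does not cover whenever rule.family is None, and the comment `# Add for IPv4 or IPv6 depending on ict.destination` does not say that the skip is deliberate rather than a fall-through. A reader of __rule_prepare, whose body starts and ends outside this hunk, has to infer that the enclosing loop presumably walks the ipv values, so a comment such as `# No family given: this ICMP type exists for one family only, so skip the other family instead of failing the whole rule` would make the intent explicit. The FirewallError that follows still fires when a family was given explicitly and conflicts, which is what the commit message describes.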
@@ -0,0 +1,59 @@
+From d69b7cb2724f041f257b90184a64e28a667ee7e9 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Thu, 8 Jun 2017 15:31:11 +0200
+Subject: [PATCH] firewall.core.rich: Add checks for Rich_Source validation
+
+A rich-rule source needs to either contain a IP address, a MAC address or an
+ipset.
+---
+ src/firewall/core/rich.py | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/src/firewall/core/rich.py b/src/firewall/core/rich.py
+index 3adcb4d9..04791da6 100644
+--- a/src/firewall/core/rich.py
++++ b/src/firewall/core/rich.py
+@@ -46,15 +46,21 @@ def __init__(self, addr, mac, ipset, invert=False):
+ if self.ipset == "":
+ self.ipset = None
+ self.invert = invert
++ if self.addr is None and self.mac is None and self.ipset is None:
++ raise FirewallError(errors.INVALID_RULE,
++ "no address, mac and ipset")
+ 
+ def __str__(self):
+- if self.addr:
+- x = ' address="%s"' % self.addr
+- elif self.mac:
+- x = ' mac="%s"' % self.mac
+- elif self.ipset:
+- x = ' ipset="%s"' % self.ipset
+- return 'source%s%s' % (" NOT" if self.invert else "", x)
++ ret = 'source%s ' % (" NOT" if self.invert else "")
++ if self.addr is not None:
++ return ret + 'address="%s"' % self.addr
++ elif self.mac is not None:
++ return ret + 'mac="%s"' % self.mac
++ elif self.ipset is not None:
++ return ret + 'ipset="%s"' % self.ipset
++ else:
++ raise FirewallError(errors.INVALID_RULE,
++ "no address, mac and ipset")
+ 
+ class Rich_Destination(object):
+ def __init__(self, addr, invert=False):
+@@ -542,10 +548,14 @@ def check(self):
+ raise FirewallError(errors.INVALID_FAMILY)
+ if self.source.mac is not None:
+ raise FirewallError(errors.INVALID_RULE, "address and mac")
++ if self.source.ipset is not None:
++ raise FirewallError(errors.INVALID_RULE, "address and ipset")
+ if not functions.check_address(self.family, self.source.addr):
+ raise FirewallError(errors.INVALID_ADDR, str(self.source.addr))
+ 
+ elif self.source.mac is not None:
++ if self.source.ipset is not None:
++ raise FirewallError(errors.INVALID_RULE, "mac and ipset")
+ if not functions.check_mac(self.source.mac):
+ raise FirewallError(errors.INVALID_MAC, str(self.source.mac))
+ 
diff --git a/firewalld.spec b/firewalld.spec
index 9db930e..a1376ac 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -7,7 +7,7 @@ Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
-Version: 0.4.4.4
+Version: 0.4.4.5
 Release: 1%{?dist}
 URL: http://www.firewalld.org
 License: GPLv2+
@@ -19,6 +19,8 @@ Source2: FedoraWorkstation.xml
 %if 0%{?fedora}
 Patch0: firewalld-0.2.6-MDNS-default.patch
 %endif
+Patch1: firewalld-0.4.4.5-rich_source_validation-d69b7cb.patch
+Patch2: firewalld-0.4.4.5-ipv6_icmptype_only_rich_rule_fix-cf50bd0.patch
 BuildArch: noarch
 BuildRequires: desktop-file-utils
 BuildRequires: gettext
@@ -118,7 +120,11 @@ Requires: %{name} = %{version}-%{release}
 Requires: firewall-config = %{version}-%{release}
 Requires: hicolor-icon-theme
 %if 0%{?use_python3}
+%if 0%{?fedora} >= 26
+Requires: python3-qt5-base
+%else
 Requires: python3-qt5
+%endif
 Requires: python3-gobject
 %else
 Requires: python-qt5
@@ -154,6 +160,8 @@ firewalld.
 %if 0%{?fedora}
 %patch0 -p1
 %endif
+%patch1 -p1 -b .rich_source_validation-d69b7cb
+%patch2 -p1 -b .ipv6_icmptype_only_rich_rule_fix-cf50bd0
 ./autogen.sh
 %if 0%{?with_python3}
@@ -169,12 +177,20 @@ sed -i 's|/usr/bin/python|%{__python3}|' %{py3dir}/config/lockdown-whitelist.xml
 %configure --enable-sysconfig --enable-rpmmacros
 # Enable the make line if there are patches affecting man pages to
 # regenerate them
+%if 0%{?use_python3}
+make -C src %{?_smp_mflags}
+%else
 make %{?_smp_mflags}
+%endif
 %if 0%{?with_python3}
 pushd %{py3dir}
 %configure --enable-sysconfig --enable-rpmmacros PYTHON=%{__python3}
+%if 0%{?use_python3}
 make %{?_smp_mflags}
+%else
+make -C src %{?_smp_mflags}
+%endif
 popd
 %endif #0%{?with_python3}
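Review bot: `__str__` now raises FirewallError from its `else` branch, which after the new constructor check is reachable only if a caller resets addr, mac and ipset to None after construction; raising from `__str__` turns a `str(rule)` in a log line or error message into a second exception that hides the first, so that branch deserves a comment saying it guards post-construction mutation, or should be left to the constructor invariant. The message `"no address, mac and ipset"` is used twice and reads as a contradiction; `"source needs an address, a mac or an ipset"` would state the rule the commit message gives. The new exclusivity checks in check() cover addr/ipset and mac/ipset, but the ipset-only branch of check() lies below the hunk, so confirm there that the ipset name is validated the way check_address and check_mac validate the other two before the source reaches rule generation. Both __init__ and check() start and end outside this hunk.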
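Review bot: The comment `# Enable the make line if there are patches affecting man pages to regenerate them` now sits above an %if/%else in which one of the two make invocations always runs, so it no longer describes the lines beneath it. The new structure appears to build the full tree only for the Python that the package ships (`make` in the top-level build when use_python3 is unset, otherwise in the %{py3dir} build) and only src/ in the other; a comment such as `# Build the whole tree (docs included) once, for the Python that ships; the other interpreter only needs src/` would say why the two branches mirror each other. Since `make -C src` presumably skips the documentation targets, confirm that the man pages listed under %files are still produced by whichever branch is the full build.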
@@ -263,11 +279,11 @@ fi
 if [ ! -e %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy ]; then
 case "$VARIANT_ID" in
 workstation)
- ln -sf org.fedoraproject.FirewallD1.desktop.policy %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
+ ln -sf org.fedoraproject.FirewallD1.desktop.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
 ;;
 *)
 # For all other editions, we'll use the Server polkit policy
- ln -sf org.fedoraproject.FirewallD1.server.policy %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
+ ln -sf org.fedoraproject.FirewallD1.server.policy.choice %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy || :
 esac
 fi
 %endif
@@ -336,8 +352,8 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/firewalld
 %{_unitdir}/firewalld.service
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/FirewallD.conf
-%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy
-%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.desktop.policy.choice
+%{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.server.policy.choice
 %if 0%{?fedora} > 21
 %ghost %{_datadir}/polkit-1/actions/org.fedoraproject.FirewallD1.policy
 %endif
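Review bot: The rename to `.policy.choice` is only applied on upgrade because the `[ ! -e ... ]` guard above the case statement dereferences the symlink: once the old `.desktop.policy`/`.server.policy` target is removed with the previous package, the %ghost `org.fedoraproject.FirewallD1.policy` link dangles, `-e` reports it as absent, and `ln -sf` re-points it. That works but is easy to break — a later switch to `-L` or `-h` would leave upgraded systems with a dangling link and FirewallD1's polkit actions undefined. A comment on the guard such as `# -e follows the symlink, so a link left dangling by a target rename is recreated on upgrade` would record the dependency. The guard's surrounding scriptlet starts outside this hunk.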
@@ -414,6 +430,28 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 %changelog
+* Fri Jun 9 2017 Thomas Woerner - 0.4.4.5-1
+- Rebase to firewalld-0.4.4.5
+ http://www.firewalld.org/2017/06/firewalld-0-4-4-5-release
+ - Fix build from spec
+ - Fix –remove-service-from-zone option (RHBZ#1438127)
+ - Support sctp and dccp in ports, source-ports, forward-ports, helpers and
+ rich rules (RHBZ#1429808)
+ - firewall-cmd: Fix –{set,get}-{short,description} for zone (RHBZ#1445238)
+ - firewall.core.ipXtables: Use new wait option for restore commands if
+ available
+ - New services for oVirt:
+ ctdb, ovirt-imageio, ovirt-storageconsole, ovirt-vmconsole and nrpe
+ - Rename extension for policy choices (server and desktop) to .policy.choice
+ (RHBZ#1449754)
+ - D-Bus interfaces: Fix GetAll for interfaces without properties
+ (RHBZ#1452017)
+ - Load NAT helpers with conntrack helpers (RHBZ#1452681)
+ - Translation updates
+- Additional upstream patches:
+ - Rich-rule source validation (d69b7cb)
+ - IPv6 ICMP type only rich-rule fix (cf50bd0)
+
 * Mon Mar 27 2017 Thomas Woerner - 0.4.4.4-1
 - Rebase to firewalld-0.4.4.4
 http://www.firewalld.org/2017/03/firewalld-0-4-4-4-release