backport fix for rhbz 1575431

Fixes: rhbz 1575431

0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch

@@ -0,0 +1,48 @@
+From 0cf02b4c0d4a3b7f55ded6d4d41cf184bc1881e0 Mon Sep 17 00:00:00 2001
+From: Eric Garver <e@erig.me>
+Date: Tue, 3 Jul 2018 09:12:28 -0400
+Subject: [PATCH] IPv6 rpfilter: explicitly allow neighbor solicitation
+
+Some kernel versions (4.16-4.17) have a bug which causes the rpfilter
+extension to not match neighbor solicitation frames. This causes the
+IPv6 rpfilter to mistakenly drop them. Lets work around the buggy kernel
+versions by explicitly allowing neighbor solicitation.
+
+Fixes: rhbz 1575431
+(cherry picked from commit 3d6a5063566319b5df58c6f738f203e88724961e)
+---
+ src/firewall/core/ipXtables.py | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
+index 437808027155..c2aac90d838c 100644
+--- a/src/firewall/core/ipXtables.py
++++ b/src/firewall/core/ipXtables.py
+@@ -474,16 +474,21 @@ class ip6tables(ip4tables):
+ 
+     def apply_rpfilter_rules(self, transaction, log_denied=False):
+             transaction.add_rule(self.ipv,
+-                                 [ "-I", "PREROUTING", "1", "-t", "raw",
++                          [ "-I", "PREROUTING", "1", "-t", "raw",
++                            "-p", "ipv6-icmp",
++                            "--icmpv6-type=neighbour-solicitation",
++                            "-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17
++            transaction.add_rule(self.ipv,
++                                 [ "-I", "PREROUTING", "2", "-t", "raw",
+                                    "-p", "ipv6-icmp",
+                                    "--icmpv6-type=router-advertisement",
+                                    "-j", "ACCEPT" ]) # RHBZ#1058505
+             transaction.add_rule(self.ipv,
+-                                 [ "-I", "PREROUTING", "2", "-t", "raw",
++                                 [ "-I", "PREROUTING", "3", "-t", "raw",
+                                    "-m", "rpfilter", "--invert", "-j", "DROP" ])
+             if log_denied != "off":
+                 transaction.add_rule(self.ipv,
+-                                     [ "-I", "PREROUTING", "2", "-t", "raw",
++                                     [ "-I", "PREROUTING", "3", "-t", "raw",
+                                        "-m", "rpfilter", "--invert",
+                                        "-j", "LOG",
+                                        "--log-prefix", "rpfilter_DROP: " ])
+-- 
+2.16.3
+

firewalld.spec

@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.5.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
@@ -11,6 +11,7 @@ Source2: FedoraWorkstation.xml
 %endif
 %if 0%{?fedora}
 Patch0: firewalld-0.2.6-MDNS-default.patch
+Patch1: 0001-IPv6-rpfilter-explicitly-allow-neighbor-solicitation.patch
 %endif
 BuildArch: noarch
 BuildRequires: autoconf
@@ -124,10 +125,7 @@ The firewall configuration application provides an configuration interface for
 firewalld.
 
 %prep
-%setup -q
+%autosetup -p1
-%if 0%{?fedora}
-%patch0 -p1
-%endif
 ./autogen.sh
 sed -i -e 's|/usr/bin/python -Es|%{__python3} -Es|' ./fix_python_shebang.sh
 sed -i 's|/usr/bin/python|%{__python3}|' ./config/lockdown-whitelist.xml
@@ -320,6 +318,9 @@ fi
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Tue Jul 03 2018 Eric Garver <egarver@redhat.com> - 0.5.3-3
+- backport fix for rhbz 1575431
+
 * Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.5.3-2
 - Rebuilt for Python 3.7