import UBI firewalld-0.9.11-9.el8_10

SOURCES/0027-v2.0.0-test-atlocal-pass-EBTABLES-to-testsuite.patch

@@ -0,0 +1,38 @@
+From 3a56ea30acb41358742a94f088f12bd4f1ba1f80 Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Tue, 31 Jan 2023 09:24:56 -0500
+Subject: [PATCH 27/30] v2.0.0: test(atlocal): pass EBTABLES to testsuite
+
+(cherry picked from commit a5adb26a5eebdaa6e978c580d4fb73f7aa06802f)
+---
+ src/tests/atlocal.in   | 1 +
+ src/tests/functions.at | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/tests/atlocal.in b/src/tests/atlocal.in
+index 8c5493ac38df..595a96f0f5c9 100644
+--- a/src/tests/atlocal.in
++++ b/src/tests/atlocal.in
+@@ -1,5 +1,6 @@
+ export PYTHON="@PYTHON@"
+ 
++export EBTABLES="@EBTABLES@"
+ export IPTABLES="@IPTABLES@"
+ export IPTABLES_RESTORE="@IPTABLES_RESTORE@"
+ export IP6TABLES="@IP6TABLES@"
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index a2989c6345da..35e3271ce68d 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -368,7 +368,7 @@ m4_define([EBTABLES_LIST_RULES_NORMALIZE], [dnl
+ m4_define([EBTABLES_LIST_RULES], [
+     dnl ebtables commit 5f508b76a0ce change list output for inversion.
+     m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [], [
+-        NS_CHECK([PIPESTATUS0([ebtables --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])],
++        NS_CHECK([PIPESTATUS0([$EBTABLES --concurrent -t $1 -L $2], [EBTABLES_LIST_RULES_NORMALIZE])],
+                  [$3], [m4_strip([$4])], [m4_strip([$5])], [$6], [$7])
+     ])
+ ])
+-- 
+2.43.0
+

SOURCES/0028-v2.0.0-chore-direct-add-has_runtime_configuration.patch

@@ -0,0 +1,34 @@
+From f61b27ffc91da3d5e634a2d90edd164ac4102086 Mon Sep 17 00:00:00 2001
+From: Eric Garver <egarver@redhat.com>
+Date: Wed, 26 Jun 2024 11:13:00 -0400
+Subject: [PATCH 28/30] v2.0.0: chore(direct): add has_runtime_configuration()
+
+This is originally from cdd015475e83 ("fix(ipset): defer native ipset
+creation if nftables").
+---
+ src/firewall/core/fw_direct.py | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
+index 76aeda9f19cb..a35ebce1f276 100644
+--- a/src/firewall/core/fw_direct.py
++++ b/src/firewall/core/fw_direct.py
+@@ -64,9 +64,14 @@ class FirewallDirect(object):
+     def set_permanent_config(self, obj):
+         self._obj = obj
+ 
+-    def has_configuration(self):
++    def has_runtime_configuration(self):
+         if len(self._chains) + len(self._rules) + len(self._passthroughs) > 0:
+             return True
++        return False
++
++    def has_configuration(self):
++        if self.has_runtime_configuration():
++            return True
+         if len(self._obj.get_all_chains()) + \
+            len(self._obj.get_all_rules()) + \
+            len(self._obj.get_all_passthroughs()) > 0:
+-- 
+2.43.0
+

SOURCES/0029-v2.0.0-feat-direct-avoid-iptables-flush-if-using-nft.patch

@@ -0,0 +1,117 @@
+From 17c70eba7ddfd8a8687b16102cf5ee988e33993f Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 30 Jan 2023 16:42:50 -0500
+Subject: [PATCH 29/30] v2.0.0: feat(direct): avoid iptables flush if using
+ nftables backend
+
+If FirewallBackend=nftables and there are no direct rules; then we can
+avoid flushing iptables at startup and shutdown. This means other
+applications can control iptables while firewalld only touches nftables.
+
+Fixes: #863
+(cherry picked from commit b7faa74db15e2d1ebd9fdfcdc7579874d3a2fa87)
+---
+ src/firewall/core/fw.py        | 31 +++++++++++++++++++++++++++----
+ src/firewall/core/fw_direct.py |  9 +++++++++
+ 2 files changed, 36 insertions(+), 4 deletions(-)
+
+diff --git a/src/firewall/core/fw.py b/src/firewall/core/fw.py
+index 5cef18b5f889..a2ad39bd9f5f 100644
+--- a/src/firewall/core/fw.py
++++ b/src/firewall/core/fw.py
+@@ -425,7 +425,8 @@ class Firewall(object):
+         transaction = FirewallTransaction(self)
+ 
+         # flush rules
+-        self.flush(use_transaction=transaction)
++        if not reload:
++            self.flush(use_transaction=transaction)
+ 
+         # If modules need to be unloaded in complete reload or if there are
+         # ipsets to get applied, limit the transaction to flush.
+@@ -836,7 +837,26 @@ class Firewall(object):
+         if use_transaction is None:
+             transaction.execute(True)
+ 
+-    # flush and policy
++    def may_skip_flush_direct_backends(self):
++        if self.nftables_enabled and not self.direct.has_runtime_configuration():
++            return True
++
++        return False
++
++    def flush_direct_backends(self, use_transaction=None):
++        if use_transaction is None:
++            transaction = FirewallTransaction(self)
++        else:
++            transaction = use_transaction
++
++        for backend in self.all_backends():
++            if backend in self.enabled_backends():
++                continue
++            rules = backend.build_flush_rules()
++            transaction.add_rules(backend, rules)
++
++        if use_transaction is None:
++            transaction.execute(True)
+ 
+     def flush(self, use_transaction=None):
+         if use_transaction is None:
+@@ -846,7 +866,10 @@ class Firewall(object):
+ 
+         log.debug1("Flushing rule set")
+ 
+-        for backend in self.all_backends():
++        if not self.may_skip_flush_direct_backends():
++            self.flush_direct_backends(use_transaction=transaction)
++
++        for backend in self.enabled_backends():
+             rules = backend.build_flush_rules()
+             transaction.add_rules(backend, rules)
+ 
+@@ -1002,7 +1025,7 @@ class Firewall(object):
+         if not _panic:
+             self.set_policy("DROP")
+ 
+-        # stop
++        self.flush()
+         self.cleanup()
+ 
+         start_exception = None
+diff --git a/src/firewall/core/fw_direct.py b/src/firewall/core/fw_direct.py
+index a35ebce1f276..5d4cc6a6918e 100644
+--- a/src/firewall/core/fw_direct.py
++++ b/src/firewall/core/fw_direct.py
+@@ -219,6 +219,9 @@ class FirewallDirect(object):
+         else:
+             transaction = use_transaction
+ 
++        if self._fw.may_skip_flush_direct_backends():
++            transaction.add_pre(self._fw.flush_direct_backends)
++
+         #TODO: policy="ACCEPT"
+         self._chain(True, ipv, table, chain, transaction)
+ 
+@@ -265,6 +268,9 @@ class FirewallDirect(object):
+         else:
+             transaction = use_transaction
+ 
++        if self._fw.may_skip_flush_direct_backends():
++            transaction.add_pre(self._fw.flush_direct_backends)
++
+         self._rule(True, ipv, table, chain, priority, args, transaction)
+ 
+         if use_transaction is None:
+@@ -347,6 +353,9 @@ class FirewallDirect(object):
+         else:
+             transaction = use_transaction
+ 
++        if self._fw.may_skip_flush_direct_backends():
++            transaction.add_pre(self._fw.flush_direct_backends)
++
+         self._passthrough(True, ipv, list(args), transaction)
+ 
+         if use_transaction is None:
+-- 
+2.43.0
+

SOURCES/0030-v2.0.0-test-direct-avoid-iptables-flush-if-using-nft.patch

@@ -0,0 +1,175 @@
+From 2e34d7361f8a7528f5e5d86f794bc87c94f8214e Mon Sep 17 00:00:00 2001
+From: Eric Garver <eric@garver.life>
+Date: Mon, 30 Jan 2023 14:43:18 -0500
+Subject: [PATCH 30/30] v2.0.0: test(direct): avoid iptables flush if using
+ nftables backend
+
+Coverage: #863
+(cherry picked from commit dcd0dd3674ea8ef757a1b41f6b53717a45e821aa)
+---
+ src/tests/features/features.at                |   1 +
+ .../features/iptables_no_flush_on_shutdown.at | 143 ++++++++++++++++++
+ 2 files changed, 144 insertions(+)
+ create mode 100644 src/tests/features/iptables_no_flush_on_shutdown.at
+
+diff --git a/src/tests/features/features.at b/src/tests/features/features.at
+index 381bf6dba0e4..cfe8e88b46a9 100644
+--- a/src/tests/features/features.at
++++ b/src/tests/features/features.at
+@@ -14,3 +14,4 @@ m4_include([features/icmp_blocks.at])
+ m4_include([features/rpfilter.at])
+ m4_include([features/zone_combine.at])
+ m4_include([features/rich_destination_ipset.at])
++m4_include([features/iptables_no_flush_on_shutdown.at])
+diff --git a/src/tests/features/iptables_no_flush_on_shutdown.at b/src/tests/features/iptables_no_flush_on_shutdown.at
+new file mode 100644
+index 000000000000..a3bb1395791d
+--- /dev/null
++++ b/src/tests/features/iptables_no_flush_on_shutdown.at
+@@ -0,0 +1,143 @@
++m4_if(nftables, FIREWALL_BACKEND, [
++
++dnl If FirewallBackend=nftables, and there are no --direct rules, then we can
++dnl avoid flushing iptables on shutdown. We can also avoid a flush on startup
++dnl if there are no permanent direct rules. But we will have to flush on the
++dnl first direct rule added.
++FWD_START_TEST([avoid iptables flush if using nftables])
++AT_KEYWORDS(direct gh863)
++
++dnl no flush on reload if no direct rules
++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IF_HOST_SUPPORTS_IP6TABLES([
++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
++])
++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all ::/0 ::/0
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
++    -j ACCEPT
++])
++FWD_RELOAD()
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all ::/0 ::/0
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
++    -j ACCEPT
++])
++
++dnl no flush on restart (or stop) if no direct rules
++FWD_RESTART()
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all ::/0 ::/0
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
++    -j ACCEPT
++])
++
++dnl the first runtime direct rule should trigger an iptables flush
++FWD_CHECK([--direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IF_HOST_SUPPORTS_IP6TABLES([
++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
++])
++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 0, [dnl
++    ACCEPT all ::/0 ::/0
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 0, [dnl
++    -j ACCEPT
++])
++FWD_RELOAD()
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
++])
++
++dnl permanent direct rules should trigger a flush at start
++FWD_CHECK([--permanent --direct --add-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IF_HOST_SUPPORTS_IP6TABLES([
++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
++])
++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++FWD_RELOAD()
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
++    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
++])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [INPUT], 0, [dnl
++])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++EBTABLES_LIST_RULES([filter], [INPUT], 0, [dnl
++])
++
++FWD_CHECK([--permanent --direct --remove-rule ipv4 filter INPUT 1 -j ACCEPT], 0, [ignore])
++FWD_RELOAD()
++
++dnl adding a chain should trigger a flush
++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IF_HOST_SUPPORTS_IP6TABLES([
++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
++])
++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++FWD_CHECK([--direct --add-chain ipv4 filter firewalld_foobar], 0, [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++FWD_RELOAD()
++
++dnl adding a chain should trigger a flush
++NS_CHECK([$IPTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IPTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++IF_HOST_SUPPORTS_IP6TABLES([
++NS_CHECK([$IP6TABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$IP6TABLES -t filter -I firewalld_testsuite -j ACCEPT])
++])
++NS_CHECK([$EBTABLES -t filter -N firewalld_testsuite])
++NS_CHECK([$EBTABLES -t filter -I firewalld_testsuite -j ACCEPT])
++FWD_CHECK([--direct --add-passthrough ipv4 -t filter -I INPUT -j ACCEPT], 0, [ignore])
++IPTABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++IP6TABLES_LIST_RULES_ALWAYS([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++EBTABLES_LIST_RULES([filter], [firewalld_testsuite], 1, [ignore], [ignore])
++
++FWD_END_TEST()
++
++])
+-- 
+2.43.0
+

SPECS/firewalld.spec

@@ -1,7 +1,7 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
 Version: 0.9.11
-Release: 8%{?dist}
+Release: 9%{?dist}
 URL:     http://www.firewalld.org
 License: GPLv2+
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.gz
@@ -31,6 +31,10 @@ Patch23: 0023-v2.2.0-fix-rich-fix-range-check-for-large-rule-limit.patch
 Patch24: 0024-v2.2.0-improvement-policy-extract-helper-function-fo.patch
 Patch25: 0025-v2.2.0-improvement-rich-add-Rich_Limit.value_parse-a.patch
 Patch26: 0026-v2.2.0-improvement-rich-support-burst-attribute-to-l.patch
+Patch27: 0027-v2.0.0-test-atlocal-pass-EBTABLES-to-testsuite.patch
+Patch28: 0028-v2.0.0-chore-direct-add-has_runtime_configuration.patch
+Patch29: 0029-v2.0.0-feat-direct-avoid-iptables-flush-if-using-nft.patch
+Patch30: 0030-v2.0.0-test-direct-avoid-iptables-flush-if-using-nft.patch
 
 BuildArch: noarch
 BuildRequires: autoconf
@@ -232,6 +236,9 @@ desktop-file-install --delete-original \
 %{_mandir}/man1/firewall-config*.1*
 
 %changelog
+* Fri Aug 02 2024 Eric Garver <egarver@redhat.com> - 0.9.11-9
+- feat(direct): avoid iptables flush if using nftables backend
+
 * Thu Jun 13 2024 Eric Garver <egarver@redhat.com> - 0.9.11-8
 - feat(rich): support "burst" attribute to limit in rich rules