diff --git a/.gitignore b/.gitignore
index 16274f0..4fc741b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -81,3 +81,4 @@
 /firewalld-2.1.2.tar.bz2
 /firewalld-2.2.0.tar.bz2
 /firewalld-2.2.1.tar.bz2
+/firewalld-2.3.0.tar.bz2
diff --git a/0002-RHEL-only-Default-to-StrictForwardPorts-yes.patch b/0002-RHEL-only-Default-to-StrictForwardPorts-yes.patch
new file mode 100644
index 0000000..7d0317c
--- /dev/null
+++ b/0002-RHEL-only-Default-to-StrictForwardPorts-yes.patch
@@ -0,0 +1,54 @@
+From d1828d7c5b17b5d152acc461123565f3a32d61ce Mon Sep 17 00:00:00 2001
+From: Eric Garver
+Date: Wed, 6 Nov 2024 11:08:14 -0500
+Subject: [PATCH] RHEL only: Default to StrictForwardPorts=yes
+
+---
+ config/firewalld.conf | 4 ++--
+ src/firewall/config/__init__.py.in | 2 +-
+ src/tests/functions.at | 4 ++++
+ 3 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/config/firewalld.conf b/config/firewalld.conf
+index 800b255c77e0..93b85181c2be 100644
+--- a/config/firewalld.conf
++++ b/config/firewalld.conf
+@@ -94,8 +94,8 @@ RFC3964_IPv4=yes
+ # allowed via firewalld.
+ # If set to no, then docker (and podman) integrates seamlessly with firewalld.
+ # Published container ports are implicitly allowed.
+-# Defaults to "no".
+-StrictForwardPorts=no
++# Defaults to "yes".
++StrictForwardPorts=yes
+
+ # NftablesFlowtable
+ # This may improve forwarded traffic throughput by enabling nftables flowtable.
+diff --git a/src/firewall/config/__init__.py.in b/src/firewall/config/__init__.py.in
+index 4951d37cf80e..478bb7383d41 100644
+--- a/src/firewall/config/__init__.py.in
++++ b/src/firewall/config/__init__.py.in
+@@ -139,4 +139,4 @@ FALLBACK_ALLOW_ZONE_DRIFTING = False
+ FALLBACK_NFTABLES_FLOWTABLE = "off"
+ FALLBACK_NFTABLES_COUNTERS = False
+ FALLBACK_NFTABLES_TABLE_OWNER = True
+-FALLBACK_STRICT_FORWARD_PORTS = False
++FALLBACK_STRICT_FORWARD_PORTS = True
+diff --git a/src/tests/functions.at b/src/tests/functions.at
+index 500756bdacdb..621f2f6f613c 100644
+--- a/src/tests/functions.at
++++ b/src/tests/functions.at
+@@ -141,6 +141,10 @@ m4_define([FWD_START_TEST], [
+ AT_CHECK([if ! cp /etc/firewalld/firewalld.conf ./firewalld.conf; then exit 77; fi])
+ fi
+
++ dnl RHEL downstream changed the default value for this, but upstream tests
++ dnl expect it to be "no".
++ AT_CHECK([sed -i 's/^StrictForwardPorts.*/StrictForwardPorts=no/' ./firewalld.conf])
++
+ m4_ifdef([TESTING_FIREWALL_OFFLINE_CMD], [
+ AT_KEYWORDS(offline)
+ dnl cockpit is added by default downstream, but upstream tests don't expect
+--
+2.45.2
+
diff --git a/firewalld.spec b/firewalld.spec
index dd66547..eacb20d 100644
--- a/firewalld.spec
+++ b/firewalld.spec
@@ -1,11 +1,12 @@
 Summary: A firewall daemon with D-Bus interface providing a dynamic firewall
 Name: firewalld
-Version: 2.2.1
-Release: 2%{?dist}
+Version: 2.3.0
+Release: 1%{?dist}
 URL: http://www.firewalld.org
 License: GPL-2.0-or-later
 Source0: https://github.com/firewalld/firewalld/releases/download/v%{version}/firewalld-%{version}.tar.bz2
-Patch0: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
+Patch1: 0001-RHEL-only-Add-cockpit-by-default-to-some-zones.patch
+Patch2: 0002-RHEL-only-Default-to-StrictForwardPorts-yes.patch
 BuildArch: noarch
 BuildRequires: autoconf
 BuildRequires: automake
@@ -253,6 +254,9 @@ end
 %{_mandir}/man1/firewall-config*.1*

 %changelog
+* Tue Nov 05 2024 Eric Garver - 2.3.0-1
+- rebase package to v2.3.0
+
 * Tue Oct 29 2024 Troy Dawson - 2.2.1-2
 - Bump release for October 2024 mass rebuild:
 Resolves: RHEL-64018
diff --git a/sources b/sources
index 7e88941..35457e3 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (firewalld-2.2.1.tar.bz2) = 08117be01a25a8e263cf419d7b01a98c80b53108af68f6cfc1d900692e6124c37b9dd6feaf4bc3c6e3f27958a9ee45b9795c7f5a9250eb644b6e903f97672c8a
+SHA512 (firewalld-2.3.0.tar.bz2) = 9a0fe1098c8bbb63bc4af04f56b7810d3d4e94be4247574daba64fb7a344488053f80426b7422c3a4620a54fee69a4264e1b0d66580757aac29aa65d723007c5
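Review bot: The embedded patch's commit message has no body — between the `Subject:` line and the `---` diffstat there is nothing explaining why the downstream default differs from upstream or what it means for users, yet per the firewalld.conf comments in the same hunk this flips from "published container ports are implicitly allowed" to requiring them to be explicitly allowed via firewalld. A short rationale naming the behaviour change for docker/podman hosts (and the tracking ticket, if one exists) belongs in the patch description, since that text is what gets read when the patch is carried across future rebases. Note also that the functions.at change runs `sed -i 's/^StrictForwardPorts.*/StrictForwardPorts=no/'` for every test, so nothing in the testsuite exercises the downstream default; a single check that the shipped `firewalld.conf` still contains `StrictForwardPorts=yes` would catch the default being silently lost on the next rebase.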
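Review bot: The new `%changelog` entry (`- rebase package to v2.3.0`) does not mention that this build also adds `0002-RHEL-only-Default-to-StrictForwardPorts-yes.patch`, which changes the shipped `StrictForwardPorts` default from no to yes; a user-visible firewall behaviour change should be recorded, e.g. `- RHEL only: default StrictForwardPorts=yes (published container ports are no longer implicitly allowed)`. Renumbering `Patch0` to `Patch1` is only safe if `%prep` applies patches via `%autosetup`/`%autopatch`; if it still has an explicit `%patch0`, that directive no longer has a matching source — `%prep` is outside this hunk, so please confirm. The changelog entry is dated Tue Nov 05 2024 while the embedded patch's `Date:` header is Wed 6 Nov 2024; harmless, but worth aligning.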